Microsoft Finally Patches ActiveX

As usual on the upcoming Patch Tuesday next week, Microsoft will be issuing a series of critical patches to fix security vulnerabilities for its popular Windows computer operating system.

But this time, the company is getting a bit more attention than it's used to for its patch release schedule.

[ Learn how to secure your systems with Roger Grimes' Security Adviser blog and newsletter, both from InfoWorld. ]

Three new "critical" security patches affecting Windows will be part of the patch package that will be available on Tuesday, as well as three "important" fixes for other Microsoft products - Publisher, Internet Security and Acceleration (ISA) Server and Virtual PC and Virtual Server. The fixes affect machines running Windows Vista, Windows XP or Windows Server 2003, according to details in the patch advisories.

If your computer is set to automatically receive Microsoft patch updates as recommended, then you should receive the fixes without any intervention on your part.

One of those fixes, for a security vulnerability in Microsoft Video ActiveX Control affecting computers running Windows XP or Windows Server 2003, though, has been awaited for quite a while. It appears that the first reports of the problem date back to early 2008.

Questions raised about first reports

"We've gotten some questions from customers about when we got the first report of this vulnerability and how long the investigation has taken relative to the outbreak of attacks against this vulnerability," wrote Microsoft spokesman Mike Reavey in a Microsoft Security Response Center blog item yesterday.

"Before I go into the details, the key thing I want customers to understand is that this is an issue that was responsibly reported to us and we have been driving in our standard process towards a security update," Reavey wrote. "While in the middle of that process, attackers found this same vulnerability and began attacks against it. We were far enough in the process that we could provide information that customers can use to protect themselves in the interim while we complete that investigation and deliver a security update that you can deploy broadly with confidence. "

Oh yeah, I'm real confident now.

First report received in Spring 2008

What's interesting here for consumers is that the first report of this ActiveX Control security vulnerability came in during the spring of 2008, according to Microsoft, and it's just getting around to fix it now. That's more than a whole year.

And Reavey even admits that in his blog post.

The reason the vulnerability is being fixed is because it can enable an attacker to take over a victim's computer over the Internet as the logged-on user if the computer's owner browses a malicious Web site.

Yet despite that danger, more than a year has passed for a fix.

Hmmmmm, another Tuesday, another group of Microsoft patches.

So is that Google Chrome OS ready to try out yet?