Microsoft kills more third-party ActiveX controls
Company issues kill bit updates for Hewlett-Packard, Aurigma ActiveX controls
Microsoft Wednesday issued "kill bit" updates for ActiveX controls from HP and a Washington state developer, the third time it's disabled third-party add-ons in the last four months.
One security researcher linked the release to a new program Microsoft announced last week that's designed to help other vendors find and fix bugs in their own software.
[ Get more about the latest risks and security news from the recent Black Hat and Defcon conferences. ]
Microsoft disabled ActiveX controls from two companies, Hewlett-Packard Co. and Tacoma, Wash.-based Aurigma Inc., in its kill bit update, according to the security advisory issued Wednesday. The update was released through Windows Update, but can also be downloaded from the Microsoft site.
Both companies have acknowledged vulnerabilities in their ActiveX controls, and have, in fact, patched those controls. The HP software that Microsoft killed Wednesday were older ActiveX controls associated with a customer support application bundled with some of its PCs; the program, dubbed "HP Instant Support," is meant to help users update key drivers and other HP software.
HP patched its Instant Support in early June.
Aurigma's Image Uploader, meanwhile, also has a troubled past. In late January, security vendor Symantec Corp. reported multiple vulnerabilities in the software, which is licensed by sites such as MySpace and Facebook, to give their users a way to upload photos from within Internet Explorer.
Aurigma quashed the bugs in a March 2008 update to Image Uploader.
The first time Microsoft released a kill bit update for another vendors' software was in April, when it disabled a buggy ActiveX control used by Yahoo Inc.'s music player. In June, it released a kill bit that crippled an ActiveX control used by Logitech International SA to retrieve updates for software for its keyboards and mice.
In April, company officials said they would issue kill bit updates whenever asked by a vendor. "If an independent software vendor discovers that they have shipped a vulnerable [ActiveX] control, they should e-mail [us] to work with Microsoft to issue a kill bit, disabling that control," Tim Rains, a spokesman for the Microsoft Security Response Center (MSRC), said at the time.
