ActiveX vulnerability in Internet Explorer (Windows)
Microsoft has announced a significant vulnerability in ActiveX, and two exploits are already known to be in the wild. There is no patch, so Microsoft is recommending that users disable ActiveX for all sites except trusted ones.
Affected Software
- Windows 2000 Service Pack 4
- Windows XP Service Pack 1 & 2
If you run Windows 2003 with Enhanced Security Configuration turned on, you are not vulnerable.
Our current recommendation is for Yale users to use another browser for non-Yale sites until Microsoft provides a patch. Please note that Firefox currently has an unrelated vulnerability, but a patch for that browser is available right now.
Additional information
Chronology of both exploits and MS response
Microsoft Security Advisory (925444) -- Vulnerability in the Microsoft DirectAnimation Path ActiveX Control Could Allow Remote Code Execution
Microsoft quantifies and qualifies the risk
- Only Windows 2000 and XP web browsing should be affected.
- Windows 2003 runs IE in Enhanced Security Configuration mode (ActiveX and Active Scripting disabled by default).
- Emailed pages should not be immediately dangerous, as most Outlook versions now open HTML email in the Restricted Sites zone (where ActiveX and Active Scripting are disabled), but users can still be lured to websites via email links.
- Users would have to be lured or redirected to a malicious website.
- No automatic privilege escalation.
Recommendations
- Disable ActiveX and Active Scripting in IE.
- Avoid use of IE.
- Use IE Security Zones (only enable ActiveX and Active Scripting for completely trusted sites on which ActiveX and Active Scripting are actually required).
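The zone-based recommendation above can be applied through the registry keys that Internet Explorer uses to store its zone settings. The following PowerShell script is an added example and is not part of the Yale advisory or of Microsoft's guidance text; it assumes the standard IE registry layout (zone 3 = Internet, zone 4 = Restricted sites, zone 2 = Trusted sites; action 1200 = "Run ActiveX controls and plug-ins", action 1400 = "Active scripting"; 0 = enable, 1 = prompt, 3 = disable). The host `intranet.example.edu` is a constructed placeholder, not a site named on this page.

```powershell
# Added example (not from the Yale advisory): disable ActiveX and Active Scripting
# in the Internet and Restricted sites zones, keep them enabled only for an
# explicitly trusted host, and verify the result.
# HKCU keys affect the current user only; if the machine enforces
# "Security_HKLM_only" or Group Policy zone settings, the HKLM copy wins instead.

$zonesKey       = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$internetZone   = Join-Path $zonesKey '3'   # Zone 3 = Internet
$restrictedZone = Join-Path $zonesKey '4'   # Zone 4 = Restricted sites

function Set-ZoneSetting {
    param([string]$ZonePath, [string]$ActionId, [int]$Value)
    # Action IDs 1200 (ActiveX) and 1400 (Active scripting); 3 = disable
    Set-ItemProperty -Path $ZonePath -Name $ActionId -Value $Value -Type DWord
}

# Disable ActiveX (1200) and Active Scripting (1400) where untrusted content lands
foreach ($zone in @($internetZone, $restrictedZone)) {
    Set-ZoneSetting -ZonePath $zone -ActionId '1200' -Value 3
    Set-ZoneSetting -ZonePath $zone -ActionId '1400' -Value 3
}

# Place a host that genuinely needs ActiveX into the Trusted sites zone (zone 2).
# Layout is ZoneMap\Domains\<domain>\<host>; 'intranet.example.edu' is a placeholder.
$domainsKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$trustedHost = Join-Path (Join-Path $domainsKey 'example.edu') 'intranet'
if (-not (Test-Path $trustedHost)) { New-Item -Path $trustedHost -Force | Out-Null }
# Value name is the scheme; 2 = Trusted sites. Restrict the trust grant to https.
Set-ItemProperty -Path $trustedHost -Name 'https' -Value 2 -Type DWord

# Verify: a zone counts as hardened only when both actions read back as disabled (3)
function Test-ZoneHardened {
    param([string]$ZonePath)
    $props = Get-ItemProperty -Path $ZonePath
    return ($props.'1200' -eq 3) -and ($props.'1400' -eq 3)
}

foreach ($zone in @($internetZone, $restrictedZone)) {
    $state = if (Test-ZoneHardened -ZonePath $zone) { 'hardened' } else { 'STILL PERMISSIVE' }
    Write-Output ("{0}: {1}" -f $zone, $state)
}
```

Run it in the affected user's session, then confirm in Internet Options that the Internet zone shows "Custom" with ActiveX and Active scripting disabled; the final loop reports any zone that a policy or a later change has left permissive.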