Not a good week for timwi

There’s another major bug in one of the IE ActiveX controls installed as part of Windows. It allows any web site to run arbitrary code on your system via malformed HTTP requests. Microsoft have issued a fix for this one. The problem is, the original broken ActiveX control is still out there, and is signed as trusted code with a Microsoft signature which doesn’t expire. So nefarious web sites can simply request that the old, broken version be downloaded and executed in preference to the new one, then use the old security hole to reformat your hard drive.

Don’t trust Microsoft—no, really

Well, the inevitable has happened: some hackers have managed to get hold of a valid Microsoft security certificate. This will let them sign their virus or trojan horse programs, and Windows will believe that the code was written by Microsoft and run it without warning. The signed malicious code could be sent by e-mail or embedded in any web page as an ActiveX control. The article suggests that users just need to check the signature date and refuse to run the ActiveX control if it’s the wrong date—but that’s not true.