Microsoft has released two downloads containing ActiveX Killbits for the 32-bit and the 64-bit flavors of Windows 7 Release Candidate Build 7100. The Cumulative Security Update for ActiveX Killbits for Windows 7 went live on the Microsoft Download Center on July 14th, 2009 and is currently available for users running the RC Build 7100 release of the next iteration of the Windows client. Although labeled a cumulative security update, the fact is that the ActiveX Killbits are not designed to patch a vulnerability in Windows 7 itself. Users should regard them instead as a defense-in-depth measure and nothing more.
The killbits released on July 14 are part of the patch that resolved a Critical vulnerability in the Microsoft Video ActiveX Control. The Redmond company informed the public about the issue in the first half of June 2009. The security vulnerability carries a Critical rating for all supported editions of Windows XP, but only Moderate for Windows Server 2003. The flaw does not affect Windows Vista, Windows Server 2008, Windows 7 or Windows Server 2008 R2. Nonetheless, deploying the Killbits is a healthy preventive measure that raises the level of security.
The Redmond company advised even customers of non-affected platforms to apply the security update. The fix is designed to render useless any possible future attack vectors against the control. Although the vulnerability was privately reported to Microsoft, attacks with exploits targeting this specific flaw were detected in the wild.
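A killbit is nothing more than the 0x400 bit in the "Compatibility Flags" DWORD under the ActiveX Compatibility key for a control's CLSID; Internet Explorer refuses to instantiate any control whose CLSID carries that bit. The following PowerShell is an added example, not code from the article or from Microsoft, showing how an administrator can audit whether a killbit is in place and apply one if it is missing. The CLSID used at the bottom is a placeholder, not the Video ActiveX Control's real CLSID, which must be taken from the vendor advisory.

```powershell
# Added example: audit and apply an ActiveX killbit.
# The CLSID below is a placeholder; substitute the real one from the advisory.
$KillBitFlag = 0x400   # the "kill bit" within the Compatibility Flags DWORD
$CompatRoot  = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
# Note: on 64-bit Windows, 32-bit Internet Explorer reads the same key under
# HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility,
# so both hives should be checked on a 64-bit install.

function Get-KillBitStatus {
    param([Parameter(Mandatory)][string]$Clsid)
    $key   = Join-Path $CompatRoot $Clsid
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                -ErrorAction SilentlyContinue).'Compatibility Flags'
    [pscustomobject]@{
        Clsid   = $Clsid
        Flags   = if ($null -eq $flags) { 0 } else { [int]$flags }
        # The killbit is set only if the key exists and the 0x400 bit is on
        KillBit = ($null -ne $flags) -and (([int]$flags -band $KillBitFlag) -ne 0)
    }
}

function Set-KillBit {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Join-Path $CompatRoot $Clsid
    if ($PSCmdlet.ShouldProcess($Clsid, 'Set ActiveX killbit')) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        $current = (Get-KillBitStatus -Clsid $Clsid).Flags
        # OR the bit in so that any other compatibility flags are preserved
        Set-ItemProperty -Path $key -Name 'Compatibility Flags' `
            -Value ($current -bor $KillBitFlag) -Type DWord
    }
}

# Placeholder CLSID (constructed); replace with the control's real CLSID.
$clsid = '{00000000-0000-0000-0000-000000000000}'
$status = Get-KillBitStatus -Clsid $clsid
$status | Format-Table -AutoSize
if (-not $status.KillBit) { Set-KillBit -Clsid $clsid -WhatIf }
```

Run it from an elevated prompt; the final call uses -WhatIf so nothing is written until the CLSID has been confirmed against the advisory.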
“A remote code execution vulnerability exists in the Microsoft Video ActiveX Control, msvidctl.dll. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged on user,” Microsoft stated.