
Microsoft announced in Security Advisory 925444 that it is investigating public reports of a vulnerability in the Microsoft DirectAnimation Path ActiveX Control that could permit remote code execution, affecting Internet Explorer on Windows 2000 Service Pack 4, Windows XP Service Pack 1, and Windows XP Service Pack 2. In the meantime, the Redmond company has offered a temporary workaround to mitigate the issue until a security bulletin resolves the flaw. Because the Microsoft DirectAnimation Path ActiveX control shipped in Daxctle.ocx is the control responsible for the vulnerability, disabling ActiveX controls is a viable interim protection.
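The per-control form of the workaround above is to set the Internet Explorer "kill bit" for the affected control, which stops IE from instantiating it without disabling every ActiveX control on the machine. The script below is an added example, not code from Microsoft, the advisory, or the article; it audits and optionally sets the kill bit (bit 0x400 of the "Compatibility Flags" DWORD under the ActiveX Compatibility registry key). The CLSID in the script is a placeholder, since the article does not give the real one; substitute the CLSID named in the advisory. Writing the value requires an elevated prompt.

```powershell
# Added example: audit and set the IE kill bit for one ActiveX control by CLSID.
# IE refuses to load any control whose "Compatibility Flags" value has bit 0x400 set.
# ASSUMPTION: $TargetClsid below is a placeholder, not the DirectAnimation Path CLSID.

$KillBit = 0x400
$CompatRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'  # 32-bit IE on x64
)

function Get-ActiveXKillBitState {
    # Reports, for each registry view, whether the kill bit is set for the given CLSID.
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($root in $CompatRoots) {
        $key = Join-Path $root $Clsid
        if (-not (Test-Path $key)) {
            [pscustomobject]@{ Key = $key; Flags = $null; KillBitSet = $false; Note = 'key absent' }
            continue
        }
        $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        [pscustomobject]@{
            Key        = $key
            Flags      = $flags
            KillBitSet = [bool]($flags -band $KillBit)
            Note       = if ($null -eq $flags) { 'value absent' } else { '0x{0:X}' -f $flags }
        }
    }
}

function Set-ActiveXKillBit {
    # ORs the kill bit into the existing flags so other compatibility bits are preserved.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($root in $CompatRoots) {
        if (-not (Test-Path $root)) { continue }   # Wow6432Node does not exist on 32-bit Windows
        $key = Join-Path $root $Clsid
        if ($PSCmdlet.ShouldProcess($key, 'set kill bit 0x400')) {
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            $existing = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
            $new = ([int]$existing) -bor $KillBit     # [int]$null evaluates to 0
            Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $new -Type DWord
        }
    }
}

# Placeholder CLSID (assumption); replace with the CLSID from the advisory.
$TargetClsid = '{00000000-0000-0000-0000-000000000000}'
Get-ActiveXKillBitState -Clsid $TargetClsid | Format-Table -AutoSize

# To apply from an elevated prompt:
#   Set-ActiveXKillBit -Clsid $TargetClsid -WhatIf   # preview the registry writes
#   Set-ActiveXKillBit -Clsid $TargetClsid
```

Run the audit function first across a fleet to see which machines still lack the kill bit; the setter is idempotent, so re-running it after the bulletin ships is harmless, and the bulletin's own update can later be verified by checking the version of Daxctle.ocx rather than the registry.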
Rob Franco, IE Lead Program Manager, has revealed on the IEBlog that Internet Explorer 7 is not affected by the DirectAnimation overflow vulnerability: "the good news in yesterday's disclosure is that IE7 is safe against this attack and many of the other recent attacks on IE6. The input of the security community had a deep impact on the security strategy for IE7. As we worked with researchers to strengthen the core of the IE7 codebase against threats, we also eliminated threats on the periphery by reducing the attack surface that we expose to malicious websites. Most notably, IE7 reduces attack surface by disabling most ActiveX controls on the system by default. We actually went a step further with Direct Animation control and effectively remove it when you install IE7."
Franco also added that while the development team is working to reduce the volume of ActiveX attacks in the browser, it is also collaborating with outside developers of ActiveX controls and other binary extensions, including Adobe Flash, Apple Quicktime, RealPlayer, WMP, the Sun JRE and Adobe Acrobat, to raise the safety level of those controls.