Killbit bypass flaw being investigated

Aug 7, 2010 12:03 GMT  ·  By

A newly discovered Windows vulnerability might allow hackers to re-enable any ActiveX exploit previously blocked by Microsoft. Vulnerability researchers from VUPEN Security have successfully crafted a proof-of-concept attack that leverages the flaw to bypass an active killbit.

Setting killbits is the default method used by Microsoft to close security holes that can be exploited via ActiveX. Each ActiveX control has a corresponding unique identifier known as a CLSID. Killbits are registry values that tell software like Internet Explorer or Microsoft Office not to instantiate controls with specific CLSIDs because they are malicious.
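For readers who want to verify on their own systems which controls are actually killed, the following is an added example (not code from the article or from VUPEN). It relies on the documented location of killbits: a DWORD named "Compatibility Flags" under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}, where bit 0x00000400 means the control is killed. To keep it portable and offline, it parses a .reg export of that key rather than reading the live registry; the export excerpt and the CLSIDs in it are constructed placeholders, not real controls.

```python
"""Audit ActiveX kill bits from a .reg export of the ActiveX Compatibility key.

Kill bits are stored as the DWORD "Compatibility Flags" under
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}.
Bit 0x00000400 set means Internet Explorer must not instantiate the control.
Export the key with:  reg export "HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility" compat.reg
(reg export writes UTF-16; open the file with encoding="utf-16".)
"""
import re

KILL_BIT = 0x00000400
COMPAT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"

# Constructed .reg export excerpt; the CLSIDs below are placeholders, not real controls.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-0000000000A1}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-0000000000B2}]
"Compatibility Flags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-0000000000C3}]
"Compatibility Flags"=dword:00000401
"""

_KEY_RE = re.compile(r"^\[(.+)\]\s*$")                                   # [HKEY_...\{CLSID}]
_VALUE_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9a-fA-F]{8})\s*$')
_CLSID_RE = re.compile(r"\{[0-9a-fA-F-]{36}\}$")                          # trailing {GUID}


def parse_compat_flags(reg_text):
    """Return {CLSID: Compatibility Flags} for every CLSID subkey in the export.

    A subkey present without a "Compatibility Flags" value is reported as 0.
    """
    flags = {}
    current = None
    for line in reg_text.splitlines():
        m = _KEY_RE.match(line)
        if m:
            key = m.group(1)
            current = None
            # Only subkeys directly under the ActiveX Compatibility key count.
            if key.lower().startswith(COMPAT_KEY.lower() + "\\"):
                c = _CLSID_RE.search(key)
                if c:
                    current = c.group(0).upper()
                    flags.setdefault(current, 0)
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            flags[current] = int(m.group(1), 16)  # .reg dword values are hex
    return flags


def kill_bit_set(flags):
    """True when the kill bit (0x400) is set, regardless of other flag bits."""
    return bool(flags & KILL_BIT)


def audit(reg_text, expected_killed):
    """For each CLSID that should be killed, report 'killed', 'NOT killed' or 'missing'."""
    flags = parse_compat_flags(reg_text)
    report = {}
    for clsid in expected_killed:
        clsid = clsid.upper()
        if clsid not in flags:
            report[clsid] = "missing"
        elif kill_bit_set(flags[clsid]):
            report[clsid] = "killed"
        else:
            report[clsid] = "NOT killed"
    return report


if __name__ == "__main__":
    for clsid, status in audit(SAMPLE_REG_EXPORT, [
        "{00000000-0000-0000-0000-0000000000A1}",
        "{00000000-0000-0000-0000-0000000000B2}",
        "{00000000-0000-0000-0000-0000000000D4}",
    ]).items():
        print(clsid, status)
```

The audit only shows whether the registry says a control is killed; it cannot tell whether a bypass of the kind VUPEN describes would still let a browser instantiate it. The list of CLSIDs you feed in should come from the Microsoft advisories and bulletins that set the killbits for your platform.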

"We found a potential Windows Kill Bit bypass vuln which could open hundreds of flaws exploitable via killed ActiveX controls," VUPEN announced via Twitter. "We are still investigating the Windows Kill Bit bypass but we already created an exploit working with a kill bit set to True!" a later update reads.

If indeed the vulnerability found by VUPEN can be used to bypass any killbits, attackers could theoretically leverage it to make previously blocked ActiveX exploits work on fully patched Windows systems. Normally, this shouldn't be the case, because when bugs are discovered, vulnerability research companies work with vendors to help them create a patch.

However, VUPEN has recently changed its policy and is no longer offering vulnerability intelligence for free to affected developers. The company only shares the research with its customers, which include governments, intelligence agencies, law enforcement units, security vendors and corporations.

Since Microsoft has publicly declared itself unwilling to pay for bug information, it will have to find this vulnerability on its own or with assistance from other companies, preferably before the malicious hackers figure it out. And even if they do manage to find it and patch it, this could still spell trouble for a large number of users.

First of all, there are a lot of computers still running Windows XP SP2, which will not receive a fix for this issue because Microsoft cut support for that version of the operating system last month. And then there's the huge percentage of users that fail to install security patches. Let's take for example a user who did a fresh install of Windows Vista with SP2 but did not install any updates afterward. He used to be protected from all ActiveX exploits that appeared before Vista SP2, but not anymore.

You can follow the editor on Twitter @lconstantin