Every month the BugBlog picks its Bug of the Month, representing the most significant bug found in the past 30 days. Sometimes, the bug will be the one which could potentially cause the most damage; sometimes it will be the bug which affects the most users. And sometimes, it will be the bug that is just the most interesting.
This month the Bug of the Month goes to Microsoft, for this ActiveX bug that appeared in the BugBlog on October 10.
Another bug in an ActiveX control puts users of Windows 2000, Windows XP, and Windows Server 2003 in jeopardy. The bug is in the WebViewFolderIcon ActiveX control, and if you visit a malicious website (using Microsoft Internet Explorer) that tries to exploit this bug, the bad guys may take complete control of your system. This is rated a Critical bug for Windows 2000 and Windows XP by Microsoft, and a moderate bug for Windows Server 2003. Get your patch (although there may be some problems with patch availability on 10/10).
Why this bug? Actually, it serves as a representative for two different events at Microsoft. The first is the deluge of security bulletins issued by Microsoft in October. There were ten bulletins that, together, fixed twenty-five different bugs. A patch Tuesday, this big deserves recognition.
The second thing it represents is ActiveX itself. Microsoft chose to emphasize ActiveX, instead of Java, in the '90s, and it wasn't a good decision. Over the years, there have been many security problems with ActiveX controls, and they are still occurring. An ActiveX control from AOL was the Bug of the Day on October 12, and the BugBlog Plus of November 1 reports on an exploit in the Microsoft WMI Object Broker ActiveX control.
So for these reasons, Microsoft wins another Bug of the Month.