Every month the BugBlog picks its Bug of the Month, representing the most significant bug found in the past month. Sometimes, the bug will be the one which could potentially cause the most damage; sometimes it will be the bug which affects the most users. And sometimes, it will be the bug that is just the most interesting bug. This bug will be selected either from the free Bug of the Day, or from the subscription-only BugBlog Plus.
This month the Bug of the Month goes to Microsoft, for this XML ActiveX control bug. The first notice of this bug came in the 11/6 BugBlog:
Microsoft has issued a Security Advisory about a bug in the XMLHTTP 4.0 ActiveX Control. This control is part of Microsoft XML Core Services 4.0 on Windows, which should be present on Windows 2000, Windows XP, and Windows Server 2003 computers, even if the users don't know it. However, Windows Server 2003 users running with Enhanced Security Configuration on will not be vulnerable. An attack could be mounted if you browse to a maliciously designed page, resulting in hostile code running on your computer. Microsoft is working on a patch which will be coming in a future Patch Tuesday. Read the details at Microsoft's website.
The patch for this was released as part of Microsoft's Patch Tuesday for November, on November 14. With so many Microsoft bugs getting fixed this day, the patch was relegated to the BugBlog Plus:
Microsoft has issued a patch for the Critical security bug for XMLHTTP ActiveX control that is in Microsoft XML Core Services. Exploit code for this bug has been circulating, and the BugBlog Plus noted the problem on 11/6). An attacker could design a webpage that could use this bug to take complete control of a computer. Microsoft has the patch. They credit Robert Freeman of ISS and Dror Shalev and Moti Jospeh of Checkpoint for finding the problem.
Why this bug? First, it was a zero-day attack, which meant that hostile code that could exploit this bug was already circulating on various malware sites when the bug was announced on 11/6. Second, potential targets were widespread, for anyone using Internet Explorer on Windows 2000 or Windows XP were vulnerable if they visited a malicious website. Finally, the damage could be severe, with the attackers taking over the computer. And for the icing on the cake, it was yet another example of security threats coming in via an ActiveX control. (For instance, see the November 2006 Bug of the Month)
So for these reasons, Microsoft wins another Bug of the Month.