Microsoft Kills More Third-Party ActiveX Controls

Microsoft Wednesday issued “kill bit” updates for ActiveX controls from HP and a Washington state developer, the third time it’s disabled third-party add-ons in the last four months. One security researcher linked the release to a new program Microsoft announced last week that’s designed to help other vendors find and fix bugs in their own software.

Microsoft disabled ActiveX controls from two companies, Hewlett-Packard Co. and Tacoma, Wash.-based Aurigma Inc., in its kill bit update, according to the security advisory issued Wednesday. The update was released through Windows Update, but can also be downloaded from the Microsoft site.

Both companies have acknowledged vulnerabilities in their ActiveX controls, and have, in fact, patched those controls. The HP software that Microsoft killed Wednesday were older ActiveX controls associated with a customer support application bundled with some of its PCs; the program, dubbed “HP Instant Support,” is meant to help users update key drivers and other HP software.

HP patched its Instant Support in early June.

Aurigma’s Image Uploader, meanwhile, also has a troubled past. In late January, security vendor Symantec Corp. reported multiple vulnerabilities in the software, which is licensed by sites such as MySpace and Facebook, to give their users a way to upload photos from within Internet Explorer. Aurigma quashed the bugs in a March 2008 update to Image Uploader. The first time Microsoft released a kill bit update for another vendors’ software was in April, when it disabled a buggy ActiveX control used by Yahoo Inc.’s music player. In June, it released a kill bit that crippled an ActiveX control used by Logitech International SA to retrieve updates for software for its keyboards and mice.

In April, company officials said they would issue kill bit updates whenever asked by a vendor. “If an independent software vendor discovers that they have shipped a vulnerable [ActiveX] control, they should e-mail [us] to work with Microsoft to issue a kill bit, disabling that control,” Tim Rains, a spokesman for the Microsoft Security Response Center (MSRC), said at the time.

Setting the kill bit for an ActiveX control involves modifying the Windows registry. It does not patch the problem, and setting the kill bit means the control’s functionality is lost. In today’s cases, however, Microsoft was setting the kill bits for the older, vulnerable versions of the HP and Aurigma controls; users who had updated to the newer editions should not lose the programs’ functionality.

“This is right in line with Microsoft’s presentation at Black Hat,” said Andrew Storm, director of security operations at security vendor nCircle Network Security Inc., referring to last week’s security conference. At Black Hat, Microsoft said it would launch Microsoft Vulnerability Research (MSVR), a program to help third-party developers of Windows applications and add-ons find and fix bugs in their software, in two months.

“They said many times that they are working as a coalition to better secure the Windows operating system and everything which runs on it,” Storms continued. “While Microsoft has issued a few kill bits in the past for third-party products, this is something we are going to continue to see going forward.”