Microsoft Admits Browser Security Flaw

DALLAS - Software giant Microsoft, Inc. announced this afternoon that a hole in its Video ActiveX Control application could provide an entry point for hackers.

Dr. Matt Wright, a computer science professor at the University of Texas at Arlington’s College of Engineering, says it’s an issue because Microsoft doesn’t usually acknowledge problems with its software unless it has a fix at the ready . “I think it’s making a lot of noise because of that,” Dr. Wright said, “And there are Web sites out there exploiting this vulnerability.”

Visiting such a site using Microsoft’s Internet Explorer browser would expose a user to so-called “malware” that begins to install itself on a computer. Once that happens, malicious users could conceivably take control of the machine, according to the company’s online statement about the problem.

As of late Monday afternoon, no security program had been released by the software maker to patch the hole. “It shouldn’t take long” for a patch to become available, Dr. Wright noted. “Typically, it’s only a couple of days before Microsoft develops something … if it takes that long.”

Still, Dr. Wright says it’s worth noting that Internet Explorer isn’t the only way to browse the Web. Companies such as Mozilla offer browsers like Firefox , which don’t rely on proprietary controls like Microsoft’s ActiveX.

ActiveX is a control program that runs inside Microsoft’s Internet Explorer Web browser. It is used to control videos viewed during Web browsing, primarily those which have been converted from television. The problem affects computers using Microsoft’s Windows XP and Windows Server 2003. Windows’ latest version, Vista, does not appear to be affected by the hole, nor does Microsoft’s Windows Server 2008.

The company says that Internet Explorer does not depend on ActiveX to run videos successfully. That’s good news for online video watchers, as it should be possible to work around the problem by avoiding use of the vulnerable program. Details are available at support.microsoft.com/kb/972890   including a “fix it for me” option to disable ActiveX.