Microsoft has been forced to issue emergency patches for Windows after researchers discovered a way to bypass a critical security mechanism in Internet Explorer.
During a talk at this week's Black Hat conference in Las Vegas, researchers Mark Dowd, Ryan Smith and David Dewey will show a way of bypassing the 'kill-bit' mechanism used to disable buggy ActiveX controls.
A video demonstration posted by Smith shows how the researchers were able to bypass the mechanism, which checks for ActiveX controls that are not allowed to run on Windows. They were able to then exploit a buggy ActiveX control in order to run an unauthorised program on a victim's computer.
Although the researchers have not revealed the technical details behind their work, this bug could be a big deal, giving hackers a way of exploiting ActiveX problems that were previously thought to have been mitigated via kill-bits.
"It's huge because then you can execute controls on the box that weren't intended to be executed," said Eric Schultze, chief technology officer with Shavlik Technologies. "So by visiting an evil Web site [criminals] can do anything they want even though I've applied the patch."
Microsoft commonly issues these kill-bit instructions as a quick way of securing Internet Explorer from attacks that exploit buggy ActiveX software.
ActiveX controls are identified in the Windows Registry by unique numbers called GUIDs (globally unique identifiers). The kill-bit mechanism blacklists individual GUIDs in the registry so that Internet Explorer will not load the corresponding components.
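The registry check the article describes, as an added defender's audit script (not code from the article or from Microsoft): it reads the per-CLSID "Compatibility Flags" value under the ActiveX Compatibility key, tests the kill-bit flag (0x400, documented in Microsoft KB 240797), and lists every kill-bitted control together with whether that control is still registered on the machine. It assumes a Windows host with PowerShell; the CLSID passed at the end is a constructed placeholder, not a real control.

```powershell
# Added example: audit kill-bit status of ActiveX controls from the registry.
# Assumes Windows PowerShell; the CLSID used at the bottom is a placeholder.
$KillBit = 0x400   # bit in "Compatibility Flags" that marks a control as kill-bitted (KB 240797)
$Base    = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

function Test-KillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Join-Path $Base $Clsid
    if (-not (Test-Path $key)) { return $false }           # no entry at all: not kill-bitted
    $item  = Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    $flags = $item.'Compatibility Flags'
    if ($null -eq $flags) { return $false }                # key exists but no flags value
    return (($flags -band $KillBit) -ne 0)
}

# Enumerate every kill-bitted CLSID and look up its friendly name under HKCR\CLSID,
# so an administrator can see which blocked controls are still installed.
function Get-KillBittedControls {
    Get-ChildItem -Path $Base | ForEach-Object {
        $clsid = $_.PSChildName
        if (Test-KillBit $clsid) {
            $reg  = Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid" -ErrorAction SilentlyContinue
            $name = if ($reg) { $reg.'(default)' } else { $null }
            [pscustomobject]@{ CLSID = $clsid; Name = $name; Registered = [bool]$reg }
        }
    }
}

# Placeholder CLSID (constructed, not a real control) to show the single-entry check
Test-KillBit '{00000000-0000-0000-0000-000000000000}'
Get-KillBittedControls | Sort-Object Registered -Descending | Format-Table -AutoSize
```

Controls that show Registered = True are the ones the kill-bit is actively protecting; they are the entries worth reviewing when a kill-bit bypass like the one described here is announced.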
According to sources familiar with the matter, Microsoft is taking the unusual step of releasing an emergency patch for the bug on Tuesday.
Microsoft typically only releases these "out-of-cycle" patches when hackers are exploiting the flaw in real-world attacks. But in this case the details of the flaw are still secret and Microsoft said it is not being used in attacks.
"This must have really scared Microsoft," Schultze said, speculating on why Microsoft might have issued the out-of-cycle patches.
It may also reflect an awkward public relations problem for Microsoft, which has been working more closely with security researchers in recent years.