After US-CERT and SecurityFocus disclosed a new ActiveX security vulnerability in the Internet Explorer 6 browser, Microsoft stated on the Microsoft Security Response Center Blog that it would investigate the vulnerability in detail. Yesterday, Microsoft officially released detailed information about it.

Microsoft stated that this ActiveX vulnerability is not dangerous at all; it is only a minor flaw that is difficult to exploit to remotely take control of an affected system. Only certain Windows versions with Microsoft XML Core Services 4.0 installed (a toolset that lets developers use scripting languages to access XML-formatted documents) are affected by the ActiveX vulnerability. Specifically, the affected Windows versions are Windows 2000 Service Pack 4, Windows XP Service Pack 2, Windows Server 2003, and Microsoft Windows Server 2003 Service Pack 1.

To exploit the vulnerability successfully, an attacker must trick the user into visiting a specially crafted web page that carries exploit code for the XMLHTTP 4.0 ActiveX Control flaw. In addition, the attacker must obtain access rights on the affected system equivalent to those of the user currently in use. Only when all of these conditions are met can the attacker take full control of the affected system.

Microsoft stated that a similar XMLHTTP ActiveX Control flaw was discovered 5 years ago. That flaw was subsequently fixed.

To protect themselves, users can disable the browser's ActiveX Control feature. However, if this feature is disabled, some websites may not work properly.

The SANS Institute classifies the newly discovered ActiveX Control vulnerability in Internet Explorer 6 as a "zero-day" flaw. This means the flaw has not yet been patched. Meanwhile, some other security vendors rate the flaw as "extremely dangerous".

According to PcWorld, VnMedia

Article source http://w4rum.com/363.t