Hours after announcing plans to issue a patch next week for a dangerous Microsoft Video ActiveX control vulnerability, for which there are ongoing exploits being launched through drive-by attacks, a company official admitted the company first learned about the flaw in spring 2008.
Mike Reavey, group manager of the Microsoft Security Response Center, said in a blog post late Thursday that two researchers at IBM ISS first revealed the bug to engineers, which immediately got working on a fix. However, the process took more time than usual because of the complexity of the vulnerability.
Soon after it learned that active attacks were taking place against the flaw, Microsoft disclosed the vulnerability and recommended a temporary workaround, which involves setting the kill bit for the affected ActiveX control, Reavey said.
“The key thing I want customers to understand is that this is an issue that was responsibly reported to us, and we have been driving in our standard process toward a security update,” he wrote. “While in the middle of that process, attackers found this same vulnerability and began attacks against it. We were far enough in the process that we could provide information that customers can use to protect themselves in the interim, while we complete the investigation and deliver a security update that you can deploy broadly with confidence.”
The vulnerability is being mostly exploited through Asian websites, but experts worry that the threat will grow.