July 4, 2004

microsoft's fix fails to close hole?

I just read over at The Security Mentor that there's still debate about whether Microsoft actually closed the ADODB.Stream ActiveX hole, recently exploited by Scob, with their software update patch last week. With a little digging, I found this NTBugtraq item on an unfixed Scob variant and this Bugtraq post saying "THE VULNERABILITY STILL WORKS AFTER TODAY'S PATCH". If this is still a problem, and it looks like it is, then Microsoft hasn't closed the hole at all.

It sounds like they've known about this variant attack (the same trick, using the Shell.Application control instead of ADODB.Stream) for just as long as the ADODB.Stream hole. So why didn't they patch it with Friday's software update too? The only explanations I can come up with are that either they thought an incomplete fix now was better PR than a more complete fix later, or they have customers who depend too heavily on the Shell.Application ActiveX control and so decided they couldn't disable it the way they disabled ADODB.Stream.

The good news is that even though Microsoft seems content to leave IE vulnerable to this Scob variant, the Windows Registry change that closes the rest of the hole (the same kind of "kill bit" switch Microsoft's update applied to ADODB.Stream, applied to Shell.Application) is available at the NTBugtraq link above.
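If you want to check whether a machine actually got both switches rather than take the patch's word for it, the thing to look at is the "Compatibility Flags" value under each control's CLSID in IE's ActiveX Compatibility key: bit 0x400 is the kill bit, and IE refuses to instantiate a control that has it set. The script below is an added example, not code from the post or from NTBugtraq. It audits a registry export (`reg export` / regedit "Export") for the two controls and emits a .reg fragment that sets the kill bit on whichever one is still missing it. The CLSIDs for ADODB.Stream and Shell.Application and the sample export text are supplied here by me, not taken from the post; check the CLSIDs against your own registry before importing anything.

```python
"""Audit Internet Explorer ActiveX kill bits from an exported .reg file.

IE will not create a control whose REG_DWORD "Compatibility Flags" value, under
HKLM\\SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\{CLSID},
has bit 0x400 (the "kill bit") set. This script checks that bit for the two
controls involved in the Scob attack and builds a .reg fix for any that lack it.
"""
import re

KILL_BIT = 0x400
COMPAT_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer"
              r"\ActiveX Compatibility")

# CLSIDs supplied here (not from the post); verify them on your own machine.
CONTROLS = {
    "ADODB.Stream": "{00000566-0000-0010-8000-00AA006D2EA4}",
    "Shell.Application": "{13709620-C279-11CE-A49E-444553540000}",
}

# Constructed sample export: ADODB.Stream has the kill bit (as after Microsoft's
# Friday update), Shell.Application only has some unrelated flag bit set.
SAMPLE_EXPORT = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\{00000566-0000-0010-8000-00AA006D2EA4}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\{13709620-C279-11CE-A49E-444553540000}]
"Compatibility Flags"=dword:00000001
"""

_DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{1,8})$')


def parse_reg_export(text):
    """Return {lowercased key path: {value name: int}} for REG_DWORD values.

    Only dword values are kept; other value types are ignored. Registry key
    paths are case-insensitive, so they are lowercased for lookup. Real exports
    are UTF-16 with a BOM; decode the file to str before calling this.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        m = _DWORD_RE.match(line)
        if m:
            keys[current][m.group(1)] = int(m.group(2), 16)
    return keys


def _flags_for(keys, clsid):
    path = f"{COMPAT_KEY}\\{clsid}".lower()
    return keys.get(path, {}).get("Compatibility Flags", 0)


def killbit_status(keys, controls=CONTROLS):
    """Map control name -> True if its kill bit is set, else False."""
    return {name: bool(_flags_for(keys, clsid) & KILL_BIT)
            for name, clsid in controls.items()}


def killbit_reg_fix(keys, controls=CONTROLS):
    """Return .reg text that sets the kill bit on every control lacking it.

    Existing flag bits are preserved (OR-ed with 0x400) rather than clobbered.
    Controls that already have the kill bit are left out of the output.
    """
    lines = ["Windows Registry Editor Version 5.00", ""]
    for name, clsid in controls.items():
        flags = _flags_for(keys, clsid)
        if flags & KILL_BIT:
            continue
        lines += [f"; kill bit for {name}",
                  f"[{COMPAT_KEY}\\{clsid}]",
                  f'"Compatibility Flags"=dword:{flags | KILL_BIT:08x}',
                  ""]
    return "\n".join(lines)


if __name__ == "__main__":
    parsed = parse_reg_export(SAMPLE_EXPORT)
    for name, killed in killbit_status(parsed).items():
        print(f"{name:18s} kill bit {'set' if killed else 'NOT set'}")
    print(killbit_reg_fix(parsed))
```

On the sample, ADODB.Stream reports the kill bit set and Shell.Application does not, and the generated fix sets Shell.Application's flags to 0x401 so the unrelated bit survives. Import the emitted fragment with regedit (or `reg import`) and re-run the audit on a fresh export to confirm.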

How did this mess happen? I'm no security expert, so I may not be completely accurate on the technical details, but I think I've got the basics and the timeline correct, and this is what I think happened:

ActiveX, combined with Windows security zones, makes it possible for IE to download and install software automatically, without the user seeing any dialog or giving any explicit permission for the download and install. This is quite scary, and I don't think there's a Mozilla equivalent. There are several mechanisms available to ActiveX programmers to do this, but all of them are supposed to be restricted to the most trusted zones (the local machine and the intranet), never to pages from the internet. It turns out, however, that zones are broken: a page on the internet can use a couple of bits of ActiveX (ADODB.Stream, and the Shell.Application control used by the unfixed variant) as if it were a trusted local or intranet page.

Microsoft was informed of this problem nearly a year ago and failed to fix it. After the Scob attack broke (June 10), Microsoft spent about three weeks apparently unable to fix the real problem, and instead talked to important customers (big companies that standardized on IE and ActiveX) about just disabling the ADODB.Stream feature. By Friday, they had gathered enough data, and seen enough bad press, that they decided to push an update that disabled ADODB.Stream with a simple registry switch, one that had been publicly available from an independent security research group for the better part of a month (but not something Microsoft was loudly advertising).

Having left IE users open to this known exploit for almost a year, and then left their customers open to the "in the wild" Scob attack for about three weeks, Microsoft finally pushed out an update that worked around (rather than fixed) only part of the problem, and left the Shell.Application half of it open.

So, IE "features" which have been known to be insecure for quite a while, and which were being actively exploited by bad guys through high-profile banking and ecommerce web sites, were partially disabled by Microsoft only when the pressure from bad press (and hopefully customer complaints) got high enough. This is what Microsoft calls "Trustworthy Computing"?

Posted by asa at 9:37 AM
