tech2news around U


Archive for the 'Uncategorized' Category


New Attack Kit Targets Bag of ActiveX Bugs

Posted by mylow on April 8, 2008

Hackers are using a new multiple-attack package composed of seven ActiveX exploits, many of them never seen in the wild before, said a security company on Friday.

Fewer than half of the flawed ActiveX controls have been patched.

The attack framework probes Windows PCs for vulnerable ActiveX controls from software vendors Microsoft, Citrix Systems and Macrovision, as well as hardware makers D-Link, Hewlett-Packard, Gateway and Sony, said a Symantec researcher.

“What’s interesting about this attack is that there are so many vulnerabilities in one attack that have not been seen in the wild previously,” said Symantec researcher Patrick Jungles, who wrote an analysis of the multistrike package for customers of the company’s DeepSight threat service.

According to Jungles, visitors to compromised Web sites are redirected by a rogue IFRAME to a malicious site serving the package. The attack pack tests the victim’s PC for each ActiveX control, detects whether a vulnerable version of a control is installed, and then launches an attack when it finds one.

Bugs in ActiveX, a Microsoft technology used most often to create add-ons for the company’s Internet Explorer browser, have always been common, but so many serious flaws have been disclosed of late that some security experts have recommended that users do without them.

The seven exploited in the package outlined by Jungles are a mix of old and brand-new flaws. For example, Microsoft’s own ActiveX vulnerability — a bug in IE’s Speech API — was disclosed in June 2007, while the vulnerability in the Citrix Presentation Server Client control harks back even further, to December 2006. Others, such as the ActiveX bugs in D-Link’s security webcams and in Sony’s ImageStation, are much more recent, having been revealed in February.

Four of the seven ActiveX flaws — those in the D-Link, Gateway, Sony and Macrovision products — have not been patched, said Jungles.

Assuming the exploit framework succeeds in compromising a PC, the hackers drop a Trojan on the machine that turns it into a spam-spewing zombie; the Trojan includes a rootkit component to mask the malware from antivirus scanners.

Symantec added that while the initial IP address that sent users to the malicious site was no longer infected with the IFRAME code, other addresses were redirecting users.

“The list of IPs involved in the exploitation is by no means comprehensive,” said Jungles, “because the nature of the exploitation indicates that several other sites are likely forwarding victims.” The IFRAME code, he continued, had been found embedded in the legitimate sites’ HTML and was at times distributed via online advertisements; DNS poisoning, he said, was also suspected.

Jungles’ report recommended that users apply patches, when they’re available, and set the “kill bit” on those ActiveX controls that have not yet been updated by their makers.
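The kill-bit recommendation above, as an added example (not taken from the Symantec report or the article): Internet Explorer refuses to instantiate a control whose `Compatibility Flags` value under the `ActiveX Compatibility` registry key has bit `0x400` set. The CLSID below is a placeholder, since the article lists no CLSIDs, and the `$Apply` switch and function names are this example's own.

```powershell
# Added example: audit (and optionally set) the IE kill bit for ActiveX controls.
# Run from an elevated prompt. The CLSID is a placeholder, not a real control;
# take real CLSIDs from each vendor's advisory.
$Clsids  = @('{00000000-0000-0000-0000-000000000000}')
$Apply   = $false      # $false = report only, $true = write the kill bit
$KillBit = 0x400       # "Compatibility Flags" bit that blocks instantiation in IE
$Name    = 'Compatibility Flags'
$Roots   = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    # Registry view used by 32-bit IE on 64-bit Windows
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
) | Where-Object { Test-Path -LiteralPath (Split-Path $_ -Parent) }

function Get-CompatFlags {
    param([string]$Key)
    $prop = Get-ItemProperty -LiteralPath $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return 0 }    # key or value missing: no flags set
    return $prop.$Name
}

function Set-KillBit {
    param([string]$Key)
    if (-not (Test-Path -LiteralPath $Key)) { New-Item -Path $Key -Force | Out-Null }
    # OR the bit in so other compatibility flags already on the control survive
    $flags = (Get-CompatFlags $Key) -bor $KillBit
    Set-ItemProperty -LiteralPath $Key -Name $Name -Value $flags -Type DWord
}

foreach ($root in $Roots) {
    foreach ($clsid in $Clsids) {
        $key = Join-Path $root $clsid
        $set = ((Get-CompatFlags $key) -band $KillBit) -eq $KillBit
        if (-not $set -and $Apply) {
            Set-KillBit $key
            $set = ((Get-CompatFlags $key) -band $KillBit) -eq $KillBit
        }
        [pscustomobject]@{ Key = $key; KillBitSet = $set }
    }
}
```

Run it once with `$Apply = $false` to see which controls are still unblocked in each registry view, then set `$Apply = $true` to write the flag.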

Posted in Uncategorized | No Comments »

First mobile ransom Trojan

Posted by mylow on April 4, 2008

Making money is what today’s malware is all about, and the first ransom Trojans for smartphones have been found in China. We have seen similar Trojans on the PC side, which infect your computer, take your data ‘hostage’ or somehow disrupt your computer’s capabilities, and then offer to restore everything to normal if you pay the ransom. Typically, the ransom Trojan first encrypts your hard drive and then sends you a password after you have sent money to the criminals via an online money transfer system.

In the case of Kiazha, the first smartphone ransom Trojan, you get infected by downloading a shareware lookalike program on your phone, which then drops several known older viruses on your phone. Next it sends a message explaining that you can only get the phone fixed by transferring the equivalent of seven dollars to the attackers through an online payment system. Today’s smartphones are so important to many people that they are prepared to pay a ransom to get back their phonebook, calendar and mobile emails, so we might well be seeing much more of this type of malware in the future.


India Rejects Office Open XML Again

Posted by mylow on March 24, 2008

A technical committee in India has rejected Microsoft’s Office Open XML file format as a standard.

In the meeting of the Bureau of Indian Standards (BIS) technical committee Thursday, 13 members voted against the standard, while five members, including some outsourcing companies, and the National Association of Software and Service Companies (Nasscom) voted for making Open XML a standard.

Nasscom is in favor of multiple standards, including Open XML and ODF (Open Document Format), the association said in a statement. It added that technology neutrality and competition will lead to falling prices of IT products.

The technical committee was constituted by the Bureau of Indian Standards (BIS), India’s national standards body, after moves by Microsoft and other organizations to make Open XML a standard of the International Organization for Standardization (ISO).

BIS is a founder member of ISO, and represents India at the ISO.

The BIS committee had voted in August against making Office Open XML a standard, although some participants said at the time that the technical committee and BIS might reconsider Open XML as a standard after Microsoft made the required changes to the document format.

The India vote comes ahead of a March 29 deadline for ISO members to reconsider their votes if they wish.

While disappointed by the decision of the BIS committee, Microsoft said Thursday that it was nonetheless encouraged by the support of IT industry players such as Nasscom, Tata Consultancy Services, Wipro and Infosys, which voted in favor of Open XML becoming an ISO standard.

