Alert
0-day in Microsoft DirectShow ActiveX control
Posted: 2009-07-07 10:15:00
Summary: A vulnerability in the msVidCtl component of the DirectShow ActiveX control is currently being exploited via drive-by download.
Affected Systems:
Windows XP (32/64-bit, all service packs)
Windows Server 2003 (32/64-bit, Itanium, all service packs)
Please note:

In Windows Server 2003 ONLY, the Enhanced Security Configuration feature can successfully mitigate this attack via IE from the Internet Zone. If ESC has been disabled/modified, Windows Server 2003 can be exploited via IE.

Additionally, the default behavior of Microsoft Outlook and Outlook Express is to open HTML e-mail messages in the Restricted sites zone. If these settings have been modified, the exploit may execute successfully via a maliciously crafted HTML e-mail message.

Description:
The primary infection vector for this exploit is via enticement to visit a maliciously crafted web page. A user may receive an e-mail message asking them to click a link or may be lured in by malicious search results.
Solution:

Microsoft recommends setting the kill bits for this ActiveX control and has released a tool that does this automatically. It can be downloaded at http://go.microsoft.com/?linkid=9672398
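To confirm that the kill bits were actually applied, the following added example (not part of the original alert and not Microsoft's tool) checks `reg export` text for the 0x400 "Compatibility Flags" value under the ActiveX Compatibility key, in both the native and the Wow6432Node view. The CLSIDs and the sample export are constructed placeholders; take the real class identifiers from Security Advisory 972890.

```python
import re

KILL_BIT = 0x00000400  # "Compatibility Flags" bit that stops IE from instantiating a control
COMPAT_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility",
    # 32-bit IE on 64-bit Windows reads the redirected registry view
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility",
)

def parse_compat_flags(reg_text):
    """Map upper-cased key path -> 'Compatibility Flags' DWORD found in .reg text."""
    flags, key = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].upper()  # registry key names are case-insensitive
            continue
        m = re.match(r'"Compatibility Flags"=dword:([0-9a-fA-F]{1,8})$', line)
        if m and key:
            flags[key] = int(m.group(1), 16)
    return flags

def audit_killbits(reg_text, clsids, views=COMPAT_KEYS):
    """Return {clsid: [views where the kill bit is NOT set]}; an empty list means covered."""
    flags = parse_compat_flags(reg_text)
    report = {}
    for clsid in clsids:
        # A missing key or value counts as 0, i.e. no kill bit
        report[clsid] = [v for v in views
                         if not flags.get(f"{v}\\{clsid}".upper(), 0) & KILL_BIT]
    return report

# Constructed sample export; the CLSIDs are placeholders, not the advisory's values.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000001}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000001}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000002}]
"Compatibility Flags"=dword:00800000
'''

if __name__ == "__main__":
    ids = ["{00000000-0000-0000-0000-00000000000%d}" % n for n in (1, 2, 3)]
    for clsid, missing in audit_killbits(SAMPLE, ids).items():
        print(clsid, "OK" if not missing else "kill bit missing in: " + "; ".join(missing))
```

On a 32-bit system, pass `views=COMPAT_KEYS[:1]` so the absent Wow6432Node view is not reported as a gap.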

Users should also be encouraged to switch to a browser other than Internet Explorer for everyday browsing purposes.

References:
New vulnerability in MPEG2TuneRequest ActiveX Control Object in msvidctl.dll
Microsoft Security Advisory 972890 Released
Source:
Microsoft Security Advisory (972890) Vulnerability in Microsoft Video ActiveX Control Could Allow Remote Code Execution