New attack code targets Microsoft ActiveX zero-day vulnerability

By Robert Westervelt, News Editor
06 Jul 2009 | SearchSecurity.com

Security Wire Daily News

Security researchers detected a new drive-by exploit in the wild actively targeting a zero-day vulnerability in an ActiveX component that connects to the Microsoft DirectShow video streaming software.

Microsoft issued a security advisory today calling the vulnerability in its Video ActiveX Control remotely exploitable with little user interaction when browsing with Internet Explorer. The ActiveX control msvidctl.dll connects to Microsoft DirectShow filters for use in capturing, recording, and playing video. The specific control is used by Windows Media Center to build filter graphs for recording and playing television video.

The software maker also issued an automated workaround until a patch is released.

Users of Windows 2000, 2003 or XP with Internet Explorer 6 and 7 are impacted by the attacks. Computers running Windows Vista or Windows Server 2008 are not affected by the attack.

The vulnerability is different from a DirectShow flaw acknowledged by Microsoft in May.
DirectShow vulnerability:
May 29 - Hackers targeting unpatched Microsoft DirectShow flaw: Software giant is investigating a newly discovered flaw in DirectShow's QuickTime parser that could allow an attacker to execute code remotely.

According to Symantec Corp., the exploit uses a JavaScript file and a data file to exploit the vulnerability in the video streaming ActiveX control. A victim must browse to a website hosting the malicious files.

"When a user visits a malicious website hosting these files, the vulnerability allows remote code execution and malicious files are downloaded," Symantec engineer Joji Hamada wrote on Symantec's security blog.

An attacker who successfully exploits the vulnerability could gain the same user rights as the local user, according to Microsoft.

Stephen Hall of the SANS Internet Storm Center said a valid workaround for the attack vector is available, which sets the kill bit on the vulnerable DLL. Hall posted details of the exploit.

Researchers say users of antivirus or IPS/IDS should ensure their signatures are up to date.

"It is likely to be widely deployed with the code being available," Hall wrote.


Updated with Microsoft information.
