New attack code targets Microsoft ActiveX zero-day vulnerability

Article

New attack code targets Microsoft ActiveX zero-day vulnerability

Robert Westervelt, News Editor

Security researchers detected a new drive-by exploit in the wild actively targeting a zero-day vulnerability in an ActiveX component that connects to the Microsoft DirectShow video streaming software.

Microsoft issued a security advisory today calling the vulnerability in its Video ActiveX Control

    Requires Free Membership to View

    Login

    SearchSecurity.co.UK members gain immediate and unlimited access to breaking UK industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchSecurity.co.UK today!

    Michael S. Mimoso, Editorial Director

    By submitting your registration information to SearchSecurity.co.uk you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchSecurity.co.uk is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

remotely exploitable with little user interaction when browsing with Internet Explorer. The ActiveX control msvidctl.dll connects to Microsoft DirectShow filters for use in capturing, recording, and playing video. The specific control is used by Windows Media Center to build filter graphs for recording and playing television video.

The software maker also issued an automated workaround until a patch is released.

Users of Windows 2000, 2003 or XP with Internet Explorer 6 and 7 are impacted by the attacks. Computers running Windows Vista or Windows Server 2008 are not affected by the attack.

The vulnerability is different from a DirectShow flaw acknowledged by Microsoft in May.

According to Symantec Corp., the exploit uses a JavaScript file and a data file to exploit the vulnerability in the video streaming ActiveX control. A victim must browse to a website hosting the malicious files.

"When a user visits a malicious website hosting these files, the vulnerability allows remote code execution and malicious files are downloaded," Symantec engineer Joji Hamada wrote on Symantec's security blog.

An attacker who successfully exploits the vulnerability could gain the same user rights as the local user, according to Microsoft.

Stephen Hall of the SANS Internet Storm Center said a valid work around for the attack vector is available which sets the kill bit on the vulnerable DLL. Hall posted details of the exploit.

Researchers say users of antivirus or IPS/IDS should ensure their signatures are up to date.

"It is likely to be widely deployed with the code being available," Hall wrote.

Updated with Microsoft information.