Security Warning: Vulnerable Microsoft Video ActiveX Control Being Exploited in the Wild
On July's so-called Patch Tuesday, Microsoft released security bulletin MS09-032 with a patch for a vulnerability in the Microsoft Video ActiveX Control (msVidCtl) that is being actively exploited on the Internet through drive-by downloads. Initially, in-the-wild attacks were limited; however, the vulnerability is now being exploited on a much larger scale, and exploit code has been published, which makes it easier for more attackers to use it. Currently the vulnerability is mostly being exploited from web sites in China, where thousands of hacked web sites have had the malicious code added. Many of these web sites are otherwise reputable. The web sites appear to have been compromised using an exploit kit. The scope of this attack is likely to increase. ActiveX controls are one of the top targets of web exploit toolkit developers. These web exploit toolkits now account for nearly all browser-related exploits seen in
Warning: The vulnerability is being actively exploited on the Internet.
Severity: Medium. The current exploit runs with the privileges of the logged-on user, which allows complete control of the computer if that user has local administrator rights. (A "warning" alert is issued for a situation that is currently occurring, or where conditions are right for it to occur soon.)
Media attention: Yes.
Affected systems: Internet Explorer 6 or 7 on Windows XP and Windows Server 2003. The Enhanced Security Configuration that is enabled by default in Windows Server 2003 effectively mitigates the vulnerability, because it blocks ActiveX controls from Internet-zone sites.
How Are Systems Compromised?
The current exploit primarily compromises systems through a drive-by download that attempts to install a cocktail of malware on the visitor's computer. A user needs only to browse to a malicious web site or to a compromised legitimate one. Sites that accept user-provided HTML content (such as facebook.com, myspace.com and netflix.com) or that host advertisements with unvetted content could carry specially crafted content that exploits this vulnerability. No further user action is needed for the computer to be compromised.
Users are typically lured to malicious or compromised web sites, for example through links in e-mail messages. However, search engine seeding with the malicious or compromised web sites is also possible. Remember that safe computing practice is not to follow links in unsolicited messages, no matter how compelling the message is (such as promises of news about current events such as Michael Jackson, or that you can get a laptop for
How Do I Protect My Computer?
Microsoft Security Bulletin MS09-032 is a cumulative security update of ActiveX kill bits. It is essentially the same solution as the workaround previously published by Microsoft in Security Advisory 972890. Installing this update prevents Internet Explorer from loading the vulnerable ActiveX control by setting the kill bit for the control's CLSID. Note that a kill bit only stops Internet Explorer (and other hosts that honor the kill-bit list) from instantiating the control; it does not remove the vulnerable code from msVidCtl.dll.
Currently only one ActiveX control object is being exploited; however, the Microsoft advisory lists 45 CLSIDs in the Microsoft Video ActiveX Control that Microsoft recommends killing. Microsoft has investigated and found that none of the controls in msVidCtl.dll are meant to be used in Internet Explorer, so there is no reason not to set the kill bit for all of them. Setting the kill bit for one control on one computer takes a little work; setting 45 kill bits on many PCs is much harder. The Microsoft advisory contains instructions for setting the kill bit. Install the cumulative security update of ActiveX kill bits to kill all 45 CLSIDs.
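As an added example (this is not Microsoft's Fix It package nor the ITPS Group Policy Object, and it is not code from the original bulletin), the following PowerShell sets and then audits Internet Explorer kill bits for a list of CLSIDs. The registry location and the 0x400 flag value are the ones Microsoft documents for ActiveX kill bits; the two CLSIDs in the script are placeholders constructed for the example, so substitute the 45 CLSIDs from Microsoft Security Advisory 972890. The function names are this example's own. Run it from an elevated prompt, because the keys live under HKEY_LOCAL_MACHINE.

```powershell
# Added example: set and verify IE ActiveX kill bits for a list of CLSIDs.
# The kill bit is the 0x400 flag in the "Compatibility Flags" DWORD under
# HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}.
# Requires administrative rights (writes to HKLM).

$KillBitFlag = 0x400
$CompatPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    # 32-bit IE on 64-bit Windows reads the Wow6432Node branch instead
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Set-ActiveXKillBit {
    param([string[]]$ClsidList)
    foreach ($base in $CompatPaths) {
        # The Wow6432Node branch does not exist on 32-bit Windows; skip it there
        if (-not (Test-Path $base)) { continue }
        foreach ($clsid in $ClsidList) {
            $key = Join-Path $base $clsid
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            $existing = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
            if ($existing -eq $null) { $existing = 0 }
            # OR the flag in so that any compatibility flags Microsoft already set are preserved
            Set-ItemProperty -Path $key -Name 'Compatibility Flags' `
                -Value ($existing -bor $KillBitFlag) -Type DWord
        }
    }
}

function Test-ActiveXKillBit {
    # Audits the primary (non-Wow6432Node) branch and reports one row per CLSID
    param([string[]]$ClsidList)
    $results = @()
    foreach ($clsid in $ClsidList) {
        $key = Join-Path $CompatPaths[0] $clsid
        $flags = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
        $results += New-Object PSObject -Property @{
            CLSID  = $clsid
            Killed = (($flags -ne $null) -and (($flags -band $KillBitFlag) -eq $KillBitFlag))
        }
    }
    return $results
}

# Placeholder CLSIDs constructed for this example; replace with the 45 from advisory 972890
$Clsids = @('{00000000-0000-0000-0000-000000000001}',
            '{00000000-0000-0000-0000-000000000002}')

Set-ActiveXKillBit  -ClsidList $Clsids
Test-ActiveXKillBit -ClsidList $Clsids | Format-Table CLSID, Killed -AutoSize
```

The audit function is the useful half for an organization: run it (or the equivalent query) against every machine after the GPO, Fix It or MS09-032 update has been deployed, and treat any row with Killed = False as unprotected. The same registry values can be distributed with a Group Policy startup script or Group Policy Preferences registry items, which is what the emergency GPO described later in this bulletin does.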
Use a gateway spyware blocker (such as Untangle) that can block malicious ActiveX controls, so that the vulnerable control's CLSIDs need to be added in just one place on your network. Keep in mind that a gateway only protects traffic that passes through it; laptops used away from the office still need the kill bits set locally.
Do not log on with an account that has administrative rights for normal use of the computer.
Most major antivirus vendors have added detection for this particular exploit, so keep antivirus and intrusion detection/prevention signatures up to date. However, other exploits of the underlying vulnerability will not necessarily be detected by antivirus or intrusion detection/prevention systems until a sample of the new exploit has been analyzed and signatures developed.
Microsoft Security Bulletin MS09-032: http://www.microsoft.com/technet/security/Bulletin/MS09-032.mspx
Microsoft Security Advisory 972890: http://www.microsoft.com/technet/security/advisory/972890.mspx
Symantec blog: http://www.symantec.com/connect/blogs/another-unpatched
McAfee Avert blog: http://www.avertlabs.com/research/blog/index.php/
Trend Micro blog: http://blog.trendmicro.com/zero-day-microsoft-directshow
Microsoft has published several blog entries regarding this
Washington Post: http://voices.washingtonpost.com/securityfix/2009/07/
The Register: http://www.theregister.co.uk/2009/07/06/new_microsoft_exploit_in_wild/
cnet news: http://news.cnet.com/8301-10784_3-9984823-7.html
Based on the criticality, IT Professional Services performed an emergency deployment of either a Group Policy Object (GPO) that sets the kill bit for all 45 vulnerable ActiveX control class IDs (CLSIDs) or the Microsoft "Fix It for Me" installer to protect all systems under
If you need assistance installing protection from this exploit, or a security assessment, IT Professional Services can help. Call our
out more about our managed care service. To find out how vulnerable your network is, schedule a free network security analysis today.
We at IT Professional Services (ITPS)
hope that the information in this bulletin is valuable to you. ITPS
believes the information provided herein is reliable. While care has
been taken to ensure accuracy, your use of the information contained in
this bulletin is at your sole risk. All information in this bulletin is
provided "as-is", without any warranty, whether express or implied, of
its accuracy, completeness, fitness for a particular purpose, title or
non-infringement, and none of the third-party products or information
mentioned in the bulletin are authored, recommended, supported or
guaranteed by ITPS. ITPS shall not be liable for any damages you may
sustain by using this information, whether direct, indirect, special,
incidental or consequential, even if it has been advised of the
possibility of such damages.