Security Alerts

Security Warning: Vulnerable Microsoft Video ActiveX Control Being Exploited in The Wild
Updated 7/14/2009

On so-called Patch Tuesday in July, Microsoft released security bulletin MS09-032 with a patch for a vulnerability in a Microsoft Video ActiveX Control (msVidCtl) that is being actively exploited on the Internet through drive-by downloads.  Initially, in-the-wild attacks were limited; however, the vulnerability is now being exploited more widely, and exploit code has been published publicly (making it easier for others to use the exploit).  Currently the vulnerability is mostly being exploited by web sites in China, where thousands of hacked web sites have had the malicious code added.  Many of these web sites would not be considered disreputable.  The web sites appear to have been compromised using an exploit kit.  The scope of this attack is likely to increase.

ActiveX controls are one of the top targets of malicious web exploit toolkit developers.  These web exploit toolkits now account for nearly all browser-related exploits seen in the wild.

Threat Level

Warning:  Vulnerability is being actively exploited on the Internet.

(A "warning" alert is for a situation that is currently occurring, or for which conditions are right for it to occur soon.)

Severity:  Medium.  The current exploit runs with the privileges of the logged-on user, which could allow complete control over the computer if the user has local administrator rights.

Media attention: Yes.

Affected Software

Internet Explorer 6 or 7 on Windows XP and Windows Server 2003.  Enhanced Security Configuration in Windows Server 2003 effectively mitigates the vulnerability.

How Are Systems Compromised?

The current exploit primarily compromises computer systems through a drive-by download, which attempts to install a cocktail of malware on visitors' computers.  A user needs only to browse a malicious or compromised legitimate web site.  Sites that allow user-provided HTML content (such as facebook.com, myspace.com, and netflix.com) or that host advertisements with unvetted content could contain specially crafted content that exploits this vulnerability.  No further user action is needed for the computer to be compromised.

Users are typically lured to malicious or compromised web sites through e-mail messages containing links.  However, search engine seeding with the malicious or compromised web sites is also possible.  Remember that safe computing practice is to not follow links in unsolicited messages, no matter how compelling the message is (such as promises of current news, for example about Michael Jackson, or of a laptop for very cheap).

How Do I Protect My Computer?

Microsoft Security Bulletin MS09-032 is a cumulative security update of ActiveX kill bits.  It contains essentially the same solution as the workaround previously published by Microsoft in the Security Advisory.  Installing this update will prevent the ActiveX Control from being executed by setting the kill bit for that control's CLSID.  Currently only one ActiveX Control object is being exploited; however, the Microsoft advisory lists 45 such Microsoft Video ActiveX Control objects that Microsoft recommends killing.  Microsoft has investigated and found that none of the controls in msVidCtl.dll are meant to be used in IE, so there is no reason not to set the kill bit for all of them.  Setting the kill bit for one control on one computer can be done with a little work; setting 45 kill bits on many PCs is much harder.  The Microsoft advisory contains instructions for setting the kill bit.  Install the cumulative security update of ActiveX kill bits to kill all 45 CLSIDs.
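For readers who must set kill bits by hand (or verify what the update or a GPO has pushed), the following PowerShell script is an added example, not code from this bulletin or from Microsoft.  It writes the kill bit (Compatibility Flags 0x400, the mechanism documented in Microsoft KB 240797) under the IE "ActiveX Compatibility" key for a list of CLSIDs and then reports whether each one is blocked; the CLSIDs in the script are placeholders, and the real 45 must be taken from Microsoft Security Advisory 972890.

```powershell
# Added example: set and verify IE ActiveX kill bits for a list of CLSIDs.
# Not from the bulletin or Microsoft. Requires an elevated prompt; the
# registry location and 0x400 flag are those documented in Microsoft KB 240797.

# PLACEHOLDER CLSIDs - replace with the 45 CLSIDs listed in Advisory 972890.
$KillBitClsids = @(
    '{00000000-0000-0000-0000-000000000001}',   # placeholder, not a real CLSID
    '{00000000-0000-0000-0000-000000000002}'    # placeholder, not a real CLSID
)

# 32-bit IE on 64-bit Windows reads this key under SOFTWARE\Wow6432Node instead.
$BasePath = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$KillBit  = 0x400    # Compatibility Flags bit that blocks the control in IE

function Set-KillBit {
    param([string]$Clsid)
    $key = Join-Path $BasePath $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Preserve any flags already present; only OR in the kill bit.
    $current = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $current) { $current = 0 }
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' `
        -Value ($current -bor $KillBit) -Type DWord
}

function Test-KillBit {
    # Returns $true only if the kill bit is actually present for the CLSID.
    param([string]$Clsid)
    $key = Join-Path $BasePath $Clsid
    if (-not (Test-Path $key)) { return $false }
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
              -ErrorAction SilentlyContinue).'Compatibility Flags'
    return ($null -ne $flags) -and (($flags -band $KillBit) -eq $KillBit)
}

foreach ($clsid in $KillBitClsids) {
    Set-KillBit -Clsid $clsid
    '{0}  kill bit set: {1}' -f $clsid, (Test-KillBit -Clsid $clsid)
}
```

Running only the Test-KillBit loop (without Set-KillBit) gives a quick audit of whether a machine already has the kill bits from MS09-032 or a GPO.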

Use a gateway spyware blocker (such as Untangle) that can block malicious ActiveX controls, so that the vulnerable ActiveX control's CLSID needs to be added in just one place on your network.

Do not log on with an account with administrative rights for normal use of the computer.

Most major virus protection vendors have added detection for this particular exploit, so keep virus protection and intrusion detection/prevention system definitions up-to-date.  However, other exploits of the underlying vulnerability will not necessarily be detected by virus protection or intrusion detection/prevention systems until a sample of the exploit has been analyzed and definitions developed.

More Information

Security Advisories
Microsoft Security Bulletin: http://www.microsoft.com/technet/security/Bulletin/MS09-032.mspx
Microsoft Advisory: http://www.microsoft.com/technet/security/advisory/972890.mspx
US-CERT: http://www.kb.cert.org/vuls/id/180513
ISS: http://www.iss.net/threats/329.html
Symantec blog: http://www.symantec.com/connect/blogs/another-unpatched-vulnerability-being-massively-exploited-internet-explorer
McAfee Avert blog: http://www.avertlabs.com/research/blog/index.php/2009/07/06/new-attacks-against-internet-explorer/
Trend Micro blog: http://blog.trendmicro.com/zero-day-microsoft-directshow-mpeg2tunerequest-exploit-leads-to-killav-malware/

Microsoft has published several blog entries regarding this vulnerability:
http://blogs.technet.com/msrc/default.aspx
http://blogs.technet.com/srd/

News
Washington Post: http://voices.washingtonpost.com/securityfix/2009/07/microsoft_internet_explorer_ex.html?wprss=securityfix
The Register: http://www.theregister.co.uk/2009/07/06/new_microsoft_exploit_in_wild/
KLFY:
WBOC-TV: http://www.wboc.com/Global/story.asp?S=279979&nav=menu222_8_6_4
cnet news: http://news.cnet.com/8301-10784_3-9984823-7.html
Computerworld: http://www.computerworld.com/s/article/9135259/Microsoft_may_have_known_about_critical_IE_bug_for_months?taxonomyId=1

Managed Services

Based on the criticality, IT Professional Services performed an emergency deployment of either a Group Policy Object (GPO) that sets the kill bit for all 45 vulnerable ActiveX Control Class IDs (CLSIDs) or the Microsoft "Fix It for Me" installer, to protect all systems under managed care.

Professional Services

If you need assistance installing protection from this worm or a security assessment, IT Professional Services can help. Call our help desk.

Find out more about our managed care service.

To find out how vulnerable your network is, schedule a free network security analysis today.

We at IT Professional Services (ITPS) hope that the information in this bulletin is valuable to you. ITPS believes the information provided herein is reliable. While care has been taken to ensure accuracy, your use of the information contained in this bulletin is at your sole risk. All information in this bulletin is provided "as-is", without any warranty, whether express or implied, of its accuracy, completeness, fitness for a particular purpose, title or non-infringement, and none of the third-party products or information mentioned in the bulletin are authored, recommended, supported or guaranteed by ITPS. ITPS shall not be liable for any damages you may sustain by using this information, whether direct, indirect, special, incidental or consequential, even if it has been advised of the possibility of such damages.

© 2009-2013 IT Professional Services All rights are reserved.  (805) 650-6030