Vulnerability in Microsoft Video ActiveX Control being exploited
There is a new vulnerability in a Microsoft ActiveX (DirectShow) control, the Microsoft Video ActiveX Control implemented in msvidctl.dll, that is currently being exploited in the wild to take over or infect vulnerable machines. The vulnerable code is reached through the related MPEG2TuneRequest object exposed by the same control, which is why exploit pages instantiate that object rather than the control itself.
Microsoft Security Advisory (972890), published on July 06, 2009, describes the vulnerability as a remote code execution flaw affecting users of Internet Explorer: simply rendering a web page that instantiates the control is enough to trigger it, with no further user intervention required. This is typical of "drive-by" ActiveX exploits. As a result, an attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Since most Windows XP users operate with full Administrator privileges, their machines could be taken over completely and without notice.
This newly-exploited vulnerability is the second unpatched DirectShow bug to surface in the last five weeks. Workarounds for the new DirectShow vulnerability are listed in my extended content.
This security advisory is like the horse that is out of the stable. The vulnerability was only acknowledged on Monday, July 6, but it had already been distributed over the preceding weekend via compromised websites carrying injected redirection code. The compromised sites lead to a handful of payload sites hosting the exploit code, which targets msvidctl.dll, an ActiveX control for streaming video. I have read several reports [1] [2] [3] about a recent flurry of website injection compromises that started by targeting mostly Chinese servers, but has since moved on to attack any server anywhere that responds to the code injection attempt.
Each compromised website acts as a zombie redirector in a botnet of websites. The payloads are hosted on Asian and Former Soviet Union servers, where take-downs of malicious sites are slow at best and non-existent in many instances. The injected script re-routes visitors of those websites to a malicious, exploit-laden site, which in turn downloads and launches a multi-exploit hacker toolkit that includes the DirectShow attack code and the KillAV malware (which tries to kill your anti-virus program). DirectShow is the multimedia streaming part of Windows' DirectX infrastructure. Microsoft's advisory lists only Windows XP and Windows Server 2003 as affected by this DirectShow ActiveX attack (Windows Vista and Server 2008 are listed as not affected). Vista users who operate as Administrators with UAC turned off should still consider themselves at high risk, because the rest of the toolkit that arrives with the exploit runs with whatever rights the browser has.
How you can protect your computer against the DirectShow exploits
Until Microsoft releases a patch, tentatively set for July 14, 2009, users of XP and Server 2003 can apply the workarounds outlined in the Microsoft Security Advisory and disable the vulnerable ActiveX controls.
Microsoft Security Advisory (972890) explains how to disable the 45 ActiveX controls provided by msvidctl.dll to mitigate this vulnerability. The Microsoft Technet blog article about this vulnerability has a button to fix the kill bits for these ActiveX Objects with one push (requires Internet Explorer). Or, better yet, alter your Internet Options to disable all ActiveX Controls in the Internet Zone, whether signed or unsigned, or marked safe or otherwise.
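The "disable ActiveX in the Internet Zone" option above can be applied without touching Internet Explorer's dialogs, and, because the zone settings live under the current user's hive, without an Administrator account. The script below is an added example, not Microsoft's Fix It and not code from the advisory. It sets the five ActiveX-related policies of the Internet zone (zone 3) to "Disable" (value 3) and reports the resulting state. The policy IDs (1001, 1004, 1200, 1201, 1405) and the value meanings (0 = enable, 1 = prompt, 3 = disable) are the ones Internet Explorer uses for these settings; the function names are my own.

```powershell
# Added example: lock down ActiveX in IE's Internet zone for the current user.
# Runs under Windows PowerShell 2.0 on XP/2003; no Administrator rights needed
# because the Internet zone settings are stored per user under HKCU.

$InternetZone = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Policy IDs of the ActiveX-related entries in IE's "Security Settings" list.
$ActiveXPolicies = @{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1200' = 'Run ActiveX controls and plug-ins'
    '1201' = 'Initialize and script ActiveX controls not marked as safe'
    '1405' = 'Script ActiveX controls marked safe for scripting'
}

$Disable = 3   # 0 = Enable, 1 = Prompt, 3 = Disable

function Disable-InternetZoneActiveX {
    # Sets every ActiveX policy in the Internet zone to "Disable", preserving
    # all other zone settings (only the listed value names are written).
    if (-not (Test-Path $InternetZone)) {
        throw "Internet zone key not found: $InternetZone"
    }
    foreach ($policyId in $ActiveXPolicies.Keys) {
        Set-ItemProperty -Path $InternetZone -Name $policyId -Value $Disable -Type DWord
    }
}

function Get-InternetZoneActiveXState {
    # Returns a hashtable of policy ID -> current DWORD value, or $null when
    # the value is absent (IE then falls back to the zone's default level).
    $state = @{}
    $props = Get-ItemProperty -Path $InternetZone
    foreach ($policyId in $ActiveXPolicies.Keys) {
        $state[$policyId] = $props.$policyId
    }
    return $state
}

Disable-InternetZoneActiveX
$state = Get-InternetZoneActiveXState
foreach ($policyId in ($ActiveXPolicies.Keys | Sort-Object)) {
    $label = if ($state[$policyId] -eq $Disable) { 'Disabled' } else { "value=$($state[$policyId])" }
    Write-Host ("{0}  {1,-55} {2}" -f $policyId, $ActiveXPolicies[$policyId], $label)
}
```

Restart Internet Explorer after running it; open windows keep the zone settings they started with. Sites you trust and that genuinely need ActiveX (Windows Update, for instance) can be added to the Trusted Sites zone, which is zone 2 and is not touched by this script. If a domain administrator has set the Security_HKLM_only policy, the per-user values are ignored and the same value names must be written under the HKLM copy of the Zones\3 key instead.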
UPDATE - 7/10/2009
Microsoft has added Fix It and Undo workaround buttons on this security advisory support page. These offer one push solutions to set or unset the killbits for all 45 affected ClassIDs of the vulnerable ActiveX Controls. The instructions state: "To implement the workaround that disables the Microsoft Video ActiveX Control automatically on a computer that is running Windows XP or Windows Server 2003, click the Fix this problem link under Enable workaround. To undo the workaround, click the Fix this problem link under Disable workaround. Then click Run in the File Download dialog box, and follow the steps in this wizard."
Whether you run the Fix It button in a browser or download the Fix It file (it has a .msi extension, so it cannot be right-clicked and "Run as" an Administrator), you will need to run it from an account that has Administrator privileges (unfortunately). XP users operating as Limited or Power Users will need to close Internet Explorer, fast-switch into an Administrator level account, run the fix (file or browser), log out of the Admin account, then log back into their reduced-privilege (safer) account. When you re-open Internet Explorer the killbits for the affected ActiveX controls will be set. You survive to surf another day! You're welcome!
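For anyone who would rather set the killbits themselves than run the Fix It package, here is an added example script (mine, not Microsoft's, and not the advisory's text) that does what the workaround does: it writes the kill bit (0x400) into the Compatibility Flags value under the ActiveX Compatibility key for each listed CLSID, then reads it back to confirm. Only one CLSID is filled in, the MPEG2TuneRequest object's {0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}, which is the first entry in the advisory's list; the remaining CLSIDs must be copied from the advisory's workaround table. Like the Fix It, it must run from an Administrator account because the key is under HKLM.

```powershell
# Added example: set (and verify) the IE kill bit for a list of CLSIDs.
# Must be run from an Administrator account; the key lives under HKLM.

# First CLSID from Advisory 972890 (the MPEG2TuneRequest object). Append the
# other CLSIDs from the advisory's workaround table before running this.
$ClassIds = @(
    '{0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}'
)

$KillBit  = 0x400   # COMPAT_EVIL_DONT_LOAD: IE refuses to instantiate the control
$BasePath = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

function Get-CompatibilityFlags {
    # Returns the current Compatibility Flags DWORD for a CLSID, or 0 if unset.
    param([string]$ClassId)
    $key = Join-Path $BasePath $ClassId
    if (-not (Test-Path $key)) { return 0 }
    $props = Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($props -eq $null) { return 0 }
    return [int]$props.'Compatibility Flags'
}

function Set-KillBit {
    # ORs the kill bit into Compatibility Flags so any other flags already
    # present for the control are preserved rather than overwritten.
    param([string]$ClassId)
    $key = Join-Path $BasePath $ClassId
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $flags = (Get-CompatibilityFlags $ClassId) -bor $KillBit
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $flags -Type DWord
}

function Clear-KillBit {
    # The "undo" counterpart: removes only the kill bit, leaving other flags.
    param([string]$ClassId)
    $key = Join-Path $BasePath $ClassId
    if (-not (Test-Path $key)) { return }
    $flags = (Get-CompatibilityFlags $ClassId) -band (-bnot $KillBit)
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $flags -Type DWord
}

function Test-KillBit {
    # True when the kill bit is present in Compatibility Flags for the CLSID.
    param([string]$ClassId)
    return (((Get-CompatibilityFlags $ClassId) -band $KillBit) -eq $KillBit)
}

foreach ($clsid in $ClassIds) {
    Set-KillBit $clsid
    if (Test-KillBit $clsid) {
        Write-Host "kill bit set:     $clsid"
    } else {
        Write-Warning "kill bit NOT set: $clsid"
    }
}
```

On 64-bit Windows (XP x64, Server 2003 x64) the 32-bit Internet Explorer reads the same key under HKLM:\SOFTWARE\Wow6432Node\..., so run the loop a second time with $BasePath pointed there. Test-KillBit is also a quick way to audit a machine after the Fix It has been applied, or after the patch arrives, to see which CLSIDs are still blocked.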
I also recommend that you further protect your computers by downloading Mozilla's Firefox browser and surfing the web with it, exclusively (Firefox offers to import IE cookies and Favorites during setup). Firefox doesn't recognize or run any ActiveX controls, making it safer out of the box. Also, any critical bugs in Firefox are usually patched very quickly, to protect the users from exploits via their Firefox browsers. Always use the latest version of Firefox and set the checking for updates to automatic.
In addition to affecting Internet Explorer, the DirectShow exploits also reach Microsoft Outlook, Outlook Express and Windows Live Mail, because those clients use the same rendering engine to display HTML messages. If you have moved your email client out of the Restricted Sites zone and allow HTML content to be displayed, you are at risk from email-borne exploit attacks. Even with your email client opening messages in the Restricted zone, the links in those messages will still be clickable. If you are fooled into clicking on a hostile link, chances are high that your PC will be drafted into a botnet, or acquire a Trojan or a downloader malware agent. The same applies to links sent to you by bots in hijacked Instant Messages.
This bears repeating: An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. I invite you to read my article explaining how operating with reduced user privileges protects against the installation of 92% of known malware.
The US-CERT has published a great article explaining how to secure your web browsers against most common exploit tactics. You should bookmark that page!
In closing, apply the workarounds listed in Microsoft Advisory 972890 to kill the affected ActiveX Controls (or turn OFF ActiveX altogether). Surf the interwebs with Firefox, not Internet Exploder. Finally, keep the best anti-malware protection on your computer that you can afford. I use and recommend Trend Micro Internet Security 2009. If you can't afford to purchase a commercial security suite, at least get a decent free anti-virus and anti-spyware/malware solution. Avira AntiVir Free and Spybot Search & Destroy are good free programs. So is MalwareBytes AntiMalware, which I use and promote.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.