… Microsoft is investigating a privately reported vulnerability in Microsoft Video ActiveX Control. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. When using Internet Explorer, code execution is remote and may not require any user intervention.
We are aware of attacks attempting to exploit the vulnerability. …
Microsoft is currently working to develop a security update for Windows to address this vulnerability and will release the update when it has reached an appropriate level of quality for broad distribution. … [1]
We are aware of active attacks exploiting a remote code execution vulnerability in Microsoft’s MPEG2TuneRequest ActiveX Control Object. We have released advisory 972890 providing guidance to help our customers stay protected. In this blog post, we’d like to go into more detail to help you understand this issue. [3]
A browse-and-get-owned attack vector exists. A user needs to be lured to navigate to a malicious website or a compromised legitimate website to be affected. No further user interaction is needed. [3]
The 0-day exploit will be detected as Exploit-MSDirectShow.b by McAfee VirusScan from DAT 5668. [7]
Exploit-MSDirectShow.b (0-day) – trojans that exploit an unpatched vulnerability in the Microsoft DirectShow ActiveX object, via Internet Explorer.
REMEDIATION:
Exploit code has been published publicly via a number of Chinese web sites [4]. Setting the kill bit for the MPEG2TuneRequest ActiveX Control Object (CLSID 0955AC62-BF2E-4CBA-A2B9-A63F772D46CF) is the recommended workaround [3]. The Microsoft Security Response Center (MSRC) has made a kill bit package, MicrosoftFixit50287.msi, available that closes this and several other issues.
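The kill bit workaround above can be applied and verified by hand on a single host. The script below is an added example, not part of the advisory, the Fix it package or this digest's sources: it sets the documented "Compatibility Flags" value (0x400 = kill bit) under the Internet Explorer "ActiveX Compatibility" key for the CLSID named above, in both the native hive and, on 64-bit Windows, the Wow6432Node hive that 32-bit Internet Explorer reads, and then reports the resulting state. It must run from an elevated PowerShell prompt. It covers only this one CLSID; the Fix it package kill-bits additional controls that this script does not touch.

```powershell
# Added example: set and verify the IE kill bit for the MPEG2TuneRequest control.
# The CLSID is the one named in the digest; the registry path and the 0x400
# flag value are the documented ActiveX Compatibility mechanism. Run elevated.
$clsid   = '{0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}'
$KILLBIT = 0x400

# Native hive plus the 32-bit view used by 32-bit IE on 64-bit Windows.
$paths = @(
    "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid"
)

foreach ($p in $paths) {
    # Wow6432Node only exists on 64-bit Windows; skip hives that are absent.
    if (-not (Test-Path (Split-Path $p -Parent))) { continue }

    # Create the per-CLSID key if no compatibility entry exists yet.
    if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }

    # Read the current flags (null if the value does not exist yet).
    $cur = (Get-ItemProperty -Path $p -Name 'Compatibility Flags' `
                -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $cur) { $cur = 0 }

    # OR the kill bit in rather than overwriting, so other flags survive.
    Set-ItemProperty -Path $p -Name 'Compatibility Flags' `
        -Value ($cur -bor $KILLBIT) -Type DWord
}

# Verification: print the flags for each hive and whether the kill bit is set.
foreach ($p in $paths) {
    if (-not (Test-Path $p)) { continue }
    $v = (Get-ItemProperty -Path $p -Name 'Compatibility Flags').'Compatibility Flags'
    $state = if ($v -band $KILLBIT) { 'kill bit SET' } else { 'kill bit NOT set' }
    '{0}: 0x{1:X} ({2})' -f $p, $v, $state
}
```

The verification loop is the part worth keeping in a deployment script: a reporting tool that only checks for the presence of the key, rather than for the 0x400 bit in the value, will miss hosts where the key exists with other flags but no kill bit.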
LINKS:
[1] Microsoft Security Advisory (972890) Vulnerability in Microsoft Video ActiveX Control Could Allow Remote Code Execution (2009-Jul-06) [MS: Technet]
[2] Microsoft Security Advisory 972890 Released (2009-Jul-06) [MS: MSRC]
[3] New vulnerability in MPEG2TuneRequest ActiveX Control Object in msvidctl.dll (2009-Jul-06) [MS: SRD]
[4] 0-day in Microsoft DirectShow (msvidctl.dll) used in drive-by attacks (2009-Jul-06) [SANS]
[5] 0-dags drive-by i praksis (0-day drive-by in practice) (2009-Jul-??) [CSIS] (EN via Google)
[6] IE 0day exploit domains (constantly updated) (2009-Jul-06) [SANS]
[7] New Attacks Against Internet Explorer (2009-Jul-06) [McAfee]
[8] Microsoft DirectShow MPEG2TuneRequest ActiveX Control Buffer Overflow (2009-Jul-06) [Secunia]
CRP09-028

Exploit for this 0-day vulnerability: http://www.rec-sec.com/2009/07/06/ms-directshow-msvidctl-exploit/
…Customers who have already implemented the killbits manually or through the FixIt workaround won’t need to implement next week’s security update, though we recommend that you apply the update to ensure that reporting accurately shows that the systems are fully protected.
…
We’re on track to release the security update next Tuesday. But if you haven’t implemented the killbits already, we recommend that you go ahead and do that to protect yourself against the attacks. …
– Questions about Timing and Microsoft Security Advisory 972890 (2009-Jul-09) [MSRC]