TechNet
Vulnerability in Microsoft Video ActiveX Control Could Allow Remote Code Execution
Published: July 06, 2009
Microsoft is investigating a privately reported vulnerability in Microsoft Video ActiveX Control. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. When using Internet Explorer, code execution is remote and may not require any user intervention.
We are aware of attacks attempting to exploit the vulnerability.
http://www.microsoft.com/technet/security/advisory/972890.mspx
The Microsoft Security Response Center (MSRC)
Microsoft Security Advisory 972890 discusses new, limited attacks against a Microsoft Video ActiveX Control affecting Windows XP and Windows Server 2003.
Specifically, we’re aware of a code execution vulnerability within this control that can enable an attacker to run code as the logged-on user if they browse to a malicious site.
We have an investigation into this issue under way as part of our Software Security Incident Response Process (SSIRP) and are working to develop a security update to address the issue.
In the meantime, our investigation has shown that there are no by-design uses for this ActiveX Control within Internet Explorer. Therefore, we’re recommending that all customers go ahead and implement the workaround outlined in the Security Advisory: setting all killbits associated with this particular control. While Windows Vista and Windows Server 2008 customers are not affected by this vulnerability, we are recommending that they also set these killbits as a defense-in-depth measure. Once that killbit is set, any attempt by malicious websites to exploit the vulnerability would not succeed.
http://blogs.technet.com/msrc/archive/2009/07/06/microsoft-security-advisory-972890-released.aspx
Microsoft has provided a way to automatically implement the workaround. Follow the instructions under “Fix It For Me” in the KB article for the advisory.
http://support.microsoft.com/kb/972890
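For administrators who would rather script the workaround than click through the Fix It on every machine, the following is an added example (not Microsoft's Fix It package and not code from the advisory) that does by hand what the advisory's workaround describes: it writes the ActiveX kill bit (the 0x400 bit of the "Compatibility Flags" DWORD under the "ActiveX Compatibility" registry key, the mechanism documented in KB 240797) for a list of CLSIDs, then reads the values back so the change can be verified. The advisory itself lists the CLSIDs to kill; that list is not reproduced on this page, so the single entry in the script (the MPEG2TuneRequest class) is an assumption taken from the advisory and must be checked against it, and the remaining CLSIDs added, before the script is deployed. On 64-bit Windows the script writes both the native and the WOW6432Node view, because 32-bit Internet Explorer reads the latter; it ORs the bit into any existing flags rather than overwriting them.

```powershell
# Added example: set and verify the ActiveX kill bit for a list of CLSIDs.
# Not Microsoft's Fix It; this reproduces the advisory's manual workaround
# (KB 240797 documents the Compatibility Flags mechanism). Run elevated.

# Populate from the CLSID list in Advisory 972890 / KB 972890. The page does
# not reproduce that list; the single entry below is the MPEG2TuneRequest
# CLSID as I recall it from the advisory and is an assumption here. Verify it
# against the advisory and add the rest of the listed CLSIDs before use.
$Clsids = @(
    '{0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}'
)

$KillBit = 0x400   # "kill bit": IE refuses to instantiate the control

# Both registry views matter on 64-bit Windows: 32-bit IE reads WOW6432Node.
# On 32-bit Windows the WOW6432Node view does not exist, so filter it out
# instead of letting New-Item -Force create a bogus key tree.
$BasePaths = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
) | Where-Object { Test-Path (Split-Path $_ -Parent) }

function Set-KillBit {
    param([Parameter(Mandatory)][string[]]$Clsid)
    foreach ($id in $Clsid) {
        foreach ($base in $BasePaths) {
            $key = Join-Path $base $id
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            # OR the bit in rather than overwrite, so other flags already set
            # on the control (by an earlier update or policy) survive.
            $existing = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                         -ErrorAction SilentlyContinue).'Compatibility Flags'
            $new = [int]$existing -bor $KillBit      # [int]$null is 0
            Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $new -Type DWord
        }
    }
}

function Test-KillBit {
    param([Parameter(Mandatory)][string[]]$Clsid)
    foreach ($id in $Clsid) {
        foreach ($base in $BasePaths) {
            $key   = Join-Path $base $id
            $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                      -ErrorAction SilentlyContinue).'Compatibility Flags'
            [pscustomobject]@{
                Clsid   = $id
                View    = if ($base -like '*Wow6432Node*') { 'WOW64' } else { 'Native' }
                Flags   = if ($null -eq $flags) { 'absent' } else { '0x{0:X}' -f $flags }
                KillBit = (([int]$flags -band $KillBit) -ne 0)
            }
        }
    }
}

Set-KillBit  -Clsid $Clsids
Test-KillBit -Clsid $Clsids | Format-Table -AutoSize
```

Test-KillBit should show KillBit = True for every CLSID in every view present on the machine; an "absent" row after Set-KillBit means the write failed (typically a non-elevated session). Note that the kill bit only stops Internet Explorer and other hosts that honor Compatibility Flags from instantiating the control; it does not remove or patch the underlying DLL, which is why Microsoft presents it as a workaround pending the security update rather than a fix.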