Microsoft Video ActiveX Control Vulnerability

Microsoft Video ActiveX Control Vulnerability

Microsoft Video ActiveX Control Vulnerability

Microsoft has announced an unusual out-of-band security update.  It is critical that you patch your Windows XP or Windows 2003 Server system.  You can be affected by simply browsing to a website that has been compromised, or opening an html email that points you toward a compromised website.

For the short version, read this: http://support.microsoft.com/default.aspx/kb/972890

and to have Microsoft fix your machine, click here and follow the instructions: http://blogs.technet.com/srd/archive/2009/07/06/new-vulnerability-in-mpeg2tunerequest-activex-control-object-in-msvidctl-dll.aspx

which is basically looking for the picture:

clicking on it, and running the file that starts to download.


 

National Cyber Alert System

Technical Cyber Security Alert TA09-187A
Microsoft Video ActiveX Control Vulnerability

Original release date: July 06, 2009
Last revised: —
Source: US-CERT
Systems Affected

* Microsoft Windows XP
* Microsoft Windows Server 2003
Overview

An unpatched vulnerability in the Microsoft Video ActiveX control is being used in attacks.
I. Description

Microsoft has released Security  Advisory (972890) to describe attacks on a vulnerability in the Microsoft Video ActiveX  control.  Because no fix is currently available for this vulnerability, please see the Security Advisory and US-CERT Vulnerability Note VU#180513 for workarounds.
II. Impact

A remote, unauthenticated attacker could execute arbitrary code with the privileges of the victim user.
III. Solution

Apply workarounds

Microsoft has provided workarounds for this vulnerability in Security Advisory (972890). Additional details and workarounds are provided in US-CERT Vulnerability Note VU#180513.

The most effective workaround for this vulnerability is to set kill bits for the Microsoft Video ActiveX control, as outlined in the documents noted above.  Other workarounds include disabling ActiveX, as specified in the Securing Your Web Browser document, and upgrading to Internet Explorer 7 or later, which can help mitigate the vulnerability with its ActiveX opt-in feature.