Monday, July 6, 2009

0-day in Microsoft DirectShow

0-day in Microsoft DirectShow (msvidctl.dll) used in drive-by attacks

A 0-day exploit within the msVidCtl component of Microsoft DirectShow is actively being exploited through drive-by attacks using thousands of newly compromised web sites, according to CSIS. The code has been published in the public domain via a number of Chinese web sites.

Please keep a watchful eye on your AV and IDS/IPS vendors updates to ensure coverage as early as possible on this exploit as it is likely to be widely deployed with the code being available.

A valid work around for the attack vector is available which set's the kill bit on the vulnerable DLL.

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerActiveX Compatibility{0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}]
"Compatibility Flags"=dword:00000400

Details of the exploit are available on the CSIS web site, but are included below:



No comments: