Tuesday, July 28, 2009

IE Proof-of-Concept Attack Exploits Kilbitted ActiveX Control

A proof-of-concept attack against Internet Explorer demonstrates how a patched vulnerability can be exploited in order to take over the victim's computer. The demo, hosted on Hustlelabs, comes courtesy of three security researchers, Mark Dowd, Ryan Smith, David Dewey, who are scheduled to present the attack in detail at Black Hat 2009 in Las Vegas. Black Hat participants can get a more hands-on experience with the attack via The Language of Trust: Exploiting Trust Relationships in Active Content presentation.

Microsoft has already patched the Video ActiveX Control vulnerability (CVE-2008-0015) with the release of Security Bulletin MS09-032. The security update package brought to the table a Cumulative Security Update of ActiveX Kill Bits, and was designed to patch a vulnerability already exploited in the wild.

Check Hustlelabs for video

Source Softpedia

No comments: