Researcher Shows Killbit is No Defense on MsVidCtl Flaw

Ryan Smith, one of the researchers who found the bug in the Microsoft MsVidCtl DLL that the vendor is rushing to patch this week, has posted a short video demonstration of a technique that bypasses the stop-gap solution of preventing the vulnerable ActiveX control from loading.

In the demo, Smith, a former researcher with IBM ISS who will be giving a talk on the exploit at the Black Hat conference later this week with Mark Dowd and David Dewey, shows that setting the killbit on the vulnerable control, as Microsoft and others suggested, is not sufficient to prevent exploitation. The demo shows Smith using a new tool called Killbit Visualizer to log the IDs of killbits that are specifically allowed or denied.

He is then able to get around the killbit protection on the vulnerable video control and cause the calculator to start on the machine.

Smith’s demo comes on the heels of a blog post by Halvar Flake, a well-known security researcher, who pointed out nearly three weeks ago that simply setting the killbit was not going to protect users against the MsVidCtl flaw. From his post:

So, where does this leave us?

  1. The bug is actually much “deeper” than most people realize.

  2. The killbit-fix is clearly insufficient, as there are bound to be many other ways of triggering the issue.

  3. The bug might have weaseled its way into third-party components, IF anyone outside of Microsoft had access to the broken ATL versions.

  4. If this has happened, MS might have accidentally introduced security vulnerabilities into third-party products.

  5. Depending on the optimization settings applied to the executables, it might require a bit of an effort to find out whether a vulnerable or non-vulnerable version of the code is present.

  6. There might be a lot of recompiling next week.

  7. IF this has gotten into third-party-products, I would bet that only a tiny fraction of software vendors will push out proper/timely updates.

Microsoft is rushing out an emergency patch for the vulnerability on Tuesday.
