Researcher Shows Killbit is No Defense on MsVidCtl Flaw

Ryan Smith, one of the researchers who found the bug in the Microsoft MsVidCtl DLL that the vendor is rushing to patch this week, has posted a short video demonstration of a technique that bypasses the stop-gap solution of preventing the vulnerable ActiveX control from loading.

Microsoft Response on MsVidCtl Flaw Was Lacking

Microsoft has expended a massive amount of time, energy and money in the last few years to improve both the quality of its software and the speed and efficiency of its security response process. It has succeeded in large part on both counts, especially on the security and reliability of its products. But, as the company’s response to the privately disclosed MsVidCtl ActiveX vulnerability in Internet Explorer shows, Microsoft still has some ground to cover on the issue of timely response.

Demo: Exploiting the Microsoft MsVidCtl DirectShow Flaw

By Georg Wicherski, Kaspersky Lab Germany

As you’ve probably already heard, there’s a dangerous vulnerability in Internet Explorer 6 & Internet Explorer 7 being exploited in the wild. The vulnerability affects Windows XP Service Pack 0 to Service Pack 2. Microsoft hasn’t released a patch yet, but they have provided a work-around. Some people have simply recommended turning off JavaScript to mitigate this issue. However this vulnerability is a trivial buffer overflow which makes it possible to overwrite the SEH handler. Thus, heap spraying is not required and turning off JavaScript only mitigates attacks from less skilled attackers.

The ongoing exploitation of the vulnerability in an ActiveX control used by Internet Explorer has created a dangerous situation, as there is no patch yet for the MSVidCtl.dll vulnerability. However, there are several steps you can take to protect yourself against attacks.

There is a widespread attack underway against an unpatched vulnerability in the Msvidctl DLL, with attackers using thousands of newly compromised Web sites to exploit victims’ PCs via drive-by downloads. The attacks are using Internet Explorer as the attack vector and are pushing a Trojan downloader onto compromised machines.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.