MA-173.072009: 0day Microsoft Video ActiveX Control MPEG2TuneRequest Stack Overflow Vulnerability

1.0 Introduction

A critical vulnerability has been identified in the Microsoft Video ActiveX control. A stack overflow while parsing video media files causes the application to crash and could potentially allow an attacker to take control of the affected system.

2.0 Impact

By exploiting this vulnerability, an attacker could execute arbitrary code on vulnerable installations of Microsoft ActiveX and gain the same privileges as the user. The attack can be launched locally or remotely by abusing the Microsoft ActiveX web browser plugin. MyCERT has analyzed an exploit sample and confirmed the impact of the vulnerability. In the sample analyzed by MyCERT, the shellcode fetches another piece of malicious software to be installed on the victim machine.

3.0 Affected Products

The Microsoft Windows operating systems listed below are affected by this vulnerability:

- Windows 2000 Service Pack 4
- Windows XP (All Service Pack 1,2,3)
- Windows Server 2003 (SP1)

4.0 Recommendation

Because this is a 0day exploit, Microsoft has not yet released a patch for this vulnerability. Users are recommended to disable the Microsoft Video ActiveX control. Users can prevent an ActiveX control from running in Internet Explorer by setting the kill bit, so that Internet Explorer never calls the control when default settings are used. The Class Identification (CLSID) to be disabled for Microsoft Video is 0955AC62-BF2E-4CBA-A2B9-A63F772D46CF.

To implement the workaround that disables the Microsoft Video ActiveX Control automatically on a computer that is running Windows XP or Windows Server 2003, download Microsoft Fix it from http://go.microsoft.com/?linkid=9672398 and follow the steps in the wizard.

If you are unable to download it or prefer the manual way, below are the steps to disable/blacklist the ActiveX control:

- Open Registry Editor.
- Use Registry Editor to view the data value of the Compatibility Flags DWORD value of the ActiveX object CLSID in the following registry key:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\
- Create a new key for the CLSID to be disabled. In this case, the CLSID is 0955AC62-BF2E-4CBA-A2B9-A63F772D46CF.
- Create or modify the Compatibility Flags DWORD value in the registry.
- Change the value of the Compatibility Flags DWORD value to 0x00000400.
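
The manual steps above can also be scripted and then verified. The following PowerShell is an added example, not part of the original advisory or a Microsoft tool. It assumes the registry convention of writing the CLSID in braces as the key name, also covers the Wow6432Node view used by 32-bit Internet Explorer on 64-bit Windows (which the advisory does not list), and ORs the bit into any existing flags rather than overwriting them.

```powershell
# Added example: apply and verify the kill bit for the CLSID in this advisory.
# Run from an elevated PowerShell prompt.
$Clsid   = '{0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}'  # advisory CLSID, in brace form as a key name
$KillBit = 0x00000400                                 # Compatibility Flags value from the advisory
$Name    = 'Compatibility Flags'

# Native registry view, plus the 32-bit view on 64-bit Windows
# (Wow6432Node is an addition here; the advisory lists only the first path).
$Roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Get-CompatFlags([string]$Key) {
    # Returns the current DWORD, or 0 when the key or value is absent.
    if (-not (Test-Path $Key)) { return 0 }
    $Prop = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($Prop) { return $Prop.$Name }
    return 0
}

function Set-KillBit([string]$Root) {
    $Key = Join-Path $Root $Clsid
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    # OR the bit in so any flags already present are preserved.
    $New = (Get-CompatFlags $Key) -bor $KillBit
    Set-ItemProperty -Path $Key -Name $Name -Value $New -Type DWord
}

function Test-KillBit([string]$Root) {
    $Flags = Get-CompatFlags (Join-Path $Root $Clsid)
    return (($Flags -band $KillBit) -eq $KillBit)
}

foreach ($Root in $Roots) {
    if (-not (Test-Path $Root)) { continue }   # view not present on this system
    Set-KillBit $Root
    '{0}\{1} kill bit set: {2}' -f $Root, $Clsid, (Test-KillBit $Root)
}
```

Test-KillBit can be run on its own afterwards to audit a machine without changing it.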
 
MyCERT also urges the public to update to the latest antivirus definitions, because the payload used by the exploit in the wild fetches malware and installs it on the victim machine.

Generally, MyCERT advises users of this product to stay up to date with the latest security announcements from the vendor. Users who receive suspicious video files or URLs can forward them to MyCERT for further analysis.

MyCERT can be reached through the following channels:

E-mail : mycert@mycert.org.my
Phone : +603 89926969 or 1-300-88-2999 (monitored during business hours)
Fax : +603 89453442
Handphone : +60 19 2665850 (24x7 call incident reporting)
SMS : +60 19 2813801 (24x7 SMS reporting)
Business Hours : Mon - Fri 08:30 - 17:30 MYT
Web : http://www.mycert.org.my

5.0 References

- http://www.microsoft.com/technet/security/advisory/971778.mspx
- http://www.securityfocus.com/bid/35558/info
- http://isc.sans.org/diary.html?storyid=6733
- http://www.microsoft.com/technet/security/advisory/972890.mspx