Update 2:
Microsoft DirectShow vulnerability used in drive-by-download attacks. (Image: J. Anderson)
Microsoft will issue a patch for this on Tuesday, six months after it was discovered and less than a week after it started to be actively exploited.
"It is concerning, but not entirely surprising that Microsoft has been aware of this ActiveX vulnerability for more than six months but has not released a patch yet. The ability of malicious hackers to independently rediscover and quickly weaponize vulnerabilities for website drive-by attacks has been highlighted once again. Even more dangerous is the possibility that the vulnerability was leaked shortly before the Microsoft patch was due to be released," said Tas Giakouminakis from Rapid7 in an email.
The other three bulletins due on Tuesday during Microsoft's patch push affect less common Microsoft software. There are privilege elevations in Virtual PC/Virtual Server and Microsoft ISA Server, as well as a remote code execution flaw in Microsoft Office Publisher. "Customers that use these products should be prepared to evaluate the severity of the vulnerabilities and deploy the patches accordingly," added Giakouminakis.
Update provided by Microsoft:
"In the meantime, our investigation has shown that there are no by-design uses for this ActiveX Control within Internet Explorer. Therefore, we’re recommending that all customers go ahead and implement the workaround outlined in the Security Advisory: setting all killbits associated with this particular control," outlined Microsoft.
"While Windows Vista and Windows Server 2008 customers are not affected by this vulnerability, we are recommending that they also set these killbits as a defense-in-depth measure. Once that killbit is set, any attempt by malicious websites to exploit the vulnerability would not succeed."
The advisory can be found here. More information is here.
Original Article:
CSIS Security is reporting the discovery of a new vulnerability within Microsoft DirectShow. The Zero-Day attack is part of a massive Web site hijacking operation, where exploited domains are injected with code that attempts to exploit the DirectShow vulnerability as well as other known flaws.
According to CSIS, the attacks start by compromising a legitimate Web site, where malicious JavaScript is embedded into the site’s code. Once the compromised page loads, the injected JavaScript forces the user to visit a sub-domain on 8866.org.
At the time this article was published, The Tech Herald could not confirm that the sub-domain listed by CSIS was still malicious, as it was unavailable. However, 8866.org is online, and should be considered suspect if not blacklisted altogether.
The Zero-Day vulnerability, which is a stack overflow in DirectShow MPEG2TuneRequest, can be mitigated by setting the kill bit on msVidCtl.dll. CSIS has provided the solution on its site (Google Translated).
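The kill-bit workaround recommended by Microsoft and CSIS above amounts to a registry change per control CLSID. As an added example (not code from the article, CSIS, or Microsoft's advisory), the PowerShell below audits and, when `$Apply` is set, applies the Internet Explorer kill bit for a list of CLSIDs; the CLSID in the list is a placeholder and the real list must be taken from Microsoft's advisory.

```powershell
# Added example: audit/set the IE ActiveX kill bit for a list of control CLSIDs.
# A kill bit is bit 0x400 of the DWORD "Compatibility Flags" under
# HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}.
# Setting values requires an elevated (Administrator) session.
# On 64-bit Windows the 32-bit IE reads the same path under Wow6432Node, so
# run the check against both hives if both IE builds are in use.

$KillBitFlag = 0x400
$BasePath    = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$Apply       = $false   # $true to set missing kill bits instead of only reporting

# PLACEHOLDER CLSID: replace with the CLSIDs listed in Microsoft's advisory.
$Clsids = @('{00000000-0000-0000-0000-000000000000}')

function Get-CompatFlags {
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Join-Path $BasePath $Clsid
    if (-not (Test-Path $key)) { return 0 }
    $props = Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -eq $props) { return 0 }
    return [int]$props.'Compatibility Flags'
}

function Test-KillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    return (((Get-CompatFlags $Clsid) -band $KillBitFlag) -ne 0)
}

function Set-KillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Join-Path $BasePath $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # OR the bit in so any other compatibility flags already present survive.
    $new = (Get-CompatFlags $Clsid) -bor $KillBitFlag
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $new -Type DWord
}

foreach ($clsid in $Clsids) {
    if (Test-KillBit $clsid) {
        Write-Output "$clsid : kill bit already set"
    } elseif ($Apply) {
        Set-KillBit $clsid
        Write-Output "$clsid : kill bit set"
    } else {
        Write-Output "$clsid : kill bit NOT set (run with `$Apply = `$true to fix)"
    }
}
```

The audit branch is safe to run from a non-elevated shell; only the `$Apply` path writes to HKLM.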
However, this is just one of several vulnerabilities the drive-by-download attack is attempting to exploit. Once the system is compromised, a keylogger is installed, as well as a "cocktail of malicious code" according to CSIS.
Microsoft Windows 2000, 2003, and XP are all listed as vulnerable -- no word yet on whether Vista or Windows 7 are also at risk. The Tech Herald has asked Microsoft for comment and will update this story as more news comes in.
For now, CSIS is reporting that thousands of sites are using this new attack, and the ultimate landing points are starting to grow in number, thanks to the exploit code being published online.
SANS is offering the best advice to IT this morning, saying: "Please keep a watchful eye on your AV and IDS/IPS vendors updates to ensure coverage as early as possible on this exploit as it is likely to be widely deployed with the code being available."