Microsoft is investigating attacks targeting a vulnerability in Microsoft
Video ActiveX Control that could allow a hacker to gain complete control of a
system.
Not much has been said about the exact
nature of the Microsoft Video ActiveX Control vulnerability, which is so
far reported to affect Windows XP and Windows Server 2003. If the vulnerability
is successfully exploited, the attacker could gain the same user rights as the
local user. When using Internet Explorer, code execution is remote and may not
require any user intervention, Microsoft warned.
The ActiveX control involved is used to connect Microsoft DirectShow filters
for use in capturing, recording and playing video. It is also the primary
component Microsoft Windows Media Center uses to build filter graphs for
recording and playing television video.
Microsoft said its investigation has shown that there are no
by-design uses for this ActiveX Control within Internet Explorer, and customers
should consider setting the kill bit for the control in the registry until
a patch is ready. A list of the Class Identifiers relate to the Video ActiveX
Control can be found in the advisory in the workaround section. Microsoft has
also provided a way for users to implement the workaround automatically here.
"While Windows Vista and Windows Server 2008
customers are not affected by this vulnerability, we are recommending that they
also set these kill bits as a defense-in-depth measure," Christopher Budd,
a member of Microsoft's
Security Response Center team, wrote in a blog post July 6. "Once that kill bit
is set, any attempt by malicious Websites to exploit the vulnerability would
not succeed."
Though Budd did not indicate when a patch for the issue would be forthcoming,
the company's monthly
patch release is scheduled for July 14.
IT Security & Network Security News & Reviews News & Reviews 
