The unpatched vulnerability in the Video ActiveX control that Microsoft has warned about was reported to the company in 2008, but one of the security researchers who found it refused to criticize Microsoft’s response to the threat.
The bug was uncovered by researchers Alex Wheeler and Ryan Smith, who at the time both worked at IBM's ISS X-Force. A Microsoft spokesperson said the company first learned of the vulnerability in 2008 and immediately began an investigation.
“I really don’t think it’s an entirely too long of a period,” said Wheeler, who is now with TippingPoint DVLabs. “They’ve got a lot of bugs to deal with, a lot of bugs to patch, and they try to address the most critical and serious ones first, those being the ones … exploited currently. This particular bug affected a lot of different areas of code so I think it’s reasonable for them to take a while to address it.”
The Video ActiveX control is used to connect Microsoft DirectShow filters for use in capturing, recording and playing video, and is the main component Microsoft Windows Media Center uses to build filter graphs for recording and playing television video.
While little has been said publicly about the exact nature of the vulnerability, an advisory from X-Force describes CVE-2008-0015 as a buffer overflow vulnerability, and states the first known exploitation in the wild occurred June 11.
News that the vulnerability was being exploited hit the Web July 6 when Microsoft warned of reports of attacks. If successful, a hacker could execute code remotely and take control of a system. So far the exploit seems to be spreading via drive-by downloads on compromised and malicious sites. Researchers at Trend Micro reported July 7 that about 1,000 Chinese Websites were infected with a malicious script that leads users to successive site redirections before leading them to a download of a .jpg file containing the exploit.
In that case, the script downloads another piece of malware detected by Trend Micro as WORM_KILLAV.AI, which disables anti-virus software and drops other malware on the affected system.
“What we’ve been able to determine so far is most of the early attack data was coming from IP addresses located or geo-IP located outside the U.S.,” Wheeler said, adding that there is more than one variant of the exploit going around.
Internet Explorer is particularly susceptible to the drive-by attacks, and Microsoft is recommending that users prevent the control from running in Internet Explorer by setting the kill bit for all the Class Identifiers listed in the Workaround section of the Microsoft advisory. There is also a way for organizations to deploy the workaround automatically, available here.
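The kill-bit workaround described above amounts to a registry change per CLSID, which is easy to script for a fleet. The following is an added example, not Microsoft's deployment package or any code from the article: it sets the Internet Explorer kill bit (Compatibility Flags bit 0x400) for a list of CLSIDs under both the native and the Wow6432Node ActiveX Compatibility keys, and then reads the values back to confirm the bit is present. The CLSID in $Clsids is a placeholder, not one of the identifiers from the advisory; substitute the full list from the Workaround section. Run in an elevated session.

```powershell
# Added example: set and verify the IE kill bit for a list of ActiveX CLSIDs.
# Not Microsoft's tooling. Run elevated. The CLSID below is a PLACEHOLDER;
# replace it with the full list from the advisory's Workaround section.
$Clsids = @('{00000000-0000-0000-0000-000000000000}')   # placeholder CLSID

$KillBit = 0x400   # Compatibility Flags bit that stops IE instantiating the control

# 32-bit IE on 64-bit Windows reads the Wow6432Node view, so cover both.
$Roots = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility')
if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node') {
    $Roots += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
}

function Set-KillBit {
    param([Parameter(Mandatory)][string[]]$Clsid)
    foreach ($id in $Clsid) {
        foreach ($root in $Roots) {
            $key = Join-Path $root $id
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            # Preserve any flags already present and OR in the kill bit.
            $current = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                        -ErrorAction SilentlyContinue).'Compatibility Flags'
            $new = ([int]$current) -bor $KillBit
            Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $new -Type DWord
        }
    }
}

function Test-KillBit {
    param([Parameter(Mandatory)][string[]]$Clsid)
    foreach ($id in $Clsid) {
        foreach ($root in $Roots) {
            $key = Join-Path $root $id
            $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                      -ErrorAction SilentlyContinue).'Compatibility Flags'
            # One row per CLSID and hive; KillBit must be True in every row.
            [pscustomobject]@{
                Clsid   = $id
                Hive    = $root
                KillBit = ((([int]$flags) -band $KillBit) -eq $KillBit)
            }
        }
    }
}

Set-KillBit  -Clsid $Clsids
Test-KillBit -Clsid $Clsids | Format-Table -AutoSize
```

The verification step matters: the advisory lists many CLSIDs, and a single one left without the kill bit leaves the control reachable from a web page. Note that the kill bit only stops Internet Explorer from loading the control; other hosts of the control are not affected by it.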
In addition to CVE-2008-0015, X-Force also identified a memory corruption vulnerability in the ActiveX control registered as CVE-2008-0020. Microsoft officials did not say when a patch would be made available for the flaw. The next round of Patch Tuesday fixes for Microsoft is scheduled for July 14.