Was Microsoft Slow to Patch Video ActiveX Vulnerability? | eWeek

Was Microsoft Slow to Patch Video ActiveX Vulnerability?

Written By
Brian Prince
Brian Prince
Jul 7, 2009
2 minute read
eWeek content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More

The unpatched vulnerability in the Video ActiveX control that Microsoft has warned about was reported to the company in 2008, but one of the security researchers who found it refused to criticize Microsoft’s response to the threat.

The bug was uncovered by researchers Alex Wheeler and Ryan Smith, who at the time both worked at IBM’s ISS-X-Force. A Microsoft spokesperson said the company first learned of the vulnerability in 2008 and immediately began an investigation.

“I really don’t think it’s an entirely too long of a period,” said Wheeler, who is now with TippingPoint DVLabs. “They’ve got a lot of bugs to deal with, a lot of bugs to patch, and they try to address the most critical and serious ones first, those being the ones … exploited currently. This particular bug affected a lot of different areas of code so I think it’s reasonable for them to take a while to address it.”‘

The Video ActiveX control is used to connect Microsoft DirectShow filters for use in capturing, recording and playing video, and is the main component Microsoft Windows Media Center uses to build filter graphs for recording and playing television video.

While little has been said publicly about the exact nature of the vulnerability, an advisory from X-Force describes CVE-2008-0015 as a buffer overflow vulnerability, and states the first known exploitation in the wild occurred June 11.

News that the vulnerability was being exploited hit the Web July 6 when Microsoft warned of reports of attacks. If successful, a hacker could execute code remotely and take control of a system. So far the exploit seems to be spreading via drive-by downloads on compromised and malicious sites. Researchers at Trend Micro reported July 7 that about 1,000 Chinese Websites were infected with a malicious script that leads users to successive site redirections before leading them to a download of a .jpg file containing the exploit.

In that case, the script downloads another piece of malware detected by Trend Micro as WORM_KILLAV.AI, which disables anti-virus software and drops other malware on the affected system.

“What we’ve been able to determine so far is most of the early attack data was coming from IP addresses located or geo-IP located outside the U.S.,” Wheeler said, adding that there is more than one variant of the exploit going around.

Internet Explorer is particularly susceptible to the drive-by attacks, and Microsoft is recommending that users remove support for the ActiveX Control within Internet Explorer using all the Class Identifiers listed in the Workaround section of the Microsoft advisory. There is also a way for organizations to automatically deploy the workaround, available here.

In addition to CVE-2008-0015, X-Force also identified a memory corruption vulnerability in the ActiveX control registered as CVE-2008-0020. Microsoft officials did not say when a patch would be made available for the flaw. The next round of Patch Tuesday fixes for Microsoft is scheduled for July 14.

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Property of TechnologyAdvice. © 2026 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.