Monday, July 06, 2009

Internet Explorer Video ActiveX Exploit

It's been a while since Windows had a zero-day exploit that would allow the bad guys to take over your computer just by visiting a web site. Got one now. All you need to do is visit a web site that has been set up to use this vulnerability with Internet Explorer and boom, they've got you. Apparently, a flaw in Microsoft DirectShow (MSVIDCTL.DLL) lets them do it. It does need to be IE 6 or 7 with Windows XP or Windows 2003. Yay! Vista and presumably Windows 7 aren't affected.

One way to avoid this is to not use IE. Firefox, Opera, Safari and other browsers aren't affected. The bad guys could try to open IE or trick you into opening it, so it's best to go to the video ActiveX advisory page and use the Fix it button to turn off the part of IE that allows the exploit.

F-Secure detects it as Exploit:W32/Agent.LBV. They have a write-up and a plug for their free beta of ISTP or ExploitShield, which also protect you. It also has a video link showing them trying to get infected with it and failing.

McAfee detects it as Exploit-MSDirectShow.b and has their write-up here, which says this has been around since last December and has only become widely known recently.

The Registry key that the Microsoft advisory page modifies is this. Best to not mess around in the registry. Might be more, but I'm not going to list them all.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}]
"Compatibility Flags"=dword:00000400
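
To confirm the change took effect without editing the registry by hand, here is a read-only check that the 0x400 flag (the ActiveX "kill bit") is set for that CLSID. It is an added example, not part of the original post or of Microsoft's fix; the function name `Get-KillBitStatus` and the extra `Wow6432Node` path (the 32-bit registry view on 64-bit Windows) are assumptions of the example.

```powershell
# Added example: report whether the ActiveX kill bit is set for each CLSID.
# Read-only: nothing here writes to the registry.

# CLSID from the registry snippet in this post. The advisory may list more;
# append them to this array.
$Clsids = @('{0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}')

# Native registry view, plus the 32-bit view that 32-bit IE reads on 64-bit
# Windows (assumption of this example; skipped when it does not exist).
$Roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Get-KillBitStatus {
    param([string[]]$Clsid, [string[]]$Root)
    $killBit = 0x400   # same value as dword:00000400 above
    foreach ($r in $Root) {
        if (-not (Test-Path -LiteralPath $r)) { continue }
        foreach ($c in $Clsid) {
            $key   = "$r\$c"
            $flags = $null
            if (Test-Path -LiteralPath $key) {
                $prop = Get-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
                if ($prop) { $flags = [long]$prop.'Compatibility Flags' }
            }
            # Other bits may be set alongside 0x400, so test the bit, not equality.
            $isSet = ($null -ne $flags) -and (($flags -band $killBit) -ne 0)
            $shown = '(not set)'
            if ($null -ne $flags) { $shown = '0x{0:X8}' -f $flags }
            New-Object PSObject -Property @{
                KillBitSet = $isSet
                Flags      = $shown
                Key        = $key
            }
        }
    }
}

Get-KillBitStatus -Clsid $Clsids -Root $Roots |
    Format-Table KillBitSet, Flags, Key -AutoSize
```

A row with `KillBitSet` False, or `Flags` shown as `(not set)`, means IE can still load the control from that registry view.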

More tech details at Microsoft Security Advisory 972890.