Drive-by Attack using Microsoft DirectShow vulnerability

0-day in Microsoft DirectShow (msvidctl.dll) used in drive-by attacks
http://isc.sans.org/diary.html?storyid=6733

Microsoft DirectShow vulnerability used in drive-by-download attacks
http://www.thetechherald.com/articl...lnerability-used-in-drive-by-download-attacks

From a Google translation of the Danish CSIS alert (link posted at DSLR):

Note that if the user has Scripting enabled per site, the likelihood of being redirected is minimal.

Any security product that blocks unauthorized executables will stop the exploit at this point.

All of the URLs listed no longer work, so nothing to test at this moment, but it appears to be a typical drive-by attack, just using a different means of triggering the download of a malicious executable file

----
rich

 

Thanks. It is a never ending race and being educated about what is out there helps being ahead

 

You are welcome.

There has been some confusion over the desriptions of this vulnerability. Some web sites describe the dll as:

Microsoft does not use DirectShow in its titles of the advisories - links provided by ronjor (thanks!);

Vulnerability in Microsoft Video ActiveX Control Could Allow Remote Code Execution
http://www.microsoft.com/technet/security/advisory/972890.mspx

But inside:

New vulnerability in MPEG2TuneRequest ActiveX Control Object in msvidctl.dll
http://blogs.technet.com/srd/archiv...t-activex-control-object-in-msvidctl-dll.aspx

There is no mention of DirectShow. But all of the mainstream press alerts refer to it as a DirectShow vulnerability. This caused some to think it was connected with a previous vulnerbility:

Microsoft Security Advisory: Vulnerability in Microsoft DirectShow could allow remote code execution
http://support.microsoft.com/kb/971778

Here, the offending file was quartz.dll

Possibly, Microsoft avoided using the same title in their advisories to avoid confusion...

As of yet, no other infected sites have been listed.

----
rich