Drive-by Attack using Microsoft DirectShow vulnerability

Discussion in 'malware problems & news' started by Rmus, Jul 6, 2009.

Thread Status:
Not open for further replies.
  1. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    0-day in Microsoft DirectShow (msvidctl.dll) used in drive-by attacks
    http://isc.sans.org/diary.html?storyid=6733
    Microsoft DirectShow vulnerability used in drive-by-download attacks
    http://www.thetechherald.com/articl...lnerability-used-in-drive-by-download-attacks
    From a Google translation of the Danish CSIS alert (link posted at DSLR):

    Note that if the user has Scripting enabled per site, the likelihood of being redirected is minimal.

    Any security product that blocks unauthorized executables will stop the exploit at this point.

    All of the URLs listed no longer work, so nothing to test at this moment, but it appears to be a typical drive-by attack, just using a different means of triggering the download of a malicious executable file.

    ----
    rich
     
    Last edited: Jul 6, 2009
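    The thread above points at a vulnerable ActiveX control (msvidctl.dll) as the trigger for the download. The standard Microsoft workaround for an exploited ActiveX control is the Internet Explorer "kill bit" (the 0x400 flag in the ActiveX Compatibility registry key for the control's CLSID). The PowerShell function below is an added example, not code from the thread or from Microsoft; it reports whether the kill bit is set for a given CLSID on both the native and the WOW6432Node registry views. The CLSID passed at the bottom is a placeholder; substitute the CLSID named in the Microsoft advisory linked above.

```powershell
# Added example: check whether the IE kill bit is set for an ActiveX control CLSID.
# Registry location and the 0x400 "kill bit" flag are documented Microsoft behaviour;
# the CLSID used in the call at the bottom is a PLACEHOLDER, not the real control's CLSID.
function Test-ActiveXKillBit {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Clsid
    )

    # Both views matter on 64-bit Windows: 32-bit IE reads the WOW6432Node key.
    $paths = @(
        "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid",
        "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    )

    foreach ($key in $paths) {
        $present = Test-Path -Path $key
        $killBit = $false
        if ($present) {
            $item  = Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
            $flags = $item.'Compatibility Flags'
            # 0x400 is the kill bit; other bits carry unrelated compatibility flags.
            $killBit = ($null -ne $flags) -and (($flags -band 0x400) -eq 0x400)
        }
        New-Object -TypeName PSObject -Property @{
            Clsid      = $Clsid
            RegistryKey = $key
            KeyPresent = $present
            KillBitSet = $killBit
        }
    }
}

# Placeholder CLSID; replace with the CLSID from Microsoft advisory 972890.
Test-ActiveXKillBit -Clsid '{00000000-0000-0000-0000-000000000000}' | Format-Table -AutoSize
```

    A `KillBitSet` of `$False` for a control you expect to be blocked means the workaround has not been applied on that machine (or was applied in only one registry view), which is the check worth scripting across a fleet before the patch is rolled out.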
  2. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    Thanks. It is a never ending race and being educated about what is out there helps being ahead :)
     
  3. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    You are welcome.

    There has been some confusion over the descriptions of this vulnerability. Some web sites describe the dll as:

    Microsoft does not use DirectShow in its titles of the advisories - links provided by ronjor (thanks!);

    Vulnerability in Microsoft Video ActiveX Control Could Allow Remote Code Execution
    http://www.microsoft.com/technet/security/advisory/972890.mspx

    But inside:
    New vulnerability in MPEG2TuneRequest ActiveX Control Object in msvidctl.dll
    http://blogs.technet.com/srd/archiv...t-activex-control-object-in-msvidctl-dll.aspx

    There is no mention of DirectShow. But all of the mainstream press alerts refer to it as a DirectShow vulnerability. This caused some to think it was connected with a previous vulnerability:

    Microsoft Security Advisory: Vulnerability in Microsoft DirectShow could allow remote code execution
    http://support.microsoft.com/kb/971778

    Here, the offending file was quartz.dll

    Possibly, Microsoft avoided using the same title in their advisories to avoid confusion...

    As of yet, no other infected sites have been listed.

    ----
    rich
     