Microsoft today issued a warning about an attack that is occurring in the wild against its Video ActiveX Control in Internet Explorer running on XP and Windows Server 2003. (Vista and Windows Server 2008 are not affected.) The company has not rated this vulnerability, although it has some of the earmarks of a critical hole, in that an attacker could gain the same rights as a user, execute code and do so without a user's interaction. At the same time, the company is downplaying the seriousness of the attack because it is easily mitigated and the default security settings of Internet Explorer also restrict a hacker's ability to take advantage of it.
According to Microsoft:
"The primary workaround is to turn off the Video ActiveX Control from running in Internet Explorer. The Microsoft Video Control object is a Microsoft ActiveX control that connects Microsoft DirectShow filters for use in capturing, recording, and playing video. It is the main component that Microsoft Windows Media Center uses to build filter graphs for recording and playing television video. When the ActiveX control is used in Internet Explorer, the control may corrupt the system state in such a way that an attacker could run arbitrary code"
Microsoft says it is working on a patch. Full information about the ActiveX security hole is outlines in Microsoft Security Advisory (972890)
Visit the Microsoft Subnet web site for more news, blogs, podcasts. Subscribe to all Microsoft Subnet bloggers. Sign up for the bi-weekly Microsoft newsletter. (Click on News/Microsoft News Alert.)
- Roll your own XP-to-Windows 7 upgrade on a USB drive
- Windows 7 pricing fails to impress
- Firefox Stays In The Game With Firefox 3.5
- Fake Microsoft Update Email Scam - That almost looks professional
- Sometimes Slower Can Be Better
- Microsoft Training for Solution Providers – a nifty website...
- Linxter offers a secure cloud messaging framework
- Giveaways and goodies from Microsoft Subnet and Cisco Subnet
Follow Microsoft Subnet on Twitter