Microsoft was alerted a year ago about an unpatched video control flaw in versions of Windows XP and Windows Server 2003 that is currently being actively exploited in a wave of attacks around the world — including on some .org and .com sites.
Microsoft yesterday issued a special security advisory on the critical vulnerability in its Video ActiveX Control, and said it was aware of attacks exploiting it. The software giant recommends users set a “kill bit” for the Video ActiveX Control to protect themselves from the attack, which could give an attacker the same local rights as the logged-on user and can infect IE 6 and 7 users without their having to click any malicious link. The advisory included a link to the bug’s CVE number, CVE-2008-0015.
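The kill bit Microsoft recommends is a registry flag that stops Internet Explorer from instantiating a control by its CLSID. The following PowerShell is an added example, not code from the article or from Microsoft; the CLSID in it is a placeholder, and the real values must be taken from Microsoft's advisory.

```powershell
# Added example: set and audit the IE "kill bit" for an ActiveX control.
# IE refuses to load a control whose CLSID has bit 0x400 set in the
# "Compatibility Flags" DWORD under this key. Run as Administrator.
$KillBitRoot = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$KillBitFlag = 0x400

function Set-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Join-Path $KillBitRoot $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $current = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                -ErrorAction SilentlyContinue).'Compatibility Flags'
    # OR the bit in so any flags already present are preserved
    $new = [int]$current -bor $KillBitFlag
    New-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $new `
        -PropertyType DWord -Force | Out-Null
}

function Test-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Join-Path $KillBitRoot $Clsid
    if (-not (Test-Path $key)) { return $false }
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
              -ErrorAction SilentlyContinue).'Compatibility Flags'
    return (([int]$flags -band $KillBitFlag) -ne 0)
}

# PLACEHOLDER CLSID: replace with the CLSIDs listed in Microsoft's advisory.
$clsids = @('{00000000-0000-0000-0000-000000000000}')
foreach ($c in $clsids) {
    Set-ActiveXKillBit -Clsid $c
    '{0} kill bit set: {1}' -f $c, (Test-ActiveXKillBit -Clsid $c)
}
```

On the x64 editions the article lists, 32-bit Internet Explorer reads the same key under HKLM:\SOFTWARE\Wow6432Node\..., so apply the flag there as well.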
“This vulnerability was reported to Microsoft in 2008. When we were alerted in 2008, we immediately started an investigation,” says Christopher Budd, Microsoft’s security response communications lead. “As a result of this investigation, we chose to remove this ActiveX Control from Internet Explorer as the best way to proceed. As we wanted to be thorough, this took extra time to fully evaluate.”
Budd says Microsoft is continuing to work on a patch for the vulnerability and will release it “once it has reached an appropriate level of quality for broad distribution.”
So far, the attacks are mainly originating from domains in China, and mostly trying to steal online gaming credentials. But security researchers say it’s a potentially dangerous exploit that could easily be used for even more nefarious purposes.
“Any user that visits these domains without having implemented the correct safety measures will likely be hit,” says Ryan Smith, a researcher with Hustle Labs and a vulnerability researcher at iDefense, who, along with Alex Wheeler, first found the bug while working at IBM ISS.
Adding fuel to the fire, Metasploit today released an exploit module for the vulnerability, as well. It creates an MPEG2 file that can be planted on a Website that the attacker already controls. “So that means you already own it — as in a criminal gang — or you break into it,” says Marcus Sachs, director of SANS Internet Storm Center. “I suspect that if there are Websites already under the control of criminal groups, they will quickly add a Metasploit-generated MPEG2 document to catch any visitors.”
iDefense, meanwhile, issued a press statement today that provided additional background on the flaw and subsequent attacks. “Microsoft has been quite gracious in its efforts to share information about the process it has undergone to fix this flaw, and it has been quite diligent in its remediation efforts. The mechanics and circumstances of this flaw are quite unique, which was what caused Microsoft to take some time patching this flaw,” the statement says.
Coincidentally, Smith, along with researchers Mark Dowd and David Dewey, is on deck to present a talk at Black Hat USA later this month called “The Language of Trust: Exploiting Trust Relationships in Active Content,” which was to include the Video Control flaw. “When reviewing our material, [the video flaw] actually seems quite insignificant in contrast to the larger body of work our presentation covers,” says Smith, who wouldn’t divulge any details about the Black Hat presentation, which is scheduled to cover the issue of trust in interactive content.
The vulnerability affects Windows XP Service Pack 2 and Windows XP Service Pack 3; Windows XP Professional x64 Edition Service Pack 2; Windows Server 2003 Service Pack 2; Windows Server 2003 x64 Edition Service Pack 2; and Windows Server 2003 with SP2 for Itanium-based systems.
“It seems pretty likely that this will become a standard attack and be seen all over the place,” says Randy Abrams, director of technical education at Eset. “Videos are just too tempting to people.”
Abrams says it’s possible the attackers discovered the flaw themselves, but this first round of attacks isn’t very sophisticated. “It would suggest they got it from someone more skilled or from an inside source,” Abrams says. “They really wasted a zero-day by having it download some malware with high detection rates.”
A few security vendors — including Finjan, Zscaler, Sophos, and F-Secure — today announced their products can now detect the malware being used in the attacks.