Original release date: July 06, 2009
Last revised: July 15, 2009
Source: US-CERT

Systems Affected

• Microsoft Windows XP
• Microsoft Windows Server 2003

Overview

An unpatched vulnerability in the Microsoft Video ActiveX control is being used in attacks.

I. Description

Microsoft has released Security Advisory (972890) to describe attacks on a vulnerability in the Microsoft Video ActiveX control. Because no fix is currently available for this vulnerability, please see the Security Advisory and US-CERT Vulnerability Note VU#180513 for workarounds.

II. Impact

A remote, unauthenticated attacker could execute arbitrary code with the privileges of the victim user.

III. Solution

Apply Updates

Microsoft has released an update to address this issue. See Microsoft Security Bulletin MS09-032 for more details.

Apply workarounds

Microsoft has provided workarounds for this vulnerability in Security Advisory (972890). Additional details and workarounds are provided in US-CERT Vulnerability Note VU#180513.

The most effective workaround for this vulnerability is to set kill bits for the Microsoft Video ActiveX control, as outlined in the documents noted above. Other workarounds include disabling ActiveX, as specified in the Securing Your Web Browser document, and upgrading to Internet Explorer 7 or later, which can help mitigate the vulnerability with its ActiveX opt-in feature.

IV. References

• US-CERT Vulnerability Note VU#180513 - <http://www.kb.cert.org/vuls/id/180513>
• Microsoft Security Advisory (972890) - <http://www.microsoft.com/technet/security/advisory/972890.mspx>
• Microsoft Security Bulletin - <http://www.microsoft.com/technet/security/Bulletin/MS09-032.mspx>
• Securing Your Web Browser - <http://www.us-cert.gov/reading_room/securing_browser/>

Feedback can be directed to US-CERT.

Produced 2009 by US-CERT, a government organization. Terms of use

July 06, 2009: Initial release
July 15, 2009: Updated Solution section with MS09-032