Attacks/Breaches
7/7/2009
05:29 PM

Bug Now Being Exploited In Microsoft Zero-Day Attacks Was Reported A Year Ago

Researchers in 2008 disclosed Windows video control vulnerability that's now spreading attacks to some .com, .org Websites

Microsoft was alerted a year ago about an unpatched video control flaw in versions of Windows XP and Windows Server 2003 that is currently being actively exploited in a wave of attacks around the world -- including on some .org and .com sites.

Microsoft yesterday issued a special security advisory on the critical vulnerability in its Video ActiveX Control, and said it was aware of attacks exploiting it. The software giant recommends that users set a "kill bit" for the Video ActiveX Control to protect themselves from the attack, which could let an attacker gain the same local rights as the logged-on user and infect Internet Explorer 6 and 7 users without their clicking any malicious link. The advisory included a link to the bug's CVE number, CVE-2008-0015.
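The "kill bit" the advisory refers to is a Compatibility Flags value of 0x400 under the ActiveX Compatibility registry key, which stops Internet Explorer from instantiating a control by CLSID. The following PowerShell is an added example, not code from the article or from Microsoft's advisory, that audits whether the kill bit is set for a list of CLSIDs and optionally sets it; the CLSID in the default list is a placeholder, and the real control CLSIDs must be taken from the advisory.

```powershell
# Added example: audit (and optionally set) the IE ActiveX kill bit for given CLSIDs.
# The default CLSID is a PLACEHOLDER; substitute the CLSIDs listed in Microsoft's advisory.
param(
    [string[]]$Clsids = @('{00000000-0000-0000-0000-000000000000}'),  # placeholder CLSID
    [switch]$Set
)

$KillBit = 0x400   # Compatibility Flags bit that tells IE not to load the control
$Base    = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

function Test-KillBit {
    param([string]$Clsid)
    $key = Join-Path $Base $Clsid
    if (-not (Test-Path $key)) { return $false }
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
              -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $flags) { return $false }
    return (($flags -band $KillBit) -eq $KillBit)
}

function Set-KillBit {
    param([string]$Clsid)
    $key = Join-Path $Base $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $existing = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                 -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $existing) { $existing = 0 }
    # OR the bit in so that any other compatibility flags already present are kept
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' `
        -Value ($existing -bor $KillBit) -Type DWord
}

foreach ($c in $Clsids) {
    if (Test-KillBit $c)  { "$c : kill bit SET" }
    elseif ($Set)         { Set-KillBit $c; "$c : kill bit set now" }
    else                  { "$c : kill bit NOT set" }
}
```

Run it elevated; on 64-bit Windows the 32-bit browser reads the same key under HKLM:\SOFTWARE\Wow6432Node, so audit that path as well.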

"This vulnerability was reported to Microsoft in 2008. When we were alerted in 2008, we immediately started an investigation," says Christopher Budd, Microsoft's security response communications lead. "As a result of this investigation, we chose to remove this ActiveX Control from Internet Explorer as the best way to proceed. As we wanted to be thorough, this took extra time to fully evaluate."

Budd says Microsoft is continuing to work on a patch for the vulnerability and will release it "once it has reached an appropriate level of quality for broad distribution."

So far, the attacks are mainly originating from domains in China, and mostly trying to steal online gaming credentials. But security researchers say it's a potentially dangerous exploit that could easily be used for even more nefarious purposes.

"Any user that visits these domains without having implemented the correct safety measures will likely be hit," says Ryan Smith, a researcher with Hustle Labs and a vulnerability researcher at iDefense, who, along with Alex Wheeler, first found the bug while working at IBM ISS.

Adding fuel to the fire, Metasploit today released an exploit module for the vulnerability, as well. It creates an MPEG2 file that can be planted on a Website that the attacker already controls. "So that means you already own it -- as in a criminal gang -- or you break into it," says Marcus Sachs, director of SANS Internet Storm Center. "I suspect that if there are Websites already under the control of criminal groups, they will quickly add a Metasploit-generated MPEG2 document to catch any visitors."

iDefense, meanwhile, issued a press statement today that provided additional background on the flaw and subsequent attacks. "Microsoft has been quite gracious in its efforts to share information about the process it has undergone to fix this flaw, and it has been quite diligent in its remediation efforts. The mechanics and circumstances of this flaw are quite unique, which was what caused Microsoft to take some time patching this flaw," the statement says.

Coincidentally, Smith, along with researchers Mark Dowd and David Dewey, is on deck to present a talk at Black Hat USA later this month called "The Language of Trust: Exploiting Trust Relationships in Active Content," which was to include the Video Control flaw. "When reviewing our material, [the video flaw] actually seems quite insignificant in contrast to the larger body of work our presentation covers," says Smith, who wouldn't divulge any details about the Black Hat presentation, which is scheduled to cover the issue of trust in interactive content.

The vulnerability affects Windows XP Service Pack 2 and Windows XP Service Pack 3; Windows XP Professional x64 Edition Service Pack 2; Windows Server 2003 Service Pack 2; Windows Server 2003 x64 Edition Service Pack 2; and Windows Server 2003 with SP2 for Itanium-based systems.

"It seems pretty likely that this will become a standard attack and be seen all over the place," says Randy Abrams, director of technical education at Eset. "Videos are just too tempting to people."

Abrams says it's possible the attackers discovered the flaw themselves, but this first round of attacks isn't very sophisticated, he says. "It would suggest they got it from someone more skilled or from an inside source," Abrams says. "They really wasted a zero-day by having it download some malware with high detection rates."

A few security vendors -- including Finjan, Zscaler, Sophos, and F-Secure -- today announced their products can now detect the malware being used in the attacks.


Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ...
