Bug Now Being Exploited In Microsoft Zero-Day Attacks Was Reported A Year Ago

Researchers in 2008 disclosed Windows video control vulnerability that's now spreading attacks to some .com, .org Websites

Microsoft was alerted a year ago about an unpatched video control flaw in versions of Windows XP and Windows Server 2003 that is currently being actively exploited in a wave of attacks around the world -- including on some .org and .com sites.

Microsoft yesterday issued a special security advisory on the critical vulnerability in its Video ActiveX Control and said it was aware of attacks exploiting it. The software giant recommends that users set a "kill bit" for the Video ActiveX Control to protect themselves from the attack, which could give an attacker the same local rights on the machine as the logged-on user, and which can infect IE 6 and 7 users without their clicking on any malicious links. The advisory included a link to the bug's CVE number, CVE-2008-0015.
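One way to audit and apply the kill-bit mitigation the advisory recommends, as an added PowerShell example that is not part of the article or of Microsoft's own guidance. The CLSID in it is a placeholder, since the article does not list the Video ActiveX Control's CLSIDs; the registry location and the 0x400 flag value are Internet Explorer's standard kill-bit mechanism.

```powershell
# Added example, not from the article or from Microsoft.
# Run with -Apply to set missing kill bits; without it the script only reports.
param([switch]$Apply)

# PLACEHOLDER CLSID: replace with the control CLSIDs from the vendor advisory.
$Clsids = @('{00000000-0000-0000-0000-000000000000}')

$KillBit = 0x400   # Compatibility Flags bit that stops IE from instantiating the control
$BasePaths = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'  # 32-bit IE on x64
)

function Test-KillBit {
    param([string]$Path, [string]$Clsid)
    $key = Join-Path $Path $Clsid
    if (-not (Test-Path $key)) { return $false }
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    return ($null -ne $flags) -and (($flags -band $KillBit) -ne 0)
}

function Set-KillBit {
    param([string]$Path, [string]$Clsid)
    $key = Join-Path $Path $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $current = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $current) { $current = 0 }
    # OR the kill bit in so that any other compatibility flags already set are preserved
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value ($current -bor $KillBit) -Type DWord
}

foreach ($base in $BasePaths) {
    if (-not (Test-Path $base)) { continue }   # Wow6432Node does not exist on 32-bit Windows
    foreach ($clsid in $Clsids) {
        if (Test-KillBit $base $clsid) {
            "$clsid : kill bit already set under $base"
        } elseif ($Apply) {
            Set-KillBit $base $clsid
            "$clsid : kill bit set under $base"
        } else {
            "$clsid : kill bit NOT set under $base (re-run with -Apply to set it)"
        }
    }
}
```

Setting the kill bit requires an elevated shell; the check alone does not.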

"This vulnerability was reported to Microsoft in 2008. When we were alerted in 2008, we immediately started an investigation," says Christopher Budd, Microsoft's security response communications lead. "As a result of this investigation, we chose to remove this ActiveX Control from Internet Explorer as the best way to proceed. As we wanted to be thorough, this took extra time to fully evaluate."

Budd says Microsoft is continuing to work on a patch for the vulnerability and will release it "once it has reached an appropriate level of quality for broad distribution."

So far, the attacks are mainly originating from domains in China, and mostly trying to steal online gaming credentials. But security researchers say it's a potentially dangerous exploit that could easily be used for even more nefarious purposes.

"Any user that visits these domains without having implemented the correct safety measures will likely be hit," says Ryan Smith, a researcher with Hustle Labs and a vulnerability researcher at iDefense, who, along with Alex Wheeler, first found the bug while working at IBM ISS.

Adding fuel to the fire, Metasploit today released an exploit module for the vulnerability, as well. It creates an MPEG2 file that can be planted on a Website that the attacker already controls. "So that means you already own it -- as in a criminal gang -- or you break into it," says Marcus Sachs, director of SANS Internet Storm Center. "I suspect that if there are Websites already under the control of criminal groups, they will quickly add a Metasploit-generated MPEG2 document to catch any visitors."

iDefense, meanwhile, issued a press statement today that provided additional background on the flaw and subsequent attacks. "Microsoft has been quite gracious in its efforts to share information about the process it has undergone to fix this flaw, and it has been quite diligent in its remediation efforts. The mechanics and circumstances of this flaw are quite unique, which was what caused Microsoft to take some time patching this flaw," the statement says.

Coincidentally, Smith, along with researchers Mark Dowd and David Dewey, is on deck to present a talk at Black Hat USA later this month called "The Language of Trust: Exploiting Trust Relationships in Active Content," which was to include the Video Control flaw. "When reviewing our material, [the video flaw] actually seems quite insignificant in contrast to the larger body of work our presentation covers," says Smith, who wouldn't divulge any details about the Black Hat presentation, which is scheduled to cover the issue of trust in interactive content.

The vulnerability affects Windows XP Service Pack 2 and Windows XP Service Pack 3; Windows XP Professional x64 Edition Service Pack 2; Windows Server 2003 Service Pack 2; Windows Server 2003 x64 Edition Service Pack 2; and Windows Server 2003 with SP2 for Itanium-based systems.

"It seems pretty likely that this will become a standard attack and be seen all over the place," says Randy Abrams, director of technical education at Eset. "Videos are just too tempting to people."

Abrams says it's possible the attackers discovered the flaw themselves, but this first round of attacks isn't very sophisticated. "It would suggest they got it from someone more skilled or from an inside source," Abrams says. "They really wasted a zero-day by having it download some malware with high detection rates."

A few security vendors -- including Finjan, Zscaler, Sophos, and F-Secure -- today announced their products can now detect the malware being used in the attacks.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
