Published: 2009-07-07T21:30+00:00    Last Updated: 2009-07-26T02:41+00:00

Microsoft Video ActiveX Control Vulnerability (TA09-187A)


An unpatched vulnerability in the Microsoft Video ActiveX control is being used in attacks.

Event Information

Date (UTC)Description
2009-07-20 21:00 IBM Internet Security Systems
AlertCon (2) => (1)
2009-07-14 19:16 Microsoft
Microsoft Security Advisory (972890): Vulnerability in Microsoft Video ActiveX Control Could Allow Remote Code Execution
Microsoft has completed the investigation into a public report of this vulnerability. We have issued MS09-032 to address this issue.
2009-07-07 14:55 SANS Internet Storm Center
* INFOCON Status - staying green
There is adequate coverage in the security software community (IDS detection, AV detection, etc.) and Microsoft has a bulletin available we decided to stay GREEN.
2009-07-07 09:05 McAfee
An Artemis View of Zero-Day Attacks
Computer Security Research - McAfee Avert Labs Blog
In China, a new sample variant was queried by Artemis more than 180 times at more than 70 unique IP addresses (ISP, not end point) over a 24-hour period.
2009-07-07 02:33 SANS Internet Storm Center
IE 0day exploit domains (constantly updated)
This diary entry contains a list of domains that are exploiting the new IE-0day as well as secondary domains that are hosting potentially malicious binaries utilized in these attacks. This list has been produced as a combined effort of researchers, vendors, and volunteers.
2009-07-07 00:36 Trend Micro
Zero-day MPEG2TuneRequest Exploit Leads to KILLAV
TrendLabs | Malware Blog - by Trend Micro
2009-07-06 21:29 Symantec
ThreatCON (2) => (2)
On July 2, 2009, Symantec became aware of a previously unknown vulnerability affecting Microsoft Windows. This issue is being exploited in the wild in limited attacks. On July 6, 2009, Microsoft published a security advisory discussing the issue.
2009-07-06 21:14 US-CERT
TA09-187A: Microsoft Video ActiveX Control Vulnerability
Via US-CERT Mailing List
2009-07-06 19:07 SANS Internet Storm Center
0-day in Microsoft DirectShow (msvidctl.dll) used in drive-by attacks (Version: 2)
A 0-day exploit within the msVidCtl component of Microsoft DirectShow is actively being exploited through drive-by attacks using thousands of newly compromised web sites, according to CSIS. The code has been published in the public domain via a number of Chinese web sites.
2009-07-06 17:57 US-CERT
Microsoft Releases Security Advisory 972890
US-CERT Current Activity
Microsoft has released Security Advisory 972890 to alert users about a vulnerability in Microsoft Video ActiveX Control. Exploitation of this vulnerability may allow an attacker to execute arbitrary code. The advisory also indicates that Microsoft is aware of attacks attempting to exploit the vulnerability.
2009-07-06 17:55 IBM Internet Security Systems
AlertCon (1) => (2)
The IBM Internet Security Systems threat level has been raised to AlertCon 2 in response to the Microsoft DirectShow vulnerability currently being exploited in the wild.
2009-07-06 17:51 Microsoft
Microsoft Security Advisory (972890): Vulnerability in Microsoft Video ActiveX Control Could Allow Remote Code Execution
Advisory published.
Microsoft is investigating a privately reported vulnerability in Microsoft Video ActiveX Control. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. When using Internet Explorer, code execution is remote and may not require any user intervention.
2009-07-06 IBM Internet Security Systems
Multiple Microsoft Video Control ActiveX Remote Code Execution Vulnerabilities
Buffer overflow vulnerability (CVE-2008-0015)
Memory corruption vulnerability (CVE-2008-0020)
Multiple vulnerabilities were discovered in the Microsoft Video Controller ActiveX Library, MSVidCtl, which can result in reliable remote code execution.
2009-07-06 McAfee
2009-07-06 Trend Micro
Exploiting Buffer overflow vulnerability (CVE-2008-0015)
2009-07-05 Symantec
Exploiting Buffer overflow vulnerability (CVE-2008-0015)

Other Information