Danger through DirectAnimation in Internet Explorer
A demo exploiting a security hole in an ActiveX control has been published on a security mailing list. The flaw can be used to plant and execute code via Internet Explorer, for example through specially prepared websites that install spyware on a visitor's computer, a trick that has been used many times before. Microsoft has confirmed the flaw and has already released an advisory on it: the problem is currently under investigation, and a fix will be released with an upcoming security bulletin. The company does not mention a concrete time frame.
The problem is based on a programming error in the daxctle.ocx ActiveX control that can lead to a buffer overflow on the heap. The control belongs to DirectAnimation, which is in turn a component of DirectX and is used to display animated multimedia content. The published proof-of-concept exploit clearly does not function reliably, and then only with Chinese versions of Windows, yet for some reason it carries the comment "public version". The security company Secunia also reports that it has verified that the error can be exploited in a targeted manner on a completely patched system running Windows XP Service Pack 2.
Microsoft's advisory describes a series of workarounds to protect against the flaw until a patch is released. They essentially involve deactivating ActiveX in Internet Explorer's settings, or at least setting it to prompt the user before allowing code to execute. The heisec Browsercheck at heise Security also shows how to configure Internet Explorer to run more safely. Users with advanced knowledge can deactivate the DirectAnimation control by setting its kill bit in the registry. Because alternative browsers like Firefox or Opera do not execute ActiveX, they are not affected by the problem.
- Vulnerability in the Microsoft DirectAnimation Path ActiveX Control Could Allow Remote Code Execution, security advisory from Microsoft
- Microsoft DirectAnimation Path ActiveX control fails to validate input, security advisory from US-CERT