Microsoft knew about the DirectShow vulnerability a year ago - Update
Microsoft was apparently informed of the recently disclosed vulnerability in the DirectShow video ActiveX control a full year ago. According to a number of anti-virus software vendors, the vulnerability is currently being exploited by thousands of specially crafted websites to infect visitors' PCs with malware.
Christopher Budd of Microsoft's Security Response Center has confirmed to US media that the vulnerability was reported to Microsoft by security specialists Ryan Smith and Alex Wheeler of IBM's X-Force, back in 2008. According to Budd, Microsoft began looking into the problem straight away and came to the conclusion that the best solution would be to remove the affected ActiveX control from Internet Explorer completely. However, it has taken a considerable amount of time to properly evaluate the effects of removal.
According to Budd, Microsoft is now working on a patch, which they will make available as soon as it meets the quality standards necessary for large-scale distribution. Until then, the company has made a fix-it tool available that users can apply to quickly and simply disable system support for the vulnerable control. According to current analysis, only users of Internet Explorer 6 and 7 under Windows XP and Server 2003 are affected.
Vista and Internet Explorer 8 users are not vulnerable, although to be on the safe side Microsoft is recommending that they should also avail themselves of the fix-it tool. According to a report from IBM's X-Force, Windows can also load the control when starting Office and WordPad. The IBM team has reported that there is a further vulnerability in the control, which can also be used to inject and execute code.
With the appearance of a Metasploit module for exploiting the vulnerability, specially crafted MPEG2 files are likely to appear on more websites in the near future. Windows users are advised to download and run the fix-it tool.
Update: In a later telephone conversation Microsoft told heise Security that only one vulnerability had been reported in 2008. Microsoft now say that users of Internet Explorer 8 will also be vulnerable because the second hole in the DirectShow ActiveX control is not browser specific.
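The fix-it tool the article mentions disables the control at the system level. An administrator who wants to verify on a fleet of machines that the mitigation actually landed can check the Internet Explorer "kill bit" for the control's CLSID. The following PowerShell script is an added example written for this page, not Microsoft's fix-it and not code from the article or from IBM X-Force. It assumes the fix-it works through the standard ActiveX Compatibility kill bit (the `Compatibility Flags` value `0x400` under `HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}`), and the CLSID it uses is a placeholder that must be replaced with the one named in the vendor advisory.

```powershell
# Added example (not from the article, Microsoft or IBM X-Force): audit, and optionally set,
# the Internet Explorer kill bit for an ActiveX control identified by its CLSID.
# Assumption: the mitigation uses the standard kill-bit mechanism, i.e. the DWORD
# "Compatibility Flags" with bit 0x400 set under the ActiveX Compatibility key.
# The default CLSID below is a PLACEHOLDER; pass the real one from the vendor advisory.
param(
    [string]$Clsid = '{00000000-0000-0000-0000-000000000000}',  # placeholder, not the real CLSID
    [switch]$Set                                                 # when present, set the kill bit
)

$KillBit   = 0x400
$ValueName = 'Compatibility Flags'

# Both registry views: native hive and, on 64-bit Windows, the 32-bit (WOW64) view,
# because 32-bit Internet Explorer reads the Wow6432Node copy.
$BasePaths = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
) | Where-Object { Test-Path (Split-Path $_ -Parent) }

function Test-KillBit {
    # Returns $true only if the key exists and bit 0x400 is set in Compatibility Flags.
    param([string]$KeyPath)
    if (-not (Test-Path $KeyPath)) { return $false }
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    return (([int]$item.$ValueName -band $KillBit) -eq $KillBit)
}

function Set-KillBit {
    # Creates the CLSID key if needed and ORs the kill bit into Compatibility Flags,
    # preserving any other flag bits already present.
    param([string]$KeyPath)
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    $item    = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    $current = if ($null -eq $item) { 0 } else { [int]$item.$ValueName }
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord `
        -Value ($current -bor $KillBit) -Force | Out-Null
}

foreach ($base in $BasePaths) {
    $keyPath = Join-Path $base $Clsid
    if (Test-KillBit -KeyPath $keyPath) {
        Write-Output "OK      kill bit set for $Clsid under $base"
        continue
    }
    if ($Set) {
        Set-KillBit -KeyPath $keyPath
        Write-Output "FIXED   kill bit now set for $Clsid under $base"
    } else {
        Write-Output "MISSING kill bit not set for $Clsid under $base (run with -Set or apply the vendor fix-it)"
    }
}
```

Run it elevated; without `-Set` it only reports. Note the limit the article's update makes clear: the kill bit stops Internet Explorer from instantiating the control, but the second hole is described as not browser specific and X-Force reports the control can also be loaded by Office and WordPad, so a kill-bit check confirms the browser-side workaround and nothing more. The vendor patch, once released, remains the actual fix.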
- Microsoft issues quick fix for critical vulnerability in DirectShow, a report from The H.
- Web pages infect Windows PCs via new DirectShow hole, a report from The H.
- Multiple Microsoft Video Control ActiveX Remote Code Execution Vulnerabilities, advisory from IBM X-Force.