In association with heise online

06 July 2009, 11:34

Web pages infect Windows PCs via new DirectShow hole

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

A new, unpatched security hole in DirectShow is reported to be already being actively exploited to infect Windows PCs. Simply visiting a manipulated web page is enough for systems to become infected. The hole is located in the msVidCtl ActiveX control for streaming videos in Internet Explorer. Specially crafted MPEG2TuneRequest objects provoke a buffer overflow which can be exploited to inject and execute arbitrary code. The exploit code is already being publicly circulated on various Chinese web pages.

Windows 2000, XP and Server 2003 are affected. The only current way of protecting systems is to set the kill bit for the vulnerable control and prevent it from being loaded in Internet Explorer. Instructions on how to set kill bits can be found in the KnowledgeBase article How to stop an ActiveX control from running in Internet Explorer. The control's CLSID is {0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}.

Microsoft has so far not provided any information about the problem. For the previous security hole in DirectShow at the end of May, Redmond offered a simple tool (Fix It) for setting and deleting the kill bit until a patch became available to solve the problem.

See also:


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit