Security Response

Another Unpatched Vulnerability is Being Massively Exploited via Internet Explorer

Created: 06 Jul 2009 17:00:19 GMT • Updated: 23 Jan 2014 18:34:20 GMT
Security Intel Analysis Team

As mentioned in a recent blog, Symantec is aware of the exploitation of a previously unknown and unpatched vulnerability affecting the Microsoft Video Streaming ActiveX control. Initially, there were limited in-the-wild attacks; however, new developments indicate that the flaw is now being exploited to great extent in China and other parts of Asia. Reports indicate that thousands of websites have been compromised and are now hosting the exploit for this issue.

Our tests show that Microsoft Windows XP systems are affected, while Windows Vista systems do not seem to be affected by the attack. The flaw lies in the “msvidctl.dll” library and can be exploited by providing a crafted file as input to the “data” parameter of the “BDATuner.MPEG2TuneRequest.1” ActiveX object. The object is associated with the following CLSID:

0955AC62-BF2E-4CBA-A2B9-A63F772D46CF


Exploits available in the wild use a .gif file as the input to the data parameter of the object. However, the file is not a real GIF file. An overflow occurs when “msvidctl.dll” parses the file, which results in the SEH handler being overwritten with 0x0C0C0C0C. This address lies in the heap, where the exploit has already placed the shellcode using heap-spray techniques.


Symantec Security Response advises users to:

• Set the kill bit associated with the control’s CLSID
• Disable execution of JavaScript in the browser
• Avoid visiting sites of questionable integrity
• Deploy NIDS to monitor traffic at the network level
• Keep antivirus definitions up to date
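
An added example of applying the first recommendation above, not code from the Symantec post: run from an elevated PowerShell prompt, it sets the kill bit for the control's CLSID in the native and, on 64-bit Windows, the Wow6432Node view of the ActiveX Compatibility key, then verifies that the flag took. The key location and the 0x400 flag value are from Microsoft's kill-bit documentation (KB 240797), not from this page.

```powershell
# Added example, not part of the Symantec post: apply and verify the kill bit
# for the BDATuner.MPEG2TuneRequest.1 control from an elevated prompt.
# Key location and the 0x400 KILL_BIT flag value are per Microsoft KB 240797.

$Clsid   = '{0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}'
$KillBit = 0x400
$SubKey  = "Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"

# Native view always; the Wow6432Node view only where it exists (64-bit hosts),
# because 32-bit IE on a 64-bit host reads the redirected hive.
$Paths = @("HKLM:\SOFTWARE\$SubKey")
if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node') {
    $Paths += "HKLM:\SOFTWARE\Wow6432Node\$SubKey"
}

function Get-CompatFlags {
    param([string]$Path)
    $item = Get-ItemProperty -Path $Path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.'Compatibility Flags'
}

function Set-KillBit {
    param([string]$Path)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    # OR the bit in so that any flags already present on the control are preserved.
    $flags = (Get-CompatFlags -Path $Path) -bor $KillBit
    New-ItemProperty -Path $Path -Name 'Compatibility Flags' -PropertyType DWord `
        -Value $flags -Force | Out-Null
}

function Test-KillBit {
    param([string]$Path)
    return (((Get-CompatFlags -Path $Path) -band $KillBit) -eq $KillBit)
}

foreach ($p in $Paths) {
    Set-KillBit -Path $p
    $state = if (Test-KillBit -Path $p) { 'set' } else { 'NOT set' }
    "{0}: kill bit {1}" -f $p, $state
}
```

The control stays blocked in Internet Explorer until the value is removed, so revert it only after a fixed msvidctl.dll has been installed and the control is actually needed.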

Symantec antivirus products detect the exploit as Downloader.Fostrem and the dropped files as Trojan Horse, Backdoor.Trojan, Infostealer, and Downloader. Symantec IPS detects the threat as “HTTP Malicious Toolkit Download Request” and “HTTP Malicious Toolkit Variant Activity.”