Symantec Blogs: Security Response

Liam O Murchu | June 19th, 2009

In part one of this blog, I gave an overview of the exploitation flow for the recent DirectShow vulnerability. With no patch for this vulnerability available as of yet, the fact that we are seeing this exploit used more commonly in the wild is worrying. In this article I will discuss the exploit, how it works, and mitigation strategies to protect against it.

To get straight to the mitigation strategies, jump to the bottom of the page. This vulnerability does not exist in Vista or Windows Server 2008.

The Vulnerability

To trigger this vulnerability, attackers are currently enticing users to visit a malicious page. Attackers have become quite adept at doing this by embedding iframe tags in legitimate pages, among other techniques. This is the most likely attack vector. We have seen iframe tags pointing to this exploit inside phishing pages already and we do expect to see iframe tags added...

Liam O Murchu | June 17th, 2009

In this article I will outline the stages involved in the full exploitation of the recent DirectShow vulnerability. In particular, I will discuss a specific example of how this exploit was used in the wild. The recent DirectShow vulnerability was interesting for a number of reasons; to explore each of those reasons in detail, I will first give an overview of the entire exploitation flow, and then explore individual portions in more detail.

Some of the first pages to use this exploit for this vulnerability in the wild were linked from phishing pages. The phishing pages in question not only attempted to steal the visitors’ login credentials, but also silently redirected users to a malicious Web page hosting an exploit for the DirectShow vulnerability (CVE-2009-1537). This malicious Web page loads a corrupt .avi file that exploits the vulnerability and also loads some additional...

Robert Keith | June 9th, 2009

Hello and welcome to this month’s blog on the Microsoft patch releases. This is a very heavy month—the vendor is releasing 10 bulletins covering a total of 31 vulnerabilities, which is the largest number of vulnerabilities covered in a single "Patch Tuesday" since Microsoft started the monthly patch program.

A video of Symantec Security Response’s John Harrison discussing the vulnerabilities addressed this month can be viewed here: http://www.youtube.com/watch?v=-X51L07fk48

Seventeen of the issues are rated “Critical” and affect Office, Print Spooler, Excel, Word, Internet Explorer, and Active Directory. The more severe of the two Active Directory issues can be remotely exploited to gain complete access to a vulnerable computer. In most cases, the remaining “Critical” issues require some sort of user interaction to trigger (e.g. visiting a...