Security Response

It's Independence Day weekend in the United States and many folks are out at picnics, barbeques, and catching firework shows. However, some of us here in the security industry missed out on these events due a new exploit for a zero-day vulnerability in Microsoft's Video Streaming ActiveX control that we discovered in the wild right before the weekend started.

The exploit uses a specially crafted JavaScript file, along with a data file, to take advantage of a vulnerability in the IMPEG2TuneRequest DirectX object interface located in the Msvidctl.dll file. When a user visits a malicious website hosting these files, the vulnerability allows remote code execution and malicious files are downloaded.

Windows XP users with Internet Explorer 6 and 7 are in danger, but those with Internet Explorer 8 installed are not vulnerable. Preliminary testing shows that computers running Windows Vista are not affected by the attack....