Plugin Spotlight: Vulnerability in Microsoft Video ActiveX Control

Browsing the web is increasingly hazardous, especially given the recently released vulnerabilities and associated exploits. It’s interesting how the vulnerabilities are being referred to as "remote". While they are remotely exploitable, there are differences in how they are executed. One form of remote exploit requires no user interaction. A process listens on a port and is exploited over the network without the end user having to perform any action. The ActiveX vulnerability referenced in this plugin is remote, but does require that the user have a web browser loaded and actually be browsing the web. The exploit can be embedded into different web pages and executed without the user's knowledge or interaction on that particular page. Exploits that are “remote” in this context, but require a user to perform an action, are called “context dependant” by several vulnerability databases. Tenable has developed a plugin to detect a vulnerability that can be exploited in this manner.

Microsoft reports that they are aware of attacks occurring that are attempting to exploit this vulnerability and has issued an advisory. The Microsoft advisory describes a workaround to use until a patch is available.

Nessus plugin 39622,Vulnerability in Microsoft Video ActiveX Control Could Allow Remote Code Execution (972890) checks for this vulnerability. It requires that you have credentials on the hosts that are being tested and checks that the appropriate workarounds and countermeasures have been put into place. Workarounds entail removing support for Class Identifiers (CLSID) associated with msvidctl.dll on Windows XP and Windows Server 2003. Plugin 39622 checks that this action has been taken on those platforms only. If "Thorough Tests" are enabled, Nessus will check extended class IDs. Following is the output of the plugin:

The plugin is available to both ProfessionalFeed and HomeFeed users as of July 7, 2009.

References

• CVE-2008-0015 Entry
• IE 0day exploit domains
• Microsoft Security Advisory: Vulnerability in Microsoft Video ActiveX control could allow remote code execution
• Poking around MSVIDCTL.DLL - An in-depth technical analysis of this vulnerability. Also provides evidence that just setting the kill bit on the Class Identifiers may not be enough to mitigate the problem.