English
The Internet threat alert status is currently normal. At present, no major epidemics or other serious incidents have been recorded by Kaspersky Lab’s monitoring service. Internet threat level: 1
Latest posting
By rating
By popularity

Join our blog

You can contribute to our blog if you have +100 points. Comment on articles and blogposts, and other users will rate your comments. You receive points for positive ratings.

The msvidctl Internet Explorer 0day

Georg 'oxff' Wicherski
Kaspersky Lab Expert
Posted July 07, 15:58  GMT
Tags: Microsoft ActiveX, Microsoft Internet Explorer
0
 

As you've probably already heard, there's a dangerous vulnerability in Internet Explorer 6 & Internet Explorer 7 being exploited in the wild. The vulnerability affects Windows XP Service Pack 0 to Service Pack 3. Microsoft hasn't released a patch yet, but they have provided a work-around.

Some people have simply recommended turning off JavaScript to mitigate this issue. However this vulnerability is a trivial buffer overflow which makes it possible to overwrite the SEH handler. Thus, heap spraying is not required and turning off JavaScript only mitigates attacks from less skilled attackers. I put a bit of time into researching this -it very quickly became clear that this vulnerability doesn't rely on JavaScript, i.e. it can be exploited with JavaScript turned off:

The vulnerability allows arbitrary code execution and we therefore strongly recommend that you should apply the workaround from Microsoft's advisory or turn off ActiveX altogether. Otherwise you will be at risk of exploitation of Internet Explorer 6 and Internet Explorer 7.

We've added generic detection for the actual exploit as Exploit.Win32.Direktshow and the often accompanying JavaScript as Exploit.JS.Direktshow.

(08.07, 15.04: edited to correct typo in the Service Pack information.)


Comments

If you would like to comment on this article you must first
login


Bookmark and Share
Share

Analysis

Blog