Microsoft Video ActiveX Control Vulnerability
Monday, 06 July 2009 20:40

National Cyber Alert System

Technical Cyber Security Alert TA09-187A

Microsoft Video ActiveX Control Vulnerability

 

 

Original release date: July 06, 2009

Source: US-CERT

Systems Affected

* Microsoft Windows XP

* Microsoft Windows Server 2003

 

Overview

 

An unpatched vulnerability in the Microsoft Video ActiveX control is being used in attacks.

 

 

I. Description

 

Microsoft has released Security Advisory (972890) to describe attacks on a vulnerability in the Microsoft Video ActiveX control. Because no fix is currently available for this vulnerability, please see the Security Advisory and US-CERT Vulnerability Note VU#180513 for workarounds.

 

 

II. Impact

 

A remote, unauthenticated attacker could execute arbitrary code with the privileges of the victim user.

 

 

III. Solution

 

Apply workarounds

Microsoft has provided workarounds for this vulnerability in Security Advisory (972890). Additional details and workarounds are provided in US-CERT Vulnerability Note VU#180513.

The most effective workaround for this vulnerability is to set kill bits for the Microsoft Video ActiveX control, as outlined in the documents noted above. Other workarounds include disabling ActiveX, as specified in the Securing Your Web Browser document, and upgrading to Internet Explorer 7 or later, which can help mitigate the vulnerability with its ActiveX opt-in feature.

 

IV. References

 

* US-CERT Vulnerability Note VU#180513 - <http://www.kb.cert.org/vuls/id/180513>

* Microsoft Security Advisory (972890) - <http://www.microsoft.com/technet/security/advisory/972890.mspx>

* Securing Your Web Browser - <http://www.us-cert.gov/reading_room/securing_browser/>

 

 

