National Cyber Alert System
Technical Cyber Security Alert TA09-187A
Microsoft Video ActiveX Control Vulnerability
Original release date: July 06, 2009
* Microsoft Windows XP
* Microsoft Windows Server 2003
An unpatched vulnerability in the Microsoft Video ActiveX control
is being used in attacks.
Microsoft has released Security Advisory (972890) to describe
attacks on a vulnerability in the Microsoft Video ActiveX control.
Because no fix is currently available for this vulnerability,
please see the Security Advisory and US-CERT Vulnerability Note
VU#180513 for workarounds.
A remote, unauthenticated attacker could execute arbitrary code
with the privileges of the victim user.
Microsoft has provided workarounds for this vulnerability in
Security Advisory (972890). Additional details and workarounds are
provided in US-CERT Vulnerability Note VU#180513.
The most effective workaround for this vulnerability is to set kill
bits for the Microsoft Video ActiveX control, as outlined in the
documents noted above. Other workarounds include disabling
ActiveX, as specified in the Securing Your Web Browser document,
and upgrading to Internet Explorer 7 or later, which can help
mitigate the vulnerability with its ActiveX opt-in feature.
* US-CERT Vulnerability Note VU#180513 –
* Microsoft Security Advisory (972890) –
* Securing Your Web Browser –