Post #1 - Jun 18 2009, 06:32 PM
AplusWebMaster (Group: Authentic Member, Posts: 4,575, Joined: 30-December 03, From: USA, Member No.: 1,643, Operating System: XP/SP3)
FYI...

- http://support.microsoft.com/kb/971778#FixItForMeAlways (Get the Enable Workaround "FixIt" here. MUST be run in Admin mode.)
- http://web.nvd.nist.gov/view/vuln/detail?v...d=CVE-2009-1537 CVSS v2 Base Score: 9.3 (HIGH)
- http://preview.tinyurl.com/luqvka 06-17-2009 Symantec Security Response Blog - "... Some of the first pages to use this exploit for this vulnerability in the wild were linked from phishing pages. The phishing pages in question not only attempted to steal the visitors’ login credentials, but also silently redirected users to a malicious Web page hosting an exploit for the DirectShow vulnerability (CVE-2009-1537). This malicious Web page loads a corrupt .avi file that exploits the vulnerability and also loads some additional malicious .dlls to facilitate reliable exploitation of the user’s machine... The malicious .dlls in turn download an encoded .exe payload that, in this case, ultimately leads to Trojan.Cipevas being loaded on to the victim’s machine. Trojan.Cipevas then connects back to the attackers’ website (the same one where the exploit page is hosted), sends some minimal user information to the attacker and then waits for further commands from the attacker... The phishing page observed in this case was for a well-known webmail login page... The attackers were hosting the fake login page on their own servers, so the URL displayed in the location bar was obviously not the real URL you would expect to see... although the main purpose of this fake login page is to steal user credentials, the page also contains an iframe that redirects to the DirectShow exploit page. As usual in these types of attacks, the width and height of the iframe are set to zero to hide it from the user... it is not a typical buffer overflow/heap corruption vulnerability; rather, the vulnerability only allows one byte in memory to be overwritten. This means that the creator of the exploit code had to think outside the box to get this vulnerability to be exploitable..."

(Screenshots available at the Symantec URL above.)

This post has been edited by AplusWebMaster: Jul 8 2009, 10:23 AM
Reason for edit: Simplification of "FixIt"...
Post #2 - Jun 19 2009, 05:41 PM
AplusWebMaster
FYI...

DirectShow Exploit In the Wild, Part II
- http://preview.tinyurl.com/lhmtkd 06-19-2009 Symantec Security Response Blog - "... With no patch for this vulnerability available as of yet, the fact that we are seeing this exploit used more commonly in the wild is worrying... To trigger this vulnerability, attackers are currently enticing users to visit a malicious page. Attackers have become quite adept at doing this by embedding iframe tags in legitimate pages, among other techniques. This is the most likely attack vector. We have seen iframe tags pointing to this exploit inside phishing pages already and we do expect to see iframe tags added to more pages. The vulnerability exists in the code within Microsoft DirectX and can be triggered by a specially crafted QuickTime media file. The attackers’ Web page will try to play the malicious QuickTime file, not using the QuickTime player, but using Windows Media Player instead. This will trigger the vulnerability and allow the attacker to execute code on the visitor’s computer. The vulnerable code exists in quartz.dll and is a null-byte overwrite. It allows the attacker to overwrite just one byte of memory with a null byte... (end-user) work-around*."

* http://support.microsoft.com/kb/971778#FixItForMeAlways

This post has been edited by AplusWebMaster: Jul 8 2009, 10:04 AM
Post #3 - Jul 6 2009, 06:11 AM
AplusWebMaster
FYI...

0-day in MS DirectShow (msvidctl.dll) used in drive-by attacks
- http://isc.sans.org/diary.html?storyid=6733 Last Updated: 2009-07-06 08:56:55 UTC - "A 0-day exploit within the msVidCtl component of Microsoft DirectShow is actively being exploited through drive-by attacks using thousands of newly compromised web sites, according to CSIS. The code has been published in the public domain via a number of Chinese web sites. Please keep a watchful eye on your AV and IDS/IPS vendors' updates to ensure coverage as early as possible on this exploit as it is likely to be widely deployed with the code being available. A valid work around for the attack vector is available which sets the kill bit on the vulnerable DLL."

```reg
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}]
"Compatibility Flags"=dword:00000400
```

- http://securitylabs.websense.com/content/Alerts/3432.aspx 07.06.2009 - "Websense... is currently tracking -legitimate- sites that have been compromised to lead to a zero-day exploit targeting an Internet Explorer vulnerability. The compromised sites lead to a handful of payload sites hosting the exploit code which targets msvidctl.dll - an ActiveX control for streaming video. The new zero-day exploit has been added to other exploits on Chinese payload sites. We have been monitoring these sites, which have been systematically injected throughout the last year..."
- http://secunia.com/advisories/35683/2/
  Release Date: 2009-07-06
  Critical: Extremely critical
  Impact: System access
  Where: From remote
  Solution Status: Unpatched
  OS: Microsoft Windows XP Home Edition, Microsoft Windows XP Professional ...
  "... The vulnerability is caused due to a boundary error in the ActiveX control for streaming video (msvidctl.dll) and can be exploited to cause a stack-based buffer overflow via specially crafted image content. Successful exploitation allows execution of arbitrary code when a user e.g. visits a malicious website. NOTE: The vulnerability is currently being actively exploited... Solution: Set the kill-bit for the affected ActiveX control..."

>>> http://support.microsoft.com/kb/972890#FixItForMe July 6, 2009 (Get the Enable Workaround "FixIt" here. MUST be run in Admin mode.)

This post has been edited by AplusWebMaster: Jul 8 2009, 10:22 AM
Reason for edit: Simplification of "FixIt"...
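An added check for the kill-bit work-around above, written for this thread and not taken from the original post, the ISC diary or Microsoft's FixIt: it reads the "Compatibility Flags" value for the CLSID quoted in the diary and, with -Set, ORs in the kill bit (0x400) instead of overwriting the value. The Wow6432Node path is an assumption for 64-bit hosts.

```powershell
# Added example (not from the original post or Microsoft's FixIt package).
# Reports whether the IE kill bit is set for the msvidctl.dll ActiveX control
# and, when run with -Set in an elevated session, sets it.
param([switch]$Set)

$clsid   = '{0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}'   # CLSID from the ISC diary
$killBit = 0x400                                       # "Compatibility Flags" kill-bit flag
$base    = 'Microsoft\Internet Explorer\ActiveX Compatibility'
$paths   = @("HKLM:\SOFTWARE\$base\$clsid")
# Assumption: on 64-bit Windows, 32-bit IE reads the WOW64 view, so check that too.
if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node') {
    $paths += "HKLM:\SOFTWARE\Wow6432Node\$base\$clsid"
}

foreach ($path in $paths) {
    $flags = $null
    if (Test-Path $path) {
        $flags = (Get-ItemProperty -Path $path -Name 'Compatibility Flags' `
                  -ErrorAction SilentlyContinue).'Compatibility Flags'
    }
    $flagsText = if ($null -eq $flags) { 'absent' } else { '0x{0:X8}' -f $flags }
    $isSet = ($null -ne $flags) -and (($flags -band $killBit) -ne 0)

    if ($isSet) {
        Write-Output ("KILL BIT SET   (flags={0}) {1}" -f $flagsText, $path)
        continue
    }
    Write-Output ("KILL BIT CLEAR (flags={0}) {1}" -f $flagsText, $path)

    if ($Set) {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        # Keep any flags already present; only OR in the kill bit. The .reg file in the
        # diary writes 0x00000400 outright, which is equivalent when no other flags exist.
        $new = [int]$flags -bor $killBit
        Set-ItemProperty -Path $path -Name 'Compatibility Flags' -Value $new -Type DWord
        Write-Output ("  -> Compatibility Flags now 0x{0:X8}" -f $new)
    }
}
```

Reading works without elevation; writing with -Set requires an elevated prompt, the same condition the FixIt links above state.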
Post #4 - Jul 7 2009, 04:12 AM
AplusWebMaster
FYI...

IE 0day exploit domains...
- http://isc.sans.org/diary.html?storyid=6739 Last Updated: 2009-07-07 02:33:54 UTC - "This diary entry contains a list of domains that are exploiting the new IE-0day as well as secondary domains that are hosting potentially malicious binaries utilized in these attacks. This list has been produced as a combined effort of researchers, vendors, and volunteers. You can thank the groups below for their efforts and their willingness to share this information with the public. This list is intended to serve as a quick way to provide protection against these attacks by identifying domains that are hosting these (and potentially other) exploits. This list is not formatted for any specific file format, it is up to you the reader to translate this data into the proper formatting that your environment requires... The information provided has had varying degrees of verification performed on it. As such this information is provided as is. There may very well be mistakes, mistakes that may result in legitimate sites being blocked if you choose to use this list as a block list..."
Post #5 - Jul 7 2009, 06:37 AM
AplusWebMaster
FYI...

0-day exploit leads to KILLAV
- http://blog.trendmicro.com/zero-day-micros...killav-malware/ July 6, 2009 - "... Around 967 Chinese websites are reported to be infected by a malicious script that leads users to successive site redirections and lands them to download a .JPG file containing the exploit. Trend Micro detects it as JS_DLOADER.BD... Upon successful exploitation, the script downloads another malware detected as WORM_KILLAV.AI. This malware disables and terminates antivirus software processes, and drops other malware on the affected system..."

(Screenshots available at the URL above.)

Edit/update - see: http://secunia.com/advisories/35683/2/ Last Update: 2009-07-14
Solution Status: Vendor Patch
MS09-032 (KB973346): http://www.microsoft.com/technet/security/...n/MS09-032.mspx ...

This post has been edited by AplusWebMaster: Jul 30 2009, 07:06 AM