Microsoft put out a security bulletin reporting attacks against an unpatched vulnerability in the msvidctl.dll that hosts the Microsoft Video ActiveX Control. The vulnerability is serious, per Microsoft: “An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. When using Internet Explorer, code execution is remote and may not require any user intervention.” The vulnerability was reported privately in 2008, but Microsoft does not yet have a patch ready to ship.
Trend Micro and others have reported that a growing number of web sites have been compromised and that attack code exploiting the Microsoft Video ActiveX Control vulnerability is being downloaded onto vulnerable PCs. Attacks of this type have generally used techniques like Google-hacking and spam mail to direct people to the compromised sites, so this is a serious issue. Make sure your Windows 2003 and 2008 servers are running in the default enhanced security configuration, which will help reduce successful attacks on the server side.
Not much realistic mitigation for this one, unless you are running Vista, which isn’t impacted. Microsoft has a tech bulletin out on how to disable the vulnerable Microsoft Video ActiveX control – first warning users, updating all intrusion prevention systems, and then taking that step is a prudent path for this critical vulnerability.
2 responses so far ↓
1 Wes Miller (CoreTrace Corporation) // Jul 8, 2009 at 10:41 am
Good post – this is a really bad issue, one with no fix, and only a marginal “workaround”. I noted on our blog that the workaround (http://whitespace.coretrace.com/) requires a huge registry kludge to prevent launching the control, via dozens of kill-bits. Not very scalable to put into effect.
2 John Pescatore // Jul 8, 2009 at 12:58 pm
Yes, the workaround is high touch. And you have to believe there are rapidly growing contaminated links trying to get people to click. Next Tuesday is Microsoft Vulnerability Tuesday, the day they put out patches. Hoping to see a better fix that can be pushed out then.