Microsoft Video ActiveX Control Vulnerability

Microsoft is recommending setting the kill bit for an ActiveX control object, MPEG2TuneRequest, to block an in-the-wild zero-day exploit that allows remote code execution when a user browses a web site hosting the exploit with Internet Explorer. No user interaction is required beyond accessing the hosting web site in Internet Explorer, and any resulting exploit code runs with the same rights as the local user (so for a user running as an administrator, the exploit code runs in an administrative context). Microsoft reports that this control has no legitimate use in IE, so there is no reason to wait for a Microsoft patch before disabling it.

Background

The news hit the web at large on July 6th when Microsoft released advisory 972890; IBM ISS, however, reports a first known exploit on June 11th. The vulnerability was discovered by researchers Alex Wheeler and Ryan Smith (ISS employees at the time) and reported to Microsoft in 2008, which has drawn criticism from at least one reporter covering the IT marketplace, eWeek’s Brian Prince. The problem is thought to have been present since IE version 6, SP1.

Exploit Details

The exploit is described by MSRC engineer Chengyun Chu as a “browse and get owned” attack vector. Once the user navigates to a web site purposely hosting the exploit, or one that has been compromised to host it, no further user interaction is required. In-the-wild examples (approximately 967 Chinese web sites according to Trend Micro) have used both .gif and .jpg files containing the exploit. Trend Micro found web sites that redirect the user multiple times before eventually loading a .jpg file carrying the exploit, which on success loads malware called WORM_KILLAV.AI. As its name suggests, this malware terminates antivirus processes and loads additional malicious code.

The exploit is based on an overflow condition created in the msvidctl.dll library when a crafted file is provided as input, causing a handler to be overwritten so that it points to the exploit’s shellcode, already placed in the heap via heap spraying. The object that accepts the crafted input, BDATuner.MPEG2TuneRequest.1, is associated with CLSID 0955AC62-BF2E-4CBA-A2B9-A63F772D46CF, so this is the primary CLSID for which a kill bit needs to be set. Microsoft, however, recommends setting the kill bit for all of the ActiveX control objects hosted by msvidctl.dll.

As security vendors such as Symantec, ISS, and others are aware of the problem, antivirus and IDS signatures are either available or forthcoming.

Work Around Details

Microsoft provides an automated Fix it which disables attempts to instantiate the COM object in Internet Explorer by setting the kill bit for the control in the registry. This involves adding a DWORD value to 45 keys in the registry representing Class Identifiers that relate to the Microsoft Video ActiveX Control. More information can be found in the [security advisory](http://www.microsoft.com/technet/security/advisory/972890.mspx).

To implement the workaround on a single computer, you can manually enter the DWORD value 1024 (0x00000400) for each of the 45 class IDs, or run this reg file containing the values.

For an enterprise environment, you have two options to deploy this workaround to your workstations. First, through the use of a computer startup script, you can add the execution of a reg file with the values for computers to launch at startup. The second option is to add a custom ADM file to a group policy object which is applied to your workstations. Which option to choose depends on preference and your environment.

Computer Start-up Script

You may already have a group policy with a computer startup script enabled. Add a line which executes this reg file. A computer startup script is suggested because a user logon script runs in the user’s context, and the user may not have permission to modify the necessary keys. You can find more information on configuring computer startup scripts here.
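The following PowerShell script is an added example (not the advisory’s Fix it, the reg file, or any code from the original post) that does the same job as the manual DWORD edit above and can be run as a computer startup script: it sets the kill bit for each listed CLSID and then reads the key back to verify it. Only the CLSID named on this page is included; the remaining CLSIDs from advisory 972890 are left as a placeholder comment. It assumes PowerShell 2.0 or later and an elevated context, since the keys live under HKLM.

```powershell
# Added example (not from Microsoft advisory 972890 or the original post).
# Sets and verifies the ActiveX kill bit for the MPEG2TuneRequest control.
# Must run elevated (or as a computer startup script), because it writes HKLM.

$KillBitClsids = @(
    '{0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}'   # BDATuner.MPEG2TuneRequest.1 (named in the post)
    # '{CLSID-PLACEHOLDER}'                    # add the remaining CLSIDs from advisory 972890 here
)

# Bit 0x400 of "Compatibility Flags" is the kill bit: IE refuses to
# instantiate any control whose CLSID key carries it.
$KillBit    = 0x00000400
$CompatRoot = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

function Set-ActiveXKillBit {
    param([Parameter(Mandatory = $true)][string]$Clsid)
    $key = Join-Path $CompatRoot $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # OR the kill bit into any flags already present instead of blindly
    # writing 1024, so other compatibility flags on the key survive.
    $current = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    $new = [int]$current -bor $KillBit          # [int]$null is 0 when the value is absent
    New-ItemProperty -Path $key -Name 'Compatibility Flags' -PropertyType DWord -Value $new -Force | Out-Null
}

function Test-ActiveXKillBit {
    param([Parameter(Mandatory = $true)][string]$Clsid)
    $key = Join-Path $CompatRoot $Clsid
    if (-not (Test-Path $key)) { return $false }
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    return (([int]$flags -band $KillBit) -eq $KillBit)
}

foreach ($clsid in $KillBitClsids) {
    Set-ActiveXKillBit -Clsid $clsid
    if (Test-ActiveXKillBit -Clsid $clsid) {
        Write-Output "$clsid : kill bit set"
    } else {
        Write-Output "$clsid : kill bit NOT set - check that the script ran elevated"
    }
}
```

Test-ActiveXKillBit on its own is useful as an audit step after either deployment option: run it against every CLSID from the advisory on a sample of workstations to confirm the policy or startup script actually landed before assuming the workaround is in place.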

Custom ADM File in Group Policy

The challenge with an ADM file for this particular workaround is that each class ID which needs to be modified is a separate key in the registry rather than a value under one key. So, instead of creating a single configuration entry in a group policy object that would modify every value, you have to have a policy entry for each key. Fortunately, the legwork has been done in this example custom ADM file, which you can cut and paste into a larger file you may already have.
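To make the one-policy-per-key point concrete, here is an added ADM fragment written for this page (it is not the author’s example file). It defines one POLICY for the CLSID named in the post; each additional CLSID from advisory 972890 needs its own POLICY block with its own KEYNAME, because the kill bit lives in a per-CLSID key. The KEYNAME is not under a Policies key, which is what makes this an unmanaged, tattooing setting and why the filter described below has to be changed before it appears in the editor.

```ini
; Added example ADM fragment (not the original post's file).
; One POLICY per CLSID: each kill bit is a separate registry key, not a value
; under a shared key, so a single policy entry cannot cover all 45 of them.
; Repeat the POLICY block for every remaining CLSID listed in advisory 972890.
CLASS MACHINE
CATEGORY !!Cat_VideoActiveX
  POLICY !!Pol_MPEG2TuneRequest
    ; Key is outside the Policies hive, so this is an unmanaged (tattooing) setting.
    KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}"
    EXPLAIN !!Exp_KillBit
    VALUENAME "Compatibility Flags"
    VALUEON  NUMERIC 1024
    VALUEOFF NUMERIC 0
  END POLICY

  ; POLICY !!Pol_NextClsid
  ;   KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID-PLACEHOLDER}"
  ;   ... same VALUENAME / VALUEON / VALUEOFF as above ...
  ; END POLICY
END CATEGORY

[strings]
Cat_VideoActiveX="Microsoft Video ActiveX Control kill bits (advisory 972890)"
Pol_MPEG2TuneRequest="Kill bit: BDATuner.MPEG2TuneRequest.1 {0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}"
Exp_KillBit="Enabled writes Compatibility Flags = 0x400 (1024) so Internet Explorer refuses to instantiate the control. Disabled writes 0, which re-enables the control. Not Configured leaves the registry untouched; because this is an unmanaged setting, a value already written stays in place."
```

Two caveats follow from the syntax: VALUEON NUMERIC 1024 overwrites the whole DWORD, so any other compatibility flags already set on that key are lost, and because the setting tattoos the registry, removing the GPO later does not clear the kill bit; you would have to set the policy to Disabled (or delete the value) explicitly.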

Save the file where your GPO editor can browse to it. In Computer Configuration, Administrative Templates, right-click and select Add/Remove Templates. Once you add the template, you’ll have to ensure your filtering is set up to show “unmanaged” group policies, which are basically custom ADM entries that tattoo the registry. Under Filtering in your GPO editor, uncheck the option as shown:

(screenshot: gpedit filtering options)

Once the ADM is added, and the filter option is cleared, you will see the configuration entries for the Microsoft Video ActiveX kill bit. Set them all to Enabled as shown:

(screenshot: gpedit kill bit entries set to Enabled)

Once you link the policy to all your Windows XP and Windows Server 2003 computers, the workaround is implemented.

ActiveX

ActiveX, while largely associated with Internet browsing, is not a program that runs inside the browser but rather a technology used throughout the Windows operating system. While only Windows XP and certain configurations of Windows Server 2003 are affected, a similar control does exist in Windows Vista and Server 2008 that is not vulnerable.

Example Exploits

Both links provide example exploit code:

References

Vulnerability Cross Reference


Comments (2)


  1. Mike says:

    Excellent article, great links and documentation on how to implement the fix for this exploit.

    Again, excellent job.

    Mike

  2. Other variant is possible also