
DOE-CIRC TECHNICAL BULLETIN

T-178: Microsoft Windows 'msvidctl.dll' ActiveX Control Unspecified Remote Memory Corruption Vulnerability

[CVE-2008-0020]

July 7, 2009 13:00 GMT

PROBLEM: Microsoft Windows is prone to a remote memory-corruption vulnerability that affects the Video Control ActiveX control.
PLATFORM: Windows XP SP3, Windows Server 2003
ABSTRACT: msvidctl.dll hosts 45 ActiveX objects that are not meant to be used in IE. At least one of these, the MPEG2TuneRequest ActiveX Control Object, is vulnerable to a remote code execution exploit. Visiting an infected web site with IE on Windows XP or 2003 allows the attacker to run arbitrary code.

LINKS:
  DOE-CIRC BULLETIN: http://www.doecirc.energy.gov/bulletins/t-178.shtml
  OTHER LINKS:
    ISC: http://isc.sans.org/diary.html?storyid=6739
    SecurityFocus: http://www.securityfocus.com/bid/35585/discuss
    Microsoft: http://www.microsoft.com/technet/security/advisory/972890.mspx
  CVE: CVE-2008-0020

IMPACT ASSESSMENT: This risk is high. Exploit code is being shared on the Internet and it is estimated that already thousands of web sites have been infected with code that exploits this vulnerability. Administrators are strongly urged to implement workarounds until a patch is released.

[***** Start CVE-2008-0020 *****]
Description:
This is variously being described as a 0-day vulnerability in IE (SANS), in Windows XP/2003 (Security Focus), in MS DirectShow, MS MPEG2TuneRequest, or MsVidCtl.dll. Msvidctl.dll hosts a number of ActiveX components that MS says are not meant to be used with IE. At least one of these, MPEG2TuneRequest, is vulnerable to remote code execution.
A user browsing an infected site with IE on Windows XP or Windows 2003 can be infected with no other interaction. SANS reports that thousands of newly compromised web sites are already being used to compromise systems via this vector.

Solution: There is no patch available at this time.

Workaround: Because attacks are already widespread, Microsoft recommends that this entire class of ActiveX objects be disabled by setting the kill bit as explained in their advisory: http://www.microsoft.com/technet/security/advisory/972890.mspx. This can be done through group policy. MS also recommends that the kill bits be set for Vista and Windows 2008 as a precaution, though they are known not to be vulnerable to this particular exploit.

Microsoft has also provided a web link that will set the kill bits at 
http://support.microsoft.com/kb/972890.

SANS also has a list of domains currently exploiting this vulnerability at
http://isc.sans.org/diary.html?storyid=6739. Administrators should consider blacklisting these domains.

[***** End CVE-2008-0020 *****]

DOE-CIRC services are available to DOE, DOE Contractors, and the NIH. DOE-CIRC can be contacted at:
    Voice:          866-941-2472
    E-mail:          doecirc@doecirc.energy.gov
    World Wide Web:  http://www.doecirc.energy.gov


UCRL-MI-119788