A security advisory has been issued by Microsoft, confirming a privately reported vulnerability in Microsoft Video ActiveX Control.
The company acknowledged the attack on June 6, giving details of the affected systems and versions of Internet Explorer, along with workarounds.
Microsoft says that users running IE6 or IE7 on Windows XP and Windows Server 2003 are vulnerable to the drive-by attacks, while users of Windows Vista and Server 2008 and those running IE8 are not at risk.
The Issue
According to Microsoft, an attacker who successfully exploited the vulnerability in Microsoft Video ActiveX Control could gain the same user rights as the local user. When using Internet Explorer, code execution is remote and may not require any user intervention. Our investigation has shown that there are no by-design uses for this ActiveX Control in Internet Explorer which includes all of the Class Identifiers within the msvidctl.dll that hosts this ActiveX Control.
Microsoft Recommends
Microsoft says that users running IE6 or IE7 on Windows XP and Windows Server 2003 are vulnerable to the drive-by attacks; a workaround for this is available here.
Users of Windows Vista and Server 2008 and those running IE8, who are not at risk, are also advised to remove support for this ActiveX Control within Internet Explorer using the same Class Identifiers, as a defense-in-depth measure.