Windows XP, older IE users at risk from Microsoft ActiveX Control flaw

If you’re still using Windows XP and haven’t moved up to the latest version of Internet Explorer, your system could be at risk of being hacked because of an as-yet-unpatched flaw in the Microsoft Video ActiveX Control, according to security researchers.

Thousands of Web sites are believed to have been compromised to host exploit code for the vulnerability, which lets cyber criminals drop a data-stealing Trojan onto a victim’s machine, according to Yuval Ben-Itzhak, chief technology officer at Finjan Software Inc., a provider of Web security products headquartered in San Jose, Calif.

“The attack, which has already been spotted in the wild, enables remote code execution (RCE) on the target machine,” said Itzhak.

The vulnerability lies in the Microsoft Video ActiveX Control, the object that connects to the Microsoft DirectShow filters used for capturing, recording and playing video.

Microsoft’s ActiveX technology allows Web sites to load and run native code components (controls) on a PC through the user’s browser. Cyber criminals are now using that capability to distribute malicious code.

The exploit is triggered remotely, with no action required from the user beyond loading the page. Using the vulnerability, an attacker could gain the same user rights as the machine’s local user, Itzhak said.

Once in control of the victim’s computer, cyber criminals can easily install key loggers and other tools to lift valuable information such as logon credentials and passwords, credit card and other online transaction details, or sensitive corporate data, the Finjan executive warned.

Symantec Corp. has so far recorded only limited in-the-wild attacks, but new developments indicate the flaw is now being exploited more widely in China and other parts of Asia, according to Dean Turner, director of the global intelligence network at the Cupertino, Calif.-based security firm.

Turner said it’s still too early to determine just how many have fallen victim to the exploit. “But many anecdotal accounts lead us to believe that thousands of sites – some legitimate – could be infected,” he said.

Malicious URLs were found injected into compromised Web sites; visitors to those sites are then redirected to drive-by download servers, Turner said.

“Basically, Windows XP machines using older versions of the Internet Explorer browser — such as IE5, IE6 and IE7 — are vulnerable,” he said.

With many private and business users dragging their feet on Vista adoption and scores of users holding on to Windows XP, Turner said the number of potential victims could be tremendous.

How to prevent an attack

The Symantec executive said his firm learned about the exploit on July 1.

On Monday, Microsoft issued a security advisory warning users about the vulnerability. Microsoft Security Advisory 972890 also gives users a workaround to mitigate the effects of an attack exploiting the flaw.

Microsoft said customers using Windows Vista or Windows Server 2008 are not affected because the ability to pass data to this control within Internet Explorer has been restricted on those systems. By default, Internet Explorer on Windows Server 2003 and 2008 runs in a restricted mode known as Enhanced Security Configuration, which also mitigates the issue, the advisory said.

Users can prevent the Microsoft Video ActiveX Control from running in Internet Explorer either manually, by following the instructions in the advisory’s workaround section, or automatically, by applying the solution in Microsoft Knowledge Base Article 972890. Either way the workaround sets the ActiveX “kill bit” for the control’s class identifiers, so Internet Explorer refuses to instantiate the control; it does not remove the vulnerable component itself, so a patch is still needed.

In an attack scenario, the attacker first has to get the user to a Web page that hosts the exploit, for instance by persuading the user to click a link in an e-mail or Instant Messenger message, or by injecting a redirect into a legitimate site the user already visits.

“Users whose accounts are configured to have fewer user rights on the system could be less affected than those who operate with administrative user rights,” the Microsoft advisory stated.

Itzhak of Finjan said users can protect themselves from the latest zero-day attacks by installing real-time code analysis tools, such as those available to users of Finjan’s Vital Security Web Gateway. “Since the attack uses trusted Web sites, a reputation-based anti-virus tool is useless.”

According to Itzhak, a real-time code analysis tool essentially determines threat potential by querying the code about its role. “Based on feedback from the code, the tool then decides whether the code is a threat or not.”

Turner of Symantec also suggests the following precautions:

  • Disabling ActiveX controls on your machine until Microsoft releases a patch
  • Disabling execution of JavaScript (active scripting) in the browser
  • Avoiding visits to questionable sites
  • Keeping antivirus definitions up to date
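The two registry-level measures described above, the advisory’s kill-bit workaround for the control and the blanket disabling of ActiveX and active scripting in Internet Explorer’s Internet Zone, as an added PowerShell example. This script is not part of the article and is not Microsoft’s or Symantec’s code. It assumes the documented kill-bit layout (DWORD “Compatibility Flags” = 0x400 under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}) and the Internet Zone URL actions 1200 (Run ActiveX controls and plug-ins) and 1400 (Active scripting), where 3 means Disable. The CLSID in the parameter default is a placeholder, not one of the control’s real identifiers; substitute the class identifiers listed in Microsoft Security Advisory 972890. Run it from an elevated PowerShell prompt.

```powershell
<#
  Added example, not from the article, Microsoft or Symantec.
  Sets the ActiveX kill bit for each CLSID given, verifies it, and optionally
  disables ActiveX and active scripting in the Internet Zone for the current user.

  Assumptions (not taken from the article):
   - Kill bit: DWORD "Compatibility Flags" = 0x400 under
     HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}
   - Internet Zone (zone 3) actions: 1200 = Run ActiveX controls and plug-ins,
     1400 = Active scripting; value 3 = Disable
   - The default CLSID below is a placeholder; use the CLSIDs from Advisory 972890.
#>
param(
    [string[]]$Clsids = @('{00000000-0000-0000-0000-000000000000}'),  # placeholder CLSID
    [switch]$HardenInternetZone
)

$KillBit     = 0x400
$CompatBases = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility')
# 32-bit IE on 64-bit Windows reads the WOW6432Node view, so set the bit there as well.
if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer') {
    $CompatBases += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
}

# Accept only a well-formed {8-4-4-4-12} hex CLSID so a typo cannot create a stray key.
function Test-Clsid([string]$Clsid) {
    return $Clsid -match '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'
}

# Current Compatibility Flags for a CLSID, or 0 if the key or value is absent.
function Get-CompatFlags([string]$Base, [string]$Clsid) {
    $key = Join-Path $Base $Clsid
    if (-not (Test-Path $key)) { return 0 }
    $v = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $v) { return 0 }
    return [int]$v
}

function Set-KillBit([string]$Base, [string]$Clsid) {
    if (-not (Test-Clsid $Clsid)) { throw "Not a CLSID: $Clsid" }
    $key = Join-Path $Base $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # OR the kill bit into whatever flags already exist instead of overwriting them.
    $flags = (Get-CompatFlags $Base $Clsid) -bor $KillBit
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $flags -Type DWord
}

function Test-KillBit([string]$Base, [string]$Clsid) {
    return ((Get-CompatFlags $Base $Clsid) -band $KillBit) -eq $KillBit
}

foreach ($clsid in $Clsids) {
    foreach ($base in $CompatBases) {
        Set-KillBit $base $clsid
        $state = if (Test-KillBit $base $clsid) { 'kill bit set' } else { 'FAILED' }
        Write-Host ('{0}  {1}  {2}' -f $clsid, $base, $state)
    }
}

if ($HardenInternetZone) {
    # Per-user (HKCU) setting. For a machine-wide policy write the same values under
    # HKLM with Security_HKLM_only enabled, or push them through Group Policy.
    $zone = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
    foreach ($action in '1200', '1400') {
        Set-ItemProperty -Path $zone -Name $action -Value 3 -Type DWord
    }
    Write-Host 'Internet Zone: ActiveX controls and active scripting disabled for this user.'
}
```

Windows XP did not ship with PowerShell, so on the systems the article is about the same registry writes are normally done with reg.exe or by importing a .reg file, which is what the advisory’s manual workaround amounts to. Two caveats worth keeping in mind: the kill bit only stops Internet Explorer from instantiating the control and leaves the vulnerable component on disk, so the patch must still be applied when Microsoft ships it; and disabling ActiveX and scripting in the Internet Zone will break legitimate sites, so treat it as a temporary measure rather than a permanent configuration.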