About Me

Ravi Balupari

Ravi Balupari

Read More

Feeds & Podcasts

Blogs

Meet the Bloggers

Archive

Tags

#SecChat $1 million guarantee 12 Scams of Christmas access to live fraud resolution agents Acquisition Alex Thurber Android antivirus Apple botnet Channel Partners cloud security Compliance Consumer counter identity theft credit card fraud and protection credit fraud alerts credit monitoring credit monitoring and resolution critical infrastructure Cyber Security Mom cyberbullying Cybercrime cybermom data breach data center data center security Data Protection Dave DeWalt DLP Email & Web Security embedded encryption Endpoint Protection enterprise facebook fake anti-virus software Family Safety Friday Security Highlights global threat intelligence google government Hacktivism how to talk to kids how to talk to teens identity fraud identity fraud scams identity protection identity protection $1 million guarantee identity protection fraud identity protection surveillance identity surveillance identity theft identity theft expert identity theft fraud identity theft protection identity theft protection product Identity thieves and cybercriminals intel iphone kids online behavior lost wallet protection malware McAfee McAfee Channel McAfee Family Protection McAfee Identity Protection McAfee Initiative to Fight Cybercrime McAfee Labs McAfee security products Mid-Market Mobile mobile malware mobile security monitor credit and personal information Network Security online personal data protection online safety Operation Aurora PCI personal identity theft fraud personal information loss personal information protection phishing privacy proactive identity protection proactive identity surveillance Public Sector restore credit and personal identity Risk and Compliance scam scams scareware security smartphones social media social networking social networks spam Stuxnet twitter vulnerability Web 2.0 work with victim restore identity

McAfee Labs :

Network Security Defeats Microsoft Video ActiveX Exploit

Tuesday, July 7, 2009 at 3:28pm by Ravi Balupari
Ravi Balupari

As a follow-up to our two recent blogs, we want to provide some details for this zero-day exploit from the perspective of the McAfee Network Security Platform (formerly known as IntruShield).

Unlike traditional ActiveX exploits, in this case the Microsoft Video ActiveX controls are being used to load malicious image files and trigger the vulnerability. McAfee Network Security Platform detects this exploit attempt using the attack signature HTTP: Vulnerability in Microsoft Video ActiveX Control Could Allow Remote Code Execution. At this point, we have seen active attempts in the wild trying to exploit this vulnerability. Figure 1, below, shows one such attempt as viewed on the Alert Viewer and Figure 2, bottom, shows the corresponding packet capture from the evidence report.

Exploit Attempt Alert
Figure 1. Exploit attempt alert

Packet Capture from Evidence Report
Figure 2. Packet capture from evidence report

Microsoft Security Advisory 972890 says customers can set the kill bit for a bunch of Class Identifiers. Any attempt to use these Class Identifiers for exploitation can be detected using the audit signatures HTTP: Potential Harmful Microsoft Video ActiveX Control I, HTTP: Potential Harmful Microsoft Video ActiveX Control II, and HTTP: Potential Harmful Microsoft Video ActiveX Control III.

All of the attack signatures described above were released on July 6 in the following network security signature sets.
”¢Â 5.1.22.14
”¢Â 4.1.52.14

Bookmark and Share

Submit your own comments / message for this post

Your email is never published nor shared. Required fields are marked *

 

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

Comments (0)