New vulnerability in MPEG2TuneRequest ActiveX Control Object in msvidctl.dll

We are aware of active attacks exploiting a remote code execution vulnerability in Microsoft’s MPEG2TuneRequest ActiveX Control Object. We have released advisory 972890 providing guidance to help our customers stay protected. In this blog post, we’d like to go into more detail to help you understand this issue.

What’s the attack vector? (i.e. How could a user be compromised?)

A browse-and-get-owned attack vector exists. A user needs to be lured to navigate to a malicious website or a compromised legitimate website to be affected. No further user interaction is needed.

By default, Outlook Express and Outlook open HTML e-mail messages in the Restricted sites zone. The Restricted sites zone helps reduce attacks that could try to exploit this vulnerability by preventing ActiveX controls from being used when reading HTML e-mail messages.

However, if a user clicks a link in an e-mail message, they could still be vulnerable to this issue through the Web-based attack scenario.

Which configurations are at risk?

As indicated in the advisory, Windows XP and Windows Server 2003 are affected. Please note while Window Server 2003 is listed as affected platform, Enhanced Security Configuration (ESC) in Windows Server 2003 can effectively mitigate the attack via IE from the Internet Zone.

How can I protect myself?

Kill-bit MPEG2TuneRequest ActiveX Control Object (CLSID 0955AC62-BF2E-4CBA-A2B9-A63F772D46CF) is the workaround we recommend to mitigate the current attack in the wild.

Why we recommend to kill-bit several other ActiveX Control Objects in msvidctl.dll as well?

During the investigation, we identified that none of the ActiveX Control Objects hosted by msvidctl.dll are meant to be used in IE. Therefore, we recommend to kill-bit all of these controls as a defense-in-depth practice, as stated in Advisory 972890. The side effect is minimal.

As mentioned in the advisory, we are also providing a way to apply this workaround automatically. You can click the button below to set the kill-bit on this control.

Click Here To Kill-Bit MSVidCtl

Please visit Microsoft Knowledge Base Article 972890 for more information.

Chengyun Chu, MSRC Engineering