Microsoft on Monday warned of a vulnerability in its Video ActiveX Control that could allow an attacker to take control of a PC if the user visits a malicious Web site.
There have been limited attacks exploiting the hole, which affects Windows XP and Windows Server 2003, Microsoft said on its Security Response Center blog.
This is the second DirectShow security hole Microsoft has announced in the past few months. The company has yet to provide a security update for a vulnerability announced in May that involves the way DirectX handles QuickTime files.
Since there are no by-design uses for the ActiveX Control within Internet Explorer, Microsoft is recommending that users implement a workaround outlined in the security advisory. Customers can automatically implement the workaround by following the instructions under "Fix It For Me" in the Knowledge Base article for advisory number 972890 on the Microsoft support site.
Even though Windows Vista and Windows Server 2008 are not affected by the vulnerability, Microsoft is recommending that users of those products also use the workaround.
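The advisory's workaround works by setting the Internet Explorer "kill bit" (Compatibility Flags = 0x400 under the ActiveX Compatibility registry key) for each CLSID of the control, which stops IE from instantiating it. The following PowerShell audit script is an added example, not code from the article or from Microsoft's Fix It package; it checks whether the kill bit is present for a list of CLSIDs so an administrator can confirm the workaround took effect. The CLSIDs in it are placeholders, since the article does not list them; the real list is in advisory 972890.

```powershell
# Added example: audit whether the IE kill bit is set for a list of ActiveX CLSIDs.
# The CLSIDs below are PLACEHOLDERS; the real list comes from Microsoft advisory 972890.
# Assumption: the workaround sets "Compatibility Flags" = 0x400 (the kill bit) under
# HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}.

$KillBit = 0x400
$ClsidsToCheck = @(
    '{00000000-0000-0000-0000-000000000001}',   # placeholder, not a real CLSID from the advisory
    '{00000000-0000-0000-0000-000000000002}'    # placeholder
)

function Test-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)

    $keys = @(
        "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid",
        # 32-bit IE on 64-bit Windows reads the WOW6432Node view; harmless to check on 32-bit
        "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    )
    $results = foreach ($key in $keys) {
        $flags = 0
        if (Test-Path $key) {
            $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            if ($null -ne $item.'Compatibility Flags') { $flags = [int]$item.'Compatibility Flags' }
        }
        # Report one row per registry view; KillBit is true only if bit 0x400 is set
        [pscustomobject]@{
            Clsid   = $Clsid
            Key     = $key
            Flags   = ('0x{0:X}' -f $flags)
            KillBit = (($flags -band $KillBit) -eq $KillBit)
        }
    }
    return $results
}

# Any row with KillBit = False means IE can still load that control
$report = $ClsidsToCheck | ForEach-Object { Test-ActiveXKillBit -Clsid $_ }
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.KillBit }) {
    Write-Warning 'At least one CLSID is not kill-bitted; apply the advisory workaround.'
}
```

Run it in an elevated PowerShell session after applying the Fix It; a missing key is reported the same as a present key without the 0x400 bit, because in both cases IE will still instantiate the control.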
Microsoft is working on a security update and will release it when the quality is at the appropriate level for broad distribution, the company said.
The Microsoft Video Control object is an ActiveX control that connects Microsoft DirectShow filters for use in capturing, recording, and playing video. The control is the main component used in Windows Media Center for building filter graphs for recording and playing television video.
When it is used in IE, the control can corrupt the system state in such a way that arbitrary code could be run by an attacker. If the user is logged in with administrative rights, the attacker could take complete control of the system.
Antivirus vendor Symantec said it was seeing the flaw being exploited in China and other parts of Asia and cited reports that indicate thousands of Web sites are hosting the exploit.
Internet Explorer versions 6 and 7 are at risk, but people running IE 8 are not vulnerable, Symantec said.