
Attack alert
By Elinor Mills
Published: 7 July 2009 10:52 GMT
Microsoft on Monday warned of a vulnerability in its Video ActiveX Control that could allow an attacker to take control of a PC if the user visits a malicious website.
There have been limited attacks exploiting the hole, which affects Windows XP and Windows Server 2003, Microsoft said on its Security Response Center blog.
This is the second DirectShow security hole Microsoft has announced in the past few months. The company has yet to provide a security update for a vulnerability announced in May that involves the way DirectX handles QuickTime files.
Since there are no by-design uses for the ActiveX Control within Internet Explorer, Microsoft is recommending that users implement a workaround outlined in the security advisory. Customers can automatically implement the workaround by following the instructions under "Fix It For Me" in the Knowledge Base article for advisory number 972890 on the Microsoft support site.
Even though Windows Vista and Windows Server 2008 are not affected by the vulnerability, Microsoft is recommending that users of those products also use the workaround.
Microsoft is working on a security update and will release it when the quality is at the appropriate level for broad distribution, the company said.
The Microsoft Video Control object is an ActiveX control that connects Microsoft DirectShow filters for use in capturing, recording and playing video. The control is the main component used in Windows Media Center for building filter graphs for recording and playing television video.
When it is used in IE, the control can corrupt the system state in such a way that arbitrary code could be run by an attacker. If the user is logged in with administrative rights, the attacker could take complete control of the system.
Antivirus vendor Symantec said it was seeing the flaw being exploited in China and other parts of Asia and cited reports that indicate thousands of websites are hosting the exploit.
Internet Explorer versions 6 and 7 are at risk but people running IE 8 are not vulnerable, Symantec said.
Original article: Microsoft warns of hole in Video ActiveX control from CNET News.com