Microsoft warns and fixes vulnerability in ActiveX control without use

Posted

Redmond (WA) – Microsoft said it is “is investigating a privately reported vulnerability in Microsoft Video ActiveX Control” that could allow an attacker to gain the same user rights as a local user on your Windows PC. What makes this security issue especially interesting that it aims at a component Microsoft apparently had no idea still exists.

The company said that there are “no by-design uses for this ActiveX Control in Internet Explorer which includes all of the Class Identifiers within the msvidctl.dll that hosts this ActiveX Control.” According to a security advisory, only Windows XP and Windows Server 2003 systems are affected. Windows Vista and Windows Server 2008 are not affected, but Microsoft nevertheless recommends removing support for this specific control within Internet Explorer “as a defense-in-depth measure”.

According to security reports, the vulnerability is already exploited. When using Internet Explorer (instead of other software that links to a website taking advantage of this control, such as a link within an Outlook email), code execution is remote and may not require any user intervention, Microsoft said.

Microsoft has published a workaround for the vulnerability, which requires using the Windows Registry Editor to set a kill bit for 45 different Class Identifiers (CLSIDs). If you have some time on hand and you would like to do that yourself, you can do ahead using the instructions posted on the web. A more elaborate version is laid out by BetaNews. Or, you can simply use Microsoft’s Fixit feature to do it automatically.