TechNewsWorld.com
Exploits & Vulnerabilities

ActiveX Shark Stalks IE Surfers


Microsoft has warned Web surfers using Internet Explorer on XP or Server 2003 systems of a security hole rooted in ActiveX. A visit to a malicious Web page could result in hackers gaining access to a user's entire PC. Microsoft is urging users to implement a fix it provided and to avoid visiting fishy Web sites.


Microsoft (Nasdaq: MSFT) has warned Web surfers that an unused ActiveX control in Internet Explorer could let hackers launch malicious code on the user's system if it's running an older OS like Windows XP or Windows Server 2003.

Hackers have reportedly already begun exploiting the vulnerability, and security experts predict the attacks could get worse.

Microsoft has posted a fix for the problem online.

About the ActiveX Flaw

The flaw resides in the Microsoft Video ActiveX Control, which connects Microsoft DirectShow filters for use in capturing, recording and playing video. This control is the main component Microsoft Windows Media Center uses to build filter graphs for recording and playing video.

The exploit gives attackers the same user rights as the local user, Microsoft said in Security Advisory 972890, issued on Monday.

Properly organized, an attack through this doorway could be very dangerous indeed.

"If you're logged in as an ordinary user, the attacker gets your privileges; but if you're logged in as the system administrator, the attacker gets all your system administrator privileges," Marc Fossi, a Symantec (Nasdaq: SYMC) research and development manager, told TechNewsWorld.

The control is hosted within the file msvidctl.dll.

So, what does this bit of software do when it's not serving as an attack vector? Not much, according to Christopher Budd, security response communications lead for Microsoft.

"Our investigation has shown that there are no by-design uses for this ActiveX Control within Internet Explorer," he told TechNewsWorld.

Discovery of the flaw is being credited to Ryan Smith and Alex Wheeler of IBM's (NYSE: IBM) ISS X-Force Hustle Labs.

Solving the Problem

While the flaw only affects IE on corporate and personal versions of Windows XP and on Windows Server 2003, Microsoft suggested that Windows Vista and Windows Server 2008 customers should also implement the workaround.

The workaround consists of deleting the MPEG2TuneRequest ActiveX Control Object.

"During the investigation, we identified that none of the ActiveX Control Objects hosted by msvidctl.dll are meant to be used in IE," Microsoft's Chengyun Chi wrote on the company's Security Research & Defense blog. "Therefore we recommend to kill-bit all of these controls."

Side effects are minimal, he said, and Randy Abrams, director of technical education at security vendor ESET, agreed.

"The side effects can't be worse than being hit by the exploit," he told TechNewsWorld. "We know the ActiveX Control flaw is being exploited, and every bad guy in the world already knows how to exploit it."
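The kill-bit workaround above works by setting the Compatibility Flags value (0x400, the kill bit) under IE's ActiveX Compatibility registry key for each CLSID. As an added example, not Microsoft's Fix it or code from the advisory, the following Python helper writes those entries as a .reg file for deployment and audits an exported .reg to confirm the bit is present; the CLSIDs in it are placeholders standing in for the list in Advisory 972890.

```python
"""Generate and audit Internet Explorer kill-bit registry entries.

Added example (not Microsoft's Fix it). The CLSIDs are placeholders;
substitute the list from Security Advisory 972890. A control whose
'Compatibility Flags' value has 0x400 set cannot be instantiated by IE.
"""
import re

KILLBIT = 0x400
KEY_PATHS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility",
    # 32-bit IE on 64-bit Windows reads the Wow6432Node view of the key.
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility",
)
# Constructed placeholders, not the real msvidctl.dll CLSIDs.
PLACEHOLDER_CLSIDS = [
    "{00000000-0000-0000-0000-000000000001}",
    "{00000000-0000-0000-0000-000000000002}",
]


def killbit_reg(clsids):
    """Return .reg text that sets the kill bit for each CLSID in both key views."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for clsid in clsids:
        for base in KEY_PATHS:
            lines += [f"[{base}\\{clsid}]",
                      f'"Compatibility Flags"=dword:{KILLBIT:08x}', ""]
    return "\n".join(lines)


_SECTION = re.compile(r"^\[(.+)\]$")
_FLAGS = re.compile(r'^"Compatibility Flags"=dword:([0-9a-fA-F]{8})$')


def audit_reg_export(reg_text, clsids):
    """Parse an exported .reg of the keys above and return the (key path, CLSID)
    pairs whose Compatibility Flags value lacks the kill bit."""
    flags, current = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if (m := _SECTION.match(line)):
            current = m.group(1).lower()
        elif current and (m := _FLAGS.match(line)):
            flags[current] = int(m.group(1), 16)
    return [(base, clsid) for clsid in clsids for base in KEY_PATHS
            if not flags.get(f"{base}\\{clsid}".lower(), 0) & KILLBIT]
```

Run the audit against `reg export` output from a patched machine; an empty result means every listed control is blocked in both the native and Wow6432Node views.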

About the Attacks

Using this exploit, hackers can launch their attack remotely. PC users can unwittingly be loaded up with malware simply by visiting a malicious Web site -- not necessarily by clicking on any links once there.

In fact, hackers can hijack pages on legitimate Web sites and redirect visitors to a malicious site that will load the malware onto their PCs, Symantec's Fossi said. They typically modify the HTML code on the legitimate Web site so that it contains an iframe that redirects users to the malicious site they control.

An iframe, short for inline frame, places one HTML document in a frame inside another HTML document. Since the frames can be very small, this attack is very difficult to detect and protect against, and it is a favorite of malware authors.
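One way a site owner or responder can hunt for the injected frames Fossi describes, as an added example rather than anything from the article: scan a page's HTML for iframes that are both off-site and tiny or hidden. The sample page and hostnames are constructed.

```python
"""Flag injected iframes of the kind described above: a frame that is tiny or
hidden and whose src points off the legitimate site. Added example, not code
from the article or any vendor; the HTML and hostnames are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

SITE_HOST = "legit-shop.example"  # host the page is served from (constructed)

# Constructed page: a normal same-site frame and one injected 1x1 frame.
SAMPLE_HTML = """
<html><body><h1>Welcome</h1>
<iframe src="https://legit-shop.example/widget" width="300" height="200"></iframe>
<p>Latest news</p>
<iframe src="http://redirector.example/x.html" width="1" height="1"
        style="display: none"></iframe>
</body></html>
"""
_TINY = re.compile(r"^\s*[01](px)?\s*$", re.I)  # width/height of 0 or 1


def _hidden_style(style):
    s = (style or "").replace(" ", "").lower()
    return any(k in s for k in ("display:none", "visibility:hidden", "width:0", "height:0"))


class IframeScanner(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        src = a.get("src") or ""
        host = (urlparse(src).hostname or "").lower()
        offsite = bool(host) and host != self.site_host
        tiny = any(_TINY.match(a.get(k) or "") for k in ("width", "height"))
        if offsite and (tiny or _hidden_style(a.get("style"))):
            self.findings.append({"line": self.getpos()[0], "src": src})


def find_injected_iframes(html, site_host):
    """Return the suspicious iframes found in html, each with its line and src."""
    scanner = IframeScanner(site_host)
    scanner.feed(html)
    return scanner.findings
```

Frames pushed off-screen with large negative offsets or hidden by a parent element slip past this check, so treat a clean result as partial and compare the page against a known-good copy.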

The malicious sites often load multiple malware packages onto their victims' PCs. These can include information stealers that spy on the user's credentials, including online banking passwords and credit card information, Fossi said.

Other nasty bits may include JS/exploit.cve-2008-0015, a common vulnerability dating back to 2008, ESET's Abrams said.

Hackers often use and reuse any malware that works, and some of it has been floating around for several years.

Another piece of malware is a variant of Win 32/autorun.killav.a, Abrams said. This shuts down the antivirus software on an infected PC.

More About the Attacks

Currently, the most activity connected to this vulnerability is occurring on Web sites in China, ESET's Abrams said, with several hundred domains having been registered there to exploit it.

That could change at any time.

"The bad guys want to make money, and the people in Brazil doing banking Trojans will begin getting on it, and the guys in Europe and the U.S. will soon jump on the bandwagon," Abrams said. "This is open source software for hackers -- it's all free."

Still, he said, the attacks are relatively unsophisticated.

"It seems the people that released the attacks were not as professional as we're used to dealing with, so they're downloading stuff a lot of antivirus products already detect," Abrams said.

However, that, too, could soon change.

"I'd be really shocked if we didn't see this being used in conjunction with fake antivirus software packages as well," Abrams said. "The real danger is if someone combines that exploit with exploits that they know get by antivirus software."

Fake antivirus software packages, also known as "scareware," have become such a nuisance that Microsoft has teamed up with the attorney general of the state of Washington to crack down on it.

Social Networking and Other Dangers

Social networking sites have always been a soft target and a favorite of cybercriminals, and Abrams expects the ActiveX Control exploiters to involve them next.

"If it hasn't happened already, you'll soon see tweets and Facebook and MySpace messages with links that take you to infected Web sites, and you click on the messages, and bam! You're hit," he said.

"Users have to go to Microsoft's support site and fix the vulnerability," he urged.


By Richard Adhikari