IE's new ActiveX vulnerability: drive-by exploiting msvidctl.dll
- TAGS:ActiveX, Internet Explorer, msvidctl.dll
- IT TOPICS:Cybercrime & Hacking, Desktop Applications, Internet, Windows & Microsoft
IE has a new ActiveX vulnerability, now being exploited by drive-by downloads: in msvidctl.dll. In IT Blogwatch, bloggers unpick fact from fiction.
By Richi Jennings: your humble blogwatcher, who selected these bloggy morsels for your enjoyment. Not to mention graphic design muppets...
Dan Goodin explains the problem:
Thousands of websites have been hit by fast-moving exploit code that installs a cocktail of nasty malware on visitors' computers by targeting a previously unknown vulnerability in some versions of Internet Explorer. The compromised websites link to a series of servers that exploit a zero-day vulnerability in an IE component that processes media. The vulnerability affects those using the XP and 2003 versions of Windows.
...
Today's Microsoft advisory offers a workaround users can take to safeguard against the vulnerability until a patch is released. It involves making changes to the Windows registry, a risky undertaking for those who aren't sure what they're doing. The easier fix is to stop using IE until there's a fix, at least for those who don't use apps that are dependent on the Microsoft browser.
Emil Protalinski offers an easier workaround:
The vulnerability could allow for an attacker to gain the same user rights as the local user. ... Code execution is remote and may not require any user intervention. The company also noted that it is currently working on a security update for Windows to address the flaw.
...
The workaround prevents the Video ActiveX Control from running in Internet Explorer, but it requires editing the registry. Thankfully, Microsoft has created a "Fix it for me" for this workaround, available at KB 972890. Just click the "Fix this problem" link and you're good to go. Microsoft claims that preventing the control from running in IE has no impact on application compatibility.
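What the registry workaround and the "Fix it" package actually do is set the ActiveX "kill bit" for each COM class that msvidctl.dll registers: a DWORD named Compatibility Flags with bit 0x400 set under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}, which makes IE refuse to instantiate that class. The PowerShell script below is an added example for scripted rollout, not code from the original post and not Microsoft's Fix it; it assumes (my assumption, not the advisory's) that the CLSIDs can be discovered by scanning HKCR\CLSID for InprocServer32 entries pointing at msvidctl.dll, and that on 64-bit Windows the 32-bit IE view under Wow6432Node needs the same change. Run it from an elevated prompt.

```powershell
# Added example (not from the original post or from Microsoft): apply the
# kill-bit workaround to every class served by msvidctl.dll, then verify it.
# Assumptions: CLSIDs are discovered from HKCR rather than taken from the
# advisory's published list (which remains the authoritative set), and both
# the native and Wow6432Node compatibility keys are written when present.

$KillBit = 0x400   # COMPAT_EVIL_DONT_LOAD: IE will not instantiate the class
$CompatKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
) | Where-Object { Test-Path -LiteralPath $_ }

function Get-ClsidsForDll {
    param([string]$DllName)
    # Walk HKCR\CLSID; a class is served by the DLL when its InprocServer32
    # default value names that file.
    Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $server = Get-ItemProperty -LiteralPath "$($_.PSPath)\InprocServer32" -ErrorAction SilentlyContinue
            if ($server -and ($server.'(default)' -like "*$DllName*")) { $_.PSChildName }
        }
}

function Set-KillBit {
    param([string]$Clsid)
    foreach ($base in $CompatKeys) {
        $key = Join-Path $base $Clsid
        if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
        $flags = (Get-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($null -eq $flags) { $flags = 0 }
        # OR the bit in so any compatibility flags already present survive.
        New-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' -PropertyType DWord `
            -Value ($flags -bor $KillBit) -Force | Out-Null
    }
}

function Test-KillBit {
    param([string]$Clsid)
    # True only if the bit is set in every applicable compatibility key.
    $ok = $true
    foreach ($base in $CompatKeys) {
        $key = Join-Path $base $Clsid
        $flags = (Get-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        if (($flags -band $KillBit) -ne $KillBit) { $ok = $false }
    }
    return $ok
}

$clsids = @(Get-ClsidsForDll 'msvidctl.dll')
if ($clsids.Count -eq 0) {
    Write-Warning 'No CLSIDs found for msvidctl.dll; fall back to the CLSID list in the advisory.'
}
foreach ($clsid in $clsids) {
    Set-KillBit $clsid
    '{0}  kill bit set: {1}' -f $clsid, (Test-KillBit $clsid)
}
```

Two caveats a practitioner should keep in mind. The kill bit is per CLSID, so a control that registers several classes is only neutralised when every one of them is flagged; the registry scan above is a convenience, and the CLSID list in Microsoft's advisory should be treated as the complete set. And because the bit is honoured only by IE's ActiveX loader, it does nothing for other hosts that might load the DLL, which is exactly why Microsoft framed this as a workaround rather than a fix.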
But Michael Horowitz hates Redmond's double-negativity:
Microsoft made a mistake regarding the registry zap. It might be a trivial mistake or it might be a huge one, I can't tell.
...
When you want to disable the buggy code, you download file MicrosoftFixit50287.msi. Disabling the buggy code is also referred to in the KB article as enabling the workaround. ... When you want to re-enable the buggy code (that is, disable the workaround), you download file MicrosoftFixit50288.msi. ... Simply put, the purpose of MicrosoftFixit50287.msi is to disable msvidctl.dll. Yet the properties of the file say that it does the exact opposite. Likewise, the properties of file MicrosoftFixit50288.msi also seem, to me at least, logically backwards.
...
No wonder IE is losing market share.
Microsoft's Christopher Budd speaks fluent Redmondese:
We have an investigation into this issue under way as part of our Software Security Incident Response Process (SSIRP) and are working to develop a security update to address the issue. ... There are no by-design uses for this ActiveX Control within Internet Explorer. Therefore, we’re recommending that all customers go ahead and implement the workaround.
...
We are also actively working with partners in the Microsoft Active Protections Program (MAPP) and the Microsoft Security Response Alliance (MSRA) program to provide information that they can use to provide broader protections to customers.
Dennis Fisher has more detail:
The attacks are using injected iFrames and redirecting users to the compromised sites, many of which appear to be in China. ... Following in the footsteps of the attackers who have been using SQL injection to compromise thousands of legitimate sites for the last year or so. The specific attack vector is different, but the idea is the same: compromise a large number of sites, attract vulnerable users and install your malware. This has proven to be a very lucrative and effective attack method of late, and has been used to push all sorts of malware. Attackers can install keyloggers, Trojans or whatever other programs they choose once they've exploited a given PC. That much hasn't changed. What has is the variety of vectors that attackers have at their disposal for these attacks. The number of sites that are vulnerable to SQL injection is incalculable, and many sites that are cleaned once are reinfected over and over.
Being British, Graham Cluley had a normal weekend:
One has to wonder if the hackers intentionally timed their attack to coincide with the USA's weekend of independence festivities. Is it possible that they were hoping many people would be caught off their guard by this?
So what's your take?
Get involved: leave a comment.
Previously in IT Blogwatch:
- Marc Andreessen starts $300 million VC fund with Ben Horowitz
- iPhone 3G/3GS overheating; hot Apple SMS security issues
- Usenet.com loses MP3 copyright lawsuit vs. RIAA
- Six of the best: June's IT Blogwatch
- Finally! Download Firefox 3.5 from Mozilla in 3... 2... 1...
Richi Jennings is an independent analyst/consultant, specializing in blogging, email, and spam. A 24 year, cross-functional IT veteran, he is also an analyst at Ferris Research. You can follow him as @richi on Twitter or richij on FriendFeed, pretend to be Richi's friend on Facebook, or just use good old email: itblogwatch@richij.com.