Multiple Microsoft Video Control ActiveX Remote Code Execution Vulnerabilities

Notification Type: IBM Internet Security Systems Protection Advisory
Notification Date: July 06, 2009
Notification Version: 1.5
   
Name: Multiple Microsoft Video Control ActiveX Remote Code Execution Vulnerabilities
Public disclosure / In the wild date:

July 6, 2009 (public disclosure)
June 11, 2009 (first recorded public exploitation, CVE-2008-0015)

Aliases:

MS09-032 and MS09-037

CVE: CVE-2008-0015 and CVE-2008-0020
Description:

Multiple vulnerabilities were discovered in the Microsoft Video Controller ActiveX Library, MSVidCtl, which can result in reliable remote code execution.

One of these vulnerabilities, CVE-2008-0015, has been exploited in the wild since June 11, 2009 (as discovered by X-Force) and was touted by the media and by SANS as being exploited in the wild on July 6, 2009.

Discoverers:

The buffer overflow vulnerability (CVE-2008-0015) was researched by Ryan Smith and Alex Wheeler of IBM X-Force. The memory corruption vulnerability (CVE-2008-0020) was researched by Robert Freeman of IBM X-Force.

 

ISS Coverage

Product                              Content Version
Network Sensor 7.0                   29.060
Proventia A                          29.060
Proventia IPS (G/GX)                 29.060
Server Sensor 7.0                    29.060
Proventia Multifunction Appliance    29.060
Proventia Server (Linux)             29.060
Proventia Server (Windows)           2400
Proventia Desktop                    2400

Propagation Techniques   ISS Protection Available                    Available Since
remote exploit           Script_ATL_Stream_Load*                     Nov 11, 2008
                         HTML_ATLStream_BO*                          Nov 11, 2008
                         JavaScript_Obfuscation_Fre                  June 9, 2009
                         HTML_IE_ActiveX_Loader_Heap_Corruption*     June 9, 2009
related malware          Trojan.JS.PZQ (Proventia Desktop and Proventia ESC)

* The exploits that have been found in the wild (as of the publication date of this advisory) are obfuscated and, therefore, detected through one of our obfuscation signatures (JavaScript_Obfuscation_Fre).  Other obfuscation signatures may also apply to in-the-wild attack attempts.

Content Updates released on July 14, 2009 removed some false alarms flagged by JavaScript_Obfuscation_Fre and added the list of kill bits from the Microsoft Advisory (972890) to the HTML_IE_ActiveX_Loader_Heap_Corruption signature.  Customers that have not applied this update can use the instructions below to modify this signature to include the kill bits themselves:

The Script_ATL_Stream_Load and HTML_ATLStream_BO signatures are designed to catch unobfuscated attack attempts.

Customers can also add the ClassID that is currently being exploited (0955AC62-BF2E-4CBA-A2B9-A63F772D46CF) to the HTML_IE_ActiveX_Loader_Heap_Corruption signature to catch any unobfuscated exploit attempts by using the pam.content.clsid.activexloaderbo.blacklist='<clsid>' tuning parameter.  To add more than one ClassID (for example, all of the new killbits listed in the Microsoft Advisory - see References below), use:

pam.content.clsid.activexloaderbo.blacklist.1='<clsid>'
pam.content.clsid.activexloaderbo.blacklist.2='<clsid>'
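As an added illustration (not the ISS signature's own logic and not code from this advisory), the following Python scan does what a CLSID blacklist on the HTML_IE_ActiveX_Loader_Heap_Corruption signature is meant to do: flag a page that references a blacklisted CLSID in literal form, and pass one that does not. The blacklist holds the CLSID named in this advisory plus a labelled placeholder for the other kill-bit CLSIDs from Microsoft Advisory 972890, which this page does not reproduce; the three sample pages are constructed. The third sample shows the limitation the advisory notes: when the CLSID never appears literally, a literal scan reports nothing, which is why the obfuscation signatures carry the in-the-wild detections.

```python
import re

# Constructed blacklist: the CLSID named in this advisory plus a labelled
# placeholder standing in for the other kill-bit CLSIDs from Microsoft
# Advisory 972890 (not reproduced on this page).
BLACKLIST = {
    "0955AC62-BF2E-4CBA-A2B9-A63F772D46CF",  # MSVidCtl, from the advisory
    "00000000-0000-0000-0000-000000000000",  # PLACEHOLDER: replace with real kill-bit CLSIDs
}

# A CLSID literal as it appears in an <object classid="clsid:..."> attribute
# or in brace form {...}. Case-insensitive, as Internet Explorer accepts either case.
CLSID_RE = re.compile(
    r"(?:clsid:|\{)\s*"
    r"([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})",
    re.IGNORECASE,
)


def find_blacklisted_clsids(page):
    """Return the set of blacklisted CLSIDs literally referenced in page text."""
    hits = set()
    for match in CLSID_RE.finditer(page):
        clsid = match.group(1).upper()   # normalise before comparing
        if clsid in BLACKLIST:
            hits.add(clsid)
    return hits


def classify(page):
    """Verdict string for a page: BLOCK with the CLSIDs seen, or PASS."""
    hits = find_blacklisted_clsids(page)
    if hits:
        return "BLOCK: " + ", ".join(sorted(hits))
    return "PASS"


# Constructed sample: an unobfuscated page loading the control via <object>.
SAMPLE_UNOBFUSCATED = """<html><body>
<object classid="clsid:0955AC62-BF2E-4CBA-A2B9-A63F772D46CF" id="vid"></object>
</body></html>"""

# Constructed sample: a benign page embedding an unrelated control
# (the Adobe Flash Player CLSID), which must not be flagged.
SAMPLE_BENIGN = """<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000"></object>"""

# Constructed sample: the CLSID is only assembled at run time from fragments,
# so no literal CLSID is present and a literal blacklist scan reports nothing.
SAMPLE_OBFUSCATED = """<script>
var a = "0955AC62-", b = "BF2E-4CBA-A2B9-A63F772D46CF";
</script>"""


if __name__ == "__main__":
    for name, page in [("unobfuscated", SAMPLE_UNOBFUSCATED),
                       ("benign", SAMPLE_BENIGN),
                       ("obfuscated", SAMPLE_OBFUSCATED)]:
        print(f"{name}: {classify(page)}")
```

The scan is a plain-text match, which is exactly the coverage the advisory attributes to the blacklist: good for unobfuscated attempts, blind to anything that never writes the CLSID out literally.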

Detailed Description

Business Impact:

Plug-ins, like this ActiveX control, are one of the top targets of malicious web exploit toolkit developers.  These web exploit toolkits now account for nearly all browser-related exploits seen in the wild.  The exploitation of this ActiveX control provides the attacker with the privileges of the end user, which could allow complete control over the targeted endpoint.

This ActiveX control is installed by default on Microsoft XP SP 0 through SP 3.  In addition to Internet Explorer, this control may also be loaded through WordPad and Microsoft Office.

CVSS:
  Base Score: 9.3
    Access Vector: Network
    Access Complexity: Medium
    Authentication: None
    Confidentiality Impact: Complete
    Integrity Impact: Complete
    Availability Impact: Complete
  Adjusted Temporal Score: 8.8
    Exploitability: High
    Remediation Level: Workaround
    Report Confidence: Confirmed
Affected Products: For a full list of affected versions, see references below.
Technical Description:

Multiple vulnerabilities were discovered in the Microsoft Video Controller ActiveX Library, MSVidCtl, which can result in reliable remote code execution.

These vulnerabilities pertain to both buffer overflows and memory corruption.  CVE-2008-0015 is presently being exploited in the wild.

Remediation:

A patch that sets the kill bit for these vulnerable controls was made available on July 14, 2009, and an update (MS09-037) was made available on August 11, 2009.  See References for details.

References

XFDB: http://xforce.iss.net/xforce/xfdb/40693
Microsoft: http://www.microsoft.com/technet/security/Bulletin/MS09-037.mspx
           http://www.microsoft.com/technet/security/Bulletin/MS09-032.mspx
           http://www.microsoft.com/technet/security/advisory/972890.mspx
SANS: http://isc.sans.org/diary.html?storyid=6733

Revision History

1.0 Initial publication.
1.1 Added reference to SANS and additional detail about public exploitation.
1.2 Added more detailed protection information.
1.3 Added more protection information.
1.4 Added the MS09-032 reference, patch information, and information about the Content Updates released on July 14, 2009 to address this issue.
1.5 Added MS09-037 reference, updated remediation, aliases, and added Script_ATL_Stream_Load signature to coverage section.

* According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall IBM be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

About IBM Security Systems

IBM Security Systems include an extensive portfolio of hardware, software solutions, professional and managed services offerings covering the spectrum of IT and business security risks: people and identity, data and information, application and process, network, server and endpoint and physical infrastructure, empowering clients to innovate and operate their businesses on the most secure infrastructure platforms. Through world-class solutions that address risk across the enterprise, IBM helps organizations build a strong security posture that helps reduce costs, improve service, and manage risk. IBM X-Force(R) Research and Development is one of the most renowned commercial security research and development groups in the world. For more information on how to address today's biggest risks, please visit us at ibm.com/security.