Plugin Spotlight: Vulnerability in Microsoft Video ActiveX Control
Browsing the web is increasingly hazardous, especially given the recently released vulnerabilities and associated exploits. It’s interesting how the vulnerabilities are being referred to as "remote". While they are remotely exploitable, there are differences in how they are executed. One form of remote exploit requires no user interaction. A process listens on a port and is exploited over the network without the end user having to perform any action. The ActiveX vulnerability referenced in this plugin is remote, but does require that the user have a web browser loaded and actually be browsing the web. The exploit can be embedded into different web pages and executed without the user's knowledge or interaction on that particular page. Exploits that are “remote” in this context, but require a user to perform an action, are called “context dependant” by several vulnerability databases. Tenable has developed a plugin to detect a vulnerability that can be exploited in this manner.
Microsoft reports that they are aware of attacks occurring that are attempting to exploit this vulnerability and has issued an advisory. The Microsoft advisory describes a workaround to use until a patch is available.
Nessus plugin 39622,Vulnerability in Microsoft Video ActiveX Control Could Allow Remote Code Execution (972890) checks for this vulnerability. It requires that you have credentials on the hosts that are being tested and checks that the appropriate workarounds and countermeasures have been put into place. Workarounds entail removing support for Class Identifiers (CLSID) associated with msvidctl.dll on Windows XP and Windows Server 2003. Plugin 39622 checks that this action has been taken on those platforms only. If "Thorough Tests" are enabled, Nessus will check extended class IDs. Following is the output of the plugin:
The plugin is available to both ProfessionalFeed and HomeFeed users as of July 7, 2009.
References
- CVE-2008-0015 Entry
- IE 0day exploit domains
- Microsoft Security Advisory: Vulnerability in Microsoft Video ActiveX control could allow remote code execution
- Poking around MSVIDCTL.DLL - An in-depth technical analysis of this vulnerability. Also provides evidence that just setting the kill bit on the Class Identifiers may not be enough to mitigate the problem.
Related Articles
Study: Tenable Offers Fastest, Broadest Coverage of CISA's KEV Catalog
October 23, 2023Tenable ranked first in multiple vulnerability management categories, including the most comprehensive coverage and quickest detection of CISA's Known Exploited Vulnerabilities, according to a Miercom report commissioned by Tenable.
Tuning Network Assessments for Performance and Resource Usage
September 13, 2022Using the correct tool for the job and optimizing scanner placement will have a large impact on scan efficiency with Nessus, Tenable.io and Tenable.sc.
Terrascan Joins the Nessus Community, Enabling Nessus To Validate Modern Cloud Infrastructures
May 17, 2022The addition of Terrascan to the Nessus family of products helps users better secure cloud native infrastructure by identifying misconfigurations, security weaknesses, and policy violations by scanning Infrastructure as Code repositories.
CloudImposer: Executing Code on Millions of Google Servers with a Single Malicious Package
September 16, 2024Tenable Research discovered a remote code execution (RCE) vulnerability in Google Cloud Platform (GCP) that is now fixed and that we dubbed CloudImposer. The vulnerability could have allowed an attacker to hijack an internal software dependency that Google pre-installs on each Google Cloud Composer pipeline-orchestration tool. Tenable Research also found risky guidance in GCP documentation that customers should be aware of.
Cybersecurity Snapshot: Russia-backed Hackers Aim at Critical Infrastructure Orgs, as Crypto Fraud Balloons
September 13, 2024Critical infrastructure operators must beware of Russian military hacking groups. Plus, cyber scammers are having a field day with crypto fraud. Meanwhile, AI and cloud vendors face stricter reporting regulations in the U.S. And get the latest on AI-model risk management and on cybersecurity understaffing!
Microsoft’s September 2024 Patch Tuesday Addresses 79 CVEs (CVE-2024-43491)
September 10, 2024Microsoft addresses 79 CVEs with seven critical vulnerabilities and four zero-day vulnerabilities, including three that were exploited in the wild.
- Nessus