Wednesday, July 8, 2009

Microsoft issues rare security warning

Hackers are launching attacks against an unpatched vulnerability in the Microsoft Video ActiveX Control

Microsoft has released an out-of-band security advisory and is investigating active attacks targeting a vulnerability in the Microsoft Video ActiveX Control that could allow an attacker to take complete control of a system. The news is already making headlines across the information security world.

An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. When using Internet Explorer, code execution is remote and may not require any user intervention. At this stage, no security patch has been made available by Microsoft.

In the advisory, Microsoft describes a workaround as a setting or configuration change that does not correct the underlying vulnerability but helps block known attack vectors until the update can be applied. Microsoft has tested the following workaround and states in its discussion whether it reduces functionality:

• Prevent Microsoft Video ActiveX Control from running in Internet Explorer, by setting the kill bit for the control's class identifiers so that Internet Explorer refuses to instantiate it. See Microsoft Knowledge Base Article 972890 for the list of affected CLSIDs and for the automated "Fix it" that applies this workaround.
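The following is an added example of how that workaround is applied by hand; it is not code from the original post and not Microsoft's own "Fix it" package. It uses the standard Internet Explorer kill-bit mechanism (the `Compatibility Flags` value under `ActiveX Compatibility`), and it assumes you will supply the CLSID list from KB 972890: the all-zero GUID below is a placeholder, not a real CLSID, and the function names `Set-ActiveXKillBit` and `Test-ActiveXKillBit` are this example's own.

```powershell
# Added example, not from the original post or from Microsoft's KB 972890 "Fix it".
# Sets the Internet Explorer kill bit for a list of ActiveX CLSIDs so that IE
# refuses to instantiate them. That is the mechanism behind the advisory's
# workaround for the Microsoft Video ActiveX Control.
# The CLSID list must come from KB 972890; the all-zero GUID used below is an
# ASSUMED placeholder, not a real CLSID. Run from an elevated PowerShell session.

$KillBitRoot = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$KillBitFlag = 0x400   # bit in "Compatibility Flags" that IE treats as the kill bit

function Set-ActiveXKillBit {
    param([Parameter(Mandatory)][string[]]$Clsid)
    foreach ($id in $Clsid) {
        $key = Join-Path $KillBitRoot $id
        if (-not (Test-Path $key)) {
            New-Item -Path $key -Force | Out-Null
        }
        # Keep any flags that are already present and only OR in the kill bit.
        $existing = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                        -ErrorAction SilentlyContinue).'Compatibility Flags'
        $new = [int]$existing -bor $KillBitFlag
        Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $new -Type DWord
    }
}

function Test-ActiveXKillBit {
    # Reports, per CLSID, whether the kill bit is currently set.
    param([Parameter(Mandatory)][string[]]$Clsid)
    foreach ($id in $Clsid) {
        $key = Join-Path $KillBitRoot $id
        $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                     -ErrorAction SilentlyContinue).'Compatibility Flags'
        [pscustomobject]@{
            Clsid   = $id
            KillBit = [bool]([int]$flags -band $KillBitFlag)
        }
    }
}

# Usage: replace the placeholder with the CLSIDs listed in KB 972890.
$clsids = @('{00000000-0000-0000-0000-000000000000}')   # placeholder, assumed
Set-ActiveXKillBit  -Clsid $clsids
Test-ActiveXKillBit -Clsid $clsids | Format-Table -AutoSize
```

Two caveats a practitioner will want: on 64-bit Windows the 32-bit Internet Explorer reads the same path under `HKLM:\SOFTWARE\Wow6432Node\...`, so the kill bit needs to be set there as well; and the kill bit only stops Internet Explorer from creating the control. The vulnerable code stays on disk and is unchanged, which is exactly why Microsoft calls this a workaround rather than a fix.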

The popular IT news website eWeek has already confirmed that:

"Hackers are launching attacks against an unpatched vulnerability in the Microsoft Video ActiveX Control that could allow an attacker to take full control over the system. When using Internet Explorer, code execution is remote and requires no user interaction, Microsoft says."

See the eWeek report for the full story, and the Computerworld article arguing that Microsoft may have known about the critical IE bug for months.

The unpatched vulnerability in the Video ActiveX control that Microsoft has warned about was reported to the company in 2008, but one of the security researchers who found it refused to criticize Microsoft's response to the threat.

The bug was uncovered by researchers Alex Wheeler and Ryan Smith, who at the time both worked at IBM's ISS-X-Force. A Microsoft spokesperson said the company first learned of the vulnerability in 2008 and immediately began an investigation.
