Vulnerability in Microsoft Video ActiveX Control

Microsoft issued a warning about a flaw in the Microsoft Video ActiveX Control. This ActiveX control is used to capture, record and play video using DirectShow filters.

According to Microsoft, “An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. When using Internet Explorer, code execution is remote and may not require any user intervention.”

This flaw affects only Windows XP and Windows Server 2003 users. Windows Vista and Windows Server 2008 are not affected, but it is recommended to remove support for this ActiveX control within Internet Explorer on those systems as well, using the same Class Identifiers, as a defense-in-depth measure.

Microsoft warns that there are no by-design uses for this ActiveX control in Internet Explorer. This applies to all of the Class Identifiers within msvidctl.dll, the library that hosts the control.

When the Microsoft Video Control is used in Internet Explorer, the control can corrupt the system state in a way that lets an attacker run arbitrary code. If the user is logged on with administrative user rights, the attacker could take complete control of the system and then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts have restricted rights are less affected by the attack. To address this flaw, Microsoft has posted a workaround to use until a security update is available.
