Microsoft DirectShow Exploit
This exploit involves drive-by attacks originating from thousands of newly-compromised Websites. These Websites transfer malware to the victim computer through a vulnerable DLL in Microsoft DirectShow video streaming software. Exploit code is currently available in the wild and there is no patch available at the time of this writing.
Attack Details
This attack affects the following operating systems:
- Windows XP Service Pack 2 and Windows XP Service Pack 3
- Windows XP Professional x64 Edition Service Pack 2
- Windows Server 2003 Service Pack 2
- Windows Server 2003 x64 Edition Service Pack 2
- Windows Server 2003 with SP2 for Itanium-based Systems
The attack works in the following way:
- The user visits (or is redirected to) either a legitimate Website that has been infected or an entirely malicious Website. In either case, the Website hosts a JavaScript file and a data file that together allow the attacker to exploit the vulnerability in Microsoft DirectShow.
- Computers running an affected OS and IE browser version with the DirectShow ActiveX plug-in (msvidctl.dll) registered receive a malicious payload via drive-by download. (This drive-by is undetectable to the user.)
The malicious payload allows the attacker to gain the same user rights as the local user. Such rights give the attacker a range of abilities such as downloading more malicious programs, redirecting a victim’s Web searches, and intercepting information that the user types or keeps on the computer.
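Because the drive-by reaches the machine through the msvidctl.dll ActiveX control, a defender's first question is whether that control is registered on a given host and whether Internet Explorer has been told not to instantiate it. The PowerShell audit below is an added example, not Check Point's code and not from the advisory: it enumerates every CLSID whose InprocServer32 points at msvidctl.dll and reports whether the IE kill bit (the 0x400 "Compatibility Flags" value under the ActiveX Compatibility key) is set for each. It assumes it runs with administrative rights and reads the native registry view; on the x64 editions listed above the Wow6432Node keys hold the 32-bit IE registrations and should be audited too.

```powershell
# Added example (not from the advisory): find ActiveX controls served by
# msvidctl.dll and check whether IE's kill bit is set for each of them.
# Assumptions: run as Administrator; native registry view only (see lead-in).

$dllName    = 'msvidctl.dll'
$clsidRoot  = 'HKLM:\SOFTWARE\Classes\CLSID'
$compatRoot = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$killBit    = 0x400   # Compatibility Flags bit that blocks instantiation in IE

function Get-ClsidsForDll {
    param([string]$Name)
    # Walk the CLSID hive and keep entries whose InprocServer32 default value
    # ends with the DLL of interest (paths may carry %SystemRoot% or be absolute).
    Get-ChildItem -Path $clsidRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $serverKey = $_.PSPath + '\InprocServer32'
        $server = Get-ItemProperty -Path $serverKey -ErrorAction SilentlyContinue
        if ($server -and $server.'(default)' -and ($server.'(default)' -like "*$Name")) {
            [pscustomobject]@{ Clsid = $_.PSChildName; Server = $server.'(default)' }
        }
    }
}

function Test-KillBit {
    param([string]$Clsid)
    # The kill bit lives in a per-CLSID subkey of the ActiveX Compatibility key.
    $props = Get-ItemProperty -Path (Join-Path $compatRoot $Clsid) -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $false }
    $flags = $props.'Compatibility Flags'
    return ($null -ne $flags) -and (($flags -band $killBit) -eq $killBit)
}

$controls = @(Get-ClsidsForDll -Name $dllName)
if ($controls.Count -eq 0) {
    Write-Output "No CLSIDs registered for $dllName on this host."
    return
}

foreach ($c in $controls) {
    $status = if (Test-KillBit -Clsid $c.Clsid) { 'kill bit SET' } else { 'kill bit MISSING' }
    Write-Output ('{0}  {1}  {2}' -f $c.Clsid, $status, $c.Server)
}
```

Any line reporting "kill bit MISSING" identifies a control that IE will still load from a Web page; together with the OS list above, that is the condition under which the drive-by described here can succeed, so those hosts are the ones to prioritise for vendor updates or the IPS and browser-virtualization protections described below.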
Protection Details
At the time of this writing no patch is available from Microsoft. Check Point offers immediate protection for both its enterprise and consumer customers:
Enterprise
Check Point’s IPS offerings protect against this attack by detecting and blocking attempts to instantiate the specific ActiveX components involved. This protection is immediately available for SmartDefense and the new IPS Software Blade. See CPAI-2009-190.
Consumer
ZoneAlarm Extreme Security and ZoneAlarm ForceField (both with browser virtualization enabled) will stop infected sites from being able to silently download malicious programs onto the victim computer.
The antivirus protection in ZoneAlarm Antivirus, ZoneAlarm Security Suite and ZoneAlarm Extreme Security will detect and remove the drive-by downloads known to be emanating from this attack as of this writing. Customers should ensure they have the latest updates.