Tuesday, July 7, 2009

DirectShow 0day in the wild

This DirectShow 0day is being exploited at a high rate; the current outbreak began last week. The attack relies on the media components that ship with Windows XP (Windows Media Player / DirectShow): a malicious page instantiates the vulnerable ActiveX control, which loads the attacker's media file, and the flaw is triggered while the file is processed.

This is a client-side (Internet Explorer) exploit: simply visiting a malicious site is enough to get infected, no user interaction beyond loading the page is needed.

Attack characteristics are as follows:
(I've found the code on http://**.****.cn website)

var appllaa='0';
myObject.classid='clsid:0955AC62-BF2E-4CBA-A2B9-A63F772D46CF';

The classid assignment is the part that matters: the CLSID 0955AC62-BF2E-4CBA-A2B9-A63F772D46CF identifies the vulnerable ActiveX control, and setting it on the object element is what makes Internet Explorer instantiate the control. This CLSID is the simplest indicator to search for in web content.
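The CLSID above is usable as a plain indicator. The following PowerShell function, an added example that is not part of the original post, searches saved web content (HTML and script files under a path of your choice; the path 'C:\cases\web-cache' is an assumption) for that CLSID, with or without braces or dashes and in either case, and reports the file and line of each hit. Exploit pages that assemble the GUID from string fragments at runtime will not be caught by a static search like this, so a miss is not proof of a clean file.

```powershell
# Added example, not code from the original post.
# CLSID of the vulnerable ActiveX control, as seen in the in-the-wild page.
$ExploitClsid = '0955AC62-BF2E-4CBA-A2B9-A63F772D46CF'

function Find-ExploitClsid {
    param(
        [Parameter(Mandatory)] [string] $Path,   # directory of saved web content (assumed layout)
        [string] $Clsid = $ExploitClsid
    )
    # Build a case-insensitive pattern that tolerates missing dashes and
    # optional braces; the "clsid:" prefix is deliberately not required,
    # because the GUID itself is the indicator.
    $pattern = '(?i)\{?' + ($Clsid -replace '-', '-?') + '\}?'

    Get-ChildItem -Path $Path -Recurse -Include *.htm, *.html, *.js, *.txt |
        Select-String -Pattern $pattern |
        ForEach-Object {
            [pscustomobject]@{
                File = $_.Path
                Line = $_.LineNumber
                Text = $_.Line.Trim()
            }
        }
}

# Example run over a directory of pages saved during an investigation (assumed path).
Find-ExploitClsid -Path 'C:\cases\web-cache' | Format-Table -AutoSize
```

Run it from a normal PowerShell prompt; no elevation is needed because it only reads files.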

Microsoft published an advisory today with workarounds for the issue, including setting the kill bit for the ActiveX control.

There is no patch yet. The known workaround is to set a "kill bit" in the registry for the ActiveX component, which stops Internet Explorer from instantiating the control at all, so the malicious page can no longer reach the vulnerable code.

1. Create the following key (save this as a .reg file and import it, or use Regedit):

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}]
"Compatibility Flags"=dword:00000400

2. If you create the key by hand, add a DWORD value named "Compatibility Flags" under it and set it to 400 hexadecimal (0x400, decimal 1024). This needs administrator rights, and Internet Explorer must be restarted for the change to take effect. On 64-bit Windows the 32-bit Internet Explorer reads the same key under HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\..., so set it there as well.
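To apply and verify the workaround from an elevated PowerShell prompt instead of importing a .reg file, the script below (an added example, not from the original post or from Microsoft's advisory) checks whether the kill bit is already set for the CLSID, sets it while preserving any other compatibility flags already present, and confirms the result. The function names Test-KillBit and Set-KillBit are my own.

```powershell
# Added example, not code from the original post. Run as administrator.
$Clsid   = '{0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}'
$KillBit = 0x400    # kill bit flag in "Compatibility Flags"
$KeyPath = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"

function Test-KillBit {
    param([string] $Path = $KeyPath)
    # Returns $true only if the value exists and the 0x400 bit is set.
    $item = Get-ItemProperty -Path $Path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if (-not $item) { return $false }
    return (($item.'Compatibility Flags' -band $KillBit) -eq $KillBit)
}

function Set-KillBit {
    param([string] $Path = $KeyPath)
    if (-not (Test-Path -Path $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }
    # OR the kill bit into whatever flags are already there instead of overwriting them.
    $existing = (Get-ItemProperty -Path $Path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    $value = [int]$existing -bor $KillBit
    New-ItemProperty -Path $Path -Name 'Compatibility Flags' -PropertyType DWord -Value $value -Force | Out-Null
}

if (-not (Test-KillBit)) {
    Set-KillBit
}
"Kill bit set for $Clsid : $(Test-KillBit)"
```

Restart Internet Explorer after running it. On 64-bit Windows, run the same two functions a second time with $KeyPath pointing at the Wow6432Node copy of the key so that 32-bit Internet Explorer is covered too.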