Zero Day Attack Targets Internet Explorer Users

A zero day vulnerability exploiting the DirectShow ActiveX object of Microsoft’s Internet Explorer (IE) has been targeting Windows XP and 2003 users through compromised websites.

The exploit code for the previously unknown vulnerability seems to originate from a series of servers mostly located in China, which redirects IE users from thousands of legitimate websites to ones containing a variety of harmful malware.

Microsoft said late yesterday in an advisory that it was aware of attempting to exploit the vulnerability. “An attacker who successfully exploited this vulnerability could gain the same user rights as the local user,” it stated. “When using Internet Explorer, code execution is remote and may not require any user intervention.”

It also said that while it was working to patch the exploit, IE7, Windows Server 2008 and Vista users were not affected, due to the fact that ActiveX objects are restricted by default.

Many security researchers have given the vulnerability the highest security rating. Haowei Ren and Geok Meng Ong said in their McAfee Avert Labs blog that the web exploit tool toolkit also sends a “cocktail of exploits,” including XMLhttp.d, RealPlay.a, BBar and MS06-014, as well as the zero-day MSDirectShow.b.

“Each of these exploits targets a different application that could be vulnerable – IE6 and 7, DirectShow ActiveX, RealPlayer, Baidu Toolbar, that can be accessed via the IE browser,” wrote the researchers.

Microsoft said, as a temporary fix, users could prevent the Microsoft Video ActiveX Control from running in Internet Explorer, either manually or automatically using the solution detailed in a Microsoft Knowledge Base article, with no impact to application compatibility.