Potential cybercriminals have been found to be inserting a data-stealing Trojan onto PCs left vulnerable by a flaw in the Microsoft Video ActiveX Control, security experts have warned today.
The discovery, which was made yesterday by researchers in China and since confirmed by several authoritative security software vendors, enables remote code execution on targeted machines.
Finjan CTO Yuval Ben-Itzhak told us, “It stands as a zero-day attack until a patch is issued or a workaround is made, and it basically means that a hacker could take control of a remote PC by someone visiting a compromised web site.”
Some popular European music download and gaming sites are among those he said had already been be comprised. “It is low volume at present, but we expect to see it increase in the coming weeks,” he said.
In a Security Advisory produced yesterday Microsoft confirmed that a vulnerability in Microsoft Video ActiveX Control could indeed allow remote code execution. “An attacker who successfully exploited this vulnerability could gain the same user rights as the local user,” it said, adding that the company was aware of attacks attempting to exploit the vulnerability.
It said users could prevent the Microsoft Video ActiveX Control from running in Internet Explorer, either manually or automatically, and that the company is currently working to develop a security update for Windows to address the vulnerability.
Machines that are running Windows Vista or Windows Server 2008 are not affected because the ability to pass data to this control within Internet Explorer has been restricted.
Ben-Itzhak said that the case demonstrates the value of having security systems like Finjan’s own that are set up to monitor and detect changes in content behaviour, rather than scanning for malware signatures.
“Security products need to be able to block proactively, without any need for updates. Even when patch becomes available, it can take money and time to deploy.”
Finjan’s Vital Security Web Gateway had been able to detect the exploit and block this particular attack without prior knowledge of the specific technique, he added.