Microsoft Video ActiveX Control Vulnerability

Original release date: July 06, 2009
Last revised: July 15, 2009
Source: US-CERT

Systems Affected

• Microsoft Windows XP
• Microsoft Windows Server 2003

Overview

A vulnerability in a Microsoft ActiveX control may allow an attacker to take control of your computer.

Solution

Apply Updates

Microsoft has released an update to address this issue. See Microsoft Security Bulletin MS09-032 for more details.

Apply workarounds

There is not currently a fix for this vulnerability, but there are steps you can take to minimize risk.

• Use the Fix It wizard for this vulnerability on Microsoft's Help and Support website.
• Disable ActiveX by following the instructions in the Securing Your Web Browser document.
• Upgrade to Internet Explorer 7 or later, which can help mitigate the vulnerability with its ActiveX opt-in feature.

Microsoft has provided additional, more technical workarounds for this vulnerability in Security Advisory (972890).

Description

In Security Advisory (972890), Microsoft describes a vulnerability in the Microsoft Video ActiveX control. An attacker could exploit this vulnerability by convincing a user to access a specially crafted website or HTML email message.

This vulnerability is not a risk if you are using Windows Vista.

References

• Securing Your Web Browser - <http://www.us-cert.gov/reading_room/securing_browser/>
• Microsoft Security Advisory (972890) - <http://www.microsoft.com/technet/security/advisory/972890.mspx>
• Microsoft Security Bulletin - <http://www.microsoft.com/technet/security/Bulletin/MS09-032.mspx>

---

Feedback can be directed to US-CERT.

---

Produced 2009 by US-CERT, a government organization. Terms of use

Revision History

July 06, 2009: Initial release
July 15, 2009: Updated Solution section with MS09-032