Today, Microsoft published Security Advisory 972890: "Vulnerability in Microsoft Video ActiveX Control Could Allow Remote Code Execution".
Although not reflected in the advisory (as of writing), the bug was discovered and reported by Ryan Smith of Hustle Labs. Ryan was due to announce the type confusion bug (use of incompatible pointer types) at Black Hat in Las Vegas later this month.
Quoting from the MS advisory:
"Microsoft is investigating a privately reported vulnerability in Microsoft Video ActiveX Control. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. When using Internet Explorer, code execution is remote and may not require any user intervention. We are aware of attacks attempting to exploit the vulnerability."
Note 3 key points in the above quote:
- The bug was reported privately.
- Remote, unauthenticated code execution.
- Reports of exploitation in the wild.
The advisory goes on to state that Windows XP and Windows 2003 are vulnerable.
This all roughly translates as "the bulk of Corporate America and a significant portion of home users are remotely exploitable".
Over the weekend, reports were emerging of drive-by download attacks. The SANS Internet Storm Center states:
"A 0-day exploit within the msVidCtl component of Microsoft DirectShow is actively being exploited through drive-by attacks using thousands of newly compromised web sites, according to CSIS. The code has been published in the public domain via a number of Chinese web sites."
From the CSIS report, it would appear the AV industry knew of the issue last week.
So when did Microsoft first know about the bug?
Microsoft haven't provided a full disclosure timeline information as yet but check out the assigned CVE number included in the "Overview" section of the advisory...
CVE-2008-0015. The '0015' sequence number is highly suggestive an early 2008 notification.
I normally "talk up" the security achievements of Microsoft. There is no question they've made major inroads since the dark days of IIS/4. There will be always be the "Microsoft Haters", but I don't count myself in that group. But this? This was an Independence day present to Incident Responders across the globe that was entirely avoidable.
Dear Microsoft, how long did you sit on this and how does this sit with protecting your customers?