How to rate a Security Event?

Russ Cooper
July 9th, 2009

Today we published a notification to our security customers advising them that the latest Microsoft vulnerability, discovered only after in-the-wild criminal attacks, should be treated as “Hot.” Hot is our term for something which needs to be addressed within seven days.

In June we published a similar advisory regarding the DirectShow vulnerability, also discovered only after in-the-wild criminal attacks, wherein we advised the issue as “Important.” Important means to take action within thirty days.

Both issues were discovered only after in-the-wild criminal attacks, so why would we rate them differently?

The answer is actually fairly simple. The exploitation in-the-wild of this latest issue can be mitigated by simply setting the killbits for the control. It is extremely unlikely that people are using the control with Internet Explorer as its host application. While it doesn’t eliminate the vulnerability, it does block the most likely attack vector today and in the near future. So why wait to deploy such a mitigation? It could be pushed out by Group Policy Object, login scripts, or a number of other easy-to-deploy methods.

The earlier issue requires a patch, unfortunately, or you risk breaking functionality more widely deployed.

This latest issue is yet another example of why our policy of “Default Deny” should be employed when possible. It is possible to create a default deny environment in IE by using the Administrator Approval of ActiveX Controls features. We’re not suggesting this is trivial, but even if you allowed virtually all instantiated controls, msvidctl.dll would not have been one of them until the exploit appeared. Ergo, you’d have been protected ahead of time.

Cheers,
Russ
