Microsoft is warning its users of a currently unpatched hole in the ActiveX video streaming functionality of DirectShow. According to CNet, the vulnerability is already seeing "limited attacks" and can result in arbitrary code execution under the privilege of the currently logged-in user when a malicious website is visited.
This marks the second major security breach in DirectShow in the past month, and as the issue affects both consumer-level and enterprise-grade Windows installations it will once again cause system administrators to wonder why something so clearly desktop-oriented as DirectShow is installed by default in Windows Server 2003.
The report on Microsoft's Security Response blog indicates that both Windows XP and Windows Server 2003 are affected – although changes in the way Windows Vista and Windows 7 operate mean that the issue is avoided. Describing the affected ActiveX control as having no "by-design uses" – which raises the question of why it's there in the first place – Microsoft's current advice is to set the kill bits, which will prevent the ActiveX control from being loaded pending an official patch.
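As an added illustration of the kill-bit workaround (this is not code from the article, nor Microsoft's own "Fix it"), the PowerShell below sets the kill bit for a control and then audits that it took effect. A kill bit is the 0x400 flag in the "Compatibility Flags" value under Internet Explorer's "ActiveX Compatibility" registry key, which makes IE refuse to instantiate the control. The CLSID used here is a placeholder: the article does not give the affected control's identifier, so take it from Microsoft's advisory. The script must run from an elevated prompt.

```powershell
# Added example, not from the article. Sets and verifies an ActiveX kill bit.
# PLACEHOLDER CLSID: replace with the CLSID Microsoft's advisory names.
$Clsid   = '{00000000-0000-0000-0000-000000000000}'
$KillBit = 0x400   # KILLBIT flag in "Compatibility Flags"

# Native key, plus the WOW6432Node key that 32-bit IE reads on 64-bit Windows.
$BasePaths = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Set-ActiveXKillBit {
    param([string]$Clsid)
    foreach ($base in $BasePaths) {
        if (-not (Test-Path $base)) { continue }   # WOW6432Node absent on 32-bit
        $key = Join-Path $base $Clsid
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        $current = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                    -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($null -eq $current) { $current = 0 }
        # OR the flag in so any compatibility flags already present survive.
        Set-ItemProperty -Path $key -Name 'Compatibility Flags' `
            -Value ($current -bor $KillBit) -Type DWord
    }
}

function Test-ActiveXKillBit {
    param([string]$Clsid)
    foreach ($base in $BasePaths) {
        if (-not (Test-Path $base)) { continue }
        $key   = Join-Path $base $Clsid
        $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                  -ErrorAction SilentlyContinue).'Compatibility Flags'
        $set   = ($null -ne $flags) -and (($flags -band $KillBit) -ne 0)
        New-Object PSObject -Property @{ Path = $key; KillBitSet = $set }
    }
}

Set-ActiveXKillBit  -Clsid $Clsid
Test-ActiveXKillBit -Clsid $Clsid | Format-Table Path, KillBitSet -AutoSize
```

Running the audit function alone across a fleet is a quick way to confirm the workaround has been applied everywhere before the official patch ships; a row showing KillBitSet as False on a machine that should be covered is the thing to chase.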
Perhaps the more interesting way to obviate risk from this latest vulnerability is to upgrade to Internet Explorer 8: reports state that only IE6 and IE7 are affected.
Do you believe that Microsoft needs to seriously investigate why it's installing vulnerable end-user technologies such as DirectShow onto a server operating system, or are you just pleased that the company has quickly identified a work-around? Share your thoughts over in the forums.