A highly critical vulnerability has been found in the Live Picture Corporation DirectTransform FlashPix ActiveX control included in the Microsoft DirectX Media SDK, which can be exploited by malicious people to compromise a vulnerable system. The vulnerability is caused due to a buffer overflow vulnerability in the "SourceUrl" property of Live Picture Corporation's DXSurface.LivePicture.FLashPix.1 ActiveX control (provided by DXTLIPI.DLL). Internet Explorer can be used as an attack vector for this vulnerability because the FlashPix ActiveX control is marked "Safe for Scripting".
This vulnerability can be exploited to cause a heap-based buffer overflow by assigning an overly long (greater than 1024 bytes) string to the affected property. Successful exploitation allows a remote, unauthenticated attacker to execute arbitrary code on the vulnerable system. Exploit code for this vulnerability exists and is publicly available. At this time there have been no reported incidences of this exploit from Purdue hosts.
*DirectX Media SDK version 6.0 including DXTLIPI.DLL version 18.104.22.1687
*Other versions of the DirectX Media SDK and applications that use the FlashPix ActiveX control may also be affected.
While there is currently no patch available the following workarounds exist:
* Disable the FlashPix ActiveX control in Internet Explorer -
The vulnerable ActiveX control can be disabled in Internet Explorer by setting the kill bit for
the following CLSID:
More information about how to set the kill bit is available in Microsoft Support Document 240797.
* Disable ActiveX -
Disabling ActiveX controls in the Internet Zone (or any zone used by an attacker) appears to
prevent exploitation of this and other ActiveX vulnerabilities. Instructions for disabling
ActiveX in the Internet Zone can be found in the "Securing Your Web Browser" document.
==FURTHER INFORMATION AND RESOURCES==
Secunia Advisory SA26426:
Microsoft Support Document 240797:
Securing Your Web Browser:
Posted by Nathan Heck on August 15, 2007, in Handlers Log.