ITSS-Advisory : Medium : Microsoft : ActiveX control : Potentially unauthenticated remote code execution
THREAT LEVEL
============
Medium
INFORMATION
===========
Product: Microsoft video streaming ActiveX control
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution: Mitigation
AFFECTED PLATFORMS
==================
Operating System: Windows
ACTION
======
A patch for this vulnerability is not available from the Vendor. In order to protect systems, review the Mitigation practices below.
MITIGATION
==========
Currently there is no patch to correct this issue.
IT-Security recommends advising users to use alternative web browsers when accessing multi-media websites and not to use MS Internet Explorer.
Possible Workaround: Registry fix
You can set the killbit to mitigate this vulnerability [1] or download and execute the Vendor-released MSI [2].
To set the killbit manually, save the included text below as a .REG file and import it into your registry.
--- BEGIN INCLUDED TEXT ---
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}]
"Compatibility Flags"=dword:00000400
--- END INCLUDED TEXT ---
An MSI [2] is now available to set the killbit automatically.
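To confirm the workaround took effect, the following added example (not part of the Vendor's or IT-Security's material) reads back the value from the .REG text above and checks that the 0x400 kill bit is set. The Wow6432Node path, which covers 32-bit Internet Explorer on 64-bit Windows, is an addition not listed in this advisory, and the function name Test-KillBit is illustrative.

```powershell
# Added example: audit whether the kill bit from this advisory is in place.
$Clsid   = '{0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}'   # CLSID from the .REG text above
$KillBit = 0x400                                       # "Compatibility Flags"=dword:00000400

# Native registry view, plus the 32-bit view (assumption: added here, not in the advisory).
$Roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Test-KillBit {
    param([string]$Root, [string]$Clsid)

    $key    = Join-Path $Root $Clsid
    $result = [pscustomobject]@{ Key = $key; Flags = $null; KillBitSet = $false }

    # A missing key means the control has no compatibility entry at all.
    if (-not (Test-Path -LiteralPath $key)) { return $result }

    $item = Get-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -ne $item) {
        $flags = $item.'Compatibility Flags'
        $result.Flags = '0x{0:X8}' -f $flags
        # Other flag bits may be present; only bit 0x400 matters here.
        $result.KillBitSet = (($flags -band $KillBit) -eq $KillBit)
    }
    return $result
}

# Skip roots that do not exist (for example Wow6432Node on 32-bit Windows).
$report = @($Roots |
    Where-Object { Test-Path -LiteralPath $_ } |
    ForEach-Object { Test-KillBit -Root $_ -Clsid $Clsid })

$report | Format-Table -AutoSize

if ($report.KillBitSet -contains $false) {
    Write-Warning "Kill bit for $Clsid is missing in at least one registry view."
    exit 1
}
```

A non-zero exit code lets the script be used as a compliance check from a software-deployment or login-script framework.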
REFERENCES
==========
[1] How to stop an ActiveX control from running in Internet Explorer
http://support.microsoft.com/kb/240797
[2] New vulnerability in MPEG2TuneRequest ActiveX Control Object in msvidctl.dll
http://go.microsoft.com/?linkid=9672398
Administrators of affected computer systems are advised to review the
bulletins, test and apply relevant mitigation strategies and updates.