Microsoft Warns of New Zero-day Bug for XP

Microsoft is warning users worldwide to take immediate steps to protect themselves from a new zero-day vulnerability that’s already under attack, particularly in Asia.

The bad news is that it primarily affects Windows XP, the most installed version of Windows on the planet, as well as Windows Server 2003. Later versions of Windows are not affected. Neither is Windows 2000 Service Pack 4.

Meanwhile, Microsoft is already working on a patch to fix the hole, located in a component of Microsoft’s DirectShow technology, and will release it as soon as the patch passes quality tests, a Microsoft Security Advisory said. Given the severity of the problem, Microsoft is likely to rush out the patch when it’s ready.

According to the SANS Institute’s Internet Storm Center (ISC), the attack code has been posted on multiple hacker Web sites in China — and because it’s already public, the ISC also published the code on its own site.

Despite working on the patch, Microsoft’s Security Advisory does not view the hole with the same level of urgency as the ISC.

“We are aware of attacks attempting to exploit the vulnerability,” the advisory said.

In contrast, the ISC quotes Danish IT firm CSIS Security Group as saying the attacks are already widespread, especially in China.

“A zero-day exploit within [a] component of Microsoft DirectShow is actively being exploited through drive-by attacks using thousands of newly compromised Web sites, according to CSIS,” the ISC site said.

Besides the patch, however, Microsoft has also posted a workaround that will protect affected systems while users wait for the fixed code.

The problem lies in the Microsoft Video ActiveX Control, according to Microsoft’s advisory. Although the control was designed to enable streaming video, the company says that disabling it not only closes the hole in the short term but also does not affect the functioning of other applications.

“Microsoft confirmed that they are not aware of any side effects from disabling the vulnerable ActiveX control,” a company spokesperson said in an e-mail to

What the workaround does is to set the so-called “kill bit” for the affected ActiveX control in the Windows registry. Microsoft has posted instructions for implementing the workaround.

Alternately, Microsoft has also set up a Web page where non-technical users can have the workaround implemented for them automatically. The same page contains a button for undoing the workaround.
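To show what “setting the kill bit” and undoing it actually do in the registry, here is an added PowerShell example; it is not from the article, from Microsoft’s instructions or from the Fix it page. The CLSID used is a placeholder, since the article does not give the real identifiers of the Microsoft Video ActiveX Control; the registry path and the 0x400 kill-bit flag are the documented Internet Explorer mechanism.

```powershell
# Added example: set, check and clear the ActiveX "kill bit" for one control.
# The CLSID below is a PLACEHOLDER, not the real CLSID of the vulnerable control;
# the actual identifiers are listed in Microsoft's advisory, not in this article.
$Clsid   = '{00000000-0000-0000-0000-000000000000}'   # placeholder CLSID
$KillBit = 0x400                                      # COMPATFLAG_KILL_BIT
$KeyPath = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
$Name    = 'Compatibility Flags'                      # REG_DWORD read by Internet Explorer

function Get-CompatFlags {
    param([string]$Path)
    # Current flags for the control, or 0 when the key or value does not exist.
    $props = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $props) { return 0 }
    return [int]$props.$Name
}

function Test-KillBit {
    param([string]$Path)
    # True when the kill bit is present, so IE refuses to instantiate the control.
    return (((Get-CompatFlags -Path $Path) -band $KillBit) -ne 0)
}

function Set-KillBit {
    param([string]$Path)
    # Create the per-CLSID key if needed and OR the kill bit into existing flags,
    # so any other compatibility flags already set for the control are preserved.
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    $flags = (Get-CompatFlags -Path $Path) -bor $KillBit
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $flags -Force | Out-Null
}

function Clear-KillBit {
    param([string]$Path)
    # Undo: strip only the kill bit (the equivalent of the advisory's "undo" option).
    if (-not (Test-Path $Path)) { return }
    $flags = (Get-CompatFlags -Path $Path) -band (-bnot $KillBit)
    Set-ItemProperty -Path $Path -Name $Name -Value $flags
}

# Requires an elevated (Administrator) session because the key lives under HKLM.
Set-KillBit -Path $KeyPath
"Kill bit set for ${Clsid}: $(Test-KillBit -Path $KeyPath)"
```

On 64-bit Windows the same key also exists under `HKLM:\SOFTWARE\Wow6432Node\...` for 32-bit Internet Explorer, so a complete workaround sets both.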

Microsoft has not given a date for when the patch will be available. Its next planned “Patch Tuesday,” the one day per month when it issues security fixes, is next week on July 14. Microsoft may have the fix ready by then or issue the fix separately.
