The MsVidCtl 0day has been passed around and fully distributed since at least the 6th. We have been monitoring multiple groups abusing Internet Explorer’s capability to render streaming video.
Some of the fairly recent and interesting activity has been the exploit writers’ javascript evasion techniques, splitting what was one page of javascript into 10 files, one for each line of javascript, and rendering some pattern matching solutions useless. This sort of attack would be most effective against the most performance sensitive security layers, like network based ones, and some other fairly unsophisticated client side solutions.
The payloads vary, from adware to social network credential stealing. ThreatFire has been preventing the exploit within the community from the start. We anxiously await a hotfix, something past the killbit workaround. Georg Wicherski points out that the vulnerability is a trivial one, in which the attacker can abuse the SEH handler. But really the current heap spray attack code that we have seen is reliable and less effort to implement with the spray. What has worked in the past will continue to be put out in prevalence!
In the meantime, your information is safe and protected against observed and unknown exploits attacking this vulnerability with ThreatFire.
