On July 14th, 2009 Microsoft released Microsoft Security Bulletin MS09-032 to address a remote code execution vulnerability in the Microsoft Video ActiveX Control (msvidctl.dll). Microsoft initially announced this vulnerability via Microsoft Security Advisory 972890. Cisco Security Intelligence Operations (SIO) released IPS Signature Updates S411 and S414, which contain signatures that detect attempts to exploit this vulnerability. Additional information about this and the other vulnerabilities in Microsoft’s Security Bulletin for July 2009 is available in the corresponding Cisco Event Response.
Analysis of IPS Network Participation data in the Cisco SensorBase Network confirms that this vulnerability is being exploited.
What is particularly noteworthy is that the attacker IP addresses have a bad Reputation score. There are two concepts mentioned above that I’d like to explain: Network Participation and Reputation. Both are components of Cisco Global Correlation and were introduced in IPS 7.0. Network Participation enables IPS devices to send data to the Cisco SensorBase Network; the data sent to SensorBase includes signature IDs, attacker ports and addresses, reputation score and risk rating. The second component, Reputation, provides an IPS with a probability that a given IP address is malicious based on its known previous activity. IPS devices interact with the Cisco SensorBase Network to send Network Participation data and to receive Reputation data. Global Correlation works hand in hand with both existing and new signatures. Specifically, these features allow us to verify that the IP addresses in the Microsoft DirectShow msvidctl.dll Code Execution signature alerts are known to be malicious and to confirm that an attack is underway.
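The correlation step described above, as an added illustration that is not Cisco's code: signature alerts are joined against a reputation table, alerts whose attacker address has a known-bad score are treated as confirmation, and each alert is also rendered as the kind of Network Participation record the text lists (signature ID, attacker address and port, reputation score, risk rating). The alert records, reputation scores, the signature ID string and the "negative score means known-bad" threshold are all constructed assumptions, not real SensorBase data or Cisco's actual scoring.

```python
# Constructed reputation table in a SensorBase-like style. Assumption:
# scores run from -10 (known malicious) to +10 (known good); None = unknown.
REPUTATION = {
    "198.51.100.7": -8.5,   # constructed: known-bad source
    "203.0.113.42": -6.0,   # constructed: known-bad source
    "192.0.2.10": 2.0,      # constructed: benign/unknown history
}

# Placeholder signature ID: the real Cisco ID is not on the page.
MSVIDCTL_SIG = "SIG-ID-PLACEHOLDER (Microsoft DirectShow msvidctl.dll Code Execution)"
OTHER_SIG = "SIG-ID-PLACEHOLDER (unrelated signature)"

# Constructed IPS alerts: signature ID, attacker address/port, risk rating.
ALERTS = [
    {"sig_id": MSVIDCTL_SIG, "attacker": "198.51.100.7", "port": 80, "risk_rating": 85},
    {"sig_id": MSVIDCTL_SIG, "attacker": "192.0.2.10", "port": 80, "risk_rating": 85},
    {"sig_id": OTHER_SIG, "attacker": "203.0.113.42", "port": 443, "risk_rating": 60},
]


def correlate(alerts, reputation, sig_id, bad_threshold=-3.0):
    """Split alerts for one signature into those whose attacker address has a
    known-bad reputation (confirmed) and those with a neutral/unknown one."""
    confirmed, unconfirmed = [], []
    for alert in alerts:
        if alert["sig_id"] != sig_id:
            continue
        score = reputation.get(alert["attacker"])  # None when SensorBase has no history
        entry = dict(alert, reputation=score)
        if score is not None and score <= bad_threshold:
            confirmed.append(entry)
        else:
            unconfirmed.append(entry)
    return confirmed, unconfirmed


def attack_underway(confirmed, min_sources=1):
    """Treat the signature as an active attack once enough distinct known-bad
    sources have triggered it (threshold is an assumed policy, not Cisco's)."""
    return len({e["attacker"] for e in confirmed}) >= min_sources


def participation_record(alert, reputation):
    """Build the Network Participation fields the text lists for one alert."""
    return {
        "signature_id": alert["sig_id"],
        "attacker_address": alert["attacker"],
        "attacker_port": alert["port"],
        "reputation_score": reputation.get(alert["attacker"]),
        "risk_rating": alert["risk_rating"],
    }
```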