Another 0-day was released in-the-wild targeting Microsoft Internet Explorer. The bug is inside msvidctl.dll when working with media file (*.gif have been used in the wild exploitation). Below is the in-the-wild exploit analyzed by us (we modified the shellcode to %uxcccc).

Figure 1.0 showed the exception handler is executed and will pointing to our jump address (0c0c0c0c).

Figure 2.0 show the shellcode (xcc) been executed.

Figure 2.0

It’s not really a common stack overflow bug. Please read excellent vulnerability analysis done by websense here.

We released the advisory and workaround (yes, with pictures) on how to do the ‘kill-bit’ thing for this particular CLSID.