Tuesday, Jul 07, 2009

A Year Old Zero Day

When first investigating the zero day vulnerability in Microsoft DirectShow over the weekend, signs pointed to CVE-2008-0015, which was a placeholder for an undisclosed vulnerability. Thinking there was no way such a serious flaw could have been left unpatched for well over a year, I made the assumption that surely the flaw must be the one described in the far more recent CVE-2009-1537 and posted accordingly.

Boy was I wrong.

It later became clear that the exploit was in a different component of Microsoft DirectShow (the MSVidCtl ActiveX control in Microsoft DirectShow and not the more recent quartz.dll flaw in DirectShow). In other words, the vulnerability had been reported to Microsoft over a year ago, a placeholder CVE number had been established, but no patch had ever been released. Kelly Jackson Higgins of Dark Reading leads an interesting discussion of the delayed response to this serious vulnerability.

The Dark Reading article also notes that, "A few security vendors today announced their products can now detect the malware being used in the attacks, including Finjan, Zscaler, Sophos, and F-Secure."

Fortunately for ScanSafe customers, we detected and blocked the attacks from the onset, without requiring special updates, thus none of our customers were left waiting for protection.
