CVE-2008-0015
Published 2009-07-07
CVE-2008-0015: Stack-based buffer overflow in the CComVariant::ReadFromStream function in the Active Template Library (ATL), as used in the MPEG2TuneRequest ActiveX control…
Priority: P1 (90) · Severity: high · CVSS 3.1 base score: 8.8
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability (due 2026-03-10)
Exploited in the wild
EPSS: 76.65% (99.5th percentile)
Stack-based buffer overflow in the CComVariant::ReadFromStream function in the Active Template Library (ATL), as used in the MPEG2TuneRequest ActiveX control in msvidctl.dll in DirectShow, in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, Vista Gold, SP1, and SP2, and Server 2008 Gold and SP2 allows remote attackers to execute arbitrary code via a crafted web page, as exploited in the wild in July 2009, aka "Microsoft Video ActiveX Control Vulnerability."
Detection & IOCs (extracted from sources)
Byte sequence (malicious header of the crafted GIF; see the first item below):
\x00\x03\x00\x00\x11\x20\x34\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
- Exploit delivers a specially crafted GIF file to trigger the buffer overflow; detect HTTP responses serving a GIF with the malicious header byte sequence to browsers loading the MPEG2TuneRequest ActiveX object.
- Exploit targets the BDATuner.MPEG2TuneRequest ActiveX control instantiated in a browser page; monitor for instantiation of any of the 12 working CLSIDs associated with msvidctl.dll in web content.
- Original in-the-wild exploitation was observed via drive-by attacks through compromised Chinese web sites; treat web traffic loading msvidctl.dll CLSIDs from untrusted domains as high-priority alerts.
- Nessus plugin 39622 checks that kill-bit workarounds for msvidctl.dll CLSIDs have been applied on Windows XP and Server 2003; use this as a compliance/detection check.
- Heap spray uses 0x0C0C0C0C as the return address; memory forensics or crash analysis showing EIP/RET pointing to 0x0C0C0C0C is indicative of this exploit.
- Payload bad characters are \x00\x09\x0a\x0d and quotes/backslash; shellcode in exploit traffic will avoid these bytes, which can help tune shellcode-detection signatures.
- The Metasploit module randomizes the ClassID used from the 12 working CLSIDs unless overridden via the advanced 'ClassID' option; detection rules must cover all 12 working CLSIDs, not just one.
- Setting the kill bit on the CLSIDs may not be sufficient mitigation; an in-depth analysis of msvidctl.dll suggests the kill-bit workaround alone may not fully mitigate the problem.
- Nessus plugin 39622 only checks kill-bit status on Windows XP and Windows Server 2003; extended class ID checks require 'Thorough Tests' to be enabled.
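The content-level indicators in the list above (the crafted-stream header, instantiation of the control by CLSID or ProgID, the 0x0C0C0C0C heap spray, and the requirement to match every msvidctl.dll CLSID rather than one) can be turned into a small scanner. The following Python is an added example written for this page; it is not code from the page, from the Metasploit module, or from any vendor. Assumptions: the list of msvidctl.dll CLSIDs is supplied by the caller, because the 12 CLSIDs are not reproduced on this page (the all-zero CLSID in the sample is a placeholder); the spray is expressed as a JScript %u-escaped string; and the sample page and stream below are constructed for the demonstration, not captured traffic.

```python
"""Detection helpers for drive-by content targeting the msvidctl.dll
MPEG2TuneRequest control (CVE-2008-0015). Added example, not page code."""
import re
from dataclasses import dataclass, field
from typing import FrozenSet, List

# 18-byte header of the crafted "GIF" stream (the byte-sequence IOC on this page).
MSVIDCTL_STREAM_HEADER = (
    b"\x00\x03\x00\x00\x11\x20\x34\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
)

# ProgID of the targeted control, as named in the Metasploit module description.
MSVIDCTL_PROGID = "bdatuner.mpeg2tunerequest"

# <object classid="clsid:{...}">, any case, braces optional.
CLASSID_RE = re.compile(
    r"classid\s*=\s*[\"']?\s*clsid:\s*\{?([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})\}?",
    re.IGNORECASE,
)
# new ActiveXObject("BDATuner.MPEG2TuneRequest")
ACTIVEX_RE = re.compile(r"ActiveXObject\s*\(\s*[\"']([^\"']+)[\"']", re.IGNORECASE)
# JScript heap spray building a 0x0C0C0C0C sled (assumed form: unescape("%u0c0c%u0c0c")).
HEAP_SPRAY_RE = re.compile(r"(?:%u0c0c){2,}", re.IGNORECASE)


@dataclass
class Verdict:
    hits: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.hits)


def scan_html(html: str, msvidctl_clsids: FrozenSet[str]) -> Verdict:
    """Flag a page that instantiates the control by CLSID or ProgID, or that
    sprays the heap with the 0x0C0C0C0C value the public exploit returns into.

    msvidctl_clsids: CLSIDs served by msvidctl.dll, lower-case, without braces.
    Supplied by the caller; this page does not list the 12 CLSIDs.
    """
    verdict = Verdict()
    for clsid in CLASSID_RE.findall(html):
        if clsid.lower() in msvidctl_clsids:
            verdict.hits.append(f"object classid {clsid.lower()} belongs to msvidctl.dll")
    for progid in ACTIVEX_RE.findall(html):
        if progid.lower() == MSVIDCTL_PROGID:
            verdict.hits.append(f"ActiveXObject({progid!r}) instantiates the control")
    if HEAP_SPRAY_RE.search(html):
        verdict.hits.append("heap spray of 0x0C0C0C0C via %u-escaped string")
    return verdict


def scan_body(body: bytes) -> Verdict:
    """Flag an HTTP response body that starts with, or embeds, the crafted
    stream header, whatever Content-Type or file extension it is served with."""
    verdict = Verdict()
    if body.startswith(MSVIDCTL_STREAM_HEADER):
        verdict.hits.append("body starts with the msvidctl crafted-stream header")
    elif MSVIDCTL_STREAM_HEADER in body:
        verdict.hits.append("msvidctl crafted-stream header embedded in body")
    return verdict


# Constructed sample inputs, not captured traffic. The all-zero CLSID is a
# placeholder standing in for one of the real msvidctl.dll CLSIDs.
PLACEHOLDER_CLSID = "00000000-0000-0000-0000-000000000000"
SAMPLE_CLSIDS = frozenset({PLACEHOLDER_CLSID})
SAMPLE_PAGE = """<html><body>
<object classid="CLSID:{00000000-0000-0000-0000-000000000000}" id="tune"></object>
<script>
var t = new ActiveXObject("BDATuner.MPEG2TuneRequest");
var sled = unescape("%u0c0c%u0c0c");
while (sled.length < 0x100000) sled += sled;
</script></body></html>"""
BENIGN_PAGE = '<object classid="clsid:{12345678-1234-1234-1234-123456789abc}"></object>'
SAMPLE_STREAM = MSVIDCTL_STREAM_HEADER + b"A" * 64   # crafted stream, padded
BENIGN_GIF = b"GIF89a" + bytes(32)                   # an ordinary GIF header

if __name__ == "__main__":
    print(scan_html(SAMPLE_PAGE, SAMPLE_CLSIDS).hits)
    print(scan_body(SAMPLE_STREAM).hits)
```

Feed scan_body the decoded (de-chunked, decompressed) response body rather than the raw TCP stream, and match on bytes, not on the .gif extension: the stream is only called a GIF because of how it was served. The CLSID allowlist must hold all 12 CLSIDs the module rotates through, as the seventh item above notes.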
CVSS provenance
NVD (v3.1): 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
NVD (v2.0): 9.3 CRITICAL, AV:N/AC:M/Au:N/C:C/I:C/A:C
VulnCheck: 8.8 HIGH
CISA: 8.8 HIGH
GHSA
GHSA-vhhg-3f5r-hv5g (CVE-2008-0020, HIGH, CWE-94)
ghsa_unreviewed · 2022-05-01 · CVSS 8.8
Unspecified vulnerability in the Load method in the IPersistStreamInit interface in the Active Template Library (ATL), as used in the Microsoft Video ActiveX control in msvidctl.dll in DirectShow, in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, Vista Gold, SP1, and SP2, and Server 2008 Gold and SP2 allows remote attackers to execute arbitrary code via unknown vectors that trigger memory corruption, aka "ATL Header Memcopy Vulnerability," a different vulnerability than CVE-2008-0015.
GHSA
GHSA-h58h-8g45-v677 (CVE-2008-0015, HIGH, CWE-119)
ghsa_unreviewed · 2022-05-01
Stack-based buffer overflow in the CComVariant::ReadFromStream function in the Active Template Library (ATL), as used in the MPEG2TuneRequest ActiveX control in msvidctl.dll in DirectShow, in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, Vista Gold, SP1, and SP2, and Server 2008 Gold and SP2 allows remote attackers to execute arbitrary code via a crafted web page, as exploited in the wild in July 2009, aka "Microsoft Video ActiveX Control Vulnerability."
VulnCheck
Microsoft Windows Video ActiveX Control Remote Code Execution Vulnerability (CVE-2008-0015, HIGH)
vulncheck · 2008 · CVSS 8.8
Microsoft Windows Video ActiveX Control contains a remote code execution vulnerability. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user.
Affected: Microsoft Windows
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://www.cve.org/CVERecord?id=CVE-2008-0015; https://learn.microsoft.com/en-us/security-updates/securityb
CISA
Microsoft Windows Video ActiveX Control Remote Code Execution Vulnerability (CVE-2008-0015, HIGH)
cisa · 2026-02-17 · CVSS 8.8
Affected: Microsoft Windows
Microsoft Windows Video ActiveX Control contains a remote code execution vulnerability. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://web.archive.org/web/20110305211119/https://www.microsoft.com/technet/security/bulletin/ms09-032.mspx ; h
No detection rules found.
Exploit-DB
Microsoft DirectShow - 'msvidctl.dll' MPEG-2 Memory Corruption (MS09-032/MS09-037) (Metasploit) (CVE-2008-0015)
exploitdb · 2010-04-30
---
##
# $Id: msvidctl_mpeg2.rb 9179 2010-04-30 08:40:19Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
##
# msvidctl_mpeg2.rb
#
# Microsoft DirectShow (msvidctl.dll) MPEG-2 Memory Corruption exploit for the Metasploit Framework
#
# Tested successfully on the following platforms (fully patched 06/07/09):
# - Internet Explorer 6, Windows XP SP2
# - Internet Explorer 7, Windows XP SP3
#
# Original exploit was found in-the-wild used to perform drive-by attacks via compromised C
Exploit-DB
Microsoft Internet Explorer 7 Video - ActiveX Remote Buffer Overflow (CVE-2008-0015)
exploitdb · 2009-07-10
---
#!/usr/bin/env python
# MS Internet Explorer 7 DirectShow (msvidctl.dll) Heap Spray (Advisory 972890)
#
# Written by SecureState R&D Team
# Authors: David Kennedy (ReL1K), John Melvin (Whipsmack), Steve Austin
# http://www.securestate.com
#
# win32_bind EXITFUNC=seh LPORT=5500 Size=314 Encoder=ShikataGaNai Shell=bind
#
# Tested on WinXPSP3, Win2k3SP2, WinXPSP2 on IE6 and IE7
Metasploit
Microsoft DirectShow (msvidctl.dll) MPEG-2 Memory Corruption
metasploit
This module exploits a memory corruption within the MSVidCtl component of Microsoft DirectShow (BDATuner.MPEG2TuneRequest). By loading a specially crafted GIF file, an attacker can overrun a buffer and execute arbitrary code. ClassID is now configurable via an advanced option (otherwise randomized) - I)ruid
Talos
Only whitehat journalists need Metasploit to hack oracle
blogs_talos · 2009-07-27 · CVSS 8.8 [HIGH]
I'm astounded at the number of crazy articles concerning the release of Oracle exploits for PATCHED vulnerabilities. How is it that oracle in particular gets this kind of response, when Metasploit has been doing this with other vendors for years and years? Never mind the fact that I released a module for my oracle weblogic bug the day it was patched. Metasploit is useful in that it allows sysadmins to demonstrate to their bosses that they need time and money to patch by demonstrating concretely that they are vulnerable. This does NOT mean that if an exploit is not in metasploit that no one can own you. This is not rocket science.
From Olney:
In the end, this whole argument stems from one of the most egregious thought errors in the industry: The absence of PoC code, or worse, the lack of a
Tenable
Plugin Spotlight: Vulnerability in Microsoft Video ActiveX Control
blogs_tenable · 2009-07-10
By Paul Asadoorian, July 10, 2009
Browsing the web is increasingly hazardous, especially given the recently released vulnerabilities and associated exploits. It’s interesting how the vulnerabilities are being referred to as "remote". While they are remotely exploitable, there are differences in how they are executed. One form of remote exploit requires no user interaction. A process listens on a port and is exploited over the network without the end user having to perform any action. The ActiveX vulnerability referenced in this plugin is remote, but does require that the user have a web browser loaded and actually be browsing the web. The exploit can be embedded into different web pages and ex
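The kill-bit workaround that Nessus plugin 39622 checks (see the Detection & IOCs list above) can also be audited offline from a registry export of the ActiveX Compatibility key. The following Python is an added example written for this page; it is not Tenable's plugin, Microsoft's tooling, or code from the page. It assumes the documented kill-bit mechanism (bit 0x00000400 of the "Compatibility Flags" DWORD under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}, mirrored under Wow6432Node for 32-bit Internet Explorer on 64-bit Windows) and an export produced by reg export of that key. The CLSIDs in the sample export are placeholders, not the real msvidctl.dll CLSIDs, which this page does not list.

```python
"""Audit Internet Explorer kill bits from a reg.exe export. Added example;
key path and flag value follow Microsoft's kill-bit documentation."""
import re
from typing import Dict, Iterable, Tuple

KILL_BIT = 0x00000400  # "Compatibility Flags" bit that stops IE instantiating a CLSID

# Native key, plus the WOW6432 view that 32-bit IE reads on 64-bit Windows.
ACTIVEX_COMPAT_KEYS = {
    r"hkey_local_machine\software\microsoft\internet explorer\activex compatibility",
    r"hkey_local_machine\software\wow6432node\microsoft\internet explorer\activex compatibility",
}

_KEY_RE = re.compile(r"^\[(.+)\\\{([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}\]$")
_FLAGS_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9A-Fa-f]{8})$')


def load_export(path: str) -> str:
    """reg.exe writes UTF-16 LE with a BOM; the utf-16 codec consumes the BOM."""
    with open(path, encoding="utf-16") as fh:
        return fh.read()


def parse_compat_flags(reg_export: str) -> Dict[Tuple[str, str], int]:
    """Map (compat-key, clsid) -> Compatibility Flags for every subkey in the export.
    Keys and CLSIDs are lower-cased; a subkey without the value maps to 0."""
    table: Dict[Tuple[str, str], int] = {}
    current = None
    for raw in reg_export.splitlines():
        line = raw.strip()
        key = _KEY_RE.match(line)
        if key:
            parent, clsid = key.group(1).lower(), key.group(2).lower()
            current = (parent, clsid) if parent in ACTIVEX_COMPAT_KEYS else None
            if current:
                table.setdefault(current, 0)
            continue
        flags = _FLAGS_RE.match(line)
        if flags and current:
            table[current] = int(flags.group(1), 16)
    return table


def audit_kill_bits(reg_export: str, clsids: Iterable[str]) -> Dict[str, bool]:
    """True only when the CLSID carries the kill bit under every ActiveX
    Compatibility key present in the export: a CLSID killed in the native key
    but absent from the Wow6432Node key is still reachable from 32-bit IE."""
    table = parse_compat_flags(reg_export)
    keys_present = {parent for parent, _ in table}
    result: Dict[str, bool] = {}
    for clsid in clsids:
        clsid = clsid.lower().strip("{}")
        result[clsid] = bool(keys_present) and all(
            table.get((parent, clsid), 0) & KILL_BIT for parent in keys_present
        )
    return result


# Constructed export, not from a real host; placeholder CLSIDs throughout.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{11111111-1111-1111-1111-111111111111}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{22222222-2222-2222-2222-222222222222}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{33333333-3333-3333-3333-333333333333}]
"Compatibility Flags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{11111111-1111-1111-1111-111111111111}]
"Compatibility Flags"=dword:00000400
"""
AUDIT_CLSIDS = [
    "{11111111-1111-1111-1111-111111111111}",  # killed in both views
    "22222222-2222-2222-2222-222222222222",    # killed natively, missing under Wow6432Node
    "33333333-3333-3333-3333-333333333333",    # present, kill bit clear
    "44444444-4444-4444-4444-444444444444",    # no entry at all
]

if __name__ == "__main__":
    for clsid, killed in audit_kill_bits(SAMPLE_EXPORT, AUDIT_CLSIDS).items():
        print(f"{clsid}: {'kill bit set' if killed else 'NOT killed'}")
```

On a real host, run reg export "HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility" compat.reg (and the Wow6432Node key on 64-bit hosts, appending to the same file), then pass load_export("compat.reg") and the actual msvidctl.dll CLSID list. A True result only confirms the workaround is in place; as the caveat in the Detection & IOCs list says, the kill bit alone may not fully mitigate the problem, so the MS09-032/MS09-037 updates still need to be applied.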
arXiv
Integrating Network and Attack Graphs for Service-Centric Impact Analysis
arxiv_fulltext · 2026-02-11
Joni Herttuainen, Vesa Kuikka, Kimmo K. Kaski
Department of Computer Science, Aalto University School of Science, P.O. Box 11000, 00076 Aalto, Finland
## Abstract
We present a novel methodology for modelling, visualising, and analysing cyber threats, attack paths, as well as their impact on user services in enterprise or infrastructure networks of digital devices and services they provide. Using probabilistic methods to track the propagation of an attack through attack graphs, via the service or application layers, and on physical communication networks, our model enables us to analyse cyber attacks at different levels of detail. Understanding
Bugzilla
CVE-2008-5345 JRE allows unauthorized file access and connections to localhost [HIGH]
bugzilla · 2008-12-05 · CVSS 7.5
Name: CVE-2008-5345
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5345
Reference: SUNALERT:246387
Reference: URL:http://sunsolve.sun.com/search/document.do?assetkey=1-26-246387-1
Unspecified vulnerability in Java Runtime Environment (JRE) with Sun
JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and
earlier; SDK and JRE 1.4.2_18 and earlier; and SDK and JRE 1.3.1_23
and earlier allows code that is loaded from a local filesystem to read
arbitrary files and make unauthorized connections to localhost via
unknown vectors.
Discussion:
Another mention of this issue:
http://secunia.com/advisories/32991/
---
Red Hat advisory RHSA-2009-0015 says that this is one of the
Bugzilla
CVE-2008-5339 JavaWebStart allows unauthorized network connections [MEDIUM]
bugzilla · 2008-12-05 · CVSS 5.0
Name: CVE-2008-5339
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5339
Reference: SUNALERT:244988
Reference: URL:http://sunsolve.sun.com/search/document.do?assetkey=1-26-244988-1
Unspecified vulnerability in Java Web Start (JWS) and Java Plug-in
with Sun JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update
16 and earlier; and SDK and JRE 1.4.2_18 and earlier allows untrusted
JWS applications to perform network connections to unauthorized hosts
via unknown vectors.
Discussion:
Another mention of this issue:
http://secunia.com/advisories/32991/ (Point 5) )
---
This bug is listed in Red Hat advisory RHSA-2009-0015 as being fixed, yet is in state NEW.
https://rhn.redhat.com/errata/
Bugzilla
CVE-2008-5344 Java WebStart unprivileged local file and network access [HIGH]
bugzilla · 2008-12-05 · CVSS 7.5
Name: CVE-2008-5344
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5344
Reference: SUNALERT:244988
Reference: URL:http://sunsolve.sun.com/search/document.do?assetkey=1-26-244988-1
Unspecified vulnerability in Java Web Start (JWS) and Java Plug-in
with Sun JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update
16 and earlier; and SDK and JRE 1.4.2_18 and earlier allows untrusted
applets to read arbitrary files and make unauthorized network
connections via unknown vectors related to applet classloading.
Discussion:
Another mention of this issue:
http://secunia.com/advisories/32991/
---
Red Hat advisory RHSA-2009-0015 states that this bug is fixed:
https://rhn.redhat.com/errata/R
References
http://blogs.technet.com/srd/archive/2009/08/11/ms09-037-why-we-are-using-cve-s-already-used-in-ms09-035.aspx
http://isc.sans.org/diary.html?storyid=6733
http://osvdb.org/55651
http://secunia.com/advisories/36187
http://www.csis.dk/dk/nyheder/nyheder.asp?tekstID=799
http://www.iss.net/threats/329.html
http://www.kb.cert.org/vuls/id/180513
http://www.microsoft.com/technet/security/advisory/972890.mspx
http://www.securityfocus.com/bid/35558
http://www.securityfocus.com/bid/35585
http://www.securitytracker.com/id?1022514
http://www.us-cert.gov/cas/techalerts/TA09-187A.html
http://www.us-cert.gov/cas/techalerts/TA09-195A.html
http://www.us-cert.gov/cas/techalerts/TA09-223A.html
http://www.vupen.com/english/advisories/2009/2232
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-032
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-037
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6333
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6363
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7436
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2008-0015
Timeline
2009-07-07: Published
2026-02-17: Added to CISA KEV
Exploited in the wild