The vulnerability has been exploited in the wild since June 11, 2009 (as discovered by X-Force) and was touted by the media and by SANS as being exploited in the wild on July 6, 2009.
According to Symantec research first exploitation of the vulnerability was detected on 2008-12-28.
HTML/CVE-2008-0015
Bloodhoud.Exploit.259
Vulnerability details
Advisory: SB2009070601 - Remote code execution in Microsoft Video ActiveX Control
Vulnerable component: Microsoft Video ActiveX Control
CVE-ID: CVE-2008-0015
CVSSv3 score: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C
CWE-ID: CWE-121 - Stack-based buffer overflow
Description:
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to stack-based buffer overflow in the Microsoft Video ActiveX Control, msvidctl.dll. By persuading a victim to visit a specially crafted Web page, a remote attacker can trigger memory corruption and execute arbitrary code on the target system with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
Public Exploits:
- Microsoft DirectShow - 'msvidctl.dll' MPEG-2 Memory Corruption (MS09-032/MS09-037) (Metasploit) [Exploit-DB]
- Microsoft Internet Explorer 7 Video - ActiveX Remote Buffer Overflow [Exploit-DB]
External links:
https://technet.microsoft.com/en-us/library/security/972890
https://technet.microsoft.com/en-us/library/security/ms09-032.aspx
https://isc.sans.edu/diary/0-day+in+Microsoft+DirectShow+%28msvidctl.dll%29+used+in+drive-by+attacks...
https://blogs.technet.microsoft.com/srd/2009/08/11/ms09-037-why-we-are-using-cves-already-used-in-ms...
https://www.symantec.com/security_response/writeup.jsp?docid=2009-070605-3347-99
http://www.pandasecurity.com/mediacenter/malware/social-engineering-pdfs-and-banking-trojans/
http://tpmitigation.sourceforge.net/
https://users.ece.cmu.edu/~tdumitra/public_documents/bilge12_zero_day.pdf