What is the Windows Video ActiveX Control?
The Microsoft Windows Video ActiveX Control (msvidctl.dll) is a Windows component that provides video mixing and rendering capabilities for television tuners, digital broadcast applications, and DirectShow-based multimedia applications. The control registers COM objects including MPEG2TuneRequest that could be instantiated and used by web pages through Internet Explorer's ActiveX support. ActiveX controls — binary components that could execute with full user privileges when loaded in Internet Explorer — were a major attack surface throughout the 2000s. Microsoft shipped numerous ActiveX controls as part of Windows that were "safe for scripting" and therefore accessible to any website visited in IE, creating opportunities for drive-by exploitation.
Overview
CVE-2008-0015 is a high-severity remote code execution vulnerability (CWE-119, CVSS 8.8) in the Microsoft Windows Video ActiveX Control. A stack buffer overflow in the MPEG2TuneRequest COM object allows a remote attacker to execute arbitrary code when a victim visits a malicious web page in Internet Explorer. The vulnerability was actively exploited as a zero-day — public exploit code circulated the day before Microsoft's advisory. Microsoft released an out-of-band patch in MS09-032 (July 2009). CISA added it to the KEV catalog in February 2026, seventeen years after the patch, reflecting continued exploitation against legacy Windows and IE environments.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| Windows XP SP2/SP3 | Before July 2009 patch | Apply MS09-032 |
| Windows XP x64 Edition SP2 | Before July 2009 patch | Apply MS09-032 |
| Windows Server 2003 SP2 | Before July 2009 patch | Apply MS09-032 |
| Windows Vista SP1/SP2 | Before July 2009 patch | Apply MS09-032 |
| Windows Server 2008 | Before July 2009 patch | Apply MS09-032 |
Note: Internet Explorer 8 on Windows Vista and Server 2008 was not affected due to Protected Mode providing an additional security boundary.
Technical Details
The vulnerability (CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer) exists in the MPEG2TuneRequest COM object implemented in msvidctl.dll. This component is registered as "safe for scripting," meaning IE-hosted web pages could instantiate it without triggering security prompts.
When a web page instantiated MPEG2TuneRequest and invoked certain methods on it with crafted arguments, the underlying C++ code copied attacker-controlled data into a stack-allocated buffer without checking that the data fit within the buffer's bounds. The stack overflow corrupted the saved return address and other stack data.
The typical exploitation path:
- Victim visits a malicious web page in Internet Explorer (no download or additional user interaction beyond visiting the page)
- JavaScript on the page instantiates the MPEG2TuneRequest ActiveX control
- A crafted method call triggers the stack overflow
- With heap spraying (pre-filling memory with NOP sleds and shellcode), the overwritten return address redirects to the sprayed shellcode
- Code executes with the privileges of the IE process — the logged-in user's privileges on pre-Protected Mode configurations
The vulnerability was disclosed and exploited as a zero-day in July 2009, with exploit code publicly available within days of Microsoft's advisory — forcing an out-of-band patch release rather than waiting for the next Patch Tuesday.
Discovery
The vulnerability was discovered and exploited in the wild before public disclosure. Active exploitation was observed in drive-by download campaigns in early July 2009. Microsoft confirmed the vulnerability on July 7, 2009, and released an emergency out-of-band patch (MS09-032) one week later on July 14 — one of Microsoft's relatively rare out-of-band patch releases, triggered by the severity and active exploitation of the zero-day.
Exploitation Context
The February 2026 CISA KEV addition for a 16-year-old vulnerability indicates ongoing exploitation:
- Legacy IE on Windows XP/Server 2003: Internet Explorer 6 and 7 on Windows XP ran in a low-security context where ActiveX controls executed with full user privileges. Systems still running Windows XP (which reached EoL in April 2014) remain vulnerable and cannot be patched via normal means.
- Industrial and embedded Windows: Windows XP and Server 2003 persist in OT/ICS environments where the control systems cannot be updated. Attackers targeting these environments can use this vulnerability for initial access.
- IE-dependent legacy applications: Some organizations maintain Internet Explorer specifically for legacy web applications, accepting the security risk — these systems remain vulnerable to drive-by exploitation.
- Attack chain component: This vulnerability provides a reliable, well-documented code execution primitive for attackers who already know a target is running legacy Windows/IE.
Remediation
- Apply MS09-032: For any remaining Windows XP/Server 2003/Vista/Server 2008 systems, apply the July 2009 out-of-band patch.
- Migrate off Windows XP and IE: Windows XP and IE 6/7/8 are end-of-life with no security support. Replace with current Windows versions and modern browsers (Chrome, Edge, Firefox).
- Set the kill bit for MPEG2TuneRequest: As a workaround, the MPEG2TuneRequest CLSID can be disabled via the IE kill bit registry setting to prevent IE from instantiating the control, even on unpatched systems.
- Network isolation for legacy systems: Air-gap or strictly network-isolate any Windows XP systems that cannot be replaced, preventing web browsing from these systems.
- Disable ActiveX in IE: Configure IE Security Zone settings to disable ActiveX controls or prompt for each installation as a compensating control for systems that cannot be patched immediately.
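The kill-bit workaround above, as an added PowerShell example (not code from this page or from Microsoft's bulletin): it audits, and with `-Apply` sets, the standard IE kill bit (`Compatibility Flags` = 0x400 under `ActiveX Compatibility`) in both the native and 32-bit registry views. The CLSID shown is a placeholder, since this page does not list the control's CLSIDs; supply the values from the vendor advisory.

```powershell
# Added example: audit, and with -Apply set, the IE kill bit for given CLSIDs.
param(
    # PLACEHOLDER CLSID: replace with the values listed in the vendor advisory.
    [string[]]$Clsids = @('{00000000-0000-0000-0000-000000000000}'),
    [switch]$Apply
)

$FlagName = 'Compatibility Flags'
$KillBit  = 0x400   # bit that tells IE never to instantiate the control
$Roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    # 32-bit IE on 64-bit Windows reads its own registry view
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
) | Where-Object { Test-Path (Split-Path $_ -Parent) }

function Get-CompatFlags([string]$Key) {
    # A missing key or missing value both mean "no flags set"
    $p = Get-ItemProperty -Path $Key -Name $FlagName -ErrorAction SilentlyContinue
    if ($null -eq $p) { return 0 }
    return [int]$p.$FlagName
}

$results = foreach ($root in $Roots) {
    foreach ($clsid in $Clsids) {
        $key   = Join-Path $root $clsid
        $flags = Get-CompatFlags $key
        if ($Apply -and -not ($flags -band $KillBit)) {
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            # OR the bit in so any other compatibility flags are preserved
            $flags = $flags -bor $KillBit
            New-ItemProperty -Path $key -Name $FlagName -PropertyType DWord `
                -Value $flags -Force | Out-Null
        }
        New-Object PSObject -Property @{
            Key     = $key
            Flags   = '0x{0:X8}' -f $flags
            KillBit = [bool]($flags -band $KillBit)
        }
    }
}

$results | Format-Table KillBit, Flags, Key -AutoSize
# Non-zero exit code when any listed CLSID can still be instantiated by IE
if ($results | Where-Object { -not $_.KillBit }) { exit 1 }
```

Run without `-Apply` from an elevated prompt to report only; the exit code makes it usable as a compliance check on hosts that cannot take the patch.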
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2008-0015 |
| Vendor / Product | Microsoft — Windows |
| NVD Published | 2009-07-07 |
| NVD Last Modified | 2026-02-18 |
| CVSS 3.1 Score | 8.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-119 |
| CISA KEV Added | 2026-02-17 |
| CISA KEV Deadline | 2026-03-10 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2009-07-06 | Active exploitation of MPEG2TuneRequest ActiveX zero-day begins; public exploit code circulates before patch |
| 2009-07-07 | CVE-2008-0015 published; Microsoft acknowledges active exploitation and issues advisory |
| 2009-07-14 | Microsoft released out-of-band Security Bulletin MS09-032 (July 2009) patching the Video ActiveX Control vulnerability |
| 2026-02-17 | CISA added to KEV — 16 years after patch, indicating active exploitation of legacy Windows/IE configurations |
| 2026-03-10 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| NVD — CVE-2008-0015 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| Microsoft Security Bulletin MS09-032 | Vendor Advisory |