The Tech Herald

Microsoft acknowledges new DirectShow vulnerability

by Steve Ragan - May 28 2009, 21:27

Microsoft has acknowledged a vulnerability in DirectShow and confirmed that criminals are actively exploiting it. The DirectShow flaw is triggered when a malicious QuickTime media file is opened, and a successful exploit gives the attacker remote code execution.

Microsoft says the likely attack scenario is phishing or some other lure that links the user to a malicious Web site hosting the rogue video content. Once the page is loaded, the attack succeeds if the user opens the malicious video. However, according to the advisory, users of Windows Vista, Windows Server 2008, and Windows 7 RC1 are not affected.

"The vulnerability is in DirectShow’s code to process QuickTime format. The QuickTime Movie Parser Filter in DirectShow has been removed from Windows Vista and later operating systems," Microsoft stated on its Security Research and Defense blog.

"To be clear, whether you’ve installed Apple’s QuickTime or not, the vulnerability is in Microsoft’s quartz.dll and it’s possible to craft an attack to call that DLL on the system regardless of whether Apple’s QuickTime is present," it added.

Three workarounds help limit the attack surface exposed by the vulnerability. While they do not remove the underlying vulnerability itself, they will help IT mitigate the risk until an official patch is deployed by the Redmond-based software giant.

The first workaround is simply to unregister quartz.dll; alternatively, you can disable the parsing of QuickTime content in quartz.dll. You can also make the ACL on quartz.dll more restrictive, and limit shell attack vectors by using Windows Classic Folders for non-multimedia folder types. Each of the workarounds is listed in detail in Microsoft's advisory.

However, for most users, the 'Fix it for me' feature on the associated Knowledge Base article will offer a quick and painless solution. The 'Fix it for me' offering can be run online (through http://support.microsoft.com/kb/971778) or downloaded to a CD or flash drive for later deployment.
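The following is an added audit script, not part of the article or of Microsoft's advisory, that reports whether a host still exposes the quartz.dll QuickTime parsing path described above and whether the ACL workaround has been applied. It assumes the QuickTime Movie Parser Filter is the DirectShow SDK's CLSID_QuickTimeParser; confirm that key against the advisory before relying on it.

```powershell
# Added example: read-only exposure check for the DirectShow QuickTime parser issue.
# Assumption: the filter is CLSID_QuickTimeParser from the DirectShow SDK headers.
$QuickTimeParserClsid = '{D51BD5A0-7548-11CF-A520-0080C77EF58A}'

function Get-DirectShowQuickTimeExposure {
    $os       = [System.Environment]::OSVersion.Version
    $quartz   = Join-Path $env:SystemRoot 'System32\quartz.dll'
    $clsidKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$QuickTimeParserClsid"

    # Advisory: Vista, Server 2008 and Windows 7 (NT 6.x) ship without the parser filter.
    $osAffected = $os.Major -lt 6

    $quartzPresent    = Test-Path -LiteralPath $quartz
    $parserRegistered = Test-Path -LiteralPath $clsidKey

    # Workaround: a restrictive ACL on quartz.dll. Flag Allow ACEs that still grant
    # Everyone or BUILTIN\Users read-and-execute on the DLL.
    $broadAccess = $false
    if ($quartzPresent) {
        $rx = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
        foreach ($ace in (Get-Acl -LiteralPath $quartz).Access) {
            $id = $ace.IdentityReference.Value
            if ($ace.AccessControlType -eq 'Allow' -and
                ($id -eq 'Everyone' -or $id -like '*\Users') -and
                (($ace.FileSystemRights -band $rx) -eq $rx)) {
                $broadAccess = $true
            }
        }
    }

    # Exposed only when every condition that the advisory's workarounds address still holds.
    [pscustomobject]@{
        OSVersion                 = $os.ToString()
        OSAffectedPerAdvisory     = $osAffected
        QuartzDllPresent          = $quartzPresent
        QuickTimeParserRegistered = $parserRegistered
        QuartzBroadlyExecutable   = $broadAccess
        Exposed                   = ($osAffected -and $quartzPresent -and $parserRegistered -and $broadAccess)
    }
}

Get-DirectShowQuickTimeExposure | Format-List
```

Run it from an elevated prompt so Get-Acl can read the system DLL's security descriptor; it changes nothing on the host.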

There isn’t much to go on at this time, but Microsoft has said it will keep the advisory page updated with new developments.

The Tech Herald: Microsoft Security Advisory (971778)
