
May 28th, 2009

Dangerous Microsoft DirectX vulnerability under attack

Posted by Ryan Naraine @ 2:13 pm

Categories: Anti Virus, Arbitrary Code Execution, Browsers, Complex Attacks, Data theft, Exploit code, Malware, Microsoft, Patch Watch, Responsible disclosure, Viruses and Worms, Vulnerability research, Windows Vista

Tags: Apple QuickTime, Vulnerability, Microsoft Corp., Web Browser, Attack, Microsoft Windows, Operating Systems, Security, Software, Ryan Naraine

Microsoft today warned that hackers are using rigged QuickTime media files to exploit an unpatched vulnerability in DirectShow, the APIs used by Windows programs for multimedia support.

The company has activated its security response process to deal with the zero-day attacks and has issued a pre-patch advisory with workarounds and a one-click “fix it” feature to enable the mitigations.

From the advisory:

Microsoft is aware of limited, active attacks that use this exploit code. While our investigation is ongoing, our investigation so far has shown that Windows 2000 Service Pack 4, Windows XP, and Windows Server 2003 are vulnerable; all versions of Windows Vista and Windows Server 2008 are not vulnerable.

An entry on the MSRC blog provides more details:

The vulnerability is in the QuickTime parser in Microsoft DirectShow. An attacker would try and exploit the vulnerability by crafting a specially formed video file and then posting it on a website or sending it as an attachment in e-mail. While this isn’t a browser vulnerability, because the vulnerability is in DirectShow, a browser-based vector is potentially accessible through any browser using media plug-ins that use DirectShow. Also, we’ve verified that it is possible to direct calls to DirectShow specifically, even if Apple’s QuickTime (which is not vulnerable) is installed.

Interestingly, the vulnerable component was removed from Windows Vista and later operating systems but is still available for use in the Microsoft Windows 2000, Windows XP, and Windows Server 2003 operating systems.

Vulnerable Windows users should immediately consider disabling QuickTime parsing to thwart attackers. This KB article provides a fix-it button that automatically enables the workaround.

It also provides detailed instructions on using a managed script deployment for Windows shops.

Also see the Security Research and Defense blog for more information.

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal. Here is Ryan's full profile and disclosure of his industry affiliations.


  • Most Recent of 161 Talkback(s)
RE: Dangerous Microsoft DirectX vulnerability under attack
I think these things are going to happen and no matter how much code ms throws at their OS there will be people who find exploits and use them.

What is starting to bug me is I now have a folder... (Read the rest)
Posted by: WildBill47 Posted on: 07/15/09