0 Replies Latest reply on May 29, 2009 4:32 AM by secured2k

    0-Day Microsoft DirectX 7-9 Vulnerability Discovered

    secured2k
      Microsoft has released a security advisory warning about a 0-day exploit (undisclosed and actively used in the wild by malicious hackers) in Microsoft's DirectX DirectShow QuickTime parser.

      Vulnerable: Windows 2000, XP, 2003 - 32-bit & 64-bit - (DirectX 7-9.0c)
      Not Vulnerable: Windows Vista/2008/7 - DirectX 10 removed the problem code.

      Note: You do not need to have QuickTime player installed to be vulnerable.

      At the time of this posting, a patch was not yet available, but the KB Article does have a few workarounds. Below are links to Microsoft's easy "Fix-It for me" links that will enable and disable (when the patch is available and installed) the workaround.


      [Enable workaround]
      [Disable workaround]



      Frequently Asked Questions

      What is the scope of the advisory?
      Microsoft is aware of a new vulnerability report affecting DirectX, a component of Microsoft Windows. This affects the software that is listed in the “Overview” section.

      Is this a security vulnerability that requires Microsoft to issue a security update?
      Microsoft is currently working to develop a security update for Windows to address this vulnerability. Microsoft will release the security update once it has reached an appropriate level of quality for broad distribution.

      What causes this threat?
      A remote code execution vulnerability exists in the way Microsoft DirectShow handles supported QuickTime format files. This vulnerability could allow code execution if a user opened a specially crafted QuickTime media file. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

      What is DirectX?
      Microsoft DirectX is a feature of the Windows operating system. It is used for streaming media on Microsoft Windows operating systems to enable graphics and sound when playing games or watching video.

      What is DirectShow?
      DirectX consists of a set of low-level Application Programming Interfaces (APIs) used by Windows programs for multimedia support. Within DirectX, the DirectShow technology performs client-side audio and video sourcing, manipulation and rendering.

      Microsoft DirectShow is used for streaming media on Microsoft Windows operating systems. DirectShow is used for high-quality capture and playback of multimedia streams. It automatically detects and uses video and audio acceleration hardware when available, but also supports systems without acceleration hardware. DirectShow is also integrated with other DirectX technologies. Some examples of applications that you can create using DirectShow include DVD players, video editing applications, AVI to ASF converters, MP3 players, and digital video capture applications.

      What is the QuickTime Movie Parser Filter?
      The QuickTime Movie Parser filter splits Apple QuickTime data into audio and video streams. It supports QuickTime 2.0 and earlier. The input pin connects to a source filter such as the Async File Source filter or the URL File Source filter. The Parser uses the AVI Decompressor or QT Decompressor filter to decompress QuickTime files. The filter creates one output pin for the video stream and one output pin for the audio stream. For more information, see QuickTime Movie Parser Filter.

      This component has been removed from Windows Vista and later operating systems. It is available for use in the Microsoft Windows 2000, Windows XP, and Windows Server 2003 operating systems.

      What might an attacker use this function to do?
      If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.



      Microsoft's Security Response Center Blog

      Microsoft Security Advisory (971778)
      Vulnerability in Microsoft DirectShow Could Allow Remote Code Execution


      CVE Reference: CVE-2009-1537