Dangerous Microsoft DirectX vulnerability under attack

Microsoft today warned that hackers are using rigged QuickTime media files to exploit an unpatched vulnerability in DirectShow, the APIs used by Windows programs for multimedia support.

The company has activated its security response process to deal with the zero-day attacks and has issued a pre-patch advisory with workarounds and a one-click "fix it" feature that enables the mitigations.

From the advisory:

Microsoft is aware of limited, active attacks that use this exploit code. While our investigation is ongoing, our investigation so far has shown that Windows 2000 Service Pack 4, Windows XP, and Windows Server 2003 are vulnerable; all versions of Windows Vista and Windows Server 2008 are not vulnerable.

An entry on the MSRC blog provides more details:

The vulnerability is in the QuickTime parser in Microsoft DirectShow. An attacker would try and exploit the vulnerability by crafting a specially formed video file and then posting it on a website or sending it as an attachment in e-mail. While this isn’t a browser vulnerability, because the vulnerability is in DirectShow, a browser-based vector is potentially accessible through any browser using media plug-ins that use DirectShow. Also, we’ve verified that it is possible to direct calls to DirectShow specifically, even if Apple’s QuickTime (which is not vulnerable) is installed.

Interestingly, the vulnerable component was removed from Windows Vista and later operating systems but is still available for use in the Microsoft Windows 2000, Windows XP, and Windows Server 2003 operating systems.

Users of the vulnerable Windows versions should disable QuickTime parsing in DirectShow now rather than wait for a patch; the workaround removes the component the exploit relies on, whatever the delivery vector (web page, e-mail attachment, or a browser media plug-in that hands the file to DirectShow). This KB article provides a fix-it button that applies the workaround automatically.

It also provides detailed instructions on a managed script deployment for Windows shops that need to roll the workaround out (and later revert it) across many machines.
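A scripted version of the workaround, added here as an example and not Microsoft's fix-it or its managed-deployment script: it backs up the COM registration of the DirectShow QuickTime Movie Parser filter, deletes it so the filter can no longer be instantiated and quartz.dll never sees QuickTime content, and can verify or revert the change. The CLSID is the one the advisory's registry workaround deletes (confirm it against the KB article before deploying); the backup path, switch names and messages are this example's own choices.

```powershell
<#
  Added example (not Microsoft's fix-it or managed-deployment script).
  Applies, checks, or reverts the "disable QuickTime parsing" workaround by
  removing the InprocServer32 registration of the DirectShow QuickTime Movie
  Parser filter; with it gone, CoCreateInstance() of the filter fails.
  ASSUMPTIONS: the CLSID is the one the advisory's workaround names (verify
  against the KB article); backup location and switch names are ours.
  Run from an elevated prompt for Disable/Restore.
#>
param(
    [ValidateSet('Check', 'Disable', 'Restore')]
    [string]$Action = 'Check',
    [string]$BackupFile = (Join-Path $env:SystemRoot 'Temp\qt-parser-inprocserver32.reg')
)

$Clsid     = '{D51BD5A0-7548-11CF-A520-0080C77EF58A}'
$RegKey    = "HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32"   # form reg.exe expects
$PsKeyPath = "Registry::$RegKey"                                 # registry provider form

function Test-IsAdmin {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-ParserState {
    # Reports whether the parser filter is still creatable through COM.
    # The key's "(default)" value is the hosting DLL (normally quartz.dll).
    if (-not (Test-Path -Path $PsKeyPath)) {
        return [pscustomobject]@{ Registered = $false; Dll = $null }
    }
    $dll = (Get-ItemProperty -Path $PsKeyPath).'(default)'
    [pscustomobject]@{ Registered = $true; Dll = $dll }
}

function Disable-QuickTimeParser {
    if (-not (Get-ParserState).Registered) {
        Write-Host 'QuickTime parser already unregistered; nothing to do.'
        return
    }
    # Export first so Restore can undo the change without reinstalling DirectX.
    if (Test-Path $BackupFile) { Remove-Item $BackupFile -Force }
    & reg.exe export $RegKey $BackupFile | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $BackupFile)) {
        throw "Backup of $RegKey failed; refusing to delete the key."
    }
    Remove-Item -Path $PsKeyPath -Recurse -Force
    if ((Get-ParserState).Registered) {
        throw 'Key still present after deletion; workaround NOT applied.'
    }
    Write-Host "Workaround applied. Backup written to $BackupFile"
}

function Restore-QuickTimeParser {
    if (-not (Test-Path $BackupFile)) {
        throw "No backup at $BackupFile; cannot restore."
    }
    & reg.exe import $BackupFile | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Get-ParserState).Registered) {
        throw 'Restore failed; parser still unregistered.'
    }
    Write-Host 'QuickTime parser registration restored.'
}

switch ($Action) {
    'Check' {
        $s = Get-ParserState
        if ($s.Registered) {
            Write-Host "QuickTime parser registered via $($s.Dll): workaround NOT applied."
        } else {
            Write-Host 'QuickTime parser not registered: workaround applied, or component absent (as on Vista/2008).'
        }
    }
    'Disable' { if (-not (Test-IsAdmin)) { throw 'Run elevated.' }; Disable-QuickTimeParser }
    'Restore' { if (-not (Test-IsAdmin)) { throw 'Run elevated.' }; Restore-QuickTimeParser }
}
```

Run `.\qt-parser-workaround.ps1 -Action Check` on a fleet to find machines still exposed, `-Action Disable` to apply, and `-Action Restore` once the real patch is installed. Two caveats: the workaround only disables QuickTime-format parsing, so other DirectShow playback keeps working but .mov-style content will stop playing until you restore the key; and on x64 editions the 32-bit filter is registered under HKEY_CLASSES_ROOT\Wow6432Node\CLSID as well, so that registration needs the same treatment.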

Also see the Security Research and Defense blog for more information.

Topics: Software, Browser, Microsoft, Operating Systems, Security, Windows

Talkback

162 comments
  • Command prompt ping an IP address

    Call up a command prompt > type ping zdnet.com. You'll see ZDNet's IP address. You can type the IP address into your browser's address spot and hope that your site doesn't time out and that you are authorized to view it. USA Today works, the White House timed out.
    BALTHOR
  • One of Us Misread the Article

    Quote1: "... to exploit an unpatched vulnerability in DirectShow, the
    APIs used by Windows programs for multimedia support."

    Quote2: "Also, we've verified that it is possible to direct calls to
    DirectShow specifically, even if Apple's QuickTime (which is not
    vulnerable) is installed."

    I'm getting that the exploit consists of a downloaded QuickTime file
    which is handled by Microsoft code, and, more seriously, the
    exploiting files can choose to be handled by DirectShow should one
    have QuickTime installed. It looks like sandboxing and/or advanced
    security features in Vista prevent the exploit from taking hold.

    DannyO_0x98
    • By the Way

      This morning, after a 40 day hiatus, my server started getting bogus
      dictionary log ins. Last time this happened was as conficker activated
      right before April 15. Because I hadn't noticed any significant security
      things recently, I thought that maybe someone looked at the calendar
      and threw a switch.

      Nope. When I get these (so far) it's when some thing is going wild in
      Windows land.
      DannyO_0x98
    • Speaking of "misreading..."

      Quote 3: "Interestingly, [b]the vulnerable component was removed from Windows Vista and later operating systems[/b] but is still available for use in the Microsoft Windows 2000, Windows XP, and Windows Server 2003 operating systems."

      'Nuff said...
      Wolfie2K3
      • conspiracy theory

        Sounds to me like they are punishing XP users to push Vista and Windows 7. That's why I'm using W7 RC right now. I'll let someone else start the OS flame wars.

        Paul

        An Operating System is a tool, not a religion.
        pfyearwood
        • but some say

          religion is also a tool to control the masses.

          So also, the Operating System

          ;-)
          oldbaritone
  • According to the information we have Vista isn't vulnerable.

    [i]QuickTime runs outside the IE sandbox, so not even the IE or Chrome sandboxes can mitigate this.[/i]

    So it's irrelevant if it runs outside the sandbox or not.
    ye
    • Just ditch Windows.

      That'll solve it.
      fr0thy2
      • What will it solve?

        [i]That'll solve it.[/i]
        ye
        • Costs, single vendor lock-in, anti-competitive activities

          and entering of silly licence keys, all just to have a software platform that will be pulled from under your feet at Microsoft shareholders' whim.
          fr0thy2
          • LOL! Could you put together a more meaningless list?

            Costs: The majority of Windows users obtain Windows as part of a PC purchase. Therefore they get it for a relatively low cost.

            single vendor lock-in: Few people care about this.

            anti-competitive activities: This happened over 10 years ago. Time to give it a rest.

            entering of silly licence keys: Most people obtain Windows as part of a new system purchase thus they never have to worry about this. For those who purchase retail it's an activity that takes all of a few seconds. Hardly a reason to switch.

            all just to have a software platform that will be pulled from under your feet at Microsoft shareholders' whim: Has this ever happened?
            ye
          • About as meaningless as yours...

            [i]Costs: The majority of Windows users obtain Windows as part of a PC purchase. Therefore they get it for a relatively low cost.[/i]

            Sure when only one OS is installed by default due to proprietary agreements with the OEMs, the costs are buried. Didn't we argue about this last week? And you still like to keep deceiving yourself?

            [i]single vendor lock-in: Few people care about this.[/i]

            And in relation to what I said up above, they don't know any better.

            [i]anti-competitive activities: This happened over 10 years ago. Time to give it a rest.[/i]

            The EEC hasn't given it a rest and I doubt the Obama Administration will either. The situation and conditions that occurred 10 years ago, still exist today.

            [i]entering of silly licence keys: Most people obtain Windows as part of a new system purchase thus they never have to worry about this. For those who purchase retail it's an activity that takes all of a few seconds. Hardly a reason to switch.[/i]

            That's because the sheep have gotten used to it. They don't know any better.

            [i]all just to have a software platform that will be pulled from under your feet at Microsoft shareholders' whim: Has this ever happened?[/i]

            Ya never know. It's a pretty volatile marketplace out there. When you rely on only one vendor, one can be at their mercy any time they want to.
            Wintel BSOD
          • uh...

            [i]single vendor lock-in: Few people care about this.[/i]

            Only business people care about this. Oh, and people who have data they care about. I have a customer who told me horror stories about losing about several GB of digital photos he took himself on his home computer because Vista's DRM decided they were copyrighted and he wasn't allowed to copy them to a DVD. I didn't get the details, I just let him rant, but he told me this in response to my asking him if they were considering moving from XP to Win7.

            [i]anti-competitive activities: This happened over 10 years ago. Time to give it a rest.[/i]

            Again I must respectfully disagree. See http://www.vi411.org/2007/02/26/microsoft-anti-competitive-again.html and http://www.groklaw.net/article.php?story=20090421111327711 if you would like to understand why.
            914four
          • I call BS

            [i]I have a customer who told me horror stories about losing about several GB of digital photos he took himself on his home computer because Vista's DRM decided they were copyrighted and he wasn't allowed to copy them to a DVD.[/i]

            The true story was, he didn't bother to back up his pictures, and when his drive inevitably failed, he decided to blame MS and Vista rather than his own incompetence.

            Vista didn't add "DRM" to his pictures, that's ridiculous.
            rtk
          • @rtk Re: Rights

            The way I understood his situation (after discussing with a colleague who also heard the rant) was that he can show people the pictures on his computer, a tablet PC, and even use it as an electronic frame using the slideshow feature but he could not copy them to a USB key nor could he burn them to a DVD. He called the tablet vendor, and based on the error message he gave them they told him it was a DRM issue with the preloaded Vista Ultimate, or at least that is what he said to me and did not give him any suggestions on how to fix it.

            I didn't see the tablet nor did I ask any questions about it beyond if he had accidentally logged on as another user or guest, which he assured me he hadn't.

            If you have any suggestions I'd love to hear them, solving this issue for him would help me greatly in other ways.
            914four
          • @914four

            We'd probably have to see the exact error message he got.

            Either way, it's highly unlikely that DRM is/was the problem.
            rtk
          • @rtf

            My colleague says the message was along the lines of "You do not have permission to copy these files", which makes sense because that ties in with my question about being administrator, but he insisted that there was only his account on the machine. I'd rather not ask him for the exact error code as he got really worked up telling me about it and if I can't fix it I don't want to be associated with the problem. If there was a known issue or a settings website that I could point him to that would certainly help however.
            914four
          • do you own any stock?

            if not.

            be quiet.
            pcguy777
        • It'll solve the same thing your suggestion to ditch XP will.

          Only much more permanently.
          AzuMao
      • How about just ditching QUICKTIME.

        Seems to me that if you don't load quicktime there's no problem. Oh that's right. If you have an iPhone, iPod, iTouch, iTunes, iAnything iApple you are locked into using the bug ridden quicktime code. Guess I'm just lucky.
        Scubajrr