Find the perfect gift for everyone
Spyware, viruses, & security : Microsoft Security Advisory (971778)
- 5/28/09 10:08 PM
Microsoft Security Advisory (971778)
by Donna Buenaventura - 5/28/09 10:08 PM
Microsoft Security Advisory (971778)
Vulnerability in Microsoft DirectShow Could Allow Remote Code Execution
Microsoft is investigating new public reports of a new vulnerability in Microsoft DirectX. The vulnerability could allow remote code execution if user opened a specially crafted QuickTime media file. Microsoft is aware of limited, active attacks that use this exploit code. While our investigation is ongoing, our investigation so far has shown that Windows 2000 Service Pack 4, Windows XP, and Windows Server 2003 are vulnerable; all versions of Windows Vista and Windows Server 2008 are not vulnerable. Microsoft has activated its Software Security Incident Response Process (SSIRP) and is continuing to investigate this issue.
Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.
Workarounds
Microsoft has tested the following workarounds. Although these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified in the following section.
Disable the parsing of QuickTime content in quartz.dll
Modify the Access Control List (ACL) on quartz.dll
Unregister quartz.dll
For non-multimedia folder types, the Windows shell attack vector can be mitigated by using Windows Classic Folders
To let Microsoft apply a work-around for you, use the FixIt solution at http://support.microsoft.com/kb/971778
Affected:
Microsoft Windows Server 2003 Service Pack 1, when used with:
Microsoft Windows Server 2003, Standard Edition (32-bit x86)
Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
Microsoft Windows Server 2003, Web Edition
Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems
Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
Microsoft Windows Server 2003, Datacenter x64 Edition
Microsoft Windows Server 2003, Enterprise x64 Edition
Microsoft Windows Server 2003, Standard x64 Edition
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003 Service Pack 2, when used with:
Microsoft Windows Server 2003, Standard Edition (32-bit x86)
Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
Microsoft Windows Server 2003, Web Edition
Microsoft Windows Server 2003, Datacenter x64 Edition
Microsoft Windows Server 2003, Enterprise x64 Edition
Microsoft Windows Server 2003, Standard x64 Edition
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems
Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
Microsoft Windows XP Service Pack 2, when used with:
Microsoft Windows XP Home Edition
Microsoft Windows XP Professional
Microsoft Windows XP Service Pack 3, when used with:
Microsoft Windows XP Home Edition
Microsoft Windows XP Professional
Microsoft Windows 2000 Service Pack 4, when used with:
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Professional Edition
Microsoft Windows 2000 Server
More info: http://www.microsoft.com/technet/security/advisory/971778.mspx
NOTE: Vista and Windows 7 users are not affected
See also the Microsoft Security Response Center
by Donna Buenaventura - 5/28/09 10:12 PM
In reply to: Microsoft Security Advisory (971778) by Donna Buenaventura
FAQ on vulnerability in quartz.dll Quicktime parsing
by Donna Buenaventura - 6/5/09 10:27 AM
In reply to: Microsoft Security Advisory (971778) by Donna Buenaventura
If I have installed Apple’s QuickTime, am I safe?
Our investigation has found that the installation of Apple’s QuickTime does NOT mitigate this DirectShow’s vulnerability.
To be clear, whether you’ve installed Apple’s QuickTime or not, the vulnerability is in the Microsoft’s quartz.dll and it’s possible to craft an attack to call that DLL on the system regardless of whether Apple’s QuickTime is present.
Why is this a high risk vulnerability?
The vulnerability is in the DirectShow platform (quartz.dll). While the vulnerability is NOT in IE or other browsers, a browse-and-get-owned attack vector does exist here via the media playback plug-ins of browsers. The attacker could construct a malicious webpage which uses the media playback plug-ins to playback a malicious QuickTime file to reach the vulnerability in Quartz.dll. Please note this type of attack could happen for any browsers, not IE specific.
There is also a file-based attack vector by opening a malicious QuickTime file via Windows Media Player to trigger the vulnerability.
More in http://blogs.technet.com/srd/archive/2009/05/28/new-vulnerability-in-quicktime-parsing.aspx
| Forum legend: | |
 |
Locked thread |
 |
Moderator |
 |
CNET staff |
 |
Samsung staff |
 |
Norton Authorized Support team |
 |
AVG staff |
 |
Windows Outreach team |
 |
Dell staff |
 |
Intel staff |
%20-%20CNET%20Spyware,%20viruses,%20%26%20security%20Forums&srcUrl=http://forums.cnet.com/5208-6132_102-0.html?threadID%3D344334){kind=small}