QUOTE
Thursday, May 28, 2009 12:46 PM by MSRCTEAM
Microsoft Security Advisory 971778 Vulnerability in Microsoft DirectShow Released
We’ve just released Microsoft Security Advisory 971778 today. This discusses a new vulnerability in Microsoft DirectShow affecting Windows 2000, Windows XP and Windows Server 2003 that is under limited attack. The advisory outlines information about the vulnerability and steps customers can take to protect themselves while we’re working on a security update to address the issue.
Our investigation has shown that the vulnerable code was removed as part of our work building Windows Vista. This means that Windows Vista and versions of Windows since Windows Vista (Windows Server 2008, Windows 7) are not vulnerable.
The vulnerability is in the QuickTime parser in Microsoft DirectShow. An attacker would try and exploit the vulnerability by crafting a specially formed video file and then posting it on a website or sending it as an attachment in e-mail. While this isn’t a browser vulnerability, because the vulnerability is in DirectShow, a browser-based vector is potentially accessible through any browser using media plug-ins that use DirectShow. Also, we’ve verified that it is possible to direct calls to DirectShow specifically, even if Apple’s QuickTime (which is not vulnerable) is installed.
Our investigation has found three workarounds that you can implement to protect yourself and we’ve documented these in the security advisory. In addition, we’ve got more technical details on the workarounds and the issue over at the Security Research and Defense (SRD) blog.
More about:
Microsoft TechNet Blog
Microsoft Security Advisory 971778 Vulnerability in Microsoft DirectShow Released
We’ve just released Microsoft Security Advisory 971778 today. This discusses a new vulnerability in Microsoft DirectShow affecting Windows 2000, Windows XP and Windows Server 2003 that is under limited attack. The advisory outlines information about the vulnerability and steps customers can take to protect themselves while we’re working on a security update to address the issue.
Our investigation has shown that the vulnerable code was removed as part of our work building Windows Vista. This means that Windows Vista and versions of Windows since Windows Vista (Windows Server 2008, Windows 7) are not vulnerable.
The vulnerability is in the QuickTime parser in Microsoft DirectShow. An attacker would try and exploit the vulnerability by crafting a specially formed video file and then posting it on a website or sending it as an attachment in e-mail. While this isn’t a browser vulnerability, because the vulnerability is in DirectShow, a browser-based vector is potentially accessible through any browser using media plug-ins that use DirectShow. Also, we’ve verified that it is possible to direct calls to DirectShow specifically, even if Apple’s QuickTime (which is not vulnerable) is installed.
Our investigation has found three workarounds that you can implement to protect yourself and we’ve documented these in the security advisory. In addition, we’ve got more technical details on the workarounds and the issue over at the Security Research and Defense (SRD) blog.
More about:
Microsoft TechNet Blog