QuickTime Vulnerability in DirectShow Discovered, Microsoft Announced
Redmond-based software developer Microsoft has announced that there is a remote code execution vulnerability affecting its DirectShow Platform when parsing QuickTime files. What this means is that if a person with malicious intent gets you to open a specially crafted QuickTime media file, then said person could perform remote code execution. At this time Microsoft has identified active but limited attacks. It must be noted that no Vista OS version is affected, only Windows 2000 SP4, XP and Server 2003.
The Microsoft Security Response Center issued a statement on the subject: “We’ve just released Microsoft Security Advisory 971778 today. This discusses a new vulnerability in Microsoft DirectShow affecting Windows 2000, Windows XP and Windows Server 2003 that is under limited attack. The advisory outlines information about the vulnerability and steps customers can take to protect themselves while we’re working on a security update to address the issue. Our investigation has shown that the vulnerable code was removed as part of our work building Windows Vista. This means that Windows Vista and versions of Windows since Windows Vista (Windows Server 2008, Windows 7) are not vulnerable.”
The vulnerability is to be found in the QuickTime parser in Microsoft DirectShow. For the attacker to exploit it, then he would have to create a malicious QuickTime and then post it online or attach it to outgoing emails. This is not a browser flaw, it is a quartz.dll flaw – the attacker could set up a malicious web page that uses media playback plug-ins which would allow the malicious QuickTime file to access the quartz.dll vulnerability. If you receive a malicious QuickTime file via email and you open it via Windows Media Player, the vulnerability could be triggered this way also.
Available workarounds:
1. Disable QuickTime parsing in quartz.dll by deleting this key:
HKEY_CLASSES_ROOTCLSID{D51BD5A0-7548-11CF-A520-0080C77EF58A}
2. Kill-bit WMP ActiveX Control
Set the following registry key to apply the killbit:
[HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerActiveX Compatibility{6BF52A52-394A-11D3-B153-00C04F79FAA6}]
"Compatibility Flags"=dword:00000400
3. Unregister/ACL quartz.dll
But according to the MSRC there is a simpler way to go about things: "we have found one workaround in particular that is simple and effective and protects against the vulnerability with limited impact. In fact, this particular workaround is simple enough that we’ve been able to give you a way to automatically implement the workaround with the click of a button. Our Customer Service and Support (CSS) group has a new capability called “ Fix it ” that can automatically apply simple solutions to your system. We’ve gone ahead and built a “Fix it” that implements the “Disable the parsing of QuickTime content in quartz.dll” registry change workaround. We have also built a "Fix it" that will undo the workaround automatically."
If you would like to read Microsoft’s Security Advisory 971778 “Vulnerability in Microsoft DirectShow Could Allow Remote Code Execution”, you can do so here.
The Knowledge Base article with the simple Fix It workaround is availabe here .
The Microsoft Security Response Center issued a statement on the subject: “We’ve just released Microsoft Security Advisory 971778 today. This discusses a new vulnerability in Microsoft DirectShow affecting Windows 2000, Windows XP and Windows Server 2003 that is under limited attack. The advisory outlines information about the vulnerability and steps customers can take to protect themselves while we’re working on a security update to address the issue. Our investigation has shown that the vulnerable code was removed as part of our work building Windows Vista. This means that Windows Vista and versions of Windows since Windows Vista (Windows Server 2008, Windows 7) are not vulnerable.”
The vulnerability is to be found in the QuickTime parser in Microsoft DirectShow. For the attacker to exploit it, then he would have to create a malicious QuickTime and then post it online or attach it to outgoing emails. This is not a browser flaw, it is a quartz.dll flaw – the attacker could set up a malicious web page that uses media playback plug-ins which would allow the malicious QuickTime file to access the quartz.dll vulnerability. If you receive a malicious QuickTime file via email and you open it via Windows Media Player, the vulnerability could be triggered this way also.
Available workarounds:
1. Disable QuickTime parsing in quartz.dll by deleting this key:
HKEY_CLASSES_ROOTCLSID{D51BD5A0-7548-11CF-A520-0080C77EF58A}
2. Kill-bit WMP ActiveX Control
Set the following registry key to apply the killbit:
[HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerActiveX Compatibility{6BF52A52-394A-11D3-B153-00C04F79FAA6}]
"Compatibility Flags"=dword:00000400
3. Unregister/ACL quartz.dll
But according to the MSRC there is a simpler way to go about things: "we have found one workaround in particular that is simple and effective and protects against the vulnerability with limited impact. In fact, this particular workaround is simple enough that we’ve been able to give you a way to automatically implement the workaround with the click of a button. Our Customer Service and Support (CSS) group has a new capability called “ Fix it ” that can automatically apply simple solutions to your system. We’ve gone ahead and built a “Fix it” that implements the “Disable the parsing of QuickTime content in quartz.dll” registry change workaround. We have also built a "Fix it" that will undo the workaround automatically."
If you would like to read Microsoft’s Security Advisory 971778 “Vulnerability in Microsoft DirectShow Could Allow Remote Code Execution”, you can do so here.
The Knowledge Base article with the simple Fix It workaround is availabe here .
