Microsoft warns about critical DirectShow vulnerability
Microsoft has found a critical vulnerability in the DirectX library for Quicktime video playback, and it appears that the flaw is now being actively exploited. The software giant has issued a security advisory which contains quite detailed information about the vulnerability.
The affected DirectShow filter is apparently not present in Windows Vista and Server 2008, which only leaves older platforms like Windows XP vulnerable to the problem. On vulnerable systems, however, an attacker can reportedly exploit the hole, even if the victim uses an alternative browser instead of Internet Explorer, as the multimedia extensions of other browsers also access the operating system's DirectX functionality. Installing Apple's Quicktime package does not solve the problem, either. The flaw can be triggered both through specially crafted web pages and directly via files that are associated, for example, with the Media Player.
In a blog entry, Microsoft's security experts recommend deleting the
registry key as the simplest and safest solution, which is also described in the security advisory. This prevents Quicktime from being parsed in the vulnerable Quartz.dll library. As an alternative, Microsoft had created a web page to immunise systems, however, at the time of writing, this Fix it page is undergoing maintenance.
Microsoft reveals its action plan with unusual clarity: developers are reportedly working on a patch which will be released as soon as investigations are completed. Whether this means that a patch will become available before the next Patch Tuesday on the 9th of June, remains to be seen.
- Vulnerability in Microsoft DirectShow Could Allow Remote Code Execution, Microsoft Security Advisory (971778).
- Help and Fix page from Microsoft.