Thursday, May 28, 2009

Microsoft DirectShow Vulnerability Announced

Microsoft has announced, via a security advisory, a blog post, and other channels, that it is working on a fix for a vulnerability in the QuickTime parser in Microsoft DirectShow.

Attackers could deliver a specially crafted video file, either by email or by posting it on a web site, and use the file to exploit the vulnerability and take complete control of your computer.

Microsoft reports limited attacks so far, and notes that the flaw affects Windows 2000, Windows XP, and Windows Server 2003. Vista and Server 2008 are not impacted.

At least three workarounds are available. If you're in the habit of watching online video, or have the preview pane enabled in your mail reader, you'd be wise to implement one of the workarounds until a patch is released.

The bad news is that certain browser plug-ins could be attack vectors, and it's possible to call DirectShow directly even if QuickTime is installed. QuickTime itself is NOT vulnerable.
