Microsoft to patch new DirectX hole

Microsoft on Thursday said it is working on a security patch for a vulnerability in its DirectX streaming media technology in Windows that could allow someone to take complete control of a computer using a maliciously crafted QuickTime file.

Microsoft offers an easy way to enable a workaround for the latest security hole in DirectX.

(Credit: Microsoft)

The remote code execution vulnerability exists in the way Microsoft DirectShow, audio and video sourcing and rendering software, handles supported QuickTime format files, the company said.

"Microsoft is aware of limited, active attacks that use this exploit code," Microsoft's security advisory said. "If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."

Windows 2000 Service Pack 4, Windows XP, and Windows Server 2003 are vulnerable but all versions of Windows Vista and Windows Server 2008 are not vulnerable, according to the advisory.

For the attack to work an attacker would have to lure the victim to visit a malicious Web site that hosts the exploit. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user.

Microsoft said it would release a patch to fix the hole as soon as it is ready for broad distribution. In the meantime, details on a workaround are available here, as well a "fix it" button.

[Vegaman_Dan]

An Apple Quicktime file is the exploit vector to compromise a Windows system. Oh my, the fanboys are going to just have all sorts of fun with this one spinning back and forth.

Let the flamewars begin- I have marshmellows.

[rhsc]

We've been calling it the quicktime virus for years

[01Phyxius]

@rhsc:
It's a pretty well known fact that QuickTime on windows needs to die. However, having said that, I'd like to see what the Mac fanboys are going to say about it.

[Seaspray0]

Ever since quicktime started loading other software, it was removed from my computers. So far, I haven't run into any circumstances where I needed it.

[monkeyfun14]

Quicktime is the IE of media players

[shellcodes_coder]

This hole can only be exploited if you have CrApple SlowTime aka BloatTime installed and I don't have any crap wares from CrApple installed and will neither install

[catbutt5]

The exploit does not affect QuickTime - the player. It affects MS DirectShow when opening a malicious file masquerading as a QuickTime file. That's why MS is fixing it... not Apple.

Note: You don't have to have QuickTime installed to be affected.

[Seaspray0]

@catbutt5. Files are opened according to what application is associated with the extension. If you have quicktime loaded, quicktime files will be loaded by quicktime.

[damesJ]

hahahaha i think its funny how everyone gets so defensive over a stupid hole. every operating system has bugs and holes. as long as apple and microsoft fix them who cares?

[monkeyfun14]

This doesn't affect Vista so im good.

[B-Ri]

MS will fail to patch the real hole that is responsible since that is the one that is sitting in front of the computer. But this is yet another answer for all those who say that they have no reason to upgrade to Vista or 7.

Apple good, Quicktime not so.

[Vegaman_Dan]

If it were not for movie trailers released in Quicktime format, would it even be still around?

I had to think about what Quicktime is used for these days and ... .yeah. Most people have moved on to YouTube or other services.

is it time for Quicktime to go away?

[mnl1121]

Alls I have to say is +1 for Vista!

[howardisme]

http://news.cnet.com/8301-1009_3-10251544-83.html?part=rss&subj=news&tag=2547-1009_3-0-20, the fix it diaogue box does not work. No links!

[fdunn3]

Microsoft is not doing anyone a service by patching the Directshow flaw. It is obvious that it is of no value and just another vector to be compromised otherwise MS would have continued DirectShow support for QT files beyond Windows XP, which they did not.

I don't understand the rational behind fixing DirectShow and contuing to support the file class. They should just remove it from the DirectShow supported filetypes and leave it at that.

If anybody wants to play a QT file then let them install QuickTime and keep it updated.

I think this is a very bad move on MSs side.