• On The Insider: Britney's Bikini-Clad Top 10
advertisementGet Smart about Business Spending
May 28, 2009 2:24 PM PDT

Microsoft to patch new DirectX hole

by Elinor Mills

Microsoft on Thursday said it is working on a security patch for a vulnerability in its DirectX streaming media technology in Windows that could allow someone to take complete control of a computer using a maliciously crafted QuickTime file.

Microsoft offers an easy way to enable a workaround for the latest security hole in DirectX.

(Credit: Microsoft)

The remote code execution vulnerability exists in the way Microsoft DirectShow, audio and video sourcing and rendering software, handles supported QuickTime format files, the company said.

"Microsoft is aware of limited, active attacks that use this exploit code," Microsoft's security advisory said. "If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."

Windows 2000 Service Pack 4, Windows XP, and Windows Server 2003 are vulnerable but all versions of Windows Vista and Windows Server 2008 are not vulnerable, according to the advisory.

For the attack to work an attacker would have to lure the victim to visit a malicious Web site that hosts the exploit. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user.

Microsoft said it would release a patch to fix the hole as soon as it is ready for broad distribution. In the meantime, details on a workaround are available here, as well a "fix it" button.

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press. E-mail Elinor.
Topics:

News,

Vulnerabilities & attacks

Tags:

Microsoft

Share:
Digg
Del.icio.us
Reddit
advertisement
Click here!
Recent posts from Security
Apple security updates address domain spoofing and other attacks
Microsoft launches Forefront Protection 2010
'60 Minutes'--Cyberwar: Sabotaging the system
Microsoft to fix holes in Windows, Office
Google privacy controls: Most people won't care
Zero-day flaw found in Web encryption
Mac Game: Art project or malware?
Corporate bank accounts targeted in online fraud
Related
Critical Windows 7 holes fixed in record Patch Tuesday
From its glass house, Nvidia throws stones at AMD over Windows 7 support
Adobe fixes 28 holes in Reader and Acrobat
Time Warner home routers still open to attack, blogger says
Nvidia in the throes of remaking itself
Time Warner testing fix to hole in home router
Firefox 3.5.4 closes security holes
Phishing, worms spike this year, say Microsoft and McAfee
Add a Comment (Log in or register) (16 Comments)
  • prev
  • 1
  • next
by Vegaman_Dan May 28, 2009 2:56 PM PDT
An Apple Quicktime file is the exploit vector to compromise a Windows system. Oh my, the fanboys are going to just have all sorts of fun with this one spinning back and forth.

Let the flamewars begin- I have marshmellows.
Reply to this comment
by rhsc May 28, 2009 3:40 PM PDT
We've been calling it the quicktime virus for years
by 01Phyxius May 28, 2009 3:49 PM PDT
@rhsc:
It's a pretty well known fact that QuickTime on windows needs to die. However, having said that, I'd like to see what the Mac fanboys are going to say about it.
by Seaspray0 May 29, 2009 9:45 AM PDT
Ever since quicktime started loading other software, it was removed from my computers. So far, I haven't run into any circumstances where I needed it.
by monkeyfun14 May 28, 2009 3:47 PM PDT
Quicktime is the IE of media players
Reply to this comment
by shellcodes_coder May 28, 2009 5:10 PM PDT
This hole can only be exploited if you have CrApple SlowTime aka BloatTime installed and I don't have any crap wares from CrApple installed and will neither install
Reply to this comment
by catbutt5 May 29, 2009 12:43 AM PDT
The exploit does not affect QuickTime - the player. It affects MS DirectShow when opening a malicious file masquerading as a QuickTime file. That's why MS is fixing it... not Apple.

Note: You don't have to have QuickTime installed to be affected.
by Seaspray0 May 29, 2009 9:50 AM PDT
@catbutt5. Files are opened according to what application is associated with the extension. If you have quicktime loaded, quicktime files will be loaded by quicktime.
by damesJ May 28, 2009 5:17 PM PDT
hahahaha i think its funny how everyone gets so defensive over a stupid hole. every operating system has bugs and holes. as long as apple and microsoft fix them who cares?
Reply to this comment
by monkeyfun14 May 28, 2009 5:24 PM PDT
This doesn't affect Vista so im good.
Reply to this comment
by B-Ri May 28, 2009 6:10 PM PDT
MS will fail to patch the real hole that is responsible since that is the one that is sitting in front of the computer. But this is yet another answer for all those who say that they have no reason to upgrade to Vista or 7.
Reply to this comment
by May 29, 2009 6:59 AM PDT
Apple good, Quicktime not so.
Reply to this comment
by Vegaman_Dan May 29, 2009 9:09 AM PDT
If it were not for movie trailers released in Quicktime format, would it even be still around?

I had to think about what Quicktime is used for these days and ... .yeah. Most people have moved on to YouTube or other services.

is it time for Quicktime to go away?
by mnl1121 May 29, 2009 10:34 AM PDT
Alls I have to say is +1 for Vista!
Reply to this comment
by howardisme May 29, 2009 7:29 PM PDT
http://news.cnet.com/8301-1009_3-10251544-83.html?part=rss&subj=news&tag=2547-1009_3-0-20, the fix it diaogue box does not work. No links!
Reply to this comment
by fdunn3 June 3, 2009 4:50 AM PDT
Microsoft is not doing anyone a service by patching the Directshow flaw. It is obvious that it is of no value and just another vector to be compromised otherwise MS would have continued DirectShow support for QT files beyond Windows XP, which they did not.

I don't understand the rational behind fixing DirectShow and contuing to support the file class. They should just remove it from the DirectShow supported filetypes and leave it at that.

If anybody wants to play a QT file then let them install QuickTime and keep it updated.

I think this is a very bad move on MSs side.
Reply to this comment
(16 Comments)
  • prev
  • 1
  • next
advertisement

After 5 years, Firefox faces new challenges

Mozilla helped reshape the Web since releasing Firefox 1.0 five years ago. Now it's got a reawakened Microsoft and Google Chrome to reckon with.

There's a map for that: GPS or smartphone?

Almost every handset comes with mapping software these days, but standalone GPS devices are becoming more affordable than ever.

About Security

Online security is threatened by more than hacking and phishing attempts. Check here for the latest updates on software vulnerabilities, data leaks, and rapidly spreading viruses--and learn how to protect your systems.

Add this feed to your online news reader

Security topics

advertisement
advertisement

Inside CNET News

Scroll Left Scroll Right
News
News site map
Latest headlines
Contact News
News staff
Corrections
CNET blogs
Popular topics
Apple iPhone
Apple iPod
Cell phones
Dell
GPS
LCD TV
CNET sites
CNET Site map
CNET TV
Downloads
News
Reviews
Shopper.com
More information
Newsletters
CNET Mobile
Customer Help Center
RSS
CNET Widgets
About CNET