Microsoft on Thursday said it is working on a security patch for a vulnerability in its DirectX streaming media technology in Windows. The flaw could allow someone to take complete control of a computer using a maliciously crafted QuickTime file.
The remote-code execution vulnerability exists in the way Microsoft DirectShow, audio and video sourcing and rendering software handles supported QuickTime format files, the company said.
"Microsoft is aware of limited, active attacks that use this exploit code," Microsoft's security advisory said. "If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."
Windows 2000 Service Pack 4, Windows XP, and Windows Server 2003 are vulnerable but all versions of Windows Vista and Windows Server 2008 are not vulnerable, according to the advisory.
For the attack to work, an attacker would have to lure the victim to visit a malicious website that hosts the exploit. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user.
Microsoft said it would release a patch to fix the hole as soon as it is ready for broad distribution. In the meantime, details on a workaround are available on Microsoft's support site, as well a 'fix it' button.
Talkback
This vulnerability involving a Direct X component of Microsoft’s Windows QuickTime Parser is facilitating current drive-by hacking incidents. It is reported that the vulnerability is automatically being activated without user intervention when a user simply browses a website that contains a maliciously crafted QuickTime file and can provide the hacker with complete control over the compromised PC.
Windows 2000, XP and Server 2003 users are at risk and as Vista and later versions of Windows do not use the vulnerable code “QuickTime Parser” they are not impacted.
Microsoft has taken a rather unique approach to the issue by setting up a Web link that can automatically make the necessary registry changes to facilitate a workaround until a patch is officially released.
Home users are encouraged to use the Microsoft automatic workaround solution & enterprise users should consider an immediate implementation of the managed deployment script in order to maximise risk mitigation until an official patch is released by Microsoft.