MS-ISAC ADVISORY NUMBER:
2009-031
DATE(S) ISSUED:
5/29/2009
SUBJECT:
Vulnerability in Microsoft DirectX Could Allow Remote Code Execution
OVERVIEW:
A vulnerability has been discovered in Microsoft DirectX that could allow a remote attacker to take complete control of a vulnerable system. DirectX is an application within Microsoft Windows used to stream various types of media and enables graphics and sound when playing games or watching video. Successful exploitation could allow an attacker to gain the same privileges as the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Currently, there are no patches available for this vulnerability and there are reports of targeted attacks exploiting this issue on the Internet.
SYSTEMS AFFECTED:
- DirectX 7.0 on Microsoft Windows 2000 Service Pack 4
- DirectX 8.1 on Microsoft Windows 2000 Service Pack 4
- DirectX 9.0, 9.0a, 9.0b, 9.0c on Microsoft Windows 2000 Service Pack 4
- DirectX 9.0, 9.0a, 9.0b, 9.0c on Windows XP Service Pack 2 and Windows XP Service Pack 3
- DirectX 9.0, 9.0a, 9.0b, 9.0c on Windows XP Professional x64 Edition Service Pack 2
- DirectX 9.0, 9.0a, 9.0b, 9.0c on Windows Server 2003 Service Pack 2
- DirectX 9.0, 9.0a, 9.0b, 9.0c on Windows Server 2003 x64 Edition Service Pack 2
- DirectX 9.0, 9.0a, 9.0b, 9.0c on Windows Server 2003 with SP2 for Itanium-based Systems
RISK:
Government:
- Large and medium government entities: High
- Small government entities: High
Businesses:
- Large and medium business entities: High
- Small business entities: High
Home users: High
DESCRIPTION:
A vulnerability has been discovered in a component of Microsoft DirectX, named DirectShow. DirectShow is a component of Windows that enables applications to capture and play back a wide variety of audio/video inputs and formats. This vulnerability occurs when DirectShow attempts to process specially crafted QuickTime-formatted media files. The vulnerable portion of the code was removed during the development of Vista; therefore, Windows Server 2008 and Windows Vista are not vulnerable. This vulnerability may be exploited if a user visits a web page containing a specially crafted QuickTime media file. Additionally, a specially crafted QuickTime file received as an attachment in an email may trigger the vulnerability when opened. Successful exploitation may result in an attacker gaining user-level privileges. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Microsoft has recommended three workarounds, each of which has a different level of impact. The first is to disable QuickTime parsing via DirectX. This is the Microsoft-recommended method, as it still allows Windows Media Player to play other media and only stops QuickTime from playing. The second is to set the kill bit for the Windows Media Player (WMP) ActiveX control. This will mitigate current attacks against Internet Explorer, but does not provide protection against other attack vectors. The third is to unregister quartz.dll or restrict access to it with an ACL. This method provides the same level of protection as the first method. However, there is a greater impact on use, as all media files will fail to play in applications (i.e., Internet Explorer, Windows Media Player) which use DirectX.
There are confirmed reports that this vulnerability is being used for specific targeted attacks. More widespread exploitation may occur when additional details regarding this vulnerability become available.
There is no patch available at this time.
RECOMMENDATIONS:
We recommend the following actions be taken:
- After testing, apply the appropriate patch provided by Microsoft to vulnerable systems as soon as it becomes available. Consider applying the workarounds that are provided by Microsoft. http://support.microsoft.com/kb/971778
- Do not visit untrusted websites or follow links provided by unknown or untrusted sources.
- Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
- Ensure that all anti-virus software is up to date with the latest signatures.
- Consider blocking QuickTime media at your proxy server and email gateways.
- Do not open email attachments from unknown or untrusted sources.
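For the recommendation to block QuickTime media at proxy servers and email gateways, the following added example (not part of the original advisory or of any Microsoft guidance) shows a filter decision that checks file structure as well as extension and declared content type, so a renamed QuickTime file is still caught. The function names, the extension and MIME lists, and the signature heuristic (an `ftyp` atom carrying the `qt  ` brand, or classic top-level atom names) are assumptions for illustration.

```python
import struct

# Atom types that open classic QuickTime movies written without 'ftyp'.
LEGACY_TOP_LEVEL = {b"moov", b"mdat", b"wide", b"free", b"skip", b"pnot"}

def walk_atoms(data):
    """Yield (type, payload) for the leading top-level atoms of a buffer."""
    offset = 0
    while offset + 8 <= len(data):
        size, kind = struct.unpack_from(">I4s", data, offset)
        header = 8
        if size == 1 and offset + 16 <= len(data):  # 64-bit extended size
            (size,) = struct.unpack_from(">Q", data, offset + 8)
            header = 16
        elif size == 0:                             # atom runs to end of file
            size = len(data) - offset
        if size < header:        # malformed or truncated length: stop
            return
        yield kind, data[offset + header:offset + size]
        offset += size

def looks_like_quicktime(data):
    """Classify by structure, so a renamed file is still recognised."""
    seen = []
    for kind, payload in walk_atoms(data):
        if kind == b"ftyp" and not seen:
            # major brand at 0, minor version at 4, compatible brands from 8
            brands = {payload[i:i + 4] for i in (0, *range(8, len(payload) - 3, 4))}
            return b"qt  " in brands
        if kind not in LEGACY_TOP_LEVEL:
            break
        seen.append(kind)
    return b"moov" in seen or b"mdat" in seen

def block_reason(filename, content_type, data):
    """Return why a gateway should block the object, or None to allow it."""
    if filename.lower().endswith((".mov", ".qt")):
        return "extension"
    if content_type.split(";")[0].strip().lower() == "video/quicktime":
        return "content-type"
    return "content" if looks_like_quicktime(data) else None

def atom(kind, payload=b""):  # builds the constructed samples below
    return struct.pack(">I4s", 8 + len(payload), kind) + payload
# Constructed sample buffers, not real media.
SAMPLE_QT = atom(b"ftyp", b"qt  " + bytes(4) + b"qt  ") + atom(b"moov", bytes(8))
SAMPLE_LEGACY = atom(b"wide") + atom(b"mdat", bytes(16))
SAMPLE_MP4 = atom(b"ftyp", b"isom" + bytes(4) + b"isommp41")
```

Only the first bytes of an object are needed for the content check, so it can run on the buffered head of a download or attachment.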
REFERENCES:
Microsoft:
http://www.microsoft.com/technet/security/advisory/971778.mspx
http://support.microsoft.com/kb/971778
http://blogs.technet.com/msrc/archive/2009/05/28/microsoft-security-advisory-971778-vulnerability-in-microsoft-directshow-released.aspx
http://blogs.technet.com/srd/archive/2009/05/28/new-vulnerability-in-quicktime-parsing.aspx
Security Focus:
http://www.securityfocus.com/bid/35139
CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1537
Secunia:
http://secunia.com/advisories/35268/
This cyber advisory was issued by the Multi-State Information Sharing and Analysis Center (MS-ISAC) and was intended for government entities. The information may or may not be applicable to the general public and accordingly, the MS-ISAC does not warrant its use for any specific purposes.
