Exploitation of Previously Unknown DirectShow Vulnerability Occurring
Russ Cooper, May 29th, 2009
Microsoft has announced that they have discovered a vulnerability in DirectShow. Exploitation of the vulnerability could allow a criminal to run code of their choice in the victim’s security context simply by the victim browsing to a website while allowing scripts to run. The browser being used doesn’t matter provided it allows scripting. Microsoft is aware of limited attacks in the wild. Patches are being developed.
All versions of Windows are vulnerable, except Vista and Server 2008. It is worth noting that DirectShow was patched for similar vulnerabilities in April 2009, and previously in December of 2007. Neither of those vulnerabilities was ever significantly exploited.
The most direct method to prevent an attack is either to disable scripting or to remove the binding between DirectShow and the QuickTime Movie Parser filter. Deleting the registry key:
HKEY_CLASSES_ROOT\CLSID\{D51BD5A0-7548-11CF-A520-0080C77EF58A}
will achieve this goal. Microsoft have discussed other ways to mitigate attacks. Microsoft have also provided clickable links in their KB article regarding this issue which will automatically, with your permission, remove or restore that registry entry.
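The registry change described above, as an added example (not from the original post or from Microsoft's KB article): a PowerShell script that reports whether the key is present, exports it before deleting it, and re-imports it once a patch is installed. The action names and the `$BackupFile` path are assumptions; the script assumes PowerShell 2.0 or later, uses only the stock `reg.exe` commands, and must be run from an elevated prompt.

```powershell
# Added example: back up, remove, or restore the CLSID key named in the article.
param(
    [ValidateSet('Status', 'Remove', 'Restore')]
    [string]$Action = 'Status',
    # Assumed backup location; change to suit your environment.
    [string]$BackupFile = "$env:SystemDrive\directshow-qt-parser-backup.reg"
)

$Key = 'HKEY_CLASSES_ROOT\CLSID\{D51BD5A0-7548-11CF-A520-0080C77EF58A}'

function Test-Key {
    # reg.exe query exits with 0 when the key exists and 1 when it does not.
    & reg.exe query $Key 2>&1 | Out-Null
    return ($LASTEXITCODE -eq 0)
}

switch ($Action) {
    'Status' {
        if (Test-Key) { 'Key present: binding in place (workaround not applied).' }
        else          { 'Key absent: binding removed (workaround applied).' }
    }
    'Remove' {
        if (-not (Test-Key)) { 'Key already absent; nothing to do.'; break }
        # Never overwrite an earlier backup: it may be the only good copy.
        if (Test-Path $BackupFile) { throw "Backup already exists at $BackupFile" }
        & reg.exe export $Key $BackupFile | Out-Null
        if ($LASTEXITCODE -ne 0 -or -not (Test-Path $BackupFile)) {
            throw 'Export failed; key left untouched.'
        }
        & reg.exe delete $Key /f | Out-Null
        if ($LASTEXITCODE -ne 0) { throw 'Delete failed; is the prompt elevated?' }
        "Key removed. Backup saved to $BackupFile"
    }
    'Restore' {
        if (-not (Test-Path $BackupFile)) { throw "No backup found at $BackupFile" }
        & reg.exe import $BackupFile 2>&1 | Out-Null
        if ($LASTEXITCODE -ne 0 -or -not (Test-Key)) { throw 'Import failed.' }
        'Key restored from backup.'
    }
}
```

Run it with `-Action Status` before and after the change to confirm the state of each machine.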
Microsoft is actively working on a patch. While this issue might normally warrant an Out of Cycle patch from them, it is unlikely given Patch Tuesday is only nine days off. Taking nine days to instrument and test a patch is not unreasonable. We would expect, however, an OOC patch to be released if the number of sites using the attack significantly increases, so we’ll be watching for that.

Great article. Very timely considering the impending risk.
Posted by: Neil Walberg on June 1st, 2009 at 2:13 pm
Very informative.