Kudos1 Stats

In-the-Wild DirectX, DirectShow and QuickTime Attacks

Microsoft has Released an Out-of-Cycle Security Bulletin and Workarounds that Address a Serious Flaw Affecting Microsoft DirectX. DirectShow is prone to a Vulnerability that can lead to Code Execution when a Specially-Crafted QuickTime Media File is Viewed. This Vulnerability is being Exploited In-the-Wild in Limited Attacks.

For more information, see the following:

New Vulnerability in quartz.dll Quicktime Parsing:
http://blogs.technet.com/srd/archive/2009/05/28/new-vulnerability-in-quicktime-parsing.aspx.

Microsoft Security Advisory (971778):
Vulnerability in Microsoft DirectShow Could Allow Remote Code Execution: http://www.microsoft.com/technet/security/advisory/971778.mspx.

Thursday, November 21, 2013: The THREATCON was changed to Level 1: Normal | Tue., Nov. 05, 2013: Zero-Day Vulnerability: Microsoft Security Advisory 2896666 | Saturday, November 09, 2013: Cyber-Criminals Serve Up A Veritable Smorgasbord Of Threats For South Koreans | Wednesday, October 09, 2013: New Internet Explorer Zero-Day Targeted In Attacks Against Korea And Japan [C.V.E.-2013-3897]

Replies

Kudos0

Re: In-the-Wild DirectX, DirectShow and QuickTime Attacks

Why has the Symantec Internet Threat Meter not been Updated with this Information?

Kudos0

Re: In-the-Wild DirectX, DirectShow and QuickTime Attacks

Thanks again Floating
"All that we are is the result of what we have thought"
Kudos0

Re: In-the-Wild DirectX, DirectShow and QuickTime Attacks

To All Users who have not Applied the Workarounds: Please do so as soon as possible.  And let Family and Friends know!

Message Edited by Floating_Red on 05-29-2009 11:25 PM
Kudos4 Stats

Re: In-the-Wild DirectX, DirectShow and QuickTime Attacks

Microsoft has made implementing the workarounds easy, even for the computer-challenged, by offering a "fix-it" button that will run a wizard to effect the necessary registry changes.  It can be found at this Microsoft Security Advisory page.

Kudos0

Re: In-the-Wild DirectX, DirectShow and QuickTime Attacks

Hi all -

Just a tidbit from Microsoft -


"Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs."


In other words, expect the fix to be pushed out automatically on Windows Update.

Cheers

Compumind
NIS 2009, XP-SP3, Vista-SP2, IE 8
Kudos0

Re: In-the-Wild DirectX, DirectShow and QuickTime Attacks

Thanks for the instant push button link, SOJ, that really helps.  Thanks for the heads up, Red.
"Under certain circumstances profanity provides relief denied even to prayer." - Mark Twain
Kudos0

Re: In-the-Wild DirectX, DirectShow and QuickTime Attacks

Be very careful about one of the workarounds offered by Microsoft.  I chose the command line option of modifying quartz.dll.

I did this last night.

This morning I got a MS Update ready-to-install message for KB961373.

I let it install in the background.

Then two minutes later I got the same message again.

This time I watched the install.  Unsuccessful!

And again.

I won't drag you through everything I tried, one of which was uninstalling KB961373 using ADD/REMOVE.  It had been installed back in April; but I uninstalled it, hoping that the new install would take, which it didn't.

Finally, I worked out after looking at info on this item that it was related to Quartz.dll, which is what the current workaround I had applied was dealing with.

Using the undo option on the same MS page, I was then able to have a successful installation of KB961373 and my heart's pounding is greatly reduced.

Once I am calm enough, I may try the buttons option given in a later post by SOJ.

Sheesh.

mij
N360 2013, v.20.1.0.24; Win7 Pro, SP1 (32 bit), IE 9, Firefox 14, No other active securityware
Kudos0

Re: In-the-Wild DirectX, DirectShow and QuickTime Attacks

Interesting observation:

I tried the "Fix It" button to enable the workaround and it failed to make any registry changes. Also, I was still able to view Quicktime movies.

Thanks to mijcar posting his experience, I don't think I'll take command line route. 

Anyone else have success with it?

"Anyone who isn't confused really doesn't understand the situation."   Edward R. Murrow
Kudos0

Re: In-the-Wild DirectX, DirectShow and QuickTime Attacks

Phil,

There are several workarounds.  The one the "fix it" button implements deletes the following registry key in 32-bit systems:

HKEY_CLASSES_ROOT\CLSID\{D51BD5A0-7548-11CF-A520-0080C77EF58A}

Copy and paste this into regedit's "find" field, and if the search comes up empty, the fix worked.

I believe you are still able to view Quicktime movies because this only affects the vulnerability in DirectShow, at least as I understand this explanation of the fix in this Technet blog:

#1: Disable Quick Time Parsing in Quartz.dll by deleting the following registry key:
HKEY_CLASSES_ROOT\CLSID\{D51BD5A0-7548-11CF-A520-0080C77EF58A}

This is the best workaround because it's the most surgical. It only disables QuickTime Parsing in DirectShow. DirectShow's other functionality is not affected. This workaround covers all known attack vectors. Therefore, if you are not concerned about QuickTime content playback via DirectShow, this is the workaround we recommend you apply.

But I did have some trouble running the wizard online as it reported it could not find a necessary file it had placed in a temp folder on my machine.  I had to save the fix to my hard drive and then run it.  So it was not without glitch.

Kudos1 Stats

Re: In-the-Wild DirectX, DirectShow and QuickTime Attacks

Yes, that is the registry key I was referring to. It was not deleted nor modified. It was still present.  And, I did Save the fix as opposed to running it online.

According to the MS Security Advisory: Impact of workaround. QuickTime content playback will be disabled.

You may be right about the DirectShow aspect of this, but since the registry key was not deleted, I can't test it.

The other two workarounds (Modify ACL and Unregister quartz.dll) are not satisfactory as the impact listed indicates inability of WMP to play .AVI or .WAV files.

I may have to go for the manual deletion. Probably tomorrow; I don't feel like any headaches tonight!

Message Edited by Phil_D on 05-31-2009 12:01 AM
"Anyone who isn't confused really doesn't understand the situation."   Edward R. Murrow
Kudos0

Re: In-the-Wild DirectX, DirectShow and QuickTime Attacks

Interesting, indeed, then.  So it ran but nothing happened?  Hm.
Kudos0

Re: In-the-Wild DirectX, DirectShow and QuickTime Attacks

I tried to find it in regedit but it came up empty.  I looked for it manually, and it was still there but with a "_backup" at the end of the number. It must just disable it and hold it for the undo button.
"Under certain circumstances profanity provides relief denied even to prayer." - Mark Twain
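A read-only check for the state of workaround #1, added here as an example for this thread; it is not code from the thread, from Microsoft's Fix-It wizard, or from Symantec. It tells apart the three states reported in the posts above: the CLSID key still present (workaround not applied), the key renamed with a "_backup" suffix (what the Fix-It button does, which is why a regedit search for the exact CLSID comes up empty even though the parser is parked rather than deleted), and the key gone (deleted manually). Assumptions, since the thread does not state them: the renamed key is exactly the CLSID followed by "_backup" with no space, and on 64-bit Windows the 32-bit view under Wow6432Node is checked as well. Run it from an elevated PowerShell prompt; it changes nothing.

```powershell
# Added example, not from the thread, from Microsoft, or from Symantec.
# Reports whether workaround #1 from Microsoft Security Advisory 971778
# (disable QuickTime parsing in quartz.dll) is in effect, by inspecting the
# QuickTime parser CLSID named in the thread. Read-only: nothing is modified.
# Assumptions: the Fix-It rename is "<CLSID>_backup" with no leading space;
# on 64-bit Windows the 32-bit view under Wow6432Node is checked too (the
# thread only discusses 32-bit systems).

$Clsid = '{D51BD5A0-7548-11CF-A520-0080C77EF58A}'   # QuickTime parser, from the thread

function Get-QuickTimeParserState {
    param(
        # Registry view to inspect: native CLSID hive, or the 32-bit view on x64.
        [ValidateSet('Native', 'Wow6432Node')]
        [string]$View = 'Native'
    )

    $base = if ($View -eq 'Wow6432Node') {
        'Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID'
    } else {
        'Registry::HKEY_CLASSES_ROOT\CLSID'
    }
    $keyPath    = "$base\$Clsid"
    $backupPath = "$base\${Clsid}_backup"   # assumed name used by the Fix-It rename

    $server = $null
    if (-not (Test-Path -LiteralPath $base)) {
        $state = 'ViewMissing'  # e.g. Wow6432Node on a 32-bit install
    } elseif (Test-Path -LiteralPath $keyPath) {
        # Confirm this really is the quartz.dll parser and not an unrelated COM object.
        $inproc = "$keyPath\InprocServer32"
        if (Test-Path -LiteralPath $inproc) {
            $server = (Get-ItemProperty -LiteralPath $inproc).'(default)'
        }
        $state = 'Present'      # workaround NOT applied: parser still registered
    } elseif (Test-Path -LiteralPath $backupPath) {
        $state = 'Renamed'      # Fix-It applied: key parked for the undo button
    } else {
        $state = 'Absent'       # key deleted manually
    }

    [pscustomobject]@{
        View              = $View
        Key               = $keyPath
        State             = $state
        WorkaroundApplied = (@('Renamed', 'Absent') -contains $state)
        InprocServer32    = $server
    }
}

# Report both views; on 32-bit Windows the Wow6432Node row reads 'ViewMissing'.
$report = foreach ($v in 'Native', 'Wow6432Node') { Get-QuickTimeParserState -View $v }
$report | Format-Table -AutoSize

if ($report | Where-Object { $_.State -eq 'Present' }) {
    Write-Warning 'QuickTime parsing in DirectShow is still enabled in at least one registry view.'
}
```

The InprocServer32 column is there so a "Present" result can be confirmed to point at quartz.dll before anyone concludes the workaround is missing; a "Renamed" result matches what the Fix-It button leaves behind, and the undo button is what restores it.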
Kudos0

Re: In-the-Wild DirectX, DirectShow and QuickTime Attacks

Please Apply the Work-arounds as soon as you can as Current Malicious Activity is Elevated and as such, the Symantec ThreatCon has been Raised to Level 02: Elevated on Tuesday, June 09, 2009.

Message Edited by Floating_Red on 06-09-2009 05:22 PM
Message Edited by Floating_Red on 06-09-2009 05:55 PM
Kudos0

Re: In-the-Wild DirectX, DirectShow and QuickTime Attacks

Microsoft DirectX DirectShow Size Field Remote Code Execution Vulnerability: http://www.symantec.com/business/security_response/vulnerability.jsp?bid=35616.

_____________________________________

Microsoft have Released a Security Update to Address this Issue on Tuesday, July 14, 2009.

Microsoft Security Bulletin M.S.09-028 - Critical:

Vulnerabilities in Microsoft DirectShow Could Allow Remote Code Execution (971633):

http://www.microsoft.com/technet/security/Bulletin/MS09-028.mspx.

Message Edited by Floating_Red on 07-14-2009 11:50 PM