IMPACT ASSESSMENT:
This risk is high. Successfully exploiting this issue allows remote attackers to execute arbitrary code in the context of the user running the application that uses DirectX.
[***** Start CVE-2009-1537 *****]
Discussion:
Microsoft DirectX is prone to a remote code-execution vulnerability because the DirectShow component fails to properly
handle QuickTime media files. The vulnerability could allow remote code execution if a user opened a specially crafted
QuickTime media file. Successfully exploiting this issue allows remote attackers to execute arbitrary code in the context
of the user running the application that uses DirectX. Failed exploit attempts will result in a denial-of-service condition.
The high-risk vulnerability is in the DirectShow platform (quartz.dll). While the vulnerability is NOT in IE or other
browsers, a browse-and-get-owned attack vector does exist via the media playback plug-ins of browsers. An attacker could
construct a malicious web page that uses a media playback plug-in to play back a malicious QuickTime file and so reach the
vulnerability in quartz.dll. Note that this type of attack is possible in any browser; it is not specific to IE.
There is also a file-based attack vector: opening a malicious QuickTime file in Windows Media Player triggers the
vulnerability.
Vulnerable:
DirectX 7.0 on Microsoft Windows 2000 Service Pack 4
DirectX 8.1 on Microsoft Windows 2000 Service Pack 4
DirectX 9.0x on Microsoft Windows 2000 Service Pack 4
DirectX 9.0x on Microsoft Windows XP Service Pack 2
DirectX 9.0x on Microsoft Windows XP Service Pack 3
DirectX 9.0x on Microsoft Windows XP Professional x64 Edition Service Pack 2
DirectX 9.0x on Microsoft Windows Server 2003 Service Pack 2
DirectX 9.0x on Microsoft Windows Server 2003 x64 Edition Service Pack 2
DirectX 9.0x on Microsoft Windows Server 2003 SP2 (Itanium)
Solution:
Currently Microsoft has not released any vendor-supplied patches for this vulnerability. Microsoft's investigation is
ongoing. In its advisory, Microsoft has indicated that a patch will be produced for this issue but has given no timescale.
Workarounds are available, reference link below:
http://blogs.technet.com/srd/archive/2009/05/28/new-vulnerability-in-quicktime-parsing.aspx
#1: Disable QuickTime parsing in quartz.dll by deleting the following registry key:
HKEY_CLASSES_ROOT\CLSID\{D51BD5A0-7548-11CF-A520-0080C77EF58A}
This is the best workaround because it's the most surgical. It only disables QuickTime Parsing in DirectShow. DirectShow's
other functionality is not affected. This workaround covers all known attack vectors. Therefore, if you are not concerned
about QuickTime content playback via DirectShow, this is the workaround we recommend you apply.
#2: Kill-bit WMP ActiveX Control
If you are using IE, this helps mitigate current attacks we have seen in the wild. You can set the following registry key
to apply the killbit:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{6BF52A52-394A-11D3-B153-00C04F79FAA6}]
"Compatibility Flags"=dword:00000400
The advantage of this workaround is that it still allows you to use Windows Media Player (or other applications) to
playback QuickTime content via DirectShow. The disadvantage is that it only protects against the current attacks we see
that use IE. Other attack vectors are not covered. For example, it won't protect other browsers.
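The following PowerShell script is an added example, not part of the DOE-CIRC advisory or of Microsoft's guidance: it audits whether the two workarounds above are in place on a host, and optionally applies them. It assumes an elevated PowerShell 2.0 or later session and uses only the CLSIDs and the "Compatibility Flags" value quoted in the advisory.

```powershell
# Audit (and optionally apply) the CVE-2009-1537 workarounds described in the advisory.
# Assumptions: elevated session; PowerShell 2.0+; CLSIDs and kill-bit value as quoted above.
param([switch]$Apply)

$QuickTimeParserKey = 'Registry::HKEY_CLASSES_ROOT\CLSID\{D51BD5A0-7548-11CF-A520-0080C77EF58A}'
$WmpKillBitKey      = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{6BF52A52-394A-11D3-B153-00C04F79FAA6}'
$KillBit            = 0x400   # "Compatibility Flags" kill-bit value from workaround #2

function Test-QuickTimeParsingDisabled {
    # Workaround #1 is in place once the QuickTime parser CLSID key no longer exists.
    return (-not (Test-Path -LiteralPath $QuickTimeParserKey))
}

function Test-WmpKillBitSet {
    # Workaround #2 is in place when bit 0x400 is set in "Compatibility Flags".
    if (-not (Test-Path -LiteralPath $WmpKillBitKey)) { return $false }
    $flags = (Get-ItemProperty -LiteralPath $WmpKillBitKey -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $flags) { return $false }
    return (($flags -band $KillBit) -ne 0)
}

# Per the advisory, Windows Vista and Server 2008 (NT 6.0 and later) are not affected.
$os = [Environment]::OSVersion.Version
if ($os.Major -ge 6) {
    Write-Output "Windows $os is not affected by CVE-2009-1537; no workaround needed."
    return
}

if ($Apply) {
    if (-not (Test-QuickTimeParsingDisabled)) {
        # Export the key first so the workaround can be reversed once a patch ships.
        $backup = Join-Path $env:TEMP 'quicktime_clsid_backup.reg'
        if (Test-Path -LiteralPath $backup) { Remove-Item -LiteralPath $backup -Force }
        & reg.exe export 'HKCR\CLSID\{D51BD5A0-7548-11CF-A520-0080C77EF58A}' $backup | Out-Null
        Remove-Item -LiteralPath $QuickTimeParserKey -Recurse -Force
    }
    if (-not (Test-Path -LiteralPath $WmpKillBitKey)) { New-Item -Path $WmpKillBitKey -Force | Out-Null }
    $current = (Get-ItemProperty -LiteralPath $WmpKillBitKey -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $current) { $current = 0 }
    # OR the kill bit in rather than overwriting, to preserve any other flags already set.
    Set-ItemProperty -LiteralPath $WmpKillBitKey -Name 'Compatibility Flags' -Value ($current -bor $KillBit) -Type DWord
}

New-Object PSObject -Property @{
    QuickTimeParsingDisabled = Test-QuickTimeParsingDisabled
    WmpActiveXKillBitSet     = Test-WmpKillBitSet
}
```

Run without `-Apply` to report the state of both workarounds; with `-Apply` the script backs up the parser CLSID key to %TEMP% before deleting it and sets the kill bit, matching the two registry changes listed above.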
Mitigating Factors:
-In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit
this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would
have to convince them to visit the Web site, typically by getting them to click a link that takes them to the attacker's
Web site. After they click the link, they would be prompted to perform several actions. An attack could only occur after
they performed these actions.
-An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose
accounts are configured to have fewer user rights on the system could be less impacted than users who operate with
administrative user rights.
-No version of Windows Vista or Windows Server 2008 is affected by this issue.
[***** End CVE-2009-1537 *****]
DOE-CIRC services are available to DOE, DOE contractors, and the NIH.
DOE-CIRC can be contacted at:
Voice: 866-941-2472
E-mail: doecirc@doecirc.energy.gov
World Wide Web: http://www.doecirc.energy.gov
UCRL-MI-119788