Wednesday, June 3, 2009

Microsoft warns of DirectX attacks

Microsoft warned users last week that attackers had begun using malicious QuickTime files to target a vulnerability in the way its DirectX library handles Apple's multimedia format.

The vulnerability — which affects Windows 2000 and XP, but not Windows Vista — allows an attacker to compromise the system with the rights of a user. In an advisory published on Thursday, Microsoft called the attacks "limited," a qualifier that frequents the software giant's warnings on security issues.

"While this isn’t a browser vulnerability, because the vulnerability is in DirectShow, a browser-based vector is potentially accessible through any browser using media plug-ins that use DirectShow," a member of Microsoft's Security Response Center stated on the group's blog. "Also, we’ve verified that it is possible to direct calls to DirectShow specifically, even if Apple’s QuickTime — which is not vulnerable — is installed."

The company is currently working on a fix for the vulnerability, the MSRC stated.

Microsoft has implemented a workaround for the vulnerability that can be automatically applied to affected Windows systems to "disable the parsing of QuickTime content in quartz.dll."


No comments: