Microsoft today warned that hackers are using rigged QuickTime media files to exploit an unpatched vulnerability in DirectShow, the APIs used by Windows programs for multimedia support.
The company has activated its security response process to deal with the zero-day attacks has issued a pre-patch advisory with workarounds and a one-click “fix it” feature to enable the mitigations.
From the advisory:
Microsoft is aware of limited, active attacks that use this exploit code. While our investigation is ongoing, our investigation so far has shown that Windows 2000 Service Pack 4, Windows XP, and Windows Server 2003 are vulnerable; all versions of Windows Vista and Windows Server 2008 are not vulnerable.
An entry on the MSRC blog provides more details:
The vulnerability is in the QuickTime parser in Microsoft DirectShow. An attacker would try and exploit the vulnerability by crafting a specially formed video file and then posting it on a website or sending it as an attachment in e-mail. While this isn’t a browser vulnerability, because the vulnerability is in DirectShow, a browser-based vector is potentially accessible through any browser using media plug-ins that use DirectShow. Also, we’ve verified that it is possible to direct calls to DirectShow specifically, even if Apple’s QuickTime (which is not vulnerable) is installed.
Interestingly, the vulnerable component was removed from Windows Vista and later operating systems but is still available for use in the Microsoft Windows 2000, Windows XP, and Windows Server 2003 operating systems.
Vulnerable Windows users should immediately consider disabling QuickTime parsing to thwart attackers. This KB article provides fix-it button that automatically enables the workaround.
It also provides detailed instructions on using a managed script deployment for Windows shops.
Also see the Security Research and Defense blog for more information.