Microsoft is warning users to watch out for a new zero-day
This latest vulnerability threatens users of Windows 2000 Service Pack 4 (SP4), Windows XP and Windows Server 2003 with complete compromise of their systems.
However, so far the attacks are “limited,” according to a Microsoft (NASDAQ: MSFT) Security Advisory, issued Thursday afternoon.
To trigger an attack, all the user would have to do is click on a booby-trapped QuickTime media file, either via a link or an attachment in an e-mail or instant message, or through a malicious link on a Web site.
Microsoft played down the immediate danger, pointing out that, after invoking the poisoned media file, the user would still have to perform other actions that enable an attack.
“After they click the link, they would be prompted to perform several actions. An attack could only occur after they performed these actions,” the advisory said.
A successful attack, though, could result in complete compromise of the affected system.
Windows Vista, Windows Server 2008 and Windows 7 are not vulnerable to the problem. That may be little consolation for most users though, since XP runs on the vast majority of PCs worldwide.
At issue is a component of Windows called DirectX, which provides services such as streaming media under Windows. The zero-day was found within DirectX, in a technology called DirectShow, which provides programming hooks that enable Windows to “perform client-side audio and video sourcing, manipulation and rendering.”
A part of that — called the QuickTime Movie Parser filter — has the flaw. The parser divides Apple QuickTime files into two data streams, one for audio and the other for video. It’s an older technology that supports QuickTime 2.0 files and earlier.
The reason why newer systems do not have the flaw is that, from Vista on, they simply don’t include support for the outmoded technology. Systems running DirectX versions 7.0 through 9.0 are at risk.
As a temporary fix, Microsoft has posted both automated and manual workarounds for the vulnerability on its support Web site. The workaround disables QuickTime parsing on Windows 2000 through Windows Server 2003.