Microsoft Warns Of 'Browse-And-Get-Owned' DirectX Flaw

The flaw could allow a remote attacker to execute malicious code by convincing or duping a user to open a specially crafted QuickTime media file.

Thomas Claburn, Editor at Large, Enterprise Mobility

May 28, 2009

2 Min Read
Dark Reading logo in a gray background | Dark Reading

Microsoft on Thursday issued a security advisory stating that it's investigating reports of a vulnerability in Microsoft DirectX, the company's APIs for games and multimedia.

The company said that Windows 2000 Service Pack 4, Windows XP, and Windows Server 2003 are vulnerable and that Windows Vista and Windows Server 2008 are not vulnerable.

The flaw could allow a remote attacker to execute malicious code by convincing or duping a user to open a specially crafted QuickTime media file or to visit a Web page that features QuickTime media file of this sort.

The vulnerability is not in Apple's QuickTime media software or in Microsoft Internet Explorer browser; it's in the DirectShow platform (quartz.dll). Nonetheless, Web browsers -- Internet Explorer and others -- represent an avenue of potential infection for users of vulnerable versions of Windows.

"While the vulnerability is NOT in IE or other browsers, a browse-and-get-owned attack vector does exist here via the media playback plug-ins of browsers," Microsoft security software engineer Chengyun Chu explained in a post on the Microsoft Security Research and Defense (MSRC) blog. "The attacker could construct a malicious Web page which uses the media playback plug-ins to play back a malicious QuickTime file to reach the vulnerability in Quartz.dll."

A successfully executed attack would give the attacker the same file access rights as the affected user. For users with administrative rights, the risk is greater than for users with more restricted rights.

Microsoft said it "is aware of limited, active attacks that use this exploit code." Chu has posted several steps that users can take to protect themselves on the MSRC blog.

Earlier this month, Microsoft issued a security advisory about an authentication bypass vulnerability in certain Microsoft Internet Information Services configurations.


Black Hat is like no other security conference. It happens in Las Vegas, July 25-30. Find out more and register.

About the Author

Thomas Claburn

Editor at Large, Enterprise Mobility

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful master's degree in film production. He wrote the original treatment for 3DO's Killing Time, a short story that appeared in On Spec, and the screenplay for an independent film called The Hanged Man, which he would later direct. He's the author of a science fiction novel, Reflecting Fires, and a sadly neglected blog, Lot 49. His iPhone game, Blocfall, is available through the iTunes App Store. His wife is a talented jazz singer; he does not sing, which is for the best.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights