Microsoft announced on May 28th that it is aware of a potentially dangerous vulnerability present in several of its operating systems. The advisory (Microsoft Security Advisory 971778) explains that the flaw lies in the way Windows itself parses QuickTime media files, and that attackers are already exploiting it by distributing specially crafted files. If you use Windows 2000, Windows XP or Windows Server 2003 your computer may be at risk.

The flaw is in DirectShow, the DirectX component that many Windows programs use to play audio and video. DirectShow ships with its own QuickTime parser, so Microsoft warns that the vulnerability can be attacked even if Apple's QuickTime player is not installed. For this reason, even if you do not use the QuickTime (.mov) format on a daily basis you could still be at risk. The Microsoft Security Response Center blog explains the issue in greater detail:
“The vulnerability is in the QuickTime parser in Microsoft DirectShow. An attacker would try and exploit the vulnerability by crafting a specially formed video file and then posting it on a website or sending it as an attachment in e-mail. While this isn’t a browser vulnerability, because the vulnerability is in DirectShow, a browser-based vector is potentially accessible through any browser using media plug-ins that use DirectShow.”

While older versions of Windows are at risk, newer versions such as Windows Vista and Windows Server 2008 are not affected, because the QuickTime parsing code was removed from DirectShow in those releases. This in itself brings up an interesting question: if Microsoft was aware of the problem to the point that it removed the code from its newer OS versions, then why did it take until attacks started for the older versions to be addressed? So far Microsoft has remained silent on this complaint.

Regardless, users who feel they are at risk should stop opening QuickTime files from untrusted sources and avoid using Windows Media Player or any other DirectShow-based player on such content until they have applied a fix. Note that uninstalling QuickTime does not help: the vulnerable parser is part of DirectShow, not of Apple's software. At the time of writing Microsoft has not shipped a full security update; what it has released is a one-click "Fix it" that applies the advisory's workaround (disabling QuickTime parsing in DirectShow), which you can find here. Even though it is an official Microsoft release we still strongly recommend you contact your IT department before you attempt to install it yourself.
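For administrators who want to verify that the workaround is actually in place on a machine (or apply and later undo it by hand), here is an added example batch script. It is not code from the original post or from Microsoft; it automates the manual workaround from Microsoft Security Advisory 971778, which is to delete the registry key that registers DirectShow's QuickTime Movie Parser filter (CLSID {D51BD5A0-7548-11CF-A520-0080C77EF58A}, as given in the advisory). The script name (qtparser.cmd) and the backup file locations are this example's own choices. It uses only reg.exe, so it runs on Windows 2000, XP and Server 2003 without PowerShell, and must be run from an Administrator command prompt.

```batch
@echo off
setlocal
rem Added example (not from the original post or from Microsoft): check for,
rem back up and remove the registration of DirectShow's QuickTime Movie Parser
rem filter. Deleting this CLSID key is the "disable the parsing of QuickTime
rem content in quartz.dll" workaround from Microsoft Security Advisory 971778,
rem the same thing the Fix it does. Script name and backup paths are assumptions.
rem Usage (Administrator prompt):  qtparser.cmd /check | /disable | /restore

set "CLSID={D51BD5A0-7548-11CF-A520-0080C77EF58A}"
set "KEY32=HKEY_CLASSES_ROOT\CLSID\%CLSID%"
rem On 64-bit Windows the 32-bit DirectShow filters are registered under Wow6432Node.
set "KEY64=HKEY_CLASSES_ROOT\Wow6432Node\CLSID\%CLSID%"
set "BACKUP32=%SystemDrive%\qtparser-clsid-32.reg"
set "BACKUP64=%SystemDrive%\qtparser-clsid-wow64.reg"

if /i "%~1"=="/check"   goto check
if /i "%~1"=="/disable" goto disable
if /i "%~1"=="/restore" goto restore
echo Usage: %~nx0 /check ^| /disable ^| /restore
exit /b 2

:check
rem reg query sets errorlevel 1 when the key does not exist.
call :query "%KEY32%" 32-bit
call :query "%KEY64%" WOW64
exit /b 0

:query
reg query %1 >nul 2>&1
if errorlevel 1 (
    echo [%2] key absent: QuickTime parser disabled ^(or not applicable on this platform^)
) else (
    echo [%2] key present: QuickTime parser still enabled - workaround NOT applied
)
goto :eof

:disable
rem Export each key before deleting it so /restore can put it back.
rem Windows XP's reg.exe has no /y switch, so remove any stale backup first.
if exist "%BACKUP32%" del "%BACKUP32%"
if exist "%BACKUP64%" del "%BACKUP64%"
reg export "%KEY32%" "%BACKUP32%" >nul 2>&1 && reg delete "%KEY32%" /f >nul && echo Removed %KEY32%
reg export "%KEY64%" "%BACKUP64%" >nul 2>&1 && reg delete "%KEY64%" /f >nul && echo Removed %KEY64%
echo Restart any running media players and browsers for the change to take effect.
exit /b 0

:restore
if exist "%BACKUP32%" (
    reg import "%BACKUP32%" >nul 2>&1 && echo Restored %KEY32%
)
if exist "%BACKUP64%" (
    reg import "%BACKUP64%" >nul 2>&1 && echo Restored %KEY64%
)
exit /b 0
```

Two caveats worth knowing before rolling this out. First, with the key removed, DirectShow-based programs (Windows Media Player included) can no longer play .mov files at all; that is the intended effect, and the same effect the Fix it has. Second, anything that re-registers quartz.dll (for example an installer running regsvr32) recreates the key, so `/check` is worth re-running after software installs, and the workaround can be reverted with `/restore` once a real security update for DirectShow has been installed.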

– Richard Keene
IT Computer Support of New York
Design and Optimization Department