
Blog


    May 29

    Zero Day Vulnerability in Microsoft DirectX 9


    Severity: High

    28 May, 2009

    Summary:

    § This vulnerability affects: Microsoft DirectX 9.0 and earlier versions (does not affect DirectX 10)  

    § How an attacker exploits it: By enticing your users into downloading and playing a malicious Quicktime movie, or into visiting a malicious web page

    § Impact: An attacker can execute code on your computer, potentially gaining control of it

    § What to do: Implement the workarounds described in the Solution Path section of this alert

    Exposure:

    Today, Microsoft released a security advisory warning of a serious unpatched DirectX vulnerability, which attackers have already begun exploiting on the Internet. The vulnerability affects DirectX 9.0 (and earlier versions) running on Windows 2000, XP and Server 2003 computers. It does not seem to affect DirectX 10 running on Windows Vista or Server 2008 computers.

    Since Microsoft just learned about this flaw, they don't describe it in much technical detail. They only say the flaw involves the way DirectShow (a component of DirectX) handles specially crafted Quicktime files. However, the advisory does tell how attackers can leverage the flaw. By enticing one of your users into downloading and opening a malicious Quicktime movie, or into visiting a malicious web page, an attacker can exploit this vulnerability to execute code on a victim's computer, inheriting that user's level of privileges and permissions. If your user has local administrative privileges, the attacker gains full control of the user's machine. 

    With attackers actively exploiting this vulnerability in the wild, it poses a significant threat to Windows 2000, XP, and Server 2003 users. We recommend you implement the workarounds described below to mitigate the risk of this dangerous zero day attack.

    Solution Path:

    Microsoft has not had time to release a full patch for this zero day vulnerability. However, they have released a "Fix it" workaround that will disable DirectX's ability to handle Quicktime files. If you don't mind disabling Quicktime file handling in Windows, we recommend you apply this "Fix it" workaround until Microsoft releases their final patch. The workarounds described below can also help mitigate the risk of this zero day vulnerability:

    1. Inform your users of this vulnerability. Advise them to remain wary of unsolicited Quicktime (.mov) movies. If they don't absolutely need to view a Quicktime movie, and don't fully trust the entity it came from, they should avoid watching it until Microsoft releases a patch.

    2. Use up-to-date antivirus (AV) software. AV companies are sure to release signatures that detect these malicious Quicktime files. Make sure to update your AV regularly.

    3. Use a gateway device, like your Firebox, to block Quicktime files. If your users can't download Quicktime files, this exploit won't affect them. Unfortunately, doing this blocks legitimate Quicktime files as well. Nonetheless, depending on your business needs, you may still consider blocking Quicktime files until Microsoft releases a patch.
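    A gateway rule keyed only on the .mov extension lets a renamed movie through, so a content check is the more dependable way to apply workaround 3. The sketch below is an added example, not WatchGuard's or Microsoft's code: it walks the top-level QuickTime atoms in the first bytes of a download and flags QuickTime-branded data whatever the file is called. The function names and the sample byte strings are constructed for illustration.

```python
import struct

QT_ATOMS = {b"ftyp", b"moov", b"mdat", b"wide", b"free", b"skip", b"pnot"}

def top_level_atoms(data, limit=16):
    """Walk atom headers: 4-byte big-endian size, then 4-byte type."""
    atoms, pos = [], 0
    while pos + 8 <= len(data) and len(atoms) < limit:
        size, kind = struct.unpack_from(">I4s", data, pos)
        header = 8
        if size == 1:                      # 64-bit size follows the type
            if pos + 16 > len(data):
                break
            size, header = struct.unpack_from(">Q", data, pos + 8)[0], 16
        elif size == 0:                    # atom runs to end of file
            size = len(data) - pos
        if size < header:                  # malformed header: stop walking
            break
        atoms.append((kind, data[pos + header:pos + size]))
        pos += size
    return atoms

def looks_like_quicktime(data):
    """True if the bytes parse as a QuickTime movie, whatever the file name."""
    atoms = top_level_atoms(data)
    kinds = [kind for kind, _ in atoms]
    if not kinds or kinds[0] not in QT_ATOMS:
        return False
    if kinds[0] == b"ftyp":
        # ftyp body: major brand, minor version, then compatible brands (4 bytes each)
        body = atoms[0][1]
        brands = {body[0:4]} | {body[i:i + 4] for i in range(8, len(body) - 3, 4)}
        return b"qt  " in brands
    # Older movies carry no ftyp atom; require movie metadata or media data.
    return b"moov" in kinds or b"mdat" in kinds

def atom(kind, body=b""):
    return struct.pack(">I4s", 8 + len(body), kind) + body

# Constructed samples, not real media files.
SAMPLES = {
    "holiday.jpg": atom(b"ftyp", b"qt  \x00\x00\x02\x00qt  ") + atom(b"moov", b"\x00" * 8),
    "old.dat": atom(b"wide") + atom(b"mdat", b"\x00" * 4) + atom(b"moov"),
    "clip.mp4": atom(b"ftyp", b"isom\x00\x00\x02\x00isommp42") + atom(b"moov"),
    "logo.png": b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR",
}

def flagged(samples=SAMPLES):
    return sorted(name for name, data in samples.items() if looks_like_quicktime(data))
```

    Calling flagged() returns the two QuickTime samples despite their misleading names, while the MP4 and PNG samples pass.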

    We will update this alert when Microsoft releases a patch.

    Courtesy of WatchGuard


    May 19

    How To Recover From A Failed XP SP3 Install

    So you just installed XP SP3 and on reboot you get a big Blue Screen of Death (BSOD) with various stop errors such as 0x000000FC or 0X0000007E. You think, no problem, you can just boot into Safe Mode and undo the SP install, but you find even Safe Mode fails to boot. Now you're under the gun; what do you do?

    Well, first off, you can call Microsoft, as they offer FREE Service Pack Support, so call 866 234-6020. Although support was to end in April, they appear to still be honoring this offer. If you can’t get to support and are willing to take things into your own hands, you can attempt to uninstall SP3 by doing the following.

    1. First off we need a Bootable Windows XP CD, preferably XP SP2. Let’s boot from that CD and select Repair from the first set of options.

    2. Select the Partition that has your Windows install and log into it using the Administrator password.

    3. At the Command Prompt type:

    cd $ntservicepackuninstall$\spuninst\  <enter>

    batch spuninst.txt  <enter>

    4. Once the above command has completed reboot into Safe Mode. If all goes well you should get to the Desktop after logging in. At this point go to Start, Run and type Regedit. Here we need to edit the following:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RpcSs

    Right Click ObjectName, Modify and change to “LocalSystem” and reboot

    5. Allow Windows to boot normally and log in using the Administrator account. Right-click My Computer and verify the system is listed as Service Pack 2. Whether or not it is, go to Control Panel, Add or Remove Programs, click Show Updates and see if Windows XP SP3 is listed. If it is, uninstall it now.

    6. Reboot and verify system is listed as SP2 and you have no errors.


    May 13

    Apple Shoots Back At Microsoft “Laptop Hunters”

    This is why Microsoft shouldn’t get into an Apple/Oranges marketing fight with Apple. I think it’s pretty easy to see Apple turned Microsoft’s whole marketing campaign right around on them and into an Apple marketing campaign.


    May 03

    Windows Release Date Set?

    Information coming from Acer is that they will start shipping Windows 7 loaded PCs on October 23rd. Combine this with the post made by Microsoft Sweden Partner Team’s Lotta Bath (which was pulled by MS) that the RTM was set for October 3rd and I think we have enough information to know Windows 7 will be in the stores by the end of October. For those buying a machine prior to October there will be a period of FREE upgrades to Windows 7 of not less than 30 days and maybe as much as 90 days.
