Recently, we found a remote code execution vulnerability in Microsoft’s DirectShow platform (quartz.dll) when processing the QuickTime format. We have released advisory 971778 providing guidance to help protect customers. We’d like to go into more detail in this blog to help you understand:
- Which configurations are at risk?
- Why is this a high risk vulnerability?
- How can I protect myself?
Which configurations are at risk?
The vulnerability is in DirectShow’s code to process QuickTime format. The QuickTime Movie Parser Filter in DirectShow has been removed from Windows Vista and later operating systems (see http://msdn.microsoft.com/en-us/library/dd377491(VS.85).aspx). Windows Vista, Window Server 2008, and later versions of Windows are not affected by this vulnerability. Older Windows platforms are vulnerable, as shown in the advisory.
If I have installed Apple’s QuickTime, am I safe?
Our investigation has found that the installation of Apple’s QuickTime does NOT mitigate this DirectShow’s vulnerability.
To be clear, whether you’ve installed Apple’s QuickTime or not, the vulnerability is in the Microsoft’s quartz.dll and it’s possible to craft an attack to call that DLL on the system regardless of whether Apple’s QuickTime is present.
Why is this a high risk vulnerability?
The vulnerability is in the DirectShow platform (quartz.dll). While the vulnerability is NOT in IE or other browsers, a browse-and-get-owned attack vector does exist here via the media playback plug-ins of browsers. The attacker could construct a malicious webpage which uses the media playback plug-ins to playback a malicious QuickTime file to reach the vulnerability in Quartz.dll. Please note this type of attack could happen for any browsers, not IE specific.
There is also a file-based attack vector by opening a malicious QuickTime file via Windows Media Player to trigger the vulnerability.
How can I protect myself?
There are several workarounds that you may consider here.
#1: Disable Quick Time Parsing in Quartz.dll by deleting the following registry key:
HKEY_CLASSES_ROOT\CLSID\{D51BD5A0-7548-11CF-A520-0080C77EF58A}
For X64 delete the following registry key as well:
HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{D51BD5A0-7548-11CF-A520-0080C77EF58A}
This is the best workaround because it’s the most surgical. It only disables QuickTime Parsing in DirectShow. DirectShow’s other functionality is not affected. This workaround covers all known attack vectors. Therefore, if you are not concerned about QuickTime content playback via DirectShow, this is the workaround we recommend you apply.
#2: Kill-bit WMP ActiveX Control
If you are using IE, this helps mitigate current attacks we have seen in the wild. You can set the following registry key to apply the killbit:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{6BF52A52-394A-11D3-B153-00C04F79FAA6}]
"Compatibility Flags"=dword:00000400
The advantage of this workaround is that it still allows you to use Windows Media Player (or other applications) to playback QuickTime content via DirectShow. The disadvantage is that it only protects against the current attacks we see that use IE. Other attack vectors are not covered. For example, it won’t protect other browsers.
#3: Unregister/ACL quartz.dll
This workaround is effective but can have significant impacts in your environment. Please refer to our previous SRD blog: “MS08-033: So what breaks when you ACL quartz.dll?” to get more details on this.
We don’t recommend this workaround because #1 provides the same level of protection with less impact. However, it is an option listed in the advisory because it is effective protection and to give customers as full a range of options as possible to better protect their environment.
Chengyun, MSRC Engineering
*Postings are provided “AS IS” with no warranties, and confers no rights.*