Zero-day Directx Flaw

[Rage Skywolfe]

has this been patched within the latest release of updates or does the
workaround still need to be applied. if it has then what is the KB update
number?

 

[Leonard Grey]

Even though you didn't specify what "zero-day directX flaw" you mean,
you may be assured that all patches needed by your computer are
delivered by Microsoft Update. That's the main idea behind Microsoft Update.

 

[Rage Skywolfe]

it is a flaw that was discovered on the 28th of may and haven't heard anyn
more about it since then other thanthw roak arounds. I just wondered if it
had actually been patched or not :s because I don't remember seeing it in the
security advisory :s
http://www.microsoft.com/technet/security/advisory/971778.mspx

 

[Rage Skywolfe]

Even though you didn't specify what "zero-day directX flaw" you mean,

you may be assured that all patches needed by your computer are
delivered by Microsoft Update. That's the main idea behind Microsoft Update.

Yes, I realise that.

 

[VanguardLH]

it is a flaw that was discovered on the 28th of may

You expected a patch in just 10 business days (2 business weeks)? Once
they determine what solution to implement and the code change needed for
that solution, then they have to regression test the change on every
vulnerable version of Windows in which a version of DirectX is affected.
That code change may need to be incorporated in MANY versions of DirectX
starting with the first version of it that is supported on the
vulnerable versions of Windows. Wow, you don't ask for much.

http://www.microsoft.com/technet/security/advisory/971778.mspx

"In a Web-based attack scenario, an attacker would have to host a Web
site that contains a Web page that is used to exploit this
vulnerability. An attacker would have no way to force users to visit a
malicious Web site. Instead, an attacker would have to convince them to
visit the Web site, typically by getting them to click a link that takes
them to the attacker's Web site."

You might want to stick with well-known, highly-trafficked, and trusted
sites in the meantime. No "blue movie" sites for you for awhile. >;->
Do you actually visit sites using QT video formats? I can find them but
I have to actually go search for them. When I wanted to test a QT
install, I knew a couple of game sites with video movies of previews or
gameplays but they switched to Flash.

My first thought was to reassociate the Quicktime filetypes back to the
QuickTime Player and have it play those files. Guess that won't help.
According to Microsoft's Security Research & Defense blog at
http://blogs.technet.com/srd/archive/2009/05/28/new-vulnerability-in-quicktime-parsing.aspx,
"whether you¢ve installed Apple¢s QuickTime or not, the vulnerability is
in the Microsoft¢s quartz.dll and it¢s possible to craft an attack to
call that DLL on the system regardless of whether Apple¢s QuickTime is
present."

Guess you can perform the workarounds that the Microsoft advisory
suggests or wait until a patch is released and be paranoid in the
meantime (or just be safer as to where you surf).

 

[Rage Skywolfe]

You expected a patch in just 10 business days (2 business weeks)? Once
they determine what solution to implement and the code change needed for
that solution, then they have to regression test the change on every
vulnerable version of Windows in which a version of DirectX is affected.
That code change may need to be incorporated in MANY versions of DirectX
starting with the first version of it that is supported on the
vulnerable versions of Windows. Wow, you don't ask for much.


"In a Web-based attack scenario, an attacker would have to host a Web
site that contains a Web page that is used to exploit this
vulnerability. An attacker would have no way to force users to visit a
malicious Web site. Instead, an attacker would have to convince them to
visit the Web site, typically by getting them to click a link that takes
them to the attacker's Web site."

You might want to stick with well-known, highly-trafficked, and trusted
sites in the meantime. No "blue movie" sites for you for awhile. >;->
Do you actually visit sites using QT video formats? I can find them but
I have to actually go search for them. When I wanted to test a QT
install, I knew a couple of game sites with video movies of previews or
gameplays but they switched to Flash.

My first thought was to reassociate the Quicktime filetypes back to the
QuickTime Player and have it play those files. Guess that won't help.
According to Microsoft's Security Research & Defense blog at
http://blogs.technet.com/srd/archive/2009/05/28/new-vulnerability-in-quicktime-parsing.aspx,
"whether youʼve installed Appleʼs QuickTime or not, the vulnerability is
in the Microsoftʼs quartz.dll and itʼs possible to craft an attack to
call that DLL on the system regardless of whether Appleʼs QuickTime is
present."

Guess you can perform the workarounds that the Microsoft advisory
suggests or wait until a patch is released and be paranoid in the
meantime (or just be safer as to where you surf).

hmm so I am guessing that means that only those types of websites can be
compromised?. if that were the case. viruses and worms wouldn't be comming up
on social networking sites all the time. I was ASKING THIS merely as a
question. because in my case? usualy when work arounds and things like that
are applied when I have a program like say windows defender on the computer
it causes problems. you want to get on my back about something? find
something that makes sense to get angry about.

 

[David H. Lipman]

From: "Rage Skywolfe" <[email protected]>

| Even though you didn't specify what "zero-day directX flaw" you mean,
| Yes, I realise that.
| --
| Four Generations Of Trust And Betrayal...One Legacy

| Skywolfe

The important thing is I haven't seen nor heard of exploits in the wild.

 

[Rage Skywolfe]

that is what I was wondering.. but still how would you know which type of
site would have it.? now some would be obvious but most aren't

 

[David H. Lipman]

From: "Rage Skywolfe" <[email protected]>

| that is what I was wondering.. but still how would you know which type of
| site would have it.? now some would be obvious but most aren't
| --
| Four Generations Of Trust And Betrayal...One Legacy

I know because it would be the "hot" topic of discussion in forums you don't have access
to.

As for the site, it could be anyone of the of the many sites using a laundry list of
exploits. So far, it hasn't been noted.

Search yourself.

 

[Rage Skywolfe]

that is all I was wondering

 

[Virus Guy]

The important thing is I haven't seen nor heard of exploits in the
wild.

Are you talking about this:

Apple QuickTime Image Description Atom Sign Extension Vulnerability

If so, there is POC code out in the open for about a week now.

===============
Apple QuickTime is prone to a vulnerability that occurs because the bit
width of a number is increased without changing its sign in certain
image description atoms.

A remote attacker can exploit this issue by enticing an unsuspecting
user to open a specially crafted Apple video file.

Successful exploits will allow the attacker to execute arbitrary code in
the context of the user running the application. Failed exploit attempts
likely result in denial-of-service conditions.

This issue affects Apple QuickTime running on Microsoft Windows Vista,
Windows XP SP3, and Mac OS X.

Solution:

http://www.securityfocus.com/bid/35166/solution
===============

 

[Rage Skywolfe]

I was talking about this
http://blogs.technet.com/srd/archive/2009/05/28/new-vulnerability-in-quicktime-parsing.aspx

and this from the security advisory
Microsoft Security Advisory (971778)
Vulnerability in Microsoft DirectShow Could Allow Remote Code Execution
Published: May 28, 2009

Version: 1.0

Microsoft is investigating new public reports of a new vulnerability in
Microsoft DirectX. The vulnerability could allow remote code execution if
user opened a specially crafted QuickTime media file. Microsoft is aware of
limited, active attacks that use this exploit code. While our investigation
is ongoing, our investigation so far has shown that Windows 2000 Service Pack
4, Windows XP, and Windows Server 2003 are vulnerable; all versions of
Windows Vista and Windows Server 2008 are not vulnerable. Microsoft has
activated its Software Security Incident Response Process (SSIRP) and is
continuing to investigate this issue.

Upon completion of this investigation, Microsoft will take the appropriate
action to help protect our customers. This may include providing a security
update through our monthly release process or providing an out-of-cycle
security update, depending on customer needs.

We are actively working with partners in our Microsoft Active Protections
Program (MAPP) and our Microsoft Security Response Alliance (MSRA) program to
provide information that they can use to provide broader protections to
customers.

Mitigating Factors:
•

In a Web-based attack scenario, an attacker would have to host a Web site
that contains a Web page that is used to exploit this vulnerability. An
attacker would have no way to force users to visit a malicious Web site.
Instead, an attacker would have to convince them to visit the Web site,
typically by getting them to click a link that takes them to the attacker's
Web site. After they click the link, they would be prompted to perform
several actions. An attack could only occur after they performed these
actions.
•

An attacker who successfully exploited this vulnerability could gain the
same user rights as the local user. Users whose accounts are configured to
have fewer user rights on the system could be less impacted than users who
operate with administrative user rights.

All versions of Windows Vista and Windows Server 2008 are not affected by
this issue.

 

[VanguardLH]

Rage Skywolfe wrote (on Thu, 11 Jun 2009 12:51:01 -0700):

hmm so I am guessing that means that only those types of websites can be
compromised?. if that were the case. viruses and worms wouldn't be comming up
on social networking sites all the time. I was ASKING THIS merely as a
question. because in my case? usualy when work arounds and things like that
are applied when I have a program like say windows defender on the computer
it causes problems. you want to get on my back about something? find
something that makes sense to get angry about.

The exploit, according to the articles, is something implemented up on
the server that is feeding you the streamed video. The site has to be
compromised (or deliver 3rd party compromised content).

You were the one that was obviously impatient for a fix and unaware or
ignorant of the level of testing that must be performed on such an
immensely pervasive piece of code.

 

[Virus Guy]

I was talking about this
http://blogs.technet.com/srd/archive/2009/05/28/new-vulnerability-in-quicktime-parsing.aspx

and this from the security advisory
Microsoft Security Advisory (971778)
Vulnerability in Microsoft DirectShow Could Allow Remote Code Execution
Published: May 28, 2009

If the following is true, then Micro$haft is admitting here that this
vulnerability is currently being exploited in the wild.

========================================

http://voices.washingtonpost.com/se..._warns_of_attacks_on_2.html?wprss=securityfix

Microsoft Warns of Attacks on Unpatched Windows Flaw

Microsoft is warning that hackers are using booby-trapped QuickTime
media files to exploit a newly discovered security hole in Windows 2000,
Windows XP, and Windows Server 2003 systems.

Microsoft said it is aware of "limited attacks" against an unpatched
vulnerability in a Windows DirectShow component designed to process
QuickTime files. The vulnerability is present in those operating systems
and can be exploited whether or not users have QuickTime installed.

========================================

http://www.microsoft.com/technet/security/advisory/971778.mspx

Microsoft is aware of limited, active attacks that use this exploit
code.

 

[Rage Skywolfe]

thanks for the update

 

[Twayne]

has this been patched within the latest release of updates or does the
workaround still need to be applied. if it has then what is the KB
update number?

Probalby not, but several have been. The latest ones are still being
worked on. When you do updates, use the Custom button; it'll show you
the KB for every update.

 

[Rage Skywolfe]

ok. one of the things I was wondering is the advisories that are issued for
different updates, are they the kb numbers for those particular updates when
they are issued?

 

[Twayne]

ok. one of the things I was wondering is the advisories that are
issued for different updates, are they the kb numbers for those
particular updates when they are issued?

Yes.
I always use Custom when updates arrive now so I can check to see
what's being downloaded. If I'm not sure I trust it, I'll check that
stated KB article to see just what it's about. I recently for
instance caught IE8 and stopped it from downloading. If you do that
from the Custom window, it'll also give you the opportunity to tell it
to not offer that update toyou again, saving having to go off and do it
yourself, or keep denying it over and over each update cycle. Use that
capability sparingly though; you do NOT want to tell it to not download
fixes and improvements; they are usually quite important. I don't think
IE8 will be offered either unless you already have IE7. I'd already
tried IE8 and discovered it was a clunker so I sure didn't want it! IMO
it doesn't belong in the auto-updates anyway.

HTH,

Twayne`

 

[Rage Skywolfe]

I use the custom updates as well. have for years. I just wondered if the
advisories that are issued as numbers are issued as KB numbers later I have
never deniesd important updates usualy just the optional updates like windows
search for example. and IE 8 will be delivered even if you do have IE7
because it has done that with me. I have had no real problems with it except
page loading delays if I install spybot and ad aware together.

 

[dooolley]

has this been patched within the latest release of updates or does the
workaround still need to be applied. if it has then what is the KB update
number?

???? Question : is internet explorer the only browser effected???