Microsoft's DirectX Hit By Zero-day Remote Code Execution Bug

Microsoft has issued a security advisory to notify users about an unpatched vulnerability in Microsoft DirectX which is being exploited by hackers to perform remote code execution on victims' computers.

In a Security Bulletin posted on its website, the software maker alerts about a critical flaw in the quartz.dll library, which comes integrated with DirectX and performs parsing of the QuickTime format video files.

The vulnerability reportedly affects all the iterations prior to Windows Vista, including Windows XP as well as Windows 2000 Service Pack 4 (SP4). Along with this, Server versions prior to Windows Server 2008 are also said to be affected by the flaw.

Cybercriminals are using maliciously crafted QuickTime files to seize control over PCs. Quoting the same, Microsoft said in a statement, “The vulnerability could allow remote code execution if [the] user opened a specially crafted QuickTime media file”.

Elaborating on the issue, a spokesperson for Microsoft Security Response Centre (MSRC) Christopher Budd asserted that QuickTime itself isn't vulnerable, but its parsing component, tagged as DirectShow, carries the critical bug.

Until a complete security patch is available, users can safeguard their PCs by disabling the QuickTime parsing, which can be achieved by editing the Windows registry. Users can disable the QuickTime parsing by clicking on to “Fix It” option.

You can follow ITProPortal.com on Twitter@itproportal.

Our Comments

DirectX is one of the more arcane sets of code within Microsoft's Windows Operating System and could well attract hackers and cybercriminals due to the fact that its code is present in its original form in all current versions of Windows excluding Windows 7.

Related Links

Microsoft: DirectX vulnerability allows remote code execution

(Product Reviews)

Microsoft Warns About DirectX Exploit

(Tom's Hardware)

Hackers exploit unpatched Windows bug

(Computerworld Australia)

DirectX suffers zero-day vuln

(Bit-Tech.Net)

Microsoft reports high-risk vulnerability in DirectX

(Beta News)

Microsoft issues advisory for vulnerability in Microsoft DirectShow

(Secure Computing)