Microsoft warns of new Windows exploit
Friday, May 29, 2009
Microsoft is warning users of a critical web security vulnerability in Windows 2000, Windows XP and Windows Server 2003 that has been exploited in the wild. If left unfixed, the flaw could allow hackers to take control of PCs.
The vulnerability is in Microsoft DirectX - the Windows subsystem used for streaming video - which hackers have exploited using malicious QuickTime video files, according to a posting on the Microsoft Security Response Center (MSRC) blog.
"An attacker would try and exploit the vulnerability by crafting a specially formed video file and then posting it on a website or sending it as an attachment in email," the post said.
In a web-based attack scenario, an attacker would have to convince users to visit a malicious website. After a user clicks on a link to the site, they would be prompted to perform several actions. "An attack could only occur after they performed these actions," Microsoft said.
MSRC said the vulnerability is not in Apple's QuickTime, and that the vulnerable code was removed when Windows Vista, Windows 7 and Windows Server 2008 were built.
Microsoft said in a security bulletin that it is aware of limited, active attacks using the exploit, that it has activated its Software Security Incident Response Process (SSIRP), and that it is continuing to investigate the issue.
Details of workarounds are posted at Microsoft's security research and defense blog.