Microsoft warns of new Windows exploit
Friday, May 29, 2009
Microsoft is warning users of a critical web security vulnerability in Windows 2000, Windows XP and Windows Server 2003 that has been exploited in the wild. If left unfixed, the flaw could allow hackers to take control of PCs.
The vulnerability is in Microsoft DirectX - the Windows subsystem used for streaming video - which hackers have exploited using malicious QuickTime video files, according to a posting on the Microsoft Security Response Center (MSRC) blog.
"An attacker would try and exploit the vulnerability by crafting a specially formed video file and then posting it on a website or sending it as an attachment in email," the post said.
In a web-based attack scenario, an attacker would have to convince users to visit a malicious website. After a user clicks on a link to the site, they would be prompted to perform several actions. "An attack could only occur after they performed these actions," Microsoft said.
MSRC said the vulnerability is not in Apple's QuickTime and the vulnerable code was removed in crafting Windows Vista, Windows 7 and Windows Server 2008.
Microsoft said in a security bulletin it is aware of limited, active attacks that use the exploit and the company has activated its Software Security Incident Response Process (SSIRP) and is continuing to investigate the issue.
Details of workarounds are posted at Microsoft's security research and defense blog.

Related News:
Nearly 3,000 smartcard phones infected - 3.19.2010 Nearly 3,000 memory cards in HTC Magic smartphones released by Vodafone were infected by malware before purchase, Vodafone Spain reported on Friday. The initial scare came last week when a researcher for Panda Security discovered the breach on her newly purhcased phone.
Google removes malware-spreading site from searches - 3.19.2010 Google announced on Friday that DealsDirect, Australia's largest discount estore, was temporarily blocked from direct access by users after the search engine detected malware on the site.
Facebook bigger threat to web security than Twitter - 3.19.2010 The amount of information available on a person's Facebook profile page makes the popular social networking site more dangerous than other popular competitors such as Twitter, according to AVG Technologies.
Web security professionals skeptical of national broadband - 3.18.2010 Leading web security experts believe that the recently released National Broadband Program is potentially a major risk to national web security. As more people move from dial-up and other slower forms of internet access, they will be exposed to malware and be unable to handle it.
Authorities call for increased URL regulation - 3.18.2010 In an effort to attack malware at the root of the problem, the Federal Bureau of Investigation and the UK's Serious Organised Crime Agency submitted a new list of recommendations to the Internet Corporation for Assigned Names and Numbers that would make it more difficult to register a domain on the web, according to IT World Canada.
|