Microsoft Warns against Critical Vulnerability in Windows

Microsoft has reported that a security flaw, critical in nature, exists in the previous editions of its widely-used operating software Windows OS that attackers are already exploiting to run malicious software on affected computers from a remote location.

The flaw, which allows hackers to get full control of the vulnerable system, is being exploited through the use of maliciously crafted QuickTime files that are parsed. Since a lot of browsers can automatically play movie files, users' machines can be hijacked merely by visiting a site that harbors the specially crafted QuickTime files.

If the attack is successfully executed, then the hacker can gain the same rights to access files as the vulnerable end-user get. Meanwhile, users having administrative privileges are at higher risk compared to users with limited privileges.

Moreover, Microsoft says that the flaw is not found in its Internet Explorer browser or in QuickTime media application of Apple, rather it exists within the DirectShow environment (quartz.dll). Nevertheless, Web browsers such as IE or others work as an effective channel to potentially infect computers running the vulnerable Windows versions.

The Microsoft security researchers state that Vista along with the successive editions of Windows remain unaffected as these were cleared of the flawed QuickTime parser cleaner.

Chengyun Chu, Security Software Engineer at Microsoft, explains that although the bug does not exist in IE or other web browsers, they do feature an attack vector of the browse-and-get-owned type, which emanates from their media playing plug-ins, as reported by InformationWeek on May 28, 2009.

Chu further adds that the attacker by creating a malevolent web page could play a malevolent QuickTime video file using the media playing plug-ins and reach the security flaw in Quartz.dll.

Since a patch to fix the flaw is not yet available, Microsoft has provided a 'downloadable' registry script with which certain QuickTime parsing-enabling registries can be eliminated. Microsoft provides yet another script that re-enables the parsing.

Microsoft issuing alert against security flaw is nothing new. In May 2009, the company warned against the authentication bypass bug within particular configurations of its Internet Information Services.

Related article: Microsoft Patches Live OneCare to Tackle Quarantined E-Mails

» SPAMfighter News - 6/2/2009