Microsoft DirectX DirectShow QuickTime movie parsing vulnerability
Added: 06/03/2009CVE: CVE-2009-1537
BID: 35139
OSVDB: 54797
Background
DirectX is a feature of the Windows operating system used for streaming media. Within DirectX, the DirectShow technology performs client-side audio and video sourcing, manipulation and rendering.Problem
A command execution vulnerability in DirectShow allows command execution when a user opens a QuickTime movie file containing an invalid compressor name length value in the STSD atom.Resolution
Apply one of the workarounds described in Microsoft Security advisory 971778.References
http://isc.sans.org/diary.html?storyid=6481Limitations
Exploit works on Microsoft DirectX 9.0 and requires a user to open the exploit page in Internet Explorer 6 or 7.The .NET framework 2.0 must be installed on the target.
Platforms
Windows XPBack to exploit index