A cheat sheet for fixing the latest Windows security flaw
- TAGS: DirectShow, DirectX, Microsoft, QuickTime, Windows XP
- IT TOPICS: Security, Software, Windows & Microsoft
Here we go again. Users of Windows XP, Windows Server 2003 and Windows 2000 can get infected simply by viewing a web page. If you use Vista or Windows Server 2008, you're safe.
To get infected, the DirectShow component of Windows needs to process a malicious QuickTime video file. The easiest way for the malicious file to get on your computer is via a web browser (not just Internet Explorer) but it can also arrive via email, shared network folders, sneaker-net, etc.
There is, as yet, no fix for the problem, but Microsoft does have a work-around - a registry zap that breaks the association between QuickTime files and DirectShow. That is, you can tell the operating system not to invoke DirectShow to process QuickTime files.
For more on the problem, see Hackers exploit unpatched Windows bug.
Perhaps you're thinking, why not install QuickTime and let it process its own files? Or, if you have QuickTime installed, won't it already process its files and thus bypass DirectShow? According to the Microsoft Security Research & Defense blog:
... whether you’ve installed Apple’s QuickTime or not, the vulnerability is in Microsoft’s quartz.dll and it’s possible to craft an attack to call that DLL on the system regardless of whether Apple’s QuickTime is present.
Microsoft offers a number of work-arounds, but the one described in the cheat sheet below was recommended in the same blog posting:
This is the best workaround because it’s the most surgical. It only disables QuickTime Parsing in DirectShow. DirectShow's other functionality is not affected. This workaround covers all known attack vectors. Therefore, if you are not concerned about QuickTime content playback via DirectShow, this is the workaround we recommend you apply.
CHEAT SHEET
To zap the registry, start at the Microsoft Security Advisory: Vulnerability in Microsoft DirectShow could allow remote code execution.
Scroll down and look for the two Fixit buttons shown below.

Click on the one to enable the workaround. This downloads a small file (113KB) called EnableAdvisory971778.msi.
Before running the file, right click on it, view the properties and check the Digital Signatures tab. It should indicate that the file was digitally signed by Microsoft on Thursday May 28, 2009 at 7:54:08 PM as shown below. If there is no Digital Signatures tab, do not run the file.
Update June 8, 2009: The timestamp in a digital certificate is recorded in UTC, so not everyone will see the exact same time. When asked to confirm the timestamp, a Microsoft representative said it was 4:54 PM rather than the 7:54 PM that I was seeing. This is because they were in the Pacific time zone whereas I was viewing it in the Eastern time zone.

Run the program by double-clicking on it.
You have to agree to the license terms first.

Then the program runs and finishes in a few seconds.

The program makes a restore point called "Installed Enable advisory 971778", presumably before the registry zap. If System Restore is disabled, the program still runs.
There is, unfortunately, no simple test that it worked. If you care to verify it, then you have to peruse the registry looking for a long ugly entry that should no longer be there.
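The two manual checks above (the Digital Signatures tab before running the file, and the registry entry that should no longer be there afterwards) can be scripted. This is an added PowerShell example, not from the article or from Microsoft; it assumes the downloaded MSI sits in the current folder under the name given above, and that you replace the placeholder with the CLSID key the advisory's workaround deletes (copy it from the advisory itself):

```powershell
# Added example (not the article's or Microsoft's code). Verifies the Fixit MSI is
# Authenticode-signed by Microsoft, then checks whether the workaround's registry
# deletion has actually taken effect.
param(
    [string]$MsiPath = ".\EnableAdvisory971778.msi",
    # Placeholder: fill in the CLSID key named in Security Advisory 971778.
    [string]$Clsid   = "{PLACEHOLDER-CLSID-FROM-ADVISORY-971778}"
)

function Test-MsiSignedByMicrosoft {
    param([string]$Path)
    if (-not (Test-Path $Path)) {
        Write-Warning "File not found: $Path"
        return $false
    }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # No Digital Signatures tab in Explorer shows up here as Status 'NotSigned';
    # a tampered file shows up as 'HashMismatch'. Only 'Valid' is acceptable.
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Signature status is '$($sig.Status)', expected 'Valid'"
        return $false
    }
    $subject = $sig.SignerCertificate.Subject
    if ($subject -notmatch 'CN=Microsoft Corporation') {
        Write-Warning "Unexpected signer: $subject"
        return $false
    }
    return $true
}

function Test-QuickTimeParserDisabled {
    param([string]$Clsid)
    # The workaround removes the parser filter's CLSID key under HKCR. While the key
    # exists DirectShow can still load the QuickTime parser; once it is gone it cannot.
    $key = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"
    return -not (Test-Path $key)
}

if (Test-MsiSignedByMicrosoft -Path $MsiPath) {
    Write-Output "Signature OK: $MsiPath is signed by Microsoft"
} else {
    Write-Output "Do NOT run $MsiPath"
}

if (Test-QuickTimeParserDisabled -Clsid $Clsid) {
    Write-Output "Workaround applied: $Clsid is no longer in the registry"
} else {
    Write-Output "Workaround NOT applied: $Clsid is still present"
}
```

Run it once before the Fixit to confirm the signature, and again afterwards to confirm the key is gone.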
As noted above, this simply disables QuickTime processing in DirectShow and thus should not interfere with Apple's QuickTime software handling QuickTime files. I verified this on a Windows XP machine with QuickTime version 7.6 installed. The zap did not interfere with viewing the latest QuickTime-formatted ads from Apple.