Microsoft Security Advisory (971778)

Discussion in 'other security issues & news' started by ronjor, May 28, 2009.

Thread Status:
Not open for further replies.
  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,035
    Location:
    Texas
    Microsoft
     
  2. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Exploits of unpatched Windows bug will jump, says Symantec

    Technical details:
    DirectShow Exploit In the Wild
    DirectShow Exploit In the Wild, Part II

     
  3. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    The first technical details article has this:

    The author shows the code that redirects to the exploit page, but does not explain how the exploit loads the corrupt .avi file.

    Pity - because this would reveal what to protect against.

    However, a good guess would be the use of script to trigger a plug-in, as did the PDF exploits. Configuring scripting in the browser per site would nullify the attack upon redirection to the exploit page.

    Regarding plug-ins - from a Microsoft Security Research & Defense blog last month:

    http://blogs.technet.com/srd/archive/2009/05/28/new-vulnerability-in-quicktime-parsing.aspx
    The plug-in for an AVI file is described on a download site:

    I don't have an AVI plug-in, but here is the PDF plug-in that displays the PDF file directly in the browser. From an exploit in April:

    [image: PDF plug-in displaying the PDF file directly in the browser]

    This is convenient but not secure, since the file loads without the user knowing it's coming, in the case of a remote code execution exploit.

    Another danger is if the browser is configured to automatically start a media file in a player without any user action. Exploit code will start the media player and load the file:

    Code:
    <script>
    <!-- The script writes an iframe into the page; the browser fetches clock.avi and hands it to the media plug-in with no user action -->
    document.write('<iframe src="clock.avi"></iframe>')
    </script>
    [image: avi-inBrowser.gif]

    While browsers offer many options in dealing with files on the web, the safest configuration is to have the browser prompt for action:

    [image: avi-pref.gif]

    [image: avi-dl.gif]

    This way, a drive-by attack is nullified.

    ----
    rich
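As an added illustration (not code from the thread or from any of the posters), here is a small Python scanner that flags the pattern rich describes: a page that hands a media file to a plug-in without any user action, either through a static <iframe>/<embed>/<object> pointing at a media file or through a document.write call that injects one at load time. The sample page, the media-extension list and the function names are constructed assumptions for this example.

```python
"""Scan HTML for elements that hand a media file to a browser plug-in
without user action: static <iframe>/<embed>/<object> tags whose src/data
points at a media file, and the same tags injected via document.write().
Added example for this thread; the sample page below is constructed."""
import re
from html.parser import HTMLParser

# Extensions treated as media the browser may auto-open in a player (assumption)
MEDIA_EXTENSIONS = (".avi", ".mov", ".qt", ".wmv", ".asf", ".mp4")
LOADER_TAGS = {"iframe", "embed", "object"}
SRC_ATTRS = {"src", "data"}          # <object> uses data=, the others src=

# Matches a loader tag written as a string inside script, e.g.
# document.write('<iframe src="clock.avi"></iframe>')
SCRIPT_TAG_RE = re.compile(
    r'<\s*(iframe|embed|object)\b[^>]*?\b(?:src|data)\s*=\s*["\']([^"\']+)["\']',
    re.IGNORECASE,
)


def is_media_url(url):
    """True if the URL path (query/fragment stripped) ends in a media extension."""
    path = url.split("?", 1)[0].split("#", 1)[0].strip().lower()
    return path.endswith(MEDIA_EXTENSIONS)


class MediaLoaderFinder(HTMLParser):
    """Collect (tag, url, how) tuples; how is 'static' or 'script'."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases tag and attribute names for us
        if tag == "script":
            self._in_script = True
        elif tag in LOADER_TAGS:
            for name, value in attrs:
                if name in SRC_ATTRS and value and is_media_url(value):
                    self.findings.append((tag, value, "static"))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # <script> bodies arrive as raw data; look for loader tags that the
        # script would write into the page when it runs.
        if self._in_script:
            for m in SCRIPT_TAG_RE.finditer(data):
                if is_media_url(m.group(2)):
                    self.findings.append((m.group(1).lower(), m.group(2), "script"))


def find_media_loaders(html):
    """Return every media-loading element found in the page, in document order."""
    parser = MediaLoaderFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: one script-injected AVI iframe (as in the post),
# one static QuickTime object, and two harmless loaders for contrast.
SAMPLE_PAGE = """<html><body>
<p>Please wait...</p>
<script>
document.write('<iframe src="clock.avi"></iframe>')
</script>
<object data="media/intro.mov?autoplay=1"></object>
<iframe src="about.html"></iframe>
<embed src="logo.png">
</body></html>"""

if __name__ == "__main__":
    for tag, url, how in find_media_loaders(SAMPLE_PAGE):
        print(f"{how:6s} <{tag}> loads media: {url}")
```

Run against the sample page it reports the script-written AVI iframe and the static .mov object, and ignores the HTML iframe and the PNG embed. A scanner like this only catches loaders written literally into the page or into a document.write string; the browser-side "prompt for action" setting the post recommends is what actually stops the file from being opened, whatever form the page takes.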
     