Microsoft Security Advisory (971778)

Discussion in 'other security issues & news' started by ronjor, May 28, 2009.

Thread Status:
Not open for further replies.
  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,719
    Location:
    Texas
    Microsoft
     
  2. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Exploits of unpatched Windows bug will jump, says Symantec

    Technical details:
    DirectShow Exploit In the Wild
    DirectShow Exploit In the Wild, Part II

     
  3. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    The first technical details article has this:

    The author shows the code that redirects to the exploit page, but does not explain how the exploit loads the corrupt .avi file.

    Pity - because this would reveal what to protect against.

    However, a good guess would be the use of script to trigger a plug-in, as did the PDF exploits. Configuring scripting in the browser per site would nullify the attack upon redirection to the exploit page.

    Regarding plug-ins - from a Microsoft Security Research & Defense blog last month:

    http://blogs.technet.com/srd/archive/2009/05/28/new-vulnerability-in-quicktime-parsing.aspx
    The plug-in for an AVI file is described on a download site:

    I don't have an AVI plug-in, but here is the PDF plug-in that displays the PDF file directly in the browser. From an exploit in April:


    This is convenient but not secure, since the file loads without the user knowing it's coming, in the case of a remote code execution exploit.

    Another danger is if the browser is configured to automatically start a media file in a player without any user action. Exploit code will start the media player and load the file:

    Code:
    <script>
    // writes an iframe whose src is a media file; the browser hands it straight to the configured player
    document.write('<iframe src="clock.avi"></iframe>')
    </script>
    [image: avi-inBrowser.gif]

    While browsers offer many options in dealing with files on the web, the safest configuration is to have the browser prompt for action:

    [image: avi-pref.gif]

    [image: avi-dl.gif]

    This way, a drive-by attack is nullified.

    ----
    rich
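As an added example (not code from this thread, the advisory or Microsoft), here is a small Node.js scanner for the drive-by pattern Rmus describes above: a script block that document.write()s an iframe or other embedding tag whose source is a media file, so the browser fetches it and hands it to a player or plug-in with no user action. It goes a little beyond the post's snippet: it also flags the same tags in static markup (the "auto-start a media file" case), reassembles strings split across `+` concatenation, and decodes `\xHH`/`\uHHHH` escapes that are commonly used to hide `<` and `>`. The function names, the extension list and the four sample pages are this example's own assumptions; the samples are constructed, not captured from any site.

```javascript
// Added example (not from the thread, the advisory or Microsoft): a small
// static scanner for the drive-by pattern described in the post above. It
// looks for <iframe>/<frame>/<embed>/<object> tags whose src/data points at a
// media file, both in the page's own markup and inside strings that a
// <script> block builds for document.write(). All names, the extension list
// and the sample pages below are this example's own assumptions.

// File types a browser may hand to a player or plug-in without asking.
const MEDIA_EXTENSIONS = new Set(['avi', 'mov', 'qt', 'mp4', 'wmv', 'asf', 'mpg', 'mpeg', 'pdf']);

const EMBED_TAG_RE = /<(iframe|frame|embed|object)\b([^>]*)>/gi;
const ATTR_RE = /\b(src|data)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;
const SCRIPT_RE = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
// JavaScript string literals, with backslash escapes kept for unescaping.
const STRING_LIT_RE = /'((?:[^'\\]|\\.)*)'|"((?:[^"\\]|\\.)*)"/g;
const SIMPLE_ESCAPES = { n: '\n', r: '\r', t: '\t' };

// Turn a JS string literal body into the text it evaluates to, so that
// "\x3ciframe\x3e" style obfuscation does not hide the tag.
function unescapeJsString(body) {
  return body.replace(/\\(x[0-9a-fA-F]{2}|u[0-9a-fA-F]{4}|.)/g, (_, esc) => {
    if (esc[0] === 'x' || esc[0] === 'u') return String.fromCharCode(parseInt(esc.slice(1), 16));
    return SIMPLE_ESCAPES[esc] ?? esc; // \' \" \\ \/ -> the character itself
  });
}

// Extension of the URL's path, ignoring query string and fragment.
function mediaExtension(url) {
  const path = url.split(/[?#]/)[0];
  const m = /\.([a-z0-9]+)$/i.exec(path);
  return m ? m[1].toLowerCase() : '';
}

// Every embedding tag in `markup` whose src/data is a media file.
function findEmbeddedMedia(markup, viaScript) {
  const hits = [];
  for (const tag of markup.matchAll(EMBED_TAG_RE)) {
    const attr = ATTR_RE.exec(tag[2]);
    if (!attr) continue;
    const url = (attr[2] ?? attr[3] ?? attr[4]).trim();
    const ext = mediaExtension(url);
    if (MEDIA_EXTENSIONS.has(ext)) hits.push({ tag: tag[1].toLowerCase(), url, ext, viaScript });
  }
  return hits;
}

// Scan a page: script-built markup is reassembled from the string literals
// in each <script> block (so 'a' + "b" concatenations are seen whole), and
// the remaining static markup is checked as-is.
function scanPage(html) {
  const hits = [];
  let staticMarkup = '';
  let last = 0;
  for (const m of html.matchAll(SCRIPT_RE)) {
    staticMarkup += html.slice(last, m.index);
    last = m.index + m[0].length;
    const literals = Array.from(m[1].matchAll(STRING_LIT_RE), l => unescapeJsString(l[1] ?? l[2]));
    hits.push(...findEmbeddedMedia(literals.join(''), true));
  }
  staticMarkup += html.slice(last);
  hits.push(...findEmbeddedMedia(staticMarkup, false));
  return hits;
}

// Constructed sample pages (not captured from any real site).
const SAMPLES = {
  // the snippet from the post above
  driveBy: `<html><body>
<script>
document.write('<iframe src="clock.avi"></iframe>')
</script>
</body></html>`,
  // same idea, tag split across concatenated and hex-escaped literals
  obfuscated: `<script type="text/javascript">
var t = "\\x3cembed " + 'src=\\'media/clip.mov?x=1\\' ' + "hidden=true\\x3e";
document.write(t);
</script>`,
  // no script at all: the markup itself embeds the file
  staticEmbed: `<object data="/files/trailer.qt" type="video/quicktime"></object>`,
  // a plain link needs a click, so it is not flagged
  benign: `<p>Download <a href="clock.avi">the clip</a>.</p>
<script>console.log("hello");</script>`,
};

function scanSamples() {
  return Object.fromEntries(Object.entries(SAMPLES).map(([name, html]) => [name, scanPage(html)]));
}

for (const [name, hits] of Object.entries(scanSamples())) {
  console.log(name, hits.length ? hits : 'no auto-loaded media');
}
```

Two caveats a practitioner should keep in mind: the check keys on the file extension in the URL, so an extensionless URL or a server that lies about the content type will slip past it, and a static scan cannot follow markup assembled from non-literal values (decoded at runtime, fetched with XMLHttpRequest, and so on). That is exactly why the configuration advice in the post, making the browser prompt before handing any media file to a player, is the more robust defence; a scanner like this is only a triage aid for pages you already suspect.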
     