HOW-TO: Microsoft DirectShow Vulnerability Exploit

Microsoft says hackers are targeting a security flaw in the DirectX feature of Windows. According to Microsoft, attackers are using malicious QuickTime videos to exploit the bug. From the security advisory:

Microsoft is investigating new public reports of a new vulnerability in Microsoft DirectX. The vulnerability could allow remote code execution if user opened a specially crafted QuickTime media file. Microsoft is aware of limited, active attacks that use this exploit code. While our investigation is ongoing, our investigation so far has shown that Windows 2000 Service Pack 4, Windows XP, and Windows Server 2003 are vulnerable; all versions of Windows Vista and Windows Server 2008 are not vulnerable. Microsoft has activated its Software Security Incident Response Process (SSIRP) and is continuing to investigate this issue.

According to security bulletin KB971778, one of the workarounds is to delete the registry subkey: HKEY_CLASSES_ROOT\CLSID\{D51BD5A0-7548-11CF-A520-0080C77EF58A}.

The quickest copy-and-paste procedure is to open a command terminal (Start --> Run... --> "cmd") and paste in the commands below.

First, back up the registry subkey before deleting it (execute this in the command terminal):
reg export HKEY_CLASSES_ROOT\CLSID\{D51BD5A0-7548-11CF-A520-0080C77EF58A} QuickTime.reg

The newly created file QuickTime.reg is the backup. Once the backup has succeeded, delete the subkey (execute this in the command terminal as well):
reg delete HKEY_CLASSES_ROOT\CLSID\{D51BD5A0-7548-11CF-A520-0080C77EF58A}

Confirm deletion when prompted.

Although this procedure will not correct the underlying vulnerability, it is a workaround to mitigate the threat and block the potential attack.

Having a backup of the registry subkey will make it easier to revert the change when a permanent patch is available.
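The backup, delete and revert steps above can be combined into one batch file that refuses to delete the subkey unless the backup was actually written. This is an added example, not part of the original post or of Microsoft's bulletin; the abort-on-failure behaviour and the choice to store QuickTime.reg beside the script are assumptions.

```batch
@echo off
rem Added example: applies the registry workaround described above, but only
rem after a verified backup. Run it from an administrator account.
setlocal
set "KEY=HKEY_CLASSES_ROOT\CLSID\{D51BD5A0-7548-11CF-A520-0080C77EF58A}"
rem Assumption: keep the backup next to this script, same name as in the post.
set "BACKUP=%~dp0QuickTime.reg"

rem Step 0: if the subkey is already gone there is nothing to do.
reg query "%KEY%" >nul 2>&1
if errorlevel 1 goto :already_gone

rem Never overwrite an earlier backup; it may be the only good copy.
if exist "%BACKUP%" goto :backup_exists

rem Step 1: export the subkey and confirm the file was really created.
reg export "%KEY%" "%BACKUP%" >nul 2>&1
if errorlevel 1 goto :backup_failed
if not exist "%BACKUP%" goto :backup_failed

rem Step 2: delete the subkey. /f answers the confirmation prompt.
reg delete "%KEY%" /f >nul 2>&1
if errorlevel 1 goto :delete_failed

rem Step 3: verify the subkey is no longer present.
reg query "%KEY%" >nul 2>&1
if not errorlevel 1 goto :delete_failed

echo Workaround applied. Backup saved to "%BACKUP%"
echo To revert once a patch is installed: reg import "%BACKUP%"
exit /b 0

:already_gone
echo Subkey not present; nothing to delete.
exit /b 0

:backup_exists
echo "%BACKUP%" already exists; move it aside and run again.
exit /b 1

:backup_failed
echo Backup failed; the subkey was NOT deleted.
exit /b 1

:delete_failed
echo Delete failed or subkey still present; check your privileges.
exit /b 1
```

A non-zero exit code means the workaround was not applied, so the script can be pushed to several machines and the failures collected afterwards.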
