Newsletter Archives

  • New 0day in DirectShow

    Microsoft has just released information about a newly discovered 0day vulnerability in DirectShow. The bad guys can use it to create a drive-by web page that can take over your system, simply by surfing to the page.

    Security Advisory 971778 says:

    Microsoft is investigating new public reports of a new vulnerability in Microsoft DirectX. The vulnerability could allow remote code execution if user opened a specially crafted QuickTime media file.

    The MS Security Research & Defense site goes on to say:

    The vulnerability is in the DirectShow platform (quartz.dll). While the vulnerability is NOT in IE or other browsers, a browse-and-get-owned attack vector does exist here via the media playback plug-ins of browsers. The attacker could construct a malicious webpage which uses the media playback plug-ins to playback a malicious QuickTime file to reach the vulnerability in Quartz.dll. Please note this type of attack could happen for any browsers, not IE specific.

    There is also a file-based attack vector by opening a malicious QuickTime file via Windows Media Player to trigger the vulnerability.

    Microsoft offers a simple solution – a “Fix It For Me” option in the related Knowledge Base article. It wouldn’t hurt a bit if you went to KB 971778 and clicked the “Fix It” button to, uh, Fix It. The worse that’ll happen? DreamScape won’t run QuickTime files.

  • Conficker lurking in updates?

    JB writes:

    Dear Woody,

    Is it good to take Adobe Flash player updates? And is AVG 8.5 Free better than AVG 8.0 Free? How do we know these updates aren’t polluted with conficker?

    Yep, it’s always best to install Flash Player updates, Adobe Reader updates, Java updates, and the like, when they’re offered. Why? If they’re screwed up they generally won’t bring your computer to a grinding halt, and the manufacturer typically gets new updates out quickly. I won’t mention QuickTime by name.

    If you use AVG 8.0, you should upgrade to AVG 8.5.

    I can’t imagine any way Conficker could get into any of those updates.

  • QuickTime only available with iTunes?

    I just went to a Web site that requires QuickTime, and discovered that my copy of QuickTime is out of date. No  biggie. I hopped over to the Apple download page and…

    And was reminded that Apple tries to get you to install iTunes when you want QuickTime.

    I vaguely recall seeing links in the past to a QuickTime download without iTunes, but when I went looking, all I could find was . If you click on that link, it re-directs to the standard QuickTime download page – which doesn’t have a standalone version of Quicktime.

    As things stand, I guess I have to install iTunes on this computer if I want QuickTime. Blech.

    Does anybody have a link to the standalone QuickTime download?