Microsoft to patch new DirectX hole

New hole in DirectX could allow an attacker to take control of a computer if the user visits a site and runs a maliciously crafted QuickTime file.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
Elinor Mills

Microsoft on Thursday said it is working on a security patch for a vulnerability in its DirectX streaming media technology in Windows that could allow someone to take complete control of a computer using a maliciously crafted QuickTime file.

Microsoft offers an easy way to enable a workaround for the latest security hole in DirectX. Microsoft

The remote code execution vulnerability exists in the way Microsoft DirectShow, audio and video sourcing and rendering software, handles supported QuickTime format files, the company said.

"Microsoft is aware of limited, active attacks that use this exploit code," Microsoft's security advisory said. "If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."

Windows 2000 Service Pack 4, Windows XP, and Windows Server 2003 are vulnerable but all versions of Windows Vista and Windows Server 2008 are not vulnerable, according to the advisory.

For the attack to work an attacker would have to lure the victim to visit a malicious Web site that hosts the exploit. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user.

Microsoft said it would release a patch to fix the hole as soon as it is ready for broad distribution. In the meantime, details on a workaround are available here, as well a "fix it" button.