Vulnerability Assessment

Re: Microsoft Windows DirectShow QuickTime Parsing 0day (971778)

nomuus — Wed, 15 Jul 2009 23:58:43 GMT

gekko357:

One of our guys found a way to make the High go away if you're interested

No need for a "workaround" or a way to make it go away. This audit was removed with the release of MS09-028 and replaced with a patch check.

http://www.microsoft.com/technet/security/bulletin/MS09-028.mspx

Also, the reason this 0day audit was always showing was to keep you aware that the system has a 0day vulnerability. Applying a workaround and assuming the system is okay is not a good practice. Better to know that you could still be vulnerable should for some reason (be it based in paranoia or not) that the workaround become disabled.

Re: Microsoft Windows DirectShow QuickTime Parsing 0day (971778)

Blue1978 — Wed, 15 Jul 2009 23:44:05 GMT

gekko357:
One of our guys found a way to make the High go away if you're interested

Sure, go ahead and post it so the other users are aware of it.

Re: Microsoft Windows DirectShow QuickTime Parsing 0day (971778)

gekko357 — Wed, 15 Jul 2009 16:59:08 GMT

One of our guys found a way to make the High go away if you're interested

Re: Microsoft Windows DirectShow QuickTime Parsing 0day (971778)

gekko357 — Wed, 15 Jul 2009 16:31:52 GMT

there is a way to make this High go away ... anyone interested post here

Re: Microsoft Windows DirectShow QuickTime Parsing 0day (971778)

Blue1978 — Tue, 07 Jul 2009 01:54:37 GMT

Nicula, Blink's team lead from eEye, just passed along to me information on a new Zero Day (IE ActiveX form) of the DirectShow vulnerability.

http://safelab.spaces.live.com/blog/cns!A6B213403DBD59AF!1420.entry

Blink's Application Protection Layer (aka "Kevlar") already protected its users from this (without a signature of any kind).

To give a face to the exploit name (to be able to recognize it), eEye created a new ActiveX signature to detect and the alert the user.

Blink's AV component, I was also told, detects the initial shell code that exploits the vulnerability itself.

Re: Microsoft Windows DirectShow QuickTime Parsing 0day (971778)

nomuus — Fri, 03 Jul 2009 18:59:44 GMT

gekko357:

I pulled my hair out today trying to get rid of that new Directshow high, and I thought audit stig 2090 was going to make my day simple haaaa... are there any email lists for unfixable retina items like this so we don't chase our tail? thanks

As bpatten said, zero day vulnerabilities will typically always alert even if workarounds are applied to deter exploitation of the vulnerability. For Zero day type vulnerabilities, usually indicated by "(Zero-Day)" in the title, if you mitigate the vulnerability recommended by the vendor then you theoretically should be safe. There are numerous reasons for having an audit alert about a vulnerability, for example so it is not overlooked once a patch is released, so that proper awareness can be focused on a unpatched threat, so workarounds can be removed once a patch is released, etc. It can be miscontrued as paranoia, but when its the integrity of a system (or perhaps user) at risk, sometimes a red flashing light as a reminder is better than a system being compromised that was thought to be safe.

Re: Microsoft Windows DirectShow QuickTime Parsing 0day (971778)

Blue1978 — Thu, 02 Jul 2009 03:18:40 GMT

Speaking of the DirectShow QuickTime Parsing Zero Day, here is a article about how it recently has been used against users.

http://blogs.technet.com/mmpc/

In the article is a link to the original advisory also:

http://www.microsoft.com/technet/security/advisory/971778.mspx

Yet again, I make note of the fact that Blink is proactively protecting you from this vulnerabilty (with no signature needed) while most all other vendor products are scrambling to make signatures for the only "known" malicious media files being used to target the vulnerability instead. Once again the "reactive" method used in AV products today shows its limitations.

Re: Microsoft Windows DirectShow QuickTime Parsing 0day (971778)

bpatten — Thu, 18 Jun 2009 23:23:29 GMT

Hi Gekko357,

Retina audits that are 0day will never have a patch to remove the audit flagging because the exploitable code still resides on the system even if it it somehow mitigated until the patch is released.

I would search for 0day to locate those audits. There typically arent very many because vendors usually patch them pretty quickly, depending on what the vulnerability is.

Hope that helps.

Thanks,

Brian

Re: Microsoft Windows DirectShow QuickTime Parsing 0day (971778)

gekko357 — Thu, 18 Jun 2009 00:37:09 GMT

I pulled my hair out today trying to get rid of that new Directshow high, and I thought audit stig 2090 was going to make my day simple haaaa... are there any email lists for unfixable retina items like this so we don't chase our tail? thanks

Re: Microsoft Windows DirectShow QuickTime Parsing 0day (971778)

bpatten — Mon, 15 Jun 2009 21:58:08 GMT

Hopefully you dont have any FPs. :)

Its just that with 0 day vulnerabilities since there's no fix, we only report if you're vulnerable.

Good luck w/ your audit.

Re: Microsoft Windows DirectShow QuickTime Parsing 0day (971778)

sp00led — Mon, 15 Jun 2009 14:41:42 GMT

Thanks guys. I have an inspection coming up so I'm having to stay on my toes for all the false positives in Retina. These guys love to nitpick from what I'm told.

Re: Microsoft Windows DirectShow QuickTime Parsing 0day (971778)

bpatten — Fri, 12 Jun 2009 19:01:12 GMT

You're correct that Retina (Blink VA) will still pick it up even after you apply the remediation (until the patch comes). The audit is simply looking for the existing of the vulenrable dll (quartz.dll). Once the patch comes out, the audit will be updated to properly check for the patch.

Re: Microsoft Windows DirectShow QuickTime Parsing 0day (971778)

maineblackbear — Thu, 11 Jun 2009 19:41:40 GMT

I did the same as you and this did not remove the risk from my scan. You are right that it is looking at the version of quartz.dll which is actually used by DirectX(DirectShow) when it needs to process quicktime content. That is why it still shows up, even tho you don't have QuickTime installed. Since the workaround is not an acceptable means of remediation (in the eyes of Retina), I guess we will just have to wait for MS to send out a patch some day...

Microsoft Windows DirectShow QuickTime Parsing 0day (971778)

sp00led — Thu, 11 Jun 2009 14:41:10 GMT

I deleted the registry key manually per microsoft KB but I'm still getting a hit in Retina for this Cat I. Did anyone have to do something besides backup and delete the registry key like the instructions said? This is a 32bit system, fyi

Using the interactive method

Click Start, click Run, type regedit in the Open box, and then click OK.
Locate and then click the following subkeys in the registry:
- For 32-bit Windows systems:
  HKEY_CLASSES_ROOT\CLSID\{D51BD5A0-7548-11CF-A520-0080C77EF58A}
- For 64 bit Windows Systems:
  HKEY_CLASSES_ROOT\CLSID\{D51BD5A0-7548-11CF-A520-0080C77EF58A}
  HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{D51BD5A0-7548-11CF-A520-0080C77EF58A}
On the File menu, click Export.
In the Export Registry File dialog box, type Quicktime_Parser_Backup.reg, and then click Save.

Note By default, this will create a backup of this registry key in the My Documents folder.
Press DELETE on the keyboard to delete the registry key. When prompted to delete the registry key in the Confirm Key Delete dialog box, click Yes.
Exit Registry Editor.

Above is the method I used. Still getting a hit though. It appears to be seeing quartz.dll and flagging me. Also i'm not against removing quicktime all together. It doesn't appear to be installed though which is puzzling. IMO, the less programs on a system the better!