Vulnerabilities in Media Decompression Could Allow Remote Code Execution
This security update resolves two privately reported vulnerabilities in Microsoft Windows. These vulnerabilities could allow remote code execution if a user opens a specially crafted media file or receives specially crafted streaming content from a Web site or any application that delivers Web content. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
This security update is rated Critical for Quartz.dll (DirectShow) on Microsoft Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008; Critical for Windows Media Format Runtime on Microsoft Windows 2000, Windows XP, and Windows Server 2003; Critical for Asycfilt.dll (COM component) on Microsoft Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2; and Important for Windows Media Encoder 9 x86 and x64 on Microsoft Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. For more information, see the subsection, Affected and Non-Affected Software, in this section.
The security update addresses the vulnerabilities by modifying the way that Windows parses media files. For more information about the vulnerabilities, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.
For more information on this issue, including potential causes, workarounds, and resolutions, see Microsoft KB Article KB979902.