Emergency Fix

CVE-2009-1537

Remote Code Execution in Microsoft DirectX

Summary

Microsoft DirectShow's QuickTime Movie Parser Filter in quartz.dll on affected DirectX versions mishandles crafted QuickTime media files. An attacker can lure a user to open a malicious QuickTime file or visit a web page that serves it; no authentication is needed, but user interaction is required. Successful exploitation can execute arbitrary code with the logged-on user's privileges and may lead to full system compromise.

Why Emergency Fix?

6/6
No authentication required
Mixed internet / internal deployment
User interaction unknown (assumed none)
Exploitable in default configuration
Active exploitation in the wild
High impact vulnerability

Exploitation Details

Type: RCE (Remote Code Execution)
Is exploitable with default configuration? Yes
Is authentication needed? No
PoC / Exploit: No

Impact

Execute arbitrary code with the privileges of the logged-on user; admin sessions can yield full system control.

RCE (Remote Code Execution)
Exploitation Requirements

None — vulnerable in default configuration

Exploitation Process

The attacker crafts a malicious QuickTime media file that abuses DirectShow's parsing of QuickTime content in quartz.dll. The file is delivered through a web page, email attachment, or other download lure, and the victim must open or preview it on a vulnerable Windows system. When DirectShow processes the malformed media, attacker-controlled code can run and may retrieve or launch additional payloads.

Detection Resources
Manual Detection: 0
Script Detection: 0
Scanner Detection: 1

Affected Software

Vendor: Microsoft
Product: DirectX
Affected Versions: 7.0 through 9.0c on Windows 2000 SP4, Windows XP SP2/SP3, and Windows Server 2003 SP2

Description

Microsoft DirectX is a set of Windows multimedia APIs and runtime components used for graphics, video, audio, and media playback in applications and games.

Deployment: Mixed (internet/internal) | Protocol: HTTP | Ports: 80, 443

Affected Component: QuickTime Movie Parser Filter in DirectShow (quartz.dll) that parses crafted QuickTime media files.

Vendor Size: Big

Remediation
Workaround
Disable parsing of QuickTime content in quartz.dll by removing the QuickTime parser CLSID registration, as described by Microsoft. This blocks the known attack vector but can break QuickTime playback.

learn.microsoft.com
Patch
Apply the Microsoft security update delivered through MS09-028 for the affected DirectX release on supported Windows systems.

learn.microsoft.com
Update

Not available

Threat Intelligence
EPSS Score: 68.1%

Probability of exploitation in the next 30 days

EPSS Percentile: 99%

Worse than 99% of all CVEs

CISA KEV: Listed
Active Exploitation: Active
microsoft.com
Threat Actors

No known threat actors

Detection Rules (2)

Snort: FILE-MULTIMEDIA Microsoft Windows AVI DirectShow QuickTime parsing overflow attempt
KQL: DeviceAlertEvents | where Title == "Exploit:Win32/CVE-2009-1537"

NVD Data

Description Summary

Unspecified vulnerability in the QuickTime Movie Parser Filter in quartz.dll in DirectShow in Microsoft DirectX 7.0 through 9.0c on Windows 2000 SP4, Windows XP SP2 and SP3, and Windows Server 2003 SP2 allows remote attackers to execute arbitrary code via a crafted QuickTime media file, as exploited in the wild in May 2009, aka "DirectX NULL Byte Overwrite Vulnerability."

CVSS Base Score

9.3
Critical

CVSS Vector (AV:N/AC:M/Au:N/C:C/I:C/A:C)

Affected Software (CPE) (17)

  • cpe:2.3:a:microsoft:directx:7.0:*:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:directx:7.0a:*:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:directx:7.1:*:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:directx:8.1:*:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:directx:8.1b:*:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:directx:9.0:*:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:directx:9.0a:*:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:directx:9.0b:*:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:directx:9.0c:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_2000:*:sp4:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_2003_server:*:sp2:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_2003_server:*:sp2:itanium:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_2003_server:*:sp2:x64:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_server_2003:*:sp2:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_xp:*:sp2:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_xp:*:sp2:professional_x64:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_xp:*:sp3:*:*:*:*:*:*

Priority History

Emergency Fix

Initial analysis