[CDP-development] TLP:GREEN (Vulnerability Alert Notification) CVE-2009-1537: Microsoft DirectX QuickTime Parser RCE
ESO_SOC * DAS
ESO.SOC at das.oregon.gov
Wed May 20 14:53:30 PDT 2026
Good afternoon,
The SOC Services team is reporting on the vulnerability CVE-2009-1537, which affects Microsoft Windows 2000 SP4, Windows XP SP2/SP3, and Windows Server 2003 SP2 systems running vulnerable DirectX components. CISA added the vulnerability to the Known Exploited Vulnerabilities (KEV) catalog following confirmed active exploitation in the wild against vulnerable Windows systems through malicious media files, so we are providing this in-depth information.
History: On May 29, 2009, CVE-2009-1537 was publicly disclosed after Microsoft confirmed active exploitation involving crafted QuickTime media files abusing the QuickTime Movie Parser Filter in quartz.dll within DirectShow. The CVSS v3.x base score is 8.8 (HIGH) as assigned by CISA-ADP.
Affected Versions
* Microsoft DirectX 7.0 through 9.0c
* Windows 2000 Service Pack 4
* Windows XP Service Pack 2
* Windows XP Service Pack 3
* Windows XP Professional x64 Edition
* Windows Server 2003 Service Pack 2
* Windows Server 2003 x64 Edition SP2
* Windows Server 2003 Itanium SP2
Fixed Versions
* Microsoft Security Bulletin MS09-028
* Security update KB971633
* Systems updated with the June 2009 DirectShow/DirectX security patch set
Microsoft DirectShow contains a NULL byte overwrite vulnerability in the QuickTime Movie Parser Filter within quartz.dll. Successful exploitation allows remote attackers to execute arbitrary code via a specially crafted QuickTime media file. Microsoft confirmed limited active exploitation in the wild at the time of disclosure.
Vendor Advisory: Microsoft Security Advisory 971778 / MS09-028<https://learn.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-028>
Intelligence: On May 20, 2026, CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog.
Exploitability: Network
Complexity: Low
User Interaction: Required
Remotely Exploitable: Yes
Proof of Concept: Publicly Available
Zero Day: No
Workarounds:
* Disable the QuickTime Movie Parser Filter in quartz.dll
* Restrict handling of QuickTime media files in vulnerable environments
* Block untrusted media attachments at email gateways
* Prevent execution of media content from untrusted websites
* Implement least-privilege user controls to reduce the impact of successful exploitation
How it Works: The vulnerability exists in the QuickTime Movie Parser Filter within quartz.dll, which is used by Microsoft DirectShow. Attackers craft malformed QuickTime media files whose metadata structures trigger a NULL byte overwrite that corrupts memory during parsing. When a user opens the malicious media file through a vulnerable application or browser context, the parser mishandles the embedded metadata structures, causing memory corruption and arbitrary code execution in the context of the logged-in user. The vulnerability aligns closely with CWE-158 (Improper Neutralization of Null Byte or NUL Character). In observed campaigns, exploitation commonly involved malicious websites or email-delivered multimedia attachments.
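The "malformed metadata structures" mentioned above refer to the QuickTime atom layout: each atom carries a 4-byte big-endian size (covering its own 8-byte header) followed by a 4-byte type, with a size of 1 meaning a 64-bit size follows and a size of 0 meaning the atom runs to the end of its container. The following walker is an added example, not code from the advisory or from Microsoft, and it does not reproduce the quartz.dll defect; it shows the structural checks a robust parser must make before trusting any declared length, and it can serve as a triage pass over suspicious .mov files. The container atom list and the three sample files are constructed for illustration.

```python
"""Structural triage of QuickTime (.mov) atom layout (added example)."""
import struct

HEADER = 8          # 4-byte big-endian size + 4-byte type
MAX_DEPTH = 16      # guard against pathological nesting
# Container atoms whose payload is itself a sequence of atoms (assumed subset of the spec)
CONTAINER_ATOMS = {b"moov", b"trak", b"mdia", b"minf", b"stbl", b"udta", b"edts", b"dinf"}


def walk_atoms(data, start=0, end=None, depth=0):
    """Yield (offset, type, size, depth) for every atom; raise ValueError on the
    first size field that does not fit the bytes actually present."""
    if end is None:
        end = len(data)
    if depth > MAX_DEPTH:
        raise ValueError(f"nesting deeper than {MAX_DEPTH} at offset {start}")
    pos = start
    while pos < end:
        if end - pos < HEADER:
            raise ValueError(f"truncated atom header at offset {pos}")
        size, atype = struct.unpack(">I4s", data[pos:pos + HEADER])
        hdr = HEADER
        if size == 1:  # 64-bit extended size follows the type field
            if end - pos < HEADER + 8:
                raise ValueError(f"truncated 64-bit size at offset {pos}")
            (size,) = struct.unpack(">Q", data[pos + HEADER:pos + HEADER + 8])
            hdr = HEADER + 8
        elif size == 0:  # atom extends to the end of its container
            size = end - pos
        if size < hdr:
            raise ValueError(f"atom {atype!r} at offset {pos} declares size {size}, smaller than its header")
        if pos + size > end:
            raise ValueError(f"atom {atype!r} at offset {pos} declares size {size}, exceeding container end {end}")
        yield pos, atype, size, depth
        if atype in CONTAINER_ATOMS:
            yield from walk_atoms(data, pos + hdr, pos + size, depth + 1)
        pos += size


def triage(data):
    """Return (ok, atoms_seen, reason); ok is False when the structure is inconsistent."""
    atoms = []
    try:
        for a in walk_atoms(data):
            atoms.append(a)
    except ValueError as exc:
        return False, atoms, str(exc)
    return True, atoms, ""


def atom(atype, payload=b""):
    """Build a well-formed atom (helper for the constructed samples below)."""
    return struct.pack(">I4s", HEADER + len(payload), atype) + payload


# Constructed samples, not real files: a consistent layout, an atom whose declared
# size overruns the file, and an atom whose size is smaller than its own header
# (a naive parser would compute a negative payload length or never advance).
GOOD = atom(b"ftyp", b"qt  \x00\x00\x00\x00") + atom(
    b"moov", atom(b"mvhd", b"\x00" * 100) + atom(b"trak", atom(b"tkhd", b"\x00" * 84)))
BAD_OVERRUN = atom(b"ftyp", b"qt  ") + struct.pack(">I4s", 0x7FFFFFFF, b"moov") + b"\x00" * 16
BAD_UNDERSIZE = atom(b"ftyp", b"qt  ") + struct.pack(">I4s", 4, b"moov") + b"\x00" * 16

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("BAD_OVERRUN", BAD_OVERRUN), ("BAD_UNDERSIZE", BAD_UNDERSIZE)):
        ok, atoms, reason = triage(sample)
        print(f"{name}: ok={ok} atoms={[t.decode() for _, t, _, _ in atoms]} {reason}")
```

A file that fails `triage` is not proof of an exploit attempt, but it is exactly the class of input a patched parser must reject and an unpatched quartz.dll may not, so it is a reasonable first filter for media files quarantined at an email gateway.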
Post-Exploit Impact:
* Remote code execution (CWE-94)
* Arbitrary process execution under user context (CWE-119)
* System compromise (CWE-284)
* Malware installation (CWE-506)
* Credential theft (CWE-522)
Indicators of Compromise (IoCs):
Type | Value | Description / Notes | Source
File | .mov or QuickTime media files with malformed metadata structures | Crafted QuickTime media files used to trigger memory corruption during parsing | Microsoft Advisory
Process | Unexpected crashes involving quartz.dll | Application crashes or faults during media playback or preview | Microsoft Security Response Center
Network | Outbound connections following media file execution | Potential command-and-control activity after successful exploitation | Threat Intelligence Reporting
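The Process and Network rows of the IoC table combine naturally into one detection: a Windows Application Error event (Event ID 1000) whose faulting module is quartz.dll, followed shortly by outbound traffic from the same host. The code below is an added example, not from the advisory; the pipe-delimited SIEM export format, the host names, the firewall log source and the 10-minute correlation window are all assumptions, and the log lines are constructed (documentation IP ranges, no real telemetry).

```python
"""Correlate quartz.dll faults with follow-on egress (added example)."""
import re
from datetime import datetime, timedelta

# Constructed SIEM export, not real telemetry. Fields: timestamp|host|source|event_id|message.
# Event ID 1000 is the Windows "Application Error" event; its message names the faulting module.
SAMPLE_LOG = """\
2026-05-20T09:14:02Z|WS-0417|Application|1000|Faulting application iexplore.exe, version 8.0.6001.18702, faulting module quartz.dll, version 6.5.2600.5731, fault address 0x0001f2c4.
2026-05-20T09:14:31Z|WS-0417|Firewall|OUT|Outbound connection allowed: 10.20.30.17:49211 -> 203.0.113.50:443 (process: C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\update.exe)
2026-05-20T10:02:15Z|WS-0519|Application|1000|Faulting application wmplayer.exe, version 10.0.0.3802, faulting module quartz.dll, version 6.5.2600.5731, fault address 0x00031b9a.
2026-05-20T11:40:00Z|WS-0519|Firewall|OUT|Outbound connection allowed: 10.20.30.22:50120 -> 192.0.2.10:80 (process: C:\\Program Files\\Internet Explorer\\iexplore.exe)
2026-05-20T12:00:00Z|WS-0620|Application|1000|Faulting application excel.exe, version 11.0.8169.0, faulting module mso.dll, version 11.0.8172.0, fault address 0x00044fe2.
2026-05-20T12:00:20Z|WS-0620|Firewall|OUT|Outbound connection allowed: 10.20.30.31:51000 -> 198.51.100.7:443 (process: C:\\Program Files\\Microsoft Office\\OFFICE11\\EXCEL.EXE)
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\|(?P<host>[^|]+)\|(?P<source>[^|]+)\|(?P<event_id>[^|]+)\|(?P<msg>.*)$")
FAULT_RE = re.compile(r"faulting application (?P<app>[^,]+),.*?faulting module (?P<module>[^,]+),", re.I)


def parse_lines(text):
    """Parse the assumed export format into dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(d)
    return events


def find_module_faults(events, module="quartz.dll"):
    """Event ID 1000 records whose faulting module matches (the Process IoC)."""
    faults = []
    for e in events:
        if e["event_id"] != "1000":
            continue
        m = FAULT_RE.search(e["msg"])
        if m and m.group("module").strip().lower() == module:
            faults.append({**e, "app": m.group("app").strip()})
    return faults


def correlate(events, window=timedelta(minutes=10)):
    """For each quartz.dll fault, count outbound connections from the same host
    inside the window (the Network IoC). Egress after a crash raises severity."""
    alerts = []
    for f in find_module_faults(events):
        egress = [e for e in events
                  if e["host"] == f["host"] and e["source"] == "Firewall"
                  and f["ts"] <= e["ts"] <= f["ts"] + window]
        alerts.append({
            "host": f["host"], "app": f["app"], "crash_time": f["ts"],
            "egress_count": len(egress),
            "severity": "high" if egress else "medium",
        })
    return alerts


if __name__ == "__main__":
    for a in correlate(parse_lines(SAMPLE_LOG)):
        print(f"{a['severity'].upper():6} {a['host']} {a['app']} crashed in quartz.dll at "
              f"{a['crash_time']:%H:%M:%S}, {a['egress_count']} outbound connection(s) within window")
```

Both crash-only and crash-plus-egress cases are surfaced: a fault in quartz.dll on an unpatched host is worth a look by itself, while egress within minutes of the fault, especially from a process running out of a temp directory, is the signal that should drive the "verify the host has not been compromised before patching" step in the recommended actions.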
Tenable Plugins:
Plugin ID | Plugin Title | Severity | Platform
39791<https://www.tenable.com/plugins/nessus/39791> | Vulnerabilities in Microsoft DirectShow Could Allow Remote Code Execution (971633) | High | Nessus
Recommended Actions:
Date Added to KEV Catalog: May 20, 2026
Due Date for Remediation: June 3, 2026
* Immediately deploy the Microsoft MS09-028 security update across all vulnerable Windows systems.
* Prioritize remediation of legacy Windows XP and Windows Server 2003 systems still operating within enterprise environments.
* Verify that the host has not been compromised before applying patches.
* Apply the appropriate vendor-provided updates to vulnerable systems after testing.
* Run all software as a non-privileged user to reduce the impact of a successful attack.
* Apply the principle of least privilege to all systems and services.
Cyber Security Services
State of Oregon Cyber Security Services
Enterprise Information Services | SOC
Cyber Security Services (CSS)
SOC Hotline: (503) 378-5930 | SOC Services (503) 373-0378