CISA KEV Alert 5/20/2026, 7:33:03 PM

CISA Adds 2009 DirectX Flaw to KEV After QuickTime Exploit

Primary source: cisa.gov
CISA KEV: listed in KEV
Patch: available

CISA has added CVE-2009-1537 to its Known Exploited Vulnerabilities (KEV) catalogue. The flaw affects Microsoft DirectX, specifically the QuickTime Movie Parser Filter in quartz.dll, and is named the Microsoft DirectX NULL Byte Overwrite Vulnerability. It allows remote attackers to execute arbitrary code by supplying a specially crafted QuickTime media file.

The vulnerability resides in the QuickTime Movie Parser Filter within quartz.dll, a component of DirectShow in Microsoft DirectX. An attacker can trigger a NULL byte overwrite by supplying a specially crafted QuickTime media file, which, when processed, may allow remote code execution with the privileges of the current user. The attack is delivered over the network and requires user interaction to open the malicious file. The vulnerability carries a CVSS v2 base score of 8.8 (High). Microsoft has


Article by CyberSIXT