What is Microsoft DirectShow?
DirectShow is the multimedia streaming and playback framework in Windows, shipped as part of DirectX. It decodes and renders audio and video in formats including AVI, MPEG and Windows Media and, through format-specific parser filters, QuickTime (.mov) files. The quartz.dll library is the DirectShow filter graph manager and also hosts a built-in QuickTime Movie Parser Filter used for .mov files embedded in web pages or opened directly. Because DirectShow is invoked automatically whenever Windows processes media (including content previewed in Internet Explorer, Windows Media Player and many other applications), a bug in one of its file parsers is reachable simply by viewing a web page or opening an email attachment.
Overview
CVE-2009-1537 is a NULL byte overwrite vulnerability in the QuickTime Movie Parser Filter in quartz.dll, the core DirectShow library. Processing a specially crafted QuickTime .mov file triggers an out-of-bounds write of a single zero byte at an attacker-influenced address, which is enough to corrupt memory and achieve arbitrary code execution in the context of the user who opened the file. Microsoft acknowledged active exploitation in a security advisory before a fix was available, and released MS09-028 on July 14, 2009 (July Patch Tuesday) covering CVE-2009-1537 alongside two related DirectShow flaws (CVE-2009-1538 and CVE-2009-1539). CISA added it to KEV in May 2026, 17 years after the patch.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| Windows 2000 SP4 with DirectX 7.0 | Yes | MS09-028 |
| Windows XP SP2, SP3 with DirectX 9.0c | Yes | MS09-028 |
| Windows Server 2003 SP2 | Yes | MS09-028 |
Note: Windows Vista and Windows Server 2008 are not affected — they do not include the vulnerable QuickTime Movie Parser Filter (Microsoft removed native QuickTime parsing in later DirectX versions). All affected Windows versions are now end-of-life.
Technical Details
CWE-787 (Out-of-bounds Write). The QuickTime Movie Parser Filter in quartz.dll walks the .mov file's atoms (QuickTime's length-prefixed data blocks: a 32-bit size field followed by a four-character type code). The parser derives a write offset from an atom's size field without validating it against the buffer it is filling, so a crafted size causes it to write a single NULL byte outside the intended buffer. By choosing the atom layout, an attacker controls where that zero byte lands and can truncate a pointer, length or other control-flow-relevant value: clearing the low byte of a function pointer redirects the next call through it, and shrinking a bounds field can turn a later, larger write into a full overwrite.
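To make the bug class concrete, the following C program is an added example, not quartz.dll's code or anything published by Microsoft. It models a hypothetical track object whose fixed-size name buffer sits directly in front of a function pointer. The vulnerable routine clamps how much it copies but still places the NUL terminator at the offset the file's atom size field dictates, so a size field of 40 (header plus 32 bytes) drops the zero byte on the pointer's first byte; the hardened routine validates the size against the bytes actually present and the destination buffer before writing anything, and walk_atoms applies the same size-versus-remaining-bytes rule across a whole atom sequence as a triage check for a suspicious .mov. Every name here (track_t, parse_name_atom_vuln, parse_name_atom_safe, walk_atoms, make_atom, the 32-byte NAME_MAX) and the sample atoms are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration of the bug class behind CVE-2009-1537; this is not quartz.dll's
 * code. A QuickTime atom is a 32-bit big-endian size (counting its own 8-byte header)
 * followed by a 4-byte type code. Size 0 ("to end of file") and 1 ("64-bit size
 * follows") are special cases that the checks below simply reject. */
#define HDR      8
#define NAME_MAX 32

/* Hypothetical track object: a fixed name buffer immediately followed by a function
 * pointer the renderer calls later. One flat arena keeps the simulated overwrite
 * inside allocated memory, so the demo itself has no undefined behaviour. */
typedef struct { uint8_t arena[NAME_MAX + sizeof(uintptr_t)]; } track_t;

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static void track_init(track_t *t, uintptr_t fn) {
    memset(t->arena, 'A', NAME_MAX);
    memcpy(t->arena + NAME_MAX, &fn, sizeof fn);
}
static uintptr_t track_fnptr(const track_t *t) {
    uintptr_t v;
    memcpy(&v, t->arena + NAME_MAX, sizeof v);
    return v;
}

/* Vulnerable pattern: the copy length is clamped, but the terminator index is still the
 * payload length taken from the file. A crafted size steers one 0x00 past the buffer.
 * (The clamp to sizeof arena exists only to keep this demo in bounds; the real bug
 * class has no such limit, so the zero lands wherever the size field points.) */
int parse_name_atom_vuln(track_t *t, const uint8_t *atom, size_t avail) {
    if (avail < HDR) return -1;
    size_t payload = be32(atom) - HDR;                       /* trusted as-is */
    size_t n = payload < NAME_MAX - 1 ? payload : NAME_MAX - 1;
    memcpy(t->arena, atom + HDR, n);
    if (payload < sizeof t->arena)
        t->arena[payload] = 0;                               /* BUG: attacker-chosen offset */
    return 0;
}

/* Hardened form: the size must cover its own header, fit the bytes actually present,
 * and leave room for the terminator, all checked before anything is written. */
int parse_name_atom_safe(track_t *t, const uint8_t *atom, size_t avail) {
    if (avail < HDR) return -1;
    uint32_t size = be32(atom);
    if (size < HDR || size > avail) return -1;
    size_t payload = size - HDR;
    if (payload >= NAME_MAX) return -1;
    memcpy(t->arena, atom + HDR, payload);
    t->arena[payload] = 0;
    return 0;
}

/* Triage walk over a flat atom sequence (e.g. a suspicious .mov read into memory):
 * returns the atom count, or -1 at the first atom whose size is special, smaller
 * than its header, or larger than the bytes remaining. */
int walk_atoms(const uint8_t *buf, size_t len) {
    int count = 0;
    size_t off = 0;
    while (off < len) {
        if (len - off < HDR) return -1;
        uint32_t size = be32(buf + off);
        if (size < HDR || size > len - off) return -1;
        off += size;
        count++;
    }
    return count;
}

/* Builds one atom into out with an arbitrary size field (so it can lie) and the given
 * payload; returns the number of bytes actually written. */
size_t make_atom(uint8_t *out, uint32_t size_field, const char type[4], const char *payload) {
    out[0] = (uint8_t)(size_field >> 24); out[1] = (uint8_t)(size_field >> 16);
    out[2] = (uint8_t)(size_field >> 8);  out[3] = (uint8_t)size_field;
    memcpy(out + 4, type, 4);
    size_t plen = strlen(payload);
    memcpy(out + HDR, payload, plen);
    return HDR + plen;
}

int main(void) {
    track_t t;
    uint8_t atom[64];
    char big[NAME_MAX + 1];
    memset(big, 'B', NAME_MAX);
    big[NAME_MAX] = 0;
    /* Constructed crafted atom: size field 40 = header + 32 bytes, one past the name buffer. */
    size_t n = make_atom(atom, HDR + NAME_MAX, "name", big);
    track_init(&t, (uintptr_t)0x12345678);
    parse_name_atom_vuln(&t, atom, n);
    printf("vulnerable parser: fnptr after crafted atom = 0x%lx\n", (unsigned long)track_fnptr(&t));
    track_init(&t, (uintptr_t)0x12345678);
    int rc = parse_name_atom_safe(&t, atom, n);
    printf("hardened parser:   rc=%d, fnptr = 0x%lx\n", rc, (unsigned long)track_fnptr(&t));
    return 0;
}
```

Build with any C99 compiler and run it. On a little-endian host the crafted atom turns the stored 0x12345678 into 0x12345600 under the vulnerable parser (the low byte is the first byte after the name buffer), while the hardened parser returns -1 and leaves the pointer untouched. The rule walk_atoms enforces, that a declared size may never exceed the bytes left in its container, is the same check a mail gateway or file-type validator should apply before handing a .mov to anything that parses it.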
Attack delivery: .mov files are processed by DirectShow automatically when embedded in web pages (Internet Explorer invokes DirectShow for media content) or when opened in any application that uses DirectShow for media handling. A victim visiting a malicious web page or opening a malicious email attachment containing a crafted .mov reference is sufficient to trigger the vulnerability.
MS09-028 also fixed two further flaws in the same quartz.dll QuickTime parsing code path: CVE-2009-1538, a pointer validation flaw, and CVE-2009-1539, a size validation flaw. All three are reachable through a crafted .mov file.
Discovery
Microsoft released Security Advisory 971778 on May 28, 2009, the day before CVE-2009-1537 was published, acknowledging reports of active exploitation in the wild before a patch was available. The advisory offered workarounds while the fix was prepared, among them disabling QuickTime parsing in quartz.dll through the registry and, more bluntly, unregistering quartz.dll altogether.
Exploitation Context
CVE-2009-1537 was exploited as a zero-day before Microsoft's patch. The attack surface, media files in web pages and email, made it an effective vector for drive-by download campaigns and targeted attacks in the 2009 threat landscape, when Internet Explorer 6 and 7 were dominant and exploitation of browser-reachable media and plugin parsers was a primary initial access technique. CISA's May 2026 KEV addition means CISA holds evidence of exploitation; the only hosts such exploitation can still succeed against are Windows 2000, XP and Server 2003 systems that never received MS09-028, which is where the remaining exposure lies.
Remediation
- Apply MS09-028; the patch has been available since July 2009, and any affected system that has received post-2009 updates is already covered.
- For legacy Windows XP / Server 2003 systems that cannot be patched, apply a workaround from Security Advisory 971778: unregistering quartz.dll (regsvr32 /u quartz.dll) prevents exploitation but disables all DirectShow-based playback, not only QuickTime, so test the impact on the applications the host runs before rolling it out.
- Prioritize replacement of Windows XP / Server 2003 systems; they are permanently unpatched against thousands of known vulnerabilities beyond this one.
- Block or restrict .mov file handling on legacy systems through application control policies or disabling Windows Media Player/DirectShow previewing features.
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2009-1537 |
| Vendor / Product | Microsoft — DirectX |
| NVD Published | 2009-05-29 |
| NVD Last Modified | 2026-05-21 |
| CVSS 3.1 Score | 8.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-787 (Out-of-bounds Write) |
| CISA KEV Added | 2026-05-20 |
| CISA KEV Deadline | 2026-06-03 |
| Known Ransomware Use | No |
| Date | Event |
|---|---|
| 2009-05-28 | Microsoft releases Security Advisory 971778 acknowledging a vulnerability in DirectShow's QuickTime Movie Parser; exploitation confirmed in the wild before the patch |
| 2009-07-14 | Microsoft patches CVE-2009-1537 (and related CVE-2009-1538, CVE-2009-1539) in MS09-028, July 2009 Patch Tuesday |
| 2026-05-20 | CISA adds CVE-2009-1537 to Known Exploited Vulnerabilities catalog — 17 years after the patch |
| 2026-06-03 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Microsoft Security Bulletin MS09-028 — Critical | Vendor Advisory |
| NVD — CVE-2009-1537 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |