DirectShow Security

Windows Mobile 6.5
A version of this page is also available for

DirectShow should be used with caution in environments that require high security.

DirectShow does not have the intimate interaction with system hardware commonly found in other multimedia features, so it does not involve the same types of security concerns as these other features.

Instead, DirectShow can introduce vulnerabilities to a platform through interaction with other software outside the control of the platform developer or applications programmer.

DirectShow opens network ports for streaming data. This exposes DirectShow applications, and the Windows Embedded CE-based devices that they run on, to the typical security concerns associated with networking, such as denial of service attacks.

However, this means as well that you can implement typical known countermeasures, such as firewalls for streaming media, to enhance the security of your platform or application.

DirectShow opens port 80 when streaming over HTTP and it opens port 1755 when streaming from a Microsoft Media Server (MMS). These port associations hard-coded into DirectShow and therefore cannot be changed.
However, a user can override these settings by explicitly specifying a port number in the URL for their streamed content.
For example, a user could request and so long as the server recognized port 8080, DirectShow could receive the content.

DirectShow is designed around the assumption that your application will be working with privileged networks and privileged data sources. It relies on other layers in your application or system architecture to address common network security tasks, such as and authenticating requests or performing packet checksums.

It is also possible for DirectShow applications to be exposed to malicious scripts embedded within certain media file types, such as .asf files.

You should always make sure that any third-party software, like codecs, that you introduce into your DirectShow application is well-tested and comes from a privileged source.

When writing DirectShow applications, always code with the assumption that media data contains formatting or description errors.