
Subject: CERT Advisory CA-2003-18 Integer Overflows in Microsoft Windows DirectX MIDI Library
From: CERT Advisory
Date: Fri, 25 Jul 2003 14:49:29 -0400

-----BEGIN PGP SIGNED MESSAGE-----


CERT Advisory CA-2003-18 Integer Overflows in Microsoft Windows DirectX
MIDI Library

   Original issue date: July 25, 2003
   Last revised: --
   Source: CERT/CC

   A complete revision history is at the end of this file.


Systems Affected

     * Microsoft  Windows  systems  running DirectX (Windows 98, 98SE, NT
       4.0, NT 4.0 TSE, 2000, Server 2003). Consult Microsoft Security
       Bulletin MS03-030 for the specific DirectX versions affected on
       each platform.


Overview

   A  set  of  integer  overflows exists in a DirectX library included in
   Microsoft  Windows.  An  attacker  could exploit this vulnerability to
   execute arbitrary code or to cause a denial of service.


I. Description

   Microsoft  Windows  operating  systems include multimedia technologies
   called  DirectX  and  DirectShow.  From  Microsoft  Security  Bulletin
   MS03-030,   "DirectX  consists  of  a  set  of  low-level  Application
   Programming  Interfaces  (APIs)  that are used by Windows programs for
   multimedia support. Within DirectX, the DirectShow technology performs
   client-side audio and video sourcing, manipulation, and rendering."

   DirectShow  support  for MIDI files is implemented in a library called
   quartz.dll. This library contains two vulnerabilities:

     VU#561284 - Microsoft Windows DirectX MIDI library does not
                 adequately validate Text or Copyright parameters in
                 MIDI files

     VU#265232 - Microsoft Windows DirectX MIDI library does not
                 adequately validate MThd track values in MIDI files

   In  both  cases,  a specially crafted MIDI file supplies length or count
   values  that the library uses, without adequate validation, to compute
   the size of a heap allocation. The arithmetic wraps, the buffer is
   allocated smaller than the data it must hold, and the data that follows
   is written past the end of the buffer, corrupting the heap.
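   The following C program is an added illustration of the bug class
   described above, covering both the length-driven case (VU#561284) and
   the track-count-driven case (VU#265232). It is not code from quartz.dll
   or from the eEye advisory: the 64-byte per-track record, the 8-byte
   chunk header, and the 16-bit accumulator are assumptions chosen so the
   wrap-around is visible. Each vulnerable size computation is shown
   beside a checked version, and a constructed MThd header drives them.

```c
/*
 * Added illustration of the bug class in CA-2003-18, NOT code from quartz.dll
 * or from eEye's advisory. The record size, the 8-byte chunk header and the
 * 16-bit accumulator are assumptions chosen to make the wrap-around visible.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical per-track bookkeeping record (64 bytes). */
typedef struct { uint8_t state[64]; } track_state;

/* Big-endian field readers; Standard MIDI Files store multi-byte fields big-endian. */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}
static uint16_t be16(const uint8_t *p) {
    return (uint16_t)(((uint16_t)p[0] << 8) | p[1]);
}

/* Shape 1, additive: a 32-bit chunk length taken from the file plus a fixed
 * header, computed with no check. For chunk_len >= 0xFFFFFFF8 the sum wraps,
 * so the allocation is a few bytes while the copy that follows trusts chunk_len. */
uint32_t vuln_chunk_alloc_size(uint32_t chunk_len) {
    return chunk_len + 8u;
}

/* Hardened: refuse values that would wrap or that claim more bytes than the
 * file actually contains. Returns 1 and sets *out on success, 0 on rejection. */
int safe_chunk_alloc_size(uint32_t chunk_len, size_t file_remaining, uint32_t *out) {
    if (chunk_len > UINT32_MAX - 8u) return 0;   /* sum would wrap */
    if (chunk_len > file_remaining) return 0;    /* length exceeds the data present */
    *out = chunk_len + 8u;
    return 1;
}

/* Shape 2, multiplicative: the 16-bit MThd track count times a per-track
 * record size, truncated to 16 bits. 1024 * 64 = 65536, which truncates to 0:
 * a zero-byte table for 1024 tracks. */
uint16_t vuln_track_table_size(uint16_t ntrks) {
    return (uint16_t)(ntrks * sizeof(track_state));
}

/* Hardened: compute in size_t and guard the multiplication. */
int safe_track_table_size(uint16_t ntrks, size_t *out) {
    if (ntrks == 0) return 0;
    if ((size_t)ntrks > SIZE_MAX / sizeof(track_state)) return 0;
    *out = (size_t)ntrks * sizeof(track_state);
    return 1;
}

/* Checked MThd parse: 14 bytes total, 6-byte body, format 0..2, and a
 * format-0 file must carry exactly one track. */
int parse_mthd(const uint8_t *buf, size_t len,
               uint16_t *format, uint16_t *ntrks, uint16_t *division) {
    if (len < 14 || memcmp(buf, "MThd", 4) != 0) return 0;
    if (be32(buf + 4) != 6) return 0;
    *format   = be16(buf + 8);
    *ntrks    = be16(buf + 10);
    *division = be16(buf + 12);
    if (*format > 2) return 0;
    if (*format == 0 && *ntrks != 1) return 0;
    return 1;
}

/* Constructed sample header (not taken from any real file): format 1,
 * 1024 tracks, 96 ticks per quarter note. */
const uint8_t SAMPLE_MTHD[14] = {
    'M','T','h','d', 0x00,0x00,0x00,0x06, 0x00,0x01, 0x04,0x00, 0x00,0x60
};

int main(void) {
    uint16_t fmt, ntrks, ppq;
    size_t checked = 0;
    if (!parse_mthd(SAMPLE_MTHD, sizeof SAMPLE_MTHD, &fmt, &ntrks, &ppq)) return 1;
    if (safe_track_table_size(ntrks, &checked))
        printf("tracks=%u  naive 16-bit table=%u bytes  checked table=%zu bytes\n",
               ntrks, vuln_track_table_size(ntrks), checked);
    printf("chunk_len=0xFFFFFFFF  naive alloc=%u bytes\n",
           vuln_chunk_alloc_size(0xFFFFFFFFu));
    return 0;
}
```

   The checked versions reject before the arithmetic runs rather than
   inspecting the result afterwards, and they bound the declared length by
   the bytes actually left in the file, which catches most crafted values
   long before any allocation size is computed.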

   Any application that uses DirectX/DirectShow to process MIDI files may
   be  affected  by  this  vulnerability. Of particular concern, Internet
   Explorer  (IE)  uses  the  Windows  Media  Player  ActiveX control and
   quartz.dll  to  handle  MIDI  files  embedded  in  HTML  documents. An
   attacker  could  therefore  exploit this vulnerability by convincing a
   victim  to  view an HTML document, such as a web page or an HTML email
   message, that contains an embedded MIDI file. Note that in addition to
   IE,  a  number  of  applications,  including Outlook, Outlook Express,
   Eudora,  AOL,  Lotus  Notes, and Adobe PhotoDeluxe, use the WebBrowser
   ActiveX  control  to  interpret HTML documents and therefore handle an
   embedded MIDI file the same way IE does.

   Further  technical  details  are  available  in  eEye Digital Security
   advisory AD20030723. Common Vulnerabilities and Exposures (CVE) refers
   to these vulnerabilities as CAN-2003-0346 (the candidate identifier
   later became CVE-2003-0346).


II. Impact

   By  convincing  a  victim  to  access a specially crafted MIDI or HTML
   file,  an attacker could execute arbitrary code with the privileges of
   the  victim.  The attacker could also cause a denial of service in any
   application that uses the vulnerable functions in quartz.dll.


III. Solution

Apply a patch

   Apply  the  appropriate  patch  as  specified  by  Microsoft  Security
   Bulletin MS03-030.

Disable embedded MIDI files

   Change  the  Run  ActiveX  controls  and  plug-ins security setting to
   Disable  in the Internet zone and the zone(s) used by Outlook, Outlook
   Express,  and  any  other application that uses the WebBrowser ActiveX
   control to render HTML. This modification will prevent MIDI files from
   being automatically loaded from HTML documents. Note that the setting
   disables every ActiveX control in the affected zone, not only the
   Windows Media Player control, so other content in those zones will stop
   working. This workaround is not a complete solution and will not prevent
   attacks  that  load  MIDI  files  directly, for example a .mid file
   opened as an attachment or from disk in a DirectShow-based player.

   Instructions  for  modifying IE security zone settings can be found in
   the CERT/CC Malicious Web Scripts FAQ.


Appendix A. Vendor Information

   This  appendix  contains information provided by vendors. When vendors
   report  new  information,  this section is updated and the changes are
   noted  in  the  revision  history. If a vendor is not listed below, we
   have not received their comments.

Microsoft

     Please see Microsoft Security Bulletin MS03-030.


Appendix B. References

     * CERT/CC Vulnerability Note VU#561284 -
       http://www.kb.cert.org/vuls/id/561284
     * CERT/CC Vulnerability Note VU#265232 -
       http://www.kb.cert.org/vuls/id/265232
     * eEye Digital Security advisory AD20030723 -
       http://www.eeye.com/html/Research/Advisories/AD20030723.html
     * Microsoft Security Bulletin MS03-030 -
       http://microsoft.com/technet/security/bulletin/MS03-030.asp
     * Microsoft Knowledge Base article 819696 -
       http://support.microsoft.com/default.aspx?scid=kb;en-us;819696
     _________________________________________________________________

   These  vulnerabilities were  researched and reported by  eEye  Digital
   Security.
     _________________________________________________________________

   Feedback can be directed to the author, Art Manion.
   ______________________________________________________________________

   This document is available from:
   http://www.cert.org/advisories/CA-2003-18.html
   ______________________________________________________________________


CERT/CC Contact Information

   Email: [address withheld in this archive]
          Phone: +1 412-268-7090 (24-hour hotline)
          Fax: +1 412-268-6989
          Postal address:
          CERT Coordination Center
          Software Engineering Institute
          Carnegie Mellon University
          Pittsburgh PA 15213-3890
          U.S.A.

   CERT/CC   personnel   answer  the  hotline  08:00-17:00  EST(GMT-5)  /
   EDT(GMT-4)  Monday  through  Friday;  they are on call for emergencies
   during other hours, on U.S. holidays, and on weekends.

Using encryption

   We  strongly  urge you to encrypt sensitive information sent by email.
   Our public PGP key is available from
   http://www.cert.org/CERT_PGP.key

   If  you  prefer  to  use  DES,  please  call the CERT hotline for more
   information.

Getting security information

   CERT  publications  and  other security information are available from
   our web site
   http://www.cert.org/

   To  subscribe  to  the CERT mailing list for advisories and bulletins,
   send email to the list server address [withheld in this archive].
   Please include in the body of your message

   subscribe cert-advisory

   *  "CERT"  and  "CERT  Coordination Center" are registered in the U.S.
   Patent and Trademark Office.
   ______________________________________________________________________

   NO WARRANTY
   Any  material furnished by Carnegie Mellon University and the Software
   Engineering  Institute  is  furnished  on  an  "as is" basis. Carnegie
   Mellon University makes no warranties of any kind, either expressed or
   implied  as  to  any matter including, but not limited to, warranty of
   fitness  for  a  particular purpose or merchantability, exclusivity or
   results  obtained from use of the material. Carnegie Mellon University
   does  not  make  any warranty of any kind with respect to freedom from
   patent, trademark, or copyright infringement.
   ______________________________________________________________________

   Conditions for use, disclaimers, and sponsorship information

   Copyright 2003 Carnegie Mellon University.


Revision History

   July 25, 2003: Initial release


-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQCVAwUBPyF6V2jtSoHZUTs5AQFGtgP/VJsEVZ1blK04pZhjSIlJuPJJg1PU4Xwi
/lvJFdpvkqKrEH27NHBkfJGN/rSs7kinSq6dEsJeenjb3rcDQMd/VdFEm83cF51/
NDyMt4osvtXveYSR1oorbMbSVQ4tF5yItsOchRfZsfigyk3tvzPA1kawuWBxy2KZ
Gmjs9RLgmxI=
=3ICC
-----END PGP SIGNATURE-----

