Original issue date: July 25, 2003<br> Last revised: July 30, 2003<br> Source: CERT/CC<br> <p> A complete revision history is at the end of this file. </p> <br> <h3>Systems Affected</h3> <ul> <li>Microsoft Windows systems running DirectX (Windows 98, 98SE, NT 4.0, NT 4.0 TSE, 2000, XP, Server 2003) </li> </ul> <br> <h2>Overview</h2> <p> A set of integer overflows exists in a DirectX library included in Microsoft Windows. An attacker could exploit these vulnerabilities to execute arbitrary code or to cause a denial of service. </p> <br> <h2>I. Description</h2> <p> Microsoft Windows operating systems include multimedia technologies called DirectX and DirectShow. From Microsoft Security Bulletin <a href="http://microsoft.com/technet/security/bulletin/MS03-030.asp">MS03-030</a>, "DirectX consists of a set of low-level Application Programming Interfaces (APIs) that are used by Windows programs for multimedia support. Within DirectX, the DirectShow technology performs client-side audio and video sourcing, manipulation, and rendering." </p> <p> DirectShow support for MIDI files is implemented in a library called <font face="courier">quartz.dll</font>. This library contains two vulnerabilities: <blockquote> <a href="http://www.kb.cert.org/vuls/id/561284">VU#561284</a> - Microsoft Windows DirectX MIDI library does not adequately validate Text or Copyright parameters in MIDI files<br> <br> <a href="http://www.kb.cert.org/vuls/id/265232">VU#265232</a> - Microsoft Windows DirectX MIDI library does not adequately validate MThd track values in MIDI files </blockquote> In both cases, a specially crafted MIDI file could cause an integer overflow, leading to incorrect memory allocation and heap corruption. </p> <p> Any application that uses DirectX/DirectShow to process MIDI files may be affected by these vulnerabilities. 
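</p> <p> The following C program is an illustration added to this advisory; it is not code from CERT/CC, eEye, or <font face="courier">quartz.dll</font>, and it does not reproduce the actual defect in that library. It shows the class of bug the two vulnerability notes describe: a length taken from an untrusted MIDI file (the MThd chunk length, and the variable-length count that precedes a Text or Copyright meta-event) is used in allocation-size arithmetic that silently wraps, so a tiny buffer is allocated and then filled with far more data. The function names, error codes, and sample byte strings are constructed for the example; the 32-bit wrap is computed in <font face="courier">uint32_t</font> so it behaves the same on any host. </p>

```c
/* Added illustration (not code from the advisory, eEye, or quartz.dll):
 * how lengths read from an untrusted MIDI file can wrap allocation-size
 * arithmetic, and the checks that stop it. All sample byte strings are
 * constructed for this example.  Build: cc -std=c99 -Wall midi_len.c */
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

enum { MIDI_OK = 0, MIDI_ERR_FORMAT, MIDI_ERR_TRUNCATED, MIDI_ERR_NOMEM };

struct mthd { uint16_t format, ntracks, division; };

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* MThd chunk: "MThd", 32-bit big-endian length (>= 6), format, ntracks,
 * division.  The length is compared with the bytes remaining rather than
 * added to an offset, so a huge value cannot wrap the comparison. */
int parse_mthd(const uint8_t *buf, size_t len, struct mthd *out, size_t *consumed)
{
    if (len < 14 || memcmp(buf, "MThd", 4) != 0) return MIDI_ERR_FORMAT;
    uint32_t chunk_len = be32(buf + 4);
    if (chunk_len < 6) return MIDI_ERR_FORMAT;
    if (chunk_len > len - 8) return MIDI_ERR_TRUNCATED;  /* never 8 + chunk_len */
    out->format   = be16(buf + 8);
    out->ntracks  = be16(buf + 10);
    out->division = be16(buf + 12);
    if (out->ntracks == 0) return MIDI_ERR_FORMAT;
    *consumed = 8 + (size_t)chunk_len;
    return MIDI_OK;
}

/* Vulnerable variable-length-quantity reader: no cap on the number of
 * continuation bytes, so a fifth byte shifts bits off the top and wraps. */
uint32_t vlq_unbounded(const uint8_t *p, size_t avail, size_t *used)
{
    uint32_t v = 0; size_t i = 0;
    while (i < avail) {
        v = (v << 7) | (p[i] & 0x7F);
        if (!(p[i++] & 0x80)) break;
    }
    *used = i;
    return v;
}

/* Hardened reader: at most 4 bytes (the SMF limit), so the result is at
 * most 0x0FFFFFFF and a later "+ 1" cannot wrap. */
int vlq_checked(const uint8_t *p, size_t avail, size_t *used, uint32_t *out)
{
    uint32_t v = 0; size_t i = 0;
    for (;;) {
        if (i >= avail) return MIDI_ERR_TRUNCATED;
        if (i >= 4)     return MIDI_ERR_FORMAT;
        v = (v << 7) | (p[i] & 0x7F);
        if (!(p[i++] & 0x80)) break;
    }
    *used = i; *out = v;
    return MIDI_OK;
}

/* Size that the unsafe path would hand to malloc for a text event
 * (length + 1 for the terminator).  0 means the addition wrapped, after
 * which memcpy of the unchecked length writes past the heap block. */
uint32_t unsafe_text_alloc_size(const uint8_t *p, size_t avail)
{
    size_t used;
    uint32_t n = vlq_unbounded(p, avail, &used);
    return n + 1;
}

/* Hardened path: bounded length, then checked against the bytes present. */
int copy_text_event(const uint8_t *p, size_t avail, char **text)
{
    size_t used; uint32_t n;
    int rc = vlq_checked(p, avail, &used, &n);
    if (rc != MIDI_OK) return rc;
    if (n > avail - used) return MIDI_ERR_TRUNCATED;   /* length beyond data */
    char *s = malloc((size_t)n + 1);                   /* n <= 0x0FFFFFFF */
    if (!s) return MIDI_ERR_NOMEM;
    memcpy(s, p + used, n);
    s[n] = '\0';
    *text = s;
    return MIDI_OK;
}

/* Constructed samples: a valid header, a header claiming 2 GB of data,
 * a 5-byte VLQ that wraps the length to 0xFFFFFFFF, and a normal text event. */
static const uint8_t SAMPLE_MTHD[]     = { 'M','T','h','d', 0,0,0,6, 0,0, 0,1, 0,0x60 };
static const uint8_t SAMPLE_HUGE_HDR[] = { 'M','T','h','d', 0x7F,0xFF,0xFF,0xFF, 0,0, 0,1, 0,0x60 };
static const uint8_t SAMPLE_CRAFTED[]  = { 0xFF,0xFF,0xFF,0xFF,0x7F, 'h','i' };
static const uint8_t SAMPLE_TEXT[]     = { 0x05, 'h','e','l','l','o' };

int main(void)
{
    struct mthd h; size_t used; char *text = NULL;
    int rc = parse_mthd(SAMPLE_MTHD, sizeof SAMPLE_MTHD, &h, &used);
    printf("MThd parse: rc=%d ntracks=%u\n", rc, rc == MIDI_OK ? h.ntracks : 0);
    printf("crafted length -> malloc(%u)\n",
           unsafe_text_alloc_size(SAMPLE_CRAFTED, sizeof SAMPLE_CRAFTED));
    printf("hardened reader on crafted length: rc=%d\n",
           copy_text_event(SAMPLE_CRAFTED, sizeof SAMPLE_CRAFTED, &text));
    if (copy_text_event(SAMPLE_TEXT, sizeof SAMPLE_TEXT, &text) == MIDI_OK) {
        printf("text event: \"%s\"\n", text);
        free(text);
    }
    return 0;
}
```

<p> The two checks that matter are the ones that do not involve the file's own numbers in the arithmetic: compare a claimed length against <font face="courier">remaining</font>, never compute <font face="courier">offset + length</font> first, and cap a variable-length quantity at the number of bytes the format permits before adding anything to it. </p> <p>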
Of particular concern, Internet Explorer (IE) uses the Windows Media Player ActiveX control and <font face="courier">quartz.dll</font> to handle MIDI files embedded in HTML documents. An attacker could therefore exploit these vulnerabilities by convincing a victim to view an HTML document, such as a web page or an HTML email message, that contains an embedded MIDI file. Note that in addition to IE, a number of applications, including Outlook, Outlook Express, Eudora, AOL, Lotus Notes, and Adobe PhotoDeluxe, use the WebBrowser ActiveX control to interpret HTML documents. </p> <p> Further technical details are available in eEye Digital Security advisory <a href="http://www.eeye.com/html/Research/Advisories/AD20030723.html">AD20030723</a>. Common Vulnerabilities and Exposures (<a href="http://cve.mitre.org/">CVE</a>) refers to these vulnerabilities as <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0346">CAN-2003-0346</a>. </p> <br> <h2>II. Impact</h2> <p> By convincing a victim to access a specially crafted MIDI or HTML file, an attacker could execute arbitrary code with the privileges of the victim. The attacker could also cause a denial of service in any application that uses the vulnerable functions in <font face="courier">quartz.dll</font>. </p> <br> <h2>III. Solution</h2> <h4>Apply a patch</h4> <p> Apply the appropriate patch as specified by Microsoft Security Bulletin <a href="http://microsoft.com/technet/security/bulletin/MS03-030.asp">MS03-030</a>. </p> <p> The patch is a complete solution that fixes the integer overflows in <font face="courier">quartz.dll</font>. Sites that are unable to install the patch may consider the workaround described below. 
</p> <h4>Modify Internet Explorer settings</h4> <p> It is possible to significantly limit the ability of IE to automatically load MIDI files from HTML documents by making all of the following modifications: <ul> <li>Disable <i>Active scripting</i></li> <li>Disable <i>Run ActiveX controls and plug-ins</i></li> <li>Disable <i>Play sounds in web pages</i></li> <li>Disable <i>Play videos in web pages</i></li> </ul> As stated above, the only complete solution for these vulnerabilities is to apply the patch. For example, Outlook Express 6 SP1 will play a MIDI file in an HTML email message regardless of the settings for audio and video in web pages. There may be other methods to automatically load a MIDI file from an HTML document. Also, these modifications will prevent some web pages from functioning properly. </p> <br> <a name="vendors"></a> <h2>Appendix A. Vendor Information</h2> <p> This appendix contains information provided by vendors. When vendors report new information, this section is updated and the changes are noted in the revision history. If a vendor is not listed below, we have not received their comments. </p> <a name="microsoft"></a> <h4><a href="http://www.microsoft.com/">Microsoft</a></h4> <blockquote> <p> Please see Microsoft Security Bulletin <a href="http://microsoft.com/technet/security/bulletin/MS03-030.asp">MS03-030</a>. </p> </blockquote> <!-- end vendor --> <br> <a name="references"></a> <h2>Appendix B. 
References</h2> <ul> <li>CERT/CC Vulnerability Note VU#561284 - <a href="http://www.kb.cert.org/vuls/id/561284">http://www.kb.cert.org/vuls/id/561284</a></li> <li>CERT/CC Vulnerability Note VU#265232 - <a href="http://www.kb.cert.org/vuls/id/265232">http://www.kb.cert.org/vuls/id/265232</a></li> <li>eEye Digital Security advisory AD20030723 - <a href="http://www.eeye.com/html/Research/Advisories/AD20030723.html">http://www.eeye.com/html/Research/Advisories/AD20030723.html</a></li> <li>Microsoft Security Bulletin MS03-030 - <a href="http://microsoft.com/technet/security/bulletin/MS03-030.asp">http://microsoft.com/technet/security/bulletin/MS03-030.asp</a></li> <li>Microsoft Knowledge Base article 819696 - <a href="http://support.microsoft.com/default.aspx?scid=kb;en-us;819696">http://support.microsoft.com/default.aspx?scid=kb;en-us;819696</a></li> </ul> <hr noshade> <p> These vulnerabilities were researched and reported by <a href="http://www.eeye.com/">eEye Digital Security</a>. Jeff Johnson helped research the IE settings workaround. </p> <hr noshade> <p> Feedback can be directed to the author, <a href="mailto:cert@cert.org?subject=CA-2003-18%20VU%23561284%20VU%23265232%20Feedback">Art Manion</a>. </p> <p>Copyright 2003 Carnegie Mellon University.</p> <p>Revision History</p> <p> <small> July 25, 2003: Initial release, added Windows XP to Systems Affected<br> July 29, 2003: Removed IE security settings workaround from Solution<br> July 30, 2003: Updated IE settings workaround in Solution, changed references to vulnerabilities (plural), updated credits<br> </small> </p>