Original issue date: July 25, 2003<br>
Last revised: July 30, 2003<br>
Source: CERT/CC<br>

<p>
A complete revision history is at the end of this file.
</p>

<br>
<h3>Systems Affected</h3>
<ul>
<li>Microsoft Windows systems running DirectX (Windows 98, 98SE, NT 4.0, NT 4.0 TSE, 2000, XP, Server 2003)
</li>
</ul>

<br>
<h2>Overview</h2>
<p>
A set of integer overflows exists in a DirectX library included in
Microsoft Windows.  An attacker could exploit these vulnerabilities to
execute arbitrary code or to cause a denial of service.
</p>

<br>
<h2>I. Description</h2>
<p>
Microsoft Windows operating systems include multimedia technologies
called DirectX and DirectShow.  From Microsoft Security Bulletin <a
href="http://microsoft.com/technet/security/bulletin/MS03-030.asp">MS03-030</a>,
"DirectX consists of a set of low-level Application
Programming Interfaces (APIs) that are used by Windows programs for
multimedia support.  Within DirectX, the DirectShow technology
performs client-side audio and video sourcing, manipulation, and
rendering."
</p>
<p>
DirectShow support for MIDI files is implemented in a library called
<font face="courier">quartz.dll</font>.  This library contains two vulnerabilities:
<blockquote>
<a href="http://www.kb.cert.org/vuls/id/561284">VU#561284</a> -
Microsoft Windows DirectX MIDI library does not adequately validate
Text or Copyright parameters in MIDI files<br>
<br>
<a href="http://www.kb.cert.org/vuls/id/265232">VU#265232</a> -
Microsoft Windows DirectX MIDI library does not adequately validate
MThd track values in MIDI files
</blockquote>
In both cases, a specially crafted MIDI file could cause an integer
overflow, leading to incorrect memory allocation and heap corruption.
</p>
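<p>
The bug class described above is a length field read from the file being used in an allocation-size computation that can wrap.  The following is an added illustration, not code from quartz.dll or from Microsoft: it parses the MThd chunk of a MIDI file and applies one overflow-aware size check that is equally applicable to the length of a Text or Copyright meta event.  The sample header bytes are constructed for the example.
</p>

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Turn a length field taken from an untrusted file into an allocation size
   without trusting it: the field must fit in the bytes that actually remain,
   and adding any fixed overhead must not wrap around.  Returns 1 on success.
   (Naive code computes declared + overhead directly; on a 32-bit build a
   declared value near 0xFFFFFFFF wraps to a tiny allocation that the later
   copy of `declared` bytes overruns, which is the heap corruption the
   advisory describes.) */
int safe_alloc_size(uint32_t declared, size_t overhead, size_t remaining,
                    size_t *out)
{
    if (declared > remaining) return 0;                    /* longer than file */
    if ((size_t)declared > SIZE_MAX - overhead) return 0;  /* sum would wrap */
    *out = (size_t)declared + overhead;
    return 1;
}

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Parse a MIDI MThd chunk: "MThd", a 32-bit big-endian body length, then
   format, ntrks and division as 16-bit fields.  Returns ntrks, or -1 when the
   chunk is malformed or its length field is inconsistent with the buffer. */
int parse_mthd(const uint8_t *buf, size_t len)
{
    size_t chunk_total;
    if (len < 8 || memcmp(buf, "MThd", 4) != 0) return -1;
    uint32_t body_len = be32(buf + 4);
    /* The body must hold at least the six bytes the format defines, and the
       whole chunk (8-byte header plus body) must fit inside the buffer. */
    if (body_len < 6) return -1;
    if (!safe_alloc_size(body_len, 8, len - 8, &chunk_total)) return -1;
    return (buf[10] << 8) | buf[11];   /* ntrks field */
}
```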
<p>
Any application that uses DirectX/DirectShow to process MIDI files may
be affected by these vulnerabilities.  Of particular concern, Internet
Explorer (IE) uses the Windows Media Player ActiveX control and <font
face="courier">quartz.dll</font> to handle MIDI files embedded in HTML
documents.  An attacker could therefore exploit these vulnerabilities by
convincing a victim to view an HTML document, such as a web page or an
HTML email message, that contains an embedded MIDI file.  Note that in
addition to IE, a number of applications, including Outlook, Outlook
Express, Eudora, AOL, Lotus Notes, and Adobe PhotoDeluxe, use the
WebBrowser ActiveX control to interpret HTML documents.
</p>
<p>
Further technical details are available in eEye Digital Security
advisory <a href="http://www.eeye.com/html/Research/Advisories/AD20030723.html">AD20030723</a>.  Common Vulnerabilities and Exposures (<a href="http://cve.mitre.org/">CVE</a>) refers to these vulnerabilities as <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0346">CAN-2003-0346</a>.
</p>

<br>
<h2>II. Impact</h2>
<p>
By convincing a victim to access a specially crafted MIDI or HTML
file, an attacker could execute arbitrary code with the privileges of
the victim.  The attacker could also cause a denial of service in any
application that uses the vulnerable functions in <font
face="courier">quartz.dll</font>.
</p>

<br>
<h2>III. Solution</h2>

<h4>Apply a patch</h4>
<p>
Apply the appropriate patch as specified by Microsoft Security Bulletin <a href="http://microsoft.com/technet/security/bulletin/MS03-030.asp">MS03-030</a>.
</p>
<p>
The patch is a complete solution that fixes the integer overflows in
<font face="courier">quartz.dll</font>.  Sites that are unable to
install the patch may consider the workaround described below.
</p>

<h4>Modify Internet Explorer settings</h4>
<p>
It is possible to significantly limit the ability of IE to
automatically load MIDI files from HTML documents by making all of the
following modifications:
<ul>
<li>Disable <i>Active scripting</i></li>
<li>Disable <i>Run ActiveX controls and plug-ins</i></li>
<li>Disable <i>Play sounds in web pages</i></li>
<li>Disable <i>Play videos in web pages</i></li>
</ul>

As stated above, the only complete solution for these vulnerabilities
is to apply the patch.  For example, Outlook Express 6 SP1 will play a
MIDI file in an HTML email message regardless of the settings for
audio and video in web pages.  There may be other methods to
automatically load a MIDI file from an HTML document.  Also, these
modifications will prevent some web pages from functioning properly.
</p>

<br>
<a name="vendors"></a>
<h2>Appendix A.  Vendor Information</h2>

<p>
This appendix contains information provided by vendors.  When vendors
report new information, this section is updated and the changes are
noted in the revision history.  If a vendor is not listed below, we
have not received their comments.
</p>

<a name="microsoft"></a>
<h4><a href="http://www.microsoft.com/">Microsoft</a></h4>
<blockquote>
<p>
Please see Microsoft Security Bulletin <a href="http://microsoft.com/technet/security/bulletin/MS03-030.asp">MS03-030</a>.
</p>
</blockquote>
<!-- end vendor -->

<br>
<a name="references"></a>
<h2>Appendix B.  References</h2>
<ul>
<li>CERT/CC Vulnerability Note VU#561284 - <a href="http://www.kb.cert.org/vuls/id/561284">http://www.kb.cert.org/vuls/id/561284</a></li>
<li>CERT/CC Vulnerability Note VU#265232 - <a href="http://www.kb.cert.org/vuls/id/265232">http://www.kb.cert.org/vuls/id/265232</a></li>
<li>eEye Digital Security advisory AD20030723 - <a href="http://www.eeye.com/html/Research/Advisories/AD20030723.html">http://www.eeye.com/html/Research/Advisories/AD20030723.html</a></li>
<li>Microsoft Security Bulletin MS03-030 - <a href="http://microsoft.com/technet/security/bulletin/MS03-030.asp">http://microsoft.com/technet/security/bulletin/MS03-030.asp</a></li>
<li>Microsoft Knowledge Base article 819696 - <a href="http://support.microsoft.com/default.aspx?scid=kb;en-us;819696">http://support.microsoft.com/default.aspx?scid=kb;en-us;819696</a></li>
</ul>

<hr noshade>
<p>
These vulnerabilities were researched and reported by <a href="http://www.eeye.com/">eEye Digital Security</a>.  Jeff Johnson helped research the IE settings workaround.
</p>
<hr noshade>
<p>
Feedback can be directed to the author, <a href="mailto:cert@cert.org?subject=CA-2003-18%20VU%23561284%20VU%23265232%20Feedback">Art Manion</a>.
</p>


<p>Copyright 2003 Carnegie Mellon University.</p>

<p>Revision History</p>
<p>
<small>
July 25, 2003:  Initial release, added Windows XP to Systems Affected<br>
July 29, 2003:  Removed IE security settings workaround from Solution<br>
July 30, 2003:  Updated IE settings workaround in Solution, changed references to vulnerabilities (plural), updated credits<br>
</small>
</p>