Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:4905
HistoryJul 26, 2003 - 12:00 a.m.

CERT Advisory CA-2003-18 Integer Overflows in Microsoft Windows DirectX MIDI Library

2003-07-2600:00:00
vulners.com
6
JSON

-----BEGIN PGP SIGNED MESSAGE-----

CERT Advisory CA-2003-18 Integer Overflows in Microsoft Windows DirectX
MIDI Library

Original issue date: July 25, 2003
Last revised: –
Source: CERT/CC

A complete revision history is at the end of this file.

Systems Affected

 * Microsoft  Windows  systems  running DirectX (Windows 98, 98SE, NT
   4.0, NT 4.0 TSE, 2000, Server 2003)

Overview

A set of integer overflows exists in a DirectX library included in
Microsoft Windows. An attacker could exploit this vulnerability to
execute arbitrary code or to cause a denial of service.

I. Description

Microsoft Windows operating systems include multimedia technologies
called DirectX and DirectShow. From Microsoft Security Bulletin
MS03-030, "DirectX consists of a set of low-level Application
Programming Interfaces (APIs) that are used by Windows programs for
multimedia support. Within DirectX, the DirectShow technology performs
client-side audio and video sourcing, manipulation, and rendering."

DirectShow support for MIDI files is implemented in a library called
quartz.dll. This library contains two vulnerabilities:

 VU#561284 - Microsoft Windows DirectX MIDI library does not
             adequately validate Text or Copyright parameters in
             MIDI files

 VU#265232 - Microsoft Windows DirectX MIDI library does not
             adequately validate MThd track values in MIDI files

In both cases, a specially crafted MIDI file could cause an integer
overflow, leading to incorrect memory allocation and heap corruption.

Any application that uses DirectX/DirectShow to process MIDI files may
be affected by this vulnerability. Of particular concern, Internet
Explorer (IE) uses the Windows Media Player ActiveX control and
quartz.dll to handle MIDI files embedded in HTML documents. An
attacker could therefore exploit this vulnerability by convincing a
victim to view an HTML document, such as a web page or an HTML email
message, that contains an embedded MIDI file. Note that in addition to
IE, a number of applications, including Outlook, Outlook Express,
Eudora, AOL, Lotus Notes, and Adobe PhotoDeluxe, use the WebBrowser
ActiveX control to interpret HTML documents.

Further technical details are available in eEye Digital Security
advisory AD20030723. Common Vulnerabilities and Exposures (CVE) refers
to these vulnerabilities as CAN-2003-0346.

II. Impact

By convincing a victim to access a specially crafted MIDI or HTML
file, an attacker could execute arbitrary code with the privileges of
the victim. The attacker could also cause a denial of service in any
application that uses the vulnerable functions in quartz.dll.

III. Solution

Apply a patch

Apply the appropriate patch as specified by Microsoft Security
Bulletin MS03-030.

Disable embedded MIDI files

Change the Run ActiveX controls and plug-ins security setting to
Disable in the Internet zone and the zone(s) used by Outlook, Outlook
Express, and any other application that uses the WebBrowser ActiveX
control to render HTML. This modification will prevent MIDI files from
being automatically loaded from HTML documents. This workaround is not
a complete solution and will not prevent attacks that attempt to load
MIDI files directly.

Instructions for modifying IE security zone settings can be found in
the CERT/CC Malicious Web Scripts FAQ.

Appendix A. Vendor Information

This appendix contains information provided by vendors. When vendors
report new information, this section is updated and the changes are
noted in the revision history. If a vendor is not listed below, we
have not received their comments.

Microsoft

 Please see Microsoft Security Bulletin MS03-030.

Appendix B. References

 * CERT/CC Vulnerability Note VU#561284 -
   http://www.kb.cert.org/vuls/id/561284
 * CERT/CC Vulnerability Note VU#265232 -
   http://www.kb.cert.org/vuls/id/265232
 * eEye Digital Security advisory AD20030723 -
   http://www.eeye.com/html/Research/Advisories/AD20030723.html
 * Microsoft Security Bulletin MS03-030 -
   http://microsoft.com/technet/security/bulletin/MS03-030.asp
 * Microsoft Knowledge Base article 819696 -
   http://support.microsoft.com/default.aspx?scid=kb;en-us;819696
 _________________________________________________________________

These vulnerabilities were researched and reported by eEye Digital
Security.
_________________________________________________________________

Feedback can be directed to the author, Art Manion.

This document is available from:
http://www.cert.org/advisories/CA-2003-18.html

CERT/CC Contact Information

Email: [email protected]
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.

CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) /
EDT(GMT-4) Monday through Friday; they are on call for emergencies
during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email.
Our public PGP key is available from
http://www.cert.org/CERT_PGP.key

If you prefer to use DES, please call the CERT hotline for more
information.

Getting security information

CERT publications and other security information are available from
our web site
http://www.cert.org/

To subscribe to the CERT mailing list for advisories and bulletins,
send email to [email protected]. Please include in the body of your
message

subscribe cert-advisory

  • "CERT" and "CERT Coordination Center" are registered in the U.S.
    Patent and Trademark Office.

NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software
Engineering Institute is furnished on an "as is" basis. Carnegie
Mellon University makes no warranties of any kind, either expressed or
implied as to any matter including, but not limited to, warranty of
fitness for a particular purpose or merchantability, exclusivity or
results obtained from use of the material. Carnegie Mellon University
does not make any warranty of any kind with respect to freedom from
patent, trademark, or copyright infringement.

Conditions for use, disclaimers, and sponsorship information

Copyright 2003 Carnegie Mellon University.

Revision History

July 25, 2003: Initial release

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQCVAwUBPyF6V2jtSoHZUTs5AQFGtgP/VJsEVZ1blK04pZhjSIlJuPJJg1PU4Xwi
/lvJFdpvkqKrEH27NHBkfJGN/rSs7kinSq6dEsJeenjb3rcDQMd/VdFEm83cF51/
NDyMt4osvtXveYSR1oorbMbSVQ4tF5yItsOchRfZsfigyk3tvzPA1kawuWBxy2KZ
Gmjs9RLgmxI=
=3ICC
-----END PGP SIGNATURE-----

Related

cve 1
nessus 1
cert 2
securityvulns 1
cve
cve
CVE-2003-0346
2003-08-27 04:00:00
nessus
nessus
MS03-030: DirectX MIDI Overflow (819696)
2003-07-23 00:00:00
cert
cert
Microsoft Windows DirectX MIDI library does not adequately validate MThd track values in MIDI files
2003-07-25 00:00:00
Microsoft Windows DirectX MIDI library does not adequately validate Text or Copyright parameters in MIDI files
2003-07-24 00:00:00
securityvulns
securityvulns
EEYE: Windows MIDI Decoder (QUARTZ.DLL) Heap Corruption
2003-07-24 00:00:00
JSON
Related for SECURITYVULNS:DOC:4905
cve1nessus1cert2securityvulns1