CERT^® Advisory CA-2003-18 Integer Overflows in Microsoft Windows DirectX MIDI Library

A complete revision history is at the end of this file.

Systems Affected

• Microsoft Windows systems running DirectX (Windows 98, 98SE, NT 4.0, NT 4.0 TSE, 2000, XP, Server 2003)

Overview

A set of integer overflows exists in a DirectX library included in Microsoft Windows. An attacker could exploit these vulnerabilies to execute arbitrary code or to cause a denial of service.

I. Description

Microsoft Windows operating systems include multimedia technologies called DirectX and DirectShow. From Microsoft Security Bulletin MS03-030, "DirectX consists of a set of low-level Application Programming Interfaces (APIs) that are used by Windows programs for multimedia support. Within DirectX, the DirectShow technology performs client-side audio and video sourcing, manipulation, and rendering."

DirectShow support for MIDI files is implemented in a library called quartz.dll. This library contains two vulnerabilities:

VU#561284 - Microsoft Windows DirectX MIDI library does not adequately validate Text or Copyright parameters in MIDI files

VU#265232 - Microsoft Windows DirectX MIDI library does not adequately validate MThd track values in MIDI files

Any application that uses DirectX/DirectShow to process MIDI files may be affected by these vulnerabilities. Of particular concern, Internet Explorer (IE) uses the Windows Media Player ActiveX control and quartz.dll to handle MIDI files embedded in HTML documents. An attacker could therefore exploit these vulnerabilities by convincing a victim to view an HTML document, such as a web page or an HTML email message, that contains an embedded MIDI file. Note that in addition to IE, a number of applications, including Outlook, Outlook Express, Eudora, AOL, Lotus Notes, and Adobe PhotoDeluxe, use the WebBrowser ActiveX control to interpret HTML documents.

Further technical details are available in eEye Digital Security advisory AD20030723. Common Vulnerabilities and Exposures (CVE) refers to these vulnerabilities as CAN-2003-0346.

II. Impact

By convincing a victim to access a specially crafted MIDI or HTML file, an attacker could execute arbitrary code with the privileges of the victim. The attacker could also cause a denial of service in any application that uses the vulnerable functions in quartz.dll.

III. Solution

Apply a patch

Apply the appropriate patch as specified by Microsoft Security Bulletin MS03-030.

The patch is a complete solution that fixes the integer overflows in quartz.dll. Sites that are unable to install the patch may consider the workaround described below.

Modify Internet Explorer settings

It is possible to significantly limit the ability of IE to automatically load MIDI files from HTML documents by making all of the following modifications:

• Disable Active scripting
• Disable Run ActiveX controls and plug-ins
• Disable Play sounds in web pages
• Disable Play videos in web pages

Appendix A. Vendor Information

This appendix contains information provided by vendors. When vendors report new information, this section is updated and the changes are noted in the revision history. If a vendor is not listed below, we have not received their comments.

Microsoft

Please see Microsoft Security Bulletin MS03-030.

Appendix B. References

• CERT/CC Vulnerability Note VU#561284 - http://www.kb.cert.org/vuls/id/561284
• CERT/CC Vulnerability Note VU#265232 - http://www.kb.cert.org/vuls/id/265232
• eEye Digital Security advisory AD20030723 - http://www.eeye.com/html/Research/Advisories/AD20030723.html
• Microsoft Security Bulletin MS03-030 - http://microsoft.com/technet/security/bulletin/MS03-030.asp
• Microsoft Knowledge Base article 819696 - http://support.microsoft.com/default.aspx?scid=kb;en-us;819696

These vulnerabilities were researched and reported by eEye Digital Security. Jeff Johnson helped research the IE settings workaround.

Feedback can be directed to the author, Art Manion.

CERT/CC Contact Information

Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:

CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.

CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from

http://www.cert.org/CERT_PGP.key

If you prefer to use DES, please call the CERT hotline for more information.

Getting security information

CERT publications and other security information are available from our web site

http://www.cert.org/

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.

NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.

Copyright 2003 Carnegie Mellon University.

Revision History

July 25, 2003: Initial release, added Windows XP to Systems Affected
July 29, 2003: Removed IE security settings workaround from Solution
July 30, 2003: Updated IE settings workaround in Solution, changed references to vulnerabilities (plural), updated credits