CERT® Advisory CA-2003-18 Integer Overflows in Microsoft Windows DirectX MIDI LibraryOriginal issue date: July 25, 2003
Last revised: July 30, 2003
A complete revision history is at the end of this file.
A set of integer overflows exists in a DirectX library included in Microsoft Windows. An attacker could exploit these vulnerabilies to execute arbitrary code or to cause a denial of service.
Microsoft Windows operating systems include multimedia technologies called DirectX and DirectShow. From Microsoft Security Bulletin MS03-030, "DirectX consists of a set of low-level Application Programming Interfaces (APIs) that are used by Windows programs for multimedia support. Within DirectX, the DirectShow technology performs client-side audio and video sourcing, manipulation, and rendering."
DirectShow support for MIDI files is implemented in a library called quartz.dll. This library contains two vulnerabilities:
VU#561284 - Microsoft Windows DirectX MIDI library does not adequately validate Text or Copyright parameters in MIDI filesIn both cases, a specially crafted MIDI file could cause an integer overflow, leading to incorrect memory allocation and heap corruption.
Any application that uses DirectX/DirectShow to process MIDI files may be affected by these vulnerabilities. Of particular concern, Internet Explorer (IE) uses the Windows Media Player ActiveX control and quartz.dll to handle MIDI files embedded in HTML documents. An attacker could therefore exploit these vulnerabilities by convincing a victim to view an HTML document, such as a web page or an HTML email message, that contains an embedded MIDI file. Note that in addition to IE, a number of applications, including Outlook, Outlook Express, Eudora, AOL, Lotus Notes, and Adobe PhotoDeluxe, use the WebBrowser ActiveX control to interpret HTML documents.
By convincing a victim to access a specially crafted MIDI or HTML file, an attacker could execute arbitrary code with the privileges of the victim. The attacker could also cause a denial of service in any application that uses the vulnerable functions in quartz.dll.
Apply a patch
Apply the appropriate patch as specified by Microsoft Security Bulletin MS03-030.
The patch is a complete solution that fixes the integer overflows in quartz.dll. Sites that are unable to install the patch may consider the workaround described below.
Modify Internet Explorer settings
It is possible to significantly limit the ability of IE to automatically load MIDI files from HTML documents by making all of the following modifications:
Appendix A. Vendor Information
This appendix contains information provided by vendors. When vendors report new information, this section is updated and the changes are noted in the revision history. If a vendor is not listed below, we have not received their comments.
Appendix B. References
These vulnerabilities were researched and reported by eEye Digital Security. Jeff Johnson helped research the IE settings workaround.
Feedback can be directed to the author, Art Manion.
This document is available from: http://www.cert.org/advisories/CA-2003-18.html
CERT/CC Contact Information
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.
We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from
If you prefer to use DES, please call the CERT hotline for more information.
Getting security information
CERT publications and other security information are available from our web site
* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.
Conditions for use, disclaimers, and sponsorship information
Copyright 2003 Carnegie Mellon University.
July 25, 2003: Initial release, added Windows XP to Systems Affected