Integer Overflows in Microsoft Windows DirectX MIDI Library
Last revised: July 30, 2003
A complete revision history is at the end of this file.
- Microsoft Windows systems running DirectX (Windows 98, 98SE, NT 4.0, NT 4.0 TSE, 2000, XP, Server 2003)
A set of integer overflows exists in a DirectX library included in Microsoft Windows. An attacker could exploit these vulnerabilies to execute arbitrary code or to cause a denial of service.
Microsoft Windows operating systems include multimedia technologies called DirectX and DirectShow. From Microsoft Security Bulletin MS03-030, "DirectX consists of a set of low-level Application Programming Interfaces (APIs) that are used by Windows programs for multimedia support. Within DirectX, the DirectShow technology performs client-side audio and video sourcing, manipulation, and rendering."
DirectShow support for MIDI files is implemented in a library called quartz.dll. This library contains two vulnerabilities:
VU#561284 - Microsoft Windows DirectX MIDI library does not adequately validate Text or Copyright parameters in MIDI filesIn both cases, a specially crafted MIDI file could cause an integer overflow, leading to incorrect memory allocation and heap corruption.
VU#265232 - Microsoft Windows DirectX MIDI library does not adequately validate MThd track values in MIDI files
Any application that uses DirectX/DirectShow to process MIDI files may be affected by these vulnerabilities. Of particular concern, Internet Explorer (IE) uses the Windows Media Player ActiveX control and quartz.dll to handle MIDI files embedded in HTML documents. An attacker could therefore exploit these vulnerabilities by convincing a victim to view an HTML document, such as a web page or an HTML email message, that contains an embedded MIDI file. Note that in addition to IE, a number of applications, including Outlook, Outlook Express, Eudora, AOL, Lotus Notes, and Adobe PhotoDeluxe, use the WebBrowser ActiveX control to interpret HTML documents.
By convincing a victim to access a specially crafted MIDI or HTML file, an attacker could execute arbitrary code with the privileges of the victim. The attacker could also cause a denial of service in any application that uses the vulnerable functions in quartz.dll.
Apply a patch
Apply the appropriate patch as specified by Microsoft Security Bulletin MS03-030.
The patch is a complete solution that fixes the integer overflows in quartz.dll. Sites that are unable to install the patch may consider the workaround described below.
Modify Internet Explorer settings
It is possible to significantly limit the ability of IE to automatically load MIDI files from HTML documents by making all of the following modifications:
- Disable Active scripting
- Disable Run ActiveX controls and plug-ins
- Disable Play sounds in web pages
- Disable Play videos in web pages
Appendix A. Vendor Information
This appendix contains information provided by vendors. When vendors report new information, this section is updated and the changes are noted in the revision history. If a vendor is not listed below, we have not received their comments.
Please see Microsoft Security Bulletin MS03-030.
Appendix B. References
- CERT/CC Vulnerability Note VU#561284 - http://www.kb.cert.org/vuls/id/561284
- CERT/CC Vulnerability Note VU#265232 - http://www.kb.cert.org/vuls/id/265232
- eEye Digital Security advisory AD20030723 - http://www.eeye.com/html/Research/Advisories/AD20030723.html
- Microsoft Security Bulletin MS03-030 - http://microsoft.com/technet/security/bulletin/MS03-030.asp
- Microsoft Knowledge Base article 819696 - http://support.microsoft.com/default.aspx?scid=kb;en-us;819696
These vulnerabilities were researched and reported by eEye Digital Security. Jeff Johnson helped research the IE settings workaround.
Feedback can be directed to the author, Art Manion.
Copyright 2003 Carnegie Mellon University.
July 25, 2003: Initial release, added Windows XP to Systems Affected
July 29, 2003: Removed IE security settings workaround from Solution
July 30, 2003: Updated IE settings workaround in Solution, changed references to vulnerabilities (plural), updated credits