-----BEGIN PGP SIGNED MESSAGE-----


CERT Advisory CA-2003-18 Integer Overflows in Microsoft Windows DirectX
MIDI Library

   Original issue date: July 25, 2003
   Last revised: --
   Source: CERT/CC

   A complete revision history is at the end of this file.


Systems Affected

     * Microsoft  Windows  systems  running DirectX (Windows 98, 98SE, NT
       4.0, NT 4.0 TSE, 2000, Server 2003)


Overview

   A  set  of  integer  overflows exists in a DirectX library included in
   Microsoft  Windows.  An  attacker  could exploit this vulnerability to
   execute arbitrary code or to cause a denial of service.


I. Description

   Microsoft  Windows  operating  systems include multimedia technologies
   called  DirectX  and  DirectShow.  From  Microsoft  Security  Bulletin
   MS03-030,   "DirectX  consists  of  a  set  of  low-level  Application
   Programming  Interfaces  (APIs)  that are used by Windows programs for
   multimedia support. Within DirectX, the DirectShow technology performs
   client-side audio and video sourcing, manipulation, and rendering."

   DirectShow  support  for MIDI files is implemented in a library called
   quartz.dll. This library contains two vulnerabilities:

     VU#561284 - Microsoft Windows DirectX MIDI library does not
                 adequately validate Text or Copyright parameters in
                 MIDI files

     VU#265232 - Microsoft Windows DirectX MIDI library does not
                 adequately validate MThd track values in MIDI files

   In  both  cases,  a specially crafted MIDI file could cause an integer
   overflow, leading to incorrect memory allocation and heap corruption.

   Any application that uses DirectX/DirectShow to process MIDI files may
   be  affected  by  this  vulnerability. Of particular concern, Internet
   Explorer  (IE)  uses  the  Windows  Media  Player  ActiveX control and
   quartz.dll  to  handle  MIDI  files  embedded  in  HTML  documents. An
   attacker  could  therefore  exploit this vulnerability by convincing a
   victim  to  view an HTML document, such as a web page or an HTML email
   message, that contains an embedded MIDI file. Note that in addition to
   IE,  a  number  of  applications,  including Outlook, Outlook Express,
   Eudora,  AOL,  Lotus  Notes, and Adobe PhotoDeluxe, use the WebBrowser
   ActiveX control to interpret HTML documents.

   Further  technical  details  are  available  in  eEye Digital Security
   advisory AD20030723. Common Vulnerabilities and Exposures (CVE) refers
   to these vulnerabilities as CAN-2003-0346.


II. Impact

   By  convincing  a  victim  to  access a specially crafted MIDI or HTML
   file,  an attacker could execute arbitrary code with the privileges of
   the  victim.  The attacker could also cause a denial of service in any
   application that uses the vulnerable functions in quartz.dll.


III. Solution

Apply a patch

   Apply  the  appropriate  patch  as  specified  by  Microsoft  Security
   Bulletin MS03-030.

Disable embedded MIDI files

   Change  the  Run  ActiveX  controls  and  plug-ins security setting to
   Disable  in the Internet zone and the zone(s) used by Outlook, Outlook
   Express,  and  any  other application that uses the WebBrowser ActiveX
   control to render HTML. This modification will prevent MIDI files from
   being automatically loaded from HTML documents. This workaround is not
   a  complete solution and will not prevent attacks that attempt to load
   MIDI files directly.

   Instructions  for  modifying IE security zone settings can be found in
   the CERT/CC Malicious Web Scripts FAQ.


Appendix A. Vendor Information

   This  appendix  contains information provided by vendors. When vendors
   report  new  information,  this section is updated and the changes are
   noted  in  the  revision  history. If a vendor is not listed below, we
   have not received their comments.

Microsoft

     Please see Microsoft Security Bulletin MS03-030.


Appendix B. References

     * CERT/CC Vulnerability Note VU#561284 -
       http://www.kb.cert.org/vuls/id/561284
     * CERT/CC Vulnerability Note VU#265232 -
       http://www.kb.cert.org/vuls/id/265232
     * eEye Digital Security advisory AD20030723 -
       http://www.eeye.com/html/Research/Advisories/AD20030723.html
     * Microsoft Security Bulletin MS03-030 -
       http://microsoft.com/technet/security/bulletin/MS03-030.asp
     * Microsoft Knowledge Base article 819696 -
       http://support.microsoft.com/default.aspx?scid=kb;en-us;819696
     _________________________________________________________________

   These  vulnerabilities were  researched and reported by  eEye  Digital
   Security.
     _________________________________________________________________

   Feedback can be directed to the author, Art Manion.
   ______________________________________________________________________

   This document is available from:
   http://www.cert.org/advisories/CA-2003-18.html
   ______________________________________________________________________


CERT/CC Contact Information

   Email: cert@cert.org
          Phone: +1 412-268-7090 (24-hour hotline)
          Fax: +1 412-268-6989
          Postal address:
          CERT Coordination Center
          Software Engineering Institute
          Carnegie Mellon University
          Pittsburgh PA 15213-3890
          U.S.A.

   CERT/CC   personnel   answer  the  hotline  08:00-17:00  EST(GMT-5)  /
   EDT(GMT-4)  Monday  through  Friday;  they are on call for emergencies
   during other hours, on U.S. holidays, and on weekends.

Using encryption

   We  strongly  urge you to encrypt sensitive information sent by email.
   Our public PGP key is available from
   http://www.cert.org/CERT_PGP.key

   If  you  prefer  to  use  DES,  please  call the CERT hotline for more
   information.

Getting security information

   CERT  publications  and  other security information are available from
   our web site
   http://www.cert.org/

   To  subscribe  to  the CERT mailing list for advisories and bulletins,
   send  email  to majordomo@cert.org. Please include in the body of your
   message

   subscribe cert-advisory

   *  "CERT"  and  "CERT  Coordination Center" are registered in the U.S.
   Patent and Trademark Office.
   ______________________________________________________________________

   NO WARRANTY
   Any  material furnished by Carnegie Mellon University and the Software
   Engineering  Institute  is  furnished  on  an  "as is" basis. Carnegie
   Mellon University makes no warranties of any kind, either expressed or
   implied  as  to  any matter including, but not limited to, warranty of
   fitness  for  a  particular purpose or merchantability, exclusivity or
   results  obtained from use of the material. Carnegie Mellon University
   does  not  make  any warranty of any kind with respect to freedom from
   patent, trademark, or copyright infringement.
   ______________________________________________________________________

   Conditions for use, disclaimers, and sponsorship information

   Copyright 2003 Carnegie Mellon University.


Revision History

   July 25, 2003: Initial release


-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQCVAwUBPyF6V2jtSoHZUTs5AQFGtgP/VJsEVZ1blK04pZhjSIlJuPJJg1PU4Xwi
/lvJFdpvkqKrEH27NHBkfJGN/rSs7kinSq6dEsJeenjb3rcDQMd/VdFEm83cF51/
NDyMt4osvtXveYSR1oorbMbSVQ4tF5yItsOchRfZsfigyk3tvzPA1kawuWBxy2KZ
Gmjs9RLgmxI=
=3ICC
-----END PGP SIGNATURE-----