Alert: Microsoft Security Bulletin - MS03-030

From: Russ (Russ.CooperRC.ON.CA)
Date: Wed Jul 23 2003 - 15:30:12 CDT


http://www.microsoft.com/technet/security/bulletin/MS03-030.asp

Unchecked Buffer in DirectX Could Enable System Compromise (819696)

Originally posted: July 23, 2003

Summary

Who should read this bulletin: Customers using Microsoft® Windows®

Impact of vulnerability: Allow an attacker to execute code on a user's system

Maximum Severity Rating: Critical

Recommendation: Customers should apply the security patch immediately

Affected Software:
- Microsoft DirectX® 5.2 on Windows 98
- Microsoft DirectX 6.1 on Windows 98 SE
- Microsoft DirectX 7.0a on Windows Millennium Edition
- Microsoft DirectX 7.0 on Windows 2000
- Microsoft DirectX 8.1 on Windows XP
- Microsoft DirectX 8.1 on Windows Server 2003
- Microsoft DirectX 9.0a when installed on Windows Millennium Edition
- Microsoft DirectX 9.0a when installed on Windows 2000
- Microsoft DirectX 9.0a when installed on Windows XP
- Microsoft DirectX 9.0a when installed on Windows Server 2003
- Microsoft Windows NT 4.0 with either Windows Media Player 6.4 or Internet Explorer 6 Service Pack 1 installed.
- Microsoft Windows NT 4.0, Terminal Server Edition with either Windows Media Player 6.4 or Internet Explorer 6 Service Pack 1 installed.

Technical description:

DirectX consists of a set of low-level Application Programming Interfaces (APIs) that are used by Windows programs for multimedia support. Within DirectX, the DirectShow technology performs client-side audio and video sourcing, manipulation, and rendering.

There are two buffer overruns with identical effects in the function used by DirectShow to check parameters in a Musical Instrument Digital Interface (MIDI) file. A security vulnerability results because it could be possible for a malicious user to attempt to exploit these flaws and execute code in the security context of the logged-on user.

An attacker could seek to exploit this vulnerability by creating a specially crafted MIDI file designed to exploit this vulnerability and then host it on a Web site or on a network share, or send it by using an HTML-based e-mail. In the case where the file was hosted on a Web site or network share, the user would need to open the specially crafted file. If the file was embedded in a page, the vulnerability could be exploited when a user visited the Web page. In the HTML-based e-mail case, the vulnerability could be exploited when a user opened or previewed the HTML-based e-mail. A successful attack could cause DirectShow, or an application making use of DirectShow, to fail. A successful attack could also cause an attacker's code to run on the user's computer in the security context of the user.

Mitigating factors:
- By default, Internet Explorer on Windows Server 2003 runs in Enhanced Security Configuration. This default configuration of Internet Explorer blocks the e-mail-based vector of this attack because Microsoft Outlook Express running on Windows Server 2003 by default reads e-mail in plain text. If Internet Explorer Enhanced Security Configuration were disabled, the protections put in place that prevent this vulnerability from being exploited would be removed.
- In the Web-based attack scenario, the attacker would have to host a Web site that contained a Web page used to exploit these vulnerabilities. An attacker would have no way to force users to visit a malicious Web site outside the HTML-based e-mail vector. Instead, the attacker would need to lure them there, typically by getting them to click a link that would take them to the attacker's site.
- The combination of the above means that on Windows Server 2003 an administrator browsing only to trusted sites should be safe from this vulnerability.
- Code executed on the system would only run under the privileges of the logged-on user.

Vulnerability identifier: CAN-2003-0346

This email is sent to NTBugtraq automatically as a service to my subscribers. (v1.18)

Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
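The bulletin above describes the flaw only as unchecked parameter checking in DirectShow's MIDI file parser. The following C is an added illustration, not DirectShow's or Microsoft's code, of how a defender would validate that file format: every length and count read from the file is compared with the bytes actually present before it is used. The function name midi_check, the result codes and the two sample byte arrays are hypothetical and constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical validator for Standard MIDI Files (added illustration, not DirectShow code). */
enum { MIDI_OK = 0, MIDI_TRUNCATED, MIDI_BAD_MAGIC, MIDI_BAD_LENGTH, MIDI_BAD_PARAM };

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Walk the MThd header and every MTrk chunk without trusting a single length field:
 * each declared size is checked against the bytes actually present before it is used. */
int midi_check(const uint8_t *buf, size_t len)
{
    if (len < 14) return MIDI_TRUNCATED;                    /* "MThd" + u32 length + 3 u16 params */
    if (memcmp(buf, "MThd", 4) != 0) return MIDI_BAD_MAGIC;
    uint32_t hlen = be32(buf + 4);
    if (hlen < 6 || hlen > len - 8) return MIDI_BAD_LENGTH; /* header body must fit in the file */
    uint16_t format = be16(buf + 8), ntrks = be16(buf + 10), division = be16(buf + 12);
    if (format > 2 || (format == 0 && ntrks != 1) || division == 0) return MIDI_BAD_PARAM;
    size_t off = 8 + hlen;                                  /* tolerate extra header bytes */
    for (uint16_t t = 0; t < ntrks; t++) {
        if (len - off < 8) return MIDI_TRUNCATED;           /* off <= len holds here */
        if (memcmp(buf + off, "MTrk", 4) != 0) return MIDI_BAD_MAGIC;
        uint32_t tlen = be32(buf + off + 4);
        if (tlen > len - off - 8) return MIDI_BAD_LENGTH;   /* declared track length overruns file */
        off += 8 + tlen;
    }
    return MIDI_OK;
}

/* Constructed samples: a minimal valid format-0 file, and the same file with the
 * MTrk length field set to 0xFFFFFFFF, the kind of value a parser must refuse. */
static const uint8_t good_midi[] = {
    'M','T','h','d', 0,0,0,6, 0,0, 0,1, 0,0x60,
    'M','T','r','k', 0,0,0,4, 0x00,0xFF,0x2F,0x00 };
static const uint8_t bad_midi[] = {
    'M','T','h','d', 0,0,0,6, 0,0, 0,1, 0,0x60,
    'M','T','r','k', 0xFF,0xFF,0xFF,0xFF, 0x00,0xFF,0x2F,0x00 };

int check_good_sample(void) { return midi_check(good_midi, sizeof good_midi); } /* MIDI_OK */
int check_bad_sample(void)  { return midi_check(bad_midi, sizeof bad_midi); }   /* MIDI_BAD_LENGTH */
```

A mail gateway or file scanner can run the same checks before handing a MIDI attachment to any rendering component.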
