
Microsoft Unchecked Buffer in DirectX Could Enable System Compromise (CIAC N-126)

             __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

      Microsoft Unchecked Buffer in DirectX Could Enable System Compromise
                     [Microsoft Security Bulletin MS03-030]

July 24, 2003 20:00 GMT                                           Number N-126
[Revised 20 August 2003]
______________________________________________________________________________
PROBLEM:       There are two buffer overruns with identical effects in the 
               function used by DirectShow to check parameters in a Musical 
               Instrument Digital Interface (MIDI) file. 
SOFTWARE:      * Microsoft DirectX® 5.2 on Windows 98
               * Microsoft DirectX 6.1 on Windows 98 SE
               * Microsoft DirectX 7.0a on Windows Millennium Edition
               * Microsoft DirectX 7.0 on Windows 2000
               * Microsoft DirectX 8.1 on Windows XP
               * Microsoft DirectX 8.1 on Windows Server 2003
               * Microsoft DirectX 9.0a when installed on Windows Millennium
                 Edition
               * Microsoft DirectX 9.0a when installed on Windows 2000
               * Microsoft DirectX 9.0a when installed on Windows XP
               * Microsoft DirectX 9.0a when installed on Windows Server 2003
               * Microsoft Windows NT 4.0 with either Windows Media Player 6.4
                 or Internet Explorer 6 Service Pack 1 installed.
               * Microsoft Windows NT 4.0, Terminal Server Edition with either
                 Windows Media Player 6.4 or Internet Explorer 6 Service Pack 1
                 installed.
DAMAGE:        It could be possible for a malicious user to attempt to exploit 
               these flaws and execute code in the security context of the 
               logged-on user. 
SOLUTION:      Apply patches stated in Microsoft's bulletin. 
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. An attacker would need to create a 
ASSESSMENT:    specially crafted MIDI file designed to exploit this 
               vulnerability and then host it on a Web site or on a network 
               share, or send it by using an HTML-based e-mail. The attacker 
               then needs to lure a user to open the specially crafted file or 
               visit the Web site. 
______________________________________________________________________________
LINKS: 
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/n-126.shtml 
 ORIGINAL BULLETIN:  http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-030.asp
______________________________________________________________________________

Revision History: 8/20/03 - Microsoft released details of an additional patch 
for supported versions of DirectX. 

[***** Start Microsoft Security Bulletin MS03-030 *****]

Microsoft Security Bulletin MS03-030

Unchecked Buffer in DirectX Could Enable System Compromise (819696)
Originally posted: July 23, 2003 
Updated: August 20, 2003

Summary
Who should read this bulletin: Customers using Microsoft® Windows® 

Impact of vulnerability: Allow an attacker to execute code on a 
user’s system 

Maximum Severity Rating: Critical 

Recommendation: Customers should apply the security patch immediately 

Affected Software: 

* Microsoft DirectX® 5.2 on Windows 98 
* Microsoft DirectX 6.1 on Windows 98 SE 
* Microsoft DirectX 7.1 on Windows Millennium Edition 
* Microsoft DirectX 7.0 on Windows 2000 
* Microsoft DirectX 8.0, 8.0a, 8.1, 8.1a, and 8.1b when installed on 
  Windows 98, Windows 98 SE, Windows Millennium Edition or Windows 2000 
* Microsoft DirectX 8.1 on Windows XP or Windows Server 2003 
* Microsoft DirectX 9.0a when installed on Windows 98, Windows 98 SE, 
  Windows Millennium Edition (Windows Me), Windows 2000, Windows XP, or 
  Windows Server 2003 
* Microsoft Windows NT 4.0 with either Windows Media Player 6.4 or Internet 
  Explorer 6 Service Pack 1 installed 
* Microsoft Windows NT 4.0, Terminal Server Edition with either Windows 
  Media Player 6.4 or Internet Explorer 6 Service Pack 1 installed 

An End User version of the bulletin is available at:
http://www.microsoft.com/security/security_bulletins/ms03-030.asp. 

Technical details

Technical description: 

Subsequent to the original release of this bulletin, customers requested 
that we support additional versions of DirectX that were not covered by the 
original patches. This bulletin has been updated to provide information 
about this new patch. 

DirectX consists of a set of low-level Application Programming Interfaces 
(APIs) that are used by Windows programs for multimedia support. Within 
DirectX, the DirectShow technology performs client-side audio and video 
sourcing, manipulation, and rendering. 

There are two buffer overruns with identical effects in the function used 
by DirectShow to check parameters in a Musical Instrument Digital Interface 
(MIDI) file. A security vulnerability results because it could be possible 
for a malicious user to attempt to exploit these flaws and execute code in 
the security context of the logged-on user. 

An attacker could seek to exploit this vulnerability by creating a specially 
crafted MIDI file designed to exploit this vulnerability and then host it on 
a Web site or on a network share, or send it by using an HTML-based e-mail. 
In the case where the file was hosted on a Web site or network share, the 
user would need to open the specially crafted file. If the file was embedded 
in a page the vulnerability could be exploited when a user visited the Web 
page. In the HTML-based e-mail case, the vulnerability could be exploited 
when a user opened or previewed the HTML-based e-mail. A successful attack 
could cause DirectShow, or an application making use of DirectShow, to fail. 
A successful attack could also cause an attacker’s code to run on the user’s 
computer in the security context of the user. 

Mitigating factors: 

* By default, Internet Explorer on Windows Server 2003 runs in Enhanced 
  Security Configuration. This default configuration of Internet Explorer 
  blocks the e-mail-based vector of this attack because Microsoft Outlook 
  Express running on Windows Server 2003 by default reads e-mail in plain 
  text. If Internet Explorer Enhanced Security Configuration were disabled, 
  the protections put in place that prevent this vulnerability from being 
  exploited would be removed. 

* In the Web-based attack scenario, the attacker would have to host a Web site 
  that contained a Web page used to exploit these vulnerabilities. An attacker 
  would have no way to force users to visit a malicious Web site outside the 
  HTML-based e-mail vector. Instead, the attacker would need to lure them there, 
  typically by getting them to click a link that would take them to the attacker's 
  site. 

* The combination of the above means that on Windows Server 2003 an administrator 
  browsing only to trusted sites should be safe from this vulnerability. 

* Code executed on the system would only run under the privileges of the 
  logged-on user. 

Severity Rating: 
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Affected software                                                 Rating
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Microsoft DirectX 9.0a                                            Critical
Microsoft DirectX 9.0a when installed on Windows Server 2003      Important
Microsoft DirectX 8.0, 8.0a, 8.1, 8.1a, and 8.1b, all versions
  except DirectX 8.1 on Windows Server 2003                       Critical
Microsoft DirectX 8.1 on Windows Server 2003                      Important
Microsoft DirectX 7.1 on Windows Millennium Edition               Critical
Microsoft DirectX 7.0 on Windows 2000                             Critical
Microsoft Windows Media Player 6.4 or Internet Explorer 6
  Service Pack 1 when installed on Windows NT 4.0                 Critical
Microsoft Windows Media Player 6.4 or Internet Explorer 6
  Service Pack 1 when installed on Windows NT 4.0, Terminal
  Server Edition                                                  Critical
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

The above assessment is based on the types of systems affected by the vulnerability, 
their typical deployment patterns, and the effect that exploiting the vulnerability 
would have on them. 

Vulnerability identifier: CAN-2003-0346 

Tested Versions:
Microsoft tested Microsoft DirectX 9.0a, Microsoft DirectX 8.1, Microsoft DirectX 7.0, 
Microsoft DirectX 7.0a on Windows Millennium Edition, DirectX 6.1 on Windows 98 SE, 
DirectX 5.2 on Windows 98, Microsoft Windows NT 4.0 with Windows Media Player 6.4 
and Internet Explorer 6 Service Pack 1 installed, Microsoft Windows NT 4.0, Terminal 
Server Edition with Windows Media Player 6.4 and Internet Explorer 6 Service Pack 1 
installed to assess whether they are affected by this vulnerability. Previous versions 
are no longer supported and may or may not be affected by this vulnerability.

Patch availability

Download locations for this patch 

* Microsoft DirectX 5.2, DirectX 6.1 and DirectX 7.1 on Windows 98, Windows 98 SE 
  and Windows Millennium Edition respectively

* Microsoft DirectX 7.0 on Windows 2000 

* Microsoft DirectX 8.0, DirectX 8.0a, DirectX 8.1, DirectX 8.1a, and DirectX 8.1b 
  on Windows 98, Windows 98 SE, Windows Millennium Edition, or Windows 2000 

Note: This update will be available via Windows Update at a later date. 

* Microsoft DirectX 8.1 on Windows XP 32-bit Edition 
* Microsoft DirectX 8.1 on Windows XP 64-bit Edition 
* Microsoft DirectX 8.1 on Windows Server 2003 32-bit Edition 
* Microsoft DirectX 8.1 on Windows Server 2003 64-bit Edition 
* Microsoft DirectX 9.0a: All Windows versions except Windows NT 4.0 
* Microsoft Windows NT 4.0 
* Microsoft Windows NT 4.0, Terminal Server Edition 

Note: DirectX 9.0b has been released at the same time as this security bulletin and 
contains the security fix discussed in the security bulletin. DirectX 9.0b can be 
installed on all versions of Windows except Windows NT 4.0 and can be downloaded from 
the following location: 

* All Windows versions except Windows NT 4.0 

Additional information about this patch

Installation platforms: 
DirectX 9.0b can be installed on systems running: 

* Windows 98 
* Windows 98 SE 
* Windows Millennium Edition 
* Windows 2000 Service Pack 3 
* Windows XP Gold 
* Windows XP Service Pack 1 
* Windows Server 2003 

The patch for DirectX 9.0a can be installed on systems running: 

* Windows 98 
* Windows 98 SE 
* Windows Millennium Edition 
* Windows 2000 Service Pack 3 
* Windows XP Gold 
* Windows XP Service Pack 1 
* Windows Server 2003 

The patch for DirectX 8.1 can be installed on systems running: 

* Windows XP Gold 
* Windows XP Service Pack 1 
* Windows Server 2003 Gold 

The patch for DirectX 8.0a, DirectX 8.1, DirectX 8.1a, and DirectX 8.1b can be 
installed on systems running:
 
* Windows 98 
* Windows 98 SE 
* Windows Millennium Edition 
* Windows 2000 Service Pack 3 and Service Pack 2 

The patch for DirectX 7.0 can be installed on systems running: 

* Windows 2000 Service Pack 3 

The patch for Windows NT 4.0 can be installed on systems running: 

* Windows NT 4 Service Pack 6a 
* Windows NT 4 Service Pack 6, Terminal Server Edition 

Inclusion in future service packs:
The fix for this issue is included in Windows 2000 Service Pack 4.
The fix for this issue will be included in the following Service Packs: 

* Windows XP Service Pack 2 
* Windows Server 2003 Service Pack 1 

Reboot needed: Yes 

Patch can be uninstalled: 

* DirectX 9.0b: No 
* DirectX 9.0a patch: No 
* DirectX 8.1 patch on Windows XP or Windows Server 2003: Yes 
* DirectX 8.0, DirectX 8.0a, DirectX 8.1, DirectX 8.1a, and DirectX 8.1b patch 
  on Windows 98, Windows 98 SE, Windows Millennium Edition or Windows 2000: No 
* DirectX 7.1 patch: Yes 
* Windows NT 4.0 patch: Yes 

Superseded patches: None. 

Verifying patch installation: 

* Windows Server 2003: To verify that the patch has been installed on the machine, 
  confirm that the following registry key has been created on the machine: 
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows Server 2003\SP1\KB819696 
  To verify the individual files, use the date/time and version information provided 
  in the following registry key: 
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows Server 2003\SP1\KB819696\Filelist 

* Windows XP Gold: To verify that the patch has been installed on the machine, confirm 
  that the following registry key has been created on the machine: 
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP1\Q819696 
  To verify the individual files, use the date/time and version information provided 
  in the following registry key: 
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP1\Q819696\Filelist 

* Windows XP Service Pack 1: To verify that the patch has been installed on the machine, 
  confirm that the following registry key has been created on the machine: 
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP2\Q819696 
  To verify the individual files, use the date/time and version information provided 
  in the following registry key: 
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP2\Q819696\Filelist 

* Windows 2000 Service Pack 2: To verify that the patch has been installed on the machine, 
  confirm that the following registry key has been created on the machine: 
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP5\KB819696 
  To verify the individual files, use the date/time and version information provided 
  in the following registry key: 
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP5\KB819696\Filelist 

* Windows 2000 Service Pack 3: To verify that the patch has been installed on the machine, 
  confirm that the following registry key has been created on the machine: 
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP5\KB819696 
  To verify the individual files, use the date/time and version information provided 
  in the following registry key: 
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP5\KB819696\Filelist 

* Windows NT 4.0 Service Pack 6a: To verify that the patch has been installed on the machine, 
  confirm that the following registry key has been created on the machine: 
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q819696 

* Windows NT 4.0 Service Pack 6 Terminal Server Edition: To verify that the patch has been 
  installed on the machine, confirm that the following registry key has been created on the 
  machine: 
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q819696 

* Windows Server 2003, Windows XP Gold, Windows XP Service Pack 1, Windows 2000 Service Pack 3, 
  Windows Millennium Edition, Windows 98, or Windows 98 Second Edition with DirectX 9.0a: To 
  verify that the DirectX 9.0a patch has been installed on the machine, confirm that the 
  following registry key has been created and has a value of 1: 
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\DirectX\dx819696\IsInstalled 
  To verify the individual files, use the version information provided in the following 
  registry key: 
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\DirectX\dx819696\Filelist 

* Windows 2000 Service Pack 3, Windows Millennium Edition, Windows 98, or Windows 98 Second 
  Edition with DirectX 8.0 through DirectX 8.1b: To verify that the DirectX 8 patch has been 
  installed on the machine, confirm that the following registry key has been created and has 
  a value of 1: 
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\DirectX\dx819696\IsInstalled 
  To verify the individual files, use the version information provided in the following 
  registry key: 
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\DirectX\dx819696\Filelist 

* For all DirectX 9.0b updates: 

  To verify that the patch has been installed on the machine, confirm that the following 
  registry key has been created on the machine: 
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectX\Version 
  If 9.0b is actually installed, the value will be 4.09.00.0902. 

  To verify the individual files, use the File List tab of the Dxdiag.exe command-line 
  utility. 

  1. On the taskbar at the bottom of your screen, click Start, and then click Run.

  2. In the Run dialog box, type dxdiag

  3. Click OK.

  4. Click the DirectX Files tab of the dialog box that appears to display the file manifest 
     of DirectX.
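
The registry checks listed above can be run offline against a text export of a machine's registry (regedit export format). This is an added example, not part of the bulletin or of any Microsoft tool. It assumes that IsInstalled and Version are value names under their parent keys, and the sample exports are constructed.

```python
import re

# Registry markers copied from the bulletin's "Verifying patch installation" list.
UPD = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates"
OS_MARKERS = {
    "Windows Server 2003": UPD + r"\Windows Server 2003\SP1\KB819696",
    "Windows XP Gold": UPD + r"\Windows XP\SP1\Q819696",
    "Windows XP Service Pack 1": UPD + r"\Windows XP\SP2\Q819696",
    "Windows 2000 Service Pack 2 or 3": UPD + r"\Windows 2000\SP5\KB819696",
    "Windows NT 4.0 Service Pack 6a / Service Pack 6 TSE":
        r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q819696",
}
# Assumption: the last path component the bulletin gives is a value name.
DX_PATCH = (UPD + r"\DirectX\dx819696", "IsInstalled")
DX_VERSION = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectX", "Version")
DX_9_0B = "4.09.00.0902"  # value the bulletin gives for DirectX 9.0b
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

def parse_reg_export(text):
    """Return {key: {value_name: data}}; keys and names are lower-cased
    because registry paths are case-insensitive."""
    keys, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        m = VALUE_RE.match(line)
        if m is None or current is None:
            continue  # banner line, blank line, or unsupported syntax
        name, data = m.groups()
        if data.startswith("dword:"):
            data = int(data[6:], 16)
        elif data.startswith('"') and data.endswith('"'):
            data = re.sub(r"\\(.)", r"\1", data[1:-1])  # undo .reg escaping
        current[name.lower()] = data
    return keys

def _value(reg, key, name):
    return reg.get(key.lower(), {}).get(name.lower())

def _has_key(reg, key):
    # A key counts as present if it, or any subkey such as Filelist, was exported.
    key = key.lower()
    return any(k == key or k.startswith(key + "\\") for k in reg)

def ms03_030_status(text):
    """Report which of the bulletin's markers appear in a registry export."""
    reg = parse_reg_export(text)
    version = _value(reg, *DX_VERSION)
    return {
        "os_patch_markers": sorted(n for n, k in OS_MARKERS.items() if _has_key(reg, k)),
        "directx_patch_installed": _value(reg, *DX_PATCH) in (1, "1"),
        "directx_version": version,
        "directx_is_9_0b": version == DX_9_0B,
    }

# Constructed sample exports (not captured from real hosts).
SAMPLE_PATCHED = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectX]
"Version"="4.09.00.0902"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP2\Q819696\Filelist]
"""
SAMPLE_UNPATCHED = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectX]
"Version"="4.08.01.0881"
"""
```

The version comparison is an exact match on the 9.0b string from the bulletin, so a different version string reports `directx_is_9_0b` as false rather than being interpreted.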

Caveats:
None 

Localization:
Localized versions of this patch are available at the locations discussed in “Patch 
Availability”. 

Obtaining other security patches: 
Patches for other security issues are available from the following locations: 

* Security patches are available from the Microsoft Download Center, and can be most easily 
  found by doing a keyword search for "security_patch". 

* Patches for consumer platforms are available from the WindowsUpdate web site 

Other information: 

Acknowledgments
Microsoft thanks eEye Digital Security for reporting this issue to us and working with us 
to help protect customers.

Support: 

* Microsoft Knowledge Base article 819696 discusses this issue and will be available 
  approximately 24 hours after the release of this bulletin. Knowledge Base articles can be 
  found on the Microsoft Online Support Web site. 

* Technical support is available from Microsoft Product Support Services. There is no charge 
  for support calls associated with security patches. 

Security Resources: The Microsoft TechNet Security Web Site provides additional information 
about security in Microsoft products. 

Disclaimer: 
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty 
of any kind. Microsoft disclaims all warranties, either express or implied, including the 
warranties of merchantability and fitness for a particular purpose. In no event shall 
Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special damages, even if 
Microsoft Corporation or its suppliers have been advised of the possibility of such damages. 
Some states do not allow the exclusion or limitation of liability for consequential or 
incidental damages so the foregoing limitation may not apply. 

Revisions: 

* V1.0 (July 23, 2003): Bulletin Created. 
* V1.1 (July 23, 2003): Fixed Download Link for Windows NT 4. 
* V1.2 (July 23, 2003): Updated Download Links in Patch Availability section. 
* V2.0 (August 20, 2003): Updated to include details of an additional patch for 
  supported versions of DirectX. 

[***** End Microsoft Security Bulletin MS03-030 *****]

_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Microsoft Corporation for the 
information contained in this bulletin.
_______________________________________________________________________________


CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
   Anonymous FTP:       ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

N-116: Flaw in Microsoft Windows Message Handling through Utility Manager Could Enable Privilege Elevation
N-117: Microsoft RPC Interface Buffer Overrun Vulnerability
N-118: Cisco IOS Interface Blocked by IPv4 Packet
N-119: Microsoft Internet Security and Acceleration (ISA) Server Error Pages Could Allow Cross-Site Scripting Attack
N-120: Unchecked Buffer in Microsoft Windows Shell Could Enable System Compromise
N-121: Red Hat Updated Mozilla Packages Fix Security Vulnerability
N-122: Red Hat Updated 2.4 Kernel Fixes Vulnerabilities
N-123: SGI Login Vulnerabilities
N-124: Sun Solaris 8 LDAP Clients May Log the Proxy Agent User's Password as Clear Text
N-125: Cumulative Patch for Microsoft SQL Server

