CERT Advisory CA-2003-18 Integer Overflows in Microsoft Windows DirectX MIDI Library

From: CERT Advisory (cert-advisory_at_cert.org)
Date: 07/25/03

    Date: Fri, 25 Jul 2003 14:48:43 -0400
    To: cert-advisory@cert.org


    CERT Advisory CA-2003-18 Integer Overflows in Microsoft Windows DirectX MIDI Library

       Original issue date: July 25, 2003
       Last revised: --
       Source: CERT/CC

       A complete revision history is at the end of this file.

    Systems Affected

         * Microsoft Windows systems running DirectX (Windows 98, 98SE, NT
           4.0, NT 4.0 TSE, 2000, Server 2003)


       A set of integer overflows exists in a DirectX library included in
       Microsoft Windows. An attacker could exploit this vulnerability to
       execute arbitrary code or to cause a denial of service.

    I. Description

       Microsoft Windows operating systems include multimedia technologies
       called DirectX and DirectShow. From Microsoft Security Bulletin
       MS03-030, "DirectX consists of a set of low-level Application
       Programming Interfaces (APIs) that are used by Windows programs for
       multimedia support. Within DirectX, the DirectShow technology performs
       client-side audio and video sourcing, manipulation, and rendering."

       DirectShow support for MIDI files is implemented in a library called
       quartz.dll. This library contains two vulnerabilities:

         VU#561284 - Microsoft Windows DirectX MIDI library does not
                     adequately validate Text or Copyright parameters in
                     MIDI files

         VU#265232 - Microsoft Windows DirectX MIDI library does not
                     adequately validate MThd track values in MIDI files

       In both cases, a specially crafted MIDI file could cause an integer
       overflow, leading to incorrect memory allocation and heap corruption.
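       The advisory does not publish the arithmetic that overflows inside
       quartz.dll, so the following is a defender's illustration rather than a
       reconstruction: an added example (not CERT/CC's or Microsoft's code) of
       how a MIDI reader validates the MThd chunk length and the Text/Copyright
       meta-event length against the bytes actually present before either value
       is used as an index or an allocation size. The function names, error
       codes and the embedded sample file are constructed for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Added example, not CERT/CC or Microsoft code: a bounds-checked reader for the
 * MThd header and the Text (0x01) / Copyright (0x02) meta events the advisory
 * names. Every length read from the file is untrusted and is checked against the
 * bytes actually present before it is used as an index or an allocation size. */
enum { MIDI_OK = 0, MIDI_ERR_TRUNCATED, MIDI_ERR_BAD_CHUNK, MIDI_ERR_LENGTH, MIDI_ERR_UNSUPPORTED, MIDI_ERR_NOMEM };
static uint32_t be32(const uint8_t *p) { return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3]; }
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* MIDI variable-length quantity: at most four bytes, 28 significant bits. */
int read_vlq(const uint8_t *buf, size_t len, size_t *pos, uint32_t *out) {
    uint32_t v = 0;
    for (int i = 0; i < 4; i++) {
        if (*pos >= len) return MIDI_ERR_TRUNCATED;
        uint8_t b = buf[(*pos)++];
        v = (v << 7) | (b & 0x7f);
        if (!(b & 0x80)) { *out = v; return MIDI_OK; }
    }
    return MIDI_ERR_LENGTH;  /* a fifth byte would exceed the 28-bit limit */
}

/* Validate MThd and report the track count and the offset of the first MTrk. The
 * declared length is compared against the remaining input, never added to 8 first. */
int parse_mthd(const uint8_t *buf, size_t len, uint16_t *ntrks, size_t *next) {
    if (len < 14 || memcmp(buf, "MThd", 4) != 0) return MIDI_ERR_BAD_CHUNK;
    uint32_t clen = be32(buf + 4);
    if (clen < 6) return MIDI_ERR_LENGTH;
    if (clen > len - 8) return MIDI_ERR_TRUNCATED;   /* 8 + clen could wrap on 32-bit */
    *ntrks = be16(buf + 10);
    *next = 8 + (size_t)clen;
    return MIDI_OK;
}

/* Walk the MTrk at pos and copy the first Text or Copyright meta event into a new
 * NUL-terminated string; *out stays NULL if there is none. The caller frees it. */
int extract_text_event(const uint8_t *buf, size_t len, size_t pos, char **out) {
    *out = NULL;
    if (pos > len || len - pos < 8 || memcmp(buf + pos, "MTrk", 4) != 0) return MIDI_ERR_BAD_CHUNK;
    uint32_t tlen = be32(buf + pos + 4); pos += 8;
    if (tlen > len - pos) return MIDI_ERR_TRUNCATED;
    size_t end = pos + tlen;                   /* cannot wrap: tlen <= len - pos */
    uint8_t status = 0;                        /* running-status byte, 0 = none */
    while (pos < end) {
        uint32_t delta, elen;
        int rc = read_vlq(buf, end, &pos, &delta);
        if (rc) return rc;
        if (pos >= end) return MIDI_ERR_TRUNCATED;
        uint8_t b = buf[pos];
        if (b == 0xFF) {                                          /* meta event */
            if (end - pos < 2) return MIDI_ERR_TRUNCATED;
            uint8_t type = buf[pos + 1]; pos += 2;
            if ((rc = read_vlq(buf, end, &pos, &elen)) != 0) return rc;
            if (elen > end - pos) return MIDI_ERR_TRUNCATED;     /* the key check */
            if (type == 0x01 || type == 0x02) {
                char *s = malloc((size_t)elen + 1);   /* elen < 2^28, cannot wrap */
                if (!s) return MIDI_ERR_NOMEM;
                memcpy(s, buf + pos, elen); s[elen] = '\0';
                *out = s; return MIDI_OK;
            }
            pos += elen;
        } else {                                  /* channel message; sysex rejected */
            if (b & 0x80) { if (b >= 0xF0) return MIDI_ERR_UNSUPPORTED; status = b; pos++; }
            else if (status == 0) return MIDI_ERR_UNSUPPORTED;   /* data byte, no status */
            size_t n = ((status & 0xF0) == 0xC0 || (status & 0xF0) == 0xD0) ? 1 : 2;
            if (end - pos < n) return MIDI_ERR_TRUNCATED;
            pos += n;
        }
    }
    return MIDI_OK;
}
/* Constructed sample: a one-track file carrying Copyright "demo". */
static const uint8_t SAMPLE_MIDI[] = {
    'M','T','h','d', 0,0,0,6, 0,0, 0,1, 0,96,    /* format 0, 1 track, 96 ppqn */
    'M','T','r','k', 0,0,0,16,
    0x00, 0xFF, 0x02, 0x04, 'd','e','m','o',     /* Copyright meta event */
    0x00, 0x90, 0x3C, 0x40,                      /* note on */
    0x00, 0xFF, 0x2F, 0x00 };                    /* end of track */
int read_copyright(const uint8_t *buf, size_t len, char **out) {   /* whole file */
    uint16_t ntrks; size_t next;
    int rc = parse_mthd(buf, len, &ntrks, &next);
    return rc ? rc : extract_text_event(buf, len, next, out);
}
int sample_copyright_matches(const char *expected) {   /* 1 if sample text == expected */
    char *s = NULL;
    int ok = read_copyright(SAMPLE_MIDI, sizeof SAMPLE_MIDI, &s) == MIDI_OK && s && strcmp(s, expected) == 0;
    free(s);
    return ok;
}
/* Corrupt the meta-event length so it claims 127 bytes; the reader must refuse the
 * file instead of reading past the track or sizing an allocation from that value. */
int oversized_length_result(void) {
    uint8_t bad[sizeof SAMPLE_MIDI]; char *s = NULL;
    memcpy(bad, SAMPLE_MIDI, sizeof bad);
    bad[25] = 0x7F;                            /* byte 25 is the length field */
    return read_copyright(bad, sizeof bad, &s);
}
```

       The two comparisons marked in the code are the whole point: a length
       from the file is compared against what remains of the buffer, never
       first added to an offset, so an oversized value fails as "truncated"
       instead of wrapping into a small allocation that a later copy overruns.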

       Any application that uses DirectX/DirectShow to process MIDI files may
       be affected by this vulnerability. Of particular concern, Internet
       Explorer (IE) uses the Windows Media Player ActiveX control and
       quartz.dll to handle MIDI files embedded in HTML documents. An
       attacker could therefore exploit this vulnerability by convincing a
       victim to view an HTML document, such as a web page or an HTML email
       message, that contains an embedded MIDI file. Note that in addition to
       IE, a number of applications, including Outlook, Outlook Express,
       Eudora, AOL, Lotus Notes, and Adobe PhotoDeluxe, use the WebBrowser
       ActiveX control to interpret HTML documents.

       Further technical details are available in eEye Digital Security
       advisory AD20030723. Common Vulnerabilities and Exposures (CVE) refers
       to these vulnerabilities as CAN-2003-0346.

    II. Impact

       By convincing a victim to access a specially crafted MIDI or HTML
       file, an attacker could execute arbitrary code with the privileges of
       the victim. The attacker could also cause a denial of service in any
       application that uses the vulnerable functions in quartz.dll.

    III. Solution

    Apply a patch

       Apply the appropriate patch as specified by Microsoft Security
       Bulletin MS03-030.

    Disable embedded MIDI files

       Change the "Run ActiveX controls and plug-ins" security setting to
       "Disable" in the Internet zone and in the zone(s) used by Outlook,
       Outlook Express, and any other application that uses the WebBrowser
       ActiveX control to render HTML. This modification will prevent MIDI
       files from being automatically loaded from HTML documents. This
       workaround is not a complete solution: it will not prevent attacks that
       attempt to load MIDI files directly, outside of an HTML document.

       Instructions for modifying IE security zone settings can be found in
       the CERT/CC Malicious Web Scripts FAQ.

    Appendix A. Vendor Information

       This appendix contains information provided by vendors. When vendors
       report new information, this section is updated and the changes are
       noted in the revision history. If a vendor is not listed below, we
       have not received their comments.


         Please see Microsoft Security Bulletin MS03-030.

    Appendix B. References

         * CERT/CC Vulnerability Note VU#561284 -
         * CERT/CC Vulnerability Note VU#265232 -
         * eEye Digital Security advisory AD20030723 -
         * Microsoft Security Bulletin MS03-030 -
         * Microsoft Knowledge Base article 819696 -

       These vulnerabilities were researched and reported by eEye Digital

       Feedback can be directed to the author, Art Manion.

       This document is available from:

    CERT/CC Contact Information

       Email: cert@cert.org
       Phone: +1 412-268-7090 (24-hour hotline)
       Fax: +1 412-268-6989
       Postal address:
          CERT Coordination Center
          Software Engineering Institute
          Carnegie Mellon University
          Pittsburgh PA 15213-3890

       CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) /
       EDT(GMT-4) Monday through Friday; they are on call for emergencies
       during other hours, on U.S. holidays, and on weekends.

    Using encryption

       We strongly urge you to encrypt sensitive information sent by email.
       Our public PGP key is available from

       If you prefer to use DES, please call the CERT hotline for more

    Getting security information

       CERT publications and other security information are available from
       our web site

       To subscribe to the CERT mailing list for advisories and bulletins,
       send email to majordomo@cert.org. Please include in the body of your

       subscribe cert-advisory

       * "CERT" and "CERT Coordination Center" are registered in the U.S.
       Patent and Trademark Office.

       Any material furnished by Carnegie Mellon University and the Software
       Engineering Institute is furnished on an "as is" basis. Carnegie
       Mellon University makes no warranties of any kind, either expressed or
       implied as to any matter including, but not limited to, warranty of
       fitness for a particular purpose or merchantability, exclusivity or
       results obtained from use of the material. Carnegie Mellon University
       does not make any warranty of any kind with respect to freedom from
       patent, trademark, or copyright infringement.

       Conditions for use, disclaimers, and sponsorship information

       Copyright 2003 Carnegie Mellon University.

    Revision History

       July 25, 2003: Initial release

