CERT Advisory CA-2003-18 Integer Overflows in Microsoft Windows DirectX MIDI Library
From: CERT Advisory (cert-advisory_at_cert.org)
Date: Fri, 25 Jul 2003 14:48:43 -0400 To: firstname.lastname@example.org
-----BEGIN PGP SIGNED MESSAGE-----
CERT Advisory CA-2003-18 Integer Overflows in Microsoft Windows DirectX
Original issue date: July 25, 2003
Last revised: --
A complete revision history is at the end of this file.
* Microsoft Windows systems running DirectX (Windows 98, 98SE, NT
4.0, NT 4.0 TSE, 2000, Server 2003)
A set of integer overflows exists in a DirectX library included in
Microsoft Windows. An attacker could exploit this vulnerability to
execute arbitrary code or to cause a denial of service.
Microsoft Windows operating systems include multimedia technologies
called DirectX and DirectShow. From Microsoft Security Bulletin
MS03-030, "DirectX consists of a set of low-level Application
Programming Interfaces (APIs) that are used by Windows programs for
multimedia support. Within DirectX, the DirectShow technology performs
client-side audio and video sourcing, manipulation, and rendering."
DirectShow support for MIDI files is implemented in a library called
quartz.dll. This library contains two vulnerabilities:
VU#561284 - Microsoft Windows DirectX MIDI library does not
adequately validate Text or Copyright parameters in
VU#265232 - Microsoft Windows DirectX MIDI library does not
adequately validate MThd track values in MIDI files
In both cases, a specially crafted MIDI file could cause an integer
overflow, leading to incorrect memory allocation and heap corruption.
Any application that uses DirectX/DirectShow to process MIDI files may
be affected by this vulnerability. Of particular concern, Internet
Explorer (IE) uses the Windows Media Player ActiveX control and
quartz.dll to handle MIDI files embedded in HTML documents. An
attacker could therefore exploit this vulnerability by convincing a
victim to view an HTML document, such as a web page or an HTML email
message, that contains an embedded MIDI file. Note that in addition to
IE, a number of applications, including Outlook, Outlook Express,
Eudora, AOL, Lotus Notes, and Adobe PhotoDeluxe, use the WebBrowser
ActiveX control to interpret HTML documents.
Further technical details are available in eEye Digital Security
advisory AD20030723. Common Vulnerabilities and Exposures (CVE) refers
to these vulnerabilities as CAN-2003-0346.
By convincing a victim to access a specially crafted MIDI or HTML
file, an attacker could execute arbitrary code with the privileges of
the victim. The attacker could also cause a denial of service in any
application that uses the vulnerable functions in quartz.dll.
Apply a patch
Apply the appropriate patch as specified by Microsoft Security
Disable embedded MIDI files
Change the Run ActiveX controls and plug-ins security setting to
Disable in the Internet zone and the zone(s) used by Outlook, Outlook
Express, and any other application that uses the WebBrowser ActiveX
control to render HTML. This modification will prevent MIDI files from
being automatically loaded from HTML documents. This workaround is not
a complete solution and will not prevent attacks that attempt to load
MIDI files directly.
Instructions for modifying IE security zone settings can be found in
the CERT/CC Malicious Web Scripts FAQ.
Appendix A. Vendor Information
This appendix contains information provided by vendors. When vendors
report new information, this section is updated and the changes are
noted in the revision history. If a vendor is not listed below, we
have not received their comments.
Please see Microsoft Security Bulletin MS03-030.
Appendix B. References
* CERT/CC Vulnerability Note VU#561284 -
* CERT/CC Vulnerability Note VU#265232 -
* eEye Digital Security advisory AD20030723 -
* Microsoft Security Bulletin MS03-030 -
* Microsoft Knowledge Base article 819696 -
These vulnerabilities were researched and reported by eEye Digital
Feedback can be directed to the author, Art Manion.
This document is available from:
CERT/CC Contact Information
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) /
EDT(GMT-4) Monday through Friday; they are on call for emergencies
during other hours, on U.S. holidays, and on weekends.
We strongly urge you to encrypt sensitive information sent by email.
Our public PGP key is available from
If you prefer to use DES, please call the CERT hotline for more
Getting security information
CERT publications and other security information are available from
our web site
To subscribe to the CERT mailing list for advisories and bulletins,
send email to email@example.com. Please include in the body of your
* "CERT" and "CERT Coordination Center" are registered in the U.S.
Patent and Trademark Office.
Any material furnished by Carnegie Mellon University and the Software
Engineering Institute is furnished on an "as is" basis. Carnegie
Mellon University makes no warranties of any kind, either expressed or
implied as to any matter including, but not limited to, warranty of
fitness for a particular purpose or merchantability, exclusivity or
results obtained from use of the material. Carnegie Mellon University
does not make any warranty of any kind with respect to freedom from
patent, trademark, or copyright infringement.
Conditions for use, disclaimers, and sponsorship information
Copyright 2003 Carnegie Mellon University.
July 25, 2003: Initial release
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8
-----END PGP SIGNATURE-----