CERT Advisory CA-2003-18 Integer Overflows in Microsoft Windows DirectX

Original issue date: July 25, 2003
Last revised: --

A complete revision history is at the end of this file.
Systems Affected

* Microsoft Windows systems running DirectX (Windows 98, 98SE, NT 4.0, NT 4.0 TSE, 2000, Server 2003)
Overview

Two integer overflows exist in a DirectX library included in Microsoft Windows. An attacker could exploit these vulnerabilities to execute arbitrary code or to cause a denial of service.
I. Description

Microsoft Windows operating systems include multimedia technologies called DirectX and DirectShow. From Microsoft Security Bulletin MS03-030, "DirectX consists of a set of low-level Application Programming Interfaces (APIs) that are used by Windows programs for multimedia support. Within DirectX, the DirectShow technology performs client-side audio and video sourcing, manipulation, and rendering."
DirectShow support for MIDI files is implemented in a library called quartz.dll. This library contains two vulnerabilities:

- Microsoft Windows DirectX MIDI library does not adequately validate Text or Copyright parameters in MIDI files
- Microsoft Windows DirectX MIDI library does not adequately validate MThd track values in MIDI files

In both cases, a specially crafted MIDI file could cause an integer overflow, leading to incorrect memory allocation and heap corruption.
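The defensive counterpart to the flaw described above, as an added example that is not code from the advisory, eEye or Microsoft and does not reproduce quartz.dll's logic: a hardened MTrk walker in C that checks every declared event length, Text (FF 01) and Copyright (FF 02) meta events included, against the bytes that actually remain before anything is allocated or copied. The function and sample names (vlq, check_track, sample_track) and the constructed sample track are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>

enum { MIDI_OK = 0, MIDI_BAD_EVENT = 1 };

/* SMF variable-length quantity: up to 4 bytes, 7 data bits each.
   Returns bytes consumed, or 0 if malformed or truncated. */
static size_t vlq(const uint8_t *p, size_t avail, uint32_t *v)
{
    *v = 0;
    for (size_t i = 0; i < 4 && i < avail; i++) {
        *v = (*v << 7) | (p[i] & 0x7F);
        if (!(p[i] & 0x80)) return i + 1;
    }
    return 0;
}

/* Walk one MTrk body of n bytes and check every declared event length,
   Text (FF 01) and Copyright (FF 02) meta events included, against the
   bytes that actually remain before anything is allocated or copied. */
int check_track(const uint8_t *p, size_t n)
{
    size_t i = 0, k; uint32_t v; uint8_t status = 0;
    while (i < n) {
        if (!(k = vlq(p + i, n - i, &v)) || (i += k) >= n) return MIDI_BAD_EVENT; /* delta time */
        if (p[i] == 0xFF) {                                   /* meta: FF type len data */
            if (n - i < 2 || !(k = vlq(p + i + 2, n - i - 2, &v))) return MIDI_BAD_EVENT;
            i += 2 + k;
        } else if (p[i] == 0xF0 || p[i] == 0xF7) {            /* sysex: F0 len data */
            if (!(k = vlq(p + i + 1, n - i - 1, &v))) return MIDI_BAD_EVENT;
            i += 1 + k;
        } else {                                              /* channel message */
            if (p[i] & 0x80) status = p[i++];
            if (status < 0x80) return MIDI_BAD_EVENT;        /* data byte with no status */
            v = ((status & 0xF0) == 0xC0 || (status & 0xF0) == 0xD0) ? 1 : 2;
        }
        if (v > n - i) return MIDI_BAD_EVENT;  /* compare by subtraction; i + v could wrap */
        i += v;
    }
    return MIDI_OK;
}

/* Constructed sample track (not from the advisory): a Copyright meta event
   that declares `declared` bytes but carries three, then a note and End of Track. */
int sample_track(uint8_t declared)
{
    uint8_t t[] = { 0,0xFF,0x02,declared,'(','c',')', 0,0x90,60,64, 0,0xFF,0x2F,0 };
    return check_track(t, sizeof t);
}
```

A file whose meta event claims more bytes than its track holds is rejected before any length-derived allocation happens; with declared = 3 the same track is accepted.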
Any application that uses DirectX/DirectShow to process MIDI files may be affected by this vulnerability. Of particular concern, Internet Explorer (IE) uses the Windows Media Player ActiveX control and quartz.dll to handle MIDI files embedded in HTML documents. An attacker could therefore exploit this vulnerability by convincing a victim to view an HTML document, such as a web page or an HTML email message, that contains an embedded MIDI file. Note that in addition to IE, a number of applications, including Outlook, Outlook Express, Eudora, AOL, Lotus Notes, and Adobe PhotoDeluxe, use the WebBrowser ActiveX control to interpret HTML documents.
Further technical details are available in eEye Digital Security advisory AD20030723. Common Vulnerabilities and Exposures (CVE) refers to these vulnerabilities as CAN-2003-0346.
II. Impact

By convincing a victim to access a specially crafted MIDI or HTML file, an attacker could execute arbitrary code with the privileges of the victim. The attacker could also cause a denial of service in any application that uses the vulnerable functions in quartz.dll.
III. Solution

Apply a patch

Apply the appropriate patch as specified by Microsoft Security Bulletin MS03-030.

Disable embedded MIDI files

Set the Run ActiveX controls and plug-ins security setting to Disable in the Internet zone and the zone(s) used by Outlook, Outlook Express, and any other application that uses the WebBrowser ActiveX control to render HTML. This modification will prevent MIDI files from being automatically loaded from HTML documents. This workaround is not a complete solution and will not prevent attacks that attempt to load MIDI files directly.

Instructions for modifying IE security zone settings can be found in the CERT/CC Malicious Web Scripts FAQ.
Appendix A. Vendor Information

This appendix contains information provided by vendors. When vendors report new information, this section is updated and the changes are noted in the revision history. If a vendor is not listed below, we have not received their comments.

Microsoft

Please see Microsoft Security Bulletin MS03-030.
Appendix B. References

* CERT/CC Vulnerability Note VU#561284 -
* CERT/CC Vulnerability Note VU#265232 -
* eEye Digital Security advisory AD20030723 -
* Microsoft Security Bulletin MS03-030 -
* Microsoft Knowledge Base article 819696 -
These vulnerabilities were researched and reported by eEye Digital Security.

Feedback can be directed to the author, Art Manion.

This document is available from:
CERT/CC Contact Information
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.
We urge you to encrypt sensitive information sent by email. Our public PGP key is available from

If you prefer to use DES, please call the CERT hotline for more information.

CERT publications and other security information are available from our web site

To subscribe to the CERT mailing list for advisories and bulletins, send email to firstname.lastname@example.org. Please include in the body of your message:
"CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.
Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied, as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.
Conditions for use, disclaimers, and sponsorship information

Copyright 2003 Carnegie Mellon University.

Revision History

July 25, 2003: Initial release