Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Windows :: n-126.txt

Microsoft Unchecked Buffer in DirectX Could Enable System Compromise (CIAC N-126)




             __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

      Microsoft Unchecked Buffer in DirectX Could Enable System Compromise
                     [Microsoft Security Bulletin MS03-030]

July 24, 2003 20:00 GMT                                           Number N-126
[Revised 20 August 2003]
______________________________________________________________________________
PROBLEM:       There are two buffer overruns with identical effects in the 
               function used by DirectShow to check parameters in a Musical 
               Instrument Digital Interface (MIDI) file. 
SOFTWARE:      * Microsoft DirectX® 5.2 on Windows 98 
	       * Microsoft DirectX 6.1 on Windows 98 SE 
	       * Microsoft DirectX 7.0a on Windows Millennium Edition
               * Microsoft DirectX 7.0 on Windows 2000 
               * Microsoft DirectX 8.1 on Windows XP 
	       * Microsoft DirectX 8.1 on Windows Server 2003 
               * Microsoft DirectX 9.0a when installed on Windows Millennium 
		 Edition 
	       * Microsoft DirectX 9.0a when installed on Windows 2000 
	       * Microsoft DirectX 9.0a when installed on Windows XP
               * Microsoft DirectX 9.0a when installed on Windows Server 2003
               * Microsoft Windows NT 4.0 with either Windows Media Player 6.4 
		 or Internet Explorer 6 Service Pack 1 installed. 
               * Microsoft Windows NT 4.0, Terminal Server Edition with either 
               	 Windows Media Player 6.4 or Internet Explorer 6 Service Pack 1 
               	 installed. 
DAMAGE:        It could be possible for a malicious user to attempt to exploit 
               these flaws and execute code in the security context of the 
               logged-on user. 
SOLUTION:      Apply patches stated in Microsoft's bulletin. 
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. An attacker would need to create a 
ASSESSMENT:    specially crafted MIDI file designed to exploit this 
               vulnerability and then host it on a Web site or on a network 
               share, or send it by using an HTML-based e-mail. The attacker 
               then needs to lure a user to open the specially crafted file or 
               visit the Web site. 
______________________________________________________________________________
LINKS: 
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/n-126.shtml 
 ORIGINAL BULLETIN:                                                           
                     http://www.microsoft.com/technet/treeview/
                      default.asp?url=/technet/security/bulletin/MS03-030.asp 
______________________________________________________________________________

Revision History: 8/20/03 - Microsoft released details of an additional patch 
for supported versions of DirectX. 

[***** Start Microsoft Security Bulletin MS03-030 *****]

Microsoft Security Bulletin MS03-030

Unchecked Buffer in DirectX Could Enable System Compromise (819696)
Originally posted: July 23, 2003 
Updated: August 20, 2003

Summary
Who should read this bulletin: Customers using Microsoft® Windows® 

Impact of vulnerability: Allow an attacker to execute code on a 
user’s system 

Maximum Severity Rating: Critical 

Recommendation: Customers should apply the security patch immediately 

Affected Software: 

* Microsoft DirectX® 5.2 on Windows 98 
* Microsoft DirectX 6.1 on Windows 98 SE 
* Microsoft DirectX 7.1 on Windows Millennium Edition 
* Microsoft DirectX 7.0 on Windows 2000 
* Microsoft DirectX 8.0, 8.0a, 8.1, 8.1a, and 8.1b when installed on 
  Windows 98, Windows 98 SE, Windows Millennium Edition or Windows 2000 
* Microsoft DirectX 8.1 on Windows XP or Windows Server 2003 
* Microsoft DirectX 9.0a when installed on Windows 98, Windows 98 SE, 
  Windows Millennium Edition (Windows Me), Windows 2000, Windows XP, or 
  Windows Server 2003 
* Microsoft Windows NT 4.0 with either Windows Media Player 6.4 or Internet 
  Explorer 6 Service Pack 1 installed 
* Microsoft Windows NT 4.0, Terminal Server Edition with either Windows 
  Media Player 6.4 or Internet Explorer 6 Service Pack 1 installed 

An End User version of the bulletin is available at:
http://www.microsoft.com/security/security_bulletins/ms03-030.asp. 

Technical details

Technical description: 

Subsequent to the original release of this bulletin, customers requested 
that we support additional versions of DirectX that were not covered by the 
original patches. This bulletin has been updated to provide information 
about this new patch. 

DirectX consists of a set of low-level Application Programming Interfaces 
(APIs) that are used by Windows programs for multimedia support. Within 
DirectX, the DirectShow technology performs client-side audio and video 
sourcing, manipulation, and rendering. 

There are two buffer overruns with identical effects in the function used 
by DirectShow to check parameters in a Musical Instrument Digital Interface 
(MIDI) file. A security vulnerability results because it could be possible 
for a malicious user to attempt to exploit these flaws and execute code in 
the security context of the logged-on user. 

An attacker could seek to exploit this vulnerability by creating a specially 
crafted MIDI file designed to exploit this vulnerability and then host it on 
a Web site or on a network share, or send it by using an HTML-based e-mail. 
In the case where the file was hosted on a Web site or network share, the 
user would need to open the specially crafted file. If the file was embedded 
in a page the vulnerability could be exploited when a user visited the Web 
page. In the HTML-based e-mail case, the vulnerability could be exploited 
when a user opened or previewed the HTML-based e-mail. A successful attack 
could cause DirectShow, or an application making use of DirectShow, to fail. 
A successful attack could also cause an attacker’s code to run on the user’s 
computer in the security context of the user. 

Mitigating factors: 

* By default, Internet Explorer on Windows Server 2003 runs in Enhanced 
  Security Configuration. This default configuration of Internet Explorer 
  blocks the e-mail-based vector of this attack because Microsoft Outlook 
  Express running on Windows Server 2003 by default reads e-mail in plain 
  text. If Internet Explorer Enhanced Security Configuration were disabled, 
  the protections put in place that prevent this vulnerability from being 
  exploited would be removed. 

* In the Web-based attack scenario, the attacker would have to host a Web site 
  that contained a Web page used to exploit these vulnerabilities. An attacker 
  would have no way to force users to visit a malicious Web site outside the 
  HTML-based e-mail vector. Instead, the attacker would need to lure them there, 
  typically by getting them to click a link that would take them to the attacker's 
  site. 

* The combination of the above means that on Windows Server 2003 an administrator 
  browsing only to trusted sites should be safe from this vulnerability. 

* Code executed on the system would only run under the privileges of the 
  logged-on user. 

Severity Rating: 
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Microsoft DirectX 9.0a 						Critical 
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Microsoft DirectX 9.0a when 
installed on Windows Server 2003 				Important 
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Microsoft DirectX 8.0, 8.0a, 8.1, 8.1a, and 8.1b, 
all versions except DirectX 8.1 on Windows Server 2003 		Critical 
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Microsoft DirectX 8.1 on Windows Server 2003 			Important 
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Microsoft DirectX 7.1 on Windows Millennium Edition 		Critical 
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Microsoft DirectX 7.0 on Windows 2000 				Critical 
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Microsoft Windows Media Player 6.4 or 
Internet Explorer 6 Service Pack 1 
when installed on Windows NT 4.0 				Critical 
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Microsoft Windows Media Player 6.4 or 
Internet Explorer 6 Service Pack 1 
when installed on Windows NT 4.0, Terminal 
Server Edition							Critical 
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

The above assessment is based on the types of systems affected by the vulnerability, 
their typical deployment patterns, and the effect that exploiting the vulnerability 
would have on them. 

Vulnerability identifier: CAN-2003-0346 

Tested Versions:
Microsoft tested Microsoft DirectX 9.0a, Microsoft DirectX 8.1, Microsoft DirectX 7.0, 
Microsoft DirectX 7.0a on Windows Millennium Edition, DirectX 6.1 on Windows 98 SE, 
DirectX 5.2 on Windows 98, Microsoft Windows NT 4.0 with Windows Media Player 6.4 
and Internet Explorer 6 Service Pack 1 installed, Microsoft Windows NT 4.0, Terminal 
Server Edition with Windows Media Player 6.4 and Internet Explorer 6 Service Pack 1 
installed to assess whether they are affected by this vulnerability. Previous versions 
are no longer supported and may or may not be affected by this vulnerability

Patch availability

Download locations for this patch 

* Microsoft DirectX 5.2, DirectX 6.1 and DirectX 7.1 on Windows 98, Windows 98 SE 
  and Windows Millennium Edition respectively

* Microsoft DirectX 7.0 on Windows 2000 

* Microsoft DirectX 8.0, Direct X8.0a, DirectX 8.1, DirectX 8.1a, and DirectX 8.1b 
  on Windows 98, Windows 98 SE, Windows Millennium Edition, or Windows 2000 

Note: This update will be available via Windows Update at a later date. 

* Microsoft DirectX 8.1 on Windows XP 32-bit Edition 
* Microsoft DirectX 8.1 on Windows XP 64-bit Edition 
* Microsoft DirectX 8.1 on Windows Server 2003 32-bit Edition 
* Microsoft DirectX 8.1 on Windows Server 2003 64-bit Edition 
* Microsoft DirectX 9.0a: All Windows versions except Windows NT 4.0 
* Microsoft Windows NT 4.0 
* Microsoft Windows NT 4.0, Terminal Server Edition 

Note: DirectX 9.0b has been released at the same time as this security bulletin and 
contains the security fix discussed in the security bulletin. DirectX 9.0b can be 
installed on all versions of Windows except Windows NT 4.0 and can be downloaded from 
the following location: 

* All Windows versions except Windows NT 4.0 

Additional information about this patch

Installation platforms: 
DirectX 9.0b can be installed on systems running: 

* Windows 98 
* Windows 98 SE 
* Windows Millennium Edition 
* Windows 2000 Service Pack 3 
* Windows XP Gold 
* Windows XP Service Pack 1 
* Windows Server 2003 

The patch for DirectX 9.0a can be installed on systems running: 

* Windows 98 
* Windows 98 SE 
* Windows Millennium Edition 
* Windows 2000 Service Pack 3 
* Windows XP Gold 
* Windows XP Service Pack 1 
* Windows Server 2003 

The patch for DirectX 8.1 can be installed on systems running: 

* Windows XP Gold 
* Windows XP Service Pack 1 
* Windows Server 2003 Gold 

The patch for Direct X8.0a, DirectX 8.1, DirectX 8.1a, and DirectX 8.1b can be 
installed on systems running:
 
* Windows 98 
* Windows 98 SE 
* Windows Millennium Edition 
* Windows 2000 Service Pack 3 and Service Pack 2 

The patch for DirectX 7.0 can be installed on systems running: 

* Windows 2000 Service Pack 3 

The patch for Windows NT 4.0 can be installed on systems running: 

* Windows NT 4 Service Pack 6a 
* Windows NT 4 Service Pack 6, Terminal Server Edition 

Inclusion in future service packs:
The fix for this issue is included in Windows 2000 Service Pack 4.
The fix for this issue will be included in the following Service Packs: 

* Windows XP Service Pack 2 
* Windows Server 2003 Service Pack 1 

Reboot needed: Yes 

Patch can be uninstalled: 

* DirectX 9.0b: No 
* DirectX 9.0a patch: No 
* DirectX 8.1 patch on Windows XP or Windows Server 2003: Yes 
* DirectX 8.0, DirectX 8.0a, DirectX 8.1, DirectX 8.1a, and DirectX 8.1b patch 
  on Windows 98, Windows 98 SE, Windows Millennium Edition or Windows 2000: No 
* DirectX 7.1 patch: Yes 
* Windows NT 4.0 patch: Yes 

Superseded patches: None. 

Verifying patch installation: 

* Windows Server 2003: To verify that the patch has been installed on the machine, 
  confirm that the following registry key has been created on the machine: 
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows Server 2003\SP1\KB819696 
  To verify the individual files, use the date/time and version information provided 
  in the following registry key: 
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows Server 2003\SP1\KB819696\Filelist 

* Windows XP Gold: To verify that the patch has been installed on the machine, confirm 
  that the following registry key has been created on the machine: 
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP1\Q819696 To verify the 
  individual files, use the date/time and version information provided in the following 
  registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP1\Q819696\Filelist 

* Windows XP Service Pack 1: To verify that the patch has been installed on the machine, 
  confirm that the following registry key has been created on the machine: 
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP2\Q819696 To verify the 
  individual files, use the date/time and version information provided in the following 
  registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP2\Q819696\Filelist 

* Windows 2000 Service Pack 2: To verify that the patch has been installed on the machine, 
  confirm that the following registry key has been created on the machine: 
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP5\KB819696 To verify the 
  individual files, use the date/time and version information provided in the following 
  registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP5\KB819696\Filelist 

* Windows 2000 Service Pack 3: To verify that the patch has been installed on the machine, 
  confirm that the following registry key has been created on the machine: 
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP5\KB819696 To verify the 
  individual files, use the date/time and version information provided in the following 
  registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP5\KB819696\Filelist 

* Windows NT 4.0 Service Pack 6a: To verify that the patch has been installed on the machine, 
  confirm that the following registry key has been created on the machine: 
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q819696 

* Windows NT 4.0 Service Pack 6 Terminal Server Edition: To verify that the patch has been 
  installed on the machine, confirm that the following registry key has been created on the 
  machine: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q819696 

* Windows Server 2003, Windows XP Gold, Windows XP Service Pack 1, Windows 2000 Service Pack 3, 
  Windows Millennium Edition, Windows 98, or Windows 98 Second Edition with DirectX 9.0a: To 
  verify that the DirectX 9.0a patch has been installed on the machine, confirm that the 
  following registry key has been created and has a value of 1: 
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\DirectX\dx819696\IsInstalled To verify the 
  individual files, use the version information provided in the following registry key: 
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\DirectX\dx819696\Filelist 

* Windows 2000 Service Pack 3, Windows Millennium Edition, Windows 98, or Windows 98 Second 
  Edition with DirectX 8.0 through DirectX 8.1b: To verify that the DirectX 8 patch has been 
  installed on the machine, confirm that the following registry key has been created and has 
  a value of 1: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\DirectX\dx819696\IsInstalled 
  To verify the individual files, use the version information provided in the following 
  registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\DirectX\dx819696\Filelist 

* For all DirectX 9.0b updates: 

  To verify that the patch has been installed on the machine, confirm that the following 
  registry key has been created on the machine: 
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectX\Version If 9.0b is actually installed, the 
  value will be 4.09.00.0902. 

  To verify the individual files, use the File List tab of the Dxdiag.exe command-line 
  utility. 

  1. On the taskbar at the bottom of your screen, click Start, and then click Run.

  2. In the Run dialog box, type dxdiag

  3. Click OK.

  4. Click the DirectX Files tab of the dialog box that appears to display the file manifest 
     of DirectX.

Caveats:
None 

Localization:
Localized versions of this patch are available at the locations discussed in “Patch 
Availability”. 

Obtaining other security patches: 
Patches for other security issues are available from the following locations: 

* Security patches are available from the Microsoft Download Center, and can be most easily 
  found by doing a keyword search for "security_patch". 

* Patches for consumer platforms are available from the WindowsUpdate web site 

Other information: 

Acknowledgments
Microsoft thanks eEye Digital Security for reporting this issue to us and working with us 
to help protect customers

Support: 

* Microsoft Knowledge Base article 819696 discusses this issue and will be available 
  approximately 24 hours after the release of this bulletin. Knowledge Base articles can be 
  found on the Microsoft Online Support Web site. 

* Technical support is available from Microsoft Product Support Services. There is no charge 
  for support calls associated with security patches. 

Security Resources: The Microsoft TechNet Security Web Site provides additional information 
about security in Microsoft products. 

Disclaimer: 
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty 
of any kind. Microsoft disclaims all warranties, either express or implied, including the 
warranties of merchantability and fitness for a particular purpose. In no event shall 
Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special damages, even if 
Microsoft Corporation or its suppliers have been advised of the possibility of such damages. 
Some states do not allow the exclusion or limitation of liability for consequential or 
incidental damages so the foregoing limitation may not apply. 

Revisions: 

* V1.0 (July 23, 2003): Bulletin Created. 
* V1.1 (July 23, 2003): Fixed Download Link for Windows NT 4. 
* V1.2 (July 23, 2003): Updated Download Links in Patch Availability section. 
* V2.0 (August 20, 2003): Updated to include details of an additional patch for 
  supported versions of DirectX. 

[***** End Microsoft Security Bulletin MS03-030 *****]

_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Microsoft Corporation for the 
information contained in this bulletin.
_______________________________________________________________________________


CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
   Anonymous FTP:       ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

N-116: Flaw in Microsoft Windows Message Handling through Utility Manager Could Enable Privilege Elevation
N-117: Microsoft RPC Interface Buffer Overrun Vulnerability
N-118: Cisco IOS Interface Blocked by IPv4 Packet
N-119: Microsoft Internet Security and Acceleration  (ISA) Server Error Pages Could Allow Cross-Site Scripting Attack
N-120: Unchecked Buffer in Microsoft Windows Shell Could Enable System Compromise
N-121: Red Hat Updated Mozilla Packages Fix Security Vulnerability
N-122: Red Hat Updated 2.4 Kernel Fixes Vulnerabilities
N-123: SGI Login Vulnerabilities
N-124: Sun Solaris 8 LDAP Clients May Log the Proxy Agent User's Password as Clear Text
N-125: Cumulative Patch for Microsoft SQL Server



TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH