US-CERT
Vulnerability Notes Database

Vulnerability Note VU#265232

Microsoft Windows DirectX MIDI library does not adequately validate MThd track values in MIDI files

Overview

A Microsoft Windows DirectX library, quartz.dll, does not properly validate the number of tracks value in Musical Instrument Digital Interface (MIDI) files. An attacker could exploit this vulnerability to execute arbitrary code or crash any application using the library, causing a denial of service.

I. Description

Microsoft Windows operating systems include multimedia technologies called DirectX and DirectShow. From MS03-030:

    DirectX consists of a set of low-level Application Programming Interfaces (APIs) that are used by Windows programs for multimedia support. Within DirectX, the DirectShow technology performs client-side audio and video sourcing, manipulation, and rendering.

DirectShow support for MIDI files is implemented in a library called quartz.dll. This library does not adequately validate the tracks value in the MThd section of MIDI files. As a result, a specially crafted MIDI file could cause an integer overflow, leading to heap memory corruption. Further technical details are available in eEye Digital Security advisory AD20030723.
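
The following is an added example, not code from this note, from eEye, or from Microsoft. It is a strict Standard MIDI File check that treats the MThd track count as untrusted: it bounds the count by the buffer size and compares it with the MTrk chunks actually present. The function name, error codes and sample bytes are assumptions constructed for illustration, and the code does not reproduce the logic of quartz.dll.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum midi_check { MIDI_OK, MIDI_TRUNCATED, MIDI_BAD_MAGIC, MIDI_BAD_HDR_LEN,
                  MIDI_BAD_FORMAT, MIDI_BAD_TRACK_COUNT, MIDI_BAD_CHUNK };

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Hypothetical helper: MIDI_OK only if the MThd fields are sane and the
 * declared track count equals the number of MTrk chunks in the buffer. */
enum midi_check midi_validate(const uint8_t *buf, size_t len) {
    if (len < 14) return MIDI_TRUNCATED;             /* 8-byte chunk header + 6-byte body */
    if (memcmp(buf, "MThd", 4) != 0) return MIDI_BAD_MAGIC;
    if (be32(buf + 4) != 6) return MIDI_BAD_HDR_LEN; /* strict policy: accept only length 6 */
    uint16_t format = be16(buf + 8), ntrks = be16(buf + 10);
    if (format > 2) return MIDI_BAD_FORMAT;
    if (ntrks == 0 || (format == 0 && ntrks != 1)) return MIDI_BAD_TRACK_COUNT;
    /* Each track needs at least an 8-byte chunk header, so file size bounds the count. */
    if (ntrks > (len - 14) / 8) return MIDI_BAD_TRACK_COUNT;
    size_t off = 14, seen = 0;
    while (off < len) {
        if (len - off < 8) return MIDI_BAD_CHUNK;
        uint32_t clen = be32(buf + off + 4);
        if (clen > len - off - 8) return MIDI_BAD_CHUNK; /* subtraction form cannot wrap */
        if (memcmp(buf + off, "MTrk", 4) == 0) seen++;   /* other chunk types are skipped */
        off += 8 + (size_t)clen;
    }
    return seen == ntrks ? MIDI_OK : MIDI_BAD_TRACK_COUNT;
}

/* Constructed sample: format 0, one track holding only an end-of-track event. */
static const uint8_t SAMPLE_OK[] = { 'M','T','h','d', 0,0,0,6, 0,0, 0,1, 0,0x60,
    'M','T','r','k', 0,0,0,4, 0x00,0xFF,0x2F,0x00 };
/* Constructed sample: same body, but the header declares far more tracks than exist. */
static const uint8_t SAMPLE_MISMATCH[] = { 'M','T','h','d', 0,0,0,6, 0,1, 0xFF,0xFF, 0,0x60,
    'M','T','r','k', 0,0,0,4, 0x00,0xFF,0x2F,0x00 };

int main(void) {
    printf("ok=%d mismatch=%d\n", midi_validate(SAMPLE_OK, sizeof SAMPLE_OK),
           midi_validate(SAMPLE_MISMATCH, sizeof SAMPLE_MISMATCH));
    return 0;
}
```

A parser that sizes buffers from the header should do so only after a check of this kind has passed, so that no allocation or loop bound is derived from a count the file cannot back up.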

Any application that uses DirectX/DirectShow to process MIDI files could be affected by this vulnerability. Of particular concern, Internet Explorer (IE) loads the vulnerable library to process MIDI files embedded in HTML documents. An attacker could therefore exploit this vulnerability by convincing a victim to view an HTML document (web page, HTML email message) containing an embedded MIDI file. Note that a number of applications (Outlook, Outlook Express, Eudora, AOL, Lotus Notes, Adobe PhotoDeluxe, others) use the IE HTML rendering engine (WebBrowser ActiveX control) to interpret HTML documents.

A similar vulnerability in quartz.dll is documented in VU#561284.

II. Impact

By convincing a victim to access a specially crafted MIDI or HTML file, an attacker could execute arbitrary code with the privileges of the victim. The attacker could also cause a denial of service in any application that uses the vulnerable library.

III. Solution

Apply a patch or upgrade

Apply the appropriate patch as referenced in Microsoft Security Bulletin MS03-030. The updated library (quartz.dll) is included in DirectX 9.0b and Service Pack 4 for Windows 2000. eEye notes that Windows Server 2003 is not vulnerable.

Modify IE settings

It is possible to significantly limit the ability of IE to automatically load MIDI files from HTML documents by making all of the following modifications:

  • Disable Active scripting
  • Disable Run ActiveX controls and plug-ins (stops <EMBED src=x.mid>)
  • Disable Play sounds in web pages (stops <BGSOUND src=x.mid>)
  • Disable Play videos in web pages (stops <IMG dynsrc=x.mid>)

The only complete solution for these vulnerabilities is to apply the patch. For example, Outlook Express 6 SP1 will play a MIDI file in an HTML email message regardless of the settings for audio and video in web pages. There may be other methods to automatically load a MIDI file from an HTML document. Also, these modifications will prevent some web pages from functioning properly.

Systems Affected

Vendor    Status    Date Notified    Date Updated
Microsoft Corporation    Vulnerable    25-Jul-2003

References

VU#561284
http://www.eeye.com/html/Research/Advisories/AD20030723.html
http://www.microsoft.com/technet/security/bulletin/MS03-030.asp
http://support.microsoft.com/default.aspx?scid=kb;en-us;819696

Credit

This vulnerability was reported by eEye Digital Security. Information from eEye Digital Security advisory AD20030723 and Microsoft Security Bulletin MS03-030 was used to write this document.

This document was written by Art Manion.

Other Information

Date Public: 2003-07-23
Date First Published: 2003-07-25
Date Last Updated: 2003-07-30
CERT Advisory: CA-2003-18
CVE-ID(s): CAN-2003-0346
NVD-ID(s): CAN-2003-0346
US-CERT Technical Alerts:
Metric: 29.83
Document Revision: 19

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Copyright 2003 Carnegie Mellon University