A Microsoft Windows DirectX library, quartz.dll, does not properly validate the number of tracks value in Musical Instrument Digital Interface (MIDI) files. An attacker could exploit this vulnerability to execute arbitrary code or crash any application using the library, causing a denial of service.
Microsoft Windows operating systems includes multimedia technologies called DirectX and DirectShow. From MS03-030,
DirectX consists of a set of low-level Application Programming Interfaces (APIs) that are used by Windows programs for multimedia support. Within DirectX, the DirectShow technology performs client-side audio and video sourcing, manipulation, and rendering.
By convincing a victim to access a specially crafted MIDI or HTML file, an attacker could execute arbitrary code with the privileges of the victim. The attacker could also cause a denial of service in any application that uses the vulnerable library.
Apply a patch or upgrade
This vulnerability was reported by eEye Digital Security. Information from eEye Digital Security advisory AD20030723 and Microsoft Security Bulletin MS03-030 was used to write this document.
This document was written by Art Manion.