__________________________________________________________

             The U.S. Department of Energy
         Computer Incident Advisory Capability
                       ___  __ __    _     ___
                      /       |     /_\   /
                      \___  __|__  /   \  \___
__________________________________________________________

                       INFORMATION BULLETIN

   Microsoft Unchecked Buffer in DirectX Could Enable System Compromise
                 [Microsoft Security Bulletin MS03-030]

July 24, 2003 20:00 GMT                                           Number N-126
                                                     [Revised 20 August 2003]
______________________________________________________________________________

PROBLEM:       There are two buffer overruns with identical effects in the
               function used by DirectShow to check parameters in a Musical
               Instrument Digital Interface (MIDI) file.

SOFTWARE:      * Microsoft DirectX® 5.2 on Windows 98
               * Microsoft DirectX 6.1 on Windows 98 SE
               * Microsoft DirectX 7.0a on Windows Millennium Edition
               * Microsoft DirectX 7.0 on Windows 2000
               * Microsoft DirectX 8.1 on Windows XP
               * Microsoft DirectX 8.1 on Windows Server 2003
               * Microsoft DirectX 9.0a when installed on Windows Millennium
                 Edition
               * Microsoft DirectX 9.0a when installed on Windows 2000
               * Microsoft DirectX 9.0a when installed on Windows XP
               * Microsoft DirectX 9.0a when installed on Windows Server 2003
               * Microsoft Windows NT 4.0 with either Windows Media Player 6.4
                 or Internet Explorer 6 Service Pack 1 installed.
               * Microsoft Windows NT 4.0, Terminal Server Edition with either
                 Windows Media Player 6.4 or Internet Explorer 6 Service Pack 1
                 installed.

DAMAGE:        It could be possible for a malicious user to attempt to exploit
               these flaws and execute code in the security context of the
               logged-on user.

SOLUTION:      Apply patches stated in Microsoft's bulletin.
______________________________________________________________________________

VULNERABILITY  The risk is MEDIUM. An attacker would need to create a
ASSESSMENT:    specially crafted MIDI file designed to exploit this
               vulnerability and then host it on a Web site or on a network
               share, or send it by using an HTML-based e-mail.
               The attacker then needs to lure a user to open the specially
               crafted file or visit the Web site.
______________________________________________________________________________

LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/n-126.shtml
 ORIGINAL BULLETIN:  http://www.microsoft.com/technet/treeview/
                     default.asp?url=/technet/security/bulletin/MS03-030.asp
______________________________________________________________________________

Revision History:
8/20/03 - Microsoft released details of an additional patch for supported
          versions of DirectX.

[***** Start Microsoft Security Bulletin MS03-030 *****]

Microsoft Security Bulletin MS03-030

Unchecked Buffer in DirectX Could Enable System Compromise (819696)

Originally posted: July 23, 2003
Updated: August 20, 2003

Summary

Who should read this bulletin: Customers using Microsoft® Windows®

Impact of vulnerability: Allow an attacker to execute code on a user's system

Maximum Severity Rating: Critical

Recommendation: Customers should apply the security patch immediately

Affected Software:

* Microsoft DirectX® 5.2 on Windows 98
* Microsoft DirectX 6.1 on Windows 98 SE
* Microsoft DirectX 7.1 on Windows Millennium Edition
* Microsoft DirectX 7.0 on Windows 2000
* Microsoft DirectX 8.0, 8.0a, 8.1, 8.1a, and 8.1b when installed on Windows
  98, Windows 98 SE, Windows Millennium Edition or Windows 2000
* Microsoft DirectX 8.1 on Windows XP or Windows Server 2003
* Microsoft DirectX 9.0a when installed on Windows 98, Windows 98 SE, Windows
  Millennium Edition (Windows Me), Windows 2000, Windows XP, or Windows Server
  2003
* Microsoft Windows NT 4.0 with either Windows Media Player 6.4 or Internet
  Explorer 6 Service Pack 1 installed
* Microsoft Windows NT 4.0, Terminal Server Edition with either Windows Media
  Player 6.4 or Internet Explorer 6 Service Pack 1 installed

An End User version of the bulletin is available at:
http://www.microsoft.com/security/security_bulletins/ms03-030.asp.
Technical details

Technical description:

Subsequent to the original release of this bulletin, customers requested that
we support additional versions of DirectX that were not covered by the
original patches. This bulletin has been updated to provide information about
this new patch.

DirectX consists of a set of low-level Application Programming Interfaces
(APIs) that are used by Windows programs for multimedia support. Within
DirectX, the DirectShow technology performs client-side audio and video
sourcing, manipulation, and rendering.

There are two buffer overruns with identical effects in the function used by
DirectShow to check parameters in a Musical Instrument Digital Interface
(MIDI) file. A security vulnerability results because it could be possible
for a malicious user to attempt to exploit these flaws and execute code in the
security context of the logged-on user.

An attacker could seek to exploit this vulnerability by creating a specially
crafted MIDI file designed to exploit this vulnerability and then host it on a
Web site or on a network share, or send it by using an HTML-based e-mail. In
the case where the file was hosted on a Web site or network share, the user
would need to open the specially crafted file. If the file was embedded in a
page the vulnerability could be exploited when a user visited the Web page.
In the HTML-based e-mail case, the vulnerability could be exploited when a
user opened or previewed the HTML-based e-mail. A successful attack could
cause DirectShow, or an application making use of DirectShow, to fail. A
successful attack could also cause an attacker's code to run on the user's
computer in the security context of the user.

Mitigating factors:

* By default, Internet Explorer on Windows Server 2003 runs in Enhanced
  Security Configuration.
  This default configuration of Internet Explorer blocks the e-mail-based
  vector of this attack because Microsoft Outlook Express running on Windows
  Server 2003 by default reads e-mail in plain text. If Internet Explorer
  Enhanced Security Configuration were disabled, the protections put in place
  that prevent this vulnerability from being exploited would be removed.
* In the Web-based attack scenario, the attacker would have to host a Web site
  that contained a Web page used to exploit these vulnerabilities. An attacker
  would have no way to force users to visit a malicious Web site outside the
  HTML-based e-mail vector. Instead, the attacker would need to lure them
  there, typically by getting them to click a link that would take them to the
  attacker's site.
* The combination of the above means that on Windows Server 2003 an
  administrator browsing only to trusted sites should be safe from this
  vulnerability.
* Code executed on the system would only run under the privileges of the
  logged-on user.
Severity Rating:
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Microsoft DirectX 9.0a                                               Critical
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Microsoft DirectX 9.0a when installed on Windows Server 2003         Important
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Microsoft DirectX 8.0, 8.0a, 8.1, 8.1a, and 8.1b, all versions
except DirectX 8.1 on Windows Server 2003                            Critical
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Microsoft DirectX 8.1 on Windows Server 2003                         Important
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Microsoft DirectX 7.1 on Windows Millennium Edition                  Critical
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Microsoft DirectX 7.0 on Windows 2000                                Critical
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Microsoft Windows Media Player 6.4 or Internet Explorer 6
Service Pack 1 when installed on Windows NT 4.0                      Critical
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Microsoft Windows Media Player 6.4 or Internet Explorer 6
Service Pack 1 when installed on Windows NT 4.0, Terminal
Server Edition                                                       Critical
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

The above assessment is based on the types of systems affected by the
vulnerability, their typical deployment patterns, and the effect that
exploiting the vulnerability would have on them.
Vulnerability identifier: CAN-2003-0346

Tested Versions:
Microsoft tested Microsoft DirectX 9.0a, Microsoft DirectX 8.1, Microsoft
DirectX 7.0, Microsoft DirectX 7.0a on Windows Millennium Edition, DirectX 6.1
on Windows 98 SE, DirectX 5.2 on Windows 98, Microsoft Windows NT 4.0 with
Windows Media Player 6.4 and Internet Explorer 6 Service Pack 1 installed, and
Microsoft Windows NT 4.0, Terminal Server Edition with Windows Media Player
6.4 and Internet Explorer 6 Service Pack 1 installed to assess whether they
are affected by this vulnerability. Previous versions are no longer supported
and may or may not be affected by this vulnerability.

Patch availability

Download locations for this patch

* Microsoft DirectX 5.2, DirectX 6.1 and DirectX 7.1 on Windows 98, Windows
  98 SE and Windows Millennium Edition respectively
* Microsoft DirectX 7.0 on Windows 2000
* Microsoft DirectX 8.0, DirectX 8.0a, DirectX 8.1, DirectX 8.1a, and DirectX
  8.1b on Windows 98, Windows 98 SE, Windows Millennium Edition, or Windows
  2000
  Note: This update will be available via Windows Update at a later date.
* Microsoft DirectX 8.1 on Windows XP 32-bit Edition
* Microsoft DirectX 8.1 on Windows XP 64-bit Edition
* Microsoft DirectX 8.1 on Windows Server 2003 32-bit Edition
* Microsoft DirectX 8.1 on Windows Server 2003 64-bit Edition
* Microsoft DirectX 9.0a: All Windows versions except Windows NT 4.0
* Microsoft Windows NT 4.0
* Microsoft Windows NT 4.0, Terminal Server Edition

Note: DirectX 9.0b has been released at the same time as this security
bulletin and contains the security fix discussed in the security bulletin.
DirectX 9.0b can be installed on all versions of Windows except Windows NT
4.0 and can be downloaded from the following location:

* All Windows versions except Windows NT 4.0

Additional information about this patch

Installation platforms:

DirectX 9.0b can be installed on systems running:
* Windows 98
* Windows 98 SE
* Windows Millennium Edition
* Windows 2000 Service Pack 3
* Windows XP Gold
* Windows XP Service Pack 1
* Windows Server 2003

The patch for DirectX 9.0a can be installed on systems running:
* Windows 98
* Windows 98 SE
* Windows Millennium Edition
* Windows 2000 Service Pack 3
* Windows XP Gold
* Windows XP Service Pack 1
* Windows Server 2003

The patch for DirectX 8.1 can be installed on systems running:
* Windows XP Gold
* Windows XP Service Pack 1
* Windows Server 2003 Gold

The patch for DirectX 8.0a, DirectX 8.1, DirectX 8.1a, and DirectX 8.1b can
be installed on systems running:
* Windows 98
* Windows 98 SE
* Windows Millennium Edition
* Windows 2000 Service Pack 3 and Service Pack 2

The patch for DirectX 7.0 can be installed on systems running:
* Windows 2000 Service Pack 3

The patch for Windows NT 4.0 can be installed on systems running:
* Windows NT 4 Service Pack 6a
* Windows NT 4 Service Pack 6, Terminal Server Edition

Inclusion in future service packs:
The fix for this issue is included in Windows 2000 Service Pack 4. The fix for
this issue will be included in the following Service Packs:
* Windows XP Service Pack 2
* Windows Server 2003 Service Pack 1

Reboot needed: Yes

Patch can be uninstalled:
* DirectX 9.0b: No
* DirectX 9.0a patch: No
* DirectX 8.1 patch on Windows XP or Windows Server 2003: Yes
* DirectX 8.0, DirectX 8.0a, DirectX 8.1, DirectX 8.1a, and DirectX 8.1b patch
  on Windows 98, Windows 98 SE, Windows Millennium Edition or Windows 2000: No
* DirectX 7.1 patch: Yes
* Windows NT 4.0 patch: Yes

Superseded patches: None.
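The registry indicators that the bulletin's "Verifying patch installation" section lists below, gathered into one audit function. This is an added PowerShell example, not part of the CIAC or Microsoft bulletin; the key paths and the 4.09.00.0902 version string are taken from the bulletin, while the function name and the rule that a DirectX version at or above 9.0b counts as fixed are assumptions.

```powershell
# Added example (not from the CIAC or Microsoft bulletin): consolidate the
# MS03-030 / KB819696 installation checks from "Verifying patch installation".
# Run on the Windows host being audited. Function name is an assumption.

function Test-MS03030Installed {
    $evidence = New-Object System.Collections.Generic.List[string]

    # 1. DirectX 9.0b itself carries the fix; the bulletin says its Version
    #    value is 4.09.00.0902. Treating higher versions as fixed is an
    #    assumption of this script, not a statement in the bulletin.
    $dx = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\DirectX' `
                           -Name Version -ErrorAction SilentlyContinue
    if ($dx) {
        try {
            if ([version]$dx.Version -ge [version]'4.09.00.0902') {
                $evidence.Add("DirectX\Version = $($dx.Version) (9.0b or later)")
            }
        } catch { }   # unparsable Version string: no evidence, keep going
    }

    # 2. The DirectX 8.0-8.1b and 9.0a patches set IsInstalled = 1 here.
    $flag = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Updates\DirectX\dx819696' `
                             -Name IsInstalled -ErrorAction SilentlyContinue
    if ($flag -and $flag.IsInstalled -eq 1) {
        $evidence.Add('Updates\DirectX\dx819696\IsInstalled = 1')
    }

    # 3. The per-platform hotfixes create one of these keys (see bulletin).
    $hotfixKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Updates\Windows Server 2003\SP1\KB819696',
        'HKLM:\SOFTWARE\Microsoft\Updates\Windows XP\SP1\Q819696',
        'HKLM:\SOFTWARE\Microsoft\Updates\Windows XP\SP2\Q819696',
        'HKLM:\SOFTWARE\Microsoft\Updates\Windows 2000\SP5\KB819696',
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q819696'
    )
    foreach ($key in $hotfixKeys) {
        if (Test-Path -LiteralPath $key) { $evidence.Add($key) }
    }

    # One object per host so results can be collected across a fleet.
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Patched      = ($evidence.Count -gt 0)
        Evidence     = $evidence.ToArray()
    }
}

Test-MS03030Installed | Format-List
```

A host with no evidence at all should be treated as unpatched and checked against the Dxdiag file manifest the bulletin describes, since the file versions, not the marker keys, are what the fix actually changes.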
Verifying patch installation:

* Windows Server 2003:
  To verify that the patch has been installed on the machine, confirm that the
  following registry key has been created on the machine:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows Server 2003\SP1\KB819696
  To verify the individual files, use the date/time and version information
  provided in the following registry key:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows Server 2003\SP1\KB819696\Filelist

* Windows XP Gold:
  To verify that the patch has been installed on the machine, confirm that the
  following registry key has been created on the machine:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP1\Q819696
  To verify the individual files, use the date/time and version information
  provided in the following registry key:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP1\Q819696\Filelist

* Windows XP Service Pack 1:
  To verify that the patch has been installed on the machine, confirm that the
  following registry key has been created on the machine:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP2\Q819696
  To verify the individual files, use the date/time and version information
  provided in the following registry key:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP2\Q819696\Filelist

* Windows 2000 Service Pack 2:
  To verify that the patch has been installed on the machine, confirm that the
  following registry key has been created on the machine:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP5\KB819696
  To verify the individual files, use the date/time and version information
  provided in the following registry key:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP5\KB819696\Filelist

* Windows 2000 Service Pack 3:
  To verify that the patch has been installed on the machine, confirm that the
  following registry key has been created on the machine:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP5\KB819696
  To verify the individual files, use the date/time and version information
  provided in the following registry key:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP5\KB819696\Filelist

* Windows NT 4.0 Service Pack 6a:
  To verify that the patch has been installed on the machine, confirm that the
  following registry key has been created on the machine:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q819696

* Windows NT 4.0 Service Pack 6 Terminal Server Edition:
  To verify that the patch has been installed on the machine, confirm that the
  following registry key has been created on the machine:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q819696

* Windows Server 2003, Windows XP Gold, Windows XP Service Pack 1, Windows
  2000 Service Pack 3, Windows Millennium Edition, Windows 98, or Windows 98
  Second Edition with DirectX 9.0a:
  To verify that the DirectX 9.0a patch has been installed on the machine,
  confirm that the following registry key has been created and has a value
  of 1:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\DirectX\dx819696\IsInstalled
  To verify the individual files, use the version information provided in the
  following registry key:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\DirectX\dx819696\Filelist

* Windows 2000 Service Pack 3, Windows Millennium Edition, Windows 98, or
  Windows 98 Second Edition with DirectX 8.0 through DirectX 8.1b:
  To verify that the DirectX 8 patch has been installed on the machine,
  confirm that the following registry key has been created and has a value
  of 1:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\DirectX\dx819696\IsInstalled
  To verify the individual files, use the version information provided in the
  following registry key:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\DirectX\dx819696\Filelist

* For all DirectX 9.0b updates:
  To verify that the patch has been installed on the machine, confirm that the
  following registry key has been created on the machine:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectX\Version
  If 9.0b is actually installed, the value will be 4.09.00.0902.
  To verify the individual files, use the File List tab of the Dxdiag.exe
  command-line utility.
  1. On the taskbar at the bottom of your screen, click Start, and then click
     Run.
  2. In the Run dialog box, type dxdiag
  3. Click OK.
  4. Click the DirectX Files tab of the dialog box that appears to display the
     file manifest of DirectX.

Caveats: None

Localization:
Localized versions of this patch are available at the locations discussed in
"Patch Availability".

Obtaining other security patches:
Patches for other security issues are available from the following locations:
* Security patches are available from the Microsoft Download Center, and can
  be most easily found by doing a keyword search for "security_patch".
* Patches for consumer platforms are available from the WindowsUpdate web site

Other information:

Acknowledgments
Microsoft thanks eEye Digital Security for reporting this issue to us and
working with us to help protect customers

Support:
* Microsoft Knowledge Base article 819696 discusses this issue and will be
  available approximately 24 hours after the release of this bulletin.
  Knowledge Base articles can be found on the Microsoft Online Support Web
  site.
* Technical support is available from Microsoft Product Support Services.
  There is no charge for support calls associated with security patches.

Security Resources: The Microsoft TechNet Security Web Site provides
additional information about security in Microsoft products.

Disclaimer:
The information provided in the Microsoft Knowledge Base is provided "as is"
without warranty of any kind. Microsoft disclaims all warranties, either
express or implied, including the warranties of merchantability and fitness
for a particular purpose.
In no event shall Microsoft Corporation or its suppliers be liable for any
damages whatsoever including direct, indirect, incidental, consequential, loss
of business profits or special damages, even if Microsoft Corporation or its
suppliers have been advised of the possibility of such damages. Some states do
not allow the exclusion or limitation of liability for consequential or
incidental damages so the foregoing limitation may not apply.

Revisions:
* V1.0 (July 23, 2003): Bulletin Created.
* V1.1 (July 23, 2003): Fixed Download Link for Windows NT 4.
* V1.2 (July 23, 2003): Updated Download Links in Patch Availability section.
* V2.0 (August 20, 2003): Updated to include details of an additional patch
  for supported versions of DirectX.

[***** End Microsoft Security Bulletin MS03-030 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Microsoft Corporation for the
information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.
    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC. The Forum of Incident Response and Security
Teams (FIRST) is a world-wide organization. A list of FIRST member
organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of the
United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring by
the United States Government or the University of California. The views and
opinions of authors expressed herein do not necessarily state or reflect those
of the United States Government or the University of California, and shall not
be used for advertising or product endorsement purposes.
LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

N-116: Flaw in Microsoft Windows Message Handling through Utility Manager
       Could Enable Privilege Elevation
N-117: Microsoft RPC Interface Buffer Overrun Vulnerability
N-118: Cisco IOS Interface Blocked by IPv4 Packet
N-119: Microsoft Internet Security and Acceleration (ISA) Server Error Pages
       Could Allow Cross-Site Scripting Attack
N-120: Unchecked Buffer in Microsoft Windows Shell Could Enable System
       Compromise
N-121: Red Hat Updated Mozilla Packages Fix Security Vulnerability
N-122: Red Hat Updated 2.4 Kernel Fixes Vulnerabilities
N-123: SGI Login Vulnerabilities
N-124: Sun Solaris 8 LDAP Clients May Log the Proxy Agent User's Password as
       Clear Text
N-125: Cumulative Patch for Microsoft SQL Server