shanmuga
08-20-2003, 04:56 AM
'There is another vulnerability that could completely overshadow last week's events. On 23 July Microsoft posted a security bulletin on its Web site that describes a "critical" vulnerability in DirectX. According to Microsoft, unprotected systems could be at the mercy of an attacker by simply playing a midi file or visiting a malicious Web page.'
Unlike Blaster, it also affects 9x and Me.
Get the Patch from Microsoft (http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms03-030.asp)
There is only one problem with the fix for 9x... it requires bumping up to DX 9.0b. Not all video cards are capable of handling DX8...
Baron of Sigma
08-20-2003, 05:21 AM
This was posted some time ago by Microsoft.
Summary
DirectX consists of a set of low-level Application Programming Interfaces (APIs) that are used by Windows programs for multimedia support.
Within DirectX, the DirectShow technology performs client-side audio and video sourcing, manipulation, and rendering.
There are two buffer overruns with identical effects in the function used by DirectShow to check parameters in a Musical Instrument Digital Interface (MIDI) file.
A security vulnerability results because it could be possible for a malicious user to attempt to exploit these flaws and execute code in the security context of the logged-on user.
An attacker could seek to exploit this vulnerability by creating a specially crafted MIDI file designed to exploit this vulnerability and then host it on a Web site or on a network share, or send it by using an HTML-based e-mail. In the case where the file was hosted on a Web site or network share, the user would need to open the specially crafted file.
If the file was embedded in a page the vulnerability could be exploited when a user visited the Web page. In the HTML-based e-mail case, the vulnerability could be exploited when a user opened or previewed the HTML-based e-mail. A successful attack could cause DirectShow, or an application making use of DirectShow, to fail. A successful attack could also cause an attacker's code to run on the user's computer in the security context of the user.
Vulnerable Systems:
* Microsoft DirectX® 5.2 on Windows 98
* Microsoft DirectX 6.1 on Windows 98 SE
* Microsoft DirectX 7.0a on Windows Millennium Edition
* Microsoft DirectX 7.0 on Windows 2000
* Microsoft DirectX 8.1 on Windows XP
* Microsoft DirectX 8.1 on Windows Server 2003
* Microsoft DirectX 9.0a when installed on Windows Millennium Edition
* Microsoft DirectX 9.0a when installed on Windows 2000
* Microsoft DirectX 9.0a when installed on Windows XP
* Microsoft DirectX 9.0a when installed on Windows Server 2003
* Microsoft Windows NT 4.0 with either Windows Media Player 6.4 or Internet Explorer 6 Service Pack 1 installed.
* Microsoft Windows NT 4.0, Terminal Server Edition with either Windows Media Player 6.4 or Internet Explorer 6 Service Pack 1 installed.
Scope:
This is a buffer overrun vulnerability. An attacker who successfully exploited the vulnerability could, in the worst case, run code of his or her choice on a user's system.
The attacker's code would run with the same privileges as the user: any restrictions on the user's ability to change the system would apply to the attacker's code.
For example, if the user were prevented from deleting files on the hard disk, the attacker's code would similarly be prevented.
Conversely, if a user were using an account with high privileges, such as an administrator's account, the attacker's code would also run with the same high privileges.
The vulnerability exists in the component responsible for parsing MIDI files. This function is included in a component of DirectX known as DirectShow.
Method of System Compromise:
An attacker could seek to exploit this vulnerability by creating a specially crafted MIDI file and then taking one of several actions with it:
* Host the file on a Web site or network share. In this case, if a user were to click the link or file, the vulnerability could be exploited.
* If a user were to visit a Web site that had an embedded MIDI file, this could cause the vulnerability to be exploited.
* Create an HTML-based e-mail message with a link to a Web page or a share that contained the file. If the user viewed the message in the preview pane or opened the message, the vulnerability could be exploited. In addition, an attacker could create an e-mail message with a link to a Web page or a share that contained the file, along with a suggestion that the user click the link.
* Finally, an attacker could send a malformed MIDI file by using e-mail. An attacker could attach the file to an e-mail message and send it to a user with a suggestion that the user save the file on their system and then play it.
Patch Availability:
* Microsoft DirectX 5.2, DirectX 6.1 and DirectX 7.0a on Windows 98, Windows 98 SE and Windows Millennium Edition
Note: Windows 98, Windows 98 SE and Windows Millennium Edition users who are running a version of DirectX earlier than DirectX 9.0a must upgrade to DirectX 9.0b.
Note: DirectX 9.0b has been released at the same time as this security bulletin and contains the security fix discussed in the security bulletin. DirectX 9.0b can be installed on all versions of Windows except Windows NT 4.0 and can be downloaded from the following location:
All Windows Versions except Windows NT 4.0.
The patch eliminates the vulnerability by ensuring that DirectX correctly validates parameters when opening a MIDI file.
Known Issues:
Users making this update have reported significant conflicts between DX9b and Direct3D applications; in many cases they have opted to perform a system rollback instead of retaining the newer DX version.
Further Details:
Microsoft provides a component called QUARTZ.DLL that allows Windows applications to play MIDI music through a common interface. Windows Media Player and Internet Explorer, for example, both use QUARTZ.DLL to play MIDI music files (.mid extension); in the case of Internet Explorer, MIDI files can be played automatically when a web page is visited through the use of a specific HTML tag.
eEye Digital Security has discovered a pair of flaws in all versions of QUARTZ.DLL that would allow a specially-crafted MIDI file to cause the execution of arbitrary code when played. In the worst case, an attacker could construct a malicious .mid file and have it play automatically whenever a victim attempts to view certain HTML, such as an attacker-controlled website, resulting in the compromise of the victim's machine.
The QUARTZ.DLL vulnerability discussed in this advisory is a heap buffer overrun resulting from an integer overflow. If a Text or Copyright string with a specified length of FFFFFFFFh is included in the MIDI file, QUARTZ will attempt to allocate a zero-byte heap block, then copy the text string -- and any data following it -- to the newly-allocated location in the heap. As a result, all contiguous pages of heap memory following the zero-byte block are overwritten until the source pointer reaches an invalid page boundary, the destination pointer reaches the end of heap memory, or another thread is dispatched and faults out trying to use corrupted heap memory.
The reason this vulnerability exists is that QUARTZ increments the specified string length (in order to make room for a null terminator) without checking for a potential overflow condition. The incremented value (now 0) is passed to LocalAlloc(), which succeeds, while the original value (FFFFFFFFh) is given to memcpy() to copy the string data from the file image into the heap buffer.
For the sake of brevity, we have unfortunately omitted the details of the MIDI file format from this advisory, and will instead skip straight to the following example of a malicious MIDI:
4D 54 68 64 ; 'MThd' header chunk tag
00 00 00 06 ; size of header chunk data (6)
00 01 ; MIDI file version (1)
00 01 ; number of tracks (1)
65 49 ; pulses per quarter note (PPQN)
4D 54 72 6B ; 'MTrk' track chunk tag
00 00 00 10 ; size of track chunk data (16)
00 ; delta-time for event (0)
FF 02 ; non-MIDI event (Copyright)
8F FF FF FF 7F ; VLQ for text length (FFFFFFFFh)
65 45 79 65 32 30 30 33 ; (start of malicious data)
There are many possible ways to exploit this overflow; the following is a sampling of instructions at which exceptions were observed in the aftermath of loading a malicious MIDI in Internet Explorer:
CALL [EAX] ; we control EAX
CALL [EAX+C4h] ; we control EAX
CALL [ECX+0Ch] ; we control ECX
JMP [EAX+28h] ; we control EAX
MOV [ECX], EAX ; we control EAX, ECX
MOV [ESI], ECX ; we control ECX, ESI
Of particular interest are "unlink" sequences such as "MOV [ECX], EAX / MOV [EAX+4], ECX", which could be used to overwrite the unhandled exception filter in KERNEL32 during the first instruction, then cause an exception with the second (for instance, if EAX pointed somewhere into read-only memory, or if EAX was near a page boundary such that EAX+4..7 landed in an invalid memory region).
A second heap buffer overrun involving a 16-bit integer overflow and subsequent memory allocation was also discovered, but to save space we will only briefly mention it here. The number of tracks in the MThd chunk, a 16-bit field, is subjected to some arithmetic in order to determine the necessary size for an array of track data structures. In particular, the size of the block is calculated as:
(number_of_tracks * 24h) + 9E0h
However, the arithmetic is performed entirely in 16 bits, and as a result, setting the number of tracks to 1751 (6D7h) or greater will cause an insufficiently small heap block to be allocated. This vulnerability can be leveraged to overwrite DWORDs in the heap at specific intervals with arbitrary data. Note that Windows 2003 is not susceptible to this vulnerability, as it contained a check to ensure that the number of tracks is never greater than the exact highest value safe for the 16-bit arithmetic.
Information courtesy of Derek Soeder [mailto:dsoeder at eeye.com].
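Added here as an illustration (not eEye's or Microsoft's code): a C validator that applies the two checks the advisory says QUARTZ lacked, decoding the meta-event VLQ length and the 16-bit track count the way the post describes and rejecting the sample file above before any allocation or copy would happen. The malicious sample bytes are transcribed from the post; the benign variant is constructed for comparison.

```c
#include <stdint.h>
#include <string.h>

/* Added example, not eEye's or Microsoft's code. Big-endian field readers for the MIDI header. */
static uint32_t be32(const uint8_t *p) { return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]; }
static uint16_t be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }

/* MIDI variable-length quantity: 7 data bits per byte, high bit set means "more follows".
 * QUARTZ accepted the 5-byte form used in the advisory, so we decode up to 5 bytes too, but
 * reject a value above 32 bits or an unterminated sequence. Returns bytes consumed, 0 on failure. */
static size_t read_vlq(const uint8_t *p, size_t avail, uint32_t *out) {
    uint64_t v = 0;
    for (size_t i = 0; i < avail && i < 5; i++) {
        v = (v << 7) | (p[i] & 0x7Fu);
        if (!(p[i] & 0x80u)) {
            if (v > UINT32_MAX) return 0;
            *out = (uint32_t)v;
            return i + 1;
        }
    }
    return 0;
}

/* Flaw 1 from the advisory: len + 1 (room for the NUL) wraps to 0 when len == 0xFFFFFFFF.
 * Also reject a string that claims more bytes than remain in the chunk. */
int text_len_is_safe(uint32_t len, size_t remaining) { return len != UINT32_MAX && (uint64_t)len <= remaining; }

/* Flaw 2: (tracks * 24h) + 9E0h computed in 16 bits wraps for tracks >= 1751 (6D7h). */
int track_count_is_safe(uint16_t tracks) { return (uint32_t)tracks * 0x24u + 0x9E0u <= 0xFFFFu; }

enum { MIDI_OK = 0, MIDI_BAD_HEADER = -1, MIDI_BAD_TRACKS = -2, MIDI_BAD_TEXT_LEN = -3 };

/* Walk the MThd header and the first event of the first MTrk chunk, applying both checks. */
int check_midi(const uint8_t *buf, size_t n) {
    if (n < 22 || memcmp(buf, "MThd", 4) != 0 || be32(buf + 4) != 6 || memcmp(buf + 14, "MTrk", 4) != 0)
        return MIDI_BAD_HEADER;
    if (!track_count_is_safe(be16(buf + 10))) return MIDI_BAD_TRACKS;
    uint32_t chunk_len = be32(buf + 18);
    size_t pos = 22, end = (chunk_len <= n - 22) ? 22 + (size_t)chunk_len : n; /* never trust a length past EOF */
    uint32_t delta, len; size_t k;
    if (!(k = read_vlq(buf + pos, end - pos, &delta))) return MIDI_BAD_HEADER;
    pos += k;
    if (pos + 2 > end || buf[pos] != 0xFF) return MIDI_OK; /* not a meta event: no text length to check */
    pos += 2;                                              /* skip 0xFF and the meta type (01 Text / 02 Copyright) */
    if (!(k = read_vlq(buf + pos, end - pos, &len))) return MIDI_BAD_TEXT_LEN;
    return text_len_is_safe(len, end - (pos + k)) ? MIDI_OK : MIDI_BAD_TEXT_LEN;
}

/* The advisory's sample file, transcribed as constructed test input, and a benign variant (length 8). */
const uint8_t EEYE_SAMPLE[] = { 0x4D,0x54,0x68,0x64, 0,0,0,6, 0,1, 0,1, 0x65,0x49, 0x4D,0x54,0x72,0x6B, 0,0,0,0x10,
    0x00, 0xFF,0x02, 0x8F,0xFF,0xFF,0xFF,0x7F, 0x65,0x45,0x79,0x65,0x32,0x30,0x30,0x33 };
const uint8_t BENIGN_SAMPLE[] = { 0x4D,0x54,0x68,0x64, 0,0,0,6, 0,1, 0,1, 0x65,0x49, 0x4D,0x54,0x72,0x6B, 0,0,0,0x0C,
    0x00, 0xFF,0x02, 0x08, 0x65,0x45,0x79,0x65,0x32,0x30,0x30,0x33 };
```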
shanmuga
08-20-2003, 05:26 AM
MJC, then what is the fix for those running 9x with video cards not capable of handling DX8?