DirectX Security Patch ...
Moderator: Thanas
Yet again, there is another Microsoft problem, this time relating to DirectX and MIDIs. Yes, MIDIs.
Microsoft wants you to download the enormous DirectX 9.0b runtime, but that's silly. A bunch of much smaller patches can be found here on the Knowledge Base.
- Faram
- Bastard Operator from Hell
- Posts: 5271
- Joined: 2002-07-04 07:39am
- Location: Fighting Polarbears
Old news but still good to bring out the word.
Sorta patetic wrote:
DirectX is made up of a set of low-level Application Programming Interfaces (APIs) that is used by Windows programs for multimedia support. The DirectShow technology in DirectX performs client-side audio and video sourcing, manipulation, and rendering. There are two buffer overruns that have the same effects in the function that is used by DirectShow to check parameters in a Musical Instrument Digital Interface (MIDI) file. These buffer overruns may cause a security vulnerability because it would be possible for a malicious user to try to exploit these flaws and run code in the security context of the logged-on user.
An attacker might try to exploit this vulnerability by creating a specially crafted MIDI file that is designed to exploit this vulnerability and then host this file on a Web site or on a network share, or send it by means of an HTML e-mail message. If the file was hosted on a Web site or network share, the user would have to open the specially crafted file. If the file was embedded in a page, the vulnerability could be exploited when a user visits the Web page. If the file is sent in an HTML e-mail message, the vulnerability could be exploited when a user opens or previews the HTML e-mail message. A successful attack could either cause DirectShow or a program that is using DirectShow to fail, or it could cause an attacker's code to run on the user's computer in the security context of the user.
"Either God wants to abolish evil, and cannot; or he can, but does not want to. ... If he wants to, but cannot, he is impotent. If he can, but does not want to, he is wicked. ... If, as they say, God can abolish evil, and God really wants to do it, why is there evil in the world?" -Epicurus
Fear is the mother of all gods.
Nature does all things spontaneously, by herself, without the meddling of the gods. -Lucretius
Well, it took people a while to find this flaw. It's been around for a long time. Heck, it affects DirectX 5.2 on Win98!
Tribun wrote:
Ah.... M$ screwed up again. But that is not really a wonder.
It was only a matter of time.....
This flaw isn't new, but the discovery is fairly recent.
"Okay, I'll have the truth with a side order of clarity." ~ Dr. Daniel Jackson.
"Reality has a well-known liberal bias." ~ Stephen Colbert
"One Drive, One Partition, the One True Path" ~ ars technica forums - warrens - on HDD partitioning schemes.
- Einhander Sn0m4n
- Insane Railgunner
- Posts: 18630
- Joined: 2002-10-01 05:51am
- Location: Louisiana... or Dagobah. You know, where Yoda lives.
Ergh. MIDI? I already go to great lengths to break MIDI functionality in my browsers anyway. Nothing worse than listenin to a nice slow elektronika MP3 and then just by visiting a site getting blasted with:
BWEEP BWOP BWEEP BWOP BLOOP BLOOP BLOOP!!!!
And it's always some truly horrid disco song that for some reason the crack-smoking fucktard who wrote the site thinks the whole world should hear. DEATH TO MIDI!
There are MP3 viruses out there too.
Einhander Sn0m4n wrote:
Ergh. MIDI? I already go to great lengths to break MIDI functionality in my browsers anyway. Nothing worse than listening to a nice slow elektronika MP3 and then just by visiting a site getting blasted with:
BWEEP BWOP BWEEP BWOP BLOOP BLOOP BLOOP!!!!
And it's always some truly horrid disco song that for some reason the crack-smoking fucktard who wrote the site thinks the whole world should hear. DEATH TO MIDI!
- Faram
- Bastard Operator from Hell
- Posts: 5271
- Joined: 2002-07-04 07:39am
- Location: Fighting Polarbears
CERT is your friend:
phongn wrote:
Yep. Buffer overflow in the ID3v2 tag, IIRC.
Linky
And:
CERT® Advisory CA-2002-37 Buffer Overflow in Microsoft Windows Shell
Original release date: December 19, 2002
Last revised: --
Source: CERT/CC
A complete revision history can be found at the end of this file.
Systems Affected
* All versions of Microsoft Windows XP
Overview
A buffer overflow vulnerability exists in the Microsoft Windows Shell. An attacker can exploit this vulnerability by enticing a victim to read a malicious email message, visit a malicious web page, or browse to a folder containing a malicious .MP3 or .WMA file. The attacker can then execute arbitrary code with the privileges of the victim.
Linky
And:
Winamp MP3 Player Buffer Overflow in the Mini-Browser Lets Remote Users Cause Arbitrary Code Inserted into MP3 Files to Be Executed
SecurityTracker Alert ID: 1004168
CVE Reference: GENERIC-MAP-NOMATCH (Links to External Site)
Date: Apr 26 2002
Impact: Execution of arbitrary code via network, User access via network
Fix Available: Yes Exploit Included: Yes Vendor Confirmed: Yes
Version(s): 2.79
Description: A buffer overflow vulnerability has been reported in the Winamp MP3 player. A remote user can cause arbitrary code to be executed.
A remote user can reportedly create an MP3 file with a specially crafted ID3v2 tag that will cause the Winamp player to execute arbitrary code when the MP3 file is loaded.
According to the report, the Winamp mini-browser (if enabled) will attempt to query a certain URL on the Winamp web site based on the ID3v2 tag contents to obtain additional information about the song. The buffer overflow can reportedly be triggered when this URL is created.
To test the buffer overflow, apply at least 159 "?" characters in the title field of the ID3v2 tag. Additional information about exploit methods is provided in the Source Message.
Impact: A remote user can embed malicious code in an MP3 file so that, when the MP3 file is loaded by Winamp, arbitrary code will be executed by the Winamp player.
Solution: The vendor has released a fixed version (2.80), available at:
http://www.winamp.com/download/
Or, users can reportedly disable the mini-browser.
Linky
Overview:
One buffer overflow exists in Winamp 2.81 (latest 2.x release) and two buffer overflows exist in Winamp 3.0 (latest 3.x release). The Winamp 2.81 overflow is with the handling of the Artist ID3v2 tag upon immediate loading of an MP3. The two Winamp 3.0 overflows are present in Media Library's handling of the Artist and Album ID3v2 tags.
Detailed Description:
Winamp 2.81 Overflow
If a long Artist ID3v2 tag is present within an MP3, Winamp 2.81 will crash yielding privileges immediately upon loading the MP3.
Two Winamp 3.0 Media Library Overflows
If an MP3 is loaded into Winamp 3.0 that has an ID3v2 tag, the Artist and Album fields of the ID3v2 tag are displayed within the Media Library window of Winamp3. An attacker could create a malicious MP3 file, that if loaded via the Media Library window, would compromise the system and allow for remote code execution.
An attacker could create a malicious MP3 file that exploits either the overflow of the Artist ID3v2 tag or the Album ID3v2 tag (or both). For either overflow to occur, the user has to attempt to load the MP3 file from the Media Library by at least single clicking on either the MP3 via the Artist or Album window.
Vendor Response:
Nullsoft has released fixed versions of Winamp 2.81 and Winamp 3.0 and both are available at: http://www.winamp.com
Foundstone would like to thank Nullsoft for their cooperation with the remediation of this vulnerability.
Solution:
For Winamp 2.81 users
We recommend either upgrading to Winamp 3.0 or redownloading Winamp 2.81 (which has since been fixed) from: http://www.winamp.com
For Winamp 3.0 users
Only Winamp 3.0 build #488, built on December 15, 2002, and later are not vulnerable. If the About Winamp3 dialog box within Winamp 3.0 displays a 3.0 release with a build number lower than 488 or a date earlier than Dec 15 2002, we recommend redownloading Winamp 3.0 from: http://www.winamp.com
"Either God wants to abolish evil, and cannot; or he can, but does not want to. ... If he wants to, but cannot, he is impotent. If he can, but does not want to, he is wicked. ... If, as they say, God can abolish evil, and God really wants to do it, why is there evil in the world?" -Epicurus
Fear is the mother of all gods.
Nature does all things spontaneously, by herself, without the meddling of the gods. -Lucretius
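The ID3v2 overflows quoted in the advisories above all come from copying tag text (title, artist, album) into fixed-size fields without checking the frame's declared length against the data actually present. As an added example, not code from the advisories or from Nullsoft, this C parser walks an ID3v2.3 tag with bounds checks and rejects oversized TIT2/TPE1/TALB frames; MAX_TEXT_FRAME (chosen from the 159-character figure in the SecurityTracker alert), the function names and the build_tag test-input generator are assumptions.

```c
#include <stdint.h>
#include <string.h>
/* Hypothetical limit: the advisory says a title of 159+ characters overruns the player buffer. */
#define MAX_TEXT_FRAME 158

/* Decode an ID3v2 synchsafe integer (7 data bits per byte). */
static uint32_t synchsafe(const uint8_t *p) {
    return ((uint32_t)(p[0] & 0x7f) << 21) | ((uint32_t)(p[1] & 0x7f) << 14) |
           ((uint32_t)(p[2] & 0x7f) << 7) | (uint32_t)(p[3] & 0x7f);
}
/* Longest TIT2/TPE1/TALB payload in an ID3v2.3 tag, or -1 if declared sizes overrun the data. */
int longest_text_frame(const uint8_t *buf, size_t len) {
    if (len < 10 || memcmp(buf, "ID3", 3) != 0) return -1;
    uint32_t tag_size = synchsafe(buf + 6);
    if (tag_size > len - 10) return -1;            /* tag claims more bytes than we were given */
    size_t pos = 10, end = 10 + tag_size; int longest = 0;
    while (pos + 10 <= end) {
        const uint8_t *fh = buf + pos;
        if (fh[0] == 0) break;                     /* padding: no more frames */
        /* v2.3 frame sizes are plain big-endian, not synchsafe */
        uint32_t fsize = ((uint32_t)fh[4] << 24) | ((uint32_t)fh[5] << 16) | ((uint32_t)fh[6] << 8) | fh[7];
        if (fsize > end - (pos + 10)) return -1;   /* frame overruns the tag: reject the file */
        if (!memcmp(fh, "TIT2", 4) || !memcmp(fh, "TPE1", 4) || !memcmp(fh, "TALB", 4)) {
            int n = fsize ? (int)fsize - 1 : 0;    /* first payload byte is the text encoding */
            if (n > longest) longest = n;
        }
        pos += 10 + fsize;
    }
    return longest;
}

/* Accept a tag only if every title/artist/album field fits a fixed-size destination. */
int tag_is_safe(const uint8_t *buf, size_t len) {
    int n = longest_text_frame(buf, len);
    return n >= 0 && n <= MAX_TEXT_FRAME;
}
/* Constructed test input: ID3v2.3 tag with one TIT2 frame of n 'A' bytes; returns bytes written or 0. */
size_t build_tag(uint8_t *out, size_t cap, size_t n) {
    uint32_t fsize = (uint32_t)n + 1, tsize = 10 + fsize;
    if (n >= (1u << 27) || 10 + (size_t)tsize > cap) return 0;
    memcpy(out, "ID3\x03\x00\x00", 6);            /* magic, version 2.3.0, flags */
    out[6] = (tsize >> 21) & 0x7f; out[7] = (tsize >> 14) & 0x7f;
    out[8] = (tsize >> 7) & 0x7f;  out[9] = tsize & 0x7f;
    memcpy(out + 10, "TIT2", 4);
    out[14] = (uint8_t)(fsize >> 24); out[15] = (uint8_t)(fsize >> 16);
    out[16] = (uint8_t)(fsize >> 8);  out[17] = (uint8_t)fsize;
    out[18] = out[19] = out[20] = 0;               /* frame flags; text encoding ISO-8859-1 */
    memset(out + 21, 'A', n);
    return 10 + tsize;
}
```

A scanner built on tag_is_safe can flag MP3 files whose tags would overrun a fixed field before an unpatched player ever opens them.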