[SECURITY-L] CAIS-Alerta: Vulnerabilidade no DirectX (819696)
Daniela Regina Barbetti Silva
daniela em ccuec.unicamp.br
Qui Jul 24 13:06:18 -03 2003
----- Forwarded message from Centro de Atendimento a Incidentes de Seguranca <cais em cais.rnp.br> -----
From: Centro de Atendimento a Incidentes de Seguranca <cais em cais.rnp.br>
Subject: CAIS-Alerta: Vulnerabilidade no DirectX (819696)
To: rnp-alerta em cais.rnp.br, rnp-seg em cais.rnp.br
Cc: Centro de Atendimento a Incidentes de Seguranca <cais em cais.rnp.br>
Date: Thu, 24 Jul 2003 12:20:43 -0300 (BRT)
-----BEGIN PGP SIGNED MESSAGE-----
Prezados,
O CAIS está repassando o alerta divulgado pela Microsoft, Microsoft
Security Bulletin MS03-030: Unchecked Buffer in DirectX Could Enable
System Compromise (819696), tratando de uma vulnerabilidade identificada
no DirectShow cuja exploração pode permitir a execução de código
arbitrário.
A vulnerabilidade está associada as funções que checam parâmetros em um
arquivo MIDI. Criando um arquivo MIDI especial, um atacante pode executar
código malicioso no sistema do usuário. Para essa vulnerabilidade ser
explorada, o usuário deve acessar uma página web que contenha o arquivo
MIDI ou então abrir um e-mail HTML ao qual tenha sido anexado tal arquivo.
Sistemas Afetados:
. Microsoft DirectX 5.2 no Windows 98
. Microsoft DirectX 6.1 no Windows 98 SE
. Microsoft DirectX 7.0a no Windows Millennium Edition
. Microsoft DirectX 7.0 no Windows 2000
. Microsoft DirectX 8.1 no Windows XP/Server 2003
. Microsoft DirectX 9.0a instalado em Windows 98/98SE/Millenium/2000/XP/Server 2003
. Microsoft Windows NT 4.0 Server com Windows Media Player 6.4 ou
Internet Explorer 6 Service Pack 1 instalado.
. Microsoft Windows NT 4.0, Terminal Server Edition com Windows
Media Player 6.4 ou Internet Explorer 6 Service Pack 1
instalado.
É importante notar que o Microsoft Windows Server 2003 com o Internet
Explorer vem com uma configuração padrão para o OutLook Express visualizar
e-mails somente no modo texto, que impede essa vulnerabilidade de ser
explorada. Mesmo assim, esse sistema ainda está vulnerável ao ataque
através de páginas web.
Correções disponíveis:
A correção consiste na aplicação dos patches recomendados pela Microsoft e
disponíveis em:
* Microsoft DirectX 5.2, DirectX 6.1 e DirectX 7.0a no Windows 98,
Windows 98 SE e Windows Millennium Edition (Necessário atualizar para
versão DirectX 9.0b)
http://microsoft.com/downloads/details.aspx?FamilyId=141D5F9E-07C1-462A-BAEF-5EAB5C851CF5&displaylang=en
* Microsoft DirectX 7.0 no Windows 2000
http://microsoft.com/downloads/details.aspx?FamilyId=7D0E4787-A993-4C49-A5A7-9A6DE8EFDB9E&displaylang=en
* Microsoft DirectX 8.1 no Windows XP 32-bit Edition
http://microsoft.com/downloads/details.aspx?FamilyId=5ABA6A3B-F67B-4B18-B4B5-62E69A0104CE&displaylang=en
* Microsoft DirectX 8.1 no Windows XP 64-bit Edition
http://microsoft.com/downloads/details.aspx?FamilyId=8F23F7AF-5317-4502-8B17-7C1A2139EBDC&displaylang=en
* Microsoft DirectX 8.1 no Windows Server 2003 32-bit Edition
http://microsoft.com/downloads/details.aspx?FamilyId=A5156FF8-1812-4DB4-9175-BF9CA370279D&displaylang=en
* Microsoft DirectX 8.1 no Windows Server 2003 64-bit Edition
http://microsoft.com/downloads/details.aspx?FamilyId=59732FCF-993A-45E8-8BA4-064575055D86&displaylang=en
* Microsoft DirectX 9.0a: Todas as versoes de Windows
http://microsoft.com/downloads/details.aspx?FamilyId=22F990CB-E9F9-4670-8B4F-AC4F6F66C3A2&displaylang=en
* Microsoft Windows NT 4.0
http://microsoft.com/downloads/details.aspx?FamilyId=B42C5BCB-6D36-437D-A07E-053B72B1C652&displaylang=en
* Microsoft Windows NT 4.0, Terminal Server Edition
http://microsoft.com/downloads/details.aspx?FamilyId=14290AD7-EE7D-4736-8322-BCA4CBD7D7C5&displaylang=en
* Microsoft DirectX 9.0b: Todas as versoes de Windows, Com excecao do Microsoft Windows NT 4.0
http://microsoft.com/downloads/details.aspx?FamilyId=141D5F9E-07C1-462A-BAEF-5EAB5C851CF5&displaylang=en
Maiores informações:
http://www.microsoft.com/technet/security/bulletin/ms03-030.asp
Identificador do CVE: CAN-2003-0346 (http://cve.mitre.org)
O CAIS recomenda aos administradores de plataformas Microsoft que
mantenham seus sistemas e aplicativos sempre atualizados.
Atenciosamente,
################################################################
# CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA / RNP #
# #
# cais em cais.rnp.br http://www.cais.rnp.br #
# Tel. 019-37873300 Fax. 019-37873301 #
# Chave PGP disponivel em: http://www.cais.rnp.br/cais-pgp.key #
################################################################
- ----------------------------------------------------------------------
Title: Unchecked Buffer in DirectX Could Enable System
Compromise (819696)
Date: July 23, 2003
Software: Microsoft DirectX(r) 5.2 on Windows 98
Microsoft DirectX 6.1 on Windows 98 SE
Microsoft DirectX 7.0a on Windows Millennium Edition
Microsoft DirectX 7.0 on Windows 2000
Microsoft DirectX 8.1 on Windows XP
Microsoft DirectX 8.1 on Windows Server 2003
Microsoft DirectX 9.0a when installed on Windows 98
Microsoft DirectX 9.0a when installed on Windows 98 SE
Microsoft DirectX 9.0a when installed on Windows
Millennium Edition
Microsoft DirectX 9.0a when installed on Windows 2000
Microsoft DirectX 9.0a when installed on Windows XP
Microsoft DirectX(r) 9.0a when installed on Windows
Server 2003
Microsoft Windows NT 4.0 Server with either Windows
Media Player 6.4 or Internet Explorer 6 Service Pack 1
installed.
Microsoft Windows NT 4.0, Terminal Server Edition with
either Windows Media Player 6.4 or Internet Explorer 6
Service Pack 1 installed.
Impact: Allow an attacker to execute code on a user's system
Max Risk: Critical
Bulletin: MS03-030
Microsoft encourages customers to review the Security Bulletins at:
http://www.microsoft.com/technet/security/bulletin/MS03-030.asp
http://www.microsoft.com/security/security_bulletins/ms03-030.asp
- ----------------------------------------------------------------------
Issue:
======
DirectX consists of a set of low-level Application Programming
Interfaces (APIs) that are used by Windows programs for multimedia
support. Within DirectX, the DirectShow technology performs client-
side audio and video sourcing, manipulation, and rendering.
There are two buffer overruns with identical effects in the
function used by DirectShow to check parameters in a Musical
Instrument Digital Interface (MIDI) file. A security vulnerability
results because it would be possible for a malicious user to
attempt to exploit these flaws and execute code in the security
context of the logged-on user.
An attacker could seek to exploit this vulnerability by creating a
specially crafted MIDI file designed to exploit this vulnerability
and then host it on a Web site or on a network share, or send it by
using an HTML-based e-mail. In the case where the file was hosted
on a Web site or network share, the user would need to open the
specially crafted file. If the file was embedded in a page the
vulnerability could be exploited when a user visited the Web page.
In the HTML-based e-mail case, the vulnerability could be exploited
when a user opened or previewed the HTML-based e-mail. A successful
attack could cause DirectShow, or an application making use of
DirectShow, to fail. A successful attack could also cause an
attacker's code to run on the user's computer in the security
context of the user.
Mitigating Factors:
====================
- - By default, Internet Explorer on Windows Server 2003 runs in
Enhanced Security Configuration. This default configuration of
Internet Explorer blocks the e-mail-based vector of this attack
because Microsoft Outlook Express running on Windows Server 2003 by
default reads e-mail in plain text. If Internet Explorer Enhanced
Security Configuration were disabled, the protections put in place
that prevent this vulnerability from being exploited would be
removed.
- - In the Web-based attack scenario, the attacker would have to host
a Web site that contained a Web page used to exploit these
vulnerabilities. An attacker would have no way to force users to
visit a malicious Web site outside the HTML-based e-mail vector.
Instead, the attacker would need to lure them there, typically by
getting them to click a link that would take them to the attacker's
site.
- -The combination of the above means that on Windows Server 2003 an
administrator browsing only to trusted sites should be safe from
this vulnerability.
- - Code executed on the system would only run under the privileges
of the logged-on user.
Risk Rating:
============
- Critical
Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read the
Security Bulletins at
http://www.microsoft.com/technet/security/bulletin/ms03-030.asp
http://www.microsoft.com/security/security_bulletins/ms03-030.asp
for information on obtaining this patch.
Acknowledgment:
===============
- eEye Digital Security, http://www.eeye.com
- ---------------------------------------------------------------------
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS
ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE
FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES
SO THE FOREGOING LIMITATION MAY NOT APPLY.
*******************************************************************
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8
iQCVAwUBPx/5aukli63F4U8VAQGeRgP+I4weMXFWTkQwCy6kdn6HgSOgkzRYcN9S
+BpGR6S1/L2raoBuOQiGNTQfVC4Temxo1Yzg3Thzdz1273nm+uyiOk8jlvcPmSZl
+wkSvmPajX9PbdB+4O14BItoRVSMQdd/q8XtJwUdV4ReDFBZiMeLVJduCsk1gkEQ
Y1xauSyLHps=
=fFSF
-----END PGP SIGNATURE-----
----- End forwarded message -----
Mais detalhes sobre a lista de discussão SECURITY-L