|
Vulnerability in DirectShow Allows Remote Code Execution (MS05-050) |
|
|
|
|
Thursday, 13 October 2005 |
Summary
A remote code execution vulnerability exists in DirectShow that could allow an attacker who successfully exploited this vulnerability to take complete control of the affected system.
Credit:
The information has been provided by Microsoft Product Security.
The original article can be found at: http://www.microsoft.com/technet/security/Bulletin/MS05-050.mspx
Details
Affected Software:
* Microsoft DirectX 7.0 on Microsoft Windows 2000 with Service Pack 4 - Download the update
* Microsoft DirectX 8.1 on Microsoft Windows XP Service Pack 1 and on Microsoft Windows XP with Service Pack 2 - Download the update
* Microsoft DirectX 8.1 on Microsoft Windows XP Professional x64 Edition - Download the update
* Microsoft DirectX 8.1 on Microsoft Windows Server 2003 and on Microsoft Windows Server 2003 with Service Pack 1 - Download the update
* Microsoft DirectX 8.1 on Microsoft Windows Server 2003 for Itanium-based Systems and on Microsoft Windows Server 2003 with SP1 for Itanium-based Systems - Download the update
* Microsoft DirectX 8.1 on Microsoft Windows Server 2003 x64 Edition - Download the update
* Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME) Review the FAQ section of this bulletin for details about these operating systems.
Tested Microsoft Windows Components:
Affected Components:
* Microsoft DirectX 8.0, 8.0a, 8.1, 8.1a, 8.1b, and 8.2 when installed on Windows 2000 Service Pack 4 - Download the update
* Microsoft DirectX 9.0, 9.0a, 9.0b, and 9.0c when installed on Windows 2000 Service Pack 4 - Download the update
* Microsoft DirectX 9.0, 9.0a, 9.0b, and 9.0c when installed on Windows XP Service Pack 1 - Download the update
* Microsoft DirectX 9.0, 9.0a, 9.0b, and 9.0c when installed on Windows Server 2003 - Download the update
CVE Information:
CAN-2005-2128
Mitigating Factors for DirectShow Vulnerability:
* An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
What is the scope of the vulnerability?
This is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could remotely take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
What causes the vulnerability?
An unchecked buffer in DirectShow.
What is DirectShow?
Microsoft DirectShow is used for streaming media on Microsoft Windows operating systems. DirectShow is used for high-quality capture and playback of multimedia streams. It automatically detects and uses video and audio acceleration hardware when available, but also supports systems without acceleration hardware. It is also integrated with other DirectX technologies
Some of the types of applications that you can create by using DirectShow include DVD players, video editing applications, AVI to ASF converters, MP3 players, and digital video capture applications.
What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could take complete control of the affected system.
Who could exploit the vulnerability?
On a Windows operating system, any anonymous user who could deliver a specially crafted .avi file to the affected system could try to exploit this vulnerability.
In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to try to exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attackers site. It could also be possible to display malicious Web content by using banner advertisements or by using other methods to deliver Web content to affected systems.
What systems are primarily at risk from the vulnerability?
Workstations and terminal servers are primarily at risk. Servers could be at more risk if users who do not have sufficient administrative permissions are given the ability to log on to servers and to run programs. However, best practices strongly discourage allowing this.
What does the update do?
The update removes the vulnerability by modifying the way that DirectShow validates the length of a message before it passes the message to the allocated buffer.
When this security bulletin was issued, had this vulnerability been publicly disclosed?
No. Microsoft received information about this vulnerability through responsible disclosure. Microsoft had not received any information to indicate that this vulnerability had been publicly disclosed when this security bulletin was originally issued.
When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
No. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.
|