Critical DirectX flaw affects many Windows systems

A Critical flaw has been discovered in DirectX. This week's installment of The Locksmith offers the details, along with information about flaws in Oracle software and a fast new method for cracking Windows passwords.

Microsoft Security Bulletin MS03-030, "Unchecked Buffer in DirectX Could Enable System Compromise," describes a threat that's been rated Critical. Microsoft recommends that the security patch listed in the bulletin be immediately installed on all affected systems that currently have DirectX installed.

DirectX is an API that provides multimedia support for Windows software. Exploiting this vulnerability allows an attacker to run arbitrary code on the user's computer. A specially crafted Musical Instrument Digital Interface (MIDI) file can be inserted in a Web site or an HTML e-mail. When the site is visited or the e-mail is previewed or opened, the attacker's code executes on the user's computer at the moment DirectShow, which performs client-side audio and video sourcing, attempts to play the file. The vulnerability does not lie in Windows Media Player.

Microsoft lists the following systems as vulnerable:
  • Microsoft DirectX 5.2 on Windows 98
  • DirectX 6.1 on Windows 98 SE
  • DirectX 7.0a on Windows Me
  • DirectX 7.0 on Windows 2000
  • DirectX 8.1 on Windows XP
  • DirectX 8.1 on Windows Server 2003
  • DirectX 9.0a on Windows Me
  • DirectX 9.0a on Windows 2000
  • DirectX 9.0a on Windows XP
  • DirectX 9.0a on Windows Server 2003
  • Windows NT 4.0 with Media Player 6.4 or IE 6 SP 1 installed
  • Windows NT 4.0, Terminal Server Edition with Media Player 6.4 or IE 6 SP 1

You can learn which DirectX version is installed on a system by running the Dxdiag.exe diagnostic utility.

These may not be the only systems affected by this vulnerability, but they're the only ones still supported by Microsoft that are identified with the problem. You may also want to consider patching older, unsupported operating systems that are running DirectX.

Risk level—Important to Critical
This flaw can allow an attacker to run code on a vulnerable system. Microsoft has rated this flaw differently depending on the OS and DirectX environment. Here's the breakdown:
  • DirectX 9.0a—Critical
  • DirectX 9.0a installed on WS2K3—Important
  • DirectX 8.1—Critical
  • DirectX 8.1 installed on WS2K3—Important
  • DirectX 7.0a on WinMe—Critical
  • DirectX 7.0 on Win2K—Critical
  • Media Player 6.4 or Internet Explorer 6 SP 1 installed on NT 4.0—Critical
  • Media Player 6.4 or Internet Explorer 6 SP 1 installed on NT 4.0, Terminal Server Edition—Critical

You should assume that other configurations not listed above are Critical.

Mitigating factors
Any system that opens e-mails as plain text is protected, and any code from Web pages will execute only at the user's privilege level. The Microsoft bulletin emphasizes that Windows 2003 Servers are configured by default to open HTML e-mail as plain text, which is why that OS has just an Important rating.

Fix—apply patch
The patch corrects the way DirectX validates MIDI file parameters. For some versions of DirectX, the patch can be uninstalled, but not in most versions.

Final word
If you have systems with DirectX installed, you should patch them as soon as possible. If DirectX is not needed, consider uninstalling it altogether.

Also watch out for…
New critical-rated vulnerabilities have been announced by Oracle for two of its products. The first is "Buffer Overflows in EXTPROC of Oracle Database Server" (Alert #57); the second is "Buffer Overflow Vulnerability in Oracle E-Business Suite" (Alert #56); the third is "Unauthorized Disclosure of Information in Oracle E-Business Suite" (Alert #55). Users should check these bulletins and apply the supplied patches where appropriate.

Swiss researchers from the Security and Cryptography Laboratory (LASEC) have discovered a new way to crack alphanumeric Windows passwords in seconds, according to a report. The researchers have published a demo, which you can access here. The best way to nullify this new method of attack (which will probably filter down to hackers shortly) is to require users to include nonalphanumeric symbols in their passwords. You can view the original paper here.

MS03-031 is a cumulative patch for SQL server that Microsoft has rated Important. It affects Microsoft SQL Server 7.0, Microsoft Data Engine (MSDE) 1.0, SQL Server 2000, and SQL Server 2000 Desktop Engine (MSDE 2000). The patch limits the data read by the SQL Server to the amount that will fit into the buffer.
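Both the DirectX fix (correcting how MIDI file parameters are validated) and the SQL Server fix (limiting what is read to what fits in the buffer) close the same class of defect: a length taken from untrusted input is used as a copy size without being compared against the destination buffer. The C below is an added illustration of that pattern and its repair, written for this column; it is not Microsoft's code for either product. It parses the "MThd" header chunk of a Standard MIDI File (4-byte type, 4-byte big-endian length, payload), using a constructed 16-byte scratch buffer, constructed input bytes, and function names chosen here. The unchecked variant is kept only for contrast and is never run on the malformed inputs.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A Standard MIDI File is a sequence of chunks: 4 ASCII bytes of type,
 * a 4-byte big-endian payload length, then the payload. The "MThd" header
 * chunk carries three big-endian 16-bit fields: format, track count and
 * time division. */
#define CHUNK_HDR_LEN    8    /* type + length */
#define MTHD_PAYLOAD_LEN 6
#define SCRATCH_LEN      16   /* fixed scratch buffer; size chosen for this example */

typedef struct {
    uint16_t format;
    uint16_t ntracks;
    uint16_t division;
} midi_header;

enum parse_status {
    PARSE_OK = 0,
    PARSE_BAD_TYPE,      /* not an MThd chunk */
    PARSE_TRUNCATED,     /* file shorter than the chunk claims */
    PARSE_BAD_LENGTH     /* declared length is not what MThd allows */
};

static uint32_t read_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

static uint16_t read_be16(const uint8_t *p)
{
    return (uint16_t)(((uint16_t)p[0] << 8) | p[1]);
}

/* DEFECTIVE pattern, kept for contrast: the length field from the file is
 * used directly as the copy size. A file declaring a length larger than
 * SCRATCH_LEN overruns the stack buffer. Only called on the well-formed
 * sample in this example. */
static enum parse_status parse_header_unchecked(const uint8_t *file, size_t file_len,
                                                midi_header *out)
{
    uint8_t scratch[SCRATCH_LEN];
    if (file_len < CHUNK_HDR_LEN || memcmp(file, "MThd", 4) != 0)
        return PARSE_BAD_TYPE;
    uint32_t declared = read_be32(file + 4);
    memcpy(scratch, file + CHUNK_HDR_LEN, declared);      /* no bound check */
    out->format   = read_be16(scratch);
    out->ntracks  = read_be16(scratch + 2);
    out->division = read_be16(scratch + 4);
    return PARSE_OK;
}

/* HARDENED: every length taken from the file is validated against both the
 * fixed buffer and the bytes actually present before any copy happens. */
static enum parse_status parse_header_checked(const uint8_t *file, size_t file_len,
                                              midi_header *out)
{
    uint8_t scratch[SCRATCH_LEN];
    if (file_len < CHUNK_HDR_LEN || memcmp(file, "MThd", 4) != 0)
        return PARSE_BAD_TYPE;
    uint32_t declared = read_be32(file + 4);
    /* Reject anything that would not fit the buffer, before touching the payload. */
    if (declared > SCRATCH_LEN || declared < MTHD_PAYLOAD_LEN)
        return PARSE_BAD_LENGTH;
    /* Reject a chunk that claims more bytes than the file holds. */
    if (declared > file_len - CHUNK_HDR_LEN)
        return PARSE_TRUNCATED;
    memcpy(scratch, file + CHUNK_HDR_LEN, declared);
    out->format   = read_be16(scratch);
    out->ntracks  = read_be16(scratch + 2);
    out->division = read_be16(scratch + 4);
    return PARSE_OK;
}

/* Constructed inputs for this example (not captured from any real file). */
static const uint8_t GOOD_FILE[] = {
    'M','T','h','d', 0x00,0x00,0x00,0x06,        /* MThd, length 6 */
    0x00,0x01, 0x00,0x02, 0x01,0xE0              /* format 1, 2 tracks, 480 ppqn */
};
static const uint8_t OVERSIZED_FILE[] = {
    'M','T','h','d', 0x00,0x00,0x10,0x00,        /* MThd, length 4096 */
    0x00,0x01, 0x00,0x02, 0x01,0xE0
};
static const uint8_t TRUNCATED_FILE[] = {
    'M','T','h','d', 0x00,0x00,0x00,0x06,        /* claims 6 bytes, carries 2 */
    0x00,0x01
};

int main(void)
{
    midi_header h;
    if (parse_header_unchecked(GOOD_FILE, sizeof GOOD_FILE, &h) == PARSE_OK &&
        parse_header_checked(GOOD_FILE, sizeof GOOD_FILE, &h) == PARSE_OK)
        printf("format=%u tracks=%u division=%u\n", h.format, h.ntracks, h.division);
    printf("oversized -> %d, truncated -> %d\n",
           parse_header_checked(OVERSIZED_FILE, sizeof OVERSIZED_FILE, &h),
           parse_header_checked(TRUNCATED_FILE, sizeof TRUNCATED_FILE, &h));
    return 0;
}
```

The order of the two checks matters: the buffer-size comparison comes first so that no arithmetic on the declared length happens until it is known to be small, and the file-length comparison is written as `declared > file_len - CHUNK_HDR_LEN` only because the earlier guard guarantees `file_len` is at least `CHUNK_HDR_LEN`, so the subtraction cannot wrap.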

Microsoft recently announced a Moderate-rated denial of service vulnerability in Windows NT 4.0 Server. It doesn't affect other software. The vulnerability is covered by Microsoft Security Bulletin MS03-029, which includes a link to the patch.

CERT Advisory CA-2003-15 covers a Cisco IOS Interface IPv4 packet vulnerability, which has the CVE designation CAN-2003-0567. Cisco Security Advisory 44020 details the problem and has been updated several times since its original release in mid-July.

A recent paper from iDefense explains the Windows "shatter" vulnerability. According to the story, this is a class of attacks that uses the messaging system to cause malicious code to run via privileged, but actually insecure, applications.
