Microsoft KB Archive/819696

= MS03-030: Unchecked Buffer in DirectX Could Enable System Compromise =

Article ID: 819696

Article Last Modified on 7/30/2007

-

APPLIES TO


 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Web Edition
 * Microsoft Windows XP Home Edition
 * Microsoft Windows XP Professional
 * Microsoft Windows XP Tablet PC Edition
 * Microsoft Windows XP Media Center Edition 2002
 * Microsoft DirectX 9.0
 * Microsoft DirectX 8.1b
 * Microsoft Windows Millennium Edition
 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Professional Edition
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows NT Server 4.0 Standard Edition
 * Microsoft Windows NT Workstation 4.0 Developer Edition
 * Microsoft Windows NT Server 4.0, Terminal Server Edition
 * Microsoft Windows 98 Standard Edition

-



Technical update

 * July 25, 2003: The version number was changed from 4.90.00.0902 to 4.09.00.0902 in the &quot;Installation Information&quot; section.
 * July 31, 2003: The &quot;Download the Windows NT 4.0 security patch package now&quot; link in the Resolution section was changed to the following: http://microsoft.com/downloads/details.aspx?FamilyId=B42C5BCB-6D36-437D-A07E-053B72B1C652&displaylang=en
 * July 31, 2003: The &quot;Download the Windows NT Server 4.0, Terminal Server Edition security patch package now&quot; link in the Resolution section was changed to the following: http://microsoft.com/downloads/details.aspx?FamilyId=14290AD7-EE7D-4736-8322-BCA4CBD7D7C5&displaylang=en
 * August 20, 2003: This article was been updated to provide information about a new patch for DirectX 8.



SYMPTOMS
DirectX is made up of a set of low-level Application Programming Interfaces (APIs) that is used by Windows programs for multimedia support. The DirectShow technology in DirectX performs client-side audio and video sourcing, manipulation, and rendering. There are two buffer overruns that have the same effects in the function that is used by DirectShow to check parameters in a Musical Instrument Digital Interface (MIDI) file. These buffer overruns may cause a security vulnerability because a malicious user could try to exploit these flaws and run code in the security context of the logged on user.

An attacker might try to exploit this vulnerability by creating a specially crafted MIDI file that is designed to exploit this vulnerability and then host this file on a Web site or on a network share or send it by means of an HTML e-mail message. If the file was hosted on a Web site or on a network share, the user would have to open the specially crafted file. If the file was embedded in a page, the vulnerability could be exploited when a user visits the Web page. If the file is sent in an HTML e-mail message, the vulnerability could be exploited when a user opens or previews the HTML e-mail message. A successful attack could either cause DirectShow or a program that is using DirectShow to fail, or it could cause an attacker's code to run on the user's computer in the security context of the user.

Mitigating factors

 * By default, Microsoft Internet Explorer on Microsoft Windows Server 2003 runs in Enhanced Security Configuration mode. This default configuration of Internet Explorer blocks the e-mail based vector of this attack, by means of Microsoft Outlook Express. If Internet Explorer Enhanced Security Configuration was disabled, the protections that are put in place to help prevent this vulnerability from being exploited are removed.
 * In the Web-based attack scenario, the attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site outside the HTML e-mail vector. Instead, the attacker would have to lure them there, typically by making them click a link that would take them to the attacker's site.
 * Code that runs on the system would only run under the privileges of the user who is logged on.



Windows XP
The Microsoft Windows XP version of the security patch is included in Windows XP Service Pack 2 (SP2). To resolve this problem, obtain the latest service pack for Microsoft Windows XP. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

322389 How to obtain the latest Windows XP service pack

Windows 2000
The Microsoft Windows 2000 version of the security patch is included in Windows 2000 Service Pack 4 (SP4). To resolve this problem, obtain the latest service pack for Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

260910 How to obtain the latest Windows 2000 service pack

Download information
Microsoft has released DirectX 9.0b and individual security patches for operating systems where DirectX 9.0b is not available.

Perform the following steps to determine the current version of DirectX on all operating systems except Microsoft Windows NT 4.0:
 * 1) Click Start, and then click Run.
 * 2) Type dxdiag, and then click OK.

The DirectX version is listed on the System tab.

In Windows NT 4.0, the vulnerability exists if the following registry key is present and it has a value of 1:

DirectX 9.0b can be installed on all affected operating systems except 64-bit editions of Windows Server 2003, 64-bit editions of Microsoft Windows XP, and Windows NT 4.0, regardless of the previous version of DirectX. The following files are available for download from the Microsoft Download Center:

Download the DirectX 9.0b package now.

The DirectX 9.0a patch can be installed on all affected operating systems except 64-bit editions of Windows Server 2003, 64-bit editions of Windows XP, and Windows NT 4.0 that are running DirectX 9.0 or 9.0a. The following files are available for download from the Microsoft Download Center:

Download the DirectX 9.0a security patch package now.

If you use DirectX 8.1 on Windows Server 2003 or Windows XP, install one of the following patches as appropriate.

Download the Windows Server 2003 (32-bit) security patch package now.

Download the Windows Server 2003 (64-bit) security patch package now.

Download the Windows XP (32-bit) security patch package now.

Download the Windows XP (64-bit) security patch package now.

If you use DirectX 8.0, 8.0a, 8.1, 8.1a, or 8.1b on Windows 2000 or Windows Millennium Edition, install the following patch:Download the Windows 2000 or Windows Millennium Edition security patch package now.

Note This patch also installs on Windows 98 Second Edition and Windows 98 with DirectX 8, although these versions of Windows are no longer supported.

If you use DirectX 7.0 on Windows 2000, install the following patch:

Download the Windows 2000 security patch package now.

If you use Windows NT Server 4.0, install the following patch:

Download the Windows NT 4.0 security patch package now.

If you use Windows NT Server 4.0, Terminal Server Edition, install the following patch:

Download the Windows NT Server 4.0, Terminal Server Edition security patch package now.

Release Date: July 23, 2003

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

Prerequisites
DirectX 8 and DirectX 9 do not support systems with 486-class processors. DirectX 9.0b requires Windows Server 2003 (all versions except Windows Server 2003 64-bit editions), Windows XP (all versions except Windows XP 64-bit editions), Windows 2000 Service Pack 3 (SP3), Windows 2000 Service Pack 4 (SP4), or Microsoft Windows Millennium Edition.

The DirectX 9.0a security patch requires a previous installation of DirectX 9.0 or 9.0a on Windows Server 2003 (all versions except Windows Server 2003 64-bit editions), Windows XP (all versions except Windows XP 64-bit editions), Windows 2000 Service Pack 3 (SP3), Windows 2000 Service Pack 4 (SP4), or Windows Millennium Edition. The use of the DirectX 9.0b package is preferred because it provides additional non-security core graphics and DirectShow fixes.

The DirectX 8.1 security patch requires the released version of Windows Server 2003, the released version of Windows XP, or Windows XP Service Pack 1 (SP1). For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

322389 How to obtain the latest Windows XP Service Pack

The DirectX 8 security patch for Windows 2000 and Windows Millennium Edition requires a previous installation of DirectX 8.0, 8.0a, 8.1, 8.1a, or 8.1b on Windows 2000 Service Pack 3 (SP3), Windows 2000 Service Pack 4 (SP4), or Windows Millennium Edition. Note that Microsoft recommends the use of DirectX 9.0b on this platform, because it provides additional non-security core graphics and DirectShow fixes.

The DirectX 7.0/7.0a security patch requires Windows 2000 Service Pack 3 (SP3). For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

260910 How to obtain the latest Windows 2000 service pack

The Windows NT 4.0 security patch requires Windows NT 4.0 Service Pack 6a (SP6a) or Windows NT Server 4.0, Terminal Server Edition Service Pack 6 (SP6) running Internet Explorer 6.0 SP1 or Microsoft Windows Media Player 6.4. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

152734 How to obtain the latest Windows NT 4.0 service pack

The following table lists the appropriate patch to install based on your operating system and your DirectX version:

Notes for table:
 * 9.0b refers to DirectX 9.0b.
 * The End-User Runtime is an approximately 300 KB Web installation resulting in a 10-16 MB download. The Redistribution Runtime for Developers is a 32 MB installation. The updates cannot be installed silently. You must accept the End User License Agreement to install these updates.
 * The OPK Runtime is an approximately 11 - 13 MB stand-alone installer. By default, this installation is silent. The OPK Runtime is available only to OEMs and Volume License customers.
 * P1: DirectX 9.0a Patch. This is a small (approximately 900 KB) patch for DirectX 9.0 or 9.0a. This patch is offered on Windows Update for critical and automatic updates.
 * P2: DirectX 8 Patch. This is a small (approximately 800 KB) patch for DirectX 8.0, 8.0a, 8.1, 8.1a, and 8.1b.
 * P3: DirectX 8.1 Patch for Windows XP and Windows XP Service Pack 1.
 * P4: DirectX 8.1 Patch for Windows Server 2003.
 * P5: DirectX 7.0 Patch for Windows 2000.
 * P6: DirectX Media 6 Patch for Windows NT 4.0 and Windows NT 4.0, Terminal Server Edition.
 * N/R: Not required. The release contains the fix.
 * N/A: The configuration does not exist.

Installation Information
You must be logged on as an administrator to install DirectX 9.0b or the security patch. Because of End User Licensing Agreement (EULA) acceptance requirements, DirectX 9.0b has no Setup switches.

Microsoft recommends that you create a System Restore point on Windows XP or Windows Millennium Edition before you install DirectX 9.0b. For additional information about System Restore, click Start and then click Help and Support. In the Search box, type system restore, and then press ENTER.

The DirectX 9.0a and DirectX 8 security patches supports the following Setup switches:
 * /? Display the list of installation switches.
 * /q Use Quiet mode (no user intervention).
 * /q:u Use User-Quiet mode. This mode presents some dialog boxes to the user.
 * /q:a Use Administrator-Quiet mode. This mode does not present any dialog boxes to the user.
 * /t:full path : Specifies the temporary working folder.
 * /c: Extract the files without running Setup when used with /t.
 * /c:cmd Override the installation command that was defined by the author.
 * /r:n Never restart the computer after installation.
 * /r:i Restart the computer if it is required. This switch automatically restarts the computer if a restart is required to complete the installation.
 * /r:a Always restart the computer after installation.

The DirectX 8.1 and DirectX 7.0/7.0a security patches support the following Setup switches:
 * /? Display the list of installation switches.
 * /u Use Unattended mode.
 * /f Force other programs to quit when the computer shuts down.
 * /n Do not back up files for removal.
 * /o Overwrite OEM files without prompting.
 * /z Do not restart when installation is complete.
 * /q Use Quiet mode (no user interaction).
 * /l List installed hotfixes.
 * /x Extract the files without running Setup.

The Windows NT 4.0 security patch supports the following Setup switches:
 * /y Perform removal (only with /m or /q).
 * /f Force programs to be closed at shutdown.
 * /n Do not create an Uninstall folder.
 * /z Do not restart when update completes.
 * /q Use Quiet or Unattended mode with no user interface (this switch is a superset of /m ).
 * /m Use Unattended mode with user interface.
 * /l List installed hotfixes.
 * /x Extract the files without running Setup.

To verify that DirectX 9.0b is installed on your computer, confirm that the following registry key exists and that its value is 4.09.00.0902:

To verify that the DirectX 9.0a security patch is installed on your computer, confirm that the following registry key is present and that it has a value of 1:

To verify that DirectX 8.0, 8.0a, 8.1, 8.1a, or 8.1b is installed on your Windows 2000 or Windows Millennium Edition computer, confirm that the following registry key exists and that its value is in the range of 4.08.00.0400 to 4.08.01.0901, inclusive:

To verify that the DirectX 8 security patch is installed on your computer, confirm that the following registry key is present and that it has a value of 1:

To verify that the DirectX 8.1 or 7.0/7.0a patch is installed on your computer, confirm that the following registry key exists, as appropriate:  Windows Server 2003:

 Windows XP:

 Windows XP with SP1:

 Windows 2000:

or



To verify that the Windows NT 4.0 patch is installed on your computer, confirm that the following registry key exists:

Deployment information
Because of EULA acceptance requirements, DirectX 9.0b cannot be installed silently. Volume license customers may obtain a modified package that supports silent installation by contacting [mailto:DirectX@Microsoft.com DirectX@Microsoft.com].

To install the DirectX 9.0a security patch without any user intervention, use the following command line:

directx9-kb819696-x86-enu /q:a

To install this patch without forcing the computer to restart, use the following command line:

directx9-kb819696-x86-enu /q:r

Note These switches can be combined in one command line.

To install the DirectX 8.1 or 7.0/7.0a security patch without any user intervention, use the following command line:

windowsserver2003-kb819696-x86-enu /u /q

To install this patch without forcing the computer to restart, use the following command line:

windowsserver2003-kb819696-x86-enu /z

Note The file name in these examples may differ depending on the patch that you are installing. These switches can be combined in one command line.

For information about how to deploy this patch with Software Update Services, visit the following Microsoft Web site:

http://technet.microsoft.com/en-us/wsus/bb466201.aspx

Restart requirement
You must restart your computer after you install DirectX 9.0b or after you apply this patch.

Removal information
DirectX 9.0b replaces key operating system components and cannot be removed. To remove the security patch, use the Add/Remove Programs tool in Control Panel. System administrators can use the Spunist.exe utility to remove the patch from Windows Server 2003-based, Windows XP-based, and Windows 2000-based computers. Spuninst.exe is in the %Windir%\$NTUninstallKB819696$\Spuninst folder, and it supports the following Setup switches:
 * /? Display the list of installation switches.
 * /u Use unattended mode.
 * /f Force other programs to quit when the computer shuts down.
 * /z Do not restart when the installation is complete.
 * /q Use Quiet mode (no user interaction).

Patch replacement information
The Windows NT 4.0 version of this patch replaces the patch that is available in Microsoft Knowledge Base article 269849. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

269849 Access violation error message when you use Windows Media Player 6.4 to play .wav files

File information
The English version of this hotfix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

819696 patch for Windows Server 2003 and Windows XP:   Date         Time   Version     Size       File name 13-May-2003 23:41  6.4.3790.9  1,173,504  Quartz.dll  (gdr) 13-May-2003 23:48  6.4.3790.9  1,117,184  Quartz.dll  (qfe) 819696 patch for Windows Server 2003 64-bit versions and Windows XP 64-Bit Edition, Version 2003:   Date         Time   Version     Size       File name    Platform ---  16-May-2003  00:50  6.4.3790.9  3,348,480  Quartz.dll   IA64  (gdr) 16-May-2003 01:10  6.4.3790.9  1,129,984  Wquartz.dll  IA64  (gdr)

16-May-2003 01:08  6.4.3790.9  3,348,480  Quartz.dll   IA64  (qfe) 16-May-2003 01:11  6.4.3790.9  1,117,184  Wquartz.dll  IA64  (qfe) 819696 patch for Windows XP SP1:   Date         Time   Version        Size       File name 13-May-2003 17:28  6.4.2600.1221  1,132,032  Quartz.dll 819696 patch (32-Bit) for Windows XP: <pre class="fixed_text">  Date         Time   Version        Size      File name ---  13-May-2003  19:27  6.4.2600.113  1,123,840  Quartz.dll 819696 patch (64-Bit) for Windows XP 64-Bit Edition, Version 2002 SP1: <pre class="fixed_text">  Date         Time   Version        Size       File name    Platform ---  13-May-2003  17:29  6.4.2600.1221  3,881,472  Quartz.dll   IA64 12-May-2003 04:34  6.4.2600.1221  1,132,032  Wquartz.dll  IA64 819696 patch (32-Bit) for Windows 2000 SP3: <pre class="fixed_text">  Date         Time   Version    Size     File name --  03-Jul-2003  17:28  6.1.9.729  791.312  Quartz.dll 819696 patch (32-Bit) for Windows NT 4.0 SP6: <pre class="fixed_text">  Date         Time   Version    Size     File name --  08-Jul-2003  21:49  6.1.5.132  762,128  Quartz.dll DirectX 9.0b and DirectX 9.0a patch (32-Bit) for Windows Server 2003 and Windows XP: <pre class="fixed_text">  Date         Time   Version    Size       File name 30-May-2003 09:00  6.5.1.902  1,246,208  Quartz.dll  (end user) 30-May-2003 09:00  6.5.1.902  1,962,496  Quartz.dll  (redist) DirectX 9.0b and DirectX 9.0a patch (32-Bit) for Windows 2000: <pre class="fixed_text">  Date         Time   Version    Size       File name 30-May-2003 09:00  6.5.1.902  1,136,640  Quartz.dll  (end user) 30-May-2003 09:00  6.5.1.902  1,962,496  Quartz.dll  (redist) DirectX 9.0b and DirectX 9.0a patch (32-Bit) for Windows Millennium Edition: <pre class="fixed_text">  Date         Time   Version    Size       File name 30-May-2003 09:00  6.5.1.902  1,128,960  Quartz.dll  (end user) 30-May-2003 09:00  6.5.1.902  1,845,248  Quartz.dll  (redist) DirectX 8 patch for Windows 2000 and Windows Millennium Edition: <pre class="fixed_text">  Date         Time   Version    Size       File name 06-Aug-2003 19:44  6.3.1.886  1,696,748  Quartz.dll You can also verify the files that the DirectX 8.1 or 7.0/7.0a patch installed by reviewing the following registry key, as appropriate:  Windows Server 2003:

</li> Windows XP:

</li> Windows XP with SP1:

</li> Windows 2000:

</li></ul>

<div class="status_section">

STATUS
Microsoft has confirmed that this problem may cause a degree of security vulnerability in the Microsoft products that are listed at the beginning of this article.

Windows XP This problem was first corrected in Microsoft Windows XP Service Pack 2.

<div class="moreinformation_section">

MORE INFORMATION
For more information about this vulnerability, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/bulletin/MS03-030.mspx

For additional information about the Microsoft DirectX diagnostic tool, click the following article number to view the article in the Microsoft Knowledge Base:

190900 DirectX: Description of the DirectX diagnostic tool

The following sections describe the DirectX versions that are reported by Dxdiag.exe for the original Microsoft shipping configuration.

DirectX 8.1

 * Windows Server 2003
 * Windows Server 2003, 64-Bit Datacenter Edition
 * Windows Server 2003, 64-Bit Enterprise Edition
 * Windows XP 64-Bit Edition Version 2003
 * Windows XP 64-Bit Edition Version 2002 SP1
 * Windows XP

DirectX 7.0a

 * Windows Millennium Edition

DirectX 7.0

 * Windows 2000

DirectX 6.1

 * Windows 98 Second Edition

DirectX 5.2

 * Windows 98

DirectX and DirectX Media were separate products until the release of DirectX 8.0. Subsequent releases have integrated both products under the DirectX name. Dxdiag only reports the DirectX version, but the affected file is in DirectX Media for systems that have versions that are earlier than DirectX 8.0.

Additional query words: security_patch

Keywords: kbhotfixserver kbqfe atdownload kbwinxpsp2fix kbwinnt400presp7fix kbwin2000presp4fix kbwin2ksp4fix kbwinserv2003presp1fix kbfix kbbug kbwinxppresp2fix kbsecvulnerability kbsecbulletin kbsecurity KB819696

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.