Proventia Network IPS, Proventia Desktop, RealSecure Network, RealSecure Server Sensor, Proventia-G 1.1 and earlier, Proventia Network IDS, Proventia Network MFS, IBM Security Server Protection for Windows, Proventia Server IPS for Linux technology, Virtual Server Protection for VMware:
This signature detects QuickTime media files exploiting a Microsoft DirectShow vulnerability within 'quartz.dll' that could allow remote code execution. Windows 2000 Service Pack 4, Windows XP, and Windows Server 2003 are vulnerable.
Proventia Network IPS, Proventia Desktop, RealSecure Network, RealSecure Server Sensor, Proventia-G 1.1 and earlier, Proventia Network IDS, Proventia Network MFS, IBM Security Server Protection for Windows, Proventia Server IPS for Linux technology, Virtual Server Protection for VMware:
DirectShow misinterprets the QuickTime file structure. A legitimate QuickTime file may coincidentally contain a byte sequence that causes the DirectShow error and triggers this signature.
High
Proventia Network IPS: XPU 29.060, Proventia Desktop: 2400, RealSecure Network: XPU 29.060, RealSecure Server Sensor: XPU 29.060, Proventia-G 1.1 and earlier: XPU 29.060, Proventia Network IDS: XPU 29.060, Proventia Network MFS: XPU 29.060, IBM Security Server Protection for Windows: 2.0.300.2400, IBM Security Server Protection for Windows: 1.0.914.2400, IBM Security Server Protection for Windows: 2.1.14.2400, Proventia Server IPS for Linux technology: 29.060, Virtual Server Protection for VMware: 1.0
Microsoft DirectX: 7.0, Microsoft DirectX: 8.1, Microsoft Windows 2000: SP4, Microsoft Windows XP: SP2, Microsoft Windows XP: x64 Professional, Microsoft DirectX: 9.0, Microsoft Windows Server 2003: SP2, Microsoft Windows Server 2003: SP2 Itanium, Microsoft Windows Server 2003: SP2 x64, Microsoft Windows XP: SP3
Unauthorized Access Attempt
Microsoft DirectX could allow a remote attacker to execute arbitrary code on the system, caused by a NULL byte overwrite vulnerability in quartz.dll. By persuading a victim to open a specially crafted QuickTime media file, a remote attacker could exploit this vulnerability to execute arbitrary code on the system with the privileges of the victim.
Apply the appropriate patch for your system, as listed in the latest Microsoft Security Bulletin. See References.
— OR —
Use Microsoft Automatic Update if it is supported by your operating system. The original bulletin issued by Microsoft has been superseded.
Microsoft Security Advisory (971778)
Vulnerability in Microsoft DirectShow Could Allow Remote Code Execution
http://www.microsoft.com/technet/security/advisory/971778.mspx
IBM Internet Security Systems
Mozilla Unicode URL Stack Overflow
http://www.iss.net/threats/303.html
Microsoft Security Bulletin MS09-028
Vulnerabilities in Microsoft DirectShow Could Allow Remote Code Execution (971633)
http://www.microsoft.com/technet/security/bulletin/ms09-028.mspx
Microsoft Security Bulletin MS10-013
Vulnerability in Microsoft DirectShow Could Allow Remote Code Execution (977935)
http://www.microsoft.com/technet/security/bulletin/ms10-013.mspx
Microsoft Security Bulletin MS10-033
Vulnerabilities in Media Decompression Could Allow Remote Code Execution (979902)
http://www.microsoft.com/technet/security/bulletin/ms10-033.mspx
Microsoft Security Bulletin MS10-094
Vulnerability in Windows Media Encoder Could Allow Remote Code Execution (2447961)
http://www.microsoft.com/technet/security/bulletin/ms10-094.mspx
Microsoft Security Bulletin MS12-004
Vulnerabilities in Windows Media Could Allow Remote Code Execution (2636391)
http://www.microsoft.com/technet/security/bulletin/ms12-004.mspx
ISS X-Force
Microsoft DirectX quartz.dll code execution
http://www.iss.net/security_center/static/50831.php
CVE
CVE-2009-1537
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1537