Microsoft Windows DirectX MJPEG decoder code execution (RIFF_Codec_Overflow)

About this signature or vulnerability

Proventia Server IPS for Microsoft Windows technology, BlackICE Server Protection, BlackICE PC Protection, RealSecure Server Sensor, RealSecure Network, Proventia Server IPS for Linux technology, Proventia-G 1.1 and earlier, Proventia Network MFS, Proventia Desktop, Proventia Network IPS:

This signature detects a RIFF file specially crafted to overflow a buffer, allowing remote code execution


Default risk level

High risk vulnerability  High

Sensors that have this signature

Proventia Server IPS for Microsoft Windows technology: 2.0.252.2140, Proventia Server IPS for Microsoft Windows technology: 1.0.914.2140, BlackICE Server Protection: 3.6.cqt, BlackICE PC Protection: 3.6cqt, RealSecure Server Sensor: XPU 28.010, RealSecure Network: XPU 28.010, Proventia Server IPS for Linux technology: 28.010, Proventia-G 1.1 and earlier: XPU 28.010, Proventia Network MFS: XPU 28.010, Proventia Desktop: 2140, Proventia Network IPS: XPU 28.010

Systems affected

Microsoft DirectX: 8.1, Microsoft DirectX: 9.0a, Microsoft DirectX: 9.0, Microsoft DirectX: 9.0b, Microsoft DirectX: 9.0c, Microsoft DirectX: 10.0

Type

Unauthorized Access Attempt

Vulnerability description

Microsoft Windows DirectX could allow a remote attacker to execute arbitrary code on the system, caused by improper error checking on MJPEG video streams embedded within Audio Video Interleave (AVI) or Advanced Systems Format (ASF) media files. By persuading a victim to open a specially-crafted ASF or AVI, a remote attacker could exploit this vulnerability to execute arbitrary code on the system.

How to remove this vulnerability

Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS08-033. See References.

For other distributions:
Apply the appropriate update for your system. See References.

References

Microsoft Security Bulletin MS08-033
Vulnerabilities in DirectX Could Allow Remote Code Execution (951698)
http://www.microsoft.com/technet/security/Bulletin/MS08-033.mspx

NORTEL BULLETIN ID: 2008008891, Rev 1
Centrex IP Client Manager (CICM) response to Microsoft June security bulletin
http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&id=734247

NORTEL BULLETIN ID: 2008008897, Rev 1
Nortel Response to Microsoft Security Bulletin MS08-033
http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&id=734154

HPSBST02344 SSRT080087 rev.1
Storage Management Appliance (SMA), Microsoft Patch Applicability MS08-030 to MS08-036
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?lang=en&cc=us&objectID=c01482941

ISS X-Force
Microsoft Windows DirectX MJPEG decoder code execution
http://www.iss.net/security_center/static/39052.php

CVE
CVE-2008-0011
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0011