Microsoft DirectX DirectShow WAV and AVI code execution (RIFF_WAV_DirectShow_Overflow)

About this signature or vulnerability

Proventia Server IPS for Microsoft Windows technology, BlackICE Server Protection, BlackICE PC Protection, RealSecure Server Sensor, RealSecure Network, Proventia Server IPS for Linux technology, Proventia-G 1.1 and earlier, Proventia Network MFS, Proventia Desktop, Proventia Network IPS:

This signature detects RIFF/WAV file specially crafted to overflow a buffer, allowing code execution.


Default risk level

High risk vulnerability  High

Sensors that have this signature

Proventia Server IPS for Microsoft Windows technology: 1.0.914.2130, BlackICE Server Protection: 3.6.cqs, BlackICE PC Protection: 3.6cqs, RealSecure Server Sensor: XPU 27.120, RealSecure Network: XPU 27.120, Proventia Server IPS for Linux technology: 27.120, Proventia-G 1.1 and earlier: XPU 27.120, Proventia Network MFS: XPU 27.120, Proventia Desktop: 2130, Proventia Network IPS: XPU 27.120

Systems affected

Microsoft DirectX: 7.0, Microsoft DirectX: 8.1, Microsoft DirectX: 9.0a, Microsoft Windows 2000: SP4, Microsoft Windows 2003 Server: x64, Microsoft Windows XP: SP2, Microsoft Windows 2003 Server: SP1, Microsoft Windows XP: Professional x64, Microsoft Windows 2003 Server: SP1 Itanium, Microsoft DirectX: 9.0, Microsoft DirectX: 9.0b, Microsoft DirectX: 9.0c, Microsoft Windows Vista, Microsoft Windows 2003 Server: SP2, Microsoft Windows 2003 Server: SP2 Itanium, Microsoft Windows 2003 Server: SP2 x64, Microsoft Windows Vista: x64, Microsoft Windows XP: SP2 Professional x64, Microsoft DirectX: 10.0

Type

Unauthorized Access Attempt

Vulnerability description

Microsoft DirectShow, which is part of Microsoft DirectX, could allow a remote attacker to execute arbitrary code on the system, caused by improper parsing of WAV and AVI files. By persuading a victim to open a specially-crafted WAV or AVI file, an attacker could exploit this vulnerability to execute arbitrary code on the system with the privileges of the victim.

How to remove this vulnerability

Apply the appropriate patch for your system, as listed in the latest Microsoft Security Bulletin. See References.

— OR —

Use Microsoft Automatic Update if it is supported by your operating system. The original bulletin issued by Microsoft has been superseded.

References

Microsoft Security Bulletin MS07-064
Vulnerabilities in DirectShow Could Allow Remote Code Execution (941568)
http://www.microsoft.com/technet/security/Bulletin/MS07-064.mspx

IBM Internet Security Systems Protection Alert Dec. 11, 2007
Multiple Microsoft DirectShow Remote Code Execution Vulnerabilities
http://www.iss.net/threats/280.html

Microsoft Security Bulletin MS08-033
Vulnerabilities in DirectX Could Allow Remote Code Execution (951698)
http://www.microsoft.com/technet/security/Bulletin/MS08-033.mspx

ISS X-Force
Microsoft DirectX DirectShow WAV and AVI code execution
http://www.iss.net/security_center/static/38722.php

CVE
CVE-2007-3895
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3895