HighIBM Security Server Protection for Windows, Proventia Network IDS, Proventia-G 1.1 and earlier, Proventia Network MFS, BlackICE PC Protection, BlackICE Server Protection, RealSecure Server Sensor, RealSecure Network, Proventia Network IPS, Proventia Desktop, Virtual Server Protection for Vmware, Proventia Server IPS for Linux technology:
This signature detects SAMI file specially crafted to overflow a buffer, allowing code execution.
High
IBM Security Server Protection for Windows: 2.1.14.2400, IBM Security Server Protection for Windows: 1.0.914.2130, Proventia Network IDS: XPU 27.120, Proventia-G 1.1 and earlier: XPU 27.120, Proventia Network MFS: XPU 27.120, BlackICE PC Protection: 3.6cqs, BlackICE Server Protection: 3.6.cqs, RealSecure Server Sensor: XPU 27.120, RealSecure Network: XPU 27.120, Proventia Network IPS: XPU 27.120, Proventia Desktop: 2130, Virtual Server Protection for Vmware: 1.0, Proventia Server IPS for Linux technology: 27.120
Microsoft DirectX: 7.0, Microsoft DirectX: 8.1, Microsoft Windows 2000: SP4
Unauthorized Access Attempt
Microsoft DirectShow, which is part of Microsoft DirectX, could allow a remote attacker to execute arbitrary code on the system, caused by improper parsing of Synchronized Accessible Media Interchange (SAMI) files. By persuading a victim to open a specially-crafted SAMI file, an attacker could exploit this vulnerability to execute arbitrary code on the system with the privileges of the victim.
Apply the appropriate patch for your system, as listed in the latest Microsoft Security Bulletin. See References.
— OR —
Use Microsoft Automatic Update if it is supported by your operating system. The original bulletin issued by Microsoft has been superseded.
Microsoft Security Bulletin MS07-064
Vulnerabilities in DirectShow Could Allow Remote Code Execution (941568)
http://www.microsoft.com/technet/security/Bulletin/MS07-064.mspx
IBM Internet Security Systems Protection Alert Dec. 11, 2007
Multiple Microsoft DirectShow Remote Code Execution Vulnerabilities
http://www.iss.net/threats/280.html
iDefense PUBLIC ADVISORY: 12.11.07
Microsoft DirectX 7 and 8 DirectShow Stack Buffer Overflow Vulnerability
https://labs.idefense.com/verisign/intelligence/2009/vulnerabilities/display.php?id=632
Microsoft Security Bulletin MS08-033
Vulnerabilities in DirectX Could Allow Remote Code Execution (951698)
http://www.microsoft.com/technet/security/Bulletin/MS08-033.mspx
Microsoft Security Bulletin MS09-011
Vulnerability in Microsoft DirectShow Could Allow Remote Code Execution (961373)
http://www.microsoft.com/technet/security/bulletin/ms09-011.mspx
Microsoft Security Bulletin MS09-028
Vulnerabilities in Microsoft DirectShow Could Allow Remote Code Execution (971633)
http://www.microsoft.com/technet/security/bulletin/ms09-028.mspx
Microsoft Security Bulletin MS10-013
Vulnerability in Microsoft DirectShow Could Allow Remote Code Execution (977935)
http://www.microsoft.com/technet/security/bulletin/ms10-013.mspx
Microsoft Security Bulletin MS10-033
Vulnerabilities in Media Decompression Could Allow Remote Code Execution (979902)
http://www.microsoft.com/technet/security/bulletin/ms10-033.mspx
Microsoft Security Bulletin MS10-094
Vulnerability in Windows Media Encoder Could Allow Remote Code Execution (2447961
http://www.microsoft.com/technet/security/bulletin/ms10-094.mspx
Microsoft Security Bulletin MS12-004
Vulnerabilities in Windows Media Could Allow Remote Code Execution (2636391)
http://www.microsoft.com/technet/security/bulletin/ms12-004.mspx
ISS X-Force
Microsoft DirectX DirectShow SAMI code execution
http://www.iss.net/security_center/static/38721.php
CVE
CVE-2007-3901
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3901