IBM Security Server Protection for Windows, BlackICE Server Protection, Proventia Network IDS, Proventia-G 1.1 and earlier, Proventia Network MFS, BlackICE PC Protection, RealSecure Server Sensor, RealSecure Network, Proventia Network IPS, Proventia Desktop, Virtual Server Protection for VMware, Proventia Server IPS for Linux technology:
This signature detects a malformed SAMI file that could exploit a vulnerability in the quartz.dll module of Windows Media Player to allow remote code execution.
High
IBM Security Server Protection for Windows: 2.1.14.2400, IBM Security Server Protection for Windows: 1.0.914.2210, IBM Security Server Protection for Windows: 2.0.300.2210, BlackICE Server Protection: 3.6.cra, Proventia Network IDS: XPU 28.070, Proventia-G 1.1 and earlier: XPU 28.070, Proventia Network MFS: XPU 28.070, BlackICE PC Protection: 3.6cra, RealSecure Server Sensor: XPU 28.070, RealSecure Network: XPU 28.070, Proventia Network IPS: XPU 28.070, Proventia Desktop: 2210, Virtual Server Protection for VMware: 1.0, Proventia Server IPS for Linux technology: 28.070
Microsoft DirectX: 7.0, Microsoft DirectX: 8.1, HP Storage Management Appliance: 2.1
Unauthorized Access Attempt
Microsoft Windows DirectX is vulnerable to a stack-based buffer overflow, caused by improper bounds checking of the Synchronized Accessible Media Interchange (SAMI) "Class Name" parameter. By persuading a victim to open a specially crafted SAMI file, a remote attacker could overflow a buffer and execute arbitrary code on the system with the privileges of the victim.
Apply the appropriate patch for your system, as listed in the latest Microsoft Security Bulletin. See References.
— OR —
Use Microsoft Automatic Update if it is supported by your operating system. The original bulletin issued by Microsoft has been superseded.
Microsoft Security Bulletin MS08-033
Vulnerabilities in DirectX Could Allow Remote Code Execution (951698)
http://www.microsoft.com/technet/security/Bulletin/MS08-033.mspx
ZDI-08-040
Microsoft DirectX SAMI File Format Name Parsing Stack Overflow Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-08-040/
NORTEL BULLETIN ID: 2008008891, Rev 1
Centrex IP Client Manager (CICM) response to Microsoft June security bulletin
http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&id=734247
NORTEL BULLETIN ID: 2008008897, Rev 1
Nortel Response to Microsoft Security Bulletin MS08-033
http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&id=734154
Microsoft Security Bulletin MS09-011
Vulnerability in Microsoft DirectShow Could Allow Remote Code Execution (961373)
http://www.microsoft.com/technet/security/bulletin/ms09-011.mspx
Microsoft Security Bulletin MS09-028
Vulnerabilities in Microsoft DirectShow Could Allow Remote Code Execution (971633)
http://www.microsoft.com/technet/security/bulletin/ms09-028.mspx
Microsoft Security Bulletin MS10-013
Vulnerability in Microsoft DirectShow Could Allow Remote Code Execution (977935)
http://www.microsoft.com/technet/security/bulletin/ms10-013.mspx
Microsoft Security Bulletin MS10-033
Vulnerabilities in Media Decompression Could Allow Remote Code Execution (979902)
http://www.microsoft.com/technet/security/bulletin/ms10-033.mspx
Microsoft Security Bulletin MS10-094
Vulnerability in Windows Media Encoder Could Allow Remote Code Execution (2447961)
http://www.microsoft.com/technet/security/bulletin/ms10-094.mspx
Microsoft Security Bulletin MS12-004
Vulnerabilities in Windows Media Could Allow Remote Code Execution (2636391)
http://www.microsoft.com/technet/security/bulletin/ms12-004.mspx
ISS X-Force
Microsoft Windows DirectX SAMI buffer overflow
http://www.iss.net/security_center/static/42674.php
CVE
CVE-2008-1444
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1444