Home

Multiple Microsoft DirectShow Remote Code Execution Vulnerabilities

Notification Type:	IBM Internet Security Systems Protection Alert
Notification Date:	Dec. 11, 2007
Notification Version:	1.0

Name:	Multiple Microsoft DirectShow Remote Code Execution Vulnerabilities
Public disclosure/ In the wild date:	Dec. 11, 2007 (vuln disclosure)
CVE:	CVE-2007-3901 and CVE-2007-3895
Description:	Two vulnerabilities in Microsoft DirectShow could allow remote code execution. By creating a malicious file and enticing a user to click a link or open a file, an attacker could remotely execute unauthorized code with the privileges of the user.

ISS Coverage

Product	Content Version
Network Sensor 7.0 Proventia A Proventia IPS (G/GX) Server Sensor 7.0 Proventia Multifunction Appliance Proventia Server (Linux)	27.120
Proventia Server (Windows) Proventia Desktop	x.x.x.2130
BlackICE PC Protection 3.6	CQS

Propagation Techniques	ISS Protection	Available
remote exploit	SAMI_DirectShow_Overflow RIFF_WAV_DirectShow_Overflow	Dec 11, 2007 Dec 11, 2007

Detailed Description

Business Impact:	Microsoft DirectShow is a software interface used by most Windows-based applications, such as Microsoft Media Player, that manage multimedia files. Although this vulnerability may require some user interaction, a successful exploit would result in remote code execution and possibly complete compromise of the system. The widespread nature of Microsoft DirectShow coupled with the impact of the vulnerability means this issue should be considered highly critical.
CVSS for XFIDs 38721 and 38722:	Base Score:		9.3
		Access Vector:	Network
		Access Complexity:
		Authentication:	None
		Confidentiality Impact:	Complete
		Integrity Impact:	Complete
		Availability Impact:	Complete

	Adjusted Temporal Score:		6.9
		Exploitability:	Unproven
		Remediation Level:	Official-Fix
		Report Confidence:	Confirmed
Affected Products:	For a full list of affected versions, see references below.
Technical Description:	Vulnerabilities in Microsoft DirectShow could allow a remote attacker to execute arbitrary code on the system when specially-crafted parameters in a Synchronized Accessible Media Interchange (SAMI) file (XFID 38721), .WAV file (XFID 38722), or .AVI file (XFID 38722) are parsed. An attacker could exploit this vulnerability by persuading a victim to open a malicious file in an email or click a link to a web page that loads the file.
Remediation:	Patches are available for this issue. See References for details.

References

XFDB	http://xforce.iss.net/xforce/xfdb/38721 http://xforce.iss.net/xforce/xfdb/38722

Microsoft:	http://www.microsoft.com/technet/security/Bulletin/MS07-064.mspx

Revision History

1.0	Initial publication.

About IBM Internet Security Systems
IBM Internet Security Systems is the trusted security advisor to thousands of the world's leading businesses and governments, providing pre-emptive protection for networks, desktops and servers. An established leader in security since 1994, the IBM Proventia® integrated security platform is designed to automatically protect against both known and unknown threats, helping to keep networks up and running and shielding customers from online attacks before they impact business assets. IBM Internet Security Systems products and services are based on the proactive security intelligence of its X-Force® research and development team – the unequivocal world authority in vulnerability and threat research. The Internet Security Systems product line is also complemented by comprehensive Managed Security Services and Professional Security Services. For more information, visit the Internet Security Systems Web site at www.iss.net or call 800-776-2362.