MS-ISAC ADVISORY NUMBER:
2007-027 Updated

DATE(S) ISSUED:
12/11/2007 - Updated

SUBJECT:
Vulnerabilities in Microsoft DirectX Could Allow Remote Code Execution

OVERVIEW:
Vulnerabilities have been found in Microsoft DirectX, which handles audio and video media files in applications such as Windows Media Player. These vulnerabilities could allow an attacker to take complete control of an affected system. They can be exploited if a user visits a specially crafted web page or opens a maliciously crafted file. Successful exploitation will result in an attacker gaining the same user privileges as the logged-on user. If the user is logged in with administrator privileges, the attacker could then install programs; view, change, or delete data; or create new accounts with full privileges.

SYSTEMS AFFECTED:

  • DirectX 7.0 and DirectX 8.1 for Microsoft Windows 2000 Service Pack 4
  • DirectX 9.0c for Microsoft Windows 2000 Service Pack 4
  • DirectX 9.0c for Microsoft Windows XP Service Pack 2
  • DirectX 9.0c for Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2
  • DirectX 9.0c for Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2
  • DirectX 9.0c for Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems
  • DirectX 10.0 for Windows Vista
  • DirectX 10.0 for Windows Vista x64 Edition

RISK:
Government:

  • Large and medium government entities: High
  • Small government entities: High

Businesses:

  • Large and medium business entities: High
  • Small business entities: High

Home users: High

DESCRIPTION:
Vulnerabilities have been found in Microsoft DirectX that could allow an attacker to take complete control of the affected system.

Vulnerabilities exist in the way that DirectX handles streaming media files in formats such as WAV, AVI, and SAMI. Applications (e.g., Windows Media Player) that can stream media files using DirectX are also affected. These vulnerabilities could allow remote code execution if a user opens a maliciously crafted file from a web site, e-mail message, or e-mail attachment.

Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code on the system. If the user is logged in with administrator privileges, the attacker could then install programs; view, change, or delete data; or create new accounts with full privileges.

RECOMMENDATIONS:
We recommend the following actions be taken:

  • Apply appropriate patches provided by Microsoft to vulnerable systems immediately after appropriate testing.
  • Log on to your systems as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. Employ the principle of least privilege whenever possible.
  • Do not visit unknown or untrusted Web sites or click on links provided in an email.

REFERENCES:
Microsoft:
http://www.microsoft.com/technet/security/bulletin/ms07-064.mspx

SecurityFocus:
http://www.securityfocus.com/bid/26789

CVE:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3901
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3895


This cyber advisory was issued by the Multi-State Information Sharing and Analysis Center (MS-ISAC) and was intended for government entities. The information may or may not be applicable to the general public and accordingly, the MS-ISAC does not warrant its use for any specific purposes.