Microsoft recommends that the security patch listed in the bulletin be immediately installed on all affected systems that currently have DirectX installed.
DirectX is an API that provides multimedia support for Windows software. Exploiting this vulnerability allows an attacker to run arbitrary code on the user's computer. A specially crafted Musical Instrument Digital Interface (MIDI) file can be embedded in a Web site or an HTML e-mail.
When the site is visited or the e-mail is previewed or opened, the code carried in the MIDI file executes on the user's computer as DirectShow, the DirectX component that handles client-side audio and video sourcing, attempts to play the file. The vulnerability does not lie in Windows Media Player.
Microsoft lists the following systems as vulnerable:
- Microsoft DirectX 5.2 on Windows 98
- DirectX 6.1 on Windows 98 SE
- DirectX 7.0a on Windows Me
- DirectX 7.0 on Windows 2000
- DirectX 8.1 on Windows XP
- DirectX 8.1 on Windows Server 2003
- DirectX 9.0a on Windows Me
- DirectX 9.0a on Windows 2000
- DirectX 9.0a on Windows XP
- DirectX 9.0a on Windows Server 2003
- Windows NT 4.0 with Media Player 6.4 or IE 6 SP 1 installed
- Windows NT 4.0, Terminal Server Edition with Media Player 6.4 or IE 6 SP 1
You can learn which DirectX version is installed on a system by running the Dxdiag.exe diagnostic utility.
These may not be the only systems affected by this vulnerability, but they're the only ones still supported by Microsoft that are identified with the problem. You may also want to consider patching older, unsupported operating systems that are running DirectX.
This flaw can allow an attacker to run code on a vulnerable system. Microsoft has rated this flaw differently depending on the OS and DirectX environment. Here's the breakdown:
- DirectX 9.0a—Critical
- DirectX 9.0a installed on WS2K3—Important
- DirectX 8.1—Critical
- DirectX 8.1 installed on WS2K3—Important
- DirectX 7.0a on WinMe—Critical
- DirectX 7.0 on Win2K—Critical
- Media Player 6.4 or Internet Explorer 6 SP 1 installed on NT 4.0—Critical
- Media Player 6.4 or Internet Explorer 6 SP 1 installed on NT 4.0, Terminal Server Edition—Critical
You should assume that other configurations not listed above are Critical.
Any system that opens e-mails as plain text is protected, and any code from Web pages will execute only at the user's privilege level. The Microsoft bulletin emphasises that Windows Server 2003 systems are configured by default to open HTML e-mail as plain text, which is why that OS has just an Important rating.
The patch corrects the way DirectX validates MIDI file parameters. The patch can be uninstalled on some versions of DirectX, but not on most. If you have systems with DirectX installed, you should patch them as soon as possible. If DirectX is not needed, consider uninstalling it altogether.
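The bulletin's description of the attack path (a crafted MIDI file delivered through a Web page or HTML e-mail) and of the fix (stricter validation of MIDI file parameters) both come down to the same defensive idea: check a file's structural claims against the file you actually have before any parser acts on them. The following Python checker is an added example written for this article; it is not Microsoft's code and does not reproduce the specific DirectShow defect. It walks the Standard MIDI File chunk layout (an MThd header followed by MTrk chunks) and reports files whose declared chunk lengths, track counts or format fields are inconsistent with their contents, which is the kind of check a mail gateway or file-triage script can apply before a media component ever sees the file. The sample files at the bottom are constructed here for demonstration.

```python
import struct
from dataclasses import dataclass


@dataclass
class MidiCheck:
    """Result of a structural check: ok is True only when no issue was found."""
    ok: bool
    issues: list            # human-readable findings, empty when the file is clean
    ntrks_declared: int = 0 # track count claimed by the MThd header
    tracks_found: int = 0   # MTrk chunks actually present and in bounds


def validate_midi(data: bytes) -> MidiCheck:
    """Check that a Standard MIDI File's headers agree with its actual size.

    Every length field is compared against the bytes that remain, so a chunk
    that claims more data than the file holds is reported instead of trusted.
    """
    issues = []
    if len(data) < 14:                      # MThd id + length + 6 header bytes
        return MidiCheck(False, ["file shorter than a complete MThd header"])

    magic, hdr_len = struct.unpack(">4sI", data[:8])
    if magic != b"MThd":
        return MidiCheck(False, ["missing MThd signature"])
    if hdr_len < 6:
        return MidiCheck(False, [f"MThd length {hdr_len} is smaller than 6"])
    if 8 + hdr_len > len(data):
        return MidiCheck(False, [f"MThd length {hdr_len} exceeds file size"])

    fmt, ntrks, division = struct.unpack(">HHH", data[8:14])
    if fmt not in (0, 1, 2):
        issues.append(f"unknown MIDI format {fmt}")
    if ntrks == 0:
        issues.append("header declares zero tracks")
    if fmt == 0 and ntrks != 1:
        issues.append(f"format 0 requires exactly one track, header says {ntrks}")

    offset = 8 + hdr_len                    # skip any extra header bytes, per spec
    tracks_found = 0
    while offset < len(data):
        if offset + 8 > len(data):
            issues.append(f"truncated chunk header at offset {offset}")
            break
        cid, clen = struct.unpack(">4sI", data[offset:offset + 8])
        body_start = offset + 8
        remaining = len(data) - body_start
        if clen > remaining:                # the core bounds check
            issues.append(
                f"chunk {cid!r} at offset {offset} declares {clen} bytes "
                f"but only {remaining} remain")
            break
        if cid == b"MTrk":
            tracks_found += 1
            body = data[body_start:body_start + clen]
            if not body.endswith(b"\xff\x2f\x00"):   # End-of-Track meta event
                issues.append(f"track {tracks_found} lacks End-of-Track event")
        # Unknown chunk ids are skipped, as the SMF spec requires.
        offset = body_start + clen

    if tracks_found != ntrks:
        issues.append(f"header declares {ntrks} tracks, found {tracks_found}")
    return MidiCheck(not issues, issues, ntrks, tracks_found)


def _chunk(cid: bytes, body: bytes, declared_len=None) -> bytes:
    """Build a chunk; declared_len lets a sample lie about its own size."""
    n = len(body) if declared_len is None else declared_len
    return cid + struct.pack(">I", n) + body


# Constructed samples: one note on, one note off, End-of-Track.
TRACK_BODY = bytes.fromhex("00 90 3c 40 60 80 3c 40 00 ff 2f 00")
GOOD = _chunk(b"MThd", struct.pack(">HHH", 0, 1, 96)) + _chunk(b"MTrk", TRACK_BODY)
OVERSIZED = (_chunk(b"MThd", struct.pack(">HHH", 0, 1, 96))
             + _chunk(b"MTrk", TRACK_BODY, declared_len=0xFFFFFFF0))
COUNT_MISMATCH = _chunk(b"MThd", struct.pack(">HHH", 1, 8, 96)) + _chunk(b"MTrk", TRACK_BODY)

if __name__ == "__main__":
    for name, sample in [("good", GOOD), ("oversized", OVERSIZED),
                         ("count_mismatch", COUNT_MISMATCH), ("truncated", GOOD[:-4])]:
        result = validate_midi(sample)
        print(f"{name:15} ok={result.ok} issues={result.issues}")
```

The checker deliberately stops at the first chunk whose length cannot be satisfied rather than trying to recover, since a file that misstates its own size has already failed the only test that matters for triage. It is a structural filter, not a malware scanner: a file that passes is well-formed, not necessarily safe, so it complements rather than replaces applying the patch.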
©2003 TechRepublic, Inc.