Security-Alerts mailing list archive (security-alerts@yandex-team.ru)


[security-alerts] FW: [SA28010] Microsoft DirectX SAMI/WAV/AVI File Parsing Vulnerabilities



>
> TITLE:
> Microsoft DirectX SAMI/WAV/AVI File Parsing Vulnerabilities
>
> SECUNIA ADVISORY ID:
> SA28010
>
> VERIFY ADVISORY:
> http://secunia.com/advisories/28010/
>
> CRITICAL:
> Highly critical
>
> IMPACT:
> System access
>
> WHERE:
> From remote
>
> OPERATING SYSTEM:
> Microsoft Windows 2000 Server
> http://secunia.com/product/20/
> Microsoft Windows 2000 Professional
> http://secunia.com/product/1/
> Microsoft Windows 2000 Datacenter Server
> http://secunia.com/product/1177/
> Microsoft Windows 2000 Advanced Server
> http://secunia.com/product/21/
> Microsoft Windows Server 2003 Datacenter Edition
> http://secunia.com/product/1175/
> Microsoft Windows Server 2003 Enterprise Edition
> http://secunia.com/product/1174/
> Microsoft Windows Server 2003 Standard Edition
> http://secunia.com/product/1173/
> Microsoft Windows Server 2003 Web Edition
> http://secunia.com/product/1176/
> Microsoft Windows Storage Server 2003
> http://secunia.com/product/12399/
> Microsoft Windows Vista
> http://secunia.com/product/13223/
> Microsoft Windows XP Home Edition
> http://secunia.com/product/16/
> Microsoft Windows XP Professional
> http://secunia.com/product/22/
>
> SOFTWARE:
> Microsoft DirectX 10.x
> http://secunia.com/product/16896/
> Microsoft DirectX 7.x
> http://secunia.com/product/1913/
> Microsoft DirectX 8.x
> http://secunia.com/product/1914/
> Microsoft DirectX 9.x
> http://secunia.com/product/1915/
>
> DESCRIPTION:
> Two vulnerabilities have been reported in Microsoft DirectX, which
> can be exploited by malicious people to compromise a user's system.
>
> 1) An error within the DirectShow technology when parsing SAMI
> (Synchronized Accessible Media Interchange) files can be exploited to
> execute arbitrary code on a user's system when a specially crafted
> file is opened.
>
> The vulnerability has been reported in DirectX 7.0 and 8.1 and later
> versions are not affected.
>
> 2) An error within the DirectShow technology when parsing AVI and WAV
> files can be exploited to execute arbitrary code on a user's system
> when e.g. visiting a malicious website.
>
> The vulnerability has been reported in DirectX 7.0 through 10.0.
>
> SOLUTION:
> Apply patches.
>
> Windows 2000 SP4 with DirectX 7.0:
> http://www.microsoft.com/downloads/details.aspx?FamilyId=06196774-5a11-4525-b53c-8cb000738949
>
> Windows 2000 SP4 with DirectX 8.1:
> http://www.microsoft.com/downloads/details.aspx?FamilyId=ccb872bd-fc06-4a3f-ac70-3c9a42d57b37
>
> Windows 2000 SP4 with DirectX 9.0c:
> http://www.microsoft.com/downloads/details.aspx?FamilyId=03b14ce0-5189-4803-8151-6ac5cb6a9179
>
> Windows XP SP2 with DirectX 9.0c:
> http://www.microsoft.com/downloads/details.aspx?FamilyId=04a8f8d3-69f9-4445-baab-f45616a6b9b7
>
> Windows XP Professional x64 Edition (optionally with SP2) with
> DirectX 9.0c:
> http://www.microsoft.com/downloads/details.aspx?FamilyId=f096c500-e765-4e75-8443-7ffec4ddf149
>
> Windows Server 2003 SP1/SP2 with DirectX 9.0c:
> http://www.microsoft.com/downloads/details.aspx?FamilyId=d80a295a-baf9-4981-8a28-1b4207ecc5f7
>
> Windows Server 2003 x64 Edition (optionally with SP2) with DirectX
> 9.0c:
> http://www.microsoft.com/downloads/details.aspx?FamilyId=378086ea-60b8-409f-970a-fcfd62025150
>
> Windows Server 2003 with SP1/SP2 for Itanium-based systems with
> DirectX 9.0c:
> http://www.microsoft.com/downloads/details.aspx?FamilyId=2e6ea4bb-9f4f-46fb-9d51-e20b15e61a89
>
> Windows Vista with DirectX 10.0:
> http://www.microsoft.com/downloads/details.aspx?FamilyId=bfa571bc-e43f-45e3-bc98-4086985c99aa
>
> Windows Vista x64 Edition with DirectX 10.0:
> http://www.microsoft.com/downloads/details.aspx?FamilyId=3d8803da-108b-4b9d-a039-84932dce8e42
>
> PROVIDED AND/OR DISCOVERED BY:
> 1) The vendor credits Jun Mao, VeriSign iDefense Labs.
> 2) The vendor credits Peter Winter-Smith, NGSSoftware.
>
> ORIGINAL ADVISORY:
> MS07-064 (KB941568):
> http://www.microsoft.com/technet/security/Bulletin/MS07-064.mspx
>



 




Copyright © Lexa Software, 1996-2009.