Title

Multiple Remote Code Execution Vulnerabilities in Microsoft Windows Media (Cat II impact)

Discussion

Microsoft has released a security bulletin addressing multiple vulnerabilities in Windows Media. To exploit these vulnerabilities, an attacker would entice a user to access a malicious MIDI file sent via email or hosted on a web site. If successfully exploited, these vulnerabilities would allow an attacker to execute arbitrary code and compromise the affected system. At this time, there are no known exploits associated with these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents. MIDI Remote Code Execution Vulnerability - (CVE-2012-0003): A remote code execution vulnerability exists in Windows Media Player. The vulnerability is caused when Windows Media Player fails to handle a specially crafted MIDI file. An attacker could exploit this vulnerability by constructing a specially crafted MIDI file that could allow remote code execution when played using Windows Media Player. An attacker who successfully exploited this vulnerability could take complete control of an affected system. DirectShow Remote Code Execution Vulnerability - (CVE-2012-0004): A remote code execution vulnerability exists in the way that Windows handles media files. The vulnerability is caused when filters in DirectShow do not properly handle specially crafted media files.

Check Content

See IAVM notice and vendor bulletin for additional information. Microsoft Bulletin MS12-004 (2598479) Vulnerable Applications/Systems: Windows Multimedia Library Windows XP SP3 Windows XP Media Center Edition SP3 Windows XP Professional x64 Edition SP2 Windows Server 2003 SP2 (x86, x64, and Itanium) Windows Vista SP2 (x86 and x64) Windows Server 2008 and Windows Server 2008 SP2 (x86*, x64*, and Itanium) DirectShow Windows XP SP3 Windows XP Media Center Edition SP3 [1] Windows XP Professional x64 Edition SP2 Windows Server 2003 SP2 (x86, x64, and Itanium) Windows Vista SP2 (x86 and x64) Windows Server 2008 and Windows Server 2008 SP2 (x86**, x64**, and Itanium) Windows 7 and Windows 7 SP1 (x86 and x64) Windows Server 2008 R2 and Windows Server 2008 R2 SP1 (x64** and Itanium) *Server Core installation not affected. **Server Core installation not affected. [1]This update is the same update as the DirectShow update for Windows XP Service Pack 3 (KB2631813). Verify that the patch has been installed by checking that the following sample file is at the version indicated or later. See the vendor bulletin for additional information and any Vulnerable Systems/Applications not listed below. Windows Multimedia Library Mstvcapn.dll Windows XP Media Center Edition - 5.1.2715.5512 Mciseq.dll Windows XP SP3 – 5.1.2600.6160 Windows XP SP2 x64 – 5.2.3790.4916 Windows Server 2003 SP2 – 5.2.3790.4916 Windows Vista SP2 / 2008 SP2 – 6.0.6002.18528 or 22726 DirectShow Qdvd.dll Windows XP SP3 – 6.5.2600.6169 Windows XP SP2 x64 – 6.5.3790.4928 Windows Server 2003 SP2 – 6.5.3790.4928 Windows Vista SP2 / 2008 SP2 – 6.6.6002.18533 or 22732 Windows 7 / 2008 R2 – 6.6.7600.16905 or 21077 Windows 7 / 2008 R2 SP1 – 6.6.7601.17713 or 21847

Fix Text

Additional Identifiers

Rule ID:

Vulnerability ID: V-31000

Group Title:

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.