Multiple Buffer Overruns in Microsoft DirectX

Reported July 23, 2003, by Microsoft.




  • Microsoft DirectX 9.0a on Windows Server 2003, Windows XP, Windows 2000, and Windows Me

  • Microsoft DirectX 8.1 on Windows 2003 and XP

  • Microsoft DirectX 7.0 on Windows 2000

  • Microsoft DirectX 7.0a on Windows Me

  • Microsoft DirectX 6.1 on Windows 98 Second Edition (Win98SE)

  • Microsoft DirectX 5.2 on Win98

  • Windows NT 4.0 with Windows Media Player (WMP) 6.4 or Internet Explorer (IE) 6.0 Service Pack 1 (SP1)

  • Windows NT Server 4.0, Terminal Server Edition (WTS) with WMP 6.4 or IE 6.0 SP1




Two buffer-overrun vulnerabilities in Microsoft DirectX can result in the execution of arbitrary code on the vulnerable computer. This vulnerability stems from a pair of flaws in all versions of quartz.dll, which lets Windows applications play MIDI music through a common interface. An attacker can construct a malicious .mid file and configure it to play automatically whenever a victim attempts to view certain HTML, such as an attacker-controlled Web site, resulting in the compromise of the victim's machine. For detailed information about this vulnerability, see the discoverer's Web site.




Microsoft has released Security Bulletin MS03-030, "Unchecked Buffer in DirectX Could Enable System Compromise (819696)," to address this vulnerability and recommends that affected users immediately apply the patch mentioned in the bulletin.



Discovered by eEye Digital Security.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.