HighProventia Network IPS, Proventia Desktop, RealSecure Network, RealSecure Server Sensor, Proventia Network MFS, Proventia-G 1.1 and earlier, Proventia Network IDS, IBM Security Server Protection for Windows, Virtual Server Protection for Vmware, Proventia Server IPS for Linux technology:
This event detects an AVI video that will cause an integer overflow in MS DirectShow media-file handling. A remote attacker could provide a specially crafted file to exploit this vulnerability and execute code provided by the attacker on the victim's computer.
High
Proventia Network IPS: XPU 30.020, Proventia Desktop: 2480, RealSecure Network: XPU 30.020, RealSecure Server Sensor: XPU 30.020, Proventia Network MFS: XPU 30.020, Proventia-G 1.1 and earlier: XPU 30.020, Proventia Network IDS: XPU 30.020, IBM Security Server Protection for Windows: 2.1.14.2480, IBM Security Server Protection for Windows: 2.0.300.2480, Virtual Server Protection for Vmware: XPU 30.020, Proventia Server IPS for Linux technology: 30.020
Microsoft Windows 2000: SP4, Microsoft Windows XP: SP2, Microsoft Windows Vista, Microsoft Windows Server 2003: SP2, Microsoft Windows Server 2003: SP2 Itanium, Microsoft Windows Server 2003: SP2 x64, Microsoft Windows Vista: x64, Microsoft Windows XP: SP2 x64 Professional, Microsoft Windows Vista: SP1, Microsoft Windows Vista: SP1 x64, Microsoft Windows Server 2008: Itanium, Microsoft Windows Server 2008: x32, Microsoft Windows Server 2008: x64, Microsoft Windows XP: SP3, Microsoft Windows Vista: SP2 x64, Microsoft Windows Vista: SP2, Microsoft Windows Server 2008: SP2 x32, Microsoft Windows Server 2008: SP2 x64, Microsoft Windows 7: x64, Microsoft Windows 7: x32, Microsoft Windows Server 2008: R2 x64, Microsoft Windows Server 2008: R2 Itanium, Microsoft Windows Server 2008: SP2 Itanium, Microsoft AVI Filter, Microsoft Quartz
Unauthorized Access Attempt
Microsoft DirectShow is vulnerable to a heap-based buffer overflow, caused by improper bounds checking when parsing malicious AVI files. By persuading a victim to open a specially-crafted AVI file, a remote attacker could exploit this vulnerability to overflow a buffer and execute arbitrary code on the system with elevated privileges or cause the affected application to crash.
Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS10-013. See References.
Microsoft Security Bulletin MS10-013
Vulnerability in Microsoft DirectShow Could Allow Remote Code Execution (977935)
http://www.microsoft.com/technet/security/bulletin/ms10-013.mspx
ZDI-10-015
Microsoft Windows RLE Video Decompressor Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-015/
ISS X-Force
Microsoft DirectShow AVI file buffer overflow
http://www.iss.net/security_center/static/55929.php
CVE
CVE-2010-0250
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0250