CVSS2: 9.3 High (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
EPSS: 0.973 High (Percentile: 99.9%)
Added: 02/06/2012
CVE: CVE-2012-0003
BID: 51292
OSVDB: 78210
Musical Instrument Digital Interface (MIDI) is an industry specification for encoding, storing, synchronizing, and transmitting the musical performance and control data of electronic musical instruments and other electronic equipment. Microsoft Windows supports the playback of MIDI files through the DirectShow and Windows Multimedia Libraries.
Microsoft DirectShow and Windows Multimedia Library improperly validate the channel field in MIDI files, leaving the libraries vulnerable to memory corruption. If an attacker successfully convinces a user to open a specially formatted MIDI file, the attacker could gain execution control of the user's system.
Apply the KB specified for your system in Microsoft Security Bulletin MS12-004.
<http://technet.microsoft.com/en-us/security/bulletin/ms12-004>
<http://threatpost.com/en_us/blogs/attackers-targeting-windows-media-bug-malware-012712>
This exploit has been tested against Microsoft Internet Explorer 8 with KB2618444 on Windows XP SP3 English (DEP OptIn) and Windows Vista SP2 (DEP OptIn), and Microsoft Internet Explorer 9 with KB2618444 on Windows Vista SP2 (DEP OptIn).
Windows XP
Windows Vista