
Microsoft Windows Media Player Vulnerabilities (CIAC M-096)

             __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                 Microsoft Windows Media Player Vulnerabilities
                     [Microsoft Security Bulletin MS02-032]

June 28, 2002 20:00 GMT                                           Number M-096
[Revised 24 July 2002]
______________________________________________________________________________
PROBLEM:       Three vulnerabilities exist in Windows Media Player.
               1) An information disclosure vulnerability that could provide
                  the means to enable an attacker to run code on the user's 
                  system. 
               2) A privilege elevation vulnerability that could enable an 
                  attacker who can physically logon locally to a Windows 2000 
                  machine and run a program to obtain the same rights as the 
                  operating system.
               3) A script execution vulnerability that could run a script of
                  an attacker's choice as if the user had chosen to run it,
                  after the user plays a specially formed media file and then
                  views a specially constructed web page.
SOFTWARE:      Microsoft Windows Media Player 6.4, 7.1, and XP
DAMAGE:        The first vulnerability may allow unauthorized disclosure of 
               information to an attacker, and allow the attacker to run code 
               of choice. The second vulnerability causes an escalation of 
               privileges if a malicious user has access to the local machine. 
               The third vulnerability could run a script of an attacker's 
               choice, but is difficult to exploit because the vulnerability 
               has specific timing requirements. 
SOLUTION:      Apply the cumulative patch as stated in Microsoft's security 
               bulletin. 
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. Only the privilege elevation requires an
ASSESSMENT:    attacker to log on locally; the first (information disclosure)
               vulnerability is reachable from a web page or HTML email, and the
               script execution vulnerability requires a specific sequence of
               user actions.
______________________________________________________________________________
LINKS: 
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/m-096.shtml 
 ORIGINAL BULLETIN:  http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms02-032.asp
______________________________________________________________________________

[***** Start Microsoft Security Bulletin MS02-032 *****]

Microsoft Security Bulletin MS02-032

26 June 2002 Cumulative Patch for Windows Media Player (Q320920)
Originally posted: June 26, 2002
Updated: July 24, 2002 (Version 2.0)

Summary
Who should read this bulletin: Customers using Microsoft® Windows Media™ 
Player 6.4, 7.1 or Windows Media Player for Windows XP.

Impact of vulnerability: Three new vulnerabilities, the most serious of which
could be used to run code of attacker's choice.

Maximum Severity Rating: Critical

Recommendation: Customers running affected products should apply the patch
immediately. Customers who are still running Windows Media Player 7.0 should upgrade
to Windows Media Player 7.1 first and then apply the patch immediately. 

Affected Software:

Microsoft Windows Media Player 6.4
Microsoft Windows Media Player 7.1
Microsoft Windows Media Player for Windows XP

Technical details
Technical description:

On June 26, 2002, Microsoft released the original version of this bulletin, which
described the patch it provided as being cumulative. We subsequently discovered that a
file had been inadvertently omitted from the patch. While the omission had no effect
on the effectiveness of the patch against the new vulnerabilities discussed below, it did
mean that the patch was not cumulative. Specifically, the original patch did not include
all of the fixes discussed in Microsoft Security Bulletin MS01-056. We have repackaged
the patch to include the file and are re-releasing it to ensure that it truly is cumulative.

If you applied the patch delivered in Microsoft Security Bulletin MS01-056 and the one
that was distributed with the original version of this bulletin, you're fully protected
against all known vulnerabilities in Windows Media Player and don't need to take any
action. Otherwise, we recommend that you apply the new version of the patch provided
below. 

The patch includes the functionality of all previously released patches for Windows
Media Player 6.4, 7.1 and Windows Media Player for Windows XP. In addition, it
eliminates the following three newly discovered vulnerabilities one of which is rated as
critical severity, one of which is rated moderate severity, and the last of which is rated
low severity: 

* An information disclosure vulnerability that could provide the means to enable
an attacker to run code on the user's system and is rated as critical severity.
* A privilege elevation vulnerability that could enable an attacker who can
physically logon locally to a Windows 2000 machine and run a program to obtain
the same rights as the operating system.
* A script execution vulnerability that could run a script of an attacker's
choice as if the user had chosen to run it, after the user plays a specially
formed media file and then views a specially constructed web page. This
vulnerability has specific timing requirements that make attempts to exploit
it difficult, and it is rated as low severity.

It also introduces a configuration change relating to file extensions associated
with Windows Media Player. Finally, it introduces a new, optional, security
configuration feature for users or organizations that want to take extra
precautions beyond applying IE patch MS02-023 and want to disable scripting
functionality in the Windows Media Player for versions 7.x or higher.

Mitigating factors: 

Cache Path Disclosure via Windows Media Player:

* Customers who have applied MS02-023 are protected against attempts to automatically
exploit this issue through HTML email when they read email in the Restricted Sites
zone. Outlook 98 and Outlook 2000 with the Outlook Email Security Update, Outlook
2002 and Outlook Express 6.0 all read email in the Restricted Sites zone by default.
* The vulnerability does not affect media files opened from the local machine. As a 
result of this, users who download and save files locally are not affected by
attempts to exploit this vulnerability.

Privilege Elevation through Windows Media Device Manager Service: 

* This issue affects only Windows Media Player 7.1; it does not affect Windows Media
Player for Windows XP or Windows Media Player 6.4.
* The vulnerability affects Windows Media Player 7.1 only when run on Windows 2000;
it does not affect systems that have no user security model, such as Windows 98 or
Windows ME.
* This issue only affects console sessions; users who logon via terminal sessions
cannot exploit this vulnerability.
* An attacker must be able to load and run a program on the system. Anything that
prevents an attacker from loading or running a program could protect against
attempts to exploit this vulnerability.

Media Playback Script Invocation: 

* A successful attack requires a specific series of actions to be followed in exact
order; otherwise the attack will fail. Specifically:
  * A user must play a specially formed media file from an attacker.
  * After playing the file, the user must shut down Windows Media Player without
    playing another file.
  * The user must then view a web page constructed by the attacker.

Severity Rating: 

Cache Path Disclosure via Windows Media Player:
                                        Internet Servers   Intranet Servers   Client Systems
Windows Media Player 6.4                Low                Low                Critical
Windows Media Player 7.1                Low                Low                Critical
Windows Media Player for Windows XP     Low                Low                Critical


Privilege Elevation through Windows Media Device Manager Service:
                                        Internet Servers   Intranet Servers   Client Systems
Windows Media Player 6.4                None               None               None
Windows Media Player 7.1 on
  Windows 2000                          Low                Low                Critical
Windows Media Player 7.1 on all
  other platforms                       None               None               None
Windows Media Player for Windows XP     None               None               None


Media Playback Script Invocation:
                                        Internet Servers   Intranet Servers   Client Systems
Windows Media Player 6.4                None               None               None
Windows Media Player 7.1                Low                Low                Low
Windows Media Player for Windows XP     None               None               None


Aggregate Severity of all issues included in this patch (including issues
addressed in previously released patches):
                                        Internet Servers   Intranet Servers   Client Systems
Windows Media Player 6.4                Critical           Critical           Critical
Windows Media Player 7.1                Critical           Critical           Critical
Windows Media Player for Windows XP     Low                Low                Critical

The above assessment is based on the types of systems affected by the vulnerability,
their typical deployment patterns, and the effect that exploiting the vulnerability
would have on them. The License Handling cache disclosure vulnerability could be
used to run code on the system as the user. The Privilege Elevation through
Windows Media Device Manager Service requires the ability to logon at the console:
terminal sessions are not affected. In addition, the attacker must be able to load
and run a program. The Media Playback Script Invocation vulnerability has specific
timing requirements that make an automated attack difficult to accomplish.

Vulnerability identifier:

* Cache Path Disclosure via Windows Media Player: CAN-2002-0372
* Privilege Elevation through Windows Media Device Manager Service: CAN-2002-0373
* Media Playback Script Invocation: CAN-2002-0615

Tested Versions:
Microsoft tested Windows Media Player 6.4, 7.1 and Windows Media Player for Windows
XP to assess whether they are affected by this vulnerability. Previous versions,
including 7.0, are no longer supported, and may or may not be affected by these
vulnerabilities. If they have not done so already, customers using Windows Media
Player 7.0 should install Windows Media Player 7.1 prior to installing this patch.

Patch availability
Download locations for this patch 
* Microsoft Windows Media Player 6.4:
  http://download.microsoft.com/download/winmediaplayer/Update/320920/W98NT42KMe/EN-US/wm320920_64.exe
* Microsoft Windows Media Player 7.1:
  http://download.microsoft.com/download/winmediaplayer/Update/320920/W982KMe/EN-US/wm320920_71.exe
* Microsoft Windows Media Player for Windows XP:
  http://download.microsoft.com/download/winmediaplayer/Update/320920/WXP/EN-US/wm320920_8.exe

Additional information about this patch

Installation platforms: 
The patch can be installed on any operating system running Windows Media
Player 6.4 or 7.1.
The patch for Windows Media Player for Windows XP can be installed on Windows
XP Gold.

Inclusion in future service packs:
The fixes for these issues will be in Windows XP SP1. 

Reboot needed: The patch only requires a reboot if Windows Media Player is running
at the time the patch is applied.

Superseded patches: MS01-056.

Verifying patch installation:

* To verify that the patch has been installed on the machine, confirm that the
following registry key has been created:
HKLM\SOFTWARE\Microsoft\Updates\Windows Media Player\wm320920
* To verify the individual files, use the patch manifest provided in Knowledge Base
article Q320920
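The verification step above, together with the bulletin's own conditions (Windows Media Player 7.0 must be upgraded to 7.1 before patching; the privilege elevation applies only to 7.1 on Windows 2000 console sessions; the script invocation is 7.1 only; version 1.0 of the package was not cumulative), folds into a small triage script. This is an added example and not code from CIAC or Microsoft. The wm320920 key, the package names and the per-issue conditions come from the bulletin; the Active Setup component GUID used to read the installed player version, and the version-string layouts (7.1 reporting itself as 7,10,...), are assumptions. On a non-Windows host the registry reader returns None and the script assesses a constructed sample instead.

```python
"""Triage helper for MS02-032 (Q320920); added example, not bulletin code."""
import platform
from dataclasses import dataclass, field
from typing import List, Optional

# From the bulletin: the patch installer creates this key under HKLM.
PATCH_KEY = r"SOFTWARE\Microsoft\Updates\Windows Media Player\wm320920"
# ASSUMPTION (not in the bulletin): Active Setup component whose "Version"
# value records the installed Windows Media Player build, e.g. "7,10,0,3059".
WMP_COMPONENT_KEY = (r"SOFTWARE\Microsoft\Active Setup\Installed Components"
                     r"\{6BF52A52-394A-11d3-B153-00C04F79FAA6}")
# Patch packages named in the bulletin, keyed by player family.
PACKAGES = {"6.4": "wm320920_64.exe", "7.1": "wm320920_71.exe", "XP": "wm320920_8.exe"}


def player_family(version: Optional[str]) -> Optional[str]:
    """Map a raw version string onto the bulletin's product lines.
    ASSUMED layouts: "6,4,9,1120" (6.4), "7,0,0,1956" (7.0), "7,10,0,3059"
    (7.1 reports itself as 7.10), "8,0,0,4477" (Player for Windows XP)."""
    if not version:
        return None
    parts = version.replace(".", ",").split(",")
    try:
        major = int(parts[0])
        minor = int(parts[1]) if len(parts) > 1 else 0
    except ValueError:
        return None
    if major == 6 and minor == 4:
        return "6.4"
    if major == 7:
        return "7.0" if minor == 0 else "7.1"
    if major == 8:
        return "XP"
    return None


@dataclass
class HostFacts:
    wmp_version: Optional[str]           # raw "Version" string, None if no player
    os_name: str                         # "Windows 2000", "Windows XP", "Windows 98", ...
    patch_key_present: bool              # HKLM\...\wm320920 exists
    console_logon_possible: bool = True  # untrusted users can log on at the console


@dataclass
class Assessment:
    family: Optional[str]
    package: Optional[str]
    action: str
    exposures: List[str] = field(default_factory=list)


def assess(facts: HostFacts) -> Assessment:
    """Apply the bulletin's conditions: which package, what to do, and which of
    CAN-2002-0372 / 0373 / 0615 still apply to this host."""
    fam = player_family(facts.wmp_version)
    if fam is None:
        return Assessment(None, None, "no affected player found; nothing to do")
    if fam == "7.0":  # unsupported: the bulletin says upgrade to 7.1, then patch
        return Assessment(fam, PACKAGES["7.1"],
                          "upgrade to Windows Media Player 7.1, then apply wm320920_71.exe")
    exposures: List[str] = []
    if facts.patch_key_present:
        # v1.0 of the package was not cumulative, so the key alone does not prove
        # the MS01-056 fixes are on disk; check the Q320920 file manifest.
        action = "wm320920 present; verify file versions against the Q320920 manifest"
    else:
        # Cache path disclosure: all three players, reachable from a web page or
        # HTML mail, Critical on client systems.
        exposures.append("CAN-2002-0372 cache path disclosure (code runs as the user)")
        if fam == "7.1":
            exposures.append("CAN-2002-0615 media playback script invocation (timing dependent)")
            # Privilege elevation: 7.1 on Windows 2000, console sessions only.
            if facts.os_name == "Windows 2000" and facts.console_logon_possible:
                exposures.append("CAN-2002-0373 privilege elevation via WMDM service")
        action = f"apply {PACKAGES[fam]} (reboot only if the player is running during install)"
    return Assessment(fam, PACKAGES[fam], action, exposures)


def collect_local_facts() -> Optional[HostFacts]:
    """Read the two registry locations on a Windows host; None elsewhere."""
    try:
        import winreg  # Windows only
    except ImportError:
        return None

    def key_exists(path: str) -> bool:
        try:
            winreg.CloseKey(winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path))
            return True
        except OSError:
            return False

    version = None
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WMP_COMPONENT_KEY) as key:
            version = winreg.QueryValueEx(key, "Version")[0]
    except OSError:
        pass
    return HostFacts(version, f"Windows {platform.release()}", key_exists(PATCH_KEY))


if __name__ == "__main__":
    # Constructed sample used off-Windows: 7.1 on Windows 2000, unpatched.
    result = assess(collect_local_facts() or HostFacts("7,10,0,3059", "Windows 2000", False))
    print(f"player {result.family}: {result.action}")
    for item in result.exposures:
        print(" -", item)
```

The decision logic is kept separate from the registry reader so it can be fed facts gathered by any other means (an inventory export, a remote registry query) and checked offline; a present wm320920 key is deliberately not treated as proof of full coverage, because the bulletin's own revision history shows the first package shipped without one of the MS01-056 files.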

Caveats:
None 

Localization:
Localized versions of this patch are under development. When completed, they will be
available at the locations discussed in "Obtaining other security patches".

Obtaining other security patches: 
Patches for other security issues are available from the following locations:

* Security patches are available from the Microsoft Download Center, and can be most
easily found by doing a keyword search for "security_patch".
* Patches for consumer platforms are available from the WindowsUpdate web site
* All patches available via WindowsUpdate also are available in a redistributable form
from the WindowsUpdate Corporate site.

Other information:

Acknowledgments
Microsoft thanks the following people for working with us to protect customers:

* jelmer for reporting the Cache Path Disclosure via Windows Media Player.
* The Research Team of Security Internals (www.securityinternals.com) for reporting
the Privilege Elevation through Windows Media Device Manager Service.
* Elias Levy, Chief Technical Officer, SecurityFocus (http://www.securityfocus.com/),
for reporting the Media Playback Script Invocation.

Support: 

* Microsoft Knowledge Base article Q320920 discusses this issue and will be available
approximately 24 hours after the release of this bulletin. Knowledge Base articles can
be found on the Microsoft Online Support web site.
* Technical support is available from Microsoft Product Support Services. There is no
charge for support calls associated with security patches.

Security Resources: The Microsoft TechNet Security Web Site provides additional
information about security in Microsoft products.

Disclaimer: 
The information provided in the Microsoft Knowledge Base is provided "as is" without
warranty of any kind. Microsoft disclaims all warranties, either express or implied,
including the warranties of merchantability and fitness for a particular purpose.
In no event shall Microsoft Corporation or its suppliers be liable for any damages
whatsoever including direct, indirect, incidental, consequential, loss of business
profits or special damages, even if Microsoft Corporation or its suppliers have been
advised of the possibility of such damages. Some states do not allow the exclusion
or limitation of liability for consequential or incidental damages so the foregoing
limitation may not apply.

Revisions: 

V1.0 (June 26, 2002): Bulletin Created. 
V2.0 (July 24, 2002): Bulletin revised to indicate a missing file from MS01-056 has 
      been included, and a correction to the aggregate severity table has been made. 

[***** End Microsoft Security Bulletin MS02-032 *****]

_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Microsoft Corporation for the 
information contained in this bulletin.
_______________________________________________________________________________


CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
   Anonymous FTP:       ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

M-086: Sun SEA SNMP Vulnerability
M-087: SGI IRIX rpc.passwd Vulnerability
M-088: MS Unchecked Buffer in Gopher Protocol Handler
M-089: MS Heap Overrun in HTR Chunked Encoding  Vulnerability
M-090: Microsoft Unchecked Buffer in RAS Phonebook Vulnerability
M-091: Microsoft Unchecked Buffer in SQLXML Vulnerability
M-092: Cisco Buffer Overflow in UNIX VPN Client
M-093: Apache HTTP Server Chunk Encoding Vulnerability
M-094: Microsoft SQL Server 2000 OpenDataSource Buffer Overflow
M-095: OpenSSH Challenge Response Vulnerabilities
