
Microsoft Windows Media Player Skins Flaw (CIAC N-092)

             __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                   Microsoft Windows Media Player Skins Flaw 
                     [Microsoft Security Bulletin MS03-017]

May 8, 2003 15:00 GMT                                             Number N-092
______________________________________________________________________________
PROBLEM:       Windows Media Player skins are custom overlays that consist of
               one or more files of computer art, organized by an XML file.
               A flaw exists in the way Windows Media Player 7.1 and Windows 
               Media Player for Windows XP handle the download of skin files. 
               The flaw means that an attacker could force a file masquerading 
               as a skin file into a known location on a user's machine. 
AFFECTED       Microsoft Windows Media Player 7.1
SOFTWARE:      Microsoft Windows Media Player for Windows XP (Version 8.0) 
DAMAGE:        This could allow an attacker to place a malicious executable on 
               the victim's system. 
SOLUTION:      Apply available patches. 
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. The victim would need to visit a website 
ASSESSMENT:    under the attacker's control or receive an HTML e-mail from the 
               attacker. Automatic exploitation by an HTML e-mail would be 
               blocked by Outlook Express 6.0 and Outlook 2000 in their 
               default configurations, and by Outlook 98 and 2000 if used in 
               conjunction with the Outlook Email Security Update. 
______________________________________________________________________________
LINKS: 
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/n-092.shtml 
 ORIGINAL BULLETIN:  http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-017.asp
 PATCHES:            http://microsoft.com/downloads/details.aspx?FamilyId=012F143A-77D1-4F6F-9338-5A6332614532&displaylang=en
                     http://microsoft.com/downloads/details.aspx?FamilyId=E311DF50-0633-4100-AB37-D7A68D51182F&displaylang=en
______________________________________________________________________________

[***** Start Microsoft Security Bulletin MS03-017 *****]

Microsoft Security Bulletin MS03-017   

Flaw in Windows Media Player Skins Downloading could allow Code Execution (817787)
Originally posted: May 7, 2003

Summary

Who should read this bulletin: Customers running Windows Media Player 7.1 and 
Windows Media Player for Windows XP (Version 8.0) 

Impact of vulnerability: Arbitrary code execution 

Maximum Severity Rating: Critical 

Recommendation: Customers running Windows Media Player 7.1 and Windows Media 
Player for Windows XP (Version 8) should apply the patch. 

Affected Software: 

Microsoft Windows Media Player 7.1 
Microsoft Windows Media Player for Windows XP (Version 8.0) 

 
Technical details

Technical description: 

Microsoft Windows Media Player provides functionality to change the overall 
appearance of the player itself through the use of "skins". Skins are custom 
overlays that consist of collections of one or more files of computer art, 
organized by an XML file. The XML file tells Windows Media Player how to use 
these files to display a skin as the user interface. In this manner, the user 
can choose from a variety of standard skins, each one providing an additional 
visual experience. Windows Media Player comes with several skins to choose 
from, but it is relatively easy to create and distribute custom skins. 

A flaw exists in the way Windows Media Player 7.1 and Windows Media Player for 
Windows XP handle the download of skin files. The flaw means that an attacker 
could force a file masquerading as a skin file into a known location on a user's 
machine. This could allow an attacker to place a malicious executable on the 
system. 

In order to exploit this flaw, an attacker would have to host a malicious web 
site that contained a web page designed to exploit this particular vulnerability 
and then persuade a user to visit that site; an attacker would have no way to 
force a user to the site. An attacker could also embed the link in an HTML 
e-mail and send it to the user. 

In the case of an e-mail borne attack, if the user was using Outlook Express 6.0 
or Outlook 2002 in their default configurations, or Outlook 98 or 2000 in 
conjunction with the Outlook Email Security Update, then an attack could not 
be automated and the user would still need to click on a URL sent in the e-mail. 
However if the user was not using Outlook Express 6.0 or Outlook 2002 in their 
default configurations, or Outlook 98 or 2000 in conjunction with the Outlook 
Email Security Update, the attacker could cause an attack that could both place, 
then launch the malicious executable without the user having to click on a URL 
contained in an e-mail. 

The attacker's code would run with the same privileges as the user: any 
restrictions on the user's ability to change the system would apply to the 
attacker's code. 


Mitigating factors: 

Windows Media Player 9 Series is not affected by this issue. 

By default, Outlook Express 6.0 and Outlook 2002 open HTML mails in the 
Restricted Sites Zone. In addition, Outlook 98 and 2000 open HTML mails in 
the Restricted Sites Zone if the Outlook Email Security Update has been 
installed. Customers who use any of these products would be at no risk from 
an e-mail borne attack that attempted to automatically exploit these 
vulnerabilities. 

The attacker would have no way to force users to visit a malicious web site. 
Instead, the attacker would need to lure them there, typically by getting them 
to click on a link that would take them to the attacker's site. 


Severity Rating: 
Windows Media Player 7.1             Critical 
Windows Media Player for Windows XP  Critical 

The above assessment is based on the types of systems affected by the 
vulnerability, their typical deployment patterns, and the effect that 
exploiting the vulnerability would have on them. 

Vulnerability identifier: CAN-2003-0228 

Tested Versions:
Microsoft tested Windows Media Player 7.1, Windows Media Player for Windows XP 
and Windows Media Player 9.0 Series to assess whether they are affected by this 
vulnerability. Previous versions are no longer supported, and may or may not be 
affected by these vulnerabilities.


Patch availability

Download locations for this patch 

Microsoft Windows Media Player 7.1: 
http://microsoft.com/downloads/details.aspx?FamilyId=012F143A-77D1-4F6F-9338-5A6332614532&displaylang=en 

Microsoft Windows Media Player for Windows XP (Version 8.0): 
http://microsoft.com/downloads/details.aspx?FamilyId=E311DF50-0633-4100-AB37-D7A68D51182F&displaylang=en 


Additional information about this patch

Installation platforms: 
This patch can be installed on systems running 

   Windows Media Player 7.1 on Win98, Win98SE, WinME, Win2k 
   Windows Media Player for XP, WinXP 

Inclusion in future service packs:
The fix for this issue will be included in Windows XP SP2. 

Reboot needed: Reboot is not needed, unless the user has Windows Media Player 
loaded in the background when installing the patch. 

Patch can be uninstalled: No 

Superseded patches: None 

Verifying patch installation: 

To verify that the patch has been installed on the machine, confirm that the 
following registry key has been created on the machine: 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows Media Player\wm817787 

To verify the individual files, use the date/time and version information 
provided in the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows Media Player\wm817787\FileList
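The following script is an added example, not part of the CIAC or Microsoft bulletin, that automates the verification step above on a Windows host: it confirms the wm817787 marker key exists and lists what the FileList subkey records. It assumes only the two registry paths quoted in the bulletin; the layout of the values under FileList is not documented here, so they are printed as-is, and a file version is shown only when a value happens to be a path to an existing file.

```powershell
# Added example: check for the MS03-017 patch marker described in the bulletin.
# Assumption: FileList holds registry values; their exact format is not documented
# on this page, so each value is reported verbatim.
$base = 'HKLM:\SOFTWARE\Microsoft\Updates\Windows Media Player\wm817787'

if (-not (Test-Path -LiteralPath $base)) {
    Write-Output "MS03-017 (wm817787) NOT installed: marker key missing"
    exit 1
}
Write-Output "MS03-017 (wm817787) marker key present"

$fileList = Join-Path $base 'FileList'
if (Test-Path -LiteralPath $fileList) {
    # Enumerate every value under FileList. If a value is a path to an existing
    # file, also show that file's version and timestamp so it can be compared
    # against the date/time and version information the patch recorded.
    $props = Get-ItemProperty -LiteralPath $fileList
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell provider metadata
        $line = "{0} = {1}" -f $p.Name, $p.Value
        if (($p.Value -is [string]) -and (Test-Path -LiteralPath $p.Value -PathType Leaf)) {
            $fi = Get-Item -LiteralPath $p.Value
            $line += " (on disk: v{0}, modified {1})" -f $fi.VersionInfo.FileVersion, $fi.LastWriteTime
        }
        Write-Output $line
    }
} else {
    Write-Output "FileList subkey not present; individual files cannot be verified"
}
exit 0
```

Run it from an elevated PowerShell prompt on each Windows Media Player 7.1 or 8.0 host; a non-zero exit code marks hosts still missing the patch.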

 
Caveats:
None 

Localization:
Localized versions of this patch are available at the locations discussed in 
"Patch Availability". 

Obtaining other security patches: 
Patches for other security issues are available from the following locations: 

Security patches are available from the Microsoft Download Center, and can be 
most easily found by doing a keyword search for "security_patch". 

Patches for consumer platforms are available from the WindowsUpdate web site 


Other information:
 
Acknowledgments
Microsoft thanks Jouko Pynnonen of Oy Online Solutions Ltd, Finland and Jelmer 
for reporting this issue to us and working with us to protect customers. 

Support: 

Microsoft Knowledge Base article 817787 discusses this issue and will be available 
approximately 24 hours after the release of this bulletin. Knowledge Base articles 
can be found on the Microsoft Online Support web site. 

Technical support is available from Microsoft Product Support Services. There is 
no charge for support calls associated with security patches.

Security Resources: The Microsoft TechNet Security Web Site provides additional 
information about security in Microsoft products. 

Disclaimer: 
The information provided in the Microsoft Knowledge Base is provided "as is" 
without warranty of any kind. Microsoft disclaims all warranties, either express 
or implied, including the warranties of merchantability and fitness for a 
particular purpose. In no event shall Microsoft Corporation or its suppliers be 
liable for any damages whatsoever including direct, indirect, incidental, 
consequential, loss of business profits or special damages, even if Microsoft 
Corporation or its suppliers have been advised of the possibility of such damages. 
Some states do not allow the exclusion or limitation of liability for 
consequential or incidental damages so the foregoing limitation may not apply. 

Revisions: 

V1.0 May 07, 2003: Bulletin Created. 

[***** End Microsoft Security Bulletin MS03-017 *****]

_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Microsoft for the 
information contained in this bulletin.
_______________________________________________________________________________


CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
   Anonymous FTP:       ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

N-082: Microsoft Cumulative Patch for Internet Explorer (IE)
N-083: Cisco Catalyst Enable Password Bypass Vulnerability
N-084: SGI nsd LDAP Implementation Vulnerability
N-085: Oracle Buffer Overflow in Net Services for Oracle Database Server
N-086: HP Tru64 UNIX Software Installation and Update Utilities Vulnerability
N-087: Microsoft Cumulative Patch for BizTalk Server
N-088: Hewlett-Packard rexec Command Security Vulnerability
N-089: Red Hat MySQL Vulnerabilities
N-090: Red Hat mod_auth_any Vulnerabilities
N-091: Sun Cobalt PHP SafeMode Vulnerability

