Windows Media Player (Q320920)
Date: 26 June 2002
Software: Windows Media Player
Impact: Three new vulnerabilities, the most serious of which could run
code of attacker's choice
Max Risk: Critical
Bulletin: MS02-032
Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS02-032.asp.
Issue:
This is a cumulative patch that includes the functionality of all
previously released patches for Windows Media Player 6.4, 7.1 and Windows
Media Player for Windows XP. In addition, it eliminates the following
three newly discovered vulnerabilities, one of which is rated as critical
severity, one of which is rated moderate severity, and the last of which
is rated low severity:
- An information disclosure vulnerability that could provide the means to
enable an attacker to run code on the user's system and is rated as
critical severity.
- A privilege elevation vulnerability that could enable an attacker who
can physically log on locally to a Windows 2000 machine and run a program
to obtain the same rights as the operating system.
- A script execution vulnerability that could run a script of an
attacker's choice as if the user had chosen to run it after playing a
specially formed media file and then viewing a specially constructed web
page. This particular vulnerability has specific timing requirements
that make attempts to exploit the vulnerability difficult and is rated as
low severity.
It also introduces a configuration change relating to file extensions
associated with Windows Media Player. Finally, it introduces a new,
optional, security configuration feature for users or organizations that
want to take extra precautions beyond applying IE patch MS02-023 and want
to disable scripting functionality in the Windows Media Player for
versions 7.x or higher.
Mitigating Factors:
Cache Path Disclosure via Windows Media Player:
- Customers who have applied MS02-023 are protected against attempts to
automatically exploit this issue through HTML email when they read
email in the Restricted Sites zone. Outlook 98 and Outlook 2000 with the
Outlook Email Security Update, Outlook 2002 and Outlook Express 6.0 all
read email in the Restricted Sites zone by default.
- The vulnerability does not affect media files opened from the local
machine. As a result of this, users who download and save files locally
are not affected by attempts to exploit this vulnerability.
Privilege Elevation through Windows Media Device Manager Service:
- This issue affects only Windows Media Player 7.1; it does not affect
Windows Media Player for Windows XP nor Windows Media Player 6.4.
- The vulnerability only affects Windows Media Player 7.1 when run on
Windows 2000; it does not impact systems that have no user security
model such as Windows 98 or Windows ME systems.
- This issue only affects console sessions; users who log on via terminal
sessions cannot exploit this vulnerability.
- An attacker must be able to load and run a program on the system.
Anything that prevents an attacker from loading or running a program could
protect against attempts to exploit this vulnerability.
Media Playback Script Invocation:
- A successful attack requires that a specific series of actions be
followed in exact order; otherwise the attack will fail.
Specifically:
- A user must play a specially formed media file from an attacker.
- After playing the file, the user must shut down Windows Media Player
without playing another file.
- The user must then view a web page constructed by the attacker.
Risk Rating of new vulnerabilities:
- Internet systems: Low
- Intranet systems: Low
- Client systems: Critical
Aggregate Risk Rating (including issues addressed in previously
released patches):
- Internet systems: Critical
- Intranet systems: Critical
- Client systems: Critical
Patch Availability:
- A patch is available to fix this vulnerability. Please read the Security
Bulletin at
http://www.microsoft.com/technet/security/bulletin/ms02-032.asp
for information on obtaining this patch.