(Microsoft Releases Fix) Re: Microsoft Windows Media Player ASX Processing Vulnerability Lets Remote Users Execute Arbitrary Code on the Player's Host System
SecurityTracker Alert ID: 1001601|
SecurityTracker URL: http://securitytracker.com/id/1001601
(Links to External Site)
Date: May 24 2001
Execution of arbitrary code via network|
Fix Available: Yes Vendor Confirmed: Yes |
Version(s): 6.4, possibly others|
It is reported that the Windows Media Player contains a vulnerability in its processing of certain ASX tags that allows a remote user to cause the Media Player client to execute arbitrary code on the client's host.|
It is reported that the processing of the HREF attribute of the BANNER tag contains a buffer overflow that can be used to smash the stack. The vulnerability reportedly exists in certain versions of DXMASF.DLL. This allows a remote user to create a malicious ASX file and deliver it to the intended victim via a web page or via an HTML-based e-mail message.
The Source Message contains some additional information as well as an encoded version of a demonstration exploit ASX file.
A remote user can cause the Media Player to execute arbitrary code on the Media Player's host.|
The vendor has released a fix. See the Vendor URL or the Source Message for additional information.|
Vendor URL: www.microsoft.com/technet/security/bulletin/MS01-029.asp (Links to External Site)
|Underlying OS: Windows (Me), Windows (NT), Windows (95), Windows (98), Windows (2000)|
This archive entry is a follow-up to the message listed below.|
Source Message Contents
Subject: Microsoft Security Bulletin MS01-029|
The following is a Security Bulletin from the Microsoft Product Security
Please do not reply to this message, as it was sent from an unattended
-----BEGIN PGP SIGNED MESSAGE-----
Title: Windows Media Player .ASX Processor Contains Unchecked
Date: 23 May 2001
Software: Windows Media Player 6.4 and 7
Impact: Potentially run code of attacker's choice.
Microsoft encourages customers to review the Security Bulletin at:
This bulletin discusses two security vulnerabilities that are related
to each other only by the fact that they affect Windows Media Player.
We packaged them in a single patch for customers using Windows Media
Player 6.4 to make it more convenient for customers to apply. For
customers using Windows Media Player 7, both security vulnerabilities
are addressed by upgrading to Windows Media Player 7.1.
The two vulnerabilities are:
- A buffer overrun in the functionality used to process Active
Redirector (.ASX) files. This vulnerability is a variant of the
overrun vulnerability identified in Microsoft Security Bulletin
(MS00-090). Windows Media Player supports the use of .ASX files to
enable users to play streaming media that resides on intranet or
Internet sites and allows the use of playlists. However, the code
that parses .ASX files has an unchecked buffer, and this could
potentially enable a malicious user to run code of her choice on the
machine of another user. The attacker could either send an affected
file to another user and entice him to run or preview it, or she
host such a file on a web site and cause it to launch automatically
whenever a user visited the site. The code could take any action on
the machine that the legitimate user himself could take.
- A vulnerability affecting how Windows Media Player handles
shortcuts. Windows Media Player has a flaw that causes it to save
Internet shortcuts to the user's Temporary Files folder with a fixed
known filename. This results in a security vulnerability because it's
possible for HTML code to be stored in such a shortcut and launched
a web page or HTML e-mail, in which case the code would run in the
Local Computer Zone rather than the Internet Zone. An attacker could
exploit this vulnerability to read - but not add, delete or modify -
files on another user's computer.
- In addition, this patch provides a solution to a potential privacy
vulnerability that was recently identified. This issue could be
exploited by a malicious set of web sites to distinguish a user.
this issue would not by itself enable a web site to identify the
it could enable the correlation of user information to potentially
build a composite description of the user. .Users can protect
themselves by installing the above patch or upgrading to Windows
Player 7.1, then changing the appropriate settings in their player as
outlined below to prevent sets of websites from potentially profiling
using Windows Media Player.
- In Windows Media Player 6.4, the privacy setting is selected via a
new option, which can be reached by going to the menu item View /
Options then selecting the player tab and de-selecting "Allow
sites to uniquely identify your player".
- In Windows Media Player 7.1, the privacy setting is toggled via
existing option under the tools menu, on the player tab and deselect
the option "Allow Internet sites to uniquely identify your player".
Although we typically do not discuss privacy issues in security
bulletins, the privacy issue in this case is eliminated by applying
patch and then selecting the new user settings as described above. We
have provided this information because the best way to make the
update available to customers was by including it in this patch, and
because we wanted to provide users who installed the patch with
information about how to use the new privacy settings.
Buffer overrun vulnerability:
- The attacker would need the ability to entice the user into either
visiting a web site she controlled, or opening an HTML e-mail she had
- The attacker would need to know the specific operating system that
the user was running in order to tailor the attack code properly; if
the attacker made an incorrect guess about the user's operating
platform, the attack would crash the user's application, but not run
code of the attacker's choice.
Internet shortcut vulnerability:
- On Windows NT 4.0 and Windows 2000 systems, the location of the
Temporary Files folder varies from user to user. In order to exploit
the vulnerability on these systems, the attacker would need to know
exact location of the Temporary Files folder on the specific system
wished to attack.
- The attacker would need to know the exact name of each file she
wished to read.
- The attacker could only view file types that can be opened in a
browser window. These include.txt, .jpg, .gif, or .htm , but not file
types such as .exe, .doc, and .xls.
- There is no capability to add, delete or changes files via this
- A patch is available to fix this vulnerability. Please read the
for information on obtaining this patch.
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED
"AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL
WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT
MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES
WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL,
OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION
OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH
SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR
CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY
-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.3
-----END PGP SIGNATURE-----
You have received this e-mail bulletin as a result of your registration
to the Microsoft Product Security Notification Service. You may
unsubscribe from this e-mail notification service at any time by sending
an e-mail to MICROSOFT_SECURITY-SIGNOFF-REQUEST@ANNOUNCE.MICROSOFT.COM
The subject line and message body are not used in processing the request,
and can be anything you like.
To verify the digital signature on this bulletin, please download our PGP
key at http://www.microsoft.com/technet/security/notify.asp.
For more information on the Microsoft Security Notification Service
please visit http://www.microsoft.com/technet/security/notify.asp. For
security-related information about Microsoft products, please visit the
Microsoft Security Advisor web site at http://www.microsoft.com/security.
Go to the Top of This SecurityTracker Archive Page