Windows Media Player May Let Remote Users Execute Code on a Target User's Computer or Let Local Users Gain Elevated Privileges
SecurityTracker Alert ID: 1004638
SecurityTracker URL: http://securitytracker.com/id/1004638
CVE-2002-0372, CVE-2002-0373, CVE-2002-0374
Date: Jun 27 2002
Disclosure of system information, Execution of arbitrary code via local system, Execution of arbitrary code via network, Root access via local system, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 6.4, 7.1, XP
Microsoft reported several vulnerabilities in Windows Media Player. A remote user could execute arbitrary programs or arbitrary scripting code on the user's computer. Also, a local user can execute arbitrary code on the system with System level privileges.
Microsoft described several new vulnerabilities in Windows Media Player. These issues are discussed separately below.
First, an information disclosure vulnerability involving the Internet Explorer (IE) Cache directories could allow a remote user to run code on a target user's computer. The code would run with the privileges of the user running Windows Media Player.
This bug is reportedly caused by the player's processing of certain types of licenses for secure media files when the media file is stored in the IE cache. A remote user can supply a certain type of secure Windows Media file (using WM DRM version 1.0) to the user such that, when the file is opened, the media player will incorrectly return information to the server that discloses the location of the IE cache while it is processing the request to the web site specified for handling the licensing information.
A remote user could learn the location of the IE cache on the target user's local file system and, separately, cause an executable program to be stored in the cache (by sending the user HTML-based e-mail or getting the user to visit a particular web page). The remote user could then directly access (and execute) the stored executable.
In certain configurations, it is reportedly possible for an HTML email to attempt to play a media file automatically, allowing an exploit to occur when the target user views or previews a malicious e-mail message.
Second, a local authenticated user could execute arbitrary commands with System level privileges to take full control of the operating system. The bug reportedly exists in the Windows Media Device Manager (WMDM) Service processing of requests to access invalid local storage devices. WMDM is a component of Windows Media Player and is only used in Windows 2000. So, this flaw reportedly only affects Windows Media Player 7.1 on Windows 2000 systems.
A local user may be able to provide a specially crafted request to connect to an invalid device to gain access to a local resource and execute any local program with LocalSystem privileges.
According to Microsoft, a console session is required to exploit this privilege escalation flaw.
Lastly, a remote user could supply and invoke an HTML script on a target user's computer. The script could take any actions acting as the target user.
The flaw is reportedly due to the storage of the Windows Media active playlist information on the local system in a known location. Playlists typically have a '.asx' extension and are XML-based (and can include HTML script). So, a remote user can exploit this to store and then invoke HTML script in the Local Computer security zone.
A remote user can create a specially formatted media file (that includes a malicious playlist). If this playlist is in the memory when the Windows Media Player is exited (on the target user's computer), the player will write the playlist to a known location on the target user's computer. The remote user can then create a malicious web page that, when subsequently viewed by the target user, will cause the playlist to be executed. The HTML script in the playlist will then run on the target user's computer in the Local Computer zone.
According to the security bulletin, this bug requires several specific, ordered exploit steps:
1) The target user plays a specially crafted media file supplied by the remote user.
2) The target user shuts down the media player after playing the file and before playing any other files.
3) The target user views a web page supplied by the remote user.
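A defender-side check for the playlist issue described above, added here as an example and not taken from the bulletin or from SecurityTracker: it scans `.asx` files for script-bearing markup. The indicator patterns, function names and sample playlists are assumptions, since the bulletin does not describe the markup involved or name the location the player writes to.

```python
import re
from pathlib import Path

# Heuristic indicators of active content. These patterns are assumptions made
# for this example; the bulletin does not describe the playlist markup used.
INDICATORS = {
    "script element": re.compile(r"<\s*script\b", re.I),
    "script-scheme URL": re.compile(r"""=\s*["']?\s*(?:javascript|vbscript)\s*:""", re.I),
    "inline event handler": re.compile(r"""\son\w+\s*=\s*["']""", re.I),
}

def decode(raw: bytes) -> str:
    """Playlists may be saved as UTF-16 with a BOM or as 8-bit text."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16", errors="replace")
    return raw.decode("utf-8", errors="replace")

def scan_asx(raw: bytes) -> list[tuple[int, str]]:
    """Return (line number, indicator) pairs for one playlist's bytes."""
    # Regexes rather than an XML parser: they tolerate mixed-case tags and
    # files that are not well-formed XML.
    hits = []
    for lineno, line in enumerate(decode(raw).splitlines(), 1):
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                hits.append((lineno, name))
    return hits

def scan_tree(root: str) -> dict[str, list[tuple[int, str]]]:
    """Scan every *.asx file under root; only files with hits are returned."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() == ".asx":
            hits = scan_asx(path.read_bytes())
            if hits:
                report[str(path)] = hits
    return report

# Constructed samples (not from the bulletin, not an exploit reproduction):
# a plain playlist and one carrying inert placeholder script markup.
CLEAN = b'<ASX version="3.0">\n<Entry><Ref href="http://media.example/a.wma"/></Entry>\n</ASX>\n'
SUSPECT = ('<asx version="3.0">\n<entry><ref HREF="javascript:void(0)"/></entry>\n'
           '<SCRIPT>/* placeholder */</SCRIPT>\n</asx>\n').encode("utf-16")

if __name__ == "__main__":
    print(scan_asx(CLEAN), scan_asx(SUSPECT))
```

Point `scan_tree` at user profile and temporary directories on unpatched hosts; a hit is a lead for review, not proof of compromise.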
Microsoft credits jelmer for reporting the Cache Patch Disclosure bug, the Research Team of Security Internals for reporting the Privilege Elevation via Windows Media Device Manager Service issue, and Elias Levy for reporting the Media Playback Script Invocation bug.
A remote user can cause arbitrary code or arbitrary scripts to be executed on the target user's computer.
A local user can execute commands with System privileges to gain full control of the operating system.
The vendor has released patches.
For Microsoft Windows Media Player 6.4:
For Microsoft Windows Media Player 7.1:
For Microsoft Windows Media Player for Windows XP:
The patches for 6.4 and 7.1 can reportedly be installed on any operating system running Windows Media Player 6.4 or 7.1. The patch for Windows Media Player for Windows XP can be installed on Windows XP Gold.
Microsoft plans to include the fix in Windows XP SP1.
This patch supersedes the patches referenced in Microsoft's previous security bulletin MS01-056.
Microsoft plans to issue Knowledge Base article Q320920 regarding this issue, to be available shortly at the Microsoft Online Support web site:
Vendor URL: www.microsoft.com/technet/security/bulletin/MS02-032.asp
Access control error, Configuration error, Input validation error
Underlying OS: Windows (Any)
Source Message Contents
Subject: Microsoft Security Bulletin MS02-032: 26 June 2002 Cumulative Patch for Windows Media Player (Q320920)
-----BEGIN PGP SIGNED MESSAGE-----
Title: 26 June 2002 Cumulative Patch for Windows Media Player
Date: 26 June 2002
Software: Windows Media Player
Impact: Three new vulnerabilities, the most serious of which
could run code of attacker's choice
Max Risk: Critical
Microsoft encourages customers to review the Security Bulletin at:
This is a cumulative patch that includes the functionality of
all previously released patches for Windows Media Player 6.4, 7.1
and Windows Media Player for Windows XP. In addition, it eliminates
the following three newly discovered vulnerabilities one of which
is rated as critical severity, one of which is rated moderate
severity, and the last of which is rated low severity:
- An information disclosure vulnerability that could provide
the means to enable an attacker to run code on the user's
system and is rated as critical severity.
- A privilege elevation vulnerability that could enable an attacker
who can physically logon locally to a Windows 2000 machine and run
a program to obtain the same rights as the operating system.
- A script execution vulnerability related that could run a script
of an attacker's choice as if the user had chosen to run it after
playing a specially formed media file and then viewing a specially
constructed web page. This particular vulnerability has specific
timing requirements that makes attempts to exploit vulnerability
difficult and is rated as low severity.
It also introduces a configuration change relating to file extensions
associated with Windows Media Player. Finally, it introduces a new,
optional, security configuration feature for users or organizations
that want to take extra precautions beyond applying IE patch MS02-023
and want to disable scripting functionality in the
Windows Media Player for versions 7.x or higher.
Cache Patch Disclosure via Windows Media Player
- Customers who have applied MS02-023 are protected against
attempts to automatically exploit this issue through HTML email
when they read email in the Restricted Sites zone. Outlook 98 and
Outlook 2000 with the Outlook Email Security Update, Outlook 2002
and Outlook Express 6.0 all read email in the Restricted Sites
zone by default.
- The vulnerability does not affect media files opened from the
local machine. As a result of this, users who download and save
files locally are not affected by attempts to exploit this
Privilege Elevation through Windows Media Device Manager Service:
- This issue affects only Windows Media Player 7.1; it does not
affect Windows Media Player for Windows XP nor Windows
Media Player 6.4.
- The vulnerability only affects Windows Media Player 7.1 when run
on Windows 2000, it does not impact systems that have no user
security model such as Windows 98 or Windows ME systems.
- This issue only affects console sessions; users who logon via
terminal sessions cannot exploit this vulnerability.
- An attacker must be able to load and run a program on the system.
Anything that prevents an attacker from loading or running a
program could protect against attempts to exploit this
Media Playback Script Invocation:
- A successful attack requires a specific series of actions
follows in exact order, otherwise the attack will fail.
- A user must play a specially formed media file from an
- After playing the file, the user must shut down
Windows Media Player without playing another file.
- The user must then view a web page constructed by the
Risk Rating of new vulnerabilities:
- Internet systems: Low
- Intranet systems: Low
- Client systems: Critical
Aggregate Risk Rating (including issues addressed in
previously released patches):
- Internet systems: Critical
- Intranet systems: Critical
- Client systems: Critical
- A patch is available to fix this vulnerability. Please read the
Security Bulletin at
for information on obtaining this patch.
- jelmer for reporting the Cache Patch Disclosure via Windows
- The Research Team of Security Internals
(www.securityinternals.com) for reporting Privilege
Elevation through Windows Media Device Manager Service:
- Elias Levy, Chief Technical Officer, SecurityFocus
(http://www.securityfocus.com/), for reporting the
Media Playback Script Invocation.
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS
WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
IN NO EVENT
SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY
WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL,
BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR
SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME
NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL
INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1
-----END PGP SIGNATURE-----