SecurityTracker.com

SecurityTracker
Archives


 


Category:   Application (Multimedia)  >   Windows Media Player
Vendors:   Microsoft
Microsoft Windows Media Player Access Control Flaw Lets Remote Users View, Modify, and Delete Media Library Metadata
SecurityTracker Alert ID:  1007057
SecurityTracker URL:  http://securitytracker.com/id/1007057
CVE Reference:   CVE-2003-0348
Date:  Jun 25 2003
Impact:   Disclosure of system information, Disclosure of user information, Modification of user information
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 9
Description:   An access control vulnerability was reported in an ActiveX control included in Windows Media Player. A remote user may be able to view and manipulate metadata in the target user's media library.

It is reported that a remote user can create HTML that, when loaded by the target user, will invoke the vulnerable ActiveX control. The remote user can then view metadata contained in the target user's media library, according to the report. The remote user can reportedly delete or rename metadata entries in the Media Library (but not the actual media files themselves) and may be able to ascertain the user name of the target user by viewing the directory paths to the media files. Metadata entries may include the name of an artist, a media track, a CD name, a genre of media, and other related information.

Versions prior to 9 are reportedly not affected.

Microsoft credits Jelmer with reporting this flaw.

Impact:   A remote user can view, edit, and delete the contents of Media Library metadata on the target user's computer.
Solution:   The vendor has released the following fix:

Windows Media Player 9 Series:

http://microsoft.com/downloads/details.aspx?FamilyId=36814221-8194-4492-BB29-94DB3D4CB682&displaylang=en

Windows Media Player 9 Series on Windows Server 2003:

http://microsoft.com/downloads/details.aspx?FamilyId=82CD6192-15D8-4E28-9B14-F9B78FF01D8A&displaylang=en

The patch can be installed on Windows 98, Windows 98SE, Windows Me, Windows 2000 SP2, SP3, and SP4, Windows XP and Windows XP SP1, and Windows Server 2003.

Microsoft plans to include this fix in Windows 2000 SP5, Windows XP SP2, and Windows Server 2003 SP1.

A reboot is not required after installing this patch.

Microsoft plans to issue Knowledge Base article 819639 regarding this issue, to be available shortly at:

http://support.microsoft.com/default.aspx?scid=kb;en-us;819639

Vendor URL:  www.microsoft.com/technet/security/bulletin/MS03-021.asp
Cause:   Access control error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  MS03-021 Flaw In Windows Media Player May Allow Media Library Access


http://www.microsoft.com/technet/security/bulletin/MS03-021.asp

CVE: CAN-2003-0348

Version 9

Flaw In Windows Media Player May Allow Media Library Access (819639)

Maximum Severity Rating: Moderate

Microsoft issued Security Bulletin MS03-021 warning of a flaw in an ActiveX control 
included in Windows Media Player version 9.  A remote user may be able to view and 
manipulate metadata in the target user's media library.

It is reported that a remote user can create HTML that, when loaded by the target user, 
will invoke the vulnerable ActiveX control.  The remote user can then view metadata 
contained in the target user's media library, according to the report. The remote user 
can reportedly delete or rename metadata entries in the Media Library (but not the actual 
media files themselves) and may be able to ascertain the user name of the target user by 
viewing the directory paths to the media files.  Metadata entries may include the name of 
an artist, a media track, a CD name, a genre of media, and other related information.

Versions prior to 9 are reportedly not affected.

Microsoft credits Jelmer with reporting this flaw.


Windows Media Player 9 Series:

http://microsoft.com/downloads/details.aspx?FamilyId=36814221-8194-4492-BB29-94DB3D4CB682&displaylang=en

Windows Media Player 9 Series on Windows Server 2003:

http://microsoft.com/downloads/details.aspx?FamilyId=82CD6192-15D8-4E28-9B14-F9B78FF01D8A&displaylang=en

The patch can be installed on Windows 98, Windows 98SE, Windows Me, Windows 2000 SP2, SP3, 
and SP4, Windows XP and Windows XP SP1, and Windows Server 2003.

Microsoft plans to include this fix in Windows 2000 SP5, Windows XP SP2, and Windows 
Server 2003 SP1.

A reboot is not required after installing this patch.

Microsoft plans to issue Knowledge Base article 819639 regarding this issue, to be 
available shortly at:

http://support.microsoft.com/default.aspx?scid=kb;en-us;819639




 
 



Copyright 2021, SecurityGlobal.net LLC