MS issues patch for Win Media Player 6.4, 7.0 and 7.1 vulnerability
Windows Media Player provides support for audio and video streaming. Streaming media channels can be configured by using Windows Media Station (.NSC) files. An unchecked buffer exists in the functionality used to process Windows Media Station files.
This unchecked buffer could potentially allow an attacker to run code of his choice on the machine of another user. The attacker could either send a specially malformed file to another user and entice her to run or preview it, or he could host such a file on a web site and cause it to launch automatically whenever a user visited the site. The code could take any action on the machine that the legitimate user himself could take...
Originally posted: July 26, 2001
Summary
Who should read this bulletin: Customers using Microsoft® Windows Media™ Player 6.4, 7, or 7.1.
Impact of vulnerability: Run code of attacker's choice.
Recommendation:
- Windows Media Player 6.4 customers should either install the patch or upgrade to Windows Media Player 7.1 and then install the patch.
- Windows Media Player 7.0 customers should upgrade to Windows Media Player 7.1 and install the patch.
- Windows Media Player 7.1 customers should apply the patch.
Affected Software:
- Microsoft Windows Media Player 6.4
- Microsoft Windows Media Player 7
- Microsoft Windows Media Player 7.1
Technical details
Technical description:
Windows Media Player provides support for audio and video streaming. Streaming media channels can be configured by using Windows Media Station (.NSC) files. An unchecked buffer exists in the functionality used to process Windows Media Station files. This unchecked buffer could potentially allow an attacker to run code of his choice on the machine of another user. The attacker could either send a specially malformed file to another user and entice her to run or preview it, or he could host such a file on a web site and cause it to launch automatically whenever a user visited the site. The code could take any action on the machine that the legitimate user himself could take.
Mitigating factors:
- Customers who have applied the Outlook E-mail Security Update (OESU) for Outlook 2000 or are running Outlook XP, which has the OESU functionality built in, are automatically protected against HTML e-mail-based attempts to exploit this vulnerability.
- For others not in the above categories, the attacker would have to entice the potential victim to visit a web site he controlled, or to open an HTML e-mail he had sent.
- The attacker would need to know the specific operating system that the user was running in order to tailor the attack code properly; if the attacker made an incorrect guess about the user's operating system platform, the attack would crash the user's Windows Media Player session, but not run code of the attacker's choice.
Vulnerability identifier: CAN-2001-0541
Tested Versions:
Microsoft tested Windows Media Player 6.4, Windows Media Player 7 and Windows Media Player 7.1 to assess whether they are affected by this vulnerability. Previous versions are no longer supported and may or may not be affected by this vulnerability.
Frequently asked questions
What's the scope of the vulnerability?
This is a buffer overrun vulnerability. It could enable an attacker to run code of his choice on the machine of another user if he was able to convince the user to visit a web site he controlled or to open a specially crafted HTML e-mail. The program would be capable of taking any action on the user's machine that the user herself could take, including adding, creating or deleting files, communicating with web sites or potentially even reformatting the hard drive.
What causes the vulnerability?
The vulnerability results because there is an unchecked buffer in a section of Windows Media Player that handles .NSC files. By including a particular type of malformed entry in a .NSC file, an attacker could cause code of his choice to execute when a user played the file.
What's a .NSC file?
Windows Media Station files (.NSC) were first introduced in NetShow 2.0 as NetShow Channels. In Windows Media Player, .NSC files are called Windows Media Station Files. .NSC files are essentially playlists that contain information to allow Windows Media Player to connect to and play streaming media. Windows Media Player uses Windows Media Station (.nsc) files to get the information it needs to receive multicast content over the Internet. These files can contain information such as stream location and rollover URL, as well as descriptive information about the station. Where standard streaming multimedia sends a single media stream to a single recipient, multicasting allows a single media stream to be received by more than one person, much like a television or radio broadcast. .NSC files contain the information necessary to allow multimedia multicast streams to be processed correctly by Windows Media.
What's wrong with how Windows Media Player handles .NSC files?
One of the routines that reads data from .NSC files into a buffer doesn't perform proper input validation. As a result, it would be possible for an attacker to craft a specially formed .NSC file that overruns the buffer and alters the code path that the running Windows Media Player process executes.
What could this enable an attacker to do?
When it runs, Windows Media Player runs in the security context of the currently-logged-on user. If an attacker were to successfully exploit this vulnerability, the malicious code could then do anything on the machine that the current user could do. This means that the actions an attacker could take will depend a great deal on what privileges the user has on the system when they run the attacker's code.
- If the victim had only limited privileges on the machine, the attacker's code would be similarly limited. However, in most cases even an unprivileged user could add, delete or change data files, run programs, send data to or receive data from a web site, and so forth, so the attacker's code could take these actions as well.
- If the victim had administrative privileges, the code could use these as well, and cause greater damage. However, if the least privilege principle has been observed, users will not have been given administrative privileges unless absolutely required.
How could an attacker maliciously exploit this vulnerability?
There are two likely scenarios in which an attacker might try to exploit this vulnerability.
- He could send an HTML e-mail that would launch the malicious .NSC file when opened. An attacker could target specific individuals with this approach.
- He could host an .NSC file on a web site and cause it to be launched automatically whenever someone visited the site. This approach would require that the attacker wait for potential victims to come to his site.
I'm using the Outlook E-mail Security Update, does this help protect me?
Customers who have deployed the Outlook E-Mail Security Update or who are using Outlook 2002 are protected from HTML e-mail-based attempts to exploit this vulnerability by the default security settings. The OESU and Outlook 2002 both set the Security Zone for HTML e-mail to the Restricted Sites Zone, which automatically disables ActiveX controls in HTML e-mail. This means that an HTML e-mail with a .NSC file embedded by a malicious user would not run in Outlook, rendering the attack harmless.
If the malicious user placed the .NSC file on a web site, would it run automatically in the browser?
When using Internet Explorer (IE), the default security settings for the Internet Zone make it possible for a web site to automatically open .NSC files when a user visits the web site. This is because ActiveX controls are enabled by default in the Internet Zone in IE. However, users can change the settings in the Internet Zone to disable ActiveX controls. If users make this change, then .NSC files will not launch automatically.
You said previously that the attacker would need to overrun the buffer with carefully-chosen data in order to run code of his choice. What would happen if he just overran it with random data?
If the buffer were overrun with random data, it would cause Windows Media Player to fail. This wouldn't pose a security problem, and the user could simply restart it and resume normal operation.
You said previously that the attacker would need to know the specific operating system that the user was running. Why is that?
To mount an effective attack exploiting this vulnerability, an attacker would need to know the potential victim's specific operating system so that he could tailor the malformed file appropriately for that platform. If the file is not fashioned appropriately for the user's platform, the attack would fail, causing Windows Media Player to crash, but not execute the attacker's code.
What does the patch do?
The patch eliminates the vulnerability by implementing proper input validation for .NSC files.
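The bug class this bulletin describes (an entry read from a .NSC file into a fixed-size buffer with no length check), the crash-versus-code-execution behaviour discussed in the two questions above, and the input validation the patch adds, shown as an added illustration in C. This is not Windows Media Player's code: the bulletin does not document the real .NSC layout or the vulnerable routine, so the "Name=value" line format, the 32-byte name buffer and the sentinel field after it are assumptions made for the example. The sentinel stands in for whatever sits past the real buffer (other fields, saved control data), which is why overrunning it with arbitrary bytes crashes the player while bytes chosen for one specific platform can redirect execution.

```c
/*
 * Added illustration, not Windows Media Player's code. Parses one assumed
 * "Name=<value>" entry of a simplified .NSC-style text file into a fixed
 * buffer, first without a length check (the bug class in the bulletin) and
 * then with one (the validation the patch describes).
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_BUF 32              /* assumed buffer size for the example */
#define SENTINEL 0xCAFEF00Du     /* marker for "memory past the buffer" */

/* Station record: the field after the name buffer stands in for whatever
 * lives past the real buffer in the real process. */
struct station {
    char name[NAME_BUF];
    unsigned int sentinel;       /* SENTINEL while intact */
};

/* Returns a pointer to the value if line is "Name=<value>", else NULL. */
static const char *name_value(const char *line)
{
    return strncmp(line, "Name=", 5) == 0 ? line + 5 : NULL;
}

/* Vulnerable: copies the value byte by byte with no length check.
 * A value of NAME_BUF bytes or more runs past st->name. */
int parse_name_unchecked(const char *line, struct station *st)
{
    const char *v = name_value(line);
    if (!v) return -1;
    char *d = st->name;
    while (*v) *d++ = *v++;      /* nothing stops this at NAME_BUF */
    *d = '\0';
    return 0;
}

/* Hardened: measures first, rejects over-long values, never writes past the buffer. */
int parse_name_checked(const char *line, struct station *st)
{
    const char *v = name_value(line);
    if (!v) return -1;
    size_t n = strlen(v);
    if (n >= NAME_BUF) return -2; /* malformed entry: reject rather than truncate */
    memcpy(st->name, v, n + 1);
    return 0;
}

/* Runs one parser over one line against a fresh heap record and reports
 * whether the sentinel past the name buffer survived (1 = clobbered). */
int sentinel_clobbered(int (*parse)(const char *, struct station *), const char *line)
{
    struct station *st = calloc(1, sizeof *st);
    if (!st) return -1;
    st->sentinel = SENTINEL;
    parse(line, st);
    int hit = st->sentinel != SENTINEL;
    free(st);
    return hit;
}

/* Result code of the hardened parser for one line. */
int checked_result(const char *line)
{
    struct station st = {{0}, SENTINEL};
    return parse_name_checked(line, &st);
}

/* 1 if the hardened parser accepted the line and stored exactly expect. */
int checked_name_equals(const char *line, const char *expect)
{
    struct station st = {{0}, SENTINEL};
    return parse_name_checked(line, &st) == 0 && strcmp(st.name, expect) == 0;
}

/* Constructed sample entries: a normal one and a malformed one whose 35-byte
 * value is sized to overwrite the sentinel but stay inside the record. */
const char *GOOD_LINE = "Name=Campus Radio";
const char *BAD_LINE  = "Name=" "AAAAA" "AAAAA" "AAAAA" "AAAAA" "AAAAA" "AAAAA" "AAAAA";

int main(void)
{
    printf("unchecked, good entry: sentinel clobbered = %d\n",
           sentinel_clobbered(parse_name_unchecked, GOOD_LINE));
    printf("unchecked, malformed:  sentinel clobbered = %d\n",
           sentinel_clobbered(parse_name_unchecked, BAD_LINE));
    printf("checked,   malformed:  sentinel clobbered = %d, result = %d\n",
           sentinel_clobbered(parse_name_checked, BAD_LINE), checked_result(BAD_LINE));
    return 0;
}
```

Build with any C99 compiler and run it: the unchecked parser overwrites the sentinel on the malformed entry, while the checked parser returns -2 and leaves the record untouched. The checked version measures the value before copying, which is the "proper input validation" the patch describes; rejecting the file outright is preferable to silently truncating, since a truncated station name is also not what the file's author wrote.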
Patch availability
Download locations for this patch
- Windows Media Player 6.4: The vulnerability can be eliminated by installing the patch or upgrading to Windows Media Player 7.1 and then installing the patch.
- Windows Media Player 7.0: The vulnerability can be eliminated by upgrading to Windows Media Player 7.1 and then installing the patch.
- Windows Media Player 7.1: The vulnerability can be eliminated by installing the patch.
Additional information about this patch
Installation platforms:
The patch can be installed on systems running Windows Media Player 6.4 and Windows Media Player 7.1. Customers running Windows Media Player 7 should upgrade to version 7.1 and then install the patch.
Inclusion in future service packs:
The fix for this issue will be included in the forthcoming Windows 2000 Service Pack 3.
Reboot needed: Yes
Superseded patches: None.
Verifying patch installation:
- To verify that the patch has been installed on the machine, confirm that the following registry key has been created:
HKLM\SOFTWARE\Microsoft\Updates\Windows Media Player\WMSU5536
Caveats:
None
Localization:
Localized versions of this patch are under development. When completed, they will be available at the locations discussed in "Obtaining other security patches".
Obtaining other security patches:
Patches for other security issues are available from the following locations:
- Security patches are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch".
- Patches for consumer platforms are available from the WindowsUpdate web site.
- All patches available via WindowsUpdate also are available in a redistributable form from the WindowsUpdate Corporate site.
Other information:
Support:
- Microsoft Knowledge Base article Q304404 discusses this issue and will be available approximately 24 hours after the release of this bulletin. Knowledge Base articles can be found on the Microsoft Online Support web site.
- Technical support is available from Microsoft Product Support Services. There is no charge for support calls associated with security patches.
Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.
Disclaimer:
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
Revisions:
- V1.0 July 26, 2001: Bulletin Created.