Computer Security


Related information

  Microsoft Mediaplayer .ASX/.NSC/.ASF buffer overflow, .WMS code execution

  Windows mplay32 buffer overflow

  Security Bulletin MS01-056

  MS Windows Media Player ASF Marker Buffer Overflow

  Security Bulletin MS01-042

From: MICROSOFT <secure_(at)_microsoft.com>
Date: 27.06.2002
Subject: Security Bulletin MS02-032: 26 June 2002 Cumulative Patch for Windows Media Player (Q320920)

----------------------------------------------------------------------
Title:      26 June 2002 Cumulative Patch for Windows Media Player
           (Q320920)
Date:       26 June 2002
Software:   Windows Media Player
Impact:     Three new vulnerabilities, the most serious of which
           could run code of attacker's choice
Max Risk:   Critical
Bulletin:   MS02-032

Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS02-032.asp.
----------------------------------------------------------------------

Issue:
======
This is a cumulative patch that includes the functionality of
all previously released patches for Windows Media Player 6.4, 7.1
and Windows Media Player for Windows XP. In addition, it eliminates
the following three newly discovered vulnerabilities, one of which
is rated as critical severity, one of which is rated as moderate
severity, and the last of which is rated as low severity:

- An information disclosure vulnerability that could provide
  the means to enable an attacker to run code on the user's
  system and is rated as critical severity.

- A privilege elevation vulnerability that could enable an attacker
  who can physically log on locally to a Windows 2000 machine and run
  a program to obtain the same rights as the operating system.

- A script execution vulnerability that could run a script
  of an attacker's choice as if the user had chosen to run it after
  playing a specially formed media file and then viewing a specially
  constructed web page. This particular vulnerability has specific
  timing requirements that make attempts to exploit the vulnerability
  difficult and is rated as low severity.

It also introduces a configuration change relating to file extensions
associated with Windows Media Player. Finally, it introduces a new,
optional, security configuration feature for users or organizations
that want to take extra precautions beyond applying IE patch MS02-023
and want to disable scripting functionality in the
Windows Media Player for versions 7.x or higher.

Mitigating Factors:
====================
Cache Path Disclosure via Windows Media Player:

- Customers who have applied MS02-023 are protected against
  attempts to automatically exploit this issue through HTML email
  when they read email in the Restricted Sites zone. Outlook 98 and
  Outlook 2000 with the Outlook Email Security Update, Outlook 2002
  and Outlook Express 6.0 all read email in the Restricted Sites
  zone by default.

- The vulnerability does not affect media files opened from the
  local machine. As a result of this, users who download and save
  files locally are not affected by attempts to exploit this
  vulnerability.

Privilege Elevation through Windows Media Device Manager Service:

- This issue affects only Windows Media Player 7.1; it does not
  affect Windows Media Player for Windows XP or Windows
  Media Player 6.4.

- The vulnerability only affects Windows Media Player 7.1 when run
  on Windows 2000; it does not impact systems that have no user
  security model, such as Windows 98 or Windows ME systems.

- This issue only affects console sessions; users who log on via
  terminal sessions cannot exploit this vulnerability.

- An attacker must be able to load and run a program on the system.
  Anything that prevents an attacker from loading or running a
  program could protect against attempts to exploit this
  vulnerability.

Media Playback Script Invocation:

- A successful attack requires that a specific series of actions
  be followed in exact order; otherwise the attack will fail.
  Specifically:
   - A user must play a specially formed media file from an
     attacker.
   - After playing the file, the user must shut down
     Windows Media Player without playing another file.
   - The user must then view a web page constructed by the
     attacker.

Risk Rating of new vulnerabilities:
===================================
- Internet systems: Low
- Intranet systems: Low
- Client systems: Critical

Aggregate Risk Rating (including issues addressed in
previously released patches):
- Internet systems: Critical
- Intranet systems: Critical
- Client systems: Critical

Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read the
  Security Bulletin at
  http://www.microsoft.com/technet/security/bulletin/ms02-032.asp
  for information on obtaining this patch.

Acknowledgment:
===============
- jelmer for reporting the Cache Path Disclosure via Windows
  Media Player.

- The Research Team of Security Internals
  (www.securityinternals.com) for reporting Privilege
  Elevation through Windows Media Device Manager Service.

- Elias Levy, Chief Technical Officer, SecurityFocus
  (http://www.securityfocus.com/), for reporting the
  Media Playback Script Invocation.

---------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS
ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE
FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES
SO THE FOREGOING LIMITATION MAY NOT APPLY.
