Date: 20 November 2001
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2001.490 -- Microsoft Security Bulletin MS01-056
Windows Media Player .ASF Processor Contains Unchecked Buffer
20 November 2001
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Windows Media Player 6.4
Windows Media Player 7
Windows Media Player 7.1
Vendor: Microsoft
Operating System: Windows
Impact: Execute Arbitrary Code/Commands
Access Required: Existing Account
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
- - ----------------------------------------------------------------------
Title: Windows Media Player .ASF Processor Contains Unchecked
Buffer
Date: 20 November 2001
Software: Windows Media Player
Impact: Run code of attacker's choice
Max Risk: Critical
Bulletin: MS01-056
Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS01-056.asp.
- - ----------------------------------------------------------------------
Issue:
======
One of the streaming media formats supported by Windows Media
Player is Advanced Streaming Format (ASF). A security vulnerability
occurs in Windows Media Player 6.4 because the code that processes
ASF files contains an unchecked buffer.
By creating a specially malformed ASF file and inducing a user to
play it, an attacker could overrun the buffer, with either of two
results: in the simplest case, Windows Media Player 6.4 would fail;
in the more complex case, code chosen by the attacker could be made
to run on the user's computer, with the privileges of the user.
The scope of this vulnerability is rather limited. It affects only
Windows Media Player 6.4, and can only be exploited by the user
opening and deliberately playing an ASF file. There is no
capability to exploit this vulnerability via email or a web page.
However, the patch eliminates additional vulnerabilities.
Specifically, it eliminates all known vulnerabilities affecting
Windows Media Player 6.4 - discussed in Microsoft Security
Bulletins MS00-090, MS01-029, and MS01-042 - as well as some
additional variants of these vulnerabilities that were discovered
internally by Microsoft. Some of these vulnerabilities could be
exploited via email or a web page. In addition, some affect
components of Windows Media Player 6.4 that, for purposes of
backward compatibility, ship with Windows Media Player 7, and
7.1. We therefore recommend that customers running any of these
versions of Windows Media Player apply the patch to ensure that
they are fully protected against all known vulnerabilities.
Windows Media Player for Windows XP includes components of
Windows Media Player 6.4, but they are not affected by the ASF
buffer overrun or by any of the other vulnerabilities discussed
in the security bulletins listed above. However, the version 6.4
components that ship with Windows Media Player for Windows XP are
affected by some of the newly discovered variants of these
vulnerabilities. Rather than installing this patch, however, we
recommend that customers install the 25 October 2001 Critical
Update for Windows XP.
Mitigating Factors:
====================
- Windows Media Player runs in the security context of the user,
rather than as a system component. At best, an attacker could
gain the privileges of the user on the system. Systems
configured in accordance with the least privilege principal
would be at less risk from this vulnerability.
- The vulnerability could only be exploited if the user opened
and played an affected ASF file.
- The attacker would need to know the specific operating system
that the user was running in order to tailor the attack code
properly; if the attacker made an incorrect guess about the user's
operating system platform, the attack would crash the user's
Windows Media Player session, but not run code of the attacker's
choice.
Risk Rating:
============
- Internet systems: Critical
- Intranet systems: Critical
- Client systems: Critical
Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read the
Security Bulletin at
http://www.microsoft.com/technet/security/bulletin/ms01-056.asp
for information on obtaining this patch.
- - ---------------------------------------------------------------------
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS
ALL
WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
IN NO EVENT
SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY
DAMAGES
WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL,
LOSS OF
BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR
ITS
SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME
STATES DO
NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL
OR
INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.
- -----BEGIN PGP SIGNATURE-----
Version: PGP 7.1
iQEVAwUBO/mvQY0ZSRQxA/UrAQFx9wgArkc5gTwjgy5aS2aZuC27gmPq527gEQ2A
ii7sfFeO+EpoABxRpJK/Tauwr5EMh+tfHdrZQttkv4Wnbd8QyI6yfY0l79xxBwAE
Md6h4OdUx3yCIZSbN69ZCUusUKidwqzl7VbWI+9Tdsm4QHhP4VrL5/C5ZbuxPXQ9
2gbFYtLTxPNSvtONiStQbSnFSTQdsdsytN4YpGLqdtmkBHTTbjXRp6mmk1DmUMD2
BR7+Saf2knoSMW6SKYZRgEV0UQleom0qDWltGUDuxs2eSUFmpL9Hn3t+GlyYhtbO
S4lc9z5vqA3NGb0oeG2NyI2SspwEckoTtxf2gdyOZIe7OtLNtno9pg==
=uEWm
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/Information/advisories.html
If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for emergencies.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key
iQCVAwUBO/pmQSh9+71yA2DNAQHVmAP9GleUvoNi5DHI6N9ze6lHiMgl6Mv48EYC
7qAI2eOeX3SAjXVsSKIQp7GXG8SOzEisD7fKveJ3mCvyHau7MHQ3QdyQIctELdEh
KZBC8JauItE1qQWNO7okAunwt1GnhGScSuI2iB20TwZ7md8FMZjMyc4W4Wx8ZyrM
GWoSesMYN+A=
=rAaR
-----END PGP SIGNATURE-----
|