ESB-2002.317 -- Microsoft Security Bulletin MS02-032 -- 26 June 2002 Cumulative Patch for Windows Media Player (Q320920)

Date: 28 June 2002
References: ESB-2002.362  

-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
             AUSCERT External Security Bulletin Redistribution

           ESB-2002.317 -- Microsoft Security Bulletin MS02-032
     26 June 2002 Cumulative Patch for Windows Media Player (Q320920)
                               28 June 2002

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:                Windows Media Player 6.4
                        Windows Media Player 7.1
                        Windows Media Player for Windows XP
Vendor:                 Microsoft
Operating System:       Windows
Impact:                 Execute Arbitrary Code/Commands
                        Administrator Compromise
Access Required:        Remote

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----

- - ----------------------------------------------------------------------
Title:      26 June 2002 Cumulative Patch for Windows Media Player
            (Q320920)
Date:       26 June 2002
Software:   Windows Media Player
Impact:     Three new vulnerabilities, the most serious of which 
            could run code of attacker's choice
Max Risk:   Critical
Bulletin:   MS02-032

Microsoft encourages customers to review the Security Bulletin at: 
http://www.microsoft.com/technet/security/bulletin/MS02-032.asp.
- - ----------------------------------------------------------------------

Issue:
======
This is a cumulative patch that includes the functionality of
all previously released patches for Windows Media Player 6.4, 7.1
and Windows Media Player for Windows XP. In addition, it eliminates
the following three newly discovered vulnerabilities, one of which
is rated as critical severity, one of which is rated moderate
severity, and the last of which is rated low severity: 

 - An information disclosure vulnerability that could provide
   the means to enable an attacker to run code on the user's
   system and is rated as critical severity. 

 - A privilege elevation vulnerability that could enable an attacker
   who can physically log on locally to a Windows 2000 machine and run
   a program to obtain the same rights as the operating system.
 
 - A script execution vulnerability that could run a script
   of an attacker's choice as if the user had chosen to run it after
   playing a specially formed media file and then viewing a specially
   constructed web page. This particular vulnerability has specific
   timing requirements that make attempts to exploit the vulnerability
   difficult and is rated as low severity. 

It also introduces a configuration change relating to file extensions
associated with Windows Media Player. Finally, it introduces a new,
optional, security configuration feature for users or organizations
that want to take extra precautions beyond applying IE patch MS02-023
and want to disable scripting functionality in the
Windows Media Player for versions 7.x or higher.

Mitigating Factors:
====================
Cache Patch Disclosure via Windows Media Player 

 - Customers who have applied MS02-023 are protected against
   attempts to automatically exploit this issue through HTML email
   when they read email in the Restricted Sites zone. Outlook 98 and
   Outlook 2000 with the Outlook Email Security Update, Outlook 2002
   and Outlook Express 6.0 all read email in the Restricted Sites
   zone by default. 

 - The vulnerability does not affect media files opened from the
   local machine. As a result of this, users who download and save
   files locally are not affected by attempts to exploit this
   vulnerability. 

Privilege Elevation through Windows Media Device Manager Service: 

 - This issue affects only Windows Media Player 7.1; it does not
   affect Windows Media Player for Windows XP or Windows
   Media Player 6.4. 

 - The vulnerability only affects Windows Media Player 7.1 when run
   on Windows 2000; it does not impact systems that have no user
   security model, such as Windows 98 or Windows ME systems.

 - This issue only affects console sessions; users who log on via
   terminal sessions cannot exploit this vulnerability. 

 - An attacker must be able to load and run a program on the system.
   Anything that prevents an attacker from loading or running a
   program could protect against attempts to exploit this
   vulnerability. 

Media Playback Script Invocation: 

 - A successful attack requires that a specific series of actions
   be followed in exact order; otherwise the attack will fail.
   Specifically: 
    - A user must play a specially formed media file from an
      attacker. 
    - After playing the file, the user must shut down
      Windows Media Player without playing another file. 
    - The user must then view a web page constructed by the
      attacker.

Risk Rating of new vulnerabilities:
===================================
 - Internet systems: Low
 - Intranet systems: Low
 - Client systems: Critical

Aggregate Risk Rating (including issues addressed in
previously released patches):
=============================
 - Internet systems: Critical
 - Intranet systems: Critical
 - Client systems: Critical

Patch Availability:
===================
 - A patch is available to fix this vulnerability. Please read the 
   Security Bulletin at
   http://www.microsoft.com/technet/security/bulletin/ms02-032.asp
   for information on obtaining this patch.

Acknowledgment:
===============
 - jelmer for reporting the Cache Patch Disclosure via Windows
   Media Player. 

 - The Research Team of Security Internals
   (www.securityinternals.com) for reporting Privilege
   Elevation through Windows Media Device Manager Service. 

 - Elias Levy, Chief Technical Officer, SecurityFocus
   (http://www.securityfocus.com/), for reporting the
   Media Playback Script Invocation.

- - ---------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED
"AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL
WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT
SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY
DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES
SO THE FOREGOING LIMITATION MAY NOT APPLY.


- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.  The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

	http://www.auscert.org.au/Information/advisories.html

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

Internet Email: auscert@auscert.org.au
Facsimile:	(07) 3365 7031
Telephone:	(07) 3365 4417 (International: +61 7 3365 4417)
		AusCERT personnel answer during Queensland business hours
		which are GMT+10:00 (AEST).
		On call after hours for member emergencies.
