Flaw in Windows Media Player Skins Downloading



Microsoft Windows Media Player provides functionality to change the overall appearance of the player itself through the use of "skins". Skins are custom overlays that consist of collections of one or more files of computer art, organized by an XML file. The XML file tells Windows Media Player how to use these files to display a skin as the user interface. In this manner, the user can choose from a variety of standard skins, each one providing an additional visual experience. Windows Media Player comes with several skins to choose from, but it is relatively easy to create and distribute custom skins.

A flaw exists in the way Windows Media Player 7.1 and Windows Media Player for Windows XP handle the download of skin files. The flaw means that an attacker could force a file masquerading as a skin file into a known location on a user's machine. This could allow an attacker to place a malicious executable on the system.

In order to exploit this flaw, an attacker would have to host a malicious web site that contained a web page designed to exploit this particular vulnerability and then persuade a user to visit that site - an attacker would have no way to force a user to the site. An attacker could also embed the link in an HTML e-mail and send it to the user.

In the case of an e-mail borne attack, if the user was using Outlook Express 6.0 or Outlook 2002 in their default configurations, or Outlook 98 or 2000 in conjunction with the Outlook Email Security Update, then an attack could not be automated and the user would still need to click on a URL sent in the e-mail. However if the user was not using Outlook Express 6.0 or Outlook 2002 in their default configurations, or Outlook 98 or 2000 in conjunction with the Outlook Email Security Update, the attacker could cause an attack that could both place, then launch the malicious executable without the user having to click on a URL contained in an e-mail.

The attacker's code would run with the same privileges as the user: any restrictions on the user's ability to change the system would apply to the attacker's code.

Mitigating factors:

Windows Media Player 9 Series is not affected by this issue.

By default, Outlook Express 6.0 and Outlook 2002 open HTML mails in the Restricted Sites Zone. In addition, Outlook 98 and 2000 open HTML mails in the Restricted Sites Zone if the Outlook Email Security Update has been installed. Customers who use any of these products would be at no risk from an e-mail borne attack that attempted to automatically exploit these vulnerabilities.

The attacker would have no way to force users to visit a malicious web site. Instead, the attacker would need to lure them there, typically by getting them to click on a link that would take them to the attacker's site.

READ MORE

Title: Flaw in Windows Media Player Skins Downloading could allow Code Execution (817787)
Date: 07 May 2003
Software: Microsoft Windows Media Player 7.1
          Microsoft Windows Media Player for Windows XP (Version 8.0)
Impact: Arbitrary code execution
Max Risk: Critical
Bulletin: MS03-017

Microsoft encourages customers to review the Security Bulletins at:
http://www.microsoft.com/technet/security/...in/MS03-017.asp
http://www.microsoft.com/security/security...ns/ms03-017.asp

- --------------------------------------------------------------------

Issue:
======

Microsoft Windows Media Player provides functionality to change the overall appearance of the player itself through the use of "skins". Skins are custom overlays that consist of collections of one or more files of computer art, organized by an XML file. The XML file tells Windows Media Player how to use these files to display a skin as the user interface. In this manner, the user can choose from a variety of standard skins, each one providing an additional visual experience. Windows Media Player comes with several skins to choose from, but it is relatively easy to create and distribute custom skins.

A flaw exists in the way Windows Media Player 7.1 and Windows Media Player for Windows XP handle the download of skin files. The flaw means that an attacker could force a file masquerading as a skin file into a known location on a user's machine. This could allow an attacker to place a malicious executable on the system.

In order to exploit this flaw, an attacker would have to host a malicious web site that contained a web page designed to exploit this particular vulnerability and then persuade a user to visit that site - an attacker would have no way to force a user to the site. An attacker could also embed the link in an HTML e-mail and send it to the user.

In the case of an e-mail borne attack, if the user was using Outlook Express 6.0 or Outlook 2002 in their default configurations, or Outlook 98 or 2000 in conjunction with the Outlook Email Security Update, then an attack could not be automated and the user would still need to click on a URL sent in the e-mail. However if the user was not using Outlook Express 6.0 or Outlook 2002 in their default configurations, or Outlook 98 or 2000 in conjunction with the Outlook Email Security Update, the attacker could cause an attack that could both place, then launch the malicious executable without the user having to click on a URL contained in an e-mail.

The attacker's code would run with the same privileges as the user: any restrictions on the user's ability to change the system would apply to the attacker's code.

Mitigating Factors:
====================

- Windows Media Player 9 Series is not affected by this issue.

- By default, Outlook Express 6.0 and Outlook 2002 open HTML mails in the Restricted Sites Zone. In addition, Outlook 98 and 2000 open HTML mails in the Restricted Sites Zone if the Outlook Email Security Update has been installed. Customers who use any of these products would be at no risk from an e-mail borne attack that attempted to automatically exploit these vulnerabilities.

- The attacker would have no way to force users to visit a malicious web site. Instead, the attacker would need to lure them there, typically by getting them to click on a link that would take them to the attacker's site.

Risk Rating:
============

- Critical

Patch Availability:
===================

- A patch is available to fix this vulnerability. Please read the Security Bulletins at
  http://www.microsoft.com/technet/security/...in/ms03-017.asp
  http://www.microsoft.com/security/security...ns/ms03-017.asp
  for information on obtaining this patch.

Acknowledgment:
===============

- Microsoft thanks Jouko Pynnonen of Oy Online Solutions Ltd, Finland and Jelmer for reporting this issue to us and working with us to protect customers.

- --------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY

Source: My Email
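
A defender-side check for the condition the bulletin describes (a file masquerading as a skin in the skins folder), as an added example that is not part of the original post or of Microsoft's bulletin. It assumes packaged skins are `.wmz` ZIP archives holding a `.wms` XML definition; the function names, verdict strings and sample files are constructed for illustration.

```python
import io
import zipfile
from pathlib import Path, PureWindowsPath

# Member types a skin package has no reason to carry (illustrative list).
RISKY_EXTS = {".exe", ".dll", ".scr", ".com", ".pif", ".bat", ".cmd"}

def classify_skin(data: bytes) -> str:
    """Return 'ok' or the reason a file named *.wmz is not a plausible skin."""
    if data[:2] == b"MZ":  # PE/DOS header, also catches self-extracting archives
        return "executable header"
    buf = io.BytesIO(data)
    if not zipfile.is_zipfile(buf):
        return "not a ZIP container"
    with zipfile.ZipFile(buf) as zf:
        names = zf.namelist()
    for name in names:
        p = PureWindowsPath(name)
        if p.anchor or ".." in p.parts:  # rooted, drive-qualified or climbing path
            return "member path leaves the package"
        if p.suffix.lower() in RISKY_EXTS:
            return "executable member"
    if not any(n.lower().endswith(".wms") for n in names):  # XML skin definition
        return "no skin definition"
    return "ok"

def scan_skins(folder: Path) -> dict:
    """Map each suspicious *.wmz under folder to the reason it was flagged."""
    hits = {}
    for path in sorted(folder.rglob("*")):
        if path.is_file() and path.suffix.lower() == ".wmz":
            verdict = classify_skin(path.read_bytes())
            if verdict != "ok":
                hits[path.name] = verdict
    return hits

def make_zip(members: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()

def constructed_samples() -> dict:
    return {  # constructed inputs: one plausible skin and three impostors
        "good.wmz": make_zip({"good.wms": "<theme/>", "bg.bmp": "BM"}),
        "renamed_exe.wmz": b"MZ\x90\x00" + b"\x00" * 60,
        "no_definition.wmz": make_zip({"bg.bmp": "BM"}),
        "bundled_exe.wmz": make_zip({"s.wms": "<theme/>", "setup.exe": "MZ"}),
    }
```

Pass `scan_skins` the player's skins folder on the host being checked; that location is not given in the bulletin and has to be confirmed locally.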
