A flaw in an anti-piracy feature in Microsoft's Windows Media
Player could put systems at risk of hacker attacks, Microsoft
warned.
All the supported versions of Windows Media Player, versions 6.4,
7.1 and Windows Media Player for Windows XP, are flawed in the way
they handle a licence request for certain secure media files. An
attacker could exploit this flaw to hijack a user's system and take
any action a user is capable of, Microsoft said.
The media player, when it requests licence information from a
server, discloses the location on the user's system of the Internet
Explorer (IE) cache, which is used by IE to store files
temporarily. An attacker could use this information to bypass IE's
security mechanisms and run executable files in the cache,
Microsoft said.
IE places information that a Web page or an HTML e-mail needs to
have stored on the user's system - a file for example - in the
cache and retrieves it later for handling. One way the cache is
protected against direct access is by using dynamic folder names.
The cache should only be accessible by IE, Microsoft said.
An attacker could exploit the vulnerability by sending an HTML
e-mail with a specially formed Windows Media file or by hosting the
file on a Web site. In both cases, the IE cache location could be
returned to the attacker's site once the file is played, at which
point the attacker could try to run an executable in the cache,
Microsoft said.
Microsoft released a software patch to fix this problem. The patch,
called a cumulative patch, also includes all previously released
patches for Windows Media Player and two other new patches that fix
more specific security problems.
Microsoft rates a newly patched privilege elevation
vulnerability in Windows Media Player 7.1 when run on Windows 2000
as "critical". A malicious user could exploit the flaw in a part of
Media Player that deals with storage devices to increase his
privilege level on a Windows 2000 system. The user would need to
write a special software program to do that, Microsoft said.
The third newly patched vulnerability could allow an attacker to
run a script of his choice on the user's computer and affects only
Windows Media Player 7.1. Microsoft deems this a "low" risk
vulnerability as a successful attack requires a specific series of
user actions performed in exact order.
More information about the flaws and the patch, which Microsoft
urges users to apply immediately, can be found at:
www.microsoft.com/technet/security/bulletin/MS02-032.asp