__________________________________________________________

                 The U.S. Department of Energy
             Computer Incident Advisory Center
                            CIAC
__________________________________________________________

                     INFORMATION BULLETIN

       Windows Unchecked Buffer in Media Player .ASX Processor
                       [Microsoft MS01-029]

May 25, 2001 21:00 GMT                                           Number L-089
______________________________________________________________________________
PROBLEM:       This bulletin addresses two vulnerabilities. First, the
               code that parses .ASX files has an unchecked buffer,
               enabling a malicious user to run code of her choice.
               Second, Windows Media Player saves Internet shortcuts to
               the user's Temporary Files folder under a fixed, known
               filename.
PLATFORM:      Windows Media Player 6.4 and 7
DAMAGE:        Unauthorized disclosure of files, and/or execution of
               code of the attacker's choice.
SOLUTION:      Apply the patches as described below.
______________________________________________________________________________
VULNERABILITY  MEDIUM. In the first, the attacker must tailor the code to
ASSESSMENT:    the victim's operating system; in the second, the attacker
               would need to know the exact name of each file to be read,
               and could not modify the file.
______________________________________________________________________________

[****** Start Microsoft Advisory ******]

- ----------------------------------------------------------------------
Title:      Windows Media Player .ASX Processor Contains Unchecked Buffer
Date:       23 May 2001
Software:   Windows Media Player 6.4 and 7
Impact:     Potentially run code of attacker's choice.
Bulletin:   MS01-029

Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS01-029.asp.
- ----------------------------------------------------------------------

Issue:
======
This bulletin discusses two security vulnerabilities that are related to
each other only by the fact that they affect Windows Media Player.
We packaged them in a single patch for customers using Windows Media
Player 6.4 to make it more convenient for customers to apply. For
customers using Windows Media Player 7, both security vulnerabilities are
addressed by upgrading to Windows Media Player 7.1. The two
vulnerabilities are:

 - A buffer overrun in the functionality used to process Active Stream
   Redirector (.ASX) files. This vulnerability is a variant of the buffer
   overrun vulnerability identified in Microsoft Security Bulletin
   MS00-090. Windows Media Player supports the use of .ASX files to
   enable users to play streaming media that resides on intranet or
   Internet sites and allows the use of playlists. However, the code that
   parses .ASX files has an unchecked buffer, and this could potentially
   enable a malicious user to run code of her choice on the machine of
   another user. The attacker could either send an affected file to
   another user and entice him to run or preview it, or she could host
   such a file on a web site and cause it to launch automatically
   whenever a user visited the site. The code could take any action on
   the machine that the legitimate user himself could take.

 - A vulnerability affecting how Windows Media Player handles Internet
   shortcuts. Windows Media Player has a flaw that causes it to save
   Internet shortcuts to the user's Temporary Files folder with a fixed
   known filename. This results in a security vulnerability because it's
   possible for HTML code to be stored in such a shortcut and launched
   via a web page or HTML e-mail, in which case the code would run in the
   Local Computer Zone rather than the Internet Zone. An attacker could
   exploit this vulnerability to read - but not add, delete or modify -
   files on another user's computer.

 - In addition, this patch provides a solution to a potential privacy
   vulnerability that was recently identified. This issue could be
   exploited by a malicious set of web sites to distinguish a user.
   While this issue would not by itself enable a web site to identify the
   user, it could enable the correlation of user information to
   potentially build a composite description of the user.

   Users can protect themselves by installing the above patch or
   upgrading to Windows Media Player 7.1, then changing the appropriate
   settings in their player as outlined below to prevent sets of web
   sites from potentially profiling them using Windows Media Player.

   - In Windows Media Player 6.4, the privacy setting is selected via a
     new option, which can be reached by going to the menu item View /
     Options, selecting the Player tab and de-selecting "Allow Internet
     sites to uniquely identify your player".

   - In Windows Media Player 7.1, the privacy setting is toggled via the
     existing option under the Tools menu: on the Player tab, deselect
     the option "Allow Internet sites to uniquely identify your player".

   Although we typically do not discuss privacy issues in security
   bulletins, the privacy issue in this case is eliminated by applying
   the patch and then selecting the new user settings as described
   above. We have provided this information because the best way to make
   the privacy update available to customers was by including it in this
   patch, and because we wanted to provide users who installed the patch
   with information about how to use the new privacy settings.

Mitigating Factors:
====================
Buffer overrun vulnerability:

 - The attacker would need the ability to entice the user into either
   visiting a web site she controlled, or opening an HTML e-mail she had
   prepared.

 - The attacker would need to know the specific operating system that
   the user was running in order to tailor the attack code properly; if
   the attacker made an incorrect guess about the user's operating system
   platform, the attack would crash the user's application, but not run
   code of the attacker's choice.
Internet shortcut vulnerability:

 - On Windows NT 4.0 and Windows 2000 systems, the location of the
   Temporary Files folder varies from user to user. In order to exploit
   the vulnerability on these systems, the attacker would need to know
   the exact location of the Temporary Files folder on the specific
   system she wished to attack.

 - The attacker would need to know the exact name of each file she
   wished to read.

 - The attacker could only view file types that can be opened in a
   browser window. These include .txt, .jpg, .gif, or .htm, but not file
   types such as .exe, .doc, and .xls.

 - There is no capability to add, delete or change files via this
   vulnerability.

Patch Availability:
===================
 - A patch is available to fix this vulnerability. Please read the
   Security Bulletin
   http://www.microsoft.com/technet/security/bulletin/ms01-029.asp
   for information on obtaining this patch.

- ---------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS
IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES,
EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT
CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER
INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS
PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS
SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME
STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR
CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT
APPLY.

[****** End Microsoft Advisory ******]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Microsoft for the
information contained in this bulletin.
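The Microsoft advisory above describes the .ASX problem only as "an unchecked
buffer" in the file parser. The C program below is an illustration of that bug
class added to this bulletin; it is not Microsoft's code and does not
reproduce the Windows Media Player parser. The toy attribute lookup, the
64-byte buffer, the 16 bytes that model data stored beside it, and the sample
documents are all constructed assumptions. It copies the href attribute of an
.ASX <Ref> element into a fixed buffer in two ways, once with the copy length
taken from the input and once bounded by the destination, and counts how many
bytes past the buffer the unchecked copy overwrites.

```c
#include <stdio.h>
#include <string.h>

#define HREF_MAX   64  /* assumed size of the fixed href buffer in the toy parser */
#define FRAME_LEN  80  /* the buffer plus 16 bytes modelling data stored beside it */

/* Constructed sample document; example.test is a reserved name, not a real host. */
static const char BENIGN_ASX[] =
    "<ASX version=\"3.0\">\n"
    "  <Entry><Ref href=\"mms://media.example.test/clip.asf\"/></Entry>\n"
    "</ASX>\n";

/* Locate the value of the first href="..." attribute. Returns a pointer to its
 * first byte and stores the length in *len; NULL if absent or unterminated.
 * Toy lookup only: ASCII, exact-case attribute name, no entity decoding. */
static const char *find_href(const char *asx, size_t *len)
{
    const char *start = strstr(asx, "href=\"");
    if (start == NULL)
        return NULL;
    start += strlen("href=\"");
    const char *end = strchr(start, '"');
    if (end == NULL)
        return NULL;
    *len = (size_t)(end - start);
    return start;
}

/* Vulnerable pattern: the copy runs for the attribute's length, never for the
 * buffer's. frame[] models the stack: bytes 0..HREF_MAX-1 are the href buffer,
 * bytes HREF_MAX..FRAME_LEN-1 stand for whatever is stored next to it. Callers
 * keep the href shorter than FRAME_LEN so this program itself stays in bounds;
 * the real flaw had no such limit. Returns the number of href bytes copied. */
size_t copy_href_unchecked(const char *asx, unsigned char frame[FRAME_LEN])
{
    size_t len;
    const char *val = find_href(asx, &len);
    if (val == NULL)
        return 0;
    for (size_t i = 0; i < len; i++)   /* bound comes from the input, not the destination */
        frame[i] = (unsigned char)val[i];
    frame[len] = '\0';                 /* the terminator also lands past the buffer when len >= HREF_MAX */
    return len;
}

/* Hardened form: reject any value that does not fit together with its NUL.
 * Returns 0 on success, -1 if the href is missing or too long. */
int copy_href_checked(const char *asx, char out[HREF_MAX])
{
    size_t len;
    const char *val = find_href(asx, &len);
    if (val == NULL || len >= HREF_MAX)
        return -1;
    memcpy(out, val, len);
    out[len] = '\0';
    return 0;
}

/* Build a constructed document whose href is href_len 'A' characters.
 * Returns 0 on success, -1 if dst is too small. */
int build_asx_with_href_len(char *dst, size_t dstlen, size_t href_len)
{
    const char *pre  = "<ASX version=\"3.0\"><Entry><Ref href=\"";
    const char *post = "\"/></Entry></ASX>";
    size_t n = strlen(pre);
    if (n + href_len + strlen(post) + 1 > dstlen)
        return -1;
    memcpy(dst, pre, n);
    memset(dst + n, 'A', href_len);
    n += href_len;
    memcpy(dst + n, post, strlen(post) + 1);
    return 0;
}

/* Feed a document with an href of href_len characters to the unchecked copy
 * and count the modelled neighbouring bytes it overwrote. Returns -1 if
 * href_len would take even the model out of bounds. */
int clobbered_neighbour_bytes(size_t href_len)
{
    char doc[256];
    unsigned char frame[FRAME_LEN];
    int n = 0;
    if (href_len >= FRAME_LEN || build_asx_with_href_len(doc, sizeof doc, href_len) != 0)
        return -1;
    memset(frame, 0xAA, sizeof frame);  /* sentinel fill for the whole modelled frame */
    copy_href_unchecked(doc, frame);
    for (size_t i = HREF_MAX; i < FRAME_LEN; i++)
        if (frame[i] != 0xAA)
            n++;
    return n;
}

int main(void)
{
    char out[HREF_MAX] = "";
    printf("63-byte href: %d neighbouring bytes clobbered\n", clobbered_neighbour_bytes(63));
    printf("70-byte href: %d neighbouring bytes clobbered\n", clobbered_neighbour_bytes(70));
    printf("checked copy of benign document: %d (%s)\n", copy_href_checked(BENIGN_ASX, out), out);
    return 0;
}
```

A 63-character href fits with its terminator and clobbers nothing; at 64
characters only the NUL spills over, and a 70-character href overwrites seven
modelled bytes past the buffer. The hardened copy rejects the same 70-character
document rather than truncating it silently, which matches the advisory's
mitigating factor: an attacker must still supply input sized and laid out for
the target, and rejecting oversized values removes that opportunity entirely.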
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Center, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health
(NIH). CIAC is located at the Lawrence Livermore National Laboratory in
Livermore, California. CIAC is also a founding member of FIRST, the Forum
of Incident Response and Security Teams, a global organization
established to foster cooperation and coordination among computer
security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:  http://www.ciac.org/
   Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an agency
of the United States Government. Neither the United States Government nor
the University of California nor any of their employees, makes any
warranty, express or implied, or assumes any legal liability or
responsibility for the accuracy, completeness, or usefulness of any
information, apparatus, product, or process disclosed, or represents that
its use would not infringe privately owned rights.
Reference herein to any specific commercial products, process, or service
by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or
favoring by the United States Government or the University of California.
The views and opinions of authors expressed herein do not necessarily
state or reflect those of the United States Government or the University
of California, and shall not be used for advertising or product
endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

L-079: Microsoft Domain Controller Core Memory Leak Vulnerability
L-080: SGI IRIX rpc.espd Buffer Overflow
L-081: Microsoft Index Server Search Function Buffer Overflow
L-082: Cisco IOS BGP Attribute Corruption Vulnerability
L-083: Microsoft CGI Filename Decode Error Vulnerability in IIS
L-084: Red Hat Samba Package /tmp Race Condition
L-085: Cisco Content Service Switch FTP Vulnerability
L-086: Cisco Multiple Vulnerabilities in CBOS
L-087: Microsoft Internet Explorer Flaws in Certificate Validation
L-088: Cisco IOS Reload after Scanning Vulnerability