__________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
__________________________________________________________

                             INFORMATION BULLETIN

               Microsoft Windows Media Player Vulnerabilities
                  [Microsoft Security Bulletin MS02-032]

June 28, 2002 20:00 GMT                                           Number M-096
                                                        [Revised 24 July 2002]
______________________________________________________________________________

PROBLEM:       Three vulnerabilities exist in Windows Media Player.
               1) An information disclosure vulnerability that could provide
                  the means for an attacker to run code on the user's system.
               2) A privilege elevation vulnerability that could enable an
                  attacker who can log on locally to a Windows 2000 machine
                  and run a program to obtain the same rights as the
                  operating system.
               3) A script execution vulnerability that could run a script of
                  an attacker's choice, as if the user had chosen to run it,
                  after the user plays a specially formed media file and then
                  views a specially constructed web page.

SOFTWARE:      Microsoft Windows Media Player 6.4, 7.1, and Windows Media
               Player for Windows XP

DAMAGE:        The first vulnerability may allow unauthorized disclosure of
               information to an attacker and allow the attacker to run code
               of choice. The second vulnerability causes an escalation of
               privileges if a malicious user has access to the local
               machine. The third vulnerability could run a script of an
               attacker's choice, but is difficult to exploit because the
               vulnerability has specific timing requirements.

SOLUTION:      Apply the cumulative patch as stated in Microsoft's security
               bulletin.
______________________________________________________________________________

VULNERABILITY  The risk is MEDIUM. The first vulnerability can be triggered
ASSESSMENT:    by a specially constructed web page or HTML e-mail (media
               files opened from the local machine are not affected); the
               second requires a local console logon to a Windows 2000
               system and the ability to run a program; the third requires
               a specific sequence of user actions with tight timing.
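As an aid to the SOLUTION step above, the following PowerShell check is an
editorial addition and is not part of the CIAC or Microsoft bulletin. It
reports whether a host has one of the affected players installed and whether
the Q320920 patch marker is present, using the registry key that the Microsoft
bulletin names under "Verifying patch installation" below. The executable
paths and the mapping of file versions to product lines (6.x in mplayer2.exe
for Windows Media Player 6.4, 7.x for 7.0/7.1, 8.x for Windows Media Player
for Windows XP) are assumptions made for illustration; the patch file names
and the 7.0-must-upgrade-first rule are the bulletin's own.

```powershell
# Added example, not part of the CIAC or Microsoft bulletin.
# Registry key: taken from the bulletin's "Verifying patch installation" section.
# Player paths and the version-to-product mapping below are assumptions.

$PatchKey = 'HKLM:\SOFTWARE\Microsoft\Updates\Windows Media Player\wm320920'

# Assumed default install locations of the two player executables:
# mplayer2.exe is the 6.4-series player, wmplayer.exe the 7.x / XP player.
$PlayerPaths = @(
    (Join-Path $env:ProgramFiles 'Windows Media Player\mplayer2.exe'),
    (Join-Path $env:ProgramFiles 'Windows Media Player\wmplayer.exe')
)

function Get-InstalledPlayer {
    # Emit one object per player executable that exists, with its file version.
    param([string[]]$Paths = $PlayerPaths)
    foreach ($p in $Paths) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        $vi = (Get-Item -LiteralPath $p).VersionInfo
        [pscustomobject]@{
            Path    = $p
            Version = [version]('{0}.{1}.{2}.{3}' -f $vi.FileMajorPart,
                                 $vi.FileMinorPart, $vi.FileBuildPart,
                                 $vi.FilePrivatePart)
        }
    }
}

function Get-Ms02032State {
    # Map a player version plus the patch-key result to the action the
    # bulletin calls for. Major version -> product line is an assumption.
    param([version]$Version, [bool]$KeyPresent)
    if ($Version.Major -eq 7 -and $Version.Minor -eq 0) {
        # 7.0 is unsupported and untested: the bulletin says upgrade to 7.1 first.
        return 'WMP 7.0: upgrade to 7.1, then apply wm320920_71.exe'
    }
    if ($KeyPresent) { return 'Q320920 marker present' }
    switch ($Version.Major) {
        6       { 'unpatched: apply wm320920_64.exe' }
        7       { 'unpatched: apply wm320920_71.exe' }
        8       { 'unpatched: apply wm320920_8.exe (Windows Media Player for Windows XP)' }
        default { 'version outside the MS02-032 scope; check current vendor guidance' }
    }
}

function Test-Ms02032 {
    # One report object per host: key presence plus a finding per installed player.
    param([string]$Key = $PatchKey, [string[]]$Paths = $PlayerPaths)
    $keyPresent = Test-Path -LiteralPath $Key
    $players = @(Get-InstalledPlayer -Paths $Paths)
    $findings = foreach ($pl in $players) {
        [pscustomobject]@{
            Path    = $pl.Path
            Version = $pl.Version
            State   = Get-Ms02032State -Version $pl.Version -KeyPresent $keyPresent
        }
    }
    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        PatchKeyPresent = $keyPresent
        Players         = $findings
    }
}

# Run locally; the same functions can be shipped to other hosts with Invoke-Command.
$report = Test-Ms02032
$report | Format-List
$report.Players | Format-Table -AutoSize
```

One caveat the bulletin itself raises: the wm320920 key is created by both the
June 26 (V1.0) package and the repackaged July 24 (V2.0) package, so the key
alone does not tell you whether the MS01-056 file that V1.0 omitted is present.
For that, compare file versions against the manifest in Knowledge Base article
Q320920, or confirm that MS01-056 was applied separately. A host with no
player found at the assumed paths should be checked by hand rather than
treated as unaffected.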
______________________________________________________________________________

LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/m-096.shtml
 ORIGINAL BULLETIN:  http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms02-032.asp
______________________________________________________________________________

[***** Start Microsoft Security Bulletin MS02-032 *****]

Microsoft Security Bulletin MS02-032

26 June 2002

Cumulative Patch for Windows Media Player (Q320920)

Originally posted: June 26, 2002
Updated: July 24, 2002 (Version 2.0)

Summary

Who should read this bulletin: Customers using Microsoft® Windows Media™
Player 6.4, 7.1 or Windows Media Player for Windows XP.

Impact of vulnerability: Three new vulnerabilities, the most serious of which
could be used to run code of the attacker's choice.

Maximum Severity Rating: Critical

Recommendation: Customers running affected products should apply the patch
immediately. Customers who are still running Windows Media Player 7.0 should
upgrade to Windows Media Player 7.1 first and then apply the patch
immediately.

Affected Software:

 * Microsoft Windows Media Player 6.4
 * Microsoft Windows Media Player 7.1
 * Microsoft Windows Media Player for Windows XP

Technical details

Technical description:

On June 26, 2002, Microsoft released the original version of this bulletin,
which described the patch it provided as being cumulative. We subsequently
discovered that a file had been inadvertently omitted from the patch. While
the omission had no effect on the effectiveness of the patch against the new
vulnerabilities discussed below, it did mean that the patch was not
cumulative. Specifically, the original patch did not include all of the fixes
discussed in Microsoft Security Bulletin MS01-056. We have repackaged the
patch to include the file and are re-releasing it to ensure that it truly is
cumulative.
If you applied the patch delivered in Microsoft Security Bulletin MS01-056 and
the one that was distributed with the original version of this bulletin, you're
fully protected against all known vulnerabilities in Windows Media Player and
don't need to take any action. Otherwise, we recommend that you apply the new
version of the patch provided below.

The patch includes the functionality of all previously released patches for
Windows Media Player 6.4, 7.1 and Windows Media Player for Windows XP. In
addition, it eliminates the following three newly discovered vulnerabilities,
one of which is rated critical severity, one of which is rated moderate
severity, and the last of which is rated low severity:

 * An information disclosure vulnerability that could provide the means for
   an attacker to run code on the user's system. It is rated critical
   severity.

 * A privilege elevation vulnerability that could enable an attacker who can
   physically log on locally to a Windows 2000 machine and run a program to
   obtain the same rights as the operating system.

 * A script execution vulnerability that could run a script of an attacker's
   choice, as if the user had chosen to run it, after the user plays a
   specially formed media file and then views a specially constructed web
   page. This vulnerability has specific timing requirements that make
   exploitation difficult, and it is rated low severity.

The patch also introduces a configuration change relating to file extensions
associated with Windows Media Player. Finally, it introduces a new, optional
security configuration feature for users or organizations that want to take
extra precautions beyond applying the Internet Explorer patch in MS02-023 and
want to disable scripting functionality in Windows Media Player 7.x or
higher.
Mitigating factors:

Cache Patch Disclosure via Windows Media Player:

 * Customers who have applied MS02-023 are protected against attempts to
   automatically exploit this issue through HTML email when they read email
   in the Restricted Sites zone. Outlook 98 and Outlook 2000 with the Outlook
   Email Security Update, Outlook 2002 and Outlook Express 6.0 all read email
   in the Restricted Sites zone by default.

 * The vulnerability does not affect media files opened from the local
   machine. As a result, users who download and save files locally are not
   affected by attempts to exploit this vulnerability.

Privilege Elevation through Windows Media Device Manager Service:

 * This issue affects only Windows Media Player 7.1; it does not affect
   Windows Media Player for Windows XP or Windows Media Player 6.4.

 * The vulnerability only affects Windows Media Player 7.1 when run on
   Windows 2000; it does not affect systems that have no user security
   model, such as Windows 98 or Windows ME.

 * This issue only affects console sessions; users who log on via terminal
   sessions cannot exploit this vulnerability.

 * An attacker must be able to load and run a program on the system.
   Anything that prevents an attacker from loading or running a program
   could protect against attempts to exploit this vulnerability.

Media Playback Script Invocation:

 * A successful attack requires that a specific series of actions be
   followed in exact order; otherwise the attack will fail. Specifically:

   - A user must play a specially formed media file from an attacker.
   - After playing the file, the user must shut down Windows Media Player
     without playing another file.
   - The user must then view a web page constructed by the attacker.
Severity Rating:

Cache Patch Disclosure via Windows Media Player:

                                      Internet   Intranet   Client
                                      Servers    Servers    Systems
 Windows Media Player 6.4             Low        Low        Critical
 Windows Media Player 7.1             Low        Low        Critical
 Windows Media Player for Windows XP  Low        Low        Critical

Privilege Elevation through Windows Media Device Manager Service:

                                      Internet   Intranet   Client
                                      Servers    Servers    Systems
 Windows Media Player 6.4             None       None       None
 Windows Media Player 7.1 on
   Windows 2000                       Low        Low        Critical
 Windows Media Player 7.1 on all
   other platforms                    None       None       None
 Windows Media Player for Windows XP  None       None       None

Media Playback Script Invocation:

                                      Internet   Intranet   Client
                                      Servers    Servers    Systems
 Windows Media Player 6.4             None       None       None
 Windows Media Player 7.1             Low        Low        Low
 Windows Media Player for Windows XP  None       None       None

Aggregate Severity of all issues included in this patch (including issues
addressed in previously released patches):

                                      Internet   Intranet   Client
                                      Servers    Servers    Systems
 Windows Media Player 6.4             Critical   Critical   Critical
 Windows Media Player 7.1             Critical   Critical   Critical
 Windows Media Player for Windows XP  Low        Low        Critical

The above assessment is based on the types of systems affected by the
vulnerability, their typical deployment patterns, and the effect that
exploiting the vulnerability would have on them. The License Handling cache
disclosure vulnerability could be used to run code on the system as the user.
The Privilege Elevation through Windows Media Device Manager Service requires
the ability to log on at the console; terminal sessions are not affected. In
addition, the attacker must be able to load and run a program. The Media
Playback Script Invocation vulnerability has specific timing requirements that
make an automated attack difficult to accomplish.
Vulnerability identifier:

 * Cache Patch Disclosure via Windows Media Player: CAN-2002-0372
 * Privilege Elevation through Windows Media Device Manager Service:
   CAN-2002-0373
 * Media Playback Script Invocation: CAN-2002-0615

Tested Versions:

Microsoft tested Windows Media Player 6.4, 7.1 and Windows Media Player for
Windows XP to assess whether they are affected by these vulnerabilities.
Previous versions, including 7.0, are no longer supported, and may or may not
be affected by these vulnerabilities. If they have not done so already,
customers using Windows Media Player 7.0 should install Windows Media Player
7.1 prior to installing this patch.

Patch availability

Download locations for this patch

 * Microsoft Windows Media Player 6.4:
   http://download.microsoft.com/download/winmediaplayer/Update/320920/W98NT42KMe/EN-US/wm320920_64.exe
 * Microsoft Windows Media Player 7.1:
   http://download.microsoft.com/download/winmediaplayer/Update/320920/W982KMe/EN-US/wm320920_71.exe
 * Microsoft Windows Media Player for Windows XP:
   http://download.microsoft.com/download/winmediaplayer/Update/320920/WXP/EN-US/wm320920_8.exe

Additional information about this patch

Installation platforms:

The patch can be installed on any operating system running Windows Media
Player 6.4 or 7.1. The patch for Windows Media Player for Windows XP can be
installed on Windows XP Gold.

Inclusion in future service packs:

The fixes for these issues will be in Windows XP SP1.

Reboot needed:

The patch only requires a reboot if Windows Media Player is running at the
time the patch is applied.

Superseded patches: MS01-056.

Verifying patch installation:

 * To verify that the patch has been installed on the machine, confirm that
   the following registry key has been created:
   HKLM\SOFTWARE\Microsoft\Updates\Windows Media Player\wm320920

 * To verify the individual files, use the patch manifest provided in
   Knowledge Base article Q320920.

Caveats: None

Localization:

Localized versions of this patch are under development.
When completed, they will be available at the locations discussed in
"Obtaining other security patches".

Obtaining other security patches:

Patches for other security issues are available from the following locations:

 * Security patches are available from the Microsoft Download Center, and can
   be most easily found by doing a keyword search for "security_patch".
 * Patches for consumer platforms are available from the WindowsUpdate web
   site.
 * All patches available via WindowsUpdate also are available in a
   redistributable form from the WindowsUpdate Corporate site.

Other information:

Acknowledgments

Microsoft thanks the following people for working with us to protect
customers:

 * jelmer for reporting the Cache Patch Disclosure via Windows Media Player.
 * The Research Team of Security Internals (www.securityinternals.com) for
   reporting the Privilege Elevation through Windows Media Device Manager
   Service.
 * Elias Levy, Chief Technical Officer, SecurityFocus
   (http://www.securityfocus.com/), for reporting the Media Playback Script
   Invocation.

Support:

 * Microsoft Knowledge Base article Q320920 discusses this issue and will be
   available approximately 24 hours after the release of this bulletin.
   Knowledge Base articles can be found on the Microsoft Online Support web
   site.
 * Technical support is available from Microsoft Product Support Services.
   There is no charge for support calls associated with security patches.

Security Resources:

The Microsoft TechNet Security Web Site provides additional information about
security in Microsoft products.

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as is"
without warranty of any kind. Microsoft disclaims all warranties, either
express or implied, including the warranties of merchantability and fitness
for a particular purpose.
In no event shall Microsoft Corporation or its suppliers be liable for any
damages whatsoever including direct, indirect, incidental, consequential, loss
of business profits or special damages, even if Microsoft Corporation or its
suppliers have been advised of the possibility of such damages. Some states do
not allow the exclusion or limitation of liability for consequential or
incidental damages so the foregoing limitation may not apply.

Revisions:

 * V1.0 (June 26, 2002): Bulletin Created.
 * V2.0 (July 24, 2002): Bulletin revised to indicate that a file missing
   from the MS01-056 fixes has been included, and a correction to the
   aggregate severity table has been made.

[***** End Microsoft Security Bulletin MS02-032 *****]

_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Microsoft Corporation for the
information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.
If you are not part of these communities, please contact your agency's
response team to report incidents. Your agency's team will coordinate with
CIAC. The Forum of Incident Response and Security Teams (FIRST) is a
world-wide organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring
by the United States Government or the University of California. The views
and opinions of authors expressed herein do not necessarily state or reflect
those of the United States Government or the University of California, and
shall not be used for advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

M-086: Sun SEA SNMP Vulnerability
M-087: SGI IRIX rpc.passwd Vulnerability
M-088: MS Unchecked Buffer in Gopher Protocol Handler
M-089: MS Heap Overrun in HTR Chunked Encoding Vulnerability
M-090: Microsoft Unchecked Buffer in RAS Phonebook Vulnerability
M-091: Microsoft Unchecked Buffer in SQLXML Vulnerability
M-092: Cisco Buffer Overflow in UNIX VPN Client
M-093: Apache HTTP Server Chunk Encoding Vulnerability
M-094: Microsoft SQL Server 2000 OpenDataSource Buffer Overflow
M-095: OpenSSH Challenge Response Vulnerabilities