
             __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                         Microsoft Windows Media Player
                         [Vulnerability Note VU#208769]

December 8, 2006 21:00 GMT                                        Number R-068
______________________________________________________________________________
PROBLEM:       Windows Media Player does not properly handle malformed Windows 
               Media Metafiles. This vulnerability may allow a remote attacker 
               execute arbitrary code or crash Windows Media Player. 
PLATFORM:      Windows Media Player 7 
               Windows Media Player for Windows XP 
               Windows Media Player 9 Series 
               Windows Media Player 10 
               Windows Media Player 11 
DAMAGE:        May allow a remote attacker execute arbitrary code. 
SOLUTION:      Apply current patches. 
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. May allow a remote attacker execute 
ASSESSMENT:    arbitrary code. 
______________________________________________________________________________
LINKS: 
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/r-068.shtml 
 ORIGINAL BULLETIN:  http://www.kb.cert.org/vuls/id/208769
______________________________________________________________________________
[***** Start Vulnerability Note VU#208769 *****]

Vulnerability Note VU#208769
Microsoft Windows Media Player fails to properly handle malformed Windows Media Metafiles
Overview
Windows Media Player does not properly handle malformed Windows Media Metafiles. This vulnerability may allow a remote attacker execute arbitrary code or crash Windows Media Player.
I. Description
Windows Media Player (WMP) is a multimedia application that comes with Microsoft Windows. According to Microsoft:

      Advanced Stream Redirector (.asx) files, also known as Windows Media Metafiles, are text files that provide information about a file stream and its presentation. ASX files go beyond the simple task of defining playlists to provide Windows Media Player with information about how to present particular media items of the playlist.

      Windows Media Metafiles are based on XML syntax and can be encoded in either ANSI or UNICODE (UTF-8) format. They are made up of various elements with their associated tags and attributes. Each element in a Windows Media metafile defines a particular setting or action in Windows Media Player. 

WMP fails to properly handle Windows Media Metafiles. Specifically, if a URL with an unsupported protocol is embdedded in a Windows Media Metafile and accessed with WMP, a limited heap-based buffer overflow may occur.

Note that file extensions for Windows Media Metafiles include .wax, .wvx, .wmx, and .asx. More information concerning Windows Media Player files is available in the Windows Media Player File Name Extensions web page.

Exploit code for this vulnerability is publicly available.
II. Impact
Although the buffer overflow is limited, it may still be possible to corrupt memory in a way that can allow an attacker to execute code or crash WMP.
III. Solution
We are unaware of a practical solution to this problem. Until a solution is available, the following workaround is strongly encouraged:


Do not access Windows Media Metafiles from untrusted sources

Attackers may host malicious Windows Media Metafiles on web sites. In order to convince users to visit their sites, those attackers often use a variety of techniques to create misleading links including URL encoding, IP address variations, long URLs, and intentional misspellings. Do not click on unsolicited links received in email, instant messages, web forums, or internet relay chat (IRC) channels. Type URLs directly into the browser to avoid these misleading links. While these are generally good security practices, following these behaviors will not prevent exploitation of this vulnerability in all cases, particularly if a trusted site has been compromised or allows cross-site scripting.

Configure Your Web Browser securely handle Windows Media Metafiles

Web browsers can be configured to take specific actions for certain types of content, such as Windows Media Metafiles. Configuring your web browser to securely handle Windows Media Metafiles will not correct this vulnerability, but will reduce the chances of exploitation.

      Mozilla Firefox

      Configure Mozilla Firefox's Download Actions not to automatically open Windows Media Metafiles. Instructions on how to do this can be found in the Firefox section of Securing Your Web Browser.

      Microsoft Internet Explorer

      Setting the Internet Zone security setting to High will prevent Windows Media Metafiles from automatically being opened by Internet Explorer. Instructions on how to do this can be found in the Internet Explorer section of Securing Your Web Browser.

Systems Affected
Vendor	Status	Date Updated
Microsoft Corporation	Vulnerable	8-Dec-2006
References


http://blogs.technet.com/msrc/archive/2006/12/07/public-proof-of-concept-code-for-asx-file-format-isssue.aspx
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q316992
http://research.eeye.com/html/alerts/zeroday/20061122.html
http://www.microsoft.com/windows/windowsmedia/default.mspx
http://windowssdk.msdn.microsoft.com/en-us/library/aa385262.aspx
Credit

This vulnerability was publicly disclosed by sehato.

This document was written by Jeff Gennari.
Other Information
Date Public	11/22/2006
Date First Published	12/08/2006 11:12:57 AM
Date Last Updated	12/08/2006
CERT Advisory	 
CVE Name	 
Metric	20.25
Document Revision	27

[***** End Vulnerability Note VU#208769 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of US-Cert for the 
information contained in this bulletin.
_______________________________________________________________________________


CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
   Anonymous FTP:       ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

R-058: Potential vulnerabilities in Adobe Reader and Acrobat
R-059: texinfo Buffer Overflow
R-060: libgsf Buffer Overflow
R-061: HTTP Requests in Sun Java System Server(s)
R-062: proftpd Several Vulnerabilities
R-063: Vulnerability in Microsoft Word
R-064: GnuPG Security Update
R-065: Google Mini and Google Search Appliance Vulnerable
R-066: Adobe Download Manager Vulnerability
R-067: l2tpns Buffer Overflow