Microsoft Security Bulletin MS00-068

Patch Available for OCX Attachment Vulnerability

Originally posted: September 26, 2000

Summary

Microsoft has released a patch that eliminates a security vulnerability that could cause certain email applications to fail, requiring the user to restart the e-mail client to resume normal operation.

Affected Software:

Media Player OCX as part of Microsoft Windows Media Player 7, and only when installed on systems running Outlook or Outlook Express.
Note: The vulnerability only occurs if both Windows Media Player 7 and an affected e-mail client (Outlook or Outlook Express) are installed on the same machine. Machines that only fulfill one of these conditions are not affected.

Vulnerability Identifier: CVE-2000-0929

General Information

Technical details

Frequently asked questions

What's this bulletin about?
Microsoft Security Bulletin MS00-068 announces the availability of a patch that eliminates a vulnerability whose primary impact involves e-mail clients such as Outlook and Outlook Express. Microsoft is committed to protecting customers' information, and is providing the bulletin to inform customers of the vulnerability and what they can do about it.

What's the scope of the vulnerability?
This is a Denial of Service vulnerability. If a malicious user created an e-mail containing a particular type of embedded object, it could be used to cause the recipient's e-mail application to fail when he closed it after reading it. The user could resume normal operation simply by restarting the affected e-mail application.

What causes the vulnerability?
There is a flaw in the interaction between RTF enabled e-mail clients and an OCX control associated with Windows Media Player which is revealed when a user attempts to view an e-mail message with with the embedded control.

Is this an E-mail or Windows Media Player vulnerability?
The vulnerability lies in how a control associated with Windows Media Player interacts with e-mail applications. The only way to expose the vulnerability is by viewing the affected control via an RTF-enabled e-mail client such as Outlook or Outlook Express. It does not impact Windows Media Player 7 itself.

What is an OCX control?
Think of an OCX control as an ActiveX container. It is a file that can contain multiple ActiveX controls to be used by an application. For more information on OCX and ActiveX controls please see: Q159621.

Why would someone embed an OCX control in an E-mail message?
It is currently not supported by the control associated with Windows Media Player, and because of a malicious user could cause the failure. There is no standard or supported method for embedding any OCX control associated with Windows Media Player within an e-mail message. A malicious user would need to programmatically create a custom malicious message with the embedded OCX control.

Why would a WMP flaw cause an E-mail application to fail?
The flaw is in the method used by the e-mail client to close an embedded OCX control. This flaw is what causes the crash in the e-mail client.

How could this vulnerability be exploited?
If a malicious user created an RTF e-mail that contained the WMP OCX at issue here and mailed it to someone, it would cause the recipient's email client to fail when he closed the mail after reading it. The vulnerability would not cause any lasting effects. The user could resume normal operation by restarting the mail client and deleting the affected mail.

Could this vulnerability be exploited while reading the mail in the Preview Pane?
No. The e-mail application would not fail when opening or viewing the message, but only when closing the message.

What would I need to do to recover from the attack?
The vulnerability would not cause any lasting effects. The user could resume normal operation by restarting the mail client and deleting the affected mail.

Could this issue be used to attack Windows Media Player itself?
No. The OCX control at issue here is associated with Windows Media Player, but it doesn't pose any risk to it. That is, there is no way to misuse this OCX control to attack a user via WMP - it could only be used to attack e-mail clients like Outlook and Outlook Express.

Can this vulnerability be exploited accidentally?
No. A malicious user would need to explicitly craft a malicious e-mail containing a specific OCX control to exploit this vulnerability. The malicious e-mail message would have to be crafted through a very special programming method.

Who should use the patch?
Microsoft recommends that customers who have both Windows Media Player 7 and either Outlook or Outlook Express installed consider installing this patch.

What does the patch do?
The patch modifies the behavior of the OCX associated with Windows Media Player when closing an RTF e-mail message with an embedded OCX control.

Where can I get the patch?
The download location for the patch is provided in the "Patch Availability" section of the security bulletin .

How do I use the patch?
The Knowledge Base article contains detailed instructions for applying the patch to your site.

How can I tell if I installed the patch correctly?
The Knowledge Base article provides a manifest of the files in the patch package.The easiest way to verify that you've installed the patch correctly is to verify that these files are present on your computer, and have the same sizes and creation dates as shown in the KB article.

What is Microsoft doing about this issue?

Microsoft has delivered a patch that eliminates the vulnerability.
Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and the procedure to eliminate it.
Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins.
Microsoft has issued a Knowledge Base article explaining the vulnerability and procedure in more detail.

Where can I learn more about best practices for security?
The Microsoft TechNet Security web site is the best to place to get information about Microsoft security.

How do I get technical support on this issue?
Microsoft Product Support Services can provide assistance with this or any other product support issue.

Patch availability

Other information:

Acknowledgments

Microsoft thanks Luciano Martins of USSR Labs (www.ussrback.com) for reporting this issue to us and working with us to protect customers.

Support: This is a fully supported patch. Information on contacting Microsoft Product Support Services is available at http://support.microsoft.com/contactussupport/?ws=support.

Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:

September 26, 2000: Bulletin Created.