Microsoft Security Bulletin MS01-010

Technical description:

Windows Media Player 7 introduced a feature called "skins", that allows customization of the look and feel of Windows Media Player. If a Windows Media Player skin (.WMZ) file were downloaded from a malicious web site it could potentially be used to run Java code to read and browse files on a local machine. The vulnerability stems from the fact that "skins" are downloaded to a known location on a victim's computer and are stored in a .zip package. If the .zip package contained a Java class (.class) file, any Java code in this class could be executed under the local computer security zone.

If a Windows Media Player skin (.WMZ) file were downloaded from a malicious web site, it could potentially cause the deployment of zipped Java code to a known location on the visiting user's machine. Since the Java code would reside in a known location on the machine, script hosted on a hostile web site or embedded in a hostile HTML mail message could potentially invoke the script in the local computer security zone to take arbitrary action on the user's machine.

Mitigating factors:

• Users could only be affected if they have downloaded a malicious skins file from an untrusted source

Vulnerability identifier: CAN-2001-0137

What's the scope of the vulnerability?
This vulnerability could enable a malicious user to run Java code of his choice on another user's computer via a feature in Windows Media Player 7. Such a program could take virtually any action on the user's machine that she herself could take, and could be used to compromise data on the victim's computer, misuse software already on it, download additional software and run it, or take additional action.
The vulnerability only affects Windows Media Player 7. The feature at issue here was not available in previous versions of Windows Media Player.

Is this the same vulnerability described in MS00-090, "WMS Script Execution?"
No. Though the problems may seem similar the issue here is not so much the ability for a script or ActiveX control to run, but the fact that a .WMZ file is downloaded to a known directory on a user's machine. Since a .WMZ file is really just a .ZIP file with a different extension, it can contain Java class files that a web page can directly access and run.

What causes the vulnerability?
The Java language allows Java code to be run directly from a .ZIP file. Since skins use the .ZIP format, any Java code in a skin can be directly accessed by a malicious web page.

What's a .WMZ file?
WMZ is the default extension for a zipped Windows Media Player skins file (which contain both a custom skin and the art associated with a skin). Skins are a new feature introduced in Windows Media Player 7, and they enable the user to customize the look and feel of Windows Media Player.
Windows Media Player 7 includes a number of default skins that the user can choose from, but it's also possible to develop custom skins that create an entirely new look and feel.

Is this a problem with the default skins that come with Windows Media Player 7?
No. Customers who are using any of the default skins are not at risk from this vulnerability. The problem arises only in conjunction with custom-written skins packaged with a malicious Java file.

What's the problem with the implementation of Java in a skins file?
The vulnerability at issue here is the ability for Java code to execute under the local computer context when packaged in a .WMZ file. Since the default IE settings assume that any program run under the local computer zone is safe -- any Java code (malicious or not)will be allowed to run under this setting.

What does the patch do?
The patch eliminates the ability for a malicious user to access any code they insert as part of a .WMZ file.

Download locations for this patch

• Microsoft Windows Media Player 7:

  http://www.microsoft.com/downloads/details.aspx?FamilyId=BAF62356-D717-4B8F-97E0-299A7697A083&displaylang=en