Microsoft Security Bulletin MS03-017

Technical description:

Microsoft Windows Media Player provides functionality to change the overall appearance of the player itself through the use of "skins". Skins are custom overlays that consist of collections of one or more files of computer art, organized by an XML file. The XML file tells Windows Media Player how to use these files to display a skin as the user interface. In this manner, the user can choose from a variety of standard skins, each one providing an additional visual experience. Windows Media Player comes with several skins to choose from, but it is relatively easy to create and distribute custom skins.

A flaw exists in the way Windows Media Player 7.1 and Windows Media Player for Windows XP handle the download of skin files. The flaw means that an attacker could force a file masquerading as a skin file into a known location on a user's machine. This could allow an attacker to place a malicious executable on the system.

In order to exploit this flaw, an attacker would have to host a malicious web site that contained a web page designed to exploit this particular vulnerability and then persuade a user to visit that site - an attacker would have no way to force a user to the site. An attacker could also embed the link in an HTML e-mail and send it to the user.

In the case of an e-mail borne attack, if the user was using Outlook Express 6.0 or Outlook 2002 in their default configurations, or Outlook 98 or 2000 in conjunction with the Outlook Email Security Update, then an attack could not be automated and the user would still need to click on a URL sent in the e-mail. However if the user was not using Outlook Express 6.0 or Outlook 2002 in their default configurations, or Outlook 98 or 2000 in conjunction with the Outlook Email Security Update, the attacker could cause an attack that could both place, then launch the malicious executable without the user having to click on a URL contained in an e-mail.

The attacker's code would run with the same privileges as the user: any restrictions on the user's ability to change the system would apply to the attacker's code.

Mitigating factors:

• Windows Media Player 9 Series is not affected by this issue.
• Windows Media Player 6.4 is not affected by this issue.
• By default, Outlook Express 6.0 and Outlook 2002 open HTML mails in the Restricted Sites Zone. In addition, Outlook 98 and 2000 open HTML mails in the Restricted Sites Zone if the Outlook Email Security Update, has been installed. Customers who use any of these products would be at no risk from an e-mail borne attack that attempted to automatically exploit these vulnerabilities.
• The attacker would have no way to force users to visit a malicious web site. Instead, the attacker would need to lure them there, typically by getting them to click on a link that would take them to the attacker's site.

Severity Rating:

The above assessment is based on the types of systems affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.

Vulnerability identifier: CAN-2003-0228

Tested Versions:

Microsoft tested Windows Media Player 6.4, Windows Media Player 7.1, Windows Media Player for Windows XP and Windows Media Player 9.0 Series to assess whether they are affected by this vulnerability. Previous versions are no longer supported, and may or may not be affected by these vulnerabilities.

What's the scope of this vulnerability? 
This vulnerability, by itself, could allow an attacker to place a malicious file in a known location on the computer. However, if the user was not using Outlook Express 6.0 or Outlook 2002 in their default configurations, or Outlook 98 or 2000 in conjunction with the Outlook Email Security Update, the attacker could cause an attack that could both place, then launch the malicious executable without the user having to click on a URL contained in an e-mail. This that could enable an attacker to run code on the system of a user. The code could then be able to take any actions on the system that the user was capable of.
The attacker's code would run with the same privileges as the user: any restrictions on the user's ability to change the system would apply to the attacker's code. For example, if the user were prevented from deleting files on the hard drive, the attacker's code would similarly be prevented. Conversely, if a user were using an account with high privileges such as an administrator's account, the attacker's code would also run the same high privileges.

Does this vulnerability affect all versions on Windows Media Player? 
No, only Windows Media Player 7.1 and Windows Media Player for XP are affected. Windows Media Player 9.0 Series is not affected by this vulnerability, and versions prior to 7.1--such as Windows Media Player 6.4-- did not support skins.

What causes the vulnerability? 
The vulnerability results because Windows Media Player 7.1 and Windows Media Player for XP do not correctly validate inputs when a skin file is being downloaded. Normally a skin file is downloaded to the Temporary Internet Files Folder and then copied into another non-predictable location. However the flaw permits a skin file - or a file masquerading as a skin - to be downloaded and copied into a predictable location.

What is the Temporary Internet Files folder, and what is it used for? 
The Temporary Internet Files folder is the location on your hard disk where Web pages and files (such as graphics) are cached as you view them. This speeds up the display of pages you frequently visit or have already seen, because Internet Explorer can open them from your hard disk instead of from the Web. Obfuscation plays a vital role in ensuring that this cache is stored in a non-predictable location. By design, if a web site knows the physical location of a web page, then the web site operator could be able to learn more information about the user visiting their site. The cache prevents a web site from learning this information, thereby forcing it to submit to the Internet Explorer security model.

What is the problem with a skin file being copied to a known location? 
The problem with this is that it would allow an attacker to place a malicious program into a known location. This could allow an attacker to subsequently execute that program as he or she would know were the program was located.

What are "Skins"? 
Skins are sets of scripts, art, media, and text files that can be combined to create a new appearance for Windows Media Player. Using skins, it is possible to change not only the way Windows Media Player looks, but how it functions.

Is there a problem with "Skins"? 
No, the vulnerability does not lie in skin files. The flaw lies in the way skin files are downloaded.

What's wrong with the way that Windows Media Player 7.1 and Windows Media Player for XP download skin files? 
There is a flaw in way that Windows Media Player 7.1 and Windows Media Player for XP download skins files. They do not correctly check URLs that is passed to them to initiate the download of a skin. As a result, a URL can be maliciously crafted that allows a file masquerading as a skin file to be copied to a location known to an attacker, rather than the Temporary Internet Files folder.

What could this vulnerability enable an attacker to do? 
This vulnerability could enable an attacker to place a file of their choice into a known or predetermined location on the user's machine. If the file was then made to run, it could take any action desired by the attacker, in the context of the user's privileges on that machine.
Any limitation of the user's permissions on the machine would also be applied to the attackers program.

How could an attacker exploit this vulnerability? 
An attacker could seek to exploit this vulnerability by creating a specially crafted URL that, when accessed, would cause a file to be downloaded and copied to a location of the attacker's choosing.
For example, if an attacker knew the location of the "Startup" folder on a user's machine, he may be able to cause the file to be downloaded directly into that folder. Because programs contained in the "Startup" folder automatically run when the machine starts up, an attacker could use this method to cause a malicious program or script to run on the machine.

What does the patch do? 
The patch ensures that Windows Media Player 7.1 and Windows Media Player for Windows XP correctly validate URL's passed to it when downloading skins.

Download locations for this patch

• Microsoft Windows Media Player 7.1:

  http://www.microsoft.com/downloads/details.aspx?FamilyId=012F143A-
  77D1-4F6F-9338-5A6332614532&displaylang=en

• Microsoft Windows Media Player for Windows XP (Version 8.0):

  http://www.microsoft.com/downloads/details.aspx?FamilyId=E311DF50-
  0633-4100-AB37-D7A68D51182F&displaylang=en