Security Bulletin

Microsoft Security Bulletin MS01-042 - Critical

Windows Media Player .NSC Processor Contains Unchecked Buffer

Published: July 26, 2001 | Updated: June 13, 2003

Version: 1.1

Originally posted: July 26, 2001
Updated: June 13, 2003

Summary

Who should read this bulletin:
Customers using Microsoft® Windows Media™ Player 6.4, 7, or 7.1.

Impact of vulnerability:
Run code of attacker's choice.

Recommendation:

  • Windows Media Player 6.4 customers should either install the patch or upgrade to Windows Media Player 7.1 and then install the patch.
  • Windows Media Player 7.0 customers should upgrade to Windows Media Player 7.1 and install the patch.
  • Windows Media Player 7.1 customers should apply the patch.

Affected Software:

  • Microsoft Windows Media Player 6.4
  • Microsoft Windows Media Player 7
  • Microsoft Windows Media Player 7.1

General Information

Technical details

Technical description:

Windows Media Player provides support for audio and video streaming. Streaming media channels can be configured by using Windows Media Station (.NSC) files. An unchecked buffer exists in the functionality used to process Windows Media Station files. This unchecked buffer could potentially allow an attacker to run code of his choice on the machine of another user. The attacker could either send a specially malformed file to another user and entice her to run or preview it, or he could host such a file on a web site and cause it to launch automatically whenever a user visited the site. The code could take any action on the machine that the legitimate user himself could take.

Mitigating factors:

  • Customers who have applied the Outlook E-mail Security Update (OESU) for Outlook 2000 or are running Outlook XP, which has the OESU functionality built-in, are automatically protected against HTML e-mail based attempts to exploit this vulnerability.
  • For others not in the above categories, the attacker would have to entice the potential victim to visit a web site he controlled, or to open an HTML e-mail he had sent.
  • The attacker would need to know the specific operating system that the user was running in order to tailor the attack code properly; if the attacker made an incorrect guess about the user's operating system platform, the attack would crash the user's Windows Media Player session, but not run code of the attacker's choice.

Vulnerability identifier: CAN-2001-0541

Tested Versions:

Microsoft tested Windows Media Player 6.4, Windows Media Player 7 and Windows Media Player 7.1 to assess whether they are affected by this vulnerability. Previous versions are no longer supported and may or may not be affected by this vulnerability.

Frequently asked questions

What's the scope of the vulnerability?
This is a buffer overrun vulnerability. It could enable an attacker to run code of his choice on the machine of another user is he was able to convince the user to visit a web site he controlled or to open a specially crafted HTML e-mail. The program would be capable of taking any action on the user's machine that the user herself could take, including adding, creating or deleting files, communicating with web sites or potentially even reformatting the hard drive.

What causes the vulnerability?
The vulnerability results because there is an unchecked buffer in a section of Windows Media Player that handles .NSC files. By including a particular type of malformed entry in a .NSC file, an attacker could cause code of his choice to execute when a user played the file.

What's a .NSC file?
Windows Media Station files (.NSC) were first introduced in NetShow 2.0 as NetShow Channels. In Windows Media Player, .NSC files are called Windows Media Station Files. .NSC files are essentially playlists that contain information to allow Windows Media Player to connect to and play streaming media. Windows Media Player uses Windows Media Station (.nsc) files to get the information it needs to receive multicast content over the Internet. These files can contain information such as stream location and rollover URL, as well as descriptive information about the station. Where standard streaming multimedia sends a single media stream to a single recipient, multicasting allows a single media stream to be received by more than one person, much like a Television or Radiobroadcast. .NSC files contain the information necessary to allow multimedia multicast streams to be processed correctly by Windows Media.

What's wrong with how Windows Media Player handles .NSC files?
One of the buffers that read data from .NSC files doesn't perform proper input validation. As a result, it would be possible for an attacker to craft a specially formed .NSC file that can overrun the buffer and modify the executable Windows Media Player code that is running.

What could this enable an attacker to do?
When it runs, Windows Media Player runs in the security context of the currently-logged-on user. If an attacker were to successfully exploit this vulnerability, the malicious code then could do anything on the machine that the current user could do. This means that the actions an attacker could take will depend a great deal on what privileges the user has on the system when they run the attacker's code.

  • If the victim had only limited privileges on the machine, the attacker's code would be similarly limited. However, in most cases even an unprivileged user could add, delete or change data files, run programs, send data to or receive data from a web site, and so forth - so the attacker's code could take these actions as well.
  • If the victim had administrative privileges, the code could use these as well, and cause greater damage. However, if the least privilege principle has been observed, users will not have been given administrative privileges unless absolutely required.

How could an attacker maliciously exploit this vulnerability?
There are two likely scenarios that that an attacker might try to exploit this vulnerability.

  • He could send an HTML e-mail that would launch the malicious .NSC file when opened. An attacker could target specific individuals with this approach.
  • He could host an .NSC file on a web site and cause it to be launched automatically whenever someone visited the site. This approach would require that the attacker wait for the potential victims to come to his site.

I'm using the Outlook E-mail Security Update, does this help protect me?
Customers who have deployed the Outlook E-Mail Security Update or who are using Outlook 2002 are protected from HTML e-mail-based attempts to exploit this vulnerability by the default security settings. The OESU and Outlook 2002 both set the Security Zone for HTML e-mail to the Restricted Sites Zone which automatically disables ActiveX controls in HTML e-mail. This means that an HTML e-mail with a .NSC file embedded by a malicious user would not run in Outlook, rendering the attack harmless.

If the malicious user placed the .NSC file on a web site, would it run automatically in the browser?
When using Internet Explorer (IE), the default security settings for the Internet Zone make it possible for a web site to automatically open .NSC files when a user visits the web site. This is because ActiveX controls are enabled by default in the Internet Zone in IE. However, users can use change the settings in the Internet Zone to disable ActiveX controls. If users make this change, then .NSC files will not launch automatically.

You said previously that the attacker would need to overrun the buffer with carefully-chosen data in order to run code of his choice. What would happen if she just overran it with random data?
If the buffer were overrun with random data, it would cause Windows Media Player to fail. This wouldn't pose a security problem, and the user could simply restart it and resume normal operation.

You said previously that the attacker would need to know the specific operations system that the user was running. Why is that?
To mount an effective attack exploiting this vulnerability, an attacker would need to know the potential victim's specific operating system so that he could tailor the malformed file appropriately for his platform. If the file is not fashioned appropriately for the user's platform, the attack would fail, causing Windows Media Player to crash, but not execute the attacker's code.

What does the patch do?
The patch eliminates the vulnerability by implementing proper input validation for .NSC files.

Patch availability

Download locations for this patch

  • Windows Media Player 6.4:
    The vulnerability can be eliminated by installing the patch or upgrading to Windows Media Player 7.1 and then installing the patch.

  • Windows Media Player 7.0:
    The vulnerability can be eliminated by upgrading to Windows Media Player 7.1 and then installing the patch.

  • Windows Media Player 7.1:
    The vulnerability can be eliminated by installing the patch.

Additional information about this patch

Installation platforms:

The patch can be installed on systems running Windows Media Player 6.4, and Windows Media Player 7.1 respectively. Customers running Windows Media Player 7 should upgrade to version 7.1 and then install the patch.

Inclusion in future service packs:

The fix for this issue will be included in the forthcoming Windows 2000 Service Pack 3.

Reboot needed: Yes

Superseded patches: None.

Verifying patch installation:

  • To verify that the patch has been installed on the machine, confirm that the following registry key has been created:
    HKLM\SOFTWARE\Microsoft\Updates\Windows Media Player\WMSU55362

Caveats:

None

Localization:

Localized versions of this patch are under development. When completed, they will be available at the locations discussed in "Obtaining other security patches".

Obtaining other security patches:

Patches for other security issues are available from the following locations:

  • Security patches are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch".
  • Patches for consumer platforms are available from the WindowsUpdate web site.

Other information:

Support:

  • Microsoft Knowledge Base article Q304404 discusses this issue and will be available approximately 24 hours after the release of this bulletin. Knowledge Base articles can be found on the Microsoft Online Support web site.
  • Technical support is available from Microsoft Product Support Services. There is no charge for support calls associated with security patches.

Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:

  • V1.0 July 26, 2001: Bulletin Created.
  • V1.1 (June 13, 2003): Updated download links to Windows Update.

Built at 2014-04-18T13:49:36Z-07:00