Microsoft Security Bulletin MS01-010 - Critical
Windows Media Player Skins Files Can Enable Java Code to Execute
Published: February 14, 2001 | Updated: June 23, 2003
Originally posted: February 14, 2001
Updated: June 23, 2003
Who should read this bulletin:
Users of Windows Media Player 7
Impact of vulnerability:
Run code of attacker's choice
Customers with Windows Media Player 7 should install the patch
- Microsoft Windows Media Player 7
Windows Media Player 7 introduced a feature called "skins", that allows customization of the look and feel of Windows Media Player. If a Windows Media Player skin (.WMZ) file were downloaded from a malicious web site it could potentially be used to run Java code to read and browse files on a local machine. The vulnerability stems from the fact that "skins" are downloaded to a known location on a victim's computer and are stored in a .zip package. If the .zip package contained a Java class (.class) file, any Java code in this class could be executed under the local computer security zone.
If a Windows Media Player skin (.WMZ) file were downloaded from a malicious web site, it could potentially cause the deployment of zipped Java code to a known location on the visiting user's machine. Since the Java code would reside in a known location on the machine, script hosted on a hostile web site or embedded in a hostile HTML mail message could potentially invoke the script in the local computer security zone to take arbitrary action on the user's machine.
- Users could only be affected if they have downloaded a malicious skins file from an untrusted source
Vulnerability identifier: CAN-2001-0137
What's the scope of the vulnerability?
This vulnerability could enable a malicious user to run Java code of his choice on another user's computer via a feature in Windows Media Player 7. Such a program could take virtually any action on the user's machine that she herself could take, and could be used to compromise data on the victim's computer, misuse software already on it, download additional software and run it, or take additional action.
The vulnerability only affects Windows Media Player 7. The feature at issue here was not available in previous versions of Windows Media Player.
Is this the same vulnerability described in MS00-090, "WMS Script Execution?"
No. Though the problems may seem similar the issue here is not so much the ability for a script or ActiveX control to run, but the fact that a .WMZ file is downloaded to a known directory on a user's machine. Since a .WMZ file is really just a .ZIP file with a different extension, it can contain Java class files that a web page can directly access and run.
What causes the vulnerability?
The Java language allows Java code to be run directly from a .ZIP file. Since skins use the .ZIP format, any Java code in a skin can be directly accessed by a malicious web page.
What's a .WMZ file?
WMZ is the default extension for a zipped Windows Media Player skins file (which contain both a custom skin and the art associated with a skin). Skins are a new feature introduced in Windows Media Player 7, and they enable the user to customize the look and feel of Windows Media Player.
Windows Media Player 7 includes a number of default skins that the user can choose from, but it's also possible to develop custom skins that create an entirely new look and feel.
Is this a problem with the default skins that come with Windows Media Player 7?
No. Customers who are using any of the default skins are not at risk from this vulnerability. The problem arises only in conjunction with custom-written skins packaged with a malicious Java file.
What's the problem with the implementation of Java in a skins file?
The vulnerability at issue here is the ability for Java code to execute under the local computer context when packaged in a .WMZ file. Since the default IE settings assume that any program run under the local computer zone is safe -- any Java code (malicious or not)will be allowed to run under this setting.
What does the patch do?
The patch eliminates the ability for a malicious user to access any code they insert as part of a .WMZ file.
Download locations for this patch
- Microsoft Windows Media Player 7:
Additional information about this patch
The patches can be installed on any system running Windows Media Player 7.
Verifying patch installation:
- To ensure that the patch has been properly applied on the machine, verify that the files listed in the patch manifest in Knowledge Base article Q287045 have been installed on the machine.
Localized versions of this patch are under development. When completed, they will be available at the locations discussed in "Obtaining other security patches".
Obtaining other security patches:
Patches for other security issues are available from the following locations:
- Microsoft Knowledge Base article Q287045 discusses this issue and will be available approximately 24 hours after the release of this bulletin. Knowledge Base articles can be found on the Microsoft Online Support web site.
- Technical support is available from Microsoft Product Support Services. There is no charge for support calls associated with security patches.
Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
- V1.0 (February 14, 2001): Bulletin Created.
- V1.1 (June 23, 2003): Updated download links to Windows Update.
Built at 2014-04-18T13:49:36Z-07:00