Microsoft Security Bulletin MS01-056 - Critical
Windows Media Player .ASF Processor Contains Unchecked Buffer
Published: November 20, 2001 | Updated: May 09, 2003
Who should read this bulletin:
Customers using Microsoft® Windows Media™ Player 6.4, 7, 7.1 or Windows Media Player for Windows XP
Impact of vulnerability:
Run code of attacker's choice.
Maximum Severity Rating:
Customers running affected products should apply the patch immediately.
- Windows Media Player 6.4
- Windows Media Player 7
- Windows Media Player 7.1
- Windows Media Player for Windows XP
One of the streaming media formats supported by Windows Media Player is Advanced Streaming Format (ASF). A security vulnerability occurs in Windows Media Player 6.4 because the code that processes ASF files contains an unchecked buffer.
By creating a specially malformed ASF file and inducing a user to play it, an attacker could overrun the buffer, with either of two results: in the simplest case, Windows Media Player 6.4 would fail; in the more complex case, code chosen by the attacker could be made to run on the user's computer, with the privileges of the user. The scope of this vulnerability is rather limited. It affects only Windows Media Player 6.4, and can only be exploited by the user opening and deliberately playing an ASF file. There is no capability to exploit this vulnerability via email or a web page.
However, the patch eliminates additional vulnerabilities. Specifically, it eliminates all known vulnerabilities affecting Windows Media Player 6.4 - discussed in Microsoft Security Bulletins MS00-090, MS01-029, and MS01-042 - as well as some additional variants of these vulnerabilities that were discovered internally by Microsoft. Some of these vulnerabilities could be exploited via email or a web page. In addition, some affect components of Windows Media Player 6.4 that, for purposes of backward compatibility, ship with Windows Media Player 7 and 7.1. We therefore recommend that customers running any of these versions of Windows Media Player apply the patch to ensure that they are fully protected against all known vulnerabilities.
Windows Media Player for Windows XP includes components of Windows Media Player 6.4, but they are not affected by the ASF buffer overrun or by any of the other vulnerabilities discussed in the security bulletins listed above. However, the version 6.4 components that ship with Windows Media Player for Windows XP are affected by some of the newly discovered variants of these vulnerabilities. Rather than installing this patch, however, we recommend that customers install the 25 October 2001 Critical Update for Windows XP.
- Windows Media Player runs in the security context of the user, rather than as a system component. At best, an attacker could gain the privileges of the user on the system. Systems configured in accordance with the least privilege principle would be at less risk from this vulnerability.
- The vulnerability could only be exploited if the user opened and played an affected ASF file.
- The attacker would need to know the specific operating system that the user was running in order to tailor the attack code properly; if the attacker made an incorrect guess about the user's operating system platform, the attack would crash the user's Windows Media Player session, but not run code of the attacker's choice.
ASF Buffer Overrun:
| |Internet Servers|Intranet Servers|Client Systems|
|---|---|---|---|
|Windows Media Player 6.4|Low|Low|Low|
|Windows Media Player 7.0|Low|Low|Low|
|Windows Media Player 7.1|Low|Low|Low|
Aggregate severity of all vulnerabilities eliminated by patch:
| |Internet Servers|Intranet Servers|Client Systems|
|---|---|---|---|
|Windows Media Player 6.4|Critical|Critical|Critical|
|Windows Media Player 7.0|Critical|Critical|Critical|
|Windows Media Player 7.1|Critical|Critical|Critical|
The above assessment is based on the types of systems affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them. The buffer overrun affecting ASF files could only be exploited via a user deliberately opening and playing an affected file; in contrast, other previous vulnerabilities included in the patch could be exploited by opening an email or browsing to a web site.
Vulnerability identifier: CAN-2001-0719
Microsoft tested Windows Media Player 6.4, 7.0 and 7.1, and Windows 98, 98SE, ME, 2000, XP, and Windows NT® 4.0 to assess whether they are affected by this vulnerability. Previous versions are no longer supported, and may or may not be affected by these vulnerabilities.
What vulnerabilities are eliminated by this patch?
This patch eliminates all known security vulnerabilities affecting Windows Media Player 6.4:
- A vulnerability involving the processor for Advanced Streaming Format (ASF) files
- The vulnerabilities previously discussed in Microsoft Security Bulletins MS00-090, MS01-029, and MS01-042, including some newly discovered variants of these vulnerabilities.
What's the scope of the first vulnerability?
This is a buffer overrun vulnerability. An attacker who could entice another user into opening a particular type of streaming media file would be able to use the vulnerability to run programs on the user's computer. Such programs would be capable of taking any action on the user's machine that the user himself could take, including adding, creating or deleting files, communicating with web sites or potentially even reformatting the hard drive.
The vulnerability could only be exploited if the attacker could entice another user into opening an affected streaming media file and playing it. It could not be exploited via either email or a web page.
What causes the vulnerability?
The vulnerability results because there is an unchecked buffer in a section of Windows Media Player that handles .ASF files. By including a particular type of malformed entry in an .ASF file, an attacker could cause chosen code to execute when a user played the file.
What are .ASF files?
ASF (Advanced Streaming Format) is a data format used for storing streaming media data and sending it over networks. It was introduced in Windows Media Player 6.4, but is supported by all subsequent versions of the player.
What's wrong with the way Windows Media Player handles .ASF files?
The portion of Windows Media Player 6.4 that handles ASF files doesn't properly check inputs before processing them. It would be possible for an attacker to craft a specially malformed ASF file that would overrun an internal buffer in the player, thereby changing the operation of the player while it was running.
What would be the effect of exploiting the vulnerability?
As we noted above, the vulnerability would, in essence, allow an attacker to modify the operation of the player. The effect of doing this would depend on the specific modifications that were made. If the attacker simply overwrote the player's executable code with random data, it would cause the player to fail. This wouldn't have any real security ramifications - the user could simply restart the player and resume normal operation.
On the other hand, if the attacker overwrote the player's executable code with valid instructions, it would be possible to change the operation of the media player and make it take actions of the attacker's choosing. This would pose a significant security threat.
How could an attacker exploit the vulnerability?
An attacker would need to create an ASF file containing the malformed entry discussed above, then convince another user to open it and play it. This is a significant limitation on the severity of the vulnerability. In some previous vulnerabilities affecting Windows Media Player 6.4, the attacker could create an HTML mail that would exploit the vulnerability simply by being opened, or a web page that could exploit the vulnerability simply by being viewed. In this case, however, the user would need to deliberately open the file and play it.
You said that the attacker would need to know the specific operating system that the user was running. Why is that?
As we mentioned above, the most dangerous use of this vulnerability would involve changing the operation of Windows Media Player while it was running. However, the specific changes that would be needed would vary depending on the operating system that was in use. As a result, the attacker would need to know (or guess) what operating system the user was running. If the attacker guessed wrong, the player would fail, but this wouldn't pose a security threat.
If I'm using a version of Windows Media Player other than 6.4, do I need this patch?
Only Windows Media Player 6.4 is affected by this vulnerability. However, as discussed below, the patch eliminates additional vulnerabilities, and users of post-6.4 versions should install it to eliminate them.
What does the patch do?
The patch eliminates the vulnerability by implementing proper input validation for .ASF files.
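The bulletin does not say which ASF entry was left unchecked, so the following is an added illustration of the kind of input validation described, not Microsoft's code and not the actual flaw. It assumes the published ASF object layout (16-byte GUID followed by an 8-byte little-endian size that includes the 24-byte header); `ENTRY_MAX`, `asf_copy_payload` and `demo_parse` are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ASF_HDR_LEN 24u /* 16-byte object GUID + 8-byte little-endian size */
#define ENTRY_MAX   64u /* hypothetical fixed-size internal buffer */

enum { ASF_OK = 0, ASF_TRUNCATED = -1, ASF_BAD_SIZE = -2, ASF_TOO_BIG = -3 };

static uint64_t rd_le64(const uint8_t *p) {
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--) v = (v << 8) | p[i];
    return v;
}

/* Copy one object's payload into out[ENTRY_MAX], validating every length
 * taken from the file before it is used. */
int asf_copy_payload(const uint8_t *buf, size_t len,
                     uint8_t out[ENTRY_MAX], size_t *out_len) {
    if (len < ASF_HDR_LEN) return ASF_TRUNCATED;      /* no full header */
    uint64_t obj_size = rd_le64(buf + 16);            /* value comes from the file */
    if (obj_size < ASF_HDR_LEN) return ASF_BAD_SIZE;  /* size includes header */
    if (obj_size > len) return ASF_TRUNCATED;         /* claims more than exists */
    uint64_t payload = obj_size - ASF_HDR_LEN;
    if (payload > ENTRY_MAX) return ASF_TOO_BIG;      /* check an unchecked copy lacks */
    memcpy(out, buf + ASF_HDR_LEN, (size_t)payload);
    *out_len = (size_t)payload;
    return ASF_OK;
}

/* Constructed sample input: zero GUID, a chosen declared size, and file_len
 * bytes actually available. Returns the parser's result code. */
int demo_parse(uint64_t declared, size_t file_len) {
    uint8_t file[256] = {0}, out[ENTRY_MAX];
    size_t n = 0;
    if (file_len > sizeof file) file_len = sizeof file;
    for (int i = 0; i < 8; i++) file[16 + i] = (uint8_t)(declared >> (8 * i));
    return asf_copy_payload(file, file_len, out, &n);
}

int main(void) {
    printf("well-formed: %d\n", demo_parse(40, 40));
    printf("oversized payload: %d\n", demo_parse(224, 224));
    printf("size below header: %d\n", demo_parse(10, 40));
    printf("size past end of file: %d\n", demo_parse(UINT64_MAX, 40));
    return 0;
}
```

Each rejected case corresponds to a declared length that disagrees with either the bytes actually present or the destination buffer, which is the class of malformed entry an unchecked copy would process anyway.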
What are the additional vulnerabilities eliminated by this patch?
This is a cumulative patch, and eliminates every known security vulnerability affecting Windows Media Player 6.4. In addition to eliminating the vulnerability discussed above, this patch also includes the fixes provided in Microsoft Security Bulletins MS00-090, MS01-029, and MS01-042, plus fixes for several new variants of the vulnerabilities discussed in them.
What's the scope of these additional vulnerabilities?
Security Bulletins MS00-090, MS01-029, and MS01-042 discuss the vulnerabilities in detail, but in the worst case, they could enable an attacker to run programs with the privileges of the user. There are two likely scenarios through which an attacker might be able to exploit these vulnerabilities:
- The attacker could send an HTML email to another user that, when opened by the recipient, would exploit the vulnerability. This approach would allow the attacker to target specific users, but would be blocked by the Outlook E-Mail Security Update, which is built into Outlook 2002 by default.
- The attacker could host a file on a web site that would launch automatically when a user visited the site, and which would exploit the vulnerability. This approach would require that the attacker wait for the potential victims to come to his site.
I'm using another version of Windows Media Player. Do I need to install this patch?
Yes. Although the vulnerabilities eliminated by this patch only affect components of Windows Media Player 6.4, some of these components are included in other versions of the player. For this reason, customers using Windows Media Player 6.4, 7, or 7.1 should install the patch and, as discussed below, customers using Windows Media Player for Windows XP should install the 25 October Critical Update for Windows XP.
Why are components of Windows Media Player 6.4 installed as part of other versions of Windows Media Player?
Beginning with version 7 of Windows Media Player, the methods through which certain actions are requested were changed. This meant that, for instance, a web page that had been coded to work with Windows Media Player 6.4 would not work with Windows Media Player 7. Because of this, some of the Windows Media Player 6.4 components were included with subsequent versions of the Player, in order to ensure that web pages could work effectively regardless of the version of Windows Media Player a user had installed.
Is Windows Media Player for Windows XP affected by any of these vulnerabilities?
Yes. Windows Media Player for Windows XP does include some components from Windows Media Player 6.4. All of the vulnerabilities discussed in Security Bulletins MS00-090, MS01-029, and MS01-042 were corrected prior to the release of Windows XP. However, some of the new variants referred to above are present in the Windows Media Player 6.4 components that shipped with Windows Media Player for Windows XP.
Customers using Windows XP should not install the patch discussed below. Instead, they should install the 25 October Critical Update for Windows XP, which eliminates these vulnerabilities as well as the ones discussed in Microsoft Security Bulletins MS01-050 and MS01-054.
I haven't installed Windows Media Player. Do I need to apply a patch?
Depending on the operating system you're using, you might need to, as Windows Media Player ships as part of several operating systems. Of the affected versions listed above, only two of them - Windows Media Player 6.4 and Windows Media Player for Windows XP - shipped as part of an operating system. Windows Media Player 6.4 shipped as part of both Windows ME and Windows 2000, and Windows Media Player for Windows XP ships as part of Windows XP.
Download locations for this patch
- Windows Media Player 6.4, 7, or 7.1:
- Windows Media Player for Windows XP:
Additional information about this patch
The patch can be installed on any operating system running Windows Media Player 6.4, 7.0, or 7.1.
Inclusion in future service packs:
The fix for this issue will be included in Windows 2000 Service Pack 3.
Reboot needed: The patch only requires a reboot if Windows Media Player is running at the time that the patch is applied.
This patch supersedes all previously released patches for Windows Media 6.4. These are discussed in the following references:
- Microsoft Security Bulletin MS01-042.
- Microsoft Security Bulletin MS01-029.
- Microsoft Security Bulletin MS00-090.
Note: The patch provided in Microsoft Security Bulletin MS01-029 contained fixes for both a security and privacy issue. Only the security fix in MS01-029 is superseded by this patch.
Verifying patch installation:
- To verify that the patch has been installed on the machine, confirm that the following registry key has been created: HKLM\SOFTWARE\Microsoft\Updates\Windows Media Player\wm308567
- To verify the individual files, use the patch manifest provided in Knowledge Base article Q308567
Localized versions of this patch are available at the locations discussed in "Patch Availability".
Obtaining other security patches:
Patches for other security issues are available from the following locations:
- Microsoft Knowledge Base article Q308567 discusses this issue and will be available approximately 24 hours after the release of this bulletin. Knowledge Base articles can be found on the Microsoft Online Support web site.
- Technical support is available from Microsoft Product Support Services. There is no charge for support calls associated with security patches.
Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
- V1.0 (November 20, 2001): Bulletin Created.
- V1.1 (May 09, 2003): Updated download links to Windows Update.