Security Bulletin

Microsoft Security Bulletin MS03-021 - Moderate

Flaw In Windows Media Player May Allow Media Library Access (819639)

Published: June 25, 2003 | Updated: July 04, 2003

Version: 1.1

Originally posted: June 25, 2003
Updated: July 4, 2003

Summary

Who should read this bulletin: Customers running Microsoft Windows Media Player 9 Series

Impact of vulnerability: Information Disclosure

Maximum Severity Rating: Moderate

Recommendation: System administrators should install the patch on a schedule consistent with their practices.

End User Bulletin: An end user version of this bulletin is available at:

https:.

Affected Software:

  • Microsoft Windows Media Player 9 Series

Not Affected Software Versions:

  • Microsoft Windows Media Player 6.4
  • Microsoft Windows Media Player 7.1
  • Microsoft Windows Media Player for Windows XP (8.0)

General Information

Technical details

Technical description:

An ActiveX control included with Windows Media Player 9 Series allows Web page authors to create Web pages that can play media and provide a user interface by which the user can control playback. When a user visits a Web page with embedded media, the ActiveX control provides a user interface that allows the user to take such actions as pausing or rewinding the media.

A flaw exists in the way in which the ActiveX control provides access to information on the user's computer. A vulnerability exists because an attacker could invoke the ActiveX control from script code, which would allow the attacker to view and manipulate metadata contained in the media library on the user's computer.

To exploit this flaw, an attacker would have to host a malicious Web site that contained a Web page designed to exploit this vulnerability, and then persuade a user to visit that site; an attacker would have no way to force a user to the site. An attacker could also embed a link to the malicious site in an HTML e-mail and send it to the user. After the user previewed or opened the e-mail, the malicious site could be visited automatically without further user interaction.

The attacker would only have access to manipulate the media library on the user's computer. The attacker would not be able to browse the user's hard disk and would not have access to passwords or encrypted data. The attacker would not be able to modify files on the user's hard disk, but could modify the contents of any Media Library entries associated with those files. The attacker might also be able to determine the user name of the logged-on user by examining the directory paths to media files.

Mitigating factors:

  • By default, Internet Explorer on Windows Server 2003 runs in Enhanced Security Configuration. This default configuration of Internet Explorer blocks this attack.
  • The attacker could only gain access to information contained in the Windows Media Library.
  • The attacker would not be able to execute code on the system or delete files on the user's hard disk.

Severity Rating:

Windows Media Player 9 Series: Moderate

The above assessment is based on the types of systems affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.

Vulnerability identifier: CAN-2003-0348

Tested Versions:

Microsoft tested Windows Media Player 6.4, Windows Media Player 7.1, Windows Media Player for Windows XP (8.0), and Windows Media Player 9 Series to assess whether they are affected by these vulnerabilities. Previous versions are no longer supported, and may or may not be affected by these vulnerabilities.

Frequently asked questions

What's the scope of the vulnerability?
This is an information disclosure vulnerability. An attacker who successfully exploited this vulnerability could gain access to a user's media library without the user being aware of this access.

Does this vulnerability affect all versions of Windows Media Player?
No - only Windows Media Player 9 Series is affected.

How could an attacker exploit this vulnerability?
An attacker could seek to exploit this vulnerability by hosting a specially constructed Web page. If a user were to visit this Web page, the Windows Media Player 9 Series ActiveX control would load and the attacker could then use script code to invoke the control and cause it to provide the attacker with access to the user's media library. As an alternative, an attacker could craft an HTML e-mail that attempted to exploit this vulnerability.

What could this vulnerability enable an attacker to do?
This vulnerability could enable an attacker to view and manipulate information in the user's media library. This vulnerability could allow an attacker to change the metadata of media files, delete entries from the media library, or rename entries in the library. The attacker could not delete or rename the actual media files on the user's hard disk; he or she could only manipulate entries in the library. However, the attacker might be able to determine the user name of the logged in user by examining the directory paths to the media files.

What is Media Library Metadata?
Windows Media Player Library entries contain information about media files. This information is called metadata. Metadata is information about a song or video file such as artist name, track name, album name, or genre. This information, which is often provided automatically when a user records music from CDs into digital music, is stored in the media library of Windows Media Player.

What causes the vulnerability?
The vulnerability results because the Windows Media Player 9 Series ActiveX control does not properly validate access to the Media Library.

What's wrong with the way Windows Media Player 9 Series provides access to the Media Library?
The Windows Media Player 9 Series ActiveX control uses the Windows Media Player public object model, and provides access to the media library under certain conditions. The Windows Media Player 9 Series ActiveX control is a scriptable component, meaning that script code can be used to invoke or control it. The ActiveX control does not properly validate requests made by script to access the Media Library.

What are ActiveX controls?
ActiveX is a technology that allows Web authors the ability to embed small programs in Web pages or other interfaces to provide additional functionality. These embedded programs are known as ActiveX Controls. Developers can create ActiveX controls in any programming language that supports the Microsoft Common Object Model.

I have my Windows Media Player 9 Series configured to not run script automatically. Does this protect me from this vulnerability?
No - in this case it is the ActiveX control running the script code that allows access to the Media Library, not the Windows Media Player itself. The flaw exists because the ActiveX Control does not properly validate who is accessing the Media Library.

What products does Windows Media Player 9 Series ship with?
Windows Media Player 9 Series is included with Windows Server 2003. In addition it can be downloaded as an update for Windows XP, Windows 2000, Windows ME and Windows 98 Second Edition.

I am running Internet Explorer on Windows Server 2003. Does this mitigate this issue?
Yes. By default, Internet Explorer on Windows Server 2003 runs in a restricted mode known as Enhanced Security Configuration. In this configuration the ActiveX control would not load.

What is Internet Explorer Enhanced Security Configuration?
Internet Explorer Enhanced Security Configuration is a group of preconfigured Internet Explorer settings that reduce the likelihood of a user or administrator downloading and running malicious Web content on a server. Internet Explorer Enhanced Security Configuration reduces this threat by modifying numerous security-related settings, including Security and Advanced tab settings in Internet Options. Some of the key modifications include:

  • Security level for the Internet zone is set to High. This setting disables scripts, ActiveX components, Microsoft virtual machine (Microsoft VM) HTML content, and file downloads.
  • Automatic detection of intranet sites is disabled. This setting assigns all intranet Web sites and all Universal Naming Convention (UNC) paths that are not explicitly listed in the Local intranet zone to the Internet zone.
  • Install on Demand and non-Microsoft browser extensions are disabled. This setting prevents Web pages from automatically installing components and prevents non-Microsoft extensions from running.
  • Multimedia content is disabled. This setting prevents music, animations, and video clips from running.

For more information regarding Internet Explorer Enhanced Security Configuration, please consult the Managing Internet Explorer Enhanced Security Configuration guide, which can be found at the following location:

https://www.microsoft.com/download/details.aspx?FamilyID=d41b036c-e2e1-4960-99bb-9757f7e9e31b&DisplayLang=en

Is there any configuration of Windows Server 2003 that is likely to have Internet Explorer Enhanced Security Configuration Disabled?
Yes. System administrators who have deployed Windows Server 2003 as a Terminal Server would likely disable Internet Explorer Enhanced Security Configuration to allow users of the Terminal Server to utilize Internet Explorer in an unrestricted mode.

What does the patch do?
The patch eliminates the vulnerability by ensuring the Windows Media Player 9 Series ActiveX Control properly validates access to the Media Library.

Patch availability

Download locations for this patch

Additional information about this patch

Installation platforms:

This patch can be installed on systems running:

  • Windows 98
  • Windows 98 Second Edition
  • Windows Me
  • Windows 2000 Service Pack 2
  • Windows 2000 Service Pack 3
  • Windows 2000 Service Pack 4
  • Windows XP
  • Windows XP Service Pack 1
  • Windows Server 2003

Inclusion in future service packs:

The fix for this issue will be included in Windows 2000 Service Pack 5, Windows XP Service Pack 2, and Windows Server 2003 Service Pack 1.

Reboot needed: No

Patch can be uninstalled: No

Superseded patches: None.

Verifying patch installation:

  • To verify that the patch has been installed on the machine, confirm that the following registry key has been created on the machine:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows Media Player\wm819639

  • To verify the individual files, use the date/time and version information provided in Knowledge Base article 819639.
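
The registry check above, extended to an offline audit of .reg exports collected from several machines. This is an added example, not Microsoft's code; the host labels, the sample exports and the export-collection step are assumptions, and only the key path comes from the bulletin.

```python
"""Added example: offline check of registry exports for the MS03-021 patch key."""
import codecs

# Key named in the bulletin's "Verifying patch installation" step.
PATCH_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows Media Player\wm819639"


def decode_export(data: bytes) -> str:
    """Decode a .reg export: 'Version 5.00' files are UTF-16LE with a BOM,
    REGEDIT4 files (Windows 98/Me style) are single-byte ANSI."""
    if data.startswith(codecs.BOM_UTF16_LE):
        return data[2:].decode("utf-16-le")
    return data.decode("cp1252", errors="replace")


def exported_keys(text: str) -> set:
    """Return every key path that appears as a [section] header, lower-cased
    because registry key names are case-insensitive."""
    keys = set()
    for line in text.splitlines():
        line = line.strip()
        # "[-KEY]" is a deletion directive in hand-written .reg files, not a key.
        if line.startswith("[") and line.endswith("]") and not line.startswith("[-"):
            keys.add(line[1:-1].lower())
    return keys


def patch_key_present(data: bytes) -> bool:
    """True if the export contains the patch key itself or a subkey of it."""
    want = PATCH_KEY.lower()
    keys = exported_keys(decode_export(data))
    return any(k == want or k.startswith(want + "\\") for k in keys)


def unpatched_hosts(exports: dict) -> list:
    """exports maps a host label to the raw bytes of its .reg export."""
    return sorted(h for h, blob in exports.items() if not patch_key_present(blob))


# Constructed sample exports (host labels and the near-miss key are made up).
_V5 = "Windows Registry Editor Version 5.00\r\n\r\n"
SAMPLE_EXPORTS = {
    "host-a": codecs.BOM_UTF16_LE + (_V5 + "[" + PATCH_KEY + "]\r\n").encode("utf-16-le"),
    "host-b": ("REGEDIT4\r\n\r\n[" + PATCH_KEY.upper() + "]\r\n").encode("cp1252"),
    "host-c": (_V5 + "[" + PATCH_KEY + "0]\r\n").encode("cp1252"),  # wm8196390, not the patch key
}

if __name__ == "__main__":
    print(unpatched_hosts(SAMPLE_EXPORTS))
```

The match is exact on the key path (or a subkey of it), so a similarly named key does not count as evidence of the patch.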

Caveats:

None

Localization:

Localized versions of this patch are available at the locations discussed in "Patch Availability".

Obtaining other security patches:

Patches for other security issues are available from the following locations:

  • Security patches are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch".
  • Patches for consumer platforms are available from the WindowsUpdate web site.

Other information:

Acknowledgments

Microsoft thanks Jelmer for reporting this issue to us and working with us to protect customers.

Support:

  • Microsoft Knowledge Base article 819639 discusses this issue and will be available approximately 24 hours after the release of this bulletin. Knowledge Base articles can be found on the Microsoft Online Support web site.
  • Technical support is available from Microsoft Product Support Services. There is no charge for support calls associated with security patches.

Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:

  • V1.0 (June 25, 2003): Bulletin Created.
  • V1.1 (July 4, 2003): Corrected registry key for verification of patch install.
