Two vulnerabilities in Microsoft Windows Media Player have been discovered.

The first vulnerability allows the execution of arbitrary code. By embedding a JavaScript (.js) file within a Media Player skin file (.wmz), a malicious user can cause Media Player to run the code automatically. Media Player does not prompt users before running code that appears to be Media Player files.

The second vulnerability is a buffer overrun. The problem lies in how Media Player deals with the .ASX file format. This vulnerability can allow the execution of arbitrary code.

DEMONSTRATION

The following demonstration for the first vulnerability was provided by GFI:

----[Proof of concept Exploit:

<Embedded within an HTML file or e-mail>

E-mail Example 1.
<head>

E-mail Example 2.
<html>

test.wmd is a compressed zip file which contains the following files:
* test.asx: meta file which points to an mpg file and the exploit skin file

test.wmz is also a compressed zip file containing:
* test.js: our javascript which contains the following code
************************************
var fso, f1;
************************************
* test.wms: another metafile which calls test.js
----------------------------------------------------

The second vulnerability proof of concept was provided by @Stake:
http://www.atstake.com/research/advisories/2000/asx-bufferoverrun.zip

VENDOR RESPONSE

Microsoft has released a security bulletin, MS00-090, and patches to repair the vulnerability.

Windows Media Player 6.4: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=26069
Windows Media Player 7: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=26067

CREDIT
Multiple Vulnerabilities in Windows Media Player
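A defensive check based on the package layout described in the advisory, added here as an example and not part of the original advisory or of GFI's proof of concept: it opens a .wmd or .wmz package as a zip archive, follows nested packages, and reports embedded script files so a mail or web gateway can flag them. The function names, the script-extension list, the depth and size limits, and the sample archives are assumptions constructed for illustration.

```python
import io
import zipfile

SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf")  # assumption: extensions treated as script
NESTED_EXTS = (".wmz", ".wmd")        # Media Player packages that are themselves zip archives
MAX_DEPTH = 3                         # assumption: stop following packages nested deeper than this
MAX_MEMBER = 5 * 1024 * 1024          # assumption: skip nested members declared larger than this


def find_scripts(data, name="<package>", depth=0):
    """Return paths of script members inside a .wmz/.wmd package, following nested packages."""
    findings = []
    if depth > MAX_DEPTH or not zipfile.is_zipfile(io.BytesIO(data)):
        return findings
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            path = f"{name}!{info.filename}"
            lower = info.filename.lower()
            if lower.endswith(SCRIPT_EXTS):
                findings.append(path)
            elif lower.endswith(NESTED_EXTS) and info.file_size <= MAX_MEMBER:
                # A skin packed inside a download package, as in test.wmd -> test.wmz
                findings.extend(find_scripts(zf.read(info), path, depth + 1))
    return findings


def _zip_bytes(members):
    """Build an in-memory zip from {name: bytes}; used only for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member, content in members.items():
            zf.writestr(member, content)
    return buf.getvalue()


def build_samples():
    """Constructed, inert samples that mirror the file names listed in the advisory."""
    skin = _zip_bytes({"test.js": b"// placeholder", "test.wms": b"<theme/>"})
    flagged = _zip_bytes({"test.asx": b'<asx version="3.0"/>', "test.wmz": skin})
    clean = _zip_bytes({"clip.asx": b'<asx version="3.0"/>'})
    return flagged, clean


if __name__ == "__main__":
    flagged, clean = build_samples()
    print(find_scripts(flagged, "test.wmd"))
    print(find_scripts(clean, "clean.wmd"))
```

Skins can carry script for ordinary purposes, so a hit is a reason to quarantine or review a package that arrived through e-mail or a web page, not proof of malice.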