Severity: Medium
14 August, 2007
Summary:
Today, Microsoft released a bulletin describing two security vulnerabilities affecting Windows Media Player. By enticing one of your users into viewing a maliciously crafted skin file for Windows Media Player, an attacker could execute code on your user’s computer, potentially gaining complete control of it. If your users listen to or view media via Windows Media Player, you should download, test, and deploy the appropriate Microsoft patches as quickly as possible.
Exposure:
Windows Media Player (WMP) is the popular multimedia playback application that ships with Windows. WMP supports the use of skins, sets of scripts, art, media, and text files that create a new appearance for the media player.
In a bulletin released today as part of Patch Day, Microsoft describes two vulnerabilities that affect WMP 7, 9, 10, and 11. Though the vulnerabilities differ technically, they both involve WMP skin files, and have the same scope and impact. If an attacker can entice one of your users into viewing a maliciously crafted WMP skin, he could exploit either flaw to execute code on your user’s system, with your user’s privileges. If that user had local administrative privileges, the attacker gains complete control of that user’s machine.
MIcrosoft’s bulletin contradicts itself about whether an attack requires the victim merely to view the skin, or if the user must open and install the skin for the attack to work. WMP prompts users before allowing them to view skins. So this sort of attack requires user interaction to succeed, which is probably why Microsoft only gave it an “Important” severity rating. However, we often see attackers attaching their malware to desirable applications in order to entice victims, and users often click “OK” without thinking. Attackers could easily inject their malicious code into a popular or cool skin, which might lure one of your users into viewing it. We recommend that you patch this flaw as soon as you can.
Severity: Medium
14 August, 2007
Summary:
Today, Microsoft released a bulletin describing two security vulnerabilities affecting Windows Media Player. By enticing one of your users into viewing a maliciously crafted skin file for Windows Media Player, an attacker could execute code on your user’s computer, potentially gaining complete control of it. If your users listen to or view media via Windows Media Player, you should download, test, and deploy the appropriate Microsoft patches as quickly as possible.
Exposure:
Windows Media Player (WMP) is the popular multimedia playback application that ships with Windows. WMP supports the use of skins, sets of scripts, art, media, and text files that create a new appearance for the media player.
In a bulletin released today as part of Patch Day, Microsoft describes two vulnerabilities that affect WMP 7, 9, 10, and 11. Though the vulnerabilities differ technically, they both involve WMP skin files, and have the same scope and impact. If an attacker can entice one of your users into viewing a maliciously crafted WMP skin, he could exploit either flaw to execute code on your user’s system, with your user’s privileges. If that user had local administrative privileges, the attacker gains complete control of that user’s machine.
MIcrosoft’s bulletin contradicts itself about whether an attack requires the victim merely to view the skin, or if the user must open and install the skin for the attack to work. WMP prompts users before allowing them to view skins. So this sort of attack requires user interaction to succeed, which is probably why Microsoft only gave it an “Important” severity rating. However, we often see attackers attaching their malware to desirable applications in order to entice victims, and users often click “OK” without thinking. Attackers could easily inject their malicious code into a popular or cool skin, which might lure one of your users into viewing it. We recommend that you patch this flaw as soon as you can.
Solution Path
Microsoft has released patches correcting these Windows Media Player vulnerabilities. You should download, test, and deploy the appropriate patches as soon as possible.
- Windows Media Player 7.1
- Windows Media Player 9
- Windows Media Player 10
- Windows Media Player 11
For All WatchGuard Users:
You can mitigate the risk of these vulnerabilities by configuring your WatchGuard Firebox to block WMP skins (.WMD and .WMZ files) using its SMTP and HTTP proxies. Keep in mind, blocking skin files will prevent your users from downloading any WMP skins, whether legitimate or malicious. For most organizations, media player skins are not needed to accomplish the corporate mission, so you should apply the patches.
If you want to block .WMD and WMZ files, follow the links below for instructions:
- Firebox X Edge running 8.5
- Firebox III and X Core running WFS
- Firebox X Core and X Peak running Fireware Pro
- Vclass
- SMTP Proxy. You’ll have to create or adjust a custom proxy action based on SMTP-Incoming in order to strip .WMD and .WMZ files. If you have created your own Proxy Action based on SMTP-Incoming, you can edit it so that it blocks these files. In the Vcontroller software, click the Proxies button and double-click your custom proxy action. Under the Content Checking tab, change “Category” to Attachment Filename and click either the Add to Top or Insert After button (only one or the other will display). Next, type “WMD_files” as the new rule’s name, and choose Pattern Match. Next to Pattern Match, type “*.WMD” and select Strip as the Action. Repeat these steps for .WMZ files as well. Now you can apply this new Proxy Action to your SMTP rule to ensure your Firebox blocks .WMD and .WMZ files.
- HTTP Proxy. You’ll have to create or adjust a custom proxy action based on HTTP-Outgoing in order to strip .WMD and .WMZ files. If you have created your own Proxy Action based on HTTP-Outgoing, you can edit it so that it blocks these files. In the Vcontroller software, click the Proxies button and double-click your custom proxy action. Under the Request General tab, change “Category” to URL Paths and click on Add. Next, type “WMD_files” as the new rule’s name, and choose Pattern Match. Next to Pattern Match, type “*.WMD” and select Strip as the Action. Repeat these steps for .WMZ files as well. Now you can apply this new Proxy Action to your HTTP rule to ensure your Firebox blocks .WMD and .WMZ files.
Status:
Microsoft has released patches for Windows Media Player, correcting these issues.
References:
- Microsoft Security Bulletin MS07-047