Microsoft has issued a cumulative patch to fix three
flaws in its flagship Windows Media Player (WMP) software.
A security bulletin from Microsoft said the
vulnerabilities affected WMP versions 6.4, 7.1 and Windows XP. The most
serious of the three, which deals with an information disclosure problem, is
described as “severe.” The bulletin said exploitation could result in an
attacker executing code on a user’s PC.
The company said the information disclosure vulnerability could allow an
attacker’s code to execute commands that add, change or delete data,
communicate with web sites, or change the configuration of the system.
“The attacker’s code would run with the same privileges as the user: any
restrictions on the user’s ability to change the system would apply to the
attacker’s code. For example, if the user were prevented from deleting files
on the hard drive, the attacker’s code would similarly be prevented.
Conversely, if a user were using an account with high privileges such as an
administrator’s account, the attacker’s code would also run with the same high
privileges,” Microsoft said.
Microsoft said the problem results from a flaw in how WMP handles certain
types of licenses for secure media files when the media file is stored in
the Internet Explorer browser cache. Specifically, when a type of secure
Windows Media file is opened, the media player erroneously returns
information to the server that discloses the location of the IE cache as it
processes the request to the site for the licensing information, the company
said.
The second bug, a privilege elevation vulnerability, could enable an
attacker who can physically log on locally to a Windows 2000 machine and run
a program to obtain the same rights as the operating system.
The warning also pointed to a script execution vulnerability that could run
a script of an attacker’s choice as if the user had chosen to run it after
playing a specially formed media file and then viewing a specially
constructed web page.
“This particular vulnerability has specific timing requirements that make
attempts to exploit the vulnerability difficult and is rated as low severity.”
The cumulative patch also introduces a configuration change relating to file
extensions associated with WMP.
Patches for the vulnerabilities can be found here.