-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2002.362 -- Microsoft Security Bulletin MS02-032 (Version 2.0)
26 June 2002 Cumulative Patch for Windows Media Player (Q320920)
25 July 2002

===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:           Microsoft Windows Media Player for Windows XP
                   Microsoft Windows Media Player 7.1
                   Microsoft Windows Media Player 6.4
Vendor:            Microsoft
Operating System:  Windows
Impact:            Execute Arbitrary Code/Commands
                   Increased Privileges
Access Required:   Remote
                   Existing Account

Ref:               ESB-2002.317

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----

- - ----------------------------------------------------------------------
Title:      26 June 2002 Cumulative Patch for Windows Media Player (Q320920)
Released:   26 June 2002
Revised:    24 July 2002 (version 2.0)
Software:   Microsoft Windows Media Player 6.4, Microsoft Windows Media Player 7.1, Microsoft Windows Media Player for Windows XP
Impact:     Three vulnerabilities, first reported on June 26 2002, the most serious of which could be used to run code of attacker's choice.
Max Risk:   Critical
Bulletin:   MS02-032

Microsoft encourages customers to review the Security Bulletin at: http://www.microsoft.com/technet/security/bulletin/MS01-032.asp.
- - ----------------------------------------------------------------------

Reason for Revision:
====================
On June 26, 2002, Microsoft released the original version of this bulletin, which described the patch it provided as being cumulative. We subsequently discovered that a file had been inadvertently omitted from the patch. While the omission had no effect on the effectiveness of the patch against the new vulnerabilities discussed below, it did mean that the patch was not cumulative.
Specifically, the original patch did not include all of the fixes discussed in Microsoft Security Bulletin MS01-056. We have repackaged the patch to include the file and are re-releasing it to ensure that it truly is cumulative.

If you applied the patch delivered in Microsoft Security Bulletin MS01-056 and the one that was distributed with the original version of this bulletin, you're fully protected against all known vulnerabilities in Windows Media Player and don't need to take any action. Otherwise, we recommend that you apply the new version of the patch provided in MS02-032.

Issue:
======
The patch includes the functionality of all previously released patches for Windows Media Player 6.4, 7.1 and Windows Media Player for Windows XP. In addition, it eliminates the following three newly discovered vulnerabilities, one of which is rated as critical severity, one of which is rated moderate severity, and the last of which is rated low severity:

- An information disclosure vulnerability that could provide the means to enable an attacker to run code on the user's system and is rated as critical severity.

- A privilege elevation vulnerability that could enable an attacker who can physically log on locally to a Windows 2000 machine and run a program to obtain the same rights as the operating system.

- A script execution vulnerability that could run a script of an attacker's choice as if the user had chosen to run it after playing a specially formed media file and then viewing a specially constructed web page. This particular vulnerability has specific timing requirements that make attempts to exploit the vulnerability difficult and is rated as low severity.

It also introduces a configuration change relating to file extensions associated with Windows Media Player.
Finally, it introduces a new, optional, security configuration feature for users or organizations that want to take extra precautions beyond applying IE patch MS02-023 and want to disable scripting functionality in the Windows Media Player for versions 7.x or higher.

Mitigating Factors:
====================
Cache Path Disclosure via Windows Media Player:

- Customers who have applied MS02-023 are protected against attempts to automatically exploit this issue through HTML email when they read email in the Restricted Sites zone. Outlook 98 and Outlook 2000 with the Outlook Email Security Update, Outlook 2002 and Outlook Express 6.0 all read email in the Restricted Sites zone by default.

- The vulnerability does not affect media files opened from the local machine. As a result of this, users who download and save files locally are not affected by attempts to exploit this vulnerability.

Privilege Elevation through Windows Media Device Manager Service:

- This issue affects only Windows Media Player 7.1; it does not affect Windows Media Player for Windows XP nor Windows Media Player 6.4.

- The vulnerability only affects Windows Media Player 7.1 when run on Windows 2000; it does not impact systems that have no user security model such as Windows 98 or Windows ME systems.

- This issue only affects console sessions; users who log on via terminal sessions cannot exploit this vulnerability.

- An attacker must be able to load and run a program on the system. Anything that prevents an attacker from loading or running a program could protect against attempts to exploit this vulnerability.

Media Playback Script Invocation:

- A successful attack requires that a specific series of actions be followed in exact order, otherwise the attack will fail. Specifically:
  - A user must play a specially formed media file from an attacker.
  - After playing the file, the user must shut down Windows Media Player without playing another file.
  - The user must then view a web page constructed by the attacker.

Risk Rating of new vulnerabilities:
============
- Internet systems: Low
- Intranet systems: Low
- Client systems: Critical

Aggregate Risk Rating (including issues addressed in previously released patches):
- Internet systems: Critical
- Intranet systems: Critical
- Client systems: Critical

Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read the Security Bulletin at http://www.microsoft.com/technet/security/bulletin/ms02-032.asp for information on obtaining this patch.

Acknowledgment:
===============
- jelmer for reporting the Cache Path Disclosure via Windows Media Player.
- The Research Team of Security Internals (www.securityinternals.com) for reporting Privilege Elevation through Windows Media Device Manager Service.
- Elias Levy, Chief Technical Officer, SecurityFocus (http://www.securityfocus.com/), for reporting the Media Playback Script Invocation.

- - ---------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

- -----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to use any or all of this information is the responsibility of each user or organisation, and should be done so in accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the original authors to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/Information/advisories.html

If you believe that your system has been compromised, contact AusCERT or your representative in FIRST (Forum of Incident Response and Security Teams).

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST).
                On call after hours for member emergencies.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

-----END PGP SIGNATURE-----