-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
             AUSCERT External Security Bulletin Redistribution

           ESB-2003.0350 -- Microsoft Security Bulletin MS03-017
              Flaw in Windows Media Player Skins Downloading
                   Could Allow Code Execution (817787)
                                08 May 2003

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:                Windows Media Player 8
                        Windows Media Player 7.1
Publisher:              Microsoft
Operating System:       Windows XP
                        Windows ME
                        Windows 2000
                        Windows NT
                        Windows 98/98SE
Impact:                 Create Arbitrary Files
                        Execute Arbitrary Code/Commands
Access Required:        Remote
CVE Names:              CAN-2003-0228

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----

- - --------------------------------------------------------------------
Title:      Flaw in Windows Media Player Skins Downloading
            could allow Code Execution (817787)
Date:       07 May 2003
Software:   Microsoft Windows Media Player 7.1 
            Microsoft Windows Media Player for Windows XP
            (Version 8.0)
Impact:     Arbitrary code execution 
Max Risk:   Critical
Bulletin:   MS03-017

Microsoft encourages customers to review the Security Bulletins at: 
http://www.microsoft.com/technet/security/bulletin/MS03-017.asp
http://www.microsoft.com/security/security_bulletins/ms03-017.asp
- - --------------------------------------------------------------------

Issue:
======
Microsoft Windows Media Player provides functionality to change the
overall appearance of the player itself through the use of "skins".
Skins are custom overlays that consist of collections of one or
more files of computer art, organized by an XML file. The XML file
tells Windows Media Player how to use these files to display a skin
as the user interface. In this manner, the user can choose from a
variety of standard skins, each one providing an additional visual
experience. Windows Media Player comes with several skins to choose
from, but it is relatively easy to create and distribute custom
skins. 

A flaw exists in the way Windows Media Player 7.1 and Windows
Media Player for Windows XP handle the download of skin files.
The flaw means that an attacker could force a file masquerading
as a skin file into a known location on a user's machine.
This could allow an attacker to place a malicious executable
on the system. 

In order to exploit this flaw, an attacker would have to host a
malicious web site that contained a web page designed to exploit
this particular vulnerability and then persuade a user to visit
that site - an attacker would have no way to force a user to the
site. An attacker could also embed the link in an HTML e-mail and
send it to the user. 

In the case of an e-mail-borne attack, if the user was using
Outlook Express 6.0 or Outlook 2002 in their default
configurations, or Outlook 98 or 2000 in conjunction with the
Outlook Email Security Update, then an attack could not be
automated and the user would still need to click on a URL sent
in the e-mail. However, if the user was not using Outlook Express
6.0 or Outlook 2002 in their default configurations, or Outlook
98 or 2000 in conjunction with the Outlook Email Security Update,
the attacker could mount an attack that both places and then
launches the malicious executable without the user having to
click on a URL contained in an e-mail.

The attacker's code would run with the same privileges as the
user: any restrictions on the user's ability to change the system
would apply to the attacker's code.
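
A defensive check for the condition described above (a file masquerading as a skin file in a known location), as an added example that is not part of the Microsoft or AusCERT text: it judges every file in a skins folder by content rather than by name. It assumes packaged skins are .wmz ZIP archives that contain a .wms XML definition; the function names and the sample files are constructed for illustration.

```python
import os
import tempfile
import zipfile

def classify(path):
    """Verdict for one file found in a skins folder, judged by content, not name."""
    with open(path, "rb") as fh:
        head = fh.read(64)
    ext = os.path.splitext(path)[1].lower()
    if head.startswith(b"MZ"):                 # DOS/PE executable header
        return "executable"
    if ext == ".wmz":                          # packaged skin: must be a ZIP...
        if not zipfile.is_zipfile(path):
            return "not-a-zip"
        with zipfile.ZipFile(path) as zf:      # ...that carries a .wms definition
            names = [n.lower() for n in zf.namelist()]
        return "ok" if any(n.endswith(".wms") for n in names) else "no-skin-definition"
    if ext == ".wms":                          # skin definition: must look like XML
        text = head.lstrip(b"\xef\xbb\xbf \t\r\n")
        return "ok" if text.startswith(b"<") else "not-xml"
    return "unexpected-type"

def audit_skins_dir(directory):
    """Map file name -> verdict for every file that is not a well-formed skin."""
    findings = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            verdict = classify(path)
            if verdict != "ok":
                findings[name] = verdict
    return findings

def demo():
    """Build a constructed skins folder and audit it."""
    with tempfile.TemporaryDirectory() as d:
        with zipfile.ZipFile(os.path.join(d, "good.wmz"), "w") as zf:
            zf.writestr("good.wms", "<theme></theme>")       # constructed content
        samples = {"fake.wmz": b"MZ\x90\x00" + b"\x00" * 60,  # PE header, skin name
                   "junk.wmz": b"plain text, not an archive",
                   "plain.wms": b"<theme></theme>",
                   "tool.exe": b"MZ\x90\x00"}
        for name, data in samples.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(data)
        return audit_skins_dir(d)

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Run `audit_skins_dir` against the player's skins folder on hosts that have not yet been patched; any finding other than an empty result deserves a look.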

Mitigating Factors:
====================
 - Windows Media Player 9 Series is not affected by this issue.
 
 - By default, Outlook Express 6.0 and Outlook 2002 open HTML
   mails in the Restricted Sites Zone. In addition, Outlook 98
   and 2000 open HTML mails in the Restricted Sites Zone if the
   Outlook Email Security Update has been installed. Customers
   who use any of these products would be at no risk from an
   e-mail-borne attack that attempted to automatically exploit
   these vulnerabilities.
 
 - The attacker would have no way to force users to visit a
   malicious web site. Instead, the attacker would need to
   lure them there, typically by getting them to click on a
   link that would take them to the attacker's site.

Risk Rating:
============
 - Critical 

Patch Availability:
===================
 - A patch is available to fix this vulnerability. Please read the 
   Security Bulletins at
   http://www.microsoft.com/technet/security/bulletin/ms03-017.asp
   http://www.microsoft.com/security/security_bulletins/ms03-017.asp

   for information on obtaining this patch.

Acknowledgment:
===============
 - Microsoft thanks Jouko Pynnonen of Oy Online Solutions Ltd,
   Finland and Jelmer for reporting this issue to us and working
   with us to protect customers.

- - --------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS 
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS 
ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE 
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 
IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE 
FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, 
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF 
MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE 
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION 
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES 
SO THE FOREGOING LIMITATION MAY NOT APPLY.

- -----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.  The decision to use any or all of this information is
the responsibility of each user or organisation, and should be made in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business 
                hours which are GMT+10:00 (AEST).  On call after hours 
                for member emergencies only.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: http://www.auscert.org.au/render.html?it=1967

-----END PGP SIGNATURE-----