Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2008.1107 -- [Win] MS08-076 - Important - Vulnerabilities in Windows Media Components Could Allow Remote Code Execution 10 December 2008 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Windows Media Player 6.4 Windows Media Format Runtime 7.1 Windows Media Format Runtime 9.0 Windows Media Format Runtime 9.5 Windows Media Format Runtime 9.5 x64 Edition Windows Media Format Runtime 11 Windows Media Format Runtime 11 x64 Edition Windows Media Services 4.1 Windows Media Services 9 Series Microsoft Windows 2000 Service Pack 4 Microsoft Windows 2000 Server Service Pack 4 Windows XP Service Pack 2 Windows XP Service Pack 3 Windows XP Professional x64 Edition Windows XP Professional x64 Edition Service Pack 2 Windows Server 2003 Service Pack 1 Windows Server 2003 Service Pack 2 Windows Server 2003 x64 Edition Windows Server 2003 x64 Edition Service Pack 2 Windows Vista Windows Vista Service Pack 1 Windows Vista x64 Edition Windows Vista x64 Edition Service Pack 1 Windows Server 2008 for 32-bit Systems* Windows Server 2008 for x64-based Systems Publisher: Microsoft Operating System: Windows Impact: Execute Arbitrary Code/Commands Access Privileged Data Access: Remote/Unauthenticated CVE Names: CVE-2008-3009 CVE-2008-3010 Original Bulletin: http://www.microsoft.com/technet/security/bulletin/ms08-076.mspx - --------------------------BEGIN INCLUDED TEXT-------------------- Microsoft Security Bulletin MS08-076 - Important Vulnerabilities in Windows Media Components Could Allow Remote Code Execution (959807) Published: December 9, 2008 Version: 1.0 General Information Executive Summary This security update resolves two privately reported vulnerabilities in the following Windows Media components: Windows Media Player, Windows Media Format Runtime, and Windows Media Services. The most severe vulnerability could allow remote code execution. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. This security update is rated Important for Windows Media Player 6.4, Windows Media Format Runtime 7.1, Windows Media Format Runtime 9.0, Windows Media Format Runtime 9.5, Windows Media Format Runtime 11, Windows Media Services 4.1, Windows Media Services 9 Series, and Windows Media Services 2008. For more information, see the subsection, Affected and Non-Affected Software, in this section. The security update addresses the first vulnerability by modifying the way that Windows Media authentication replies are validated. The security update addresses the second vulnerability by ensuring that Windows Media clients treat servers using ISATAP addresses as external. For more information about the vulnerabilities, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information. Recommendation. Microsoft recommends that customers apply the update at the earliest opportunity. Known Issues. None Affected Software Windows Media Player 6.4 Windows Media Format Runtime 7.1 Windows Media Format Runtime 9.0 Windows Media Format Runtime 9.5 Windows Media Format Runtime 9.5 x64 Edition Windows Media Format Runtime 11 Windows Media Format Runtime 11 x64 Edition Windows Media Services 4.1 Windows Media Services 9 Series Windows Media Services 2008 Microsoft Windows 2000 Service Pack 4 Microsoft Windows 2000 Server Service Pack 4 Windows XP Service Pack 2 Windows XP Service Pack 3 Windows XP Professional x64 Edition Windows XP Professional x64 Edition Service Pack 2 Windows Server 2003 Service Pack 1 Windows Server 2003 Service Pack 2 Windows Server 2003 x64 Edition Windows Server 2003 x64 Edition Service Pack 2 Windows Vista Windows Vista Service Pack 1 Windows Vista x64 Edition Windows Vista x64 Edition Service Pack 1 Windows Server 2008 for 32-bit Systems* Windows Server 2008 for x64-based Systems * Windows Server 2008 server core installation affected. For supported editions of Windows Server 2008, this update applies, with the same severity rating, whether or not Windows Server 2008 was installed using the Server Core installation option. Vulnerability Information SPN Vulnerability - CVE-2008-3009 A credential reflection vulnerability exists in the Windows Media components that could allow an attacker to execute code with the same rights as the local user or with Windows Media Services distribution credentials. The vulnerability exists due to weaknesses in Service Principal Name (SPN) implementations within Windows Media components. ISATAP Vulnerability - CVE-2008-3010 An information disclosure vulnerability exists in supported versions of Windows Media components that could result in the disclosure of NTLM credentials. Any Windows Media component that accesses a URL that uses an ISATAP address could leak the users NTLM credentials to the server that hosts the URL. This could allow an attacker who is external to the intranet zone to gather NTLM credentials for an enterprise environment. - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 If you believe that your computer system has been compromised or attacked in any way, we encourage you to let us know by completing the secure National IT Incident Reporting Form at: http://www.auscert.org.au/render.html?it=3192 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQCVAwUBST8oyyh9+71yA2DNAQJ85wQAgpb5+2CZwoFpCpXoJAYF4Eo7BW0mSfeS Vcm6MkU0F1bEUBbDrKnPEjF+g6qdw7LryKUBg2sPCMMswmJTO76nXeM3hcAtqY8M vatK1gP9ALc71vHm/cqldu4bLdZaYJeYIk9+5520ghK3/Z276TXrbAbDnmmxGyMH /AB1OJ8QXfk= =OnqZ -----END PGP SIGNATURE-----