-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                          ESB-2008.1107 -- [Win]
          MS08-076 - Important - Vulnerabilities in Windows Media
               Components Could Allow Remote Code Execution
                             10 December 2008

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Windows Media Player 6.4	
                      Windows Media Format Runtime 7.1
                      Windows Media Format Runtime 9.0
                      Windows Media Format Runtime 9.5
                      Windows Media Format Runtime 9.5 x64 Edition
                      Windows Media Format Runtime 11	
                      Windows Media Format Runtime 11 x64 Edition
                      Windows Media Services 4.1
                      Windows Media Services 9 Series
                      Microsoft Windows 2000 Service Pack 4
                      Microsoft Windows 2000 Server Service Pack 4	
                      Windows XP Service Pack 2
                      Windows XP Service Pack 3
                      Windows XP Professional x64 Edition
                      Windows XP Professional x64 Edition Service Pack 2
                      Windows Server 2003 Service Pack 1 
                      Windows Server 2003 Service Pack 2
                      Windows Server 2003 x64 Edition
                      Windows Server 2003 x64 Edition Service Pack 2
                      Windows Vista
                      Windows Vista Service Pack 1
                      Windows Vista x64 Edition
                      Windows Vista x64 Edition Service Pack 1
                      Windows Server 2008 for 32-bit Systems*
                      Windows Server 2008 for x64-based Systems
Publisher:            Microsoft
Operating System:     Windows
Impact:               Execute Arbitrary Code/Commands
                      Access Privileged Data
Access:               Remote/Unauthenticated
CVE Names:            CVE-2008-3009 CVE-2008-3010

Original Bulletin:    
  http://www.microsoft.com/technet/security/bulletin/ms08-076.mspx

- --------------------------BEGIN INCLUDED TEXT--------------------

Microsoft Security Bulletin MS08-076 - Important
Vulnerabilities in Windows Media Components Could Allow Remote Code 
Execution (959807)

   Published: December 9, 2008

   Version: 1.0

General Information

Executive Summary

   This security update resolves two privately reported vulnerabilities in the 
   following Windows Media components: Windows Media Player, Windows Media 
   Format Runtime, and Windows Media Services. The most severe vulnerability 
   could allow remote code execution. If a user is logged on with 
   administrative user rights, an attacker who successfully exploited this 
   vulnerability could take complete control of an affected system. An attacker 
   could then install programs; view, change, or delete data; or create new 
   accounts with full user rights. Users whose accounts are configured to have 
   fewer user rights on the system could be less impacted than users who 
   operate with administrative user rights.

   This security update is rated Important for Windows Media Player 6.4, 
   Windows Media Format Runtime 7.1, Windows Media Format Runtime 9.0, 
   Windows Media Format Runtime 9.5, Windows Media Format Runtime 11, 
   Windows Media Services 4.1, Windows Media Services 9 Series, and Windows 
   Media Services 2008. For more information, see the subsection, Affected 
   and Non-Affected Software, in this section.

   The security update addresses the first vulnerability by modifying the way 
   that Windows Media authentication replies are validated. The security update 
   addresses the second vulnerability by ensuring that Windows Media clients 
   treat servers using ISATAP addresses as external. For more information about 
   the vulnerabilities, see the Frequently Asked Questions (FAQ) subsection for 
   the specific vulnerability entry under the next section, Vulnerability 
   Information.

   Recommendation. Microsoft recommends that customers apply the update at the 
   earliest opportunity.

   Known Issues. None

Affected Software

   Windows Media Player 6.4	
 	 	 	 
   Windows Media Format Runtime 7.1

   Windows Media Format Runtime 9.0

   Windows Media Format Runtime 9.5

   Windows Media Format Runtime 9.5 x64 Edition

   Windows Media Format Runtime 11	
 
   Windows Media Format Runtime 11 x64 Edition

   Windows Media Services 4.1
	
   Windows Media Services 9 Series

   Windows Media Services 2008

   Microsoft Windows 2000 Service Pack 4

   Microsoft Windows 2000 Server Service Pack 4	

   Windows XP Service Pack 2
   
   Windows XP Service Pack 3
	
   Windows XP Professional x64 Edition 

   Windows XP Professional x64 Edition Service Pack 2
	
   Windows Server 2003 Service Pack 1 

   Windows Server 2003 Service Pack 2
	
   Windows Server 2003 x64 Edition 
   
   Windows Server 2003 x64 Edition Service Pack 2

   Windows Vista 

   Windows Vista Service Pack 1

   Windows Vista x64 Edition
   
   Windows Vista x64 Edition Service Pack 1
 	 	 	
   Windows Server 2008 for 32-bit Systems*
	
   Windows Server 2008 for x64-based Systems

   * Windows Server 2008 server core installation affected. For supported 
   editions of Windows Server 2008, this update applies, with the same 
   severity rating, whether or not Windows Server 2008 was installed using 
   the Server Core installation option.

Vulnerability Information

SPN Vulnerability - CVE-2008-3009

   A credential reflection vulnerability exists in the Windows Media 
   components that could allow an attacker to execute code with the same 
   rights as the local user or with Windows Media Services distribution 
   credentials. The vulnerability exists due to weaknesses in Service 
   Principal Name (SPN) implementations within Windows Media components.
	
ISATAP Vulnerability - CVE-2008-3010

   An information disclosure vulnerability exists in supported versions of 
   Windows Media components that could result in the disclosure of NTLM 
   credentials. Any Windows Media component that accesses a URL that uses an 
   ISATAP address could leak the users NTLM credentials to the server that 
   hosts the URL. This could allow an attacker who is external to the 
   intranet zone to gather NTLM credentials for an enterprise environment.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBST8oyyh9+71yA2DNAQJ85wQAgpb5+2CZwoFpCpXoJAYF4Eo7BW0mSfeS
Vcm6MkU0F1bEUBbDrKnPEjF+g6qdw7LryKUBg2sPCMMswmJTO76nXeM3hcAtqY8M
vatK1gP9ALc71vHm/cqldu4bLdZaYJeYIk9+5520ghK3/Z276TXrbAbDnmmxGyMH
/AB1OJ8QXfk=
=OnqZ
-----END PGP SIGNATURE-----