From secnotif@MICROSOFT.COM Tue Nov 20 20:28:44 2001
From: Microsoft Product Security
To: MICROSOFT_SECURITY@ANNOUNCE.MICROSOFT.COM
Date: Mon, 19 Nov 2001 17:42:03 -0800
Subject: Microsoft Security Bulletin MS01-056

The following is a Security Bulletin from the Microsoft Product Security Notification Service.

Please do not reply to this message, as it was sent from an unattended mailbox.

********************************

-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------
Title: Windows Media Player .ASF Processor Contains Unchecked Buffer
Date: 20 November 2001
Software: Windows Media Player
Impact: Run code of attacker's choice
Max Risk: Critical
Bulletin: MS01-056

Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS01-056.asp.
- ----------------------------------------------------------------------

Issue:
======
One of the streaming media formats supported by Windows Media Player is Advanced Streaming Format (ASF). A security vulnerability occurs in Windows Media Player 6.4 because the code that processes ASF files contains an unchecked buffer. By creating a specially malformed ASF file and inducing a user to play it, an attacker could overrun the buffer, with either of two results: in the simplest case, Windows Media Player 6.4 would fail; in the more complex case, code chosen by the attacker could be made to run on the user's computer, with the privileges of the user.

The scope of this vulnerability is rather limited. It affects only Windows Media Player 6.4, and can only be exploited by the user opening and deliberately playing an ASF file. There is no capability to exploit this vulnerability via email or a web page. However, the patch eliminates additional vulnerabilities.
Specifically, it eliminates all known vulnerabilities affecting Windows Media Player 6.4 - discussed in Microsoft Security Bulletins MS00-090, MS01-029, and MS01-042 - as well as some additional variants of these vulnerabilities that were discovered internally by Microsoft. Some of these vulnerabilities could be exploited via email or a web page. In addition, some affect components of Windows Media Player 6.4 that, for purposes of backward compatibility, ship with Windows Media Player 7 and 7.1. We therefore recommend that customers running any of these versions of Windows Media Player apply the patch to ensure that they are fully protected against all known vulnerabilities.

Windows Media Player for Windows XP includes components of Windows Media Player 6.4, but they are not affected by the ASF buffer overrun or by any of the other vulnerabilities discussed in the security bulletins listed above. However, the version 6.4 components that ship with Windows Media Player for Windows XP are affected by some of the newly discovered variants of these vulnerabilities. Rather than installing this patch, however, we recommend that customers install the 25 October 2001 Critical Update for Windows XP.

Mitigating Factors:
====================
 - Windows Media Player runs in the security context of the user, rather than as a system component. At best, an attacker could gain the privileges of the user on the system. Systems configured in accordance with the least privilege principle would be at less risk from this vulnerability.
 - The vulnerability could only be exploited if the user opened and played an affected ASF file.
 - The attacker would need to know the specific operating system that the user was running in order to tailor the attack code properly; if the attacker made an incorrect guess about the user's operating system platform, the attack would crash the user's Windows Media Player session, but not run code of the attacker's choice.

Risk Rating:
============
 - Internet systems: Critical
 - Intranet systems: Critical
 - Client systems: Critical

Patch Availability:
===================
 - A patch is available to fix this vulnerability. Please read the Security Bulletin at http://www.microsoft.com/technet/security/bulletin/ms01-056.asp for information on obtaining this patch.

- ---------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQEVAwUBO/mvQY0ZSRQxA/UrAQFx9wgArkc5gTwjgy5aS2aZuC27gmPq527gEQ2A
ii7sfFeO+EpoABxRpJK/Tauwr5EMh+tfHdrZQttkv4Wnbd8QyI6yfY0l79xxBwAE
Md6h4OdUx3yCIZSbN69ZCUusUKidwqzl7VbWI+9Tdsm4QHhP4VrL5/C5ZbuxPXQ9
2gbFYtLTxPNSvtONiStQbSnFSTQdsdsytN4YpGLqdtmkBHTTbjXRp6mmk1DmUMD2
BR7+Saf2knoSMW6SKYZRgEV0UQleom0qDWltGUDuxs2eSUFmpL9Hn3t+GlyYhtbO
S4lc9z5vqA3NGb0oeG2NyI2SspwEckoTtxf2gdyOZIe7OtLNtno9pg==
=uEWm
-----END PGP SIGNATURE-----

*******************************************************************

You have received this e-mail bulletin as a result of your registration to the Microsoft Product Security Notification Service.
You may unsubscribe from this e-mail notification service at any time by sending an e-mail to MICROSOFT_SECURITY-SIGNOFF-REQUEST@ANNOUNCE.MICROSOFT.COM
The subject line and message body are not used in processing the request, and can be anything you like.

To verify the digital signature on this bulletin, please download our PGP key at http://www.microsoft.com/technet/security/notify.asp.

For more information on the Microsoft Security Notification Service please visit http://www.microsoft.com/technet/security/notify.asp.

For security-related information about Microsoft products, please visit the Microsoft Security Advisor web site at http://www.microsoft.com/security.
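
Added illustration, not part of the bulletin and not Microsoft's code: the bulletin does not say which ASF field goes unchecked, so this C example shows the general class of length check on an ASF-style object (a 16-byte GUID followed by a 64-bit little-endian size that includes the 24-byte header). The helper name asf_copy_payload and the sample bytes are assumptions constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ASF_OBJ_HDR 24u  /* 16-byte GUID + 64-bit little-endian object size */

/* Read a 64-bit little-endian integer byte by byte (no alignment assumptions). */
static uint64_t rd_le64(const uint8_t *p)
{
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--)
        v = (v << 8) | p[i];
    return v;
}

/*
 * Hypothetical helper: copy the payload of one ASF-style object into a
 * fixed-size buffer. An unchecked parser would copy (size - 24) bytes
 * straight from the file; here every length is validated first.
 * Returns 0 on success, -1 if the object is malformed or does not fit.
 */
int asf_copy_payload(const uint8_t *obj, size_t avail,
                     uint8_t *dst, size_t dst_cap, size_t *out_len)
{
    if (avail < ASF_OBJ_HDR)
        return -1;                        /* truncated header */
    uint64_t size = rd_le64(obj + 16);    /* untrusted value read from the file */
    if (size < ASF_OBJ_HDR || size > avail)
        return -1;                        /* size underflows or overstates the input */
    uint64_t payload = size - ASF_OBJ_HDR;
    if (payload > dst_cap)
        return -1;                        /* would overrun the destination */
    memcpy(dst, obj + ASF_OBJ_HDR, (size_t)payload);
    *out_len = (size_t)payload;
    return 0;
}

int main(void)
{
    /* Constructed sample: zero GUID, declared size 0x1000, only 32 bytes present. */
    uint8_t obj[32] = {0}, dst[8];
    size_t n = 0;
    obj[17] = 0x10;
    int rc = asf_copy_payload(obj, sizeof obj, dst, sizeof dst, &n);
    printf("oversized object: %d\n", rc);
    obj[16] = 32; obj[17] = 0;            /* honest size: 8-byte payload */
    rc = asf_copy_payload(obj, sizeof obj, dst, sizeof dst, &n);
    printf("valid object: %d (%zu bytes)\n", rc, n);
    return 0;
}
```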