MS03-017: Flaw in Windows Media Player skins downloading could allow code execution

Article ID: 817787

SYMPTOMS

Microsoft Windows Media Player provides functionality to change the overall appearance of the player itself through the use of "skins". Skins are custom overlays that are made up of collections of one or more files of computer art that is organized by an XML file. The XML file tells Windows Media Player how to use these files to display a skin as the user interface. In this manner, the user can choose from a variety of standard skins. Each skin provides an additional visual experience. Although Windows Media Player comes with several standard skins that users can choose, it is relatively easy to create and distribute custom skins.

A flaw exists in the way Windows Media Player 7.1 and Windows Media Player for Windows XP handle the download of skin files. The flaw means that a malicious user (referred to as an "attacker") could force a file that masquerades as a skin file into a known location on a user's computer. This could allow an attacker to save and then start a malicious executable file on the system.

To exploit this flaw, an attacker would have to host a Web site that contained a Web page that is designed to exploit this particular vulnerability. The attacker would then have to persuade a user to visit that Web site; an attacker would have no way to force a user to the site. An attacker could also embed the link in an HTML e-mail and send it to the user.

If the attacker uses e-mail, and if the user was using Outlook Express 6.0 or Outlook 2002 in their default configurations, or was using Outlook 98 or Outlook 2000 in conjunction with the Outlook E-mail Attachment Security Update, an attack could not be automated and the user would still have to click a URL that was received in the e-mail. However, if the user was not using Outlook Express 6.0 or Outlook 2002 in their default configurations, or was not using Outlook 98 or Outlook 2000 in conjunction with the Outlook E-mail Attachment Security Update, the attacker could cause an attack to trigger automatically without the user having to click a URL contained in an e-mail.

For additional information about the Outlook E-mail Attachment Security Update, click the following article number to view the article in the Microsoft Knowledge Base:
235309 (http://support.microsoft.com/kb/235309/EN-US/) Outlook E-mail Attachment Security Update

In both the Web-based case and the e-mail-based case, any limitations on the user's privileges would also restrict the capabilities of the attacker's script.

Mitigating Factors

RESOLUTION

Service pack information
To resolve this problem, obtain the latest service pack for Microsoft Windows XP. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
322389 (http://support.microsoft.com/kb/322389/) How to obtain the latest Windows XP service pack

Security patch information
For more information about how to resolve this vulnerability, click the appropriate link below:

Windows Media Player for Windows XP

Download Information
The following file is available for download from the Microsoft Download Center:
(http://www.microsoft.com/downloads/details.aspx?FamilyId=E311DF50-0633-4100-AB37-D7A68D51182F&displaylang=en)

Release Date: May 7, 2003

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 (http://support.microsoft.com/kb/119591/EN-US/) How to Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

Prerequisites
This patch requires the released version of Windows XP or Windows XP Service Pack 1 (SP1). For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
322389 (http://support.microsoft.com/kb/322389/) How to obtain the latest Windows XP service pack

Installation information
This patch supports the following Setup switches:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows Media Player\wm817787

Deployment information
To install the patch without any user intervention, use the following command line:

    windowsmedia8-kb817787-x86-enu /q:a

To install the patch without forcing the computer to restart, use the following command line:

    windowsmedia8-kb817787-x86-enu /r:n

Note You can combine these switches into one command line.

For information about how to deploy this patch with Software Update Services, visit the following Microsoft Web site:
Software Update Services Overview White Paper (http://technet.microsoft.com/en-us/wsus/bb466201.aspx)

Restart requirement
You do not have to restart your computer after you apply this patch unless Windows Media Player is running in the background.

Removal information
You cannot remove this patch.

Patch replacement information
This patch does not replace any other patches.

File information
The English version of this patch has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

    Date         Time   Version      Size     File name
    ------------------------------------------------------
    11-Apr-2003  19:11  8.0.0.4490   520,192  Wmplayer.exe

Files to support installation
The following files are included to support the installation of the patch.

    Date         Time   Size   File name
    ---------------------------------------
    18-Apr-2003  21:44    755  Wmplayer.inf
    18-Apr-2003  20:55  1,428  Wmqfe.inf

Files included for file dependency reasons
The following files are included due to file dependencies.

    Date         Time   Version      Size    File name
    -----------------------------------------------------
    18-Aug-2001  02:43  6.0.2600.0   91,136  Advpack.dll
    14-Jan-2002  22:58  5.1.2600.27  28,160  Msoobci.dll
    06-Jun-2000  20:43  4.71.704.0    2,272  W95inf16.dll
    06-Jun-2000  20:43  4.71.16.0     4,608  W95inf32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows Media Player\wm817787\Filelist

Windows Media Player 7.1

Download Information
The following file is available for download from the Microsoft Download Center:
(http://microsoft.com/downloads/details.aspx?FamilyId=012F143A-77D1-4F6F-9338-5A6332614532&displaylang=en)

Release Date: May 7, 2003

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 (http://support.microsoft.com/kb/119591/EN-US/) How to Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

Prerequisites
This patch requires Windows 98, Windows 98 Second Edition, Windows Millennium Edition, or Windows 2000.

Installation information
This patch supports the following Setup switches:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows Media Player\wm817787

Deployment information
To install the patch without any user intervention, use the following command line:

    windowsmedia71-kb817787-x86-enu /q:a

To install the patch without forcing the computer to restart, use the following command line:

    windowsmedia71-kb817787-x86-enu /r:n

Note You can combine these switches into one command line.

Restart requirement
You do not have to restart your computer after you apply this patch unless Windows Media Player is running in the background.

Removal information
You cannot remove this patch.

Patch replacement information
This patch does not replace any other patches.

File information
The English version of this patch has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

    Date         Time   Version      Size     File name
    ------------------------------------------------------
    18-Apr-2003  03:09  7.10.0.3074  348,160  Wmplayer.exe

Files to support installation
The following file is included to support the installation of the patch.

    Date         Time   Version  Size   File name
    --------------------------------------------------
    18-Apr-2003  18:07           1,752  Wmqfe.inf

Files included for file dependency reasons
The following files are included due to file dependencies.

    Date         Time   Version     Size    File name
    ------------------------------------------------------
    18-Aug-2001  02:43  6.0.2600.0  91,136  Advpack.dll
    06-Jun-2000  20:43  4.71.704.0   2,272  W95inf16.dll
    06-Jun-2000  20:43  4.71.16.0    4,608  W95inf32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows Media Player\wm817787\Filelist

STATUS

Microsoft has confirmed that this problem may cause a degree of security vulnerability in the Microsoft products that are listed in the "Applies to" section. This problem was first corrected in Microsoft Windows XP Service Pack 2.

MORE INFORMATION

For more information about this vulnerability, visit the following Microsoft Web site:
http://www.microsoft.com/technet/security/bulletin/MS03-017.mspx
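
The "File information" tables in this article give the patched Wmplayer.exe version "(or later)" for each player. As an added example that is not part of the Microsoft article, the following Python compares inventoried Wmplayer.exe file versions against those two baselines; the host names, the sample versions other than the two baselines, and the choice to select the baseline by major version number are assumptions.

```python
# Added example, not Microsoft's code. Baselines are the patched Wmplayer.exe
# versions from the article's "File information" tables. Selecting a baseline
# by major version number is an assumption of this example.
BASELINES = {
    7: (7, 10, 0, 3074),  # Windows Media Player 7.1
    8: (8, 0, 0, 4490),   # Windows Media Player for Windows XP
}


def parse_version(text):
    """Parse a dotted four-part file version such as '8.0.0.4490'."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part file version: {text!r}")
    return tuple(int(p) for p in parts)


def classify(version_text):
    """Compare one Wmplayer.exe version with the article's baseline."""
    try:
        version = parse_version(version_text)
    except ValueError:
        return "unparseable"      # inventory gap: needs a manual look
    baseline = BASELINES.get(version[0])
    if baseline is None:
        return "not-covered"      # player branch this article does not list
    # "(or later)": equal to or newer than the baseline counts as patched.
    return "at-or-above-baseline" if version >= baseline else "below-baseline"


def audit(inventory):
    """Group (host, version) pairs by status, preserving input order."""
    report = {}
    for host, version_text in inventory:
        report.setdefault(classify(version_text), []).append(host)
    return report


# Constructed sample inventory: host names are made up, and only the two
# baseline versions come from the article.
SAMPLE = [
    ("ws-01", "8.0.0.4490"), ("ws-02", "8.0.0.4477"),
    ("ws-03", "7.10.0.3074"), ("ws-04", "7.1.0.3055"),
    ("ws-05", "9.0.0.2980"), ("ws-06", "unknown"),
]

if __name__ == "__main__":
    for status, hosts in sorted(audit(SAMPLE).items()):
        print(f"{status:22} {', '.join(hosts)}")
```

Tuple comparison keeps the check numeric, so 7.10.0.3074 is correctly treated as newer than 7.1.0.3055, which a plain string comparison would not guarantee.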








