Windows Media Player .ASF Processor Contains Unchecked Buffer
This article was previously published under Q308567

SYMPTOMS
Advanced Streaming Format (ASF) is one of the streaming media formats that is supported by Windows Media Player. A security vulnerability occurs in Windows Media Player 6.4 because the code that processes ASF files contains an unchecked buffer. By creating a specially malformed ASF file and inducing a user to play it, an attacker could overrun the buffer, with two possible results. In the simplest case, Windows Media Player 6.4 would stop working, and in the more complex case, code that was chosen by the attacker could be made to run on the user's computer, with the privileges of the user.

The scope of this vulnerability is rather limited. It affects only Windows Media Player 6.4, and can only be exploited by the user opening and deliberately playing an ASF file. There is no capability to exploit this vulnerability by using e-mail messages or a Web page.

The patch that is described in this article eliminates additional vulnerabilities. Specifically, it eliminates all known vulnerabilities affecting Windows Media Player 6.4 that are described in the following Microsoft Security Bulletins as well as some additional variants of these vulnerabilities that were discovered internally by Microsoft.

MS00-090 (http://www.microsoft.com/technet/security/bulletin/ms00-090.mspx)
MS01-029 (http://www.microsoft.com/technet/security/bulletin/ms01-029.mspx)
MS01-042 (http://www.microsoft.com/technet/security/bulletin/ms01-042.mspx)

Some of these vulnerabilities could be exploited by using e-mail messages or a Web page. In addition, some of the affected components of Windows Media Player 6.4 (for purposes of backward compatibility) are included with Windows Media Player 7 and 7.1. Because of this, Microsoft recommends that customers that are running any of these versions of Windows Media Player apply the patch to ensure that they are fully protected against all known vulnerabilities.

Windows Media Player for Windows XP includes components of Windows Media Player 6.4, but they are not affected by the ASF buffer overrun or by any of the other vulnerabilities that are described in the preceding security bulletins. However, the version 6.4 components that are included with Windows Media Player for Windows XP are affected by some of the newly discovered variants of these vulnerabilities. Rather than installing this patch, however, Microsoft recommends that customers install the October 25, 2001 Critical Update for Windows XP. For additional information about this package, click the article number below to view the article in the Microsoft Knowledge Base:

309521 (http://support.microsoft.com/kb/309521/EN-US/) Windows XP Update Package, October 25, 2001
Mitigating Factors
CAUSE
This vulnerability can occur because of an unchecked buffer in a section of Windows Media Player that handles .ASF files. By including a particular type of malformed entry in an ASF file, an attacker could cause chosen code to run when a user plays the file.

RESOLUTION

Microsoft Windows Media Player for Windows XP

A supported fix is now available from Microsoft, but it is only intended to correct the problem that is described in this article. Apply it only to computers that you determine are at risk of attack. Evaluate your computer's physical accessibility, network and Internet connectivity, and other factors to determine the degree of risk to your computer. See the associated Microsoft Security Bulletin (http://www.microsoft.com/technet/security/bulletin/ms01-056.mspx) to help determine the degree of risk. This fix may receive additional testing. If your computer is sufficiently at risk, Microsoft recommends that you apply this fix now. Otherwise, wait for the next Windows XP service pack that contains this fix.

To resolve this problem immediately, download the fix by following the instructions later in this article or contact Microsoft Product Support Services to obtain the fix. For a complete list of Microsoft Product Support Services phone numbers and information about support costs, visit the following Microsoft Web site:

http://support.microsoft.com/default.aspx?scid=fh;EN-US;CNTACTMS

NOTE: In special cases, charges that are ordinarily incurred for support calls may be canceled if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question.

This update is available on the Microsoft Windows Update Web site. Download the "Windows XP Update Package, October 25, 2001" update now (http://windowsupdate.microsoft.com/)

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 (http://support.microsoft.com/kb/119591/EN-US/) How to Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most
current virus-detection software that was available on the date that the file
was posted. The file is stored on security-enhanced servers that help to
prevent any unauthorized changes to the file.

The English version of this fix should have the following file attributes or later:

Date         Time   Version     Size     File name
---------------------------------------------------
04-Oct-2001  13:58  6.4.9.1121  498,960  Dxmasf.dll
04-Oct-2001  13:58  6.4.9.1121  844,048  Msdxm.ocx

Windows Media Player Versions 6.4, 7, or 7.1

To resolve this problem, obtain the latest service pack for Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

260910 (http://support.microsoft.com/kb/260910/EN-US/) How to Obtain the Latest Windows 2000 Service Pack

The following file is available for download from the Microsoft Download Center:

Download Wm308567.exe now (http://download.microsoft.com/download/winmediaplayer/update/308567/win98mexp/en-us/wm308567.exe)

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 (http://support.microsoft.com/kb/119591/EN-US/) How to Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on secure servers that prevent any unauthorized changes to the file.

The English version of this fix should have the following file attributes or later:

Date         Time   Version     Size     File name      Operating system
-------------------------------------------------------------------------------------
21-Sep-2001  15:39  6.4.9.1121  498,960  Dxmasf.dll     Windows 2000
21-Sep-2001  15:40  6.4.9.1121  844,048  Msdxm.ocx      Windows 2000
21-Sep-2001  15:44  6.4.7.1121  498,448  Dxmasf550.dll  Windows 98/95
21-Sep-2001  15:45  6.4.7.1121  846,096  Msdxm550.ocx   Windows 98/95
21-Sep-2001  15:44  6.4.7.1121  498,448  Dxmasf550.dll  Windows Millennium Edition (Me)
21-Sep-2001  15:45  6.4.7.1121  846,096  Msdxm550.ocx   Windows Me
21-Sep-2001  15:44  6.4.7.1121  498,448  Dxmasf550.dll  Windows NT 4.0
21-Sep-2001  15:45  6.4.7.1121  846,096  Msdxm550.ocx   Windows NT 4.0
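
One way to check files on disk against the "or later" version numbers in the file-attribute tables of this article (an added example, not part of the original article and not a Microsoft tool). The function name and the -Directory parameter are hypothetical, the article does not say where the files are installed, and the check assumes the files carry the names shown in the tables.

```powershell
# Minimum file versions, copied from the file-attribute tables in this article.
$MinimumVersions = @{
    'Dxmasf.dll'    = [version]'6.4.9.1121'
    'Msdxm.ocx'     = [version]'6.4.9.1121'
    'Dxmasf550.dll' = [version]'6.4.7.1121'
    'Msdxm550.ocx'  = [version]'6.4.7.1121'
}

function Test-Q308567FileVersion {
    # Hypothetical helper: reports, per file, whether the on-disk version
    # meets the minimum listed in the article.
    param(
        # Assumption: the directory holding the player components is supplied
        # by the caller; the article does not state the install path.
        [Parameter(Mandatory = $true)]
        [string] $Directory
    )

    foreach ($name in ($MinimumVersions.Keys | Sort-Object)) {
        $required = $MinimumVersions[$name]
        $path     = Join-Path -Path $Directory -ChildPath $name
        $found    = $null
        $status   = 'NotPresent'

        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $info = (Get-Item -LiteralPath $path).VersionInfo
            # Use the numeric version fields rather than the FileVersion string,
            # which may carry extra text, so that the comparison is numeric
            # (6.4.10.x sorts after 6.4.9.x) and not alphabetical.
            $found = New-Object -TypeName System.Version -ArgumentList @(
                $info.FileMajorPart, $info.FileMinorPart,
                $info.FileBuildPart, $info.FilePrivatePart)
            if ($found -ge $required) { $status = 'Patched' } else { $status = 'NeedsFix' }
        }

        New-Object -TypeName PSObject -Property @{
            File     = $name
            Found    = $found
            Required = $required
            Status   = $status
        }
    }
}
```

Calling Test-Q308567FileVersion with the directory to inspect returns one object per file; files that do not exist there are reported as NotPresent rather than as failures.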

STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.

Microsoft Windows Media Player for Windows XP

Microsoft has confirmed that this problem may cause a degree of security vulnerability in Windows Media Player for Windows XP.

Windows Media Player Versions 6.4, 7, or 7.1

Microsoft has confirmed that this problem may cause a degree of security vulnerability in Windows Media Player versions 6.4, 7, and 7.1. This problem was first corrected in Windows 2000 Service Pack 3.

MORE INFORMATION
For more information about this vulnerability, please see the following Microsoft Web site:

http://www.microsoft.com/technet/security/bulletin/ms01-056.mspx

For more information about Windows Media Player, please see the following Microsoft Web site:

http://www.microsoft.com/windows/windowsmedia/default.mspx

APPLIES TO