MS02-032: Patch Available for WMP Active Playlist Vulnerability

Article translations Article translations
Article ID: 321676 - View products that this article applies to.
This article was previously published under Q321676
Expand all | Collapse all

SYMPTOMS

The Windows Media Player Active Playlist vulnerability is a local script execution vulnerability. An attacker who can successfully exploit this vulnerability can cause HTML scripts to run as if they were run locally on the user's computer. The scripts can take any action that the user was can take, including adding, changing or deleting files or changing security settings.

This particular vulnerability is subject to a significant mitigating factor. A successful attack requires that the following specific series of actions occur in an exact order, or the attack does not work:
  1. You must play a specially-formed media file from an attacker.
  2. After you play the file, you must quit Windows Media Player without playing another file.
  3. You must then view a Web page that was constructed by the attacker.

CAUSE

The vulnerability results because of a flaw in how the Windows Media active playlist information is stored on the local computer. Specifically, the playlist is stored in a fixed, known location.

RESOLUTION

The update for this problem is included in the Windows Media Player rollup package that is referenced in the following article in the Microsoft Knowledge Base:
320920 MS02-032: Windows Media Player Rollup Available

STATUS

Microsoft has confirmed that this problem may cause a degree of security vulnerability in the versions of Windows Media Player that are listed earlier in this article.

Properties

Article ID: 321676 - Last Review: February 22, 2007 - Revision: 3.4
APPLIES TO
  • Microsoft Windows Media Player 8.01
  • Microsoft Windows Media Player 8.01
Keywords: 
kbqfe kbbug kbenv kbfix kbsecbulletin kbsechack kbsecurity kbsecvulnerability kbwinxpsp1fix KB321676
Retired KB Content Disclaimer
This article was written about products for which Microsoft no longer offers support. Therefore, this article is offered "as is" and will no longer be updated.

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com