MS02-032: Patch Available for Windows Media Player Cache Disclosure Vulnerability

Article translations Article translations
Article ID: 321678 - View products that this article applies to.
This article was previously published under Q321678
Expand all | Collapse all

On This Page

SYMPTOMS

Windows Media Player has an information-disclosure vulnerability that an attacker can use to run code on a user's computer. The code would then be able to take any actions on the computer that the user could accomplish. For example, adding, changing or deleting data, communicating with Web sites, or changing the configuration of the computer.

The attacker's code would run with the same rights as the user. Any restrictions on the user's ability to change the computer would apply to the attacker's code. For example, if the user were prevented from deleting files on the hard disk, the attacker's code would similarly be prevented. Conversely, if a user were using an account with high rights such as an administrator's account, the attacker's code would also run with the same high rights.

CAUSE

The vulnerability results because of a flaw in how Windows Media Player handles certain types of licenses for secure media files when the media file is stored in the Microsoft Internet Explorer cache. Specifically, when a type of secure Windows Media file is opened, the Windows Media Player incorrectly returns information to the server that discloses the location of the Internet Explorer cache as it processes the request to the site for the licensing information.

RESOLUTION

Windows Media Player for Windows XP

The update for this problem is included in the Windows Media Player rollup package that is referenced in the following article in the Microsoft Knowledge Base:
320920 MS02-032: Windows Media Player Rollup Available

Windows Media Player 7.1

The update for this problem is included in the Windows Media Player rollup package that is referenced in the following article in the Microsoft Knowledge Base:
320920 MS02-032: Windows Media Player Rollup Available

Windows Media Player 6.4

The update for this problem is included in the Windows Media Player rollup package that is referenced in the following article in the Microsoft Knowledge Base:
320920 MS02-032: Windows Media Player Rollup Available

STATUS

Microsoft has confirmed that this problem may result in some degree of security vulnerability in the versions of Windows Media Player that are listed earlier in this article. Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.

Properties

Article ID: 321678 - Last Review: February 1, 2007 - Revision: 3.7
APPLIES TO
  • Microsoft Windows Media Player 6.4
  • Microsoft Windows Media Player 7.0
  • Microsoft Windows Media Player 7.1
  • Microsoft Windows Media Player 8.01
  • Microsoft Windows Media Player 8.01
Keywords: 
kbtshoot kbbug kbfix kbsecvulnerability kbenv kbsecurity kbsecbulletin kbsechack kbwinxpsp1fix KB321678

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com