Microsoft KB Archive/817787

= MS03-017: Flaw in Windows Media Player skins downloading could allow code execution =

Article ID: 817787

Article Last Modified on 7/30/2007

-

APPLIES TO


 * Microsoft Windows Media Player 7.1
 * Microsoft Windows Media Player 8.01
 * Microsoft Windows Media Player 8.01

-





SYMPTOMS
Microsoft Windows Media Player provides functionality to change the overall appearance of the player itself through the use of &quot;skins&quot;. Skins are custom overlays that are made up of collections of one or more files of computer art that is organized by an XML file. The XML file tells Windows Media Player how to use these files to display a skin as the user interface. In this manner, the user can choose from a variety of standard skins. Each skin provides an additional visual experience. Although Windows Media Player comes with several standard skins that users can choose, it is relatively easy to create and distribute custom skins. A flaw exists in the way Windows Media Player 7.1 and Windows Media Player for Windows XP handle the download of skin files. The flaw means that a malicious user (referred to as an &quot;attacker&quot;) could force a file that masquerades as a skin file into a known location on a user's computer. This could allow an attacker to save and then start a malicious executable file on the system.

To exploit this flaw, an attacker would have to host a Web site that contained a Web page that is designed to exploit this particular vulnerability. The attacker would then persuade a user to visit that Web site; – an attacker would have no way to force a user to the site. An attacker could also embed the link in an HTML e-mail and send it to the user. If the attacker uses e-mail, and if if the user was using Outlook Express 6.0 or Outlook 2002 in their default configurations, or if he or she uses Outlook 98 or Outlook 2000 in conjunction with the Outlook E-mail Attachment Security Update, an attack could not be automated and the user would still have to click a URL that was received in the e-mail. However, if the user was not using Outlook Express 6.0 or Outlook 2002 in their default configurations, or they were not using Outlook 98 or 2000 in conjunction with the Outlook E-mail Attachment Security Update, the attacker could cause an attack to trigger automatically without the user having to click a URL contained in an e-mail. For additional information about the Outlook E-mail Attachment Security Update, click the following article number to view the article in the Microsoft Knowledge Base:

235309 Outlook E-mail Attachment Security Update

In both the Web-based case and the e-mail-based case, any limitations on the user's privileges would also restrict the capabilities of the attacker's script.

Mitigating Factors

 * Windows Media Player 9 Series is not affected by this issue.
 * Products and versions that are not at risk:

Customers who use any of the following products are at no risk from an e-mail born attack that tried to automatically exploit these vulnerabilities. The attacker would have no way to force users to visit a malicious Web site. Instead, the attacker would have to lure them there, typically by getting them to click a link that would take them to the attacker's site.
 * Outlook Express 6.0 and Outlook 2002. By default, Outlook Express 6.0 and Outlook 2002 open HTML e-mail messages in the Restricted Sites Zone.
 * Outlook 98 and Outlook 2000. These products open HTML e-mail messages in the Restricted Sites Zone if the Outlook E-mail Attachment Security Update has been installed.



Service pack information
To resolve this problem, obtain the latest service pack for Microsoft Windows XP. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

322389 How to obtain the latest Windows XP service pack

Security patch information
For more information about how to resolve this vulnerability, click the appropriate link below:
 * Windows Media Player for Windows XP
 * Windows Media Player 7.1

Download Information
The following file is available for download from the Microsoft Download Center:

Download the 817787 package now. Release Date: May 7, 2003

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

Prerequisites
This patch requires the released version of Windows XP or Windows XP Service Pack 1 (SP1). For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

322389 How to obtain the latest Windows XP service pack

Installation information
This patch supports the following Setup switches:
 * /? : Display the list of installation switches.
 * /q : Quiet mode (no user intervention).
 * /q:u : Specifies user-quiet mode, which presents some dialog boxes to the user.
 * /q:a : Specifies administrator-quiet mode, which does not present any dialog boxes to the user.
 * /t:  : Specifies the temporary working folder.
 * /c : Extracts the files without running Setup when used with /t.
 * /c:  : Override the install command that was defined by the author.
 * /r:n : Never restarts the computer after installation.
 * /r:i : Restart if it is required. Automatically restarts the computer if it is necessary to complete installation.
 * /r:a : Always restarts the computer after installation.
 * /r:s : Restarts the computer after installation without prompting the user.

To verify the patch is installed on your computer, confirm that the following registry key exists:

Deployment information
To install the patch without any user intervention, use the following command line:

windowsmedia8-kb817787-x86-enu /q:a

To install the patch without forcing the computer to restart, use the following command line:

windowsmedia8-kb817787-x86-enu /r:n

Note You can combine these switches into one command line.

For information about how to deploy this patch with Software Update Services, visit the following Microsoft Web site:

Software Update Services Overview White Paper

http://technet.microsoft.com/en-us/wsus/bb466201.aspx

Restart requirement
You do not have to restart your computer after you apply this patch unless Windows Media Player is running in the background.

Removal information
You cannot remove this patch.

Patch replacement information
This patch does not replace any other patches.

File information
The English version of this patch has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.   Date         Time   Version       Size    File name --  11-Apr-2003  19:11  8.0.0.4490   520,192  Wmplayer.exe

Files to support installation
The following files are included to support the installation of the patch.   Date         Time   Size   File name ---  18-Apr-2003  21:44    755  Wmplayer.inf 18-Apr-2003 20:55  1,428  Wmqfe.inf

Files included for file dependency reasons
The following files are included due to file dependencies.   Date         Time   Version      Size    File name -  18-Aug-2001  02:43  6.0.2600.0   91,136  Advpack.dll 14-Jan-2002 22:58  5.1.2600.27  28,160  Msoobci.dll 06-Jun-2000 20:43  4.71.704.0    2,272  W95inf16.dll 06-Jun-2000 20:43  4.71.16.0     4,608  W95inf32.dll You can also verify the files that this patch installed by reviewing the following registry key:

Download Information
The following file is available for download from the Microsoft Download Center:

Download the 817787 package now. Release Date: May 7, 2003

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

Prerequisites
This patch requires Windows 98, Windows 98 Second Edition, Windows Millennium Edition, or Windows 2000.

Installation information
This patch supports the following Setup switches:
 * /? : Display the list of installation switches.
 * /q : Quiet mode (no user intervention).
 * /q:u : Specifies user-quiet mode, which presents some dialog boxes to the user.
 * /q:a : Specifies administrator-quiet mode, which does not present any dialog boxes to the user.
 * /t:  : Specifies the temporary working folder.
 * /c : Extracts the files without running Setup when used with /t.
 * /c:  : Override the install command that was defined by the author.
 * /r:n : Never restarts the computer after installation.
 * /r:i : Restart if it is required. Automatically restarts the computer if it is necessary to complete installation.
 * /r:a : Always restarts the computer after installation.
 * /r:s : Restarts the computer after installation without prompting the user.

To verify the patch is installed on your computer, confirm that the following registry key exists:

Deployment information
To install the patch without any user intervention, use the following command line:

windowsmedia71-kb817787-x86-enu /q:a

To install the patch without forcing the computer to restart, use the following command line:

windowsmedia71-kb817787-x86-enu /r:n

Note You can combine these switches into one command line.

Restart requirement
You do not have to restart your computer after you apply this patch unless Windows Media Player is running in the background.

Removal information
You cannot remove this patch.

Patch replacement information
This patch does not replace any other patches.

File information
The English version of this patch has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.   Date         Time   Version      Size     File name --  18-Apr-2003  03:09  7.10.0.3074  348,160  Wmplayer.exe

Files to support installation
The following file is included to support the installation of the patch.   Date         Time   Version    Size   File name --  18-Apr-2003  18:07             1,752  Wmqfe.inf

Files included for file dependency reasons
The following files are included due to file dependencies.   Date         Time   Version      Size     File name --  18-Aug-2001  02:43  6.0.2600.0    91,136  Advpack.dll 06-Jun-2000 20:43  4.71.704.0     2,272  W95inf16.dll 06-Jun-2000 20:43  4.71.16.0      4,608  W95inf32.dll You can also verify the files that this patch installed by reviewing the following registry key:



STATUS
Microsoft has confirmed that this problem may cause a degree of security vulnerability in the Microsoft products that are listed in the &quot;Applies to&quot; section. This problem was first corrected in Microsoft Windows XP Service Pack 2.



MORE INFORMATION
For more information about this vulnerability, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/bulletin/MS03-017.mspx

Additional query words: security_patch

Keywords: atdownload kbwinxpsp2fix kbwinxppresp2fix kbfix kbbug kbsecbulletin kbsecvulnerability kbsecurity KB817787

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.