Microsoft KB Archive/819639

= MS03-021: A Flaw in Windows Media Player May Permit the Media Library to Be Accessed =

Article ID: 819639

Article Last Modified on 11/7/2007

-

APPLIES TO


 * Microsoft Windows Media Player 9 Series
 * Microsoft Windows Media Player 9 Series for Windows XP
 * Microsoft Windows Media Player 9 Series
 * Microsoft Windows Media Player 9 Series
 * Microsoft Windows Media Player 9 Series

-



Technical Updates

 * June 27, 2003: The &quot;File Information&quot; section was updated.
 * July 1, 2003: Updated the &quot;Download Information&quot; section to point to the correct download URL. No technical information was changed.



SYMPTOMS
With Windows Media Player 9 Series, a flaw in an ActiveX control might permit a Web page to gain access to your Media Library. An attacker who exploits this flaw can gain access only to manipulate the Media Library on your computer. The attacker cannot browse your hard disk and cannot gain access to passwords or encrypted data. Also, the attacker cannot modify actual files on the hard disk; the attacker can modify only the contents of the Media Library entries for those files.



Windows XP, Windows 2000, Windows Millennium Edition, and Windows 98
The following file is available for download from the Microsoft Download Center:

Download the 819639 package now.

Release Date: June 25, 2003

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

Windows Server 2003
The following file is available for download from the Microsoft Download Center:

Download the 819639 package now. Release Date: June 25, 2003

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

Installation Information
This security patch supports the following Setup switches:
 * /?: Shows the list of installation switches.
 * /q: Specifies Quiet mode (no user intervention).
 * /q:u: Specifies User-Quiet mode, which presents some dialog boxes to the user.
 * /q:a: Specifies Administrator-Quiet mode, which does not present any dialog boxes to the user.
 * /t: : Specifies the temporary working folder.
 * /c: Extracts the files without running Setup when used with /t.
 * /c: : Override the installation command that was defined by the author.
 * /r:n: Never restarts the computer after installation.
 * /r:i: Restart the computer if necessary. Automatically restarts the computer if it is necessary to complete the installation.
 * /r:a: Always restarts the computer after installation.

To verify that the security patch is installed on your computer, confirm that the following registry key exists:

Deployment Information
To install the security patch without any user intervention, use the following command:

windowsmedia9-kb819639-x86-enu /q:a

To install the security patch without forcing the computer to restart, use the following command:

windowsmedia9-kb819639-x86-enu /r:n

Note You can combine these switches in one command.

For information about how to deploy this security patch with Microsoft Software Update Services, visit the following Microsoft Web site:

http://technet.microsoft.com/en-us/wsus/bb466201.aspx

Restart Requirement
You do not have to restart your computer after you apply this security patch.

Removal Information
You cannot remove this security patch if you are using Microsoft Windows XP, Microsoft Windows 2000, Microsoft Windows Millennium Edition (Me), or Microsoft Windows 98 Second Edition. The Setup technology in these versions of Windows does not support removing the security patch. To remove this security patch if you are running Microsoft Windows Server 2003, use the Add or Remove Programs tool in Control Panel.

Security Patch Replacement Information
This security patch does not replace any other hotfixes.

File Information
The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.   Date         Time   Version     Size       File name 06-Jun-2003 00:50  9.0.0.3008  4,653,056  Wmp.dll

Files to Support Installation
The following file is included to support installing the security patch.   Date         Time   Size   File name ---  06-Jun-2003  22:26  1,566  Wm819639.inf

Files for File-Dependency Reasons
The following files are included because of file dependencies.   Date         Time   Version     Size    File name 18-Aug-2001 02:43  6.0.2600.0  91,136  Advpack.dll 06-Jun-2000 20:43  4.71.704.0   2,272  W95inf16.dll 06-Jun-2000 20:43  4.71.16.0    4,608  W95inf32.dll



STATUS
Microsoft has confirmed that this problem may cause a degree of security vulnerability in the Microsoft products that are listed at the beginning of this article.



MORE INFORMATION
For more information about this vulnerability, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/bulletin/MS03-021.mspx

Additional query words: security_patch

Keywords: kbsecvulnerability kbqfe kbsecurity kbwinxpsp2fix kbsecbulletin kbwinxppresp2fix kbwinserv2003presp1fix kbhotfixserver KB819639

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.