search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Microsoft Windows Media Player fails to properly handle malformed Windows Media Metafiles

Vulnerability Note VU#208769

Original Release Date: 2006-12-08 | Last Revised: 2006-12-13

Overview

Windows Media Player does not properly handle malformed Windows Media Metafiles. This vulnerability may allow a remote attacker to execute arbitrary code or crash Windows Media Player.

Description

Windows Media Player (WMP) is a multimedia application that comes with Microsoft Windows. According to Microsoft:

Advanced Stream Redirector (.asx) files, also known as Windows Media Metafiles, are text files that provide information about a file stream and its presentation. ASX files go beyond the simple task of defining playlists to provide Windows Media Player with information about how to present particular media items of the playlist.

Windows Media Metafiles are based on XML syntax and can be encoded in either ANSI or UNICODE (UTF-8) format. They are made up of various elements with their associated tags and attributes. Each element in a Windows Media metafile defines a particular setting or action in Windows Media Player.

WMP fails to properly handle Windows Media Metafiles. Specifically, if a URL with an unsupported protocol is embdedded in a Windows Media Metafile and accessed with WMP, a limited heap-based buffer overflow may occur.

Note that file extensions for Windows Media Metafiles include .wax, .wvx, .wmx, and .asx. More information concerning Windows Media Player files is available in the Windows Media Player File Name Extensions web page.

Exploit code for this vulnerability is publicly available.

Impact

Although the buffer overflow is limited, it may still be possible to corrupt memory in a way that can allow an attacker to execute code or crash WMP.

Solution

Apply an update from Microsoft
Microsoft has addressed this issue with the updates included with Microsoft Security Bulletin MS06-078.

Note that according to Microsoft Security Bulletin MS06-078, Windows Media Player 11 is not affected by this vulnerability.


Do not access Windows Media Metafiles from untrusted sources

Attackers may host malicious Windows Media Metafiles on web sites. In order to convince users to visit their sites, those attackers often use a variety of techniques to create misleading links including URL encoding, IP address variations, long URLs, and intentional misspellings. Do not click on unsolicited links received in email, instant messages, web forums, or internet relay chat (IRC) channels. Type URLs directly into the browser to avoid these misleading links. While these are generally good security practices, following these behaviors will not prevent exploitation of this vulnerability in all cases, particularly if a trusted site has been compromised or allows cross-site scripting.

Configure Your Web Browser securely handle Windows Media Metafiles

Web browsers can be configured to take specific actions for certain types of content, such as Windows Media Metafiles. Configuring your web browser to securely handle Windows Media Metafiles will not correct this vulnerability, but will reduce the chances of exploitation.

Mozilla Firefox

Configure Mozilla Firefox's Download Actions not to automatically open Windows Media Metafiles. Instructions on how to do this can be found in the Firefox section of Securing Your Web Browser.

Microsoft Internet Explorer

Setting the Internet Zone security setting to High will prevent Windows Media Metafiles from automatically being opened by Internet Explorer. Instructions on how to do this can be found in the Internet Explorer section of Securing Your Web Browser.
Additional workarounds are available in Microsoft Security Bulletin MS06-078.

Vendor Information

208769
 

Microsoft Corporation Affected

Updated:  December 12, 2006

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Refer to http://www.microsoft.com/technet/security/bulletin/ms06-078.mspx.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base
Temporal
Environmental

References

Acknowledgements

This vulnerability was publicly disclosed by sehato.

This document was written by Jeff Gennari.

Other Information

CVE IDs: CVE-2006-6134
Severity Metric: 20.25
Date Public: 2006-11-22
Date First Published: 2006-12-08
Date Last Updated: 2006-12-13 16:36 UTC
Document Revision: 36

Sponsored by CISA.