search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Microsoft Windows Media Player fails to properly evaluate URLs when downloading skin files

Vulnerability Note VU#384932

Original Release Date: 2003-05-07 | Last Revised: 2003-05-15


Microsoft Media Player contains a vulnerability in the parsing of "Skin Files" that may permit a remote attacker to download arbitrary files to a known location on the local system.


Microsoft Media Player is an application that plays various types of media files. The user can customize the appearance of Microsoft's Media Player through the use of skin files. Skin files can be created and downloaded from the Internet. Microsoft's Media Player uses XML to determine the location of these files.

A directory traversal vulnerability exists in Microsoft Media Player 7.1 (for Windows 98, 98SE, ME, 2000) and 8.0 (Windows XP) when parsing of an XML file specifying the location of a skin file. The XML parser fails to recognize hex encoded characters that can permit an attacker to exit the temporary directory, and place files in a known location on the system.

Exploitation of this vulnerability may permit a remote attacker to download a malicious file to a known location on the local system or any mounted network drives that the current user has access to. These files may be programs, configuration files, or various other types of files. The attacker must trick the user into visiting the malicious website in order to exploit this vulnerability.

For more details, please see Microsoft's Advisory MS03-017.


A remote attacker may be able to download arbitrary files to the system in a known location. If the file is placed in the "Start Up" folder, or used in conjunction with other vulnerabilities (such as VU#626395, VU#25249 or VU#489721), the attacker may then be able to execute arbitrary code on the system.


Microsoft has released patches for versions 7.1 and 8.0 in MS03-017 to address this issue.

Microsoft Media Player 9 is not affected by this vulnerability.

Vendor Information


Microsoft Corporation Affected

Updated:  May 07, 2003



Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


For more details, please see Microsoft's Advisory MS03-017.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

CVSS Metrics

Group Score Vector



Thanks to Jouko Pynnonen for reporting this vulnerability and Microsoft for addressing this issue.

This document was written by Jason A Rafail.

Other Information

CVE IDs: CVE-2003-0228
Severity Metric: 18.98
Date Public: 2003-05-07
Date First Published: 2003-05-07
Date Last Updated: 2003-05-15 15:57 UTC
Document Revision: 21

Sponsored by CISA.