SehatoVU:208769Microsoft Windows Media Player fails to properly handle malformed Windows Media Metafiles
0.97 High
EPSS
Percentile
99.7%
Overview
Windows Media Player does not properly handle malformed Windows Media Metafiles. This vulnerability may allow a remote attacker to execute arbitrary code or crash Windows Media Player.
Description
Windows Media Player (WMP) is a multimedia application that comes with Microsoft Windows. According to Microsoft:
`Advanced Stream Redirector (.asx) files, also known as Windows Media Metafiles, are text files that provide information about a file stream and its presentation. ASX files go beyond the simple task of defining playlists to provide Windows Media Player with information about how to present particular media items of the playlist.
Windows Media Metafiles are based on XML syntax and can be encoded in either ANSI or UNICODE (UTF-8) format. They are made up of various elements with their associated tags and attributes. Each element in a Windows Media metafile defines a particular setting or action in Windows Media Player. `
WMP fails to properly handle Windows Media Metafiles. Specifically, if a URL with an unsupported protocol is embdedded in a Windows Media Metafile and accessed with WMP, a limited heap-based buffer overflow may occur.
Note that file extensions for Windows Media Metafiles include .wax, .wvx, .wmx, and .asx. More information concerning Windows Media Player files is available in the Windows Media Player File Name Extensions web page.
Exploit code for this vulnerability is publicly available.
Impact
Although the buffer overflow is limited, it may still be possible to corrupt memory in a way that can allow an attacker to execute code or crash WMP.
Solution
Apply an update from Microsoft
Microsoft has addressed this issue with the updates included with Microsoft Security Bulletin MS06-078.
Note that according to Microsoft Security Bulletin MS06-078, Windows Media Player 11 is not affected by this vulnerability.
Do not access Windows Media Metafiles from untrusted sources
Attackers may host malicious Windows Media Metafiles on web sites. In order to convince users to visit their sites, those attackers often use a variety of techniques to create misleading links including URL encoding, IP address variations, long URLs, and intentional misspellings. Do not click on unsolicited links received in email, instant messages, web forums, or internet relay chat (IRC) channels. Type URLs directly into the browser to avoid these misleading links. While these are generally good security practices, following these behaviors will not prevent exploitation of this vulnerability in all cases, particularly if a trusted site has been compromised or allows cross-site scripting.
Configure Your Web Browser securely handle Windows Media Metafiles
Web browsers can be configured to take specific actions for certain types of content, such as Windows Media Metafiles. Configuring your web browser to securely handle Windows Media Metafiles will not correct this vulnerability, but will reduce the chances of exploitation.
Mozilla Firefox
Configure Mozilla Firefoxβs Download Actions not to automatically open Windows Media Metafiles. Instructions on how to do this can be found in the Firefox section of Securing Your Web Browser.
Microsoft Internet Explorer
Setting the Internet Zone security setting to High will prevent Windows Media Metafiles from automatically being opened by Internet Explorer. Instructions on how to do this can be found in the Internet Explorer section of Securing Your Web Browser.
Additional workarounds are available in Microsoft Security Bulletin MS06-078.
Vendor Information
208769
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
Microsoft Corporation __ Affected
Updated: December 12, 2006
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
Refer to <http://www.microsoft.com/technet/security/bulletin/ms06-078.mspx>.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23208769 Feedback>).
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | ||
| Temporal | ||
| Environmental |
References
- <http://blogs.technet.com/msrc/archive/2006/12/07/public-proof-of-concept-code-for-asx-file-format-isssue.aspx>
- <http://support.microsoft.com/default.aspx?scid=kb;en-us;Q316992>
- <http://research.eeye.com/html/alerts/zeroday/20061122.html>
- <http://www.microsoft.com/windows/windowsmedia/default.mspx>
- <http://windowssdk.msdn.microsoft.com/en-us/library/aa385262.aspx>
- <http://www.microsoft.com/technet/security/bulletin/ms06-078.mspx>
Acknowledgements
This vulnerability was publicly disclosed by sehato.
This document was written by Jeff Gennari.
Other Information
| CVE IDs: | CVE-2006-6134 |
|---|---|
| Severity Metric: | 20.25 Date Public: |
References
blogs.technet.com/msrc/archive/2006/12/07/public-proof-of-concept-code-for-asx-file-format-isssue.aspx
research.eeye.com/html/alerts/zeroday/20061122.html
support.microsoft.com/default.aspx?scid=kb;en-us;Q316992
windowssdk.msdn.microsoft.com/en-us/library/aa385262.aspx
www.microsoft.com/technet/security/bulletin/ms06-078.mspx
www.microsoft.com/windows/windowsmedia/default.mspx
Related
