Microsoft Windows Media Player fails to properly handle malformed Windows Media Metafiles

ID VU:208769
Type cert
Reporter sehato
Modified 2006-12-13T00:00:00



Windows Media Player does not properly handle malformed Windows Media Metafiles. This vulnerability may allow a remote attacker to execute arbitrary code or crash Windows Media Player.


Windows Media Player (WMP) is a multimedia application that comes with Microsoft Windows. According to Microsoft:

`Advanced Stream Redirector (.asx) files, also known as Windows Media Metafiles, are text files that provide information about a file stream and its presentation. ASX files go beyond the simple task of defining playlists to provide Windows Media Player with information about how to present particular media items of the playlist.

Windows Media Metafiles are based on XML syntax and can be encoded in either ANSI or UNICODE (UTF-8) format. They are made up of various elements with their associated tags and attributes. Each element in a Windows Media metafile defines a particular setting or action in Windows Media Player. `
WMP fails to properly handle Windows Media Metafiles. Specifically, if a URL with an unsupported protocol is embdedded in a Windows Media Metafile and accessed with WMP, a limited heap-based buffer overflow may occur.

Note that file extensions for Windows Media Metafiles include .wax, .wvx, .wmx, and .asx. More information concerning Windows Media Player files is available in the Windows Media Player File Name Extensions web page.

Exploit code for this vulnerability is publicly available.


Although the buffer overflow is limited, it may still be possible to corrupt memory in a way that can allow an attacker to execute code or crash WMP.


Apply an update from Microsoft
Microsoft has addressed this issue with the updates included with Microsoft Security Bulletin MS06-078.

Note that according to Microsoft Security Bulletin MS06-078, Windows Media Player 11 is not affected by this vulnerability.

Do not access Windows Media Metafiles from untrusted sources

Attackers may host malicious Windows Media Metafiles on web sites. In order to convince users to visit their sites, those attackers often use a variety of techniques to create misleading links including URL encoding, IP address variations, long URLs, and intentional misspellings. Do not click on unsolicited links received in email, instant messages, web forums, or internet relay chat (IRC) channels. Type URLs directly into the browser to avoid these misleading links. While these are generally good security practices, following these behaviors will not prevent exploitation of this vulnerability in all cases, particularly if a trusted site has been compromised or allows cross-site scripting.

Configure Your Web Browser securely handle Windows Media Metafiles

Web browsers can be configured to take specific actions for certain types of content, such as Windows Media Metafiles. Configuring your web browser to securely handle Windows Media Metafiles will not correct this vulnerability, but will reduce the chances of exploitation.

Mozilla Firefox

Configure Mozilla Firefox's Download Actions not to automatically open Windows Media Metafiles. Instructions on how to do this can be found in the Firefox section of Securing Your Web Browser.

Microsoft Internet Explorer

Setting the Internet Zone security setting to High will prevent Windows Media Metafiles from automatically being opened by Internet Explorer. Instructions on how to do this can be found in the Internet Explorer section of Securing Your Web Browser.
Additional workarounds are available in Microsoft Security Bulletin MS06-078.

Systems Affected

Vendor| Status| Date Notified| Date Updated
Microsoft Corporation| | -| 12 Dec 2006
If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group | Score | Vector
Base | N/A | N/A
Temporal | N/A | N/A
Environmental | N/A | N/A


  • <>
  • <;en-us;Q316992>
  • <>
  • <>
  • <>
  • <>


This vulnerability was publicly disclosed by sehato.

This document was written by Jeff Gennari.

Other Information

  • CVE IDs: CVE-2006-6134
  • Date Public: 22 Nov 2006
  • Date First Published: 08 Dec 2006
  • Date Last Updated: 13 Dec 2006
  • Severity Metric: 20.25
  • Document Revision: 34