The remote host is running Windows Media Player. There is a vulnerability in the remote version of this software that may allow an attacker to execute arbitrary code on the remote host. To exploit this flaw, an attacker would need to set up a rogue PNG image and send it to a victim on the remote host.
{"id": "4172.PRM", "type": "nessus", "bulletinFamily": "scanner", "title": "Windows Media Player Remote Code Execution Vulnerability (936782)", "description": "The remote host is running Windows Media Player. There is a vulnerability in the remote version of this software that may allow an attacker to execute arbitrary code on the remote host. To exploit this flaw, one attacker would need to set up a rogue PNG image and send it to a victim on the remote host.", "published": "2007-08-15T00:00:00", "modified": "2019-03-06T00:00:00", "cvss": {"score": 5.4, "vector": "CVSS2#AV:A/AC:M/Au:N/C:P/I:P/A:P"}, "cvss2": {}, "cvss3": {"score": 5, "vector": "CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"}, "href": "https://www.tenable.com/plugins/nnm/4172", "reporter": "Tenable", "references": ["http://www.microsoft.com/technet/security/bulletin/ms07-047.mspx", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3037", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3035"], "cvelist": ["CVE-2007-3037", "CVE-2007-3035"], "immutableFields": [], "lastseen": "2021-08-19T13:13:39", "viewCount": 2, "enchantments": {"dependencies": {"references": [{"type": "checkpoint_advisories", "idList": ["CPAI-2007-102", "CPAI-2007-310"]}, {"type": "cve", "idList": ["CVE-2007-3035", "CVE-2007-3037"]}, {"type": "mskb", "idList": ["KB936782"]}, {"type": "nessus", "idList": ["4171.PRM", "4173.PRM", "4174.PRM", "4175.PRM", "4176.PRM", "SMB_NT_MS07-047.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310801714", "OPENVAS:801714"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:17790", "SECURITYVULNS:DOC:17797", "SECURITYVULNS:DOC:17798", "SECURITYVULNS:VULN:8044"]}, {"type": "seebug", "idList": ["SSV:2127", "SSV:2128"]}, {"type": "zdi", "idList": ["ZDI-07-046", "ZDI-07-047"]}]}, "score": {"value": 5.4, "vector": "NONE"}, "backreferences": {"references": [{"type": "checkpoint_advisories", "idList": ["CPAI-2007-310"]}, {"type": "cve", "idList": ["CVE-2007-3035", 
"CVE-2007-3037"]}, {"type": "mskb", "idList": ["KB936782"]}, {"type": "nessus", "idList": ["4174.PRM"]}, {"type": "seebug", "idList": ["SSV:2128"]}, {"type": "zdi", "idList": ["ZDI-07-046", "ZDI-07-047"]}]}, "exploitation": null, "vulnersScore": 5.4}, "pluginID": "4172", "sourceData": "Binary data 4172.prm", "naslFamily": "Web Clients", "cpe": ["cpe:2.3:a:microsoft:windows_media_player:*:*:*:*:*:*:*:*"], "solution": "Microsoft has released a set of patches for Windows 2000, XP, 2003 and Vista.", "nessusSeverity": "Medium", "cvssScoreSource": "", "vpr": {}, "exploitAvailable": false, "exploitEase": "", "patchPublicationDate": null, "vulnerabilityPublicationDate": null, "exploitableWith": [], "_state": {"dependencies": 1647589307, "score": 1659753002}}
{"securityvulns": [{"lastseen": "2018-08-31T11:09:26", "description": "Multiple vulnerabilities on skin files parsing.", "edition": 1, "cvss3": {}, "published": "2007-08-15T00:00:00", "title": "Microsoft Windows Media Player multiple security vulnerabilities", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2007-3037", "CVE-2007-3035"], "modified": "2007-08-15T00:00:00", "id": "SECURITYVULNS:VULN:8044", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:8044", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:23", "description": "Microsoft Security Bulletin MS07-047 - Important\r\nVulnerabilities in Windows Media Player Could Allow Remote Code Execution (936782)\r\nPublished: August 14, 2007\r\n\r\nVersion: 1.0\r\nGeneral Information\r\nExecutive Summary\r\n\r\nThis important security update resolves two privately reported vulnerabilities. These vulnerabilities could allow code execution if a user viewed a specially crafted file in Windows Media Player. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\r\n\r\nThis is an important security update for supported versions of Windows Media Player 7.1, 9, 10, and 11. For more information, see the subsection, Affected and Non-Affected Software, in this section.\r\n\r\nFor more information about the vulnerabilities, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.\r\n\r\nRecommendation. Microsoft recommends that customers apply the update.\r\n\r\nKnown Issues. Microsoft Knowledge Base Article 936782 documents the currently known issues that customers may experience when they install this security update. 
The article also documents recommended solutions for these issues.\r\nTop of sectionTop of section\r\nAffected and Non-Affected Software\r\n\r\nThe software listed here has been tested to determine which versions or editions are affected. Other versions or editions are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, visit Microsoft Support Lifecycle.\r\n\r\nAffected Software\r\nOperating System\tComponent\tMaximum Security Impact\tAggregate Severity Rating\tBulletins Replaced by This Update\r\n\r\nWindows 2000 Service Pack 4\r\n\t\r\n\r\nWindows Media Player 7.1\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nMS06-024\r\n\r\nWindows 2000 Service Pack 4\r\n\t\r\n\r\nWindows Media Player 9\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nMS06-024\r\n\r\nWindows XP Service Pack 2\r\n\t\r\n\r\nWindows Media Player 9\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nMS06-024\r\n\r\nWindows XP Service Pack 2\r\n\t\r\n\r\nWindows Media Player 10\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nMS06-024\r\n\r\nWindows XP Professional X64 Edition\r\n\t\r\n\r\nWindows Media Player 10\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nMS06-024\r\n\r\nWindows XP Professional X64 Edition Service Pack 2\r\n\t\r\n\r\nWindows Media Player 10\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nNone\r\n\r\nWindows Server 2003 Service Pack 1\r\n\t\r\n\r\nWindows Media Player 10\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nMS06-024\r\n\r\nWindows Server 2003 Service Pack 2\r\n\t\r\n\r\nWindows Media Player 10\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nNone\r\n\r\nWindows Server 2003 x64 Edition\r\n\t\r\n\r\nWindows Media Player 10\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nMS06-024\r\n\r\nWindows 
Server 2003 x64 Edition Service Pack 2\r\n\t\r\n\r\nWindows Media Player 10\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nNone\r\n\r\nWindows XP Service Pack 2\r\n\t\r\n\r\nWindows Media Player 11\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nMS06-024\r\n\r\nWindows XP Professional X64 Edition\r\n\t\r\n\r\nWindows Media Player 11\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nMS06-024\r\n\r\nWindows XP Professional X64 Edition Service Pack 2\r\n\t\r\n\r\nWindows Media Player 11\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nNone\r\n\r\nWindows Vista\r\n\t\r\n\r\nWindows Media Player 11\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nNone\r\n\r\nWindows Vista x64 Edition\r\n\t\r\n\r\nWindows Media Player 11\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nNone\r\nTop of sectionTop of section\r\n\t\r\nFrequently Asked Questions (FAQ) Related to This Security Update\r\n\r\nWhat are the known issues that customers may experience when they install this security update? \r\nMicrosoft Knowledge Base Article 936782 documents the currently known issues that customers may experience when they install this security update. The article also documents recommended solutions for these issues.\r\n\r\nI am using an older release of the software discussed in this security bulletin. What should I do? \r\nThe affected software listed in this bulletin has been tested to determine which releases are affected. Other releases are past their support life cycle. To determine the support life cycle for your software release, visit Microsoft Support Lifecycle.\r\n\r\nIt should be a priority for customers who have older releases of the software to migrate to supported releases to prevent potential exposure to vulnerabilities. For more information about the Windows Product Lifecycle, visit the following Microsoft Support Lifecycle. 
For more information about the extended security update support period for these software releases, visit the Microsoft Product Support Services Web site.\r\n\r\nCustomers who require custom support for older software must contact their Microsoft account team representative, their Technical Account Manager, or the appropriate Microsoft partner representative for custom support options. Customers without an Alliance, Premier, or Authorized Contract can contact their local Microsoft sales office. For contact information, visit the Microsoft Worldwide Information Web site, select the country, and then click Go to see a list of telephone numbers. When you call, ask to speak with the local Premier Support sales manager. For more information, see the Windows Operating System Product Support Lifecycle FAQ.\r\n\r\nDoes this update contain any security-related changes to functionality? \r\nYes. Besides the changes that are listed in the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the bulletin section, Vulnerability Information, this update includes defense-in-depth changes to Windows Media Player. 
For more information about the defense-in-depth, see Microsoft Knowledge Base Article 940893.\r\nTop of sectionTop of section\r\nVulnerability Information\r\n\t\r\nSeverity Ratings and Vulnerability Identifiers\r\nAffected Software\tWindows Media Player Code Execution Vulnerability Parsing Skins \u2013 CVE-2007-3037\tWindows Media Player Code Execution Vulnerability Decompressing Skins - CVE-2007-3035\tAggregate Severity Rating\r\n\r\nWindows Media Player 7.1\r\n\t\r\n\r\nImportant\r\nRemote Code Execution\r\n\t\r\n\r\nImportant\r\nRemote Code Execution\r\n\t\r\n\r\nImportant\r\n\r\nWindows Media Player 9\r\n\t\r\n\r\nImportant\r\nRemote Code Execution\r\n\t\r\n\r\nImportant\r\nRemote Code Execution\r\n\t\r\n\r\nImportant\r\n\r\nWindows Media Player 10\r\n\t\r\n\r\nImportant\r\nRemote Code Execution\r\n\t\r\n\r\nImportant\r\nRemote Code Execution\r\n\t\r\n\r\nImportant\r\n\r\nWindows Media Player 11\r\n\t\r\n\r\nImportant\r\nRemote Code Execution\r\n\t\r\n\r\nImportant\r\nRemote Code Execution\r\n\t\r\n\r\nImportant\r\nTop of sectionTop of section\r\n\t\r\nWindows Media Player Code Execution Vulnerability Parsing Skins \u2013 CVE-2007-3037\r\n\r\nA code execution vulnerability exists in Windows Media Player skin parsing. An attacker who successfully exploited this vulnerability could take complete control of an affected system.\r\n\r\nTo view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2007-3037.\r\n\t\r\nMitigating Factors for Windows Media Player Code Execution Vulnerability Parsing Skins \u2013 CVE-2007-3037\r\n\r\nMitigation refers to a setting, common configuration, or general best-practice, existing in a default state, which could reduce the severity of exploitation of a vulnerability. 
The following mitigating factors may be helpful in your situation:\r\n\u2022\t\r\n\r\nWhen a user attempts to install a Windows Media Player skin file, the user is prompted with a "Windows Media Download" dialog box prior to the skin being applied.\r\n\u2022\t\r\n\r\nAttempts to exploit the vulnerability using WMZ and WMD files require the user to view or apply the skin after it is downloaded to be vulnerable.\r\nTop of sectionTop of section\r\n\t\r\nWorkarounds for Windows Media Player Code Execution Vulnerability Parsing Skins \u2013 CVE-2007-3037\r\n\r\nDisassociate the WMZ and WMD file extensions\r\n\r\nDisassociation of WMZ and WMD in Windows prevents previewing or opening WMZ and WMD files in Windows Media Player.\r\n\r\n1.\r\n\t\r\n\r\nClick Start, click Run, type "regedit\u201d (without the quotation marks), and then click OK.\r\n\r\n2.\r\n\t\r\n\r\nExpand HKEY_CLASSES_ROOT, and click .WMZ, and then right click and select Export. Note: This will create a backup of this registry key in the \u2018My Documents\u2019 folder by default.\r\n\r\n3.\r\n\t\r\n\r\nIn the Export Registry File window, type \u201cWMZ file association registry backup.reg\u201d and press Save.\r\n\r\nThis will create a backup of this registry key in the \u201cMy Documents\u201d folder by default.\r\n\r\n4.\r\n\t\r\n\r\nPress the Delete key on the keyboard to delete the registry key. Select Yes to confirm the registry key deletion.\r\n\r\n5.\r\n\t\r\n\r\nRepeat steps 2-5 for the WMDkey.\r\n\r\nImpact of Workaround: This workaround prevents users from applying skin files to Windows Media Player by double clicking on them. Users can still apply skin files that are in their default \u2018skins\u2019 directory.\r\n\r\nUn-register Wmp.dll\r\n\r\n1.\r\n\t\r\n\r\nUn-registering the Wmp.dll registry key helps protect the affected system from attempts to exploit this vulnerability. 
To modify the Wmp.dll registry key, follow these steps.\r\n\r\n2.\r\n\t\r\n\r\nClick Start, click Run, type "regsvr32 -u %windir%\system32\wmp.dll" (without the quotation marks), and then click OK.\r\n\r\n3.\r\n\t\r\n\r\nWhen a dialog box appears that confirms that the process has been successful, click OK.\r\n\r\n4.\r\n\t\r\n\r\nSelect the File Types tab.\r\n\r\nImpact of Workaround: This workaround disables the Windows Media Player and applications that use the embedded Windows Media ActiveX Control.\r\nTop of sectionTop of section\r\n\t\r\nFAQ for Windows Media Player Code Execution Vulnerability Parsing Skins \u2013 CVE-2007-3037\r\n\r\nWhat is the scope of the vulnerability? \r\nA code execution vulnerability exists in Windows Media Player parsing skins. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs or view, change, or delete data.\r\n\r\nWhat causes the vulnerability? \r\nWindows Media Player incorrectly handles header information contained in skin files.\r\n\r\nWhat is a skin file? \r\nSkins are sets of scripts, art, media, and text files that can be combined to create a new appearance for Windows Media Player. Using skins, you can change not only the way Windows Media Player looks, but how it functions. Windows Media Player skin files are distributed in WMZ and WMD files.\r\n\r\nWhat might an attacker use the vulnerability to do? \r\nAn attacker who successfully exploited this vulnerability could take complete control of an affected system. Users whose accounts are configured to have fewer user rights on the guest operating system are less impacted than users who operate with administrative user rights on the guest operating system.\r\n\r\nHow could an attacker exploit the vulnerability? 
\r\nIn a Web-based attack scenario, an attacker could host a specially-crafted skin file designed to exploit this vulnerability through Windows Media Player and then convince a user to view the skins file. In no case, however, would an attacker have a way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or in an Instant Messenger request that takes users to the attacker's Web site.\r\n\r\nIn an e-mail attack scenario, an attacker could exploit the vulnerability by sending a specially-crafted skin file to the user and by persuading the user to open the file.\r\n\r\nWhat systems are primarily at risk from the vulnerability? \r\nThis vulnerability requires that a user is logged on and opens the malicious skin file in Windows Media Player for any malicious action to occur. Therefore, any systems where Windows Media Player is used frequently, such as workstations or terminal servers, are at the most risk from this vulnerability.\r\n\r\nWhat does the update do? \r\nThe update removes the vulnerability by changing Windows Media Player to correctly handle header information contained in skin files.\r\n\r\nWhen this security bulletin was issued, had this vulnerability been publicly disclosed? \r\nNo. Microsoft received information about this vulnerability through responsible disclosure. 
Microsoft had not received any information to indicate that this vulnerability had been publicly disclosed when this security bulletin was originally issued.\r\nTop of sectionTop of section\r\nTop of sectionTop of section\r\n\t\r\nWindows Media Player Code Execution Vulnerability Decompressing Skins - CVE-2007-3035\r\n\r\nA remote code execution vulnerability exists in Windows Media Player an attacker who successfully exploited this vulnerability could take complete control of an affected system.\r\n\r\nTo view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2007-3035.\r\n\t\r\nMitigating Factors for Windows Media Player Code Execution Vulnerability Decompressing Skins - CVE-2007-3035\r\n\r\nMitigation refers to a setting, common configuration, or general best-practice, existing in a default state, which could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:\r\n\u2022\t\r\n\r\nWhen a user attempts to install a Windows Media Player skin file, the user is prompted with a "Windows Media Download" dialog box prior to the skin being applied.\r\n\u2022\t\r\n\r\nAttempts to exploit the vulnerability using WMZ and WMD files require the user to view or apply the skin after it is downloaded to be vulnerable.\r\nTop of sectionTop of section\r\n\t\r\nWorkarounds for Windows Media Player Code Execution Vulnerability Decompressing Skins - CVE-2007-3035\r\n\r\nDisassociate the WMZ and WMD file extensions\r\n\r\nDisassociation of WMZ and WMD in Windows prevents previewing or opening WMZ and WMD files in Windows Media Player.\r\n\r\n1.\r\n\t\r\n\r\nClick Start, click Run, type "regedit\u201d (without the quotation marks), and then click OK.\r\n\r\n2.\r\n\t\r\n\r\nExpand HKEY_CLASSES_ROOT, and click .WMZ, and then right click and select Export. 
Note: This will create a backup of this registry key in the \u2018My Documents\u2019 folder by default.\r\n\r\n3.\r\n\t\r\n\r\nIn the Export Registry File window, type \u201cWMZ file association registry backup.reg\u201d and press Save.\r\n\r\nThis will create a backup of this registry key in the \u201cMy Documents\u201d folder by default.\r\n\r\n4.\r\n\t\r\n\r\nPress the Delete key on the keyboard to delete the registry key. Select Yes to confirm the registry key deletion.\r\n\r\n5.\r\n\t\r\n\r\nRepeat steps 2-5 for the WMD key.\r\n\r\nImpact of Workaround: This workaround prevents users from applying skin files to Windows Media Player by double clicking on them. Users can still apply skin files that are in their default \u2018skins\u2019 directory.\r\n\r\nUn-register Wmp.dll\r\n\r\n1.\r\n\t\r\n\r\nUn-registering the Wmp.dll registry key helps protect the affected system from attempts to exploit this vulnerability. To modify the Wmp.dll registry key, follow these steps.\r\n\r\n2.\r\n\t\r\n\r\nClick Start, click Run, type "regsvr32 -u %windir%\system32\wmp.dll" (without the quotation marks), and then click OK.\r\n\r\n3.\r\n\t\r\n\r\nWhen a dialog box appears that confirms that the process has been successful, click OK.\r\n\r\n4.\r\n\t\r\n\r\nSelect the File Types tab.\r\n\r\nImpact of Workaround: This workaround disables the Windows Media Player and applications that use the embedded Windows Media ActiveX Control.\r\nTop of sectionTop of section\r\n\t\r\n\t\r\nFAQ for Windows Media Player Code Execution Vulnerability Decompressing Skins - CVE-2007-3035\r\n\r\nWhat is the scope of the vulnerability? \r\nA code execution vulnerability exists in Windows Media Player skin parsing. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs or view, change, or delete data.\r\n\r\nWhat causes the vulnerability? 
\r\nWindows Media Player incorrectly handles header information contained in skin files.\r\n\r\nWhat is a skin file? \r\nSkins are sets of scripts, art, media, and text files that can be combined to create a new appearance for Windows Media Player. Using skins, you can change not only the way Windows Media Player looks, but how it functions. Windows Media Player skin files are distributed in WMZ and WMD files.\r\n\r\nWhat might an attacker use the vulnerability to do? \r\nAn attacker who successfully exploited this vulnerability could take complete control of an affected system. Users whose accounts are configured to have fewer user rights on the guest operating system are less impacted than users who operate with administrative user rights on the guest operating system.\r\n\r\nHow could an attacker exploit the vulnerability? \r\nIn a Web-based attack scenario, an attacker could host a specially-crafted skin file designed to exploit this vulnerability through Windows Media Player and then convince a user to view the skins file. In no case, however, would an attacker have a way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or in an Instant Messenger request that takes users to the attacker's Web site.\r\n\r\nIn an e-mail attack scenario, an attacker could exploit the vulnerability by sending a specially-crafted skin file to the user and by persuading the user to open the file.\r\n\r\nWhat systems are primarily at risk from the vulnerability? \r\nThis vulnerability requires that a user is logged on and opens the malicious skin file in Windows Media Player for any malicious action to occur. Therefore, any systems where Windows Media Player is used frequently, such as workstations or terminal servers, are at the most risk from this vulnerability.\r\n\r\nWhat does the update do? 
\r\nThe update removes the vulnerability by changing Windows Media Player to correctly handle header information contained in skin files.\r\n\r\nWhen this security bulletin was issued, had this vulnerability been publicly disclosed? \r\nNo. Microsoft received information about this vulnerability through responsible disclosure. Microsoft had not received any information to indicate that this vulnerability had been publicly disclosed when this security bulletin was originally issued.\r\nOther Information\r\nAcknowledgments\r\n\r\nMicrosoft thanks the following for working with us to help protect customers:\r\n\u2022\t\r\n\r\nPiotr Bania, working with TippingPoint and the Zero Day Initiative, for reporting the Windows Media Player Code Execution Vulnerability Decompressing Skins - CVE-2007-3035.\r\n\u2022\t\r\n\r\nPiotr Bania, working with TippingPoint and the Zero Day Initiative, for reporting the Windows Media Player Code Execution Vulnerability Parsing Skins \u2013 CVE-2007-3037.\r\n\u2022\t\r\n\r\nDan Kaminsky, of IOActive, for reporting the defense-in-depth changes to the Windows Media Player described in Microsoft Knowledge Base Article 940893\r\n\r\nSupport\r\n\u2022\t\r\n\r\nCustomers in the U.S. and Canada can receive technical support from Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates.\r\n\u2022\t\r\n\r\nInternational customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site.\r\n\r\nDisclaimer\r\n\r\nThe information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. 
In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.\r\n\r\nRevisions\r\n\u2022\t\r\n\r\nV1.0 (August 14, 2007): Bulletin published.", "edition": 1, "cvss3": {}, "published": "2007-08-15T00:00:00", "title": "http://www.microsoft.com/technet/security/bulletin/ms07-047.mspx", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2007-3037", "CVE-2007-3035"], "modified": "2007-08-15T00:00:00", "id": "SECURITYVULNS:DOC:17790", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:17790", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:23", "description": "ZDI-07-046: Microsoft Windows Media Player Skin Parsing Size Mismatch\r\n Heap Overflow Vulnerability\r\nhttp://www.zerodayinitiative.com/advisories/ZDI-07-046.html\r\nAugust 14, 2007\r\n\r\n-- CVE ID:\r\nCVE-2007-3037\r\n\r\n-- Affected Vendor:\r\nMicrosoft\r\n\r\n-- Affected Products:\r\nWindows Media Player 7.1\r\nWindows Media Player 9\r\nWindows Media Player 10\r\nWindows Media Player 11\r\n\r\n-- TippingPoint(TM) IPS Customer Protection:\r\nTippingPoint IPS customers have been protected against this\r\nvulnerability since August 14, 2007 by Digital Vaccine protection\r\nfilter ID 5535. For further product information on the TippingPoint IPS:\r\n\r\n http://www.tippingpoint.com \r\n\r\n-- Vulnerability Details:\r\nThis vulnerability allows attackers to execute arbitrary code on\r\nvulnerable installations of Microsoft Windows Media Player. 
User\r\ninteraction is required to exploit this vulnerability in that the\r\ntarget must visit a malicious page or open a malicious file.\r\n\r\nThe specific flaw exists during the parsing of malformed skin files\r\n(WMZ). A size compressed / decompressed size mismatch can result in an\r\nunder allocated heap buffer which can be leveraged by an attacker to\r\neventually execute arbitrary code under the context of the current\r\nuser.\r\n\r\n-- Vendor Response:\r\nMicrosoft has issued an update to correct this vulnerability. More\r\ndetails can be found at:\r\n\r\nhttp://www.microsoft.com/technet/security/bulletin/MS07-047.mspx\r\n\r\n-- Disclosure Timeline:\r\n2007.03.19 - Vulnerability reported to vendor\r\n2007.08.14 - Digital Vaccine released to TippingPoint customers\r\n2007.08.14 - Coordinated public release of advisory\r\n\r\n-- Credit:\r\nThis vulnerability was discovered by Piotr Bania.\r\n\r\n-- About the Zero Day Initiative (ZDI):\r\nEstablished by TippingPoint, a division of 3Com, The Zero Day Initiative\r\n(ZDI) represents a best-of-breed model for rewarding security\r\nresearchers for responsibly disclosing discovered vulnerabilities.\r\n\r\nResearchers interested in getting paid for their security research\r\nthrough the ZDI can find more information and sign-up at:\r\n\r\n http://www.zerodayinitiative.com\r\n\r\nThe ZDI is unique in how the acquired vulnerability information is used.\r\n3Com does not re-sell the vulnerability details or any exploit code.\r\nInstead, upon notifying the affected product vendor, 3Com provides its\r\ncustomers with zero day protection through its intrusion prevention\r\ntechnology. Explicit details regarding the specifics of the\r\nvulnerability are not exposed to any parties until an official vendor\r\npatch is publicly available. 
Furthermore, with the altruistic aim of\r\nhelping to secure a broader user base, 3Com provides this vulnerability\r\ninformation confidentially to security vendors (including competitors)\r\nwho have a vulnerability protection or mitigation product.\r\n\r\n\r\nCONFIDENTIALITY NOTICE: This e-mail message, including any attachments,\r\nis being sent by 3Com for the sole use of the intended recipient(s) and\r\nmay contain confidential, proprietary and/or privileged information.\r\nAny unauthorized review, use, disclosure and/or distribution by any \r\nrecipient is prohibited. If you are not the intended recipient, please\r\ndelete and/or destroy all copies of this message regardless of form and\r\nany included attachments and notify 3Com immediately by contacting the\r\nsender via reply e-mail or forwarding to 3Com at postmaster@3com.com. \r\n_______________________________________________\r\nFull-Disclosure - We believe in it.\r\nCharter: http://lists.grok.org.uk/full-disclosure-charter.html\r\nHosted and sponsored by Secunia - http://secunia.com/", "edition": 1, "cvss3": {}, "published": "2007-08-15T00:00:00", "title": "[Full-disclosure] ZDI-07-046: Microsoft Windows Media Player Skin Parsing Size Mismatch Heap Overflow Vulnerability", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2007-3037"], "modified": "2007-08-15T00:00:00", "id": "SECURITYVULNS:DOC:17798", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:17798", "cvss": {"score": 4.0, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-08-31T11:10:23", "description": "ZDI-07-047: Microsoft Windows Media Player Malformed Skin Header Code\r\n Execution Vulnerability\r\nhttp://www.zerodayinitiative.com/advisories/ZDI-07-047.html\r\nAugust 14, 2007\r\n\r\n-- CVE ID:\r\nCVE-2007-3035\r\n\r\n-- Affected Vendor:\r\nMicrosoft\r\n\r\n-- Affected Products:\r\nWindows Media Player 7.1\r\nWindows Media Player 9\r\nWindows Media Player 
10\r\nWindows Media Player 11\r\n\r\n-- Vulnerability Details:\r\nThis vulnerability allows attackers to execute arbitrary code on\r\nvulnerable installations of Microsoft Windows Media Player. User\r\ninteraction is required to exploit this vulnerability in that the\r\ntarget must visit a malicious page or open a malicious file.\r\n\r\nThe specific flaw exists while decompressing skin files (.WMZ and .WMD)\r\nwith malformed headers. During this process the malformed values are\r\nused to improperly calculate data which can later allow an attacker to\r\nexecute code under the rights of the current user.\r\n\r\n-- Vendor Response:\r\nMicrosoft has issued an update to correct this vulnerability. More\r\ndetails can be found at:\r\n\r\nhttp://www.microsoft.com/technet/security/bulletin/MS07-047.mspx\r\n\r\n-- Disclosure Timeline:\r\n2007.05.22 - Vulnerability reported to vendor\r\n2007.08.14 - Coordinated public release of advisory\r\n\r\n-- Credit:\r\nThis vulnerability was discovered by Piotr Bania.\r\n\r\n-- About the Zero Day Initiative (ZDI):\r\nEstablished by TippingPoint, a division of 3Com, The Zero Day Initiative\r\n(ZDI) represents a best-of-breed model for rewarding security\r\nresearchers for responsibly disclosing discovered vulnerabilities.\r\n\r\nResearchers interested in getting paid for their security research\r\nthrough the ZDI can find more information and sign-up at:\r\n\r\n http://www.zerodayinitiative.com\r\n\r\nThe ZDI is unique in how the acquired vulnerability information is used.\r\n3Com does not re-sell the vulnerability details or any exploit code.\r\nInstead, upon notifying the affected product vendor, 3Com provides its\r\ncustomers with zero day protection through its intrusion prevention\r\ntechnology. Explicit details regarding the specifics of the\r\nvulnerability are not exposed to any parties until an official vendor\r\npatch is publicly available. 
Furthermore, with the altruistic aim of\r\nhelping to secure a broader user base, 3Com provides this vulnerability\r\ninformation confidentially to security vendors (including competitors)\r\nwho have a vulnerability protection or mitigation product.\r\n\r\nCONFIDENTIALITY NOTICE: This e-mail message, including any attachments,\r\nis being sent by 3Com for the sole use of the intended recipient(s) and\r\nmay contain confidential, proprietary and/or privileged information.\r\nAny unauthorized review, use, disclosure and/or distribution by any \r\nrecipient is prohibited. If you are not the intended recipient, please\r\ndelete and/or destroy all copies of this message regardless of form and\r\nany included attachments and notify 3Com immediately by contacting the\r\nsender via reply e-mail or forwarding to 3Com at postmaster@3com.com. \r\n_______________________________________________\r\nFull-Disclosure - We believe in it.\r\nCharter: http://lists.grok.org.uk/full-disclosure-charter.html\r\nHosted and sponsored by Secunia - http://secunia.com/", "edition": 1, "cvss3": {}, "published": "2007-08-15T00:00:00", "title": "[Full-disclosure] ZDI-07-047: Microsoft Windows Media Player Malformed Skin Header Code Execution Vulnerability", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2007-3035"], "modified": "2007-08-15T00:00:00", "id": "SECURITYVULNS:DOC:17797", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:17797", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "mskb": [{"lastseen": "2021-01-01T22:37:06", "description": "<html><body><p>Resolves a reported vulnerability in Windows Media Player that could allow remote code execution.</p><h2>INTRODUCTION</h2><div class=\"kb-summary-section section\">Microsoft has released security bulletin MS07-047. The security bulletin contains all the relevant information about the security update. 
This information includes file manifest information and deployment options. To view the complete security bulletin, visit one of the following Microsoft Web sites: <br/> <ul class=\"sbody-free_list\"><li>Home users:<div class=\"indent\"><a href=\"http://www.microsoft.com/protect/computer/updates/bulletins/200708.mspx\" id=\"kb-link-1\" target=\"_self\">http://www.microsoft.com/protect/computer/updates/bulletins/200708.mspx</a></div></li><li>IT professionals:<div class=\"indent\"><a href=\"http://www.microsoft.com/technet/security/bulletin/ms07-047.mspx\" id=\"kb-link-2\" target=\"_self\">http://www.microsoft.com/technet/security/bulletin/ms07-047.mspx</a></div></li></ul></div><h2>More Information</h2><div class=\"kb-moreinformation-section section\"><h3 class=\"sbody-h3\">Known issues with this security update</h3><ul class=\"sbody-free_list\"><li>After you apply this security update, you cannot open .swf files in Windows Media Player. You receive an error message that resembles the following:<div class=\"sbody-error\">you must install a later version of the Macromedia Flash Player...</div><span> For more information, click the following article number to view the article in the Microsoft Knowledge Base: <div class=\"indent\"><a href=\"https://support.microsoft.com/en-us/help/941197\" id=\"kb-link-3\">941197 </a> After you apply security update 936782, you cannot open .swf files in Windows Media Player<br/><br/></div></span></li><li>Microsoft has made defense in depth changes to Microsoft Windows Media Player to help with security in social networking sites. 
<br/><span> For more information, click the following article number to view the article in the Microsoft Knowledge Base: <div class=\"indent\"><a href=\"https://support.microsoft.com/en-us/help/940893\" id=\"kb-link-4\">940893 </a> Changes in Windows Media Player that are introduced after you install security update 936782<br/><br/></div></span></li></ul></div></body></html>", "edition": 2, "cvss3": {}, "published": "2018-04-17T19:02:52", "type": "mskb", "title": "MS07-047: Vulnerability in Windows Media Player could allow remote code execution", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.6, "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2007-3037", "CVE-2007-3035"], "modified": "2018-04-17T19:02:52", "id": "KB936782", "href": "https://support.microsoft.com/en-us/help/936782/", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2021-08-19T13:13:39", "description": "The remote host is running Windows Media Player. There is a vulnerability in the remote version of this software that may allow an attacker to execute arbitrary code on the remote host. 
To exploit this flaw, one attacker would need to set up a rogue PNG image and send it to a victim on the remote host.", "cvss3": {"score": 5, "vector": "CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"}, "published": "2007-08-15T00:00:00", "type": "nessus", "title": "Windows Media Player Remote Code Execution Vulnerability (936782)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2007-3037", "CVE-2007-3035"], "modified": "2019-03-06T00:00:00", "cpe": ["cpe:2.3:a:microsoft:windows_media_player:*:*:*:*:*:*:*:*"], "id": "4173.PRM", "href": "https://www.tenable.com/plugins/nnm/4173", "sourceData": "Binary data 4173.prm", "cvss": {"score": 5.4, "vector": "CVSS2#AV:A/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-08-19T13:13:39", "description": "The remote host is running Windows Media Player. There is a vulnerability in the remote version of this software that may allow an attacker to execute arbitrary code on the remote host. To exploit this flaw, one attacker would need to set up a rogue PNG image and send it to a victim on the remote host.", "cvss3": {"score": 5, "vector": "CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"}, "published": "2007-08-15T00:00:00", "type": "nessus", "title": "Windows Media Player Remote Code Execution Vulnerability (936782)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2007-3037", "CVE-2007-3035"], "modified": "2019-03-06T00:00:00", "cpe": ["cpe:2.3:a:microsoft:windows_media_player:*:*:*:*:*:*:*:*"], "id": "4171.PRM", "href": "https://www.tenable.com/plugins/nnm/4171", "sourceData": "Binary data 4171.prm", "cvss": {"score": 5.4, "vector": "CVSS2#AV:A/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-08-19T13:13:39", "description": "The remote host is running Windows Media Player. There is a vulnerability in the remote version of this software that may allow an attacker to execute arbitrary code on the remote host. 
To exploit this flaw, one attacker would need to set up a rogue PNG image and send it to a victim on the remote host.", "cvss3": {"score": 5, "vector": "CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"}, "published": "2007-08-15T00:00:00", "type": "nessus", "title": "Windows Media Player Remote Code Execution Vulnerability (936782)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2007-3037", "CVE-2007-3035"], "modified": "2019-03-06T00:00:00", "cpe": ["cpe:2.3:a:microsoft:windows_media_player:*:*:*:*:*:*:*:*"], "id": "4174.PRM", "href": "https://www.tenable.com/plugins/nnm/4174", "sourceData": "Binary data 4174.prm", "cvss": {"score": 5.4, "vector": "CVSS2#AV:A/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-08-19T13:13:39", "description": "The remote host is running Windows Media Player. There is a vulnerability in the remote version of this software that may allow an attacker to execute arbitrary code on the remote host. To exploit this flaw, one attacker would need to set up a rogue PNG image and send it to a victim on the remote host.", "cvss3": {"score": 5, "vector": "CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"}, "published": "2007-08-15T00:00:00", "type": "nessus", "title": "Windows Media Player Remote Code Execution Vulnerability (936782)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2007-3037", "CVE-2007-3035"], "modified": "2019-03-06T00:00:00", "cpe": ["cpe:2.3:a:microsoft:windows_media_player:*:*:*:*:*:*:*:*"], "id": "4175.PRM", "href": "https://www.tenable.com/plugins/nnm/4175", "sourceData": "Binary data 4175.prm", "cvss": {"score": 5.4, "vector": "CVSS2#AV:A/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-08-19T13:13:39", "description": "The remote host is running Windows Media Player. There is a vulnerability in the remote version of this software that may allow an attacker to execute arbitrary code on the remote host. 
To exploit this flaw, one attacker would need to set up a rogue PNG image and send it to a victim on the remote host.", "cvss3": {"score": 5, "vector": "CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"}, "published": "2007-08-15T00:00:00", "type": "nessus", "title": "Windows Media Player Remote Code Execution Vulnerability (936782)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2007-3037", "CVE-2007-3035"], "modified": "2019-03-06T00:00:00", "cpe": ["cpe:2.3:a:microsoft:windows_media_player:*:*:*:*:*:*:*:*"], "id": "4176.PRM", "href": "https://www.tenable.com/plugins/nnm/4176", "sourceData": "Binary data 4176.prm", "cvss": {"score": 5.4, "vector": "CVSS2#AV:A/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-08-19T13:13:40", "description": "There is a vulnerability in the remote version of Windows Media Player that may allow an attacker to execute arbitrary code on the remote host.\n\nTo exploit this flaw, one attacker would need to set up a rogue PNG image and send it to a victim on the remote host.", "cvss3": {"score": null, "vector": null}, "published": "2007-08-14T00:00:00", "type": "nessus", "title": "MS07-047: Vulnerability in Windows Media Player Could Allow Remote Code Execution (936782)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2007-3037", "CVE-2007-3035"], "modified": "2018-11-15T00:00:00", "cpe": ["cpe:/o:microsoft:windows", "cpe:/a:microsoft:windows_media_player"], "id": "SMB_NT_MS07-047.NASL", "href": "https://www.tenable.com/plugins/nessus/25885", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(25885);\n script_version(\"1.33\");\n script_cvs_date(\"Date: 2018/11/15 20:50:30\");\n\n script_cve_id(\"CVE-2007-3037\", \"CVE-2007-3035\");\n script_bugtraq_id(25305, 25307);\n script_xref(name:\"MSFT\", value:\"MS07-047\");\n script_xref(name:\"MSKB\", value:\"936782\");\n \n\n script_name(english:\"MS07-047: Vulnerability in Windows Media Player Could Allow 
Remote Code Execution (936782)\");\n script_summary(english:\"Checks the version of Media Player\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"Arbitrary code can be executed on the remote host through Windows Media\nPlayer.\");\n script_set_attribute(attribute:\"description\", value:\n\"There is a vulnerability in the remote version of Windows Media Player\nthat may allow an attacker to execute arbitrary code on the remote host.\n\nTo exploit this flaw, one attacker would need to set up a rogue PNG\nimage and send it to a victim on the remote host.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2007/ms07-047\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-07-047/\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for Windows 2000, XP, 2003 and\nVista.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(94, 119);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2007/08/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2007/08/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2007/08/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:windows_media_player\");\n script_end_attributes();\n script_category(ACT_GATHER_INFO);\n\n script_copyright(english:\"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.\");\n 
script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, 'Host/patch_management_checks');\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS07-047';\nkb = '936782';\n\nkbs = make_list(kb);\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win2k:'4,5', xp:'2,3', win2003:'1,2', vista:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nversion = get_kb_item(\"SMB/WindowsMediaPlayer\");\nif (!version) audit(AUDIT_NOT_INST, \"Windows Media Player\");\n\nrootfile = hotfix_get_systemroot();\nif (!rootfile) exit(1, \"Failed to get the system root.\");\n\nshare = hotfix_path2share(path:rootfile);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n hotfix_is_vulnerable(os:\"6.0\", file:\"Wmp.dll\", version:\"11.0.6000.6336\", min_version:\"11.0.0.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n\n hotfix_is_vulnerable(os:\"5.2\", sp:1, file:\"Wmp.dll\", version:\"10.0.0.3709\", min_version:\"10.0.0.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"Wmp.dll\", version:\"10.0.0.3998\", min_version:\"10.0.0.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n\n hotfix_is_vulnerable(os:\"5.1\", file:\"Wmp.dll\", version:\"9.0.0.3354\", min_version:\"9.0.0.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"5.1\", file:\"Wmp.dll\", version:\"10.0.0.4058\", min_version:\"10.0.0.0\", 
dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"5.1\", file:\"Wmp.dll\", version:\"11.0.5721.5230\", min_version:\"11.0.0.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n\n hotfix_is_vulnerable(os:\"5.0\", file:\"Wmpui.dll\", version:\"7.10.0.3080\", min_version:\"7.0.0.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"5.0\", file:\"Wmp.dll\", version:\"9.0.0.3354\", min_version:\"9.0.0.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb)\n)\n{\n set_kb_item(name:\"SMB/Missing/\"+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, 'affected');\n}\n", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2017-07-02T21:13:38", "description": "This host is missing a critical security update according to\n Microsoft Bulletin MS07-047.", "cvss3": {}, "published": "2011-01-14T00:00:00", "type": "openvas", "title": "Vulnerabilities in Windows Media Player Could Allow Remote Code Execution (936782)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2007-3037", "CVE-2007-3035"], "modified": "2017-02-20T00:00:00", "id": "OPENVAS:801714", "href": "http://plugins.openvas.org/nasl.php?oid=801714", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ms07-047.nasl 5362 2017-02-20 12:46:39Z cfi $\n#\n# Vulnerabilities in Windows Media Player Could Allow Remote Code Execution (936782)\n#\n# Authors:\n# Madhuri D <dmadhuri@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it 
will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_impact = \"Successful exploitation will allow the attacker to execute arbitrary code in\n the context of the user running the application.\n Impact Level: System/Application\";\ntag_affected = \"Microsoft Windows Media Player 7.1\n Microsoft Windows Media Player 9\n Microsoft Windows Media Player 10\";\ntag_insight = \"The flaws are due to an errors in the parsing of header information \n in skin files.\";\ntag_solution = \"Run Windows Update and update the listed hotfixes or download and\n update mentioned hotfixes in the advisory from the below link,\n http://www.microsoft.com/technet/security/bulletin/ms07-047.mspx\";\ntag_summary = \"This host is missing a critical security update according to\n Microsoft Bulletin MS07-047.\";\n\nif(description)\n{\n script_id(801714);\n script_version(\"$Revision: 5362 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-02-20 13:46:39 +0100 (Mon, 20 Feb 2017) $\");\n script_tag(name:\"creation_date\", value:\"2011-01-14 07:39:17 +0100 (Fri, 14 Jan 2011)\");\n script_cve_id(\"CVE-2007-3037\", \"CVE-2007-3035\");\n script_bugtraq_id(25307, 25305);\n script_tag(name:\"cvss_base\", value:\"7.6\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:H/Au:N/C:C/I:C/A:C\");\n script_name(\"Vulnerabilities in Windows Media Player Could Allow Remote Code Execution (936782)\");\n script_xref(name : \"URL\" , value : \"http://secunia.com/advisories/26433\");\n script_xref(name : \"URL\" , value : 
\"http://xforce.iss.net/xforce/xfdb/35895\");\n script_xref(name : \"URL\" , value : \"http://www.microsoft.com/technet/security/bulletin/ms07-047.mspx\");\n\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2011 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"secpod_reg_enum.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\n## Check for OS and Service Pack\nif(hotfix_check_sp(xp:4, win2k:5, win2003:3, winVista:3) <= 0){\n exit(0);\n}\n\n## MS07-047 Hotfix\nif(hotfix_missing(name:\"936782\") == 0){\n exit(0);\n}\n\n## Get System32 path\nsysPath = registry_get_sz(key:\"SOFTWARE\\Microsoft\\COM3\\Setup\",\n item:\"Install Path\");\nif(sysPath)\n{\n dllVer = fetch_file_version(sysPath, file_name:\"Wmp.dll\");\n dllVer2 = fetch_file_version(sysPath, file_name:\"Wmpui.dll\");\n if(dllVer || dllVer2)\n {\n # Windows 2K\n if(hotfix_check_sp(win2k:5) > 0)\n {\n # Grep for Wmp.dll version 9.0 < 9.0.0.3354, Wmpui.dll version 7.0 < 7.10.0.3080\n if(version_in_range(version:dllVer, test_version:\"9.0\", test_version2:\"9.0.0.3353\") ||\n version_in_range(version:dllVer2, test_version:\"7.0\", test_version2:\"7.10.0.3079\")){\n security_message(0);\n }\n }\n \n ## Windows XP\n if(hotfix_check_sp(xp:4) > 0)\n {\n SP = get_kb_item(\"SMB/WinXP/ServicePack\");\n if(\"Service Pack 2\" >< SP)\n {\n ## Check for wmp.dll version\n if(version_in_range(version:dllVer, test_version:\"9.0\", 
test_version2:\"9.0.0.3353\")||\n version_in_range(version:dllVer, test_version:\"10\", test_version2:\"10.0.0.4057\")||\n version_in_range(version:dllVer, test_version:\"11\", test_version2:\"11.0.5721.5229\")){\n security_message(0);\n }\n }\n \n if(\"Service Pack 3\" >< SP)\n {\n ## Check for wmp.dll version\n if(version_in_range(version:dllVer, test_version:\"10\", test_version2:\"10.0.0.4057\")||\n version_in_range(version:dllVer, test_version:\"11\", test_version2:\"11.0.5721.5229\")){\n security_message(0);\n }\n exit(0);\n } \n security_message(0);\n }\n \n ## Windows 2003\n else if(hotfix_check_sp(win2003:3) > 0)\n { \n SP = get_kb_item(\"SMB/Win2003/ServicePack\");\n if(\"Service Pack 1\" >< SP)\n {\n ## Check for wmp.dll version\n if(version_in_range(version:dllVer, test_version:\"10\", test_version2:\"10.0.0.3708\")){\n security_message(0);\n }\n exit(0);\n }\n \n if(\"Service Pack 2\" >< SP)\n { \n ## Check for wmp.dll version\n if(version_in_range(version:dllVer, test_version:\"10\", test_version2:\"10.0.0.3997\")){\n security_message(0);\n }\n exit(0);\n }\n security_message(0);\n }\n }\n}\n\nsysPath = registry_get_sz(key:\"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\",\n item:\"PathName\");\nif(!sysPath){\n exit(0);\n}\n\ndllVer = fetch_file_version(sysPath, file_name:\"system32\\wmp.dll\");\nif(!dllVer){\n exit(0);\n}\n\n## Windows Vista\nif(hotfix_check_sp(winVista:3) > 0)\n{\n ## Check for wmp.dll version\n if(version_in_range(version:dllVer, test_version:\"11\", test_version2:\"11.0.6000.6335\")){\n security_message(0);\n }\n exit(0);\n}\n", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2020-01-08T14:04:49", "description": "This host is missing a critical security update according to\n Microsoft Bulletin MS07-047.", "cvss3": {}, "published": "2011-01-14T00:00:00", "type": "openvas", "title": "Vulnerabilities in Windows Media Player Could Allow Remote Code Execution (936782)", 
"bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2007-3037", "CVE-2007-3035"], "modified": "2020-01-07T00:00:00", "id": "OPENVAS:1361412562310801714", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310801714", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Vulnerabilities in Windows Media Player Could Allow Remote Code Execution (936782)\n#\n# Authors:\n# Madhuri D <dmadhuri@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.801714\");\n script_version(\"2020-01-07T09:06:32+0000\");\n script_tag(name:\"last_modification\", value:\"2020-01-07 09:06:32 +0000 (Tue, 07 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2011-01-14 07:39:17 +0100 (Fri, 14 Jan 2011)\");\n script_cve_id(\"CVE-2007-3037\", \"CVE-2007-3035\");\n script_bugtraq_id(25307, 25305);\n script_tag(name:\"cvss_base\", value:\"7.6\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:H/Au:N/C:C/I:C/A:C\");\n script_name(\"Vulnerabilities in Windows Media Player Could Allow Remote Code Execution (936782)\");\n script_xref(name:\"URL\", 
value:\"http://xforce.iss.net/xforce/xfdb/35895\");\n script_xref(name:\"URL\", value:\"https://docs.microsoft.com/en-us/security-updates/securitybulletins/2007/ms07-047\");\n\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2011 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"secpod_reg_enum.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/registry_enumerated\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow the attacker to execute arbitrary code in\n the context of the user running the application.\");\n script_tag(name:\"affected\", value:\"- Microsoft Windows Media Player 7.1\n\n - Microsoft Windows Media Player 9\n\n - Microsoft Windows Media Player 10\");\n script_tag(name:\"insight\", value:\"The flaws are due to an errors in the parsing of header information\n in skin files.\");\n script_tag(name:\"solution\", value:\"The vendor has released updates. 
Please see the references for more information.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"summary\", value:\"This host is missing a critical security update according to\n Microsoft Bulletin MS07-047.\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(xp:4, win2k:5, win2003:3, winVista:3) <= 0){\n exit(0);\n}\n\n## MS07-047 Hotfix\nif(hotfix_missing(name:\"936782\") == 0){\n exit(0);\n}\n\nsysPath = registry_get_sz(key:\"SOFTWARE\\Microsoft\\COM3\\Setup\",\n item:\"Install Path\");\nif(sysPath)\n{\n dllVer = fetch_file_version(sysPath:sysPath, file_name:\"Wmp.dll\");\n dllVer2 = fetch_file_version(sysPath:sysPath, file_name:\"Wmpui.dll\");\n if(dllVer || dllVer2)\n {\n if(hotfix_check_sp(win2k:5) > 0)\n {\n if(version_in_range(version:dllVer, test_version:\"9.0\", test_version2:\"9.0.0.3353\") ||\n version_in_range(version:dllVer2, test_version:\"7.0\", test_version2:\"7.10.0.3079\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n }\n\n if(hotfix_check_sp(xp:4) > 0)\n {\n SP = get_kb_item(\"SMB/WinXP/ServicePack\");\n if(\"Service Pack 2\" >< SP)\n {\n if(version_in_range(version:dllVer, test_version:\"9.0\", test_version2:\"9.0.0.3353\")||\n version_in_range(version:dllVer, test_version:\"10\", test_version2:\"10.0.0.4057\")||\n version_in_range(version:dllVer, test_version:\"11\", test_version2:\"11.0.5721.5229\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n }\n\n if(\"Service Pack 3\" >< SP)\n {\n if(version_in_range(version:dllVer, test_version:\"10\", test_version2:\"10.0.0.4057\")||\n version_in_range(version:dllVer, test_version:\"11\", test_version2:\"11.0.5721.5229\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n exit(0);\n }\n security_message( port: 0, data: \"The 
target host was found to be vulnerable\" );\n }\n\n else if(hotfix_check_sp(win2003:3) > 0)\n {\n SP = get_kb_item(\"SMB/Win2003/ServicePack\");\n if(\"Service Pack 1\" >< SP)\n {\n if(version_in_range(version:dllVer, test_version:\"10\", test_version2:\"10.0.0.3708\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n exit(0);\n }\n\n if(\"Service Pack 2\" >< SP)\n {\n if(version_in_range(version:dllVer, test_version:\"10\", test_version2:\"10.0.0.3997\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n exit(0);\n }\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n }\n}\n\nsysPath = registry_get_sz(key:\"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\",\n item:\"PathName\");\nif(!sysPath){\n exit(0);\n}\n\ndllVer = fetch_file_version(sysPath:sysPath, file_name:\"system32\\wmp.dll\");\nif(!dllVer){\n exit(0);\n}\n\nif(hotfix_check_sp(winVista:3) > 0)\n{\n if(version_in_range(version:dllVer, test_version:\"11\", test_version2:\"11.0.6000.6335\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n exit(0);\n}\n", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}], "checkpoint_advisories": [{"lastseen": "2021-12-17T12:46:25", "description": "Microsoft Windows Media Player is an application for the Microsoft Windows operating system. It supports numerous video, audio, and image formats. A buffer overflow vulnerability has been identified in Microsoft Windows Media Player. Remote attacker could exploit this issue via a malformed skin file. 
Successful exploitation of these vulnerabilities may allow execution of arbitrary code on a target system.", "cvss3": {}, "published": "2007-08-22T00:00:00", "type": "checkpoint_advisories", "title": "Microsoft Media Player Skin Parsing Code Execution (MS07-047; CVE-2007-3037)", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.0, "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2007-3037"], "modified": "2011-11-29T00:00:00", "id": "CPAI-2007-102", "href": "", "cvss": {"score": 4.0, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2021-12-17T12:37:20", "description": "Microsoft Windows Media Player (WMP) is a popular multi-media application bundled with recent versions of the Microsoft Windows operating system. The application supports the playback of numerous video, audio, and image formats, as well as the playback of streaming content from remote sources. To enhance the flexibility of the application, Microsoft has implemented a Skin selection mechanism that allows the users to change the look of the application's Graphical User Interface (GUI). There exists a code execution vulnerability in Microsoft Windows Media Player. The vulnerability is caused due to a boundary error when decompressing the encoded data from WMZ and WMD files. A remote attacker can exploit this vulnerability by enticing the target user to open crafted WMZ and WMD files, potentially causing arbitrary code to be injected and executed in the security context of the currently logged in user. 
In a simple attack case, the affected Windows Media Player may terminate when the malicious page is opened. In a sophisticated attack scenario, where the malicious user is successful in injecting and executing supplied code, the behavior of the system is dependent on the nature of the injected code. Any code injected into the vulnerable component would execute in the security context of the currently logged in user.", "cvss3": {}, "published": "2010-07-27T00:00:00", "type": "checkpoint_advisories", "title": "Microsoft Windows Media Player Skin Decompression Code Execution (CVE-2007-3035)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.6, "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2007-3035"], "modified": "2010-07-27T00:00:00", "id": "CPAI-2007-310", "href": "", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}], "zdi": [{"lastseen": "2022-01-31T22:41:58", "description": "This vulnerability allows attackers to execute arbitrary code on vulnerable installations of Microsoft Windows Media Player. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists during the parsing of malformed skin files (WMZ). 
A compressed/decompressed size mismatch can result in an under-allocated heap buffer which can be leveraged by an attacker to eventually execute arbitrary code under the context of the current user.", "cvss3": {}, "published": "2007-08-14T00:00:00", "type": "zdi", "title": "Microsoft Windows Media Player Skin Parsing Size Mismatch Heap Overflow Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.0, "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2007-3037"], "modified": "2007-08-14T00:00:00", "id": "ZDI-07-046", "href": "https://www.zerodayinitiative.com/advisories/ZDI-07-046/", "cvss": {"score": 4.0, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2022-01-31T22:41:55", "description": "This vulnerability allows attackers to execute arbitrary code on vulnerable installations of Microsoft Windows Media Player. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists while decompressing skin files (.WMZ and .WMD) with malformed headers. 
During this process the malformed values are used to improperly calculate data which can later allow an attacker to execute code under the rights of the current user.", "cvss3": {}, "published": "2007-08-14T00:00:00", "type": "zdi", "title": "Microsoft Windows Media Player Malformed Skin Header Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.6, "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2007-3035"], "modified": "2007-08-14T00:00:00", "id": "ZDI-07-047", "href": "https://www.zerodayinitiative.com/advisories/ZDI-07-047/", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}], "seebug": [{"lastseen": "2017-11-19T22:00:19", "description": "BUGTRAQ ID: 25305\r\nCVE(CAN) ID: CVE-2007-3037\r\n\r\nMedia Player is the media player bundled by default with the Windows operating system.\r\n\r\nMedia Player has a buffer overflow vulnerability when processing malformed skin files; a remote attacker could exploit it to take control of a user's system by enticing the user to process a malicious file.\r\n\r\nWhen parsing a malformed skin file (WMZ),
Media Player incorrectly matches the compressed and decompressed sizes; if a user is tricked into loading a malicious skin file or visits a malicious site, this can trigger a heap overflow and lead to execution of arbitrary instructions.\r\n\r\n\n\nMicrosoft Windows Media Player 9.0\r\nMicrosoft Windows Media Player 7.1\r\nMicrosoft Windows Media Player 11\r\nMicrosoft Windows Media Player 10.0\n Workaround:\r\n\r\n* Remove the WMZ and WMD file extension associations\r\n \r\n1. Click \"Start\", click \"Run\", type \"regedit\" (without the double quotes), and then click \"OK\".\r\n2. Expand \"HKEY_CLASSES_ROOT\", click \".WMZ\", then right-click and select \"Export\". Note: by default this creates a backup of the registry key in the \"My Documents\" folder.\r\n3. In the \"Export Registry File\" window, type \"WMZ file association registry backup.reg\" and press \"Save\".\r\n4. Press the \"Delete\" key on the keyboard to delete the registry key. Select \"Yes\" to confirm the deletion.\r\n5. Repeat steps 2 through 5 for the WMD key.\r\n \r\n* Unregister Wmp.dll \r\n\r\n1.
Click \"Start\", then \"Run\", type \"regedit -u %windir%\\system32\\wmp.dll\" (without the quotes), and then click \"OK\".\r\n2. When a dialog box appears confirming that the process completed successfully, click \"OK\".\r\n\r\nVendor patch:\r\n\r\nMicrosoft\r\n---------\r\nMicrosoft has released a security bulletin (MS07-047) and corresponding patches for this issue:\r\nMS07-047: Vulnerabilities in Windows Media Player Could Allow Remote Code Execution (936782)\r\nLink: http://www.microsoft.com/technet/security/Bulletin/MS07-047.mspx?pf=true", "cvss3": {}, "published": "2007-08-17T00:00:00", "title": "Windows Media Player Skin Parsing Size Mismatch Heap Overflow Vulnerability (MS07-047)", "type": "seebug", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2007-3037"], "modified": "2007-08-17T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-2127", "id": "SSV:2127", "sourceData": "", "sourceHref": "", "cvss": {"score": 4.0, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}}, {"lastseen": "2017-11-19T21:59:45", "description": "BUGTRAQ ID: 25307\r\nCVE(CAN) ID: CVE-2007-3035\r\n\r\nMedia Player is the media player bundled by default with the Windows operating system.\r\n\r\nMedia Player has a vulnerability when processing malformed skin files; a remote attacker could exploit it to take control of the system by enticing a user to process a malicious file.\r\n\r\nMedia
Player has a vulnerability when decompressing skin files (.WMZ and .WMD) with malformed header structures; if a user is tricked into loading a malicious skin file or visits a malicious site, this can lead to execution of arbitrary instructions.\r\n\r\n\n\nMicrosoft Windows Media Player 9.0\r\nMicrosoft Windows Media Player 7.1\r\nMicrosoft Windows Media Player 11\r\nMicrosoft Windows Media Player 10.0\n Workaround:\r\n\r\n* Remove the WMZ and WMD file extension associations\r\n \r\n1. Click \"Start\", click \"Run\", type \"regedit\" (without the double quotes), and then click \"OK\".\r\n2. Expand \"HKEY_CLASSES_ROOT\", click \".WMZ\", then right-click and select \"Export\". Note: by default this creates a backup of the registry key in the \"My Documents\" folder.\r\n3. In the \"Export Registry File\" window, type \"WMZ file association registry backup.reg\" and press \"Save\".\r\n4. Press the \"Delete\" key on the keyboard to delete the registry key. Select \"Yes\" to confirm the deletion.\r\n5. Repeat steps 2 through 5 for the WMD key.\r\n \r\n* Unregister Wmp.dll \r\n\r\n1.
Click \"Start\", then \"Run\", type \"regedit -u %windir%\\system32\\wmp.dll\" (without the quotes), and then click \"OK\".\r\n2. When a dialog box appears confirming that the process completed successfully, click \"OK\".\r\n\r\nVendor patch:\r\n\r\nMicrosoft\r\n---------\r\nMicrosoft has released a security bulletin (MS07-047) and corresponding patches for this issue:\r\nMS07-047: Vulnerabilities in Windows Media Player Could Allow Remote Code Execution (936782)\r\nLink: http://www.microsoft.com/technet/security/Bulletin/MS07-047.mspx?pf=true", "cvss3": {}, "published": "2007-08-17T00:00:00", "title": "Windows Media Player Skin File Parsing Remote Code Execution Vulnerability (MS07-047)", "type": "seebug", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2007-3035"], "modified": "2007-08-17T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-2128", "id": "SSV:2128", "sourceData": "", "sourceHref": "", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "cve": [{"lastseen": "2022-03-23T12:24:30", "description": "Microsoft Windows Media Player 7.1, 9, 10, and 11 allows remote attackers to execute arbitrary code via a skin file (WMZ or WMD) with crafted header information that causes a size mismatch between compressed and decompressed data and triggers a heap-based buffer overflow, aka \"Windows Media Player Code Execution Vulnerability Parsing Skins.\"", "cvss3": {}, "published": "2007-08-14T21:17:00", "type": "cve", "title": "CVE-2007-3037", "cwe": ["CWE-119", "CWE-94"], "bulletinFamily": "NVD", 
"cvss2": {"severity": "MEDIUM", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.0, "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2007-3037"], "modified": "2018-10-16T16:47:00", "cpe": ["cpe:/a:microsoft:windows_media_player:11", "cpe:/a:microsoft:windows_media_player:7.1", "cpe:/a:microsoft:windows_media_player:10", "cpe:/a:microsoft:windows_media_player:9"], "id": "CVE-2007-3037", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-3037", "cvss": {"score": 4.0, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:N"}, "cpe23": ["cpe:2.3:a:microsoft:windows_media_player:9:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:windows_media_player:10:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:windows_media_player:7.1:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:windows_media_player:11:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T12:24:28", "description": "Unspecified vulnerability in Microsoft Windows Media Player 7.1, 9, 10, and 11 allows remote attackers to execute arbitrary code via a skin file (WMZ or WMD) with crafted header information that is not properly handled during decompression, aka \"Windows Media Player Code Execution Vulnerability Decompressing Skins.\"", "cvss3": {}, "published": "2007-08-14T21:17:00", "type": "cve", "title": "CVE-2007-3035", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.6, "vectorString": 
"AV:N/AC:H/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2007-3035"], "modified": "2018-10-16T16:47:00", "cpe": ["cpe:/a:microsoft:windows_media_player:11", "cpe:/a:microsoft:windows_media_player:7.1", "cpe:/a:microsoft:windows_media_player:10", "cpe:/a:microsoft:windows_media_player:9"], "id": "CVE-2007-3035", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-3035", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:microsoft:windows_media_player:9:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:windows_media_player:11:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:windows_media_player:10:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:windows_media_player:7.1:*:*:*:*:*:*:*"]}]}