Windows Media Player PNG Chunk Decoding Stack-Based Buffer Overflow
iDefense Security Advisory 06.13.06
http://www.idefense.com/application/poi/display?type=vulnerabilities
June 13, 2006
I. BACKGROUND
Windows Media Player is a video and audio file player for Windows-based
systems. It supports multiple file formats and allows playing files from
either the local filesystem or the network. More information can be
found at:
http://www.microsoft.com/windows/windowsmedia/mp10/default.aspx
II. DESCRIPTION
Remote exploitation of a stack-based buffer overflow in the handling of
PNG image file chunks by Microsoft Corp.'s Windows Media Player could
allow attackers to execute arbitrary code.
The Portable Network Graphics (PNG) specification defines an extensible,
portable image format that gives lossless compression and allows
transparency masking of various types. The format was developed as a
patent-free alternative to GIF and TIFF format images, and the official
specification is published on the W3C website. Windows Media Player can
be called as a 'helper application' in Internet Explorer and Mozilla
browsers, which increases the likelihood of exploitation.
Windows Media Player uses a fixed-size buffer in a function that
processes certain chunk types, and no validation is performed on the
length of the chunks this function is passed. Therefore, a stack-based
buffer overflow can occur when WMP interprets a PNG file with an
excessive chunk size.
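The missing length validation described above, shown as an added example rather than code from Windows Media Player or from the advisory: a C check that walks a PNG's chunks and rejects any declared length that runs past the input, contradicts a size fixed by the PNG specification, or exceeds an assumed consumer limit. The function names, the 64-byte limit and the constructed sample (including its tEXt chunk) are illustrative assumptions; the advisory does not say which chunk types are affected.

```c
/* Added example, not Windows Media Player code. The advisory names neither
 * the chunk types nor the buffer size, so the limit used here is assumed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum png_status {
    PNG_OK, PNG_BAD_SIGNATURE, PNG_NO_IEND,
    PNG_TRUNCATED,        /* declared length runs past the end of the input */
    PNG_LENGTH_MISMATCH,  /* chunk type has a spec-fixed size, file disagrees */
    PNG_LENGTH_TOO_LARGE  /* ancillary chunk larger than the consumer accepts */
};

struct png_finding {
    enum png_status status;
    size_t offset;        /* offset of the chunk header that was rejected */
    char type[5];
    uint32_t length;      /* length field exactly as declared in the file */
};

/* Data sizes fixed by the PNG specification for these chunk types. */
static const struct { const char *type; uint32_t len; } fixed_len[] = {
    {"IHDR", 13}, {"gAMA", 4}, {"cHRM", 32}, {"pHYs", 9},
    {"tIME", 7},  {"sRGB", 1}, {"IEND", 0},
};

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Walk every chunk (4-byte length, 4-byte type, data, 4-byte CRC) and stop at
 * the first declared length that must not be trusted. max_ancillary stands
 * for what the consumer's fixed buffers can hold. CRCs are not verified. */
enum png_status png_check_chunks(const uint8_t *buf, size_t n,
                                 uint32_t max_ancillary, struct png_finding *f)
{
    static const uint8_t sig[8] = {0x89, 'P', 'N', 'G', '\r', '\n', 0x1a, '\n'};
    size_t off = 8, i;
    memset(f, 0, sizeof *f);
    if (n < 8 || memcmp(buf, sig, 8) != 0)
        return f->status = PNG_BAD_SIGNATURE;
    while (off < n) {
        f->offset = off;
        if (n - off < 12)
            return f->status = PNG_TRUNCATED;
        f->length = be32(buf + off);
        memcpy(f->type, buf + off + 4, 4);
        if (f->length > n - off - 12)      /* cannot wrap: n - off >= 12 */
            return f->status = PNG_TRUNCATED;
        for (i = 0; i < sizeof fixed_len / sizeof fixed_len[0]; i++)
            if (memcmp(f->type, fixed_len[i].type, 4) == 0 &&
                f->length != fixed_len[i].len)
                return f->status = PNG_LENGTH_MISMATCH;
        /* A lowercase first letter (bit 5 set) marks an ancillary chunk. */
        if ((f->type[0] & 0x20) && f->length > max_ancillary)
            return f->status = PNG_LENGTH_TOO_LARGE;
        if (memcmp(f->type, "IEND", 4) == 0)
            return f->status = PNG_OK;
        off += 12 + (size_t)f->length;
    }
    return f->status = PNG_NO_IEND;
}

/* Constructed sample input: signature, IHDR, gAMA, tEXt, IDAT, IEND with
 * zeroed data and CRCs. Only the length fields matter to the check. */
static struct png_finding demo_finding;

static size_t put_chunk(uint8_t *out, size_t off, const char *type,
                        uint32_t declared, size_t actual)
{
    out[off] = (uint8_t)(declared >> 24);
    out[off + 1] = (uint8_t)(declared >> 16);
    out[off + 2] = (uint8_t)(declared >> 8);
    out[off + 3] = (uint8_t)declared;
    memcpy(out + off + 4, type, 4);
    memset(out + off + 8, 0, actual + 4);  /* data bytes plus CRC */
    return off + 12 + actual;
}

/* uint8_t sizes keep the sample inside png[]; 64 is an assumed limit. */
enum png_status demo_scan(uint8_t gama_len, uint32_t text_declared,
                          uint8_t text_actual)
{
    uint8_t png[1024] = {0x89, 'P', 'N', 'G', '\r', '\n', 0x1a, '\n'};
    size_t off = put_chunk(png, 8, "IHDR", 13, 13);
    off = put_chunk(png, off, "gAMA", gama_len, gama_len);
    off = put_chunk(png, off, "tEXt", text_declared, text_actual);
    off = put_chunk(png, off, "IDAT", 4, 4);
    off = put_chunk(png, off, "IEND", 0, 0);
    return png_check_chunks(png, off, 64, &demo_finding);
}

int main(void)
{
    int s = demo_scan(4, 200, 200);
    printf("%d %s %u\n", s, demo_finding.type, (unsigned)demo_finding.length);
    return 0;
}
```

The same walk can run in a mail or web gateway ahead of the player, with the ancillary limit set to whatever the downstream parser is known to tolerate.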
III. ANALYSIS
Exploitation could allow a remote attacker to execute code in the
context of the currently logged-in user. In order to exploit this
vulnerability, the victim must open a maliciously constructed file in
Windows Media Player or follow a link in their browser to a website
hosting such a file. No further user interaction is required for
exploitation.
In order to trigger this vulnerability, an attacker could construct a
maliciously formed PNG file and link to it via an OBJECT tag on a
website under their control.
iDefense Labs has constructed a proof-of-concept exploit which achieved
reliable code execution in both Internet Explorer and Mozilla Firefox.
IV. DETECTION
iDefense Labs has verified the existence of this vulnerability in
version 10 of Microsoft Windows Media Player on Windows XP
SP2 with all security patches installed as of May 23, 2006.
Microsoft has reported that the following versions are affected:
Windows Media Player 7.1
Windows Media Player for XP
Windows Media Player 9
Microsoft Windows Media Player 10
V. WORKAROUND
Any of the last three workarounds listed in the advisory for MS06-005
can be used to prevent exploitation.
* Modify the Access Control List on the DirectX "Filter Graph no
thread" registry key.
* Back up and remove the DirectX "Filter Graph no thread" registry
key.
* Unregister Quartz.dll.
Implementing these workarounds might prevent applications that use
DirectX from functioning properly.
This vulnerability is not the same as MS06-005, and the MS06-005 patches
do not fix this vulnerability. The workarounds for that vulnerability
are applicable here only because the vulnerability is in the same
application and called in a similar manner.
VI. VENDOR RESPONSE
The vendor security advisory and appropriate patches are available at:
http://www.microsoft.com/technet/security/Bulletin/MS06-024.mspx
VII. CVE INFORMATION
The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2006-0025 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.
VIII. DISCLOSURE TIMELINE
02/22/2006 Initial vendor notification
02/22/2006 Initial vendor response
06/13/2006 Coordinated public disclosure
IX. CREDIT
This vulnerability was discovered by Greg MacManus, iDefense Labs.
Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp
Free tools, research and upcoming events
http://labs.idefense.com
X. LEGAL NOTICES
Copyright (c) 2006 iDefense, Inc.
Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice@idefense.com for permission.
Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.
{"saint": [{"lastseen": "2021-07-29T16:40:33", "description": "Added: 06/16/2006 \nCVE: [CVE-2006-0025](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0025>) \nBID: [18385](<http://www.securityfocus.com/bid/18385>) \nOSVDB: [26430](<http://www.osvdb.org/26430>) \n\n\n### Background\n\n[Windows Media Player](<http://www.microsoft.com/windows/windowsmedia/default.mspx>) is an audio and video media player for Windows platforms. \n\n### Problem\n\nA buffer overflow in Windows Media Player allows command execution when a user opens a specially crafted PNG image file. \n\n### Resolution\n\nApply the patch referenced in [Microsoft Security Bulletin 06-024](<http://www.microsoft.com/technet/security/bulletin/MS06-024.mspx>). \n\n### References\n\n<http://www.kb.cert.org/vuls/id/608020> \n<http://www.idefense.com/intelligence/vulnerabilities/display.php?id=406> \n\n\n### Limitations\n\nSuccessful exploitation requires a user to download a PNG file and open it in Windows Media Player. \n\nExecution of this exploit requires the Digest::CRC PERL module. On Linux systems this is typically found in a package named such as libdigest-crc-perl or perl-Digest-CRC. 
\n\n### Platforms\n\nWindows 2000 \n \n\n", "cvss3": {}, "published": "2006-06-16T00:00:00", "type": "saint", "title": "Windows Media Player PNG buffer overflow", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2006-0025"], "modified": "2006-06-16T00:00:00", "id": "SAINT:22F8CEA2C48CD689DD2D73E95291BF89", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/wmp_png", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2016-10-03T15:01:56", "description": "Added: 06/16/2006 \nCVE: [CVE-2006-0025](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0025>) \nBID: [18385](<http://www.securityfocus.com/bid/18385>) \nOSVDB: [26430](<http://www.osvdb.org/26430>) \n\n\n### Background\n\n[Windows Media Player](<http://www.microsoft.com/windows/windowsmedia/default.mspx>) is an audio and video media player for Windows platforms. \n\n### Problem\n\nA buffer overflow in Windows Media Player allows command execution when a user opens a specially crafted PNG image file. \n\n### Resolution\n\nApply the patch referenced in [Microsoft Security Bulletin 06-024](<http://www.microsoft.com/technet/security/bulletin/MS06-024.mspx>). \n\n### References\n\n<http://www.kb.cert.org/vuls/id/608020> \n<http://www.idefense.com/intelligence/vulnerabilities/display.php?id=406> \n\n\n### Limitations\n\nSuccessful exploitation requires a user to download a PNG file and open it in Windows Media Player. \n\nExecution of this exploit requires the Digest::CRC PERL module. 
On Linux systems this is typically found in a package named such as libdigest-crc-perl or perl-Digest-CRC. \n\n### Platforms\n\nWindows 2000 \n \n\n", "cvss3": {}, "published": "2006-06-16T00:00:00", "type": "saint", "title": "Windows Media Player PNG buffer overflow", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2006-0025"], "modified": "2006-06-16T00:00:00", "id": "SAINT:08C0BDF0A8B3F094CFA0A9F995DBDAAC", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/wmp_png", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2021-07-28T14:33:21", "description": "Added: 06/16/2006 \nCVE: [CVE-2006-0025](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0025>) \nBID: [18385](<http://www.securityfocus.com/bid/18385>) \nOSVDB: [26430](<http://www.osvdb.org/26430>) \n\n\n### Background\n\n[Windows Media Player](<http://www.microsoft.com/windows/windowsmedia/default.mspx>) is an audio and video media player for Windows platforms. \n\n### Problem\n\nA buffer overflow in Windows Media Player allows command execution when a user opens a specially crafted PNG image file. \n\n### Resolution\n\nApply the patch referenced in [Microsoft Security Bulletin 06-024](<http://www.microsoft.com/technet/security/bulletin/MS06-024.mspx>). \n\n### References\n\n<http://www.kb.cert.org/vuls/id/608020> \n<http://www.idefense.com/intelligence/vulnerabilities/display.php?id=406> \n\n\n### Limitations\n\nSuccessful exploitation requires a user to download a PNG file and open it in Windows Media Player. \n\nExecution of this exploit requires the Digest::CRC PERL module. On Linux systems this is typically found in a package named such as libdigest-crc-perl or perl-Digest-CRC. 
\n\n### Platforms\n\nWindows 2000 \n \n\n", "cvss3": {}, "published": "2006-06-16T00:00:00", "type": "saint", "title": "Windows Media Player PNG buffer overflow", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2006-0025"], "modified": "2006-06-16T00:00:00", "id": "SAINT:11A5ADE99E81DDD83C53653FB7C283E6", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/wmp_png", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-01-26T11:33:20", "description": "Added: 06/16/2006 \nCVE: [CVE-2006-0025](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0025>) \nBID: [18385](<http://www.securityfocus.com/bid/18385>) \nOSVDB: [26430](<http://www.osvdb.org/26430>) \n\n\n### Background\n\n[Windows Media Player](<http://www.microsoft.com/windows/windowsmedia/default.mspx>) is an audio and video media player for Windows platforms. \n\n### Problem\n\nA buffer overflow in Windows Media Player allows command execution when a user opens a specially crafted PNG image file. \n\n### Resolution\n\nApply the patch referenced in [Microsoft Security Bulletin 06-024](<http://www.microsoft.com/technet/security/bulletin/MS06-024.mspx>). \n\n### References\n\n<http://www.kb.cert.org/vuls/id/608020> \n<http://www.idefense.com/intelligence/vulnerabilities/display.php?id=406> \n\n\n### Limitations\n\nSuccessful exploitation requires a user to download a PNG file and open it in Windows Media Player. \n\nExecution of this exploit requires the Digest::CRC PERL module. 
On Linux systems this is typically found in a package named such as libdigest-crc-perl or perl-Digest-CRC. \n\n### Platforms\n\nWindows 2000 \n \n\n", "cvss3": {}, "published": "2006-06-16T00:00:00", "type": "saint", "title": "Windows Media Player PNG buffer overflow", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2006-0025"], "modified": "2006-06-16T00:00:00", "id": "SAINT:7ECE8B705CF25CF605B31A74F939ABA7", "href": "https://download.saintcorporation.com/cgi-bin/exploit_info/wmp_png", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "checkpoint_advisories": [{"lastseen": "2021-12-17T12:31:02", "description": "An attacker can exploit this vulnerability by enticing a user to open a crafted PNG file, resulting in the possible injection and execution of arbitrary code on the target system with the privileges of the currently logged-in user. A remote stack buffer overflow vulnerability has been discovered in Microsoft Windows Media Player. The flaw is caused due to an improper parsing of chunk fields in Portable Network Graphics (PNG) files. An attacker can exploit this vulnerability by enticing a user to open a crafted PNG file, resulting in the possible injection and execution of an arbitrary code. 
Successful exploitation of this vulnerability could cause the code executed to be within the privileges of the currently logged in user.", "cvss3": {}, "published": "2011-04-27T00:00:00", "type": "checkpoint_advisories", "title": "Microsoft Windows Media Player PNG Chunk Handling Stack Overflow (MS06-024) - High Confidence (CVE-2006-0025)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2006-0025"], "modified": "2013-03-05T00:00:00", "id": "CPAI-2006-326", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-10T00:00:00", "description": "Windows Media Player is a feature of the Windows operating system for personal computers. It is used for playing audio and video. The Portable Network Graphics (PNG) specification is an image format used as an alternative to other image formats such as the GIF and TIFF formats. Windows Media Player fails to handle the processing of PNG images. An attacker could exploit this by constructing specially crafted Windows Media Player content that could potentially allow remote code execution if a user visits a malicious Web site or clicks on a specially crafted WMZ file in an email message.The protection outlined in this advisory is an enhancement to SmartDefense Malformed PNG protection published in June 22. 
2005 in response to Microsoft Security Bulletin MS05-025.", "cvss3": {}, "published": "2006-07-05T00:00:00", "type": "checkpoint_advisories", "title": "Update Protection against Microsoft Windows Media Player PNG Vulnerability (MS06-024)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2006-0025"], "modified": "2007-05-15T00:00:00", "id": "CPAI-2006-079", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-10T16:44:26", "description": "Portable Network Graphics (PNG) is a popular image file format. 
Specially crafted PNG files may be used to create a DoS condition and in some cases, arbitrary code execution.", "cvss3": {}, "published": "2013-03-24T00:00:00", "type": "checkpoint_advisories", "title": "Internet Explorer PNG Image Rendering Memory Corruption - improved performance (MS05-025; CVE-2005-1211; CVE-2006-0025)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2005-1211", "CVE-2006-0025"], "modified": "2013-05-12T00:00:00", "id": "CPAI-2005-99", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-27T07:22:44", "description": "An attacker can exploit this vulnerability by enticing a user to open a crafted PNG file, resulting in the possible injection and execution of arbitrary code on the target system with the privileges of the currently logged-in user. A remote stack buffer overflow vulnerability has been discovered in Microsoft Windows Media Player. The flaw is caused due to an improper parsing of chunk fields in Portable Network Graphics (PNG) files. An attacker can exploit this vulnerability by enticing a user to open a crafted PNG file, resulting in the possible injection and execution of an arbitrary code. 
Successful exploitation of this vulnerability could cause the code executed to be within the privileges of the currently logged in user.", "cvss3": {}, "published": "2012-02-20T00:00:00", "type": "checkpoint_advisories", "title": "Microsoft Windows Media Player PNG Chunk Handling Code Execution (MS06-024; CVE-2006-0025; CVE-2007-2365)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2006-0025", "CVE-2007-2365"], "modified": "2013-05-16T00:00:00", "id": "CPAI-2012-065", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-10T00:00:00", "description": "The Content Protection defenses allow users of VPN-1 NGX R62, R61 and R60 to block malicious content over multiple protocols. The protection includes well known file types such as popular image files and Microsoft Office files that are prone to denial of service and remote code execution vulnerabilities.The Content Protection defenses have been updated, enhanced and improved. 
It is advised to update your VPN-1 product to the latest SmartDefense update in order for the changes to take effect.", "cvss3": {}, "published": "2006-12-04T00:00:00", "type": "checkpoint_advisories", "title": "Security Best Practice: SmartDefense Content Protection Defenses", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": true, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2005-1219", "CVE-2006-0006", "CVE-2006-0010", "CVE-2006-0025", "CVE-2006-2378", "CVE-2006-3431"], "modified": "2007-05-08T00:00:00", "id": "SBP-2006-13", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:18", "description": "Microsoft Security Bulletin MS06-024\r\nVulnerability in Windows Media Player Could Allow Remote Code Execution (917734)\r\nPublished: June 13, 2006\r\n\r\nVersion: 1.0\r\nSummary\r\n\r\nWho Should Read this Document: Customers who use Microsoft Windows Media Player\r\n\r\nImpact of Vulnerability: Remote Code Execution\r\n\r\nMaximum Severity Rating: Critical\r\n\r\nRecommendation: Customers should apply the update immediately\r\n\r\nSecurity Update Replacement: This bulletin replaces a prior security update. 
See the frequently asked questions (FAQ) section of this bulletin for the complete list.\r\n\r\nCaveats: None\r\n\r\nTested Software and Security Update Download Locations:\r\n\r\nAffected Software:\r\n\u2022\t\r\n\r\nWindows Media Player for XP on Microsoft Windows XP Service Pack 1 \u2013 Download the update\r\n\u2022\t\r\n\r\nWindows Media Player 9 on Microsoft Windows XP Service Pack 2 \u2013 Download the update\r\n\u2022\t\r\n\r\nWindows Media Player 10 on Microsoft Windows XP Professional x64 Edition \u2013 Download the update\r\n\u2022\t\r\n\r\nWindows Media Player 9 on Microsoft Windows Server 2003 \u2013 Download the update\r\n\u2022\t\r\n\r\nWindows Media Player 10 on Microsoft Windows Server 2003 Service Pack 1 \u2013 Download the update\r\n\u2022\t\r\n\r\nWindows Media Player 10 on Microsoft Windows Server 2003 x64 Edition \u2013 Download the update\r\n\u2022\t\r\n\r\nMicrosoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (Me) \u2013 Review the FAQ section of this bulletin for details about these operating systems.\r\n\r\nTested Microsoft Windows Components:\r\n\r\nAffected Components:\r\n\u2022\t\r\n\r\nMicrosoft Windows Media Player 7.1 when installed on Windows 2000 Service Pack 4 \u2013 Download the update\r\n\u2022\t\r\n\r\nMicrosoft Windows Media Player 9 when installed on Windows 2000 Service Pack 4 or Windows XP Service Pack 1 \u2013 Download the update\r\n\u2022\t\r\n\r\nMicrosoft Windows Media Player 10 when installed on Windows XP Service Pack 1 or Windows XP Service Pack 2 \u2013 Download the update\r\nTop of sectionTop of section\r\n\u2022\t\r\n\r\nNon-Affected Software:\r\n\u2022\t\r\n\r\nWindows Media Player 6.4 on all Microsoft Windows operating systems\r\n\u2022\t\r\n\r\nMicrosoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems\r\n\r\nNote The \u201cAffected Software\u201d section applies to Windows Media Player that 
shipped with a Microsoft Windows operating system. The \u201cAffected Components\u201d section applies to Windows Media Player that was downloaded and installed onto Microsoft Windows.\r\n\r\nNote The security updates for Microsoft Windows Server 2003, Windows Server 2003 Service Pack 1, and Windows Server 2003 x64 Edition also apply to Windows Server 2003 R2.\r\n\r\nThe software in this list has been tested to determine whether the versions are affected. Other versions either no longer include security update support or may not be affected. To determine the support life cycle for your product and version, visit the Microsoft Support Lifecycle Web site.\r\nGeneral Information\r\n\t\r\nExecutive Summary\r\n\r\nExecutive Summary:\r\n\r\nThis update resolves a newly discovered, privately reported vulnerability. The vulnerability is documented in the "Vulnerability Details" section of this bulletin.\r\n\r\nIf a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. 
Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.

We recommend that customers apply the update immediately.

Severity Ratings and Vulnerability Identifiers:

Vulnerability Identifiers:               Windows Media Player PNG Vulnerability CVE-2006-0025
Impact of Vulnerability:                 Remote Code Execution
Windows Media Player 7.1:                Important
Windows Media Player for XP:             Important
Windows Media Player 9 (All Versions):   Critical
Windows Media Player 10 (All Versions):  Critical

This assessment is based on the types of systems that are affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.

Note: The security updates for Microsoft Windows Server 2003, Windows Server 2003 Service Pack 1, and Windows Server 2003 x64 Edition also apply to Windows Server 2003 R2.

Frequently Asked Questions (FAQ) Related to this Security Update

What updates does this release replace?
This security update replaces a prior security update. The security bulletin ID and affected operating systems are listed in the following table.

Bulletin ID:                             MS06-005 (911565)
Windows Media Player 7.1:                Replaced
Windows Media Player for XP:             Replaced
Windows Media Player 9 (All Versions):   Replaced
Windows Media Player 10 (All Versions):  Replaced

I’ve installed the Windows Media Player (KB917734) security update. What version of Wmp.dll or Wmpui.dll should I have installed?
Please refer to the chart to determine what file version of Wmp.dll or Wmpui.dll you should have installed.

Windows Operating System:                                      File Name   File Version
Windows 2000 Service Pack 4, Windows Media Player 7.1          Wmpui.dll   7.10.0.3078
Windows 2000 Service Pack 4, Windows Media Player 9            Wmp.dll     9.0.0.3349
Windows XP Service Pack 1, Windows Media Player for XP         Wmpui.dll   8.0.0.4496
Windows XP Service Pack 1, Windows Media Player 9              Wmp.dll     9.0.0.3349
Windows XP Service Pack 1, Windows Media Player 10             Wmp.dll     10.0.0.4036
Windows XP Service Pack 2, Windows Media Player 9              Wmp.dll     9.0.0.3349
Windows XP Service Pack 2, Windows Media Player 10             Wmp.dll     10.0.0.4036
Windows XP Professional x64 Edition, Windows Media Player 10   Wmp.dll     10.0.0.3704
Windows Server 2003, Windows Media Player 9                    Wmp.dll     9.0.0.3349
Windows Server 2003 Service Pack 1, Windows Media Player 10    Wmp.dll     10.0.0.3704
Windows Server 2003 x64 Edition, Windows Media Player 10       Wmp.dll     10.0.0.3704

How does the extended support for Windows 98, Windows 98 Second Edition, and Windows Millennium Edition affect the release of security updates for these operating systems?
Microsoft will only release security updates for critical security issues. Updates for non-critical security issues are not offered during this support period.
For more information about the Microsoft Support Lifecycle policies for these operating systems, visit the following Web site.

For more information about severity ratings, visit the following Web site.

Critical security updates for this platform are available and are provided as part of this security bulletin and can be downloaded only from the Windows Update Web site. For more information about severity ratings, visit the following Web site.

Extended security update support for Microsoft Windows NT Workstation 4.0 Service Pack 6a and Windows 2000 Service Pack 2 ended on June 30, 2004. Extended security update support for Microsoft Windows NT Server 4.0 Service Pack 6a ended on December 31, 2004. Extended security update support for Microsoft Windows 2000 Service Pack 3 ended on June 30, 2005. I am still using one of these operating systems. What should I do?
Windows NT Workstation 4.0 Service Pack 6a, Windows NT Server 4.0 Service Pack 6a, Windows 2000 Service Pack 2, and Windows 2000 Service Pack 3 have reached the end of their life cycles. It should be a priority for customers who have these operating system versions to migrate to supported versions to prevent potential exposure to vulnerabilities. For more information about the Windows Product Lifecycle, visit the following Microsoft Support Lifecycle Web site. For more information about the extended security update support period for these operating system versions, visit the Microsoft Product Support Services Web site.

Customers who require custom support for these products must contact their Microsoft account team representative, their Technical Account Manager, or the appropriate Microsoft partner representative for custom support options. Customers without an Alliance, Premier, or Authorized Contract can contact their local Microsoft sales office.
For contact information, visit the Microsoft Worldwide Information Web site, select the country, and then click Go to see a list of telephone numbers. When you call, ask to speak with the local Premier Support sales manager. For more information, see the Windows Operating System Product Support Lifecycle FAQ.

Can I use the Microsoft Baseline Security Analyzer (MBSA) or the Enterprise Update Scan Tool (EST) to determine whether this update is required?

The following table provides the MBSA detection summary for this security update.

Product                             MBSA 1.2.1   Enterprise Update Scan Tool (EST)   MBSA 2.0
Windows Media Player 7.1            Yes          Not Applicable                      Yes
Windows Media Player for XP         Yes          Not Applicable                      Yes
Windows Media Player 9              Yes          Not Applicable                      Yes
Microsoft Windows Media Player 10   No           Yes                                 Yes

MBSA 1.2.1 does not support the detection of Windows Media Player 10.

For more information about MBSA, visit the MBSA Web site. For more information about the programs that Microsoft Update and MBSA 2.0 currently do not detect, see Microsoft Knowledge Base Article 895660.

What is the Enterprise Update Scan Tool (EST)?
As part of an ongoing commitment to provide detection tools for bulletin-class security updates, Microsoft delivers a stand-alone detection tool whenever the Microsoft Baseline Security Analyzer (MBSA) and the Office Detection Tool (ODT) cannot detect whether the update is required for an MSRC release cycle. This stand-alone tool is called the Enterprise Update Scan Tool (EST) and is designed for enterprise administrators. When a version of the Enterprise Update Scan Tool is created for a specific bulletin, customers can run the tool from a command line interface (CLI) and view the results of the XML output file.
To help customers better utilize the tool, detailed documentation will be provided with the tool. There is also a version of the tool that offers an integrated experience for SMS administrators.

Can I use a version of the Enterprise Update Scan Tool (EST) to determine whether this update is required?
Yes. Microsoft has created a version of the EST that will determine if you have to apply this update. For download links and more information about the version of the EST that is being released this month, see the following Microsoft Web site. SMS customers should review the "Can I use Systems Management Server (SMS) to determine whether this update is required?" FAQ for more information about SMS and EST.

Can I use Systems Management Server (SMS) to determine whether this update is required?

The following table provides the SMS detection summary for this security update.

Product                             SMS 2.0          SMS 2003
Windows Media Player 7.1            Yes              Yes
Windows Media Player for XP         Yes              Yes
Windows Media Player 9              Yes              Yes
Microsoft Windows Media Player 10   Yes (with EST)   Yes

SMS uses MBSA for detection. Therefore, SMS has the same limitation that is listed earlier in this bulletin related to software that MBSA does not detect.

For SMS 2.0, the SMS SUS Feature Pack, which includes the Security Update Inventory Tool, can be used by SMS to detect security updates. SMS SUIT uses the MBSA 1.2.1 engine for detection. For more information about the Security Update Inventory Tool, visit the following Microsoft Web site. For more information about the limitations of the Security Update Inventory Tool, see Microsoft Knowledge Base Article 306460.
The SMS SUS Feature Pack also includes the Microsoft Office Inventory Tool to detect required updates for Microsoft Office applications.

For SMS 2003, the SMS 2003 Inventory Tool for Microsoft Updates can be used by SMS to detect security updates that are offered by Microsoft Update and that are supported by Windows Server Update Services. For more information about the SMS 2003 Inventory Tool for Microsoft Updates, visit the following Microsoft Web site. SMS 2003 can also use the Microsoft Office Inventory Tool to detect required updates for Microsoft Office applications.

For more information about SMS, visit the SMS Web site.

For information about the EST see the FAQ “What is the Enterprise Update Scan Tool (EST)?” and the following Microsoft Web site.

Vulnerability Details

Windows Media Player PNG Vulnerability - CVE-2006-0025

A remote code execution vulnerability exists in Windows Media Player due to the way it handles the processing of PNG images. An attacker could exploit the vulnerability by constructing specially crafted Windows Media Player content that could potentially allow remote code execution if a user visits a malicious Web site or opens an email message with malicious content. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

Mitigating Factors for Windows Media Player PNG Vulnerability - CVE-2006-0025:

• In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to attempt to exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade users to visit the Web site, typically by getting them to click a link that takes them to the attacker's site.
It could also be possible to display malicious Web content by using banner advertisements or by using other methods to deliver Web content to affected systems.

• When using Microsoft Windows 2000 Service Pack 4 with Windows Media Player 7.1 or Windows XP Service Pack 1 with Windows Media Player for XP, users are not vulnerable in a Web-based attack scenario. Users are still vulnerable if a user downloads and installs a malicious Windows Media Player skin.

• In an e-mail attack scenario, an attacker could exploit the vulnerability by sending a specially crafted .WMZ file to the user and by persuading the user to open the file.

• An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.

Workarounds for Windows Media Player PNG Vulnerability - CVE-2006-0025:

Microsoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified in the following section.

There are several different attack vectors that Microsoft has identified for this vulnerability. Each attack vector has a different workaround.

Note: The following steps require Administrator privileges. We recommend that you restart the computer after you apply this workaround. Alternatively, you can log out and log back in after you apply the workaround.

Modify the Access Control List on the DirectX “Filter Graph no thread” Registry Key

Modifying the Access Control List on the “Filter Graph no thread” registry key helps protect the affected system from attempts to exploit this vulnerability.
To modify the Filter Graph no Thread Splitter registry key, follow these steps.

Note: Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. For information about how to edit the registry, view the "Changing Keys and Values" Help topic in Registry Editor (Regedit.exe) or view the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.

Note: We recommend backing up the registry before you edit it.

For Windows 2000

Note: Make a note of the permissions that are listed in the dialog box so that you can restore them to their original values at a later time.

1. Click Start, click Run, type regedt32, and then click OK.

2. Expand HKEY_CLASSES_ROOT, expand CLSID, and then click {E436EBB8-524F-11CE-9F53-0020AF0BA770}.

3. Click Security, and then click Permissions.

4. Click to clear the Allow Inheritable Permissions from the parent to propagate to this object check box. You are prompted to click Copy, Remove, or Cancel. Click Remove, and then click OK.

5. You receive a message that states that no one will be able to access this registry key.
Click Yes when you are prompted to do so.

For Windows XP Service Pack 1 or later operating systems

Note: Make a note of the permissions that are listed in the dialog box so that you can restore them to their original values at a later time.

1. Click Start, click Run, type "regedit" (without the quotation marks), and then click OK.

2. Expand HKEY_CLASSES_ROOT, expand CLSID, and then click {E436EBB8-524F-11CE-9F53-0020AF0BA770}.

3. Click Edit, and then click Permissions.

4. Click Advanced.

5. Click to clear the Inherit from parent the permission entries that apply to child objects. Include these with entries explicitly defined here check box. You are prompted to click Copy, Remove, or Cancel. Click Remove, and then click OK.

6. You receive a message that states that no one will be able to access this registry key. Click Yes, and then click OK to close the Permissions for {E436EBB8-524F-11CE-9F53-0020AF0BA770} dialog box.

Note: If you have backed up and removed the DirectX “Filter Graph no thread” registry key, you do not need to modify the Access Control List on the DirectX “Filter Graph no thread” registry key.

Impact of Workaround: This workaround disables image rendering and audio and video playback in any number of DirectX-enabled applications.

Backup and remove the DirectX “Filter Graph no thread” registry key

Removing the “Filter Graph no thread” registry key helps protect the affected system from attempts to exploit this vulnerability. To backup and remove the “Filter Graph no thread” registry key, follow these steps:

Note: Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system.
Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. For information about how to edit the registry, view the "Changing Keys and Values" Help topic in Registry Editor (Regedit.exe) or view the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.

Note: We recommend backing up the registry before you edit it.

1. Click Start, click Run, type "regedit" (without the quotation marks), and then click OK.

2. Expand HKEY_CLASSES_ROOT, expand CLSID, and then click {E436EBB8-524F-11CE-9F53-0020AF0BA770}.

3. Click File, and then click Export.

4. In the Export Registry File dialog box, type a file name in the File Name box, and then click Save.

5. Click Edit, and then click Delete to remove the registry key.

6. In the Confirm Key Delete dialog box, you receive an “Are you sure you want to delete this key and all of its sub keys” message. Click Yes.

Note: If you have backed up and removed the DirectX “Filter Graph no thread” registry key, you do not need to modify the Access Control List on the DirectX “Filter Graph no thread” registry key.

Impact of Workaround: This workaround disables image rendering and audio and video playback in any number of DirectX-enabled applications.

Un-register Wmp.dll

Un-registering the Wmp.dll registry key helps protect the affected system from attempts to exploit this vulnerability.
To modify the Wmp.dll registry key, follow these steps.

1. Click Start, click Run, type "regsvr32 -u %windir%\system32\wmp.dll" (without the quotation marks), and then click OK.

2. When a dialog box appears that confirms that the process has been successful, click OK.

3. Select the File Types tab.

Impact of Workaround: This workaround disables the Windows Media Player and applications that use the embedded Windows Media ActiveX Control.

Disassociate the WMZ file extensions

Disassociation of WMZ in Windows prevents previewing or opening WMZ files that point to malformed PNG files.

1. Launch Windows Explorer.

2. Click Tools, Folder Options, and then select the File Types tab.

3. Scroll to find the WMZ file extension and then click Delete.

Note: Removing the skin file association needs to be done in addition to at least one of the workarounds listed above.

Impact of Workaround: This workaround prevents users from applying skin files to Windows Media Player by double clicking on them. Users can still apply skin files that are in their default ‘skins’ directory.

FAQ for Windows Media Player PNG Vulnerability - CVE-2006-0025:

What is the scope of the vulnerability?
A remote code execution vulnerability exists in Windows Media Player due to the way it handles the processing of PNG images. An attacker could exploit the vulnerability by constructing specially crafted Windows Media Player content that could potentially allow remote code execution if a user visits a malicious Web site or clicks on a specially crafted WMZ file in an email message.
An attacker who successfully exploited this vulnerability could take complete control of an affected system.

If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.

What causes the vulnerability?
An unchecked buffer in the PNG processing code within Windows Media Player.

What is Windows Media Player?
Windows Media Player is a feature of the Windows operating system for personal computers. It is used for playing audio and video.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could take complete control of the affected system.

How could an attacker exploit the vulnerability?
In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to attempt to exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site. It could also be possible to display malicious Web content by using banner advertisements or by using other methods to deliver Web content to affected systems.

In an e-mail attack scenario, an attacker could exploit the vulnerability by sending a specially crafted file to the user and by persuading the user to open the file.

What systems are primarily at risk from the vulnerability?
Workstations and terminal servers are primarily at risk.
Servers could be at more risk if users who do not have sufficient administrative permissions are given the ability to log on to servers and to run programs. However, best practices strongly discourage allowing this.

Are Windows 98, Windows 98 Second Edition, or Windows Millennium Edition critically affected by this vulnerability?
Yes. This vulnerability is critical for Windows Media Player 9 on Windows 98 Second Edition, and Windows Millennium Edition. Critical security updates for these platforms may not be available concurrently with the other security updates provided as part of this security bulletin. They will be made available as soon as possible following the release. When these security updates are available, you will be able to download them only from the Windows Update Web site. For more information about severity ratings, visit the following Web site.

What does the update do?
The update removes the vulnerability by modifying the way that the Windows Media Player validates the processing code before it passes it to the allocated buffer.

When this security bulletin was issued, had this vulnerability been publicly disclosed?
No. Microsoft received information about this vulnerability through responsible disclosure. Microsoft had not received any information to indicate that this vulnerability had been publicly disclosed when this security bulletin was originally issued.

When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
No.
Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.

Security Update Information

Affected Software:

For information about the specific security update for your affected software, click the appropriate link:

Windows Server 2003 (all versions)

Prerequisites
This security update requires Windows Server 2003 or Windows Server 2003 Service Pack 1.

Note: The security updates for Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1 also apply to Microsoft Windows Server 2003 R2.

Inclusion in Future Service Packs:
The update for this issue will be included in a future Service Pack or Update Rollup.

Installation Information

This security update supports the following setup switches.

Supported Security Update Installation Switches

Switch             Description
/help              Displays the command-line options.

Setup Modes
/passive           Unattended Setup mode. No user interaction is required, but installation status is displayed. If a restart is required at the end of setup, a dialog box will be presented to the user with a timer warning that the computer will restart in 30 seconds.
/quiet             Quiet mode. This is the same as unattended mode, but no status or error messages are displayed.

Restart Options
/norestart         Does not restart when installation has completed.
/forcerestart      Restarts the computer after installation and forces other applications to close at shutdown without saving open files first.
/warnrestart[:x]   Displays a dialog box with a timer warning the user that the computer will restart in x seconds. (The default setting is 30 seconds.) Intended for use with the /quiet switch or the /passive switch.
/promptrestart     Displays a dialog box prompting the local user to allow a restart.

Special Options
/overwriteoem      Overwrites OEM files without prompting.
/nobackup          Does not back up files needed for uninstallation.
/forceappsclose    Forces other programs to close when the computer shuts down.
/log:path          Allows the redirection of installation log files.
/integrate:path    Integrates the update into the Windows source files. These files are located at the path that is specified in the switch.
/extract[:path]    Extracts files without starting the Setup program.
/ER                Enables extended error reporting.
/verbose           Enables verbose logging. During installation, creates %Windir%\CabBuild.log. This log details the files that are copied. Using this switch may cause the installation to proceed more slowly.

Note: You can combine these switches into one command. For backward compatibility, the security update also supports many of the setup switches that the earlier version of the Setup program uses. For more information about the supported installation switches, see Microsoft Knowledge Base Article 262841.
For more information about the Update.exe installer, visit the Microsoft TechNet Web site.

Deployment Information

To install the security update without any user intervention, use the following command at a command prompt for Windows Server 2003:

    WindowsMedia9-KB917734-x86-enu /quiet

    WindowsServer2003-KB917734-x86-enu /quiet

    WindowsServer2003.WindowsXP-KB917734-x64-enu /quiet

Note: Use of the /quiet switch will suppress all messages. This includes suppressing failure messages. Administrators should use one of the supported methods to verify the installation was successful when they use the /quiet switch. Administrators should also review the KB917734.log file for any failure messages when they use this switch.

To install the security update without forcing the system to restart, use the following command at a command prompt for Windows Server 2003:

    WindowsMedia9-KB917734-x86-enu /norestart

    WindowsServer2003-KB917734-x86-enu /norestart

    WindowsServer2003.WindowsXP-KB917734-x64-enu /norestart

For information about how to deploy this security update by using Software Update Services, visit the Software Update Services Web site. For more information about how to deploy this security update using Windows Server Update Services, visit the Windows Server Update Services Web site. This security update will also be available through the Microsoft Update Web site.

Restart Requirement

This update does not require a restart. The installer stops the required services, applies the update, and then restarts the services. However, if the required services cannot be stopped for any reason, or if required files are being used, this update will require a restart. If this behavior occurs, a message appears that advises you to restart.

This security update does not support HotPatching.
For more information about HotPatching see Microsoft Knowledge Base Article 897341.

Removal Information

To remove this update, use the Add or Remove Programs tool in Control Panel.

System administrators can also use the Spuninst.exe utility to remove this security update. The Spuninst.exe utility is located in the %Windir%\$NTUninstallKB917734$\Spuninst folder or the %Windir%\$NtUninstallKB917734_WMP9$\Spuninst folder.

Supported Spuninst.exe Switches

Switch             Description
/help              Displays the command-line options.

Setup Modes
/passive           Unattended Setup mode. No user interaction is required, but installation status is displayed. If a restart is required at the end of setup, a dialog box will be presented to the user with a timer warning that the computer will restart in 30 seconds.
/quiet             Quiet mode. This is the same as unattended mode, but no status or error messages are displayed.

Restart Options
/norestart         Does not restart when installation has completed.
/forcerestart      Restarts the computer after installation and forces other applications to close at shutdown without saving open files first.
/warnrestart[:x]   Displays a dialog box with a timer warning the user that the computer will restart in x seconds. (The default setting is 30 seconds.) Intended for use with the /quiet switch or the /passive switch.
/promptrestart     Displays a dialog box prompting the local user to allow a restart.

Special Options
/forceappsclose    Forces other programs to close when the computer shuts down.
/log:path          Allows the redirection of installation log files.

File Information

The English version of this security update has the file attributes that are listed in the following table.
The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

Windows Media Player 9 on Windows Server 2003, Web Edition; Windows Server 2003, Standard Edition; Windows Server 2003, Datacenter Edition; Windows Server 2003, Enterprise Edition; Windows Small Business Server 2003:

File Name   Version       Date          Time    Size
Wmp.dll     9.0.0.3349    24-Apr-2006   22:40   4,730,880

Windows Media Player 10 on Windows Server 2003, Web Edition; Windows Server 2003 with SP1, Standard Edition; Windows Server 2003 with SP1, Datacenter Edition; Windows Server 2003, Enterprise Edition; Windows Small Business Server 2003 with SP1; Windows Server 2003 R2, Web Edition; Windows Server 2003 R2, Standard Edition; Windows Server 2003 R2, Datacenter Edition; Windows Server 2003 R2, Enterprise Edition; Windows Small Business Server 2003 R2:

File Name   Version       Date          Time    Size        Folder
Wmp.dll     10.0.0.3704   18-May-2006   02:20   6,045,696   SP1GDR
Wmp.dll     10.0.0.3704   18-May-2006   04:01   6,045,696   SP1QFE

Windows Media Player 10 on Windows Server 2003, Standard x64 Edition; Windows Server 2003, Enterprise x64 Edition; and Windows Server 2003, Datacenter x64 Edition; Windows Server 2003 R2, Standard x64 Edition; Windows Server 2003 R2, Enterprise x64 Edition; and Windows Server 2003 R2, Datacenter x64 Edition:

File Name   Version       Date          Time    Size        CPU   Folder
Wwmp.dll    10.0.0.3704   18-May-2006   04:17   6,045,696   x64   SP1GDR\wow
Wwmp.dll    10.0.0.3704   18-May-2006   04:17   6,045,696   x64   SP1QFE\wow

Notes: When you install these security updates, the installer checks to see if one or more of the files that are being updated on your system have previously been updated by a Microsoft hotfix.

If you have previously installed a hotfix to update one of these files, the installer copies the RTMQFE or SP1QFE files to your system. Otherwise, the installer copies the RTMGDR or SP1GDR files to your system. Security updates may not contain all variations of these files. For more information about this behavior, see Microsoft Knowledge Base Article 824994.

For more information about the Update.exe installer, visit the Microsoft TechNet Web site.

For more information about the terminology that appears in this bulletin, such as hotfix, see Microsoft Knowledge Base Article 824684.

• Microsoft Baseline Security Analyzer

To verify that a security update has been applied to an affected system, you can use the Microsoft Baseline Security Analyzer (MBSA) tool. MBSA allows administrators to scan local and remote systems for missing security updates and for common security misconfigurations. For more information about MBSA, visit the Microsoft Baseline Security Analyzer Web site.

• File Version Verification

Note: Because there are several versions of Microsoft Windows, the following steps may be different on your computer.
If they are, see your product documentation to complete these steps.\r\n\r\n1.\r\n\t\r\n\r\nClick Start, and then click Search.\r\n\r\n2.\r\n\t\r\n\r\nIn the Search Results pane, click All files and folders under Search Companion.\r\n\r\n3.\r\n\t\r\n\r\nIn the All or part of the file name box, type a file name from the appropriate file information table, and then click Search.\r\n\r\n4.\r\n\t\r\n\r\nIn the list of files, right-click a file name from the appropriate file information table, and then click Properties.\r\n\r\nNote Depending on the version of the operating system or programs installed, some of the files that are listed in the file information table may not be installed.\r\n\r\n5.\r\n\t\r\n\r\nOn the Version tab, determine the version of the file that is installed on your computer by comparing it to the version that is documented in the appropriate file information table.\r\n\r\nNote Attributes other than the file version may change during installation. Comparing other file attributes to the information in the file information table is not a supported method of verifying that the update has been applied. Also, in certain cases, files may be renamed during installation. 
If the file or version information is not present, use one of the other available methods to verify update installation.\r\n\u2022\t\r\n\r\nRegistry Key Verification\r\n\r\nYou may also be able to verify the files that this security update has installed by reviewing the following registry keys.\r\n\r\nWindows Media Player 9 on Windows Server 2003, Web Edition; Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; Windows Server 2003, Datacenter Edition; Windows Small Business Server 2003:\r\n\r\nHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows Media Player 9\SP0\KB917734_WMP9\Filelist\r\n\r\nWindows Media Player 10 on Windows Server 2003, Web Edition with SP1; Windows Server 2003, Standard Edition with SP1; Windows Server 2003, Enterprise Edition with SP1; Windows Server 2003, Datacenter Edition with SP1; Windows Server 2003 R2, Web Edition; Windows Server 2003 R2, Standard Edition; Windows Server 2003 R2, Datacenter Edition; Windows Server 2003 R2, Enterprise Edition; Windows Small Business Server 2003 R2; Windows Server 2003, Standard x64 Edition; Windows Server 2003, Enterprise x64 Edition; and Windows Server 2003, Datacenter x64 Edition; Windows Server 2003 R2, Standard x64 Edition; Windows Server 2003 R2, Enterprise x64 Edition; and Windows Server 2003 R2, Datacenter x64 Edition:\r\n\r\nHKEY_LOCAL_MACHINE\Microsoft\Updates\Windows Server 2003\SP2\KB917734\Filelist\r\n\r\nNote This registry key may not contain a complete list of installed files. Also, this registry key may not be created correctly if an administrator or an OEM integrates or slipstreams the 917734 security update into the Windows installation source files.\r\n\t\r\nWindows XP (all versions)\r\n\r\nPrerequisites\r\nThis security update requires Microsoft Windows XP Service Pack 1 or a later version. 
For more information, see Microsoft Knowledge Base Article 322389.\r\n\r\nInclusion in Future Service Packs:\r\nThe update for this issue will be included in a future Service Pack or Update Rollup.\r\n\r\nRevisions: \r\n\u2022\t\r\n\r\nV1.0 (June 13, 2006): Bulletin published.", "edition": 1, "cvss3": {}, "published": "2006-06-13T00:00:00", "title": "Microsoft Security Bulletin MS06-024", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2006-0025"], "modified": "2006-06-13T00:00:00", "id": "SECURITYVULNS:DOC:13136", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:13136", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "canvas": [{"lastseen": "2021-07-28T14:33:19", "edition": 3, "description": "**Name**| ms06_024 \n---|--- \n**CVE**| CVE-2006-0025 \n**Exploit Pack**| [CANVAS](<http://http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| Microsoft Windows Media Player Malformed PNG Vulnerability \n**Notes**| CVE Name: CVE-2006-0025 \nVENDOR: Microsoft \nMSADV: MS06-024 \nRepeatability: One shot \nMSRC: http://www.microsoft.com/technet/security/bulletin/ms06-024.mspx \nCVS URL: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0025 \nDate public: 6/13/2006 \nCVE Url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0025 \nCVSS: 7.5 \n\n", "cvss3": {}, "published": "2006-06-13T19:06:00", "type": "canvas", "title": "Immunity Canvas: MS06_024", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": 
false}, "cvelist": ["CVE-2006-0025"], "modified": "2006-06-13T19:06:00", "id": "MS06_024", "href": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/ms06_024", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2021-08-19T13:15:29", "description": "The remote host is running Microsoft Windows Media Player version 9. There is a vulnerability in the remote version of this software that may allow an attacker to execute arbitrary code on the remote host. To exploit this flaw, an attacker would need to be able to convince a user to open a malicious media resource using the vulnerable player.", "cvss3": {"score": 5, "vector": "CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"}, "published": "2006-06-13T00:00:00", "type": "nessus", "title": "Microsoft Windows Media Player PBG File Processing Overflow (917734)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2006-0025"], "modified": "2019-03-06T00:00:00", "cpe": ["cpe:2.3:a:microsoft:windows_media_player:*:*:*:*:*:*:*:*"], "id": "3651.PRM", "href": "https://www.tenable.com/plugins/nnm/3651", "sourceData": "Binary data 3651.prm", "cvss": {"score": 5.4, "vector": "CVSS2#AV:A/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-08-19T13:15:36", "description": "The remote host is running Windows Media Player.\n\nThere is a vulnerability in the remote version of this software that could allow an attacker to execute arbitrary code on the remote host.\n\nTo exploit this flaw, one attacker would need to set up a rogue PNG image and send it to a victim on the remote host.", "cvss3": {"score": null, "vector": null}, "published": "2006-06-13T00:00:00", "type": "nessus", "title": "MS06-024: Vulnerability in Windows Media Player Could Allow Remote Code Execution (917734)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2006-0025"], "modified": "2018-11-15T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS06-024.NASL", "href": 
"https://www.tenable.com/plugins/nessus/21688", "sourceData": "#\n# Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(21688);\n script_version(\"1.34\");\n script_cvs_date(\"Date: 2018/11/15 20:50:30\");\n\n script_cve_id(\"CVE-2006-0025\");\n script_bugtraq_id(18385);\n script_xref(name:\"CERT\", value:\"608020\");\n script_xref(name:\"MSFT\", value:\"MS06-024\");\n script_xref(name:\"MSKB\", value:\"917734\");\n\n script_name(english:\"MS06-024: Vulnerability in Windows Media Player Could Allow Remote Code Execution (917734)\");\n script_summary(english:\"Checks the version of Media Player\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"Arbitrary code can be executed on the remote host through the Media Player.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running Windows Media Player.\n\nThere is a vulnerability in the remote version of this software that\ncould allow an attacker to execute arbitrary code on the remote host.\n\nTo exploit this flaw, one attacker would need to set up a rogue PNG\nimage and send it to a victim on the remote host.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2006/ms06-024\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for Windows 2000, XP and\n2003.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n 
script_set_attribute(attribute:\"vuln_publication_date\", value:\"2006/06/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2006/06/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2006/06/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(english:\"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, 'Host/patch_management_checks');\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS06-024';\nkb = '917734';\n\nkbs = make_list(kb);\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win2k:'4,5', xp:'1,2', win2003:'0,1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nversion = get_kb_item_or_exit(\"SMB/WindowsMediaPlayer\");\n\nrootfile = hotfix_get_systemroot();\nif (!rootfile) exit(1, \"Failed to get the system root.\");\n\nshare = hotfix_path2share(path:rootfile);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif ( hotfix_is_vulnerable(os:\"5.2\", sp:0, file:\"Wmp.dll\", version:\"9.0.0.3349\", min_version:\"9.0.0.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"5.2\", arch:\"x86\", file:\"Wmp.dll\", 
version:\"10.0.0.3704\", min_version:\"10.0.0.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"5.2\", arch:\"x64\", file:\"Wwmp.dll\", version:\"10.0.0.3704\", min_version:\"10.0.0.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"5.1\", file:\"Wmp.dll\", version:\"9.0.0.3349\", min_version:\"9.0.0.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"5.1\", sp:1, file:\"Wmpui.dll\", version:\"8.0.0.4496\", min_version:\"8.0.0.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"5.1\", file:\"Wmp.dll\", version:\"10.0.0.4036\", min_version:\"10.0.0.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"5.0\", file:\"Wmpui.dll\", version:\"7.10.0.3078\", min_version:\"7.0.0.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"5.0\", file:\"Wmp.dll\", version:\"9.0.0.3349\", min_version:\"9.0.0.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb) )\n{\n set_kb_item(name:\"SMB/Missing/\"+bulletin, value:TRUE);\n hotfix_security_hole();\n\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, 'affected');\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-08-19T13:15:29", "description": "The remote host is running Microsoft Media Player version 10. There is a vulnerability in the remote version of this software that may allow an attacker to execute arbitrary code on the remote host. 
To exploit this flaw, one attacker would need to be able to convince a user to open a malicious media resource using the vulnerable player.", "cvss3": {"score": 5, "vector": "CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"}, "published": "2006-06-13T00:00:00", "type": "nessus", "title": "Microsoft Windows Media Player PNG Processing Overflow (917734)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2006-0025"], "modified": "2019-03-06T00:00:00", "cpe": ["cpe:2.3:a:microsoft:windows_media_player:*:*:*:*:*:*:*:*"], "id": "3650.PRM", "href": "https://www.tenable.com/plugins/nnm/3650", "sourceData": "Binary data 3650.prm", "cvss": {"score": 5.4, "vector": "CVSS2#AV:A/AC:M/Au:N/C:P/I:P/A:P"}}], "cert": [{"lastseen": "2021-09-28T17:52:13", "description": "### Overview\n\nMicrosoft Windows Media Player contains a stack-based buffer overflow vulnerability that may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. \n\n### Description\n\n**Windows Media Player**\n\nWindows Media Player is a multimedia application that comes with Microsoft Windows. \n \n**The Problem** \n \nWindows Media Player fails to properly validate PNG image files (.png), potentially allowing a stack-based buffer overflow to occur. \n\nFor more information refer to Microsoft Security Bulletin [MS06-024](<http://www.microsoft.com/technet/security/Bulletin/MS06-024.mspx>) \n \n--- \n \n### Impact\n\nA remote, unauthenticated attacker may be able to execute arbitrary code. If the attacked user is running with administrative privileges, the attacker could take complete control of an affected system. \n \n--- \n \n### Solution\n\n**Apply a patch from Microsoft** \nMicrosoft addresses this vulnerability with the updates listed in Microsoft Security Bulletin [MS06-024](<http://www.microsoft.com/technet/security/Bulletin/MS06-024.mspx>). 
\n \n--- \n \nFor a list of workarounds refer to Microsoft Security Bulletin [MS06-024](<http://www.microsoft.com/technet/security/Bulletin/MS06-024.mspx>). \n \n--- \n \n### Vendor Information\n\n608020\n\n### Microsoft Corporation __ Affected\n\nUpdated: June 13, 2006 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nPlease see [MS06-024](<http://www.microsoft.com/technet/security/bulletin/ms06-02.mspx>).\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23608020 Feedback>).\n\n \n\n\n### CVSS Metrics\n\nGroup | Score | Vector \n---|---|--- \nBase | | \nTemporal | | \nEnvironmental | | \n \n \n\n\n### References\n\n<http://www.microsoft.com/technet/security/bulletin/ms06-024.mspx>\n\n### Acknowledgements\n\nThis vulnerability was reported in Microsoft Security Bulletin MS06-024. 
Microsoft credits Greg MacManus of iDEFENSE with providing information related to this vulnerability.\n\nThis document was written by Jeff Gennari\n\n### Other Information\n\n**CVE IDs:** | [CVE-2006-0025](<http://web.nvd.nist.gov/vuln/detail/CVE-2006-0025>) \n---|--- \n**Severity Metric:** | 40.72 \n**Date Public:** | 2006-06-13 \n**Date First Published:** | 2006-06-13 \n**Date Last Updated: ** | 2006-06-13 21:22 UTC \n**Document Revision: ** | 17 \n", "cvss3": {}, "published": "2006-06-13T00:00:00", "type": "cert", "title": "Microsoft Windows Media Player PNG processing buffer overflow", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2006-0025"], "modified": "2006-06-13T21:22:00", "id": "VU:608020", "href": "https://www.kb.cert.org/vuls/id/608020", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2022-03-23T13:54:47", "description": "Stack-based buffer overflow in Microsoft Windows Media Player 9 and 10 allows remote attackers to execute arbitrary code via a PNG image with a large chunk size.", "cvss3": {}, "published": "2006-06-13T19:06:00", "type": "cve", "title": "CVE-2006-0025", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": 
"AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2006-0025"], "modified": "2018-10-12T21:38:00", "cpe": ["cpe:/a:microsoft:windows_media_player:10", "cpe:/a:microsoft:windows_media_player:9"], "id": "CVE-2006-0025", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-0025", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:microsoft:windows_media_player:10:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:windows_media_player:9:*:*:*:*:*:*:*"]}]}