MS-ISAC ADVISORY NUMBER:
2007-026 Updated

DATE(S) ISSUED:
12/11/2007 - Updated

SUBJECT:
Vulnerability in Windows Media File Format Could Allow for Remote Code Execution

OVERVIEW:
A new vulnerability has been discovered which is caused by improper handling of certain Windows media content files. Client applications which make use of Microsoft Media Format Runtime, such as Windows Media Player, can be exploited if a user visits a malicious web page or manually opens a malicious media file. This vulnerability can be exploited if a user visits a malicious webpage which is specially designed to exploit this vulnerability. Alternatively, an attacker could send specially crafted content to a server, such as a streaming media server, which is configured to process the file. An attacker who successfully exploited a system with this vulnerability could take complete control of the affected system.

SYSTEMS AFFECTED:

  • Microsoft Windows 2000 SP4
  • Microsoft XP SP2
  • Microsoft Windows XP Professional x64 SP1 and SP2
  • Microsoft Windows Server 2003 SP1 and SP2
  • Microsoft Windows Server 2003 x64 SP1 and SP2
  • Microsoft Windows Vista
  • Microsoft Windows Vista x64

APPLICATIONS AFFECTED:

  • Microsoft Media Services 9.1
  • Microsoft Media Format Runtime 7.1
  • Microsoft Media Format Runtime 9
  • Microsoft Media Format Runtime 9.5
  • Microsoft Media Format Runtime 11
  • Microsoft Media Format Runtime 9.5 x64 Edition

RISK:
Government:

  • Large and medium government entities: High
  • Small government entities: High

Businesses:

  • Large and medium business entities: High
  • Small business entities: High

Home users: High

DESCRIPTION:
A new vulnerability has been discovered in Microsoft Windows Media File Format, which could allow arbitrary remote code execution on a vulnerable system. The vulnerability is caused by improper parsing of Advanced Systems Format (ASF) files within the Windows Media Format Runtime. ASF is a compressed file format used to deliver streaming multimedia files. ASF files may have a number of different extensions, including .ASF, .WMV, or .WMA.

Client applications which make use of Microsoft Media Format Runtime, such as Windows Media Player, can be exploited if a user visits a malicious web page or manually opens a malicious media file. An alternative attack scenario would be to send the malicious content directly to the streaming media server for processing.

Upon successful exploitation, the attacker could take complete control of an affected system. This could allow the attacker to install programs; add, view or delete user data; or create new accounts on the affected systems.

RECOMMENDATIONS:
We recommend the following actions be taken:

  • Apply the appropriate patch by Microsoft to vulnerable systems immediately after appropriate testing.
  • Logon to your systems as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. Employ the principle of least privilege when ever possible.
  • Do not open email attachments, including media content, from untrusted sources. 
  • Do not visit unknown or un-trusted Web sites or clink on links provided in an email.

REFERENCES:
Microsoft:
http://www.microsoft.com/technet/security/Bulletin/MS07-068.mspx(New Window)

CVE:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0064(New Window)

Security Focus:
http://www.securityfocus.com/bid/26776(New Window)


This cyber advisory was issued by the Multi-State Information Sharing and Analysis Center (MS-ISAC) and was intended for government entities. The information may or may not be applicable to the general public and accordingly, the MS-ISAC does not warrant its use for any specific purposes.