MS-ISAC ADVISORY NUMBER:
2008-046
DATE(S) ISSUED:
12/29/2008
SUBJECT:
Microsoft Windows Media Player WAV/MID/MIDI/SND File Parsing Integer Overflow Vulnerability
OVERVIEW:
A vulnerability has been identified in Microsoft Windows Media Player. Windows Media Player is a digital media player and media library application that is used for playing audio and video and for viewing images. This application is installed by default on all versions of Windows and is often set as the default media player. Exploitation can occur if a user visits a specially crafted webpage or opens a malicious media file that takes advantage of this vulnerability. Successful exploitation could result in an attacker gaining the same privileges as the logged-on user. The attacker could then potentially access sensitive or confidential information, install programs, view, change, or delete data, or create new accounts.
At this time there is no patch and there are no workarounds available. Exploit code is available to the public.
SYSTEMS AFFECTED:
- Microsoft Windows Media Player 9
- Microsoft Windows Media Player 10
- Microsoft Windows Media Player 11
RISK:
Government:
Large and medium government entities: High
Small government entities: High
Businesses:
Large and medium business entities: High
Small business entities: High
Home users: High
DESCRIPTION:
An integer overflow vulnerability has been discovered in the way versions of Microsoft Windows Media Player handle specially crafted WAV, MID, and SND files. Windows Media Player is often set as the default media player and can be executed by visiting a web page, opening an email attachment or opening a media file of the type WAV, MID, MIDI, or SND. Successful exploitation will result in an attacker gaining the same privileges as the Windows Media Player process. The attacker could then potentially access sensitive or confidential information, install programs, view, change, or delete data, or create new accounts.
Proof of concept code for this vulnerability has been publicly released and verified in our lab to cause a denial of service condition. At this time we have not seen any reports of this vulnerability being exploited on the Internet.
At this time there is no patch and there are no workarounds available. Exploit code is available to the public.
RECOMMENDATIONS:
We recommend the following actions be taken:
- Deploy network intrusion detection systems to monitor network traffic for malicious activity.
- Do not accept or execute WAV, MID, MIDI, or SND files from untrusted or unknown sources.
- Do not download or open WAV, MID, MIDI, or SND files from untrusted websites.
- Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
- Do not visit untrusted websites or follow links provided by unknown or untrusted sources.
REFERENCES:
SecurityFocus
http://www.securityfocus.com/bid/33018
Cisco
http://tools.cisco.com/security/center/viewAlert.x?alertId=17338
Security Tracker
http://securitytracker.com/alerts/2008/Dec/1021495.html
SANS Internet Storm Center
http://isc.sans.org/diary.html?storyid=5563
This cyber advisory was issued by the Multi-State Information Sharing and Analysis Center (MS-ISAC) and was intended for government entities. The information may or may not be applicable to the general public and accordingly, the MS-ISAC does not warrant its use for any specific purposes.
