Microsoft Windows Media Player skin downloading could allow an attacker to execute code
mediaplayer-skin-code-execution (11953)
Description:
Microsoft Windows Media Player could allow a remote attacker to place malicious skin files in any known folder on a victim's system. Windows Media Player fails to properly validate URLs when downloading skin files. This could allow a remote attacker to create a specially crafted URL that, when clicked, causes a malicious file to be placed into any known folder on the victim's system, such as the startup folder. The malicious file would then be executed when the victim's computer is restarted. An attacker could exploit this vulnerability by hosting the malicious URL on a Web site or by sending it to the victim in an email.
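The class of flaw described here (and in the CVE-2003-0228 entry under References, which names hex-encoded backslashes) comes from choosing the file name before percent-decoding the URL. The following is an added illustration, not Microsoft's code or anything from the bulletin; `SKINS_DIR`, the `.wmz` allowlist, the host `skins.example` and all function names are assumptions made for the example.

```python
import ntpath
from urllib.parse import urlsplit, unquote

# Assumed install location, for illustration only.
SKINS_DIR = r"C:\Program Files\Windows Media Player\Skins"

def naive_target(url):
    """Flawed model: pick the file name from the raw URL, decode afterwards."""
    segment = urlsplit(url).path.rsplit("/", 1)[-1]
    return ntpath.normpath(ntpath.join(SKINS_DIR, unquote(segment)))

def safe_target(url):
    """Decode first, then accept only a bare file name inside SKINS_DIR."""
    name = unquote(urlsplit(url).path.rsplit("/", 1)[-1])
    # After decoding, no path separator, drive colon, NUL or leftover '%'
    # (a sign of double encoding) may remain in the name.
    if not name or name in (".", "..") or any(c in name for c in "\\/:%\x00"):
        raise ValueError("rejected skin name: %r" % name)
    # Assumed allowlist: only skin packages are accepted.
    if not name.lower().endswith(".wmz"):
        raise ValueError("unexpected file type: %r" % name)
    target = ntpath.normpath(ntpath.join(SKINS_DIR, name))
    # Defence in depth: the final path must sit directly in SKINS_DIR.
    if ntpath.normcase(ntpath.dirname(target)) != ntpath.normcase(SKINS_DIR):
        raise ValueError("path escapes skins folder: %r" % target)
    return target

def is_rejected(url):
    """True when safe_target refuses the URL."""
    try:
        safe_target(url)
    except ValueError:
        return True
    return False

# Constructed sample URLs (skins.example is a placeholder host).
BENIGN = "http://skins.example/skins/classic.wmz"
ENCODED = "http://skins.example/skins/..%5C..%5CElsewhere%5Cdemo.wmz"
DOUBLE = "http://skins.example/skins/..%255Cdemo.wmz"

if __name__ == "__main__":
    for u in (BENIGN, ENCODED, DOUBLE):
        print(u, "->", naive_target(u), "| rejected:", is_rejected(u))
```

The same decode-then-validate order is a useful review check for any component that saves a download under a name taken from its URL.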
Consequences:
Gain Access
Remedy:
Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS03-017. See References.
References:
- CIAC Information Bulletin N-092: Microsoft Windows Media Player Skins Flaw.
- Microsoft Security Bulletin MS03-017: Flaw in Windows Media Player Skins Downloading could allow Code Execution (817787).
- BID-7517: Microsoft Windows Media Player Skin File Code Execution Vulnerability
- CVE-2003-0228: Directory traversal vulnerability in Microsoft Windows Media Player 7.1 and Windows Media Player for Windows XP allows remote attackers to execute arbitrary code via a skins file with a URL containing hex-encoded backslash characters (%5C) that causes an executable to be placed in an arbitrary location.
- US-CERT VU#384932: Microsoft Windows Media Player fails to properly evaluate URLs when downloading skin files
Platforms Affected:
- Microsoft Windows Media Player 7.1
- Microsoft Windows Media Player 8
Reported:
May 07, 2003
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net
