Microsoft Windows Media Player ActiveX control could disclose sensitive information
| mediaplayer-activex-obtain-information (12440) |  Medium Risk |
Description:
Microsoft Windows Media Player could allow a remote attacker to obtain sensitive information, caused by a vulnerability in the ActiveX control. By creating a malicious Web page that invokes the ActiveX control, a remote attacker could obtain information contained in the Windows Media Library. An attacker could exploit this vulnerability by hosting the malicious Web page on a Web site or by sending it to a victim as an HTML email.
Platforms Affected:
- Microsoft, Windows 2003 Server
- Microsoft, Windows Media Player 9
Remedy:
Apply the appropriate patch for your system, as listed in the latest Microsoft Security Bulletin. See References.
— OR —
Use Microsoft Automatic Update if it is supported by your operating system. The original bulletin issued by Microsoft has been superseded.
Consequences:
Obtain Information
References:
- Microsoft Security Bulletin MS03-021, Flaw In Windows Media Player May Allow Media Library Access (819639) at http://www.microsoft.com/technet/security/bulletin/ms03-021.mspx.
- Microsoft Security Bulletin MS05-009, Vulnerability in PNG Processing Could Allow Remote Code Execution (890261) at http://www.microsoft.com/technet/security/bulletin/ms05-009.mspx.
- Microsoft Security Bulletin MS06-005, Vulnerability in Windows Media Player Could Allow Remote Code Execution (911565) at http://www.microsoft.com/technet/security/Bulletin/MS06-005.mspx.
- Microsoft Security Bulletin MS06-024, Vulnerability in Windows Media Player Could Allow Remote Code Execution (917734) at http://www.microsoft.com/technet/security/Bulletin/MS06-024.mspx.
- SecuriTeam Mailing List, Windows NT focus 25 Jun 2003, Flaw In Windows Media Player May Allow Media Library Access at http://www.securiteam.com/windowsntfocus/5OP0N1FAAO.html.
- BID-8034: Microsoft Media Player 9 Unauthorized Media Library Access Vulnerability
- CVE-2003-0348: A certain Microsoft Windows Media Player 9 Series ActiveX control allows remote attackers to view and manipulate the Media Library on the local system via HTML script.
- US-CERT VU#320516: Windows Media Player 9 ActiveX control does not adequately validate access to Windows Media Library
Reported:
Jun 25, 2003
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net