Media Player flaw flays PC security
Microsoft warns that a flaw in the way its digital media software handles the download of interface "skins" could allow attackers to take over PCs.
The vulnerability could let an intruder create a file that appears to be a Windows Media Player skin, but that in reality is a malicious program. The program can be copied to a location of the intruder's choice when downloaded. An online vandal could, for example, have a Trojan horse loaded onto a victim's start-up folder, so that it executes when the computer is restarted.
"Windows Media Player normally copies into the Internet cache and then into an unpredictable location," said Stephen Toulouse, security program manager for Microsoft. "If it has a skin extension, it can be copied into a predictable location," or one determined by an attacker.
The software giant released an advisory for Windows Media Player 7.1 and Windows Media Player for XP (version 8.0) and urged customers to patch their systems immediately. Windows Media Player 9.0 is not affected by the issue.
Finland-based security firm Oy Online Solutions identified the issue and notified Microsoft on March 14. The security firm on Wednesday released another advisory, saying the flaw circumvents a basic security measure implemented by Microsoft.
"To prevent certain Internet-based attacks, the program uses a random element in the download path so that the exact file name of the downloaded skin file can't be guessed by a potential attacker," the company wrote in an e-mail advisory sent to CNET News.com.
Windows Media Player has had security problems before. Almost a year ago, a vulnerability was found in the way Media Player 6.4, 7.1 and Media Player for XP handle content protected by digital rights management technology. Attackers could modify the code for such protections and cause the Media Player to run a program of their choice.
A flaw found in Media Player 7 in January 2001 also took advantage of the way the program handled skins.
Microsoft's Toulouse stressed that an attacker would have to place the fake skin file on a Web server and convince people to download it or send the skin to users of Outlook 98 or 2000 who haven't applied the Outlook E-mail Security Update. The update restricts what scripts can run in e-mail by setting the application to the default setting for Outlook Express 6.0 and Outlook 2002.
The company said it has posted both its technical and consumer bulletins online and has notified the 52,000 users who have signed up for Microsoft's end-user bulletin.