[ISN] Windows Media Player Exposes IE Users To Attack

From: InfoSec News (isnat_private)
Date: Fri May 17 2002 - 02:43:46 PDT

  • Next message: InfoSec News: "[ISN] [Admin note] Request for Comments"

    By Brian McWilliams, Newsbytes
    16 May 2002, 10:51 AM CST
    In a reversal of its previous advice, Microsoft is warning that a
    security flaw in its Internet Explorer browser could enable a
    malicious Web site or e-mail message to automatically download and run
    a dangerous program on victims' computers.
    The flaw, the exploitation of which requires that Microsoft's Windows
    Media Player be installed, is one of six security bugs corrected by a
    patch released Wednesday by Microsoft.
    According to Japan's Little Earth Corporation (LAC), which reported
    the bug to Microsoft on Feb. 13, vulnerable versions of IE will treat
    executable programs as if they contain "safe" content such as audio,
    and will automatically run them.
    In March, Microsoft published a document at its site dismissing LAC's
    report as "inaccurate" and said "the problem has nothing to do with
    either Internet Explorer or the security patch" released last year to
    correct a similar flaw.
    In its bulletin released Wednesday, Microsoft said Internet Explorer
    versions 6 and 5.01 are vulnerable to the attack and thanked LAC for
    reporting the issue.
    LAC has created a harmless demonstration at its Web site that runs an
    executable program when users click a hyperlink. Normally, IE should
    prompt users before downloading and executing such files.
    In an updated advisory published today, LAC researcher Arai Yuu said
    the flaw lies in how IE handles Web content of a type known as "inline
    When a user with a vulnerable browser also has Windows Media Player
    version 6.4 installed, IE will immediately download and execute
    programs that have been specified by the Web page using the
    "Content-disposition: inline" header, Yuu said.
    Windows Media Player (WMP) version 6.4 is installed by default on
    Windows 98 and Windows 2000 systems, according to the researcher.
    Users who have upgraded to WMP version 7.1 are not vulnerable, even if
    running an unpatched version of IE. However, if they have Microsoft's
    Office 2000 suite installed, the inline-disposition attack will be
    successful, Yuu said.
    Microsoft's original bulletin on the topic, which was removed from the
    company's site in late March, said exploiting the vulnerability
    discovered by LAC required that "a third-party media player" be
    present on the system.
    The advisory published by Microsoft Wednesday does not specifically
    mention Windows Media Player's role in the vulnerability.
    Microsoft has rated the flaw a "moderate" security risk and noted that
    the vulnerability is mitigated because attackers would need to know
    that their victims have "specific versions of specific applications on
    their system."
    However, Jani Laatikainen, a Finnish security researcher, who was also
    credited by Microsoft with discovering the flaw, told Newsbytes today
    that he would not immediately disclose details about the IE bug
    "because the vulnerability is so easily exploitable by anyone."
    LAC's advisory is at
    Microsoft's bulletin and cumulative patch are at
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Fri May 17 2002 - 06:23:26 PDT