Microsoft Corp. issued its second security warning and patch of the week when it acknowledged and offered a fix for two flaws in Windows Media Player Wednesday. The flaws affect Windows Media Player 6.4 and 7 and can allow an attacker to run programs and read, modify or delete files on a user’s computer.
The first, and more serious flaw, is the result of a problem in the way Windows Media Player handles .ASX, or Active Stream Redirector, files, which are used in finding and playing streaming media and using playlists, Microsoft said. Due to a flaw in the memory buffer that deals with .ASX files, a special sequence of code could allow an attacker to make the same changes to a machine that the user could, including deleting files and running programs.
The attack code could be embedded in an HTML (hypertext markup language) e-mail sent to a user, or more seriously, could also be made to execute whenever a user visits a Web page. In the first case, the user would have to open the HTML file in order for the attack to work, but in the second, the user need only visit the Web page. Once the attack occurs, the attacker would gain all the privileges the user had.
The second problem, which results from the way Windows Media Player handles Internet shortcuts, can allow an attacker to view files on the user’s computer, but not modify or delete them. This comes about because Internet shortcuts are supposed to be created in Internet Explorer’s cache folder – a repository of reusable, Web-related items – but Windows Media Player instead creates them in the Temporary Files folder. An attack against the second flaw would also employ HTML code in the same way as the first, but this time using the code to create a shortcut in the Temporary Files folder, which would only give the attacker the ability to read files on the machine. However, such an attack is difficult, because the attacker needs to know the exact filename and location of the desired file, Microsoft said.
The patch also fixes a privacy flaw that allows for the collection of user data, which though it would not identify the user by name could be collected into a user profile.
Users ought to apply the patch to Windows Media Player 6.4, but for version 7 they ought to upgrade to version 7.1, Microsoft said.
The flaws in Windows Media Player were disclosed only one day after Microsoft issued another patch, for its Word application, which allowed small programs, called macros, to execute some unauthorized changes within Word. These bulletins marked Microsoft’s sixth and seventh for May, which is roughly the average number of monthly security bulletins issued by the company, and down slightly from the end of 2000.
Microsoft, in Redmond, Washington, can be reached at http://www.microsoft.com/. The security bulletin is at http://www.microsoft.com/technet/security/bulletin/MS01-029.asp.