Windows Media Player flaw could expose sensitive files

John McCormick

Published: 08 Jul 2003 15:46 BST

Microsoft's Media Player 9 has a vulnerability that could allow an attacker to play or modify media files on a target system. The big danger here is that many companies and even government agencies have begun to take advantage of fast network connections to move far beyond text email and make important announcements in video clips that are sent to employees. These clips often contain sensitive inside information. This flaw does not allow attackers to do more than tap into the files on the vulnerable systems, but that could be a devastating disclosure for some companies. MS03-021 addresses this threat.

Applicability
This ActiveX flaw is found in Media Player 9, but not in earlier versions of the software, including version 8.0, which ships with Windows XP. Media Player 9 ships with Windows Server 2003, but it can be downloaded and run on any system running Windows 98 or later, so it may be found wherever a user routinely downloads the latest software updates.

According to Microsoft, "Systems Administrators who have deployed Windows Server 2003 as a Terminal Server would likely disable Internet Explorer Enhanced Security Configuration to allow users of the Terminal Server to utilize Internet Explorer in an unrestricted mode." That configuration would expose the system to this vulnerability.

Risk level
Since this Media Player flaw doesn't allow attackers to execute code or take over other system functions, Microsoft rates this as only a moderate threat. But depending on what is contained in your media files, the problem could be a dangerous disclosure risk. It is possible to use this vulnerability to alter, or view, media files.

Mitigating factors
This version of Media Player is mostly found on Windows Server 2003 (WS2K3) systems, and many admins have probably made sure that Media Player is disabled on that server OS. In addition, the default configuration of WS2K3 blocks this exploit.

Also, companies that do not make use of multimedia presentations or do not store them on vulnerable systems can probably ignore this threat.

Fix
Apply the patch released by Microsoft.

Final word
Organisations that use Windows Media Player files to distribute announcement videos to employees should consider streaming those files from a server rather than allowing employees to download them to their desktops. This would mitigate potential disclosure from this flaw. It would also better secure and protect any sensitive information in those files because it would keep them from being transferred to outside sources or being nabbed by hackers who find a way to compromise the network in another manner.

There is very little reason to run Windows Media Player on a server. So unless you need it for a specific task on Windows Server 2003, make sure it is disabled on all WS2K3 systems.
