ZDNet UK


Media Player 'skins' in security alert

Published: 08 May 2003 08:42 BST


Microsoft warned Windows Media Player users on Wednesday that a flaw in the way the application handles the download of "skins," or interface colours and motifs, could allow an attacker to take over a victim's PC.

The vulnerability could let an intruder create a file that appears to be a Windows Media Player skin, but that in reality is a malicious program. The program can be copied to a location of the intruder's choice when downloaded. An online vandal could, for example, have a Trojan horse loaded onto a victim's start-up folder, so that it executes when the computer is restarted.

"Windows Media Player normally copies into the Internet cache and then into an unpredictable location," said Stephen Toulouse, security program manager for Microsoft. "If it has a skin extension, it can be copied into a predictable location," or one determined by an attacker.

The software giant released an advisory for Windows Media Player 7.1 and Windows Media Player for XP (version 8.0) and urged customers to patch their systems immediately. Windows Media Player 9.0 is not affected by the issue.

Finland-based security firm Oy Online Solutions identified the issue and notified Microsoft on 14 March. The security firm on Wednesday released another advisory, saying the flaw circumvents a basic security measure implemented by Microsoft.

"To prevent certain Internet-based attacks, the program uses a random element in the download path so that the exact file name of the downloaded skin file can't be guessed by a potential attacker," the company wrote in an email advisory sent to CNET News.com.

Windows Media Player has had security problems before. Almost a year ago, a vulnerability was found in the way Media Player 6.4, 7.1 and Media Player for XP handle content protected by digital rights management technology. Attackers could modify the code for such protections and cause the Media Player to run a program of their choice.

A flaw found in Media Player 7 in January 2001 also took advantage of the way the program handled skins.

Microsoft's Toulouse stressed that an attacker would have to either place the fake skin file on a Web server and convince people to download it, or send the skin to users of Outlook 98 or 2000 who haven't applied the Outlook Email Security Update. The update restricts what scripts can run in email by setting the application to the default setting for Outlook Express 6.0 and Outlook 2002.

The company said it has posted both its technical and consumer bulletins online and has notified the 52,000 users who have signed up for Microsoft's end-user bulletin.

