January 03, 2001, 11:02 AM — Microsoft Corp. has issued a patch for two security flaws in its Windows Media Player software that could allow malicious users to run programs on other users' PCs.
Although the security flaws are unrelated, except for the fact that they both affect Windows Media Player, Microsoft chose to issue a single patch to allow users to fix both problems at the same time, the company said in a security bulletin posted on its Web site.
The.WMS Script Execution flaw affects Windows Media Player version 7, which is included by default in Microsoft's Windows Millennium Edition operating system targeted at consumers, and is also available for free download from the company's Web site.
The software includes a feature called "skins" that allows users to customize the program's interface. However, a custom skin .WMS file could also include script which would execute if Windows Media Player was run and the user had selected the skin that included the script, Microsoft said.
A malicious user could send a skin containing a script to another user and try to entice him or her into using it, or host such a file on a Web site and cause the script to execute whenever a user visited the site. Since the code would reside on the user's local PC, it would be able to execute ActiveX controls, including ones not marked "safe for scripting," and enable the code to take any action that can be accomplished via an ActiveX control, Microsoft said.
The flaw was discovered by GFI Security Labs, a unit of communications and security software provider GFI Fax & Voice Ltd.
The second flaw, dubbed the .ASX Buffer Overrun vulnerability, was discovered by @Stake Inc., a Cambridge, Mass.-based Internet security consulting company, Microsoft said.
It affects versions 6.4 and 7 of Windows Media Player, exploiting the software's use of Active Stream Redirector .ASX files to enable users to play streaming media residing on intranet or Internet sites.
The code that parses .ASX files has an unchecked buffer, which also could let a malicious to run any code on the PC of another user. The code could take any action on the PC that the legitimate user could take, Microsoft said.
Microsofts frequently asked questions about the security holes and patch to fix them are posted at www.microsoft.com/technet/security/bulletin/fq00-090.asp. The fix will also be available as part of the next periodic update of the software, scheduled for December, Microsoft said.