What's the scope of the vulnerability?
This is a buffer overrun vulnerability. It could enable an attacker to run code of his choice on the machine of another user if he was able to convince the user to visit a web site he controlled or to open a specially crafted HTML e-mail.
The program would be capable of taking any action on the user's machine that the user herself could take, including adding, creating or deleting files, communicating with web sites or potentially even reformatting the hard drive.
What causes the vulnerability?
The vulnerability results because there is an unchecked buffer in a section of Windows Media Player that handles .NSC files. By including a particular type of malformed entry in a .NSC file, an attacker could cause code of his choice to execute when a user played the file.
What's a .NSC file?
Windows Media Station files (.NSC) were first introduced in NetShow 2.0 as NetShow Channels. In Windows Media Player, .NSC files are called Windows Media Station Files.
.NSC files are essentially playlists that contain information to allow Windows Media Player to connect to and play streaming media. Windows Media Player uses Windows Media Station (.nsc) files to get the information it needs to receive multicast content over the Internet. These files can contain information such as stream location and rollover URL, as well as descriptive information about the station. Where standard streaming multimedia sends a single media stream to a single recipient, multicasting allows a single media stream to be received by more than one person, much like a television or radio broadcast. .NSC files contain the information necessary to allow multimedia multicast streams to be processed correctly by Windows Media.
What's wrong with how Windows Media Player handles .NSC files?
The code that reads data from .NSC files into one of its buffers doesn't perform proper input validation. As a result, it would be possible for an attacker to craft a specially formed .NSC file that overruns the buffer and modifies the Windows Media Player code that is executing.
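The bug class the bulletin describes, shown as an added example that is not Microsoft's code and not the real .NSC parser: a hypothetical "Key=Value" station entry is copied into a fixed-size buffer, first without a length check (the unchecked-buffer pattern) and then with the input validation the patch is described as adding. The entry format, buffer size and function names are assumptions made for the illustration.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical, simplified .NSC-style "Key=Value" entry handling.
 * This is an illustration of the bug class only, not Windows Media
 * Player's real parser; the format and sizes are assumptions. */

#define STATION_NAME_MAX 32   /* hypothetical fixed buffer size */

/* VULNERABLE pattern: the value is copied without checking its length
 * against the destination. A value longer than STATION_NAME_MAX - 1 bytes
 * writes past the end of 'out' (the unchecked buffer the bulletin describes). */
int parse_station_name_unchecked(const char *entry, char out[STATION_NAME_MAX])
{
    const char *eq = strchr(entry, '=');
    if (eq == NULL)
        return -1;
    strcpy(out, eq + 1);            /* no bounds check: overrun on long input */
    return 0;
}

/* HARDENED pattern: validate the value length before touching the buffer and
 * refuse oversized entries outright rather than silently truncating them. */
int parse_station_name_checked(const char *entry, char *out, size_t out_len)
{
    if (entry == NULL || out == NULL || out_len == 0)
        return -1;
    const char *eq = strchr(entry, '=');
    if (eq == NULL)
        return -1;                  /* malformed entry: no separator */
    size_t value_len = strlen(eq + 1);
    if (value_len >= out_len)       /* leave room for the terminating NUL */
        return -1;                  /* oversized entry: reject it */
    memcpy(out, eq + 1, value_len);
    out[value_len] = '\0';
    return 0;
}

/* A well-formed entry (constructed sample). Returns 0 when parsed correctly. */
int demo_well_formed(void)
{
    char name[STATION_NAME_MAX];
    if (parse_station_name_checked("Name=ExampleStation", name, sizeof name) != 0)
        return -1;
    return strcmp(name, "ExampleStation");   /* 0 on success */
}

/* An oversized entry (constructed sample): a 200-byte value that the unchecked
 * version would spill into adjacent memory. Returns the hardened parser's
 * verdict, which should be -1 (rejected). */
int demo_oversized(void)
{
    char entry[256];
    char name[STATION_NAME_MAX];
    memcpy(entry, "Name=", 5);
    memset(entry + 5, 'A', 200);
    entry[205] = '\0';
    return parse_station_name_checked(entry, name, sizeof name);
}

/* Boundary check: a 31-character value fits (with its NUL), a 32-character
 * value does not. Returns 1 when both cases behave as expected. */
int demo_boundary(void)
{
    char entry[64];
    char name[STATION_NAME_MAX];
    int accepted, rejected;

    memcpy(entry, "Name=", 5);
    memset(entry + 5, 'B', 31);
    entry[36] = '\0';
    accepted = (parse_station_name_checked(entry, name, sizeof name) == 0);

    memset(entry + 5, 'B', 32);
    entry[37] = '\0';
    rejected = (parse_station_name_checked(entry, name, sizeof name) == -1);

    return accepted && rejected;
}

int main(void)
{
    printf("well-formed entry parsed: %s\n", demo_well_formed() == 0 ? "yes" : "no");
    printf("oversized entry rejected: %s\n", demo_oversized() == -1 ? "yes" : "no");
    printf("boundary cases correct:   %s\n", demo_boundary() ? "yes" : "no");
    return 0;
}
```

The hardened version rejects rather than truncates: a playlist entry that does not fit its field is malformed by definition, and refusing it keeps the file's remaining fields from being misinterpreted. The unchecked function is included only for comparison and is never called on the oversized sample.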
What could this enable an attacker to do?
When it runs, Windows Media Player runs in the security context of the currently-logged-on user. If an attacker were to successfully exploit this vulnerability, the malicious code then could do anything on the machine that the current user could do. This means that the actions an attacker could take will depend a great deal on what privileges the user has on the system when they run the attacker's code.
• If the victim had only limited privileges on the machine, the attacker's code would be similarly limited. However, in most cases even an unprivileged user could add, delete or change data files, run programs, send data to or receive data from a web site, and so forth - so the attacker's code could take these actions as well.
• If the victim had administrative privileges, the code could use these as well, and cause greater damage. However, if the least privilege principle has been observed, users will not have been given administrative privileges unless absolutely required.
How could an attacker maliciously exploit this vulnerability?
There are two likely scenarios in which an attacker might try to exploit this vulnerability.
• He could send an HTML e-mail that would launch the malicious .NSC file when opened. An attacker could target specific individuals with this approach.
• He could host an .NSC file on a web site and cause it to be launched automatically whenever someone visited the site. This approach would require that the attacker wait for the potential victims to come to his site.
I'm using the Outlook E-mail Security Update, does this help protect me?
Customers who have deployed the Outlook E-Mail Security Update or who are using Outlook 2002 are protected from HTML e-mail-based attempts to exploit this vulnerability by the default security settings. The OESU and Outlook 2002 both set the Security Zone for HTML e-mail to the Restricted Sites Zone which automatically disables ActiveX controls in HTML e-mail. This means that an HTML e-mail with a .NSC file embedded by a malicious user would not run in Outlook, rendering the attack harmless.
If the malicious user placed the .NSC file on a web site, would it run automatically in the browser?
When using Internet Explorer (IE), the default security settings for the Internet Zone make it possible for a web site to automatically open .NSC files when a user visits the web site. This is because ActiveX controls are enabled by default in the Internet Zone in IE.
However, users can change the settings in the Internet Zone to disable ActiveX controls. If users make this change, then .NSC files will not launch automatically.
You said previously that the attacker would need to overrun the buffer with carefully chosen data in order to run code of his choice. What would happen if he just overran it with random data?
If the buffer were overrun with random data, it would cause Windows Media Player to fail. This wouldn't pose a security problem, and the user could simply restart it and resume normal operation.
You said previously that the attacker would need to know the specific operating system that the user was running. Why is that?
To mount an effective attack exploiting this vulnerability, an attacker would need to know the potential victim's specific operating system so that he could tailor the malformed file appropriately for that platform. If the file is not fashioned appropriately for the user's platform, the attack would fail, causing Windows Media Player to crash but not to execute the attacker's code.
What does the patch do?
The patch eliminates the vulnerability by implementing proper input validation for .NSC files.