What's this bulletin about?
Microsoft Security Bulletin MS01-010 announces the availability of a patch that eliminates a vulnerability in Microsoft® Windows Media Player 7. Microsoft is committed to protecting customers' information, and is providing the bulletin to inform customers of the vulnerability and what they can do about it.
What's the scope of the vulnerability?
This vulnerability could enable a malicious user to run Java code of his choice on another user's computer via a feature in Windows Media Player 7. Such a program could take virtually any action on the user's machine that she herself could take, and could be used to compromise data on the victim's computer, misuse software already on it, download additional software and run it, or take additional action.
The vulnerability only affects Windows Media Player 7. The feature at issue here was not available in previous versions of Windows Media Player.
Is this the same vulnerability described in MS00-090, "WMS Script Execution"?
No. Though the problems may seem similar, the issue here is not so much the ability for a script or ActiveX control to run, but the fact that a .WMZ file is downloaded to a known directory on a user's machine. Since a .WMZ file is really just a .ZIP file with a different extension, it can contain Java class files that a web page can directly access and run.
What causes the vulnerability?
The Java language allows Java code to be run directly from a .ZIP file. Since skins use the .ZIP format, any Java code in a skin can be directly accessed by a malicious web page.
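The point above is that a skin archive is an ordinary ZIP container, so a defender can inspect one without Windows Media Player. The following is an added example, not code from the bulletin or from Microsoft: it opens a .WMZ as a ZIP, flags entries that are Java class files by extension or by the class-file magic bytes (0xCAFEBABE), and builds a constructed sample skin to scan; the entry names and contents of that sample are assumptions.

```python
import io
import struct
import zipfile

# Every Java class file starts with the 4-byte magic 0xCAFEBABE.
JAVA_CLASS_MAGIC = b"\xca\xfe\xba\xbe"


def scan_wmz(data: bytes) -> list[str]:
    """Return the names of archive entries that carry Java code.

    A skin that holds only its .wms definition and artwork yields [].
    Raises zipfile.BadZipFile if the input is not a ZIP container.
    """
    suspicious = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name_lower = info.filename.lower()
            # Obvious cases: class files, or nested archives that may hold them.
            if name_lower.endswith((".class", ".jar")):
                suspicious.append(info.filename)
                continue
            # Extension-independent check: a class renamed to .gif still
            # begins with the class-file magic.
            with zf.open(info) as fh:
                if fh.read(4) == JAVA_CLASS_MAGIC:
                    suspicious.append(info.filename)
    return suspicious


def build_sample_wmz(with_class: bool) -> bytes:
    """Constructed sample skin (not a real skin): a .wms script, a bitmap
    stub, and optionally a Java class header hidden under an image name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("skin.wms", "<theme><view/></theme>")
        zf.writestr("background.bmp", b"BM" + b"\x00" * 30)
        if with_class:
            # Magic plus minor/major version fields of a class-file header.
            zf.writestr("art/logo.gif", JAVA_CLASS_MAGIC + struct.pack(">HH", 0, 46))
    return buf.getvalue()


if __name__ == "__main__":
    print("clean skin:", scan_wmz(build_sample_wmz(False)))
    print("skin with embedded class:", scan_wmz(build_sample_wmz(True)))
```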
What's a .WMZ file?
WMZ is the default extension for a zipped Windows Media Player skins file (which contains both a custom skin and the art associated with that skin). Skins are a new feature introduced in Windows Media Player 7, and they enable the user to customize the look and feel of Windows Media Player.
Windows Media Player 7 includes a number of default skins that the user can choose from, but it's also possible to develop custom skins that create an entirely new look and feel.
Is this a problem with the default skins that come with Windows Media Player 7?
No. Customers who are using any of the default skins are not at risk from this vulnerability. The problem arises only in conjunction with custom-written skins packaged with a malicious Java file.
What's the problem with the implementation of Java in a skins file?
The vulnerability at issue here is the ability for Java code to execute under the local computer context when packaged in a .WMZ file. Since the default IE settings assume that any program run under the local computer zone is safe, any Java code (malicious or not) will be allowed to run under this setting.
Who should use the patch?
Microsoft recommends that all users running Windows Media Player 7.0 consider installing the patch.
What does the patch do?
The patch eliminates the ability for a malicious user to access any code they insert as part of a .WMZ file.
Where can I get the patch?
The download location for the patch is provided in the "Patch Availability" section of the security bulletin.
How do I use the patch?
Knowledge Base article 287045 (available soon) contains detailed instructions for applying the patch.
How can I tell if I installed the patch correctly?
The Knowledge Base article 287045 (available soon) provides a manifest of the files in the patch package. The easiest way to verify that you've installed the patch correctly is to verify that these files are present on your computer, and have the same sizes and creation dates as shown in the KB article.
What is Microsoft doing about this issue?
• Microsoft has delivered a patch that eliminates the vulnerability.
• Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and the procedure to eliminate it.
• Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins.
• Microsoft has issued a Knowledge Base article 287045 (available soon) explaining the vulnerability and procedure in more detail.
Where can I learn more about best practices for security?
The Microsoft TechNet Security web site is the best place to get information about Microsoft security.
How do I get technical support on this issue?
Microsoft Product Support Services can provide assistance with this or any other product support issue.