SANS ISC: MS06-078: 2 Windows Media Format Vulnerabilities (CVE-2006-4702, CVE-2006-6134)

• SANS Site Network
  • Current Site
  • SANS Internet Storm Center
  • Other SANS Sites Help
  • Graduate Degree Programs
  • Security Training
  • Security Certification
  • Security Awareness Training
  • Penetration Testing
  • Industrial Control Systems
  • Cyber Defense Foundations
  • DFIR
  • Software Security
  • Government OnSite Training

SANS ISC InfoSec Forums

This advisory addresses 2 vulnerabilites in the Windows "Media Format Runtime" which is utilized by applications using Windows Media Content.
The unchecked buffer and URL parsing vulnerabilities could result in full system compromise if exploited.
An attacker would create a malicious Advanced Streaming Format (.ASF) file or a malicious Advanced Stream Redirector (.ASX) file and present it to a vulnerable client through a malicious URL, an email attachment or perhaps through a malicious IFRAME or redirect.

These vulnerabilities poses the most risk to systems which are used for web surfing or for checking email. Especially if the user is logged in as Administrator or if an unrestricted or lower than High zone Internet Explorer browser is being used. MS Outlook default restrictions might shield a user, but clicking on a URL within an email launches a browser outside of those restrictions.

Note: Known exploits have been circulating for CVE-2006-6134 (ASX).

Note that it may take several patches to update a system. Windows Media Player 6.4 is patched differently than the Media Format Runtime. It may be a challenge to assess the posture of any given system in regards to these two vulnerabilities short of utilizing the Microsoft tools.

Affected:
Microsoft Windows Media Format 7.1 through 9.5 Series Runtime on the following operating system versions:
Microsoft Windows 2000 Service Pack 4 - Download the update (KB923689)
Microsoft Windows XP Service Pack 2 - Download the update (KB923689)
Microsoft Windows XP Professional x64 Edition - Download the update (KB923689)
Microsoft Windows Server 2003 or Microsoft Windows Server 2003 Service Pack 1 - Download the update (KB923689)
Microsoft Windows Server 2003 x64 Edition - Download the update (KB923689)
Microsoft Windows Media Format 9.5 Series Runtime x64 Edition on the following operating system versions:
Microsoft Windows XP Professional x64 Edition - Download the update (KB923689)
Microsoft Windows Server 2003 x64 Edition - Download the update (KB923689)
Microsoft Windows Media Player 6.4
Windows 2000 Service Pack 4 - Download the update (KB925398)
Microsoft Windows XP Service Pack 2 - Download the update (KB925398)
Microsoft Windows XP Professional x64 Edition ? Download the update (KB925398)
Microsoft Windows Server 2003 or on Microsoft Windows Server 2003 Service Pack 1 ? Download the update (KB925398)
Microsoft Windows Server 2003 x64 Edition ? Download the update (KB925398)

Reference URLs:
http://www.microsoft.com/technet/security/bulletin/ms06-078.mspx
http://support.microsoft.com/kb/923689
http://support.microsoft.com/kb/925398
Windows Media Format ASF Parsing Vulnerability
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-4702
Windows Media Format ASX Parsing Vulnerability
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-6134
http://research.eeye.com/html/alerts/zeroday/20061122.html
http://blogs.technet.com/msrc/archive/2006/12/07/public-proof-of-concept-code-for-asx-file-format-isssue.aspx