A remote code execution vulnerability exists in Windows Media Player, Windows Messenger and MSN Messenger because it does not properly handle PNG files with excessive width or height values. An attacker could try to exploit the vulnerability by constructing a malicious PNG that could potentially allow remote code execution if a user visited a malicious Web site or clicked a link in a malicious e-mail message. An attacker who successfully exploited this vulnerability could take complete control of an affected system.
Credit:
The original article can be found at: http://www.microsoft.com/technet/security/bulletin/MS05-009.mspx
Affected Software:
Microsoft Windows Media Player 9 Series (when running on Windows 2000, Windows XP Service Pack 1 and Windows Server 2003) - Download the update
Microsoft Windows Messenger version 5.0 (standalone version that can be installed on all supported operating systems) - Download the update
Microsoft MSN Messenger 6.1 - Download the update
Microsoft MSN Messenger 6.2 - Download the update
Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME) - Review the FAQ section of this bulletin for details about these operating systems.
Non-Affected Software:
* Windows Media Player 6.4
* Windows Media Player 7.1
* Windows Media Player for Windows XP (8.0)
* Windows Media Player 9 Series for Windows XP Service Pack 2
* Windows Media Player 10
* MSN Messenger for Mac
Affected Components:
Microsoft Windows Messenger version 4.7.0.2009 (when running on Windows XP Service Pack 1) - Download the update
Microsoft Windows Messenger version 4.7.0.3000 (when running on Windows XP Service Pack 2) - Download the update
CVE Information:
PNG Processing Vulnerability - CAN-2004-1244
PNG Processing Vulnerability - CAN-2004-0597
Mitigating Factors for PNG Processing Vulnerability in Windows Media Player:
In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability through media containing a reference to a malicious PNG file. An attacker would have no way to force users to visit a Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site or to a site that has been compromised by the attacker.
An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Workarounds for PNG Processing Vulnerability in Windows Media Player:
Microsoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified below.
There are several different attack vectors that Microsoft has identified for this vulnerability. Each attack vector has a different workaround.
Static WMP File Extension Attack workaround
Disassociate the WMP file extensions.
Disassociate the file extensions (.ASX, .WAX, .WVX, .WPL, .WMX, .WMS, .WMZ) in Windows to avoid previewing or opening files that point to malformed PNG files.
Manual Steps - Windows Media Player method:
1. Launch Windows Explorer
2. On the Tools menu select Folder Options
3. Select the File Types tab
4. Scroll to find the .ASX file extension and then press the Delete button
5. Repeat step 4 for each of the file extensions listed above.
In addition, enterprise customers can configure Outlook to block the dangerous files listed using the steps documented in Microsoft Knowledgebase Article 837388. Use these instructions to add the documented file extensions to the Level1 block list.
Home users can configure Outlook Express to block the dangerous files listed using the steps documented in Microsoft Knowledge Base Article 291387. Use this information to configure each of the file extensions as confirm open after download in the Windows file types dialog.
Impact of Workaround: Deleting the file associations with Media Player has a high potential for breaking corporate users who may be using Windows Media Server / Player to deliver web casts, training etc.
Home users trying to watch streaming content on various Web sites may also be impacted by implementing this workaround.
Internet Explorer workaround for WMP ActiveX attack
Disable the Windows Media Player ActiveX Control. To prevent against an attack within a webpage follow these steps to disable the Windows Media Player ActiveX Control:
Follow the instructions documented in Microsoft Knowledge Base Article 240797 to killbit the following CLSIDs in Internet Explorer:
CLSID:{6BF52A52-394A-11D3-B153-00C04F79FAA6}PROGID:WMPlayer.OCX.7
CLSID:{22D6F312-B0F6-11D0-94AB-0080C74C7E95}PROGID:MediaPlayer.MediaPlayer.1
CLSID:{05589FA1-C356-11CE-BF01-00AA0055595A}PROGID:AMOVIE.ActiveMovieControl.2
Impact of Workaround: When you disable the Windows Media Player ActiveX control, pages using this control will no longer function as designed. This prevents any content from being played though the control, including audio and video.
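The kill-bit mechanism from KB 240797 that the workaround above relies on is a REG_DWORD named "Compatibility Flags" with bit 0x400 set under the ActiveX Compatibility key for each CLSID. The following Python script is an added example, not part of the bulletin and not Microsoft's code: it renders a .reg file that kill-bits the three CLSIDs listed above and audits an exported .reg file (a constructed sample is embedded) to report which of those CLSIDs still lack the kill bit. The function and variable names are this example's own.

```python
"""Render and audit Internet Explorer kill-bit registry entries (added example)."""
import re

# Key documented in KB 240797 for kill-bitting ActiveX controls.
KILLBIT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
KILL_BIT = 0x400  # "Compatibility Flags" bit that prevents IE from instantiating the control

# The three CLSIDs named in the MS05-009 workaround (PROGID kept for readability only).
WMP_CLSIDS = {
    "{6BF52A52-394A-11D3-B153-00C04F79FAA6}": "WMPlayer.OCX.7",
    "{22D6F312-B0F6-11D0-94AB-0080C74C7E95}": "MediaPlayer.MediaPlayer.1",
    "{05589FA1-C356-11CE-BF01-00AA0055595A}": "AMOVIE.ActiveMovieControl.2",
}


def render_killbit_reg(clsids=WMP_CLSIDS) -> str:
    """Produce regedit-importable text that sets the kill bit for every CLSID."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for clsid, progid in clsids.items():
        lines.append(f"; {progid}")
        lines.append(f"[{KILLBIT_KEY}\\{clsid}]")
        lines.append(f'"Compatibility Flags"=dword:{KILL_BIT:08x}')
        lines.append("")
    return "\n".join(lines)


_SECTION = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
_FLAGS = re.compile(r'^"Compatibility Flags"=dword:(?P<hex>[0-9a-fA-F]{8})\s*$')


def parse_compat_flags(reg_text: str) -> dict:
    """Map each CLSID under the ActiveX Compatibility key to its Compatibility Flags value."""
    flags, current = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = _SECTION.match(line)
        if m:
            key = m.group("key")
            prefix = KILLBIT_KEY + "\\"
            # Only track sections directly under the kill-bit key; ignore everything else.
            current = key[len(prefix):].upper() if key.upper().startswith(prefix.upper()) else None
            continue
        m = _FLAGS.match(line)
        if m and current is not None:
            flags[current] = int(m.group("hex"), 16)
    return flags


def audit_killbits(reg_text: str, clsids=WMP_CLSIDS) -> dict:
    """Return {clsid: True/False} saying whether the kill bit is set in the export."""
    flags = parse_compat_flags(reg_text)
    return {c: bool(flags.get(c.upper(), 0) & KILL_BIT) for c in clsids}


# Constructed sample export: first CLSID kill-bitted, second present without the bit,
# third absent entirely. This is test data, not a real machine's registry.
SAMPLE_EXPORT = f"""Windows Registry Editor Version 5.00

[{KILLBIT_KEY}\\{{6BF52A52-394A-11D3-B153-00C04F79FAA6}}]
"Compatibility Flags"=dword:00000400

[{KILLBIT_KEY}\\{{22D6F312-B0F6-11D0-94AB-0080C74C7E95}}]
"Compatibility Flags"=dword:00000000

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Unrelated\\{{05589FA1-C356-11CE-BF01-00AA0055595A}}]
"Compatibility Flags"=dword:00000400
"""


if __name__ == "__main__":
    for clsid, ok in audit_killbits(SAMPLE_EXPORT).items():
        print(f"{clsid} {WMP_CLSIDS[clsid]}: {'kill bit set' if ok else 'NOT kill-bitted'}")
    print(render_killbit_reg())
```

On a real machine the export would come from `reg export "HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility" export.reg`; note that the third sample entry sits under an unrelated key and is deliberately not counted.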
Content-Type HTTP Header Attack:
The only way to prevent this attack is to remove all of the possible MIME type entries from the registry that associate Windows Media Player with the MIME type listed in the Content-Type header being returned by the server since they all can be abused to exploit the vulnerability. Below is a list of MIME types that are associated with the WMP CLSID.
HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/vnd.ms-wpl
HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/x-mplayer2
HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/x-ms-wmd
HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/x-ms-wmz
HKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/aiff
HKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/basic
HKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/mid
HKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/midi
HKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/mp3
HKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/mpeg
HKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/mpegurl
HKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/mpg
HKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/wav
HKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/x-aiff
HKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/x-mid
HKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/x-midi
HKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/x-mp3
HKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/x-mpeg
HKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/x-mpegurl
HKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/x-mpg
HKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/x-ms-wax
HKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/x-ms-wma
HKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/x-wav
HKEY_CLASSES_ROOT\MIME\Database\Content Type\midi/mid
HKEY_CLASSES_ROOT\MIME\Database\Content Type\video/avi
HKEY_CLASSES_ROOT\MIME\Database\Content Type\video/mpeg
HKEY_CLASSES_ROOT\MIME\Database\Content Type\video/mpg
HKEY_CLASSES_ROOT\MIME\Database\Content Type\video/msvideo
HKEY_CLASSES_ROOT\MIME\Database\Content Type\video/x-ivf
HKEY_CLASSES_ROOT\MIME\Database\Content Type\video/x-mpeg
HKEY_CLASSES_ROOT\MIME\Database\Content Type\video/x-mpeg2a
HKEY_CLASSES_ROOT\MIME\Database\Content Type\video/x-ms-asf
HKEY_CLASSES_ROOT\MIME\Database\Content Type\video/x-ms-asf-plugin
HKEY_CLASSES_ROOT\MIME\Database\Content Type\video/x-msvideo
HKEY_CLASSES_ROOT\MIME\Database\Content Type\video/x-ms-wm
HKEY_CLASSES_ROOT\MIME\Database\Content Type\video/x-ms-wmp
HKEY_CLASSES_ROOT\MIME\Database\Content Type\video/x-ms-wmv
HKEY_CLASSES_ROOT\MIME\Database\Content Type\video/x-ms-wmx
HKEY_CLASSES_ROOT\MIME\Database\Content Type\video/x-ms-wvx
Impact of Workaround: These MIME type registry keys all have a CLSID value which points to the following CLSID:
HKEY_CLASSES_ROOT\CLSID\{CD3AFA8F-B84F-48F0-9393-7EDC34128127}\InprocServer32
This CLSID is associated with WMP.DLL which is responsible for launching Windows Media Player when these MIME types are used. Un-registering WMP.DLL will break Windows Media Player.
The MIME types listed in this workaround are specific to Windows XP. There may be additional MIME types available on other platforms.
Additional information about Windows Media Player File Name Extensions is available at the following MSDN Web site.
Frequently Asked Questions:
What is the scope of the vulnerability?
This is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system.
What causes the vulnerability?
Windows Media Player does not completely validate PNG image formats with excessive width or height values.
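The defect described here is a failure to bound the width and height read from the PNG IHDR chunk before they drive buffer sizing. The script below is an added example, not Microsoft's code or the patched decoder: it parses the signature and IHDR chunk, enforces the PNG specification's limit of 2^31-1 on each dimension, computes the decoded buffer size with unbounded integers against an assumed application policy limit (MAX_IMAGE_BYTES is this example's own constant), and shows what a decoder that multiplied width by height in a 32-bit unsigned integer would have computed for the same header. The constructed headers are test inputs, not real images.

```python
"""Defensive PNG IHDR validation (added example, not the bulletin's code)."""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
PNG_MAX_DIMENSION = 2**31 - 1          # PNG spec: width and height are 1..2^31-1
MAX_IMAGE_BYTES = 64 * 1024 * 1024     # hypothetical application policy limit
CHANNELS_BY_COLOR_TYPE = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}  # grey, RGB, palette, grey+A, RGBA


def parse_ihdr(data: bytes) -> dict:
    """Parse the PNG signature and IHDR chunk, raising ValueError if malformed."""
    if len(data) < 33:
        raise ValueError("truncated: no room for signature + IHDR")
    if data[:8] != PNG_SIGNATURE:
        raise ValueError("bad PNG signature")
    length, ctype = struct.unpack(">I4s", data[8:16])
    if ctype != b"IHDR" or length != 13:
        raise ValueError("first chunk must be IHDR with length 13")
    body, (crc,) = data[16:29], struct.unpack(">I", data[29:33])
    if zlib.crc32(b"IHDR" + body) & 0xFFFFFFFF != crc:
        raise ValueError("IHDR CRC mismatch")
    width, height, depth, color, comp, filt, interlace = struct.unpack(">IIBBBBB", body)
    if color not in CHANNELS_BY_COLOR_TYPE or comp != 0 or filt != 0 or interlace > 1:
        raise ValueError("invalid IHDR field values")
    return {"width": width, "height": height, "bit_depth": depth, "color_type": color}


def required_bytes(hdr: dict) -> int:
    """Exact decoded size (one filter byte per scanline), using Python's unbounded ints."""
    bits_per_pixel = CHANNELS_BY_COLOR_TYPE[hdr["color_type"]] * hdr["bit_depth"]
    row_bytes = (hdr["width"] * bits_per_pixel + 7) // 8 + 1
    return row_bytes * hdr["height"]


def check_dimensions(hdr: dict, max_bytes: int = MAX_IMAGE_BYTES) -> int:
    """Reject out-of-spec dimensions and images larger than the policy allows."""
    w, h = hdr["width"], hdr["height"]
    if not (1 <= w <= PNG_MAX_DIMENSION and 1 <= h <= PNG_MAX_DIMENSION):
        raise ValueError(f"width/height {w}x{h} outside PNG limits")
    total = required_bytes(hdr)
    if total > max_bytes:
        raise ValueError(f"image needs {total} bytes, policy allows {max_bytes}")
    return total


def naive_32bit_size(hdr: dict) -> int:
    """The buffer size a decoder doing the same arithmetic in a 32-bit unsigned int sees."""
    return required_bytes(hdr) & 0xFFFFFFFF


def make_ihdr(width, height, depth=8, color=2, corrupt_crc=False) -> bytes:
    """Build signature + IHDR only (constructed test input, not a complete image)."""
    body = struct.pack(">IIBBBBB", width, height, depth, color, 0, 0, 0)
    crc = zlib.crc32(b"IHDR" + body) & 0xFFFFFFFF
    if corrupt_crc:
        crc ^= 1
    return PNG_SIGNATURE + struct.pack(">I", 13) + b"IHDR" + body + struct.pack(">I", crc)


def validate_png_header(data: bytes, max_bytes: int = MAX_IMAGE_BYTES) -> tuple:
    """Accept or reject a PNG on its header alone; returns (ok, reason)."""
    try:
        hdr = parse_ihdr(data)
        size = check_dimensions(hdr, max_bytes)
    except ValueError as exc:
        return False, str(exc)
    return True, f"{hdr['width']}x{hdr['height']} needs {size} bytes"


if __name__ == "__main__":
    samples = [
        ("16x16 RGB", make_ihdr(16, 16)),
        ("65536x65536 RGB", make_ihdr(65536, 65536)),
        ("width 2^31", make_ihdr(2**31, 1)),
        ("bad CRC", make_ihdr(16, 16, corrupt_crc=True)),
    ]
    for label, blob in samples:
        print(label, validate_png_header(blob))
    big = parse_ihdr(make_ihdr(65536, 65536))
    print("32-bit decoder would allocate", naive_32bit_size(big), "of", required_bytes(big))
```

The 65536x65536 header is the instructive case: the true decoded size is 3 x 2^32 + 65536 bytes, so a 32-bit size computation wraps to exactly 65536 and a bounds check on the wrapped value passes while the real scanlines do not fit; checking each dimension against the specification limit and computing the size without overflow is what closes that gap.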
What is PNG?
PNG stands for Portable Network Graphics. The Portable Network Graphics (PNG) format was designed to replace the older and simpler GIF format and, to some extent, the much more complex TIFF format. Additional information about PNG can be found at the following Web site.
What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could take complete control of the affected system.
Who could exploit the vulnerability?
Any anonymous user who could host a malformed PNG file on a Web site, network share, or persuade a user to open a PNG file that is sent as an attachment in email could seek to exploit this vulnerability.
How could an attacker exploit the vulnerability?
An attacker could exploit the vulnerability by hosting a specially crafted PNG file on a Web site or network share, and entice a user to visit that Web site. Additionally, an attacker could send a link to a malicious PNG file in an email message and entice a user to click on the link.
What systems are primarily at risk from the vulnerability?
Workstations and terminal servers are primarily at risk. Servers could be at more risk if users who do not have sufficient administrative credentials are given the ability to log on to servers and run programs. However, best practices strongly discourage allowing this.
Are Windows 98, Windows 98 Second Edition or Windows Millennium Edition critically affected by this vulnerability?
Windows 98 is not critically affected by this vulnerability; however, Windows 98 Second Edition and Windows Millennium Edition are. A Critical security update for these platforms is available and is provided as part of this security bulletin and can be downloaded from the Windows Update Web site.
For more information about severity ratings, visit the following Web site.
What does the update do?
The update addresses the vulnerability by modifying the way that Windows Media Player validates the width and height of a PNG file.
When this security bulletin was issued, had this vulnerability been publicly disclosed?
A vulnerability similar to this has been publicly released and assigned Common Vulnerability and Exposure number CAN-2004-0597.
Is this vulnerability the same as the vulnerability described in CAN-2004-0597?
While similar to the vulnerability described here, Windows Media Player does not use or incorporate the affected libpng library. However, Windows Media Player is configured in such a way that makes it susceptible to the vulnerability described here.
When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
No. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.
Mitigating Factors for PNG Processing Vulnerability in Windows Messenger:
* The nature of the vulnerability is different in Windows Messenger than in MSN Messenger or Windows Media Player. The vulnerability in Windows Messenger would be very complex to exploit and requires a large amount of effort and knowledge about the internal network of an organization to attempt to exploit this vulnerability.
* A user would have to be running Windows Messenger and have it configured to receive .NET Alerts.
Workarounds for PNG Processing Vulnerability in Windows Messenger:
Microsoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified below.
Turn off the .NET Alerts feature in Windows Messenger.
* Open Windows Messenger
* Go to the Tools menu and select Options
* In the Options dialog go to the Privacy tab.
* Check the option that says "Don't download any tabs to my computer"
Note this setting will take effect the next time you sign into Windows Messenger.
.Net Alerts are only available on Passport accounts that have signed up to receive them. Users who have never configured their account to receive these alerts will not have this setting available.
FAQ for PNG Processing Vulnerability in Windows Messenger:
What is the scope of the vulnerability?
This is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system.
What causes the vulnerability?
Windows Messenger implements the public libpng 1.2.5 version library that was recently found to have several known vulnerabilities.
What is PNG?
PNG stands for Portable Network Graphics. The Portable Network Graphics (PNG) format was designed to replace the older and simpler GIF format and, to some extent, the much more complex TIFF format. Additional information about PNG can be found at the following Web site.
What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could take complete control of the affected system.
Who could exploit the vulnerability?
The vulnerability in Windows Messenger would be very complex to exploit and requires a large amount of effort and knowledge about the internal network of an organization to attempt to exploit this vulnerability. An attacker would either need the ability to spoof the .NET Messenger service, or would have to intercept and rewrite communications between the client and the server. Simply sending a malformed PNG image file to Windows Messenger does not exploit this vulnerability.
What systems are primarily at risk from the vulnerability?
Workstations and terminal servers are primarily at risk. Servers could be at more risk if users who do not have sufficient administrative credentials are given the ability to log on to servers and run programs. However, best practices strongly discourage allowing this.
Are Windows 98, Windows 98 Second Edition or Windows Millennium Edition critically affected by this vulnerability?
No. None of these vulnerabilities are critical in severity on Windows 98, on Windows 98 Second Edition, or on Windows Millennium Edition. For more information about severity ratings, visit the following Web site.
Could the vulnerability be exploited over the Internet?
No. An attacker would either need the ability to spoof the .NET Messenger service, or would have to intercept and rewrite communications between the client and the server.
Simply sending a malformed PNG to Windows Messenger does not exploit this vulnerability. Microsoft has provided information about how you can help protect your PC. End users can visit the Protect Your PC Web site. IT Professionals can visit the Security Guidance Center Web site.
What does the update do?
The update addresses the vulnerability by updating the library used by Windows Messenger to one that completely validates the PNG image file that is being processed. Additionally, Windows Messenger will now validate that PNG image files are properly formatted.
When this security bulletin was issued, had this vulnerability been publicly disclosed?
These vulnerabilities have been publicly released and assigned Common Vulnerability and Exposure number CAN-2004-0597, CAN-2004-0598 and CAN-2004-0599.
When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
No. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.
Mitigating Factors for PNG Processing Vulnerability in MSN Messenger:
MSN Messenger, by default, does not allow anonymous people to send you messages. An attacker would first need to entice you to add them to your contacts list.
Workarounds for PNG Processing Vulnerability in MSN Messenger:
Microsoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified below.
* Do not add addresses that you do not recognize or trust to your contacts list.
* Review all of the contacts currently in your contact list and remove or block any that you do not know, do not trust or no longer need.
* Disable display picture in MSN Messenger using the following steps:
Click Tools. Click Options. Click the Personal tab.
Clear the check box "Show Display Picture from Others in Instant Message Conversations".
* Disable Emoticons using the following steps:
Click Tools. Click Options. Click the Messages tab.
Clear the check box "Show emoticons in instant messages".
Clear the check box "Show custom emoticons in instant messages".
* Do not agree to accept file transfers from contacts you do not know or trust.
FAQ for PNG Processing Vulnerability in MSN Messenger:
Is the MSN Messenger 7.0 beta affected by this vulnerability?
No. This vulnerability was reported prior to the release of the MSN Messenger 7.0 beta, and the fix is therefore already incorporated into that product version.
What is the scope of the vulnerability?
This is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system.
What causes the vulnerability?
MSN Messenger implements the public libpng 1.2.5 version library that was recently found to have several known vulnerabilities.
What is PNG?
PNG stands for Portable Network Graphics. The Portable Network Graphics (PNG) format was designed to replace the older and simpler GIF format and, to some extent, the much more complex TIFF format. Additional information about PNG can be found at the following Web site.
What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could take complete control of the affected system.
Who could exploit the vulnerability?
An attacker would likely seek to exploit this vulnerability by convincing a user to add them to their contacts list, and sending a specially crafted emoticon or display picture.
What systems are primarily at risk from the vulnerability?
Workstations and terminal servers are primarily at risk. Servers could be at more risk if users who do not have sufficient administrative credentials are given the ability to log on to servers and run programs. However, best practices strongly discourage allowing this.
Are Windows 98, Windows 98 Second Edition or Windows Millennium Edition critically affected by this vulnerability?
Yes. Customers running an affected version of MSN Messenger should install the updated version of MSN Messenger.
What does the update do?
The update removes the vulnerability by updating the library used by MSN Messenger to one that correctly validates the PNG file being passed to it.
When this security bulletin was issued, had this vulnerability been publicly disclosed?
These vulnerabilities have been publicly released and assigned Common Vulnerability and Exposure number CAN-2004-0597.
When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
No. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.