J-Security Center

Title: Windows Media Player Internet Shortcut Execution Vulnerability

Severity: HIGH

Description:

Windows Media Player is an application used for viewing digital audio and video content.

Typically, Internet shortcuts are created and saved on the user's system in the MSIE Internet cache. Due to a flaw in the implementation of WMP, Internet shortcuts created by WMP are saved in the temporary internet files folder with known filenames.

When IE opens a file from its cache, it is opened in the Internet Zone, which restricts what the HTML/Script can do. However, a file residing on the local system outside of this cache is opened by IE in the Local Computer Zone, which has considerably more privileges than the Internet Zone.

When WMP creates Internet shortcuts, it stores them outside of the MSIE cache. As a result, these shortcuts are opened in the Local Computer Zone. This may allow maliciously crafted shortcuts to read files and send the data back to web servers.

This particular vulnerability does not require the user to click on the shortcut to execute the code; an attacker could execute the shortcut using the same method used to create it. However, the attacker must know the relative path to the location where the shortcut is created.

The relative path to the temporary internet files folder depends on the operating system the target is using. Windows 95, 98 and ME have a commonly known default location. However, on Windows NT 4.0 and Win2K the temporary internet files folder resides in the user's local settings, which vary from system to system.

Successful exploitation of this vulnerability could assist in further attacks against the target host.
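
An added example, not part of the original advisory or of any vendor tool: a Python triage check that lists Internet shortcut (.url) files found in a temporary internet files folder but outside the managed IE cache, which is where the description above says they would open in the Local Computer Zone. The `Content.IE5` cache directory name, the `review` triage hint and the sample files are assumptions made for this example.

```python
import configparser
import os
import tempfile

CACHE_DIR = "content.ie5"  # assumption: name of IE's managed cache subtree


def read_shortcut_url(path):
    """Return the URL= value of an Internet shortcut (INI format), or None."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        with open(path, encoding="latin-1") as fh:
            parser.read_file(fh)
        return parser.get("InternetShortcut", "URL")
    except (configparser.Error, OSError):
        return None  # unreadable or not a well-formed shortcut


def find_stray_shortcuts(tif_root):
    """List .url files under tif_root that sit outside the IE cache subtree."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(tif_root):
        # Skip the managed cache: content opened from it gets the Internet Zone.
        dirnames[:] = [d for d in dirnames if d.lower() != CACHE_DIR]
        for name in filenames:
            if name.lower().endswith(".url"):
                full = os.path.join(dirpath, name)
                url = read_shortcut_url(full)
                scheme = url.partition(":")[0].lower() if url else ""
                findings.append({
                    "path": os.path.relpath(full, tif_root),
                    "url": url,
                    # Triage hint (assumption): non-web targets get reviewed first.
                    "review": scheme not in ("http", "https"),
                })
    return sorted(findings, key=lambda f: f["path"])


if __name__ == "__main__":
    # Constructed sample tree so the check runs without a real user profile.
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "Content.IE5", "SAMPLE01"))
        samples = {os.path.join("Content.IE5", "SAMPLE01", "cached.url"): "http://example.com/",
                   "stray.url": "http://example.org/"}
        for rel, target in samples.items():
            with open(os.path.join(root, rel), "w") as fh:
                fh.write("[InternetShortcut]\nURL=" + target + "\n")
        print(find_stray_shortcuts(root))
```

Every entry returned is a shortcut stored outside the cache; `review` only orders the follow-up and is not a verdict on the file.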

Affected Products:

  • Microsoft Windows Media Player 6.4
  • Microsoft Windows Media Player 7.0.0
