Microsoft Windows Media Player Access Control Flaw Lets Remote Users View, Modify, and Delete Media Library Metadata

SecurityTracker Alert ID: 1007057
CVE Reference: CAN-2003-0348
Date: Jun 25 2003
Impact: Disclosure of system information, Disclosure of user information, Modification of user information
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 9

Description: An access control vulnerability was reported in an ActiveX control included in Windows Media Player. A remote user may be able to view and manipulate metadata in the target user's media library.

It is reported that a remote user can create HTML that, when loaded by the target user, will invoke the vulnerable ActiveX control. The remote user can then view metadata contained in the target user's media library, according to the report. The remote user can reportedly delete or rename metadata entries in the Media Library (but not the actual media files themselves) and may be able to ascertain the user name of the target user by viewing the directory paths to the media files. Metadata entries may include the name of an artist, a media track, a CD name, a genre of media, and other related information.

Versions prior to 9 are reportedly not affected.

Microsoft credits Jelmer with reporting this flaw.

Impact: A remote user can view, edit, and delete the contents of Media Library metadata on the target user's computer.

Solution: The vendor has released the following fix:

Windows Media Player 9 Series:
http://microsoft.com/downloads/details.aspx?FamilyId=36814221-8194-4492-BB29-94DB3D4CB682&displaylang=en

Windows Media Player 9 Series on Windows Server 2003:
http://microsoft.com/downloads/details.aspx?FamilyId=82CD6192-15D8-4E28-9B14-F9B78FF01D8A&displaylang=en

The patch can be installed on Windows 98, Windows 98SE, Windows Me, Windows 2000 SP2, SP3, and SP4, Windows XP and Windows XP SP1, and Windows Server 2003.

Microsoft plans to include this fix in Windows 2000 SP5, Windows XP SP2, and Windows Server 2003 SP1.

A reboot is not required after installing this patch.

Microsoft plans to issue Knowledge Base article 819639 regarding this issue, to be available shortly at:
http://support.microsoft.com/default.aspx?scid=kb;en-us;819639

Vendor URL: www.microsoft.com/technet/security/bulletin/MS03-021.asp
Cause: Access control error
Underlying OS: Windows (Any)
Message History: None.

Source Message Contents

Date: Wed, 25 Jun 2003 14:25:39 -0400
Subject: MS03-021 Flaw In Windows Media Player May Allow Media Library Access
http://www.microsoft.com/technet/security/bulletin/MS03-021.asp
CVE: CAN-2003-0348
Version 9
Flaw In Windows Media Player May Allow Media Library Access (819639)
Maximum Severity Rating: Moderate
Microsoft issued Security Bulletin MS03-021 warning of a flaw in an ActiveX control
included in Windows Media Player version 9. A remote user may be able to view and
manipulate metadata in the target user's media library.
It is reported that a remote user can create HTML that, when loaded by the target user,
will invoke the vulnerable ActiveX control. The remote user can then view metadata
contained in the target user's media library, according to the report. The remote user
can reportedly delete or rename metadata entries in the Media Library (but not the actual
media files themselves) and may be able to ascertain the user name of the target user by
viewing the directory paths to the media files. Metadata entries may include the name of
an artist, a media track, a CD name, a genre of media, and other related information.
Versions prior to 9 are reportedly not affected.
Microsoft credits Jelmer with reporting this flaw.
Windows Media Player 9 Series:
http://microsoft.com/downloads/details.aspx?FamilyId=36814221-8194-4492-BB29-94DB3D4CB682&displaylang=en
Windows Media Player 9 Series on Windows Server 2003:
http://microsoft.com/downloads/details.aspx?FamilyId=82CD6192-15D8-4E28-9B14-F9B78FF01D8A&displaylang=en
The patch can be installed on Windows 98, Windows 98SE, Windows Me, Windows 2000 SP2, SP3,
and SP4, Windows XP and Windows XP SP1, and Windows Server 2003.
Microsoft plans to include this fix in Windows 2000 SP5, Windows XP SP2, and Windows
Server 2003 SP1.
A reboot is not required after installing this patch.
Microsoft plans to issue Knowledge Base article 819639 regarding this issue, to be
available shortly at:
http://support.microsoft.com/default.aspx?scid=kb;en-us;819639