Microsoft has released a new patch for several versions of Windows Media Player, one of the most common programs used for multimedia playback in the business world. The threat, which is rated Critical, is related to the way the software handles downloading of the decorative “skins” for the popular multimedia player.
MS03-017, “Flaw in Windows Media Player Skins Downloading Could Allow Code Execution,” addresses the newly discovered vulnerability in Media Player versions 7.1 and 8. Skins are XML files used to control the graphics that alter the appearance of Media Player. They are merely decorative and the vulnerability isn’t actually related to the skins themselves, which are still considered harmless.
Skin files are normally downloaded to the Temporary Internet Files folder, in part to speed loading of the often large graphics files and also because files stored there are assigned their locations dynamically. That makes it impossible (or at least quite difficult) for an attacker to predict where on the computer they are located, reducing the possibility of an attacker remotely accessing the PC.
Microsoft Windows Media Player 7.1 and version 8 (the one that comes with Windows XP) are affected. No versions of Media Player 9 are vulnerable to this flaw. Since earlier versions of Media Player are no longer supported, Microsoft did not test them and makes no guarantee that versions prior to 7.1 are free of this vulnerability.
Exploiting this flaw could allow an attacker to download arbitrary code to a system and load it into the Startup folder or take other actions.
If the target computer has a newer version of Outlook or Outlook Express installed, or has had the recommended security patches applied to older versions, it will be much more difficult to exploit this threat because users would have to be tricked into opening a malicious e-mail or visiting a bogus Web site. See MS03-017 for more details about this. Even if successful, the attacker could run programs only in the security context of the user; therefore, the level of the threat depends on whether the user has administrator privileges or a lower level of privileges.
Fix—install the patch
It’s important to note that there’s nothing actually wrong with any skins themselves, so there is no need to ban them or attempt to locate all of them and remove them from networked or stand-alone PCs in the workplace (or home systems). The problem is in the way Media Player 7.1 and 8 actually download the files.
The patch corrects the faulty way in which Media Player validates the address used in downloading files. Without the patch, a malformed URL could trick the computer into downloading what appears to be a skin but is actually malicious code.
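The following is an added illustration of the kind of address validation described above; it is not Microsoft's code and not taken from the patch. It assumes the local file name is derived from the URL path, and every name in it (`skin_destination`, `UnsafeDownload`, the cache path, the `.wmz`/`.wms` allow-list) is chosen for the example.

```python
import ntpath
from urllib.parse import urlsplit, unquote

ALLOWED_EXTENSIONS = {".wmz", ".wms"}    # skin package / skin definition file
FORBIDDEN_CHARS = set('/\\:*?"<>|%')     # '%' left after one decode = double encoding


class UnsafeDownload(ValueError):
    """The URL does not map to a plain skin file inside the cache folder."""


def skin_destination(url, cache_dir):
    """Return the only local path this download may be written to, or raise."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise UnsafeDownload("only http(s) URLs with a host are accepted")

    decoded = unquote(parts.path)        # decode exactly once
    segments = decoded.replace("\\", "/").split("/")
    if "\\" in decoded or ".." in segments:
        raise UnsafeDownload("path separators or parent references in URL path")

    name = segments[-1]
    if not name or name != name.rstrip(". "):   # Windows drops trailing dots/spaces
        raise UnsafeDownload("empty or ambiguous file name")
    if any(c in FORBIDDEN_CHARS or ord(c) < 32 for c in name):
        raise UnsafeDownload("illegal character in file name")
    if ntpath.splitext(name)[1].lower() not in ALLOWED_EXTENSIONS:
        raise UnsafeDownload("not a skin file extension")

    # Final check on the resolved path itself, not on the string it was built from.
    root = ntpath.normpath(cache_dir)
    dest = ntpath.normpath(ntpath.join(root, name))
    if ntpath.dirname(dest).lower() != root.lower():
        raise UnsafeDownload("destination escapes the cache folder")
    return dest


def is_rejected(url, cache_dir):
    """True when the URL is refused; convenient for log review or unit tests."""
    try:
        skin_destination(url, cache_dir)
    except UnsafeDownload:
        return True
    return False


CACHE = r"C:\Cache\K7QX2M"   # constructed stand-in for a randomly named cache folder
```

The point of the last check is that the decision is made on the normalized destination path, so an encoding trick that slips past the string checks still cannot place a file outside the cache folder.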
Many companies are now sending company video clips to users rather than simple e-mails, and Media Player is the preferred tool to play back streaming video on Windows-based computers. Media Player may also be used to play back audio recordings of lectures, speeches, or pep talks from management. So even if your company isn’t making use of Media Player, you should know that many others are.
I probably don’t have to tell you that some bored end users are likely to want to spice up these presentations by downloading some different skins for the player just to personalize their work environment a bit. Therefore, you need to be aware that users could potentially be tricked into downloading malicious files disguised as Windows Media Player skins.
Another flaw to watch
In other disturbing news, it was recently disclosed that there has been a long-standing problem in Passport related to the password recovery feature. Users may find that they are currently unable to change their Passport passwords, a step taken by Microsoft to block this threat, which allowed anyone to take over a Passport account and capture any personal information people were incautious enough to provide to Microsoft. Since there is no particular action administrators can take regarding this threat, I won’t go into any details here. You can read more about the Passport threat in the CNET news report, which indicates that Microsoft acted quickly to block this attack once it was informed of it through proper channels.