Windows Media Player flaw could expose sensitive files

A major flaw in Windows Media Player 9 could allow an attacker to view and modify media files. This could potentially compromise confidential information for companies that distribute internal announcements via video.

Microsoft's Media Player 9 has a vulnerability that could allow an attacker to play or modify media files on a target system. The big danger here is that many companies and even government agencies have begun to take advantage of fast network connections to move far beyond text e-mail and make important announcements in video clips that are sent to employees. These clips often contain sensitive inside information. This flaw does not allow attackers to do more than tap into the files on the vulnerable systems, but that could be a devastating disclosure for some companies. MS03-021 addresses this threat.

This ActiveX flaw is found in Media Player 9, but not in earlier versions of the software, including version 8.0, which ships with Windows XP. Media Player 9 ships with Windows Server 2003, but it can be downloaded and run on any Windows system using Windows 98 or later, so it may be found on any system where the user routinely downloads the latest versions of software updates.

According to Microsoft, "Systems Administrators who have deployed Windows Server 2003 as a Terminal Server would likely disable Internet Explorer Enhanced Security Configuration to allow users of the Terminal Server to utilize Internet Explorer in an unrestricted mode." That configuration would expose the system to this vulnerability.

Risk level
Since this Media Player flaw doesn't allow attackers to execute code or take over other system functions, Microsoft rates this as only a moderate threat. But depending on what is contained in your media files, the problem could be a dangerous disclosure risk. It is possible to use this vulnerability to alter, or view, media files.

Mitigating factors
This version of Media Player is mostly found in Windows Server 2003 systems, and many admins have probably made sure that the Media Player is disabled on that server OS. In addition, the default configuration of WS2K3 blocks this exploit.

Also, companies that do not make use of multimedia presentations or do not store them on vulnerable systems can probably ignore this threat.

Apply the patch released by Microsoft.

Final word
Organizations that use Windows Media Player files to distribute announcement videos to employees should consider streaming those files from a server rather than allowing employees to download them to their desktops. This would mitigate potential disclosure from this flaw. It would also better secure and protect any sensitive information in those files because it would keep them from being transferred to outside sources or being nabbed by hackers who find a way to compromise the network in another manner.

There is very little reason to run Windows Media Player on a server. So unless you need it for a specific task on Windows Server 2003, make sure it is disabled on all WS2K3 systems.

Also watch out for…
  • MS03-022 addresses a flaw in ISAPI that allows an attacker to run arbitrary code on some Windows 2000 systems. The threat is rated moderate, but the software is not installed by default on Win2K Server and is not even available for Win2K Pro.
  • A variant of the Sobig virus is apparently being used by spammers to spread their unwanted messages. This is a new and disturbing trend, although I don't see how spammers expect to avoid prosecution if they are really doing this on purpose.
  • Symantec's online security tester has been distributing a flawed ActiveX code that can let hackers penetrate your system. Anyone who has used the free site recently needs to go back and retest.
  • E-mail boxes are filling up with a British Air hoax chain letter. There's no malicious content, this is just a time/resource waster. If any of your users fall for this one, you should consider revoking their license to use a keyboard.
  • There's some mysterious code wandering around the Internet that looks suspicious but has yet to be identified. ISS says it knows which hacker tool is causing the traffic.
  • There are multiple buffer overflow bugs in the GNU bug-track system GNATS.
  • Although it's not a security flaw, I thought you might also be interested in the fact that Utah Senator Orrin Hatch recently told his colleagues on The Judiciary Committee that he felt people who download software in violation of U.S. copyright laws should, if all else fails, have their computers destroyed. Senator Hatch's official Web page was taken down the next day (although a copy was still available on, apparently because it was found to be using unlicensed software. The site was then hastily modified to include the appropriate copyright information for using the software.


Editor's Picks

Free Newsletters, In your Inbox