Microsoft has warned users of a flaw in an antipiracy feature in its Windows Media Player and has released a patch to prevent systems being hacked.
All currently supported versions of Windows Media Player (versions 6.4, 7.1 and Windows Media Player for Windows XP) are flawed in their handling of license requests for certain secure media files. An attacker could exploit this flaw to hijack a user's system and take control of it.
When it requests license information from a server, the media player erroneously discloses the location on the user's system of the Internet Explorer cache it uses to temporarily store files. An attacker could use this information to bypass IE's security mechanisms and run executable files in the cache.
Internet Explorer places information that a web page or an HTML email needs to have stored on the user's system — a file, for example — in the cache and retrieves it later for handling. One way the cache is protected against direct access is by using dynamic folder names.
An attacker could exploit the vulnerability by sending an HTML email with a specially formed Windows Media file or by hosting the file on a website. In both cases, the IE cache location could be returned to the attacker's site once the file is played, at which point the attacker could try to run an executable in the cache.
Microsoft has released a 'cumulative' software patch to fix this problem. This includes all previously released patches for Windows Media Player plus two more patches that fix less broad security problems.
Microsoft rates one flaw — the newly patched privilege elevation vulnerability in Windows Media Player 7.1 — "critical" when run on Windows 2000. A malicious user could exploit the flaw in a part of Media Player that deals with storage devices to increase privilege levels on a Windows 2000 system. But the user would need to write a special software program to do that.
The third newly patched vulnerability affects only Windows Media Player 7.1 and could allow an attacker to run a script of his choice on the user's PC. Microsoft deems this a "low" risk vulnerability, as a successful attack requires the user to follow a specific series of actions in exact order.
More information about the flaws and the patch, which Microsoft urges users to apply immediately, can be found here.