Home Page | Skip to Navigation | Skip to Content | Skip to Search | Skip to Footer

Two Remote Code Execution Vulnerabilities Reported in Windows Media Player and Windows Media Center

( MS11-015, CVE-2011-0032, CVE-2011-0042 )

Summary

Two remote code execution vulnerabilities in Microsoft's Windows Media Player and Windows Media Center have been disclosed; one involves incorrect handling of DVR-MS media files, and the other concerns incorrect path restriction by DirectShow while loading DLLs. A remote attacker may exploit either of these vulnerabilities to take complete control of a vulnerable system.

Details

Windows Media Player is a proprietary digital media player and media library application developed by Microsoft that is used for playing audio, video and viewing images. Windows Media Center is a digital video recorder and media player developed by Microsoft that allows users to view and record live television, as well as organize and play music and videos.

Critical vulnerability CVE-2011-0032 is due to a flaw in Windows Media Player and Windows Media Center that results in the failure to properly parse DVR-MS (Microsoft Digital Video Recording) audio/video media files. A remote attacker could exploit this issue by convincing a user to open a specially crafted DVR-MS file or receive specially crafted streaming content. Successful exploitation of this vulnerability will allow the attacker to remotely execute arbitrary code on the affected system.

Vulnerability CVE-2011-0042 is caused when Microsoft DirectShow, a multimedia framework used by Windows Media Player and Windows Media Center, incorrectly restricts the path used for loading external libraries; this is an instance of what is called a "DLL preloading" or "binary planting" attack. An attacker could convince a user to open a legitimate Windows Media Player file that is located in the same network directory as a specially crafted dynamic link library (DLL) file. Then, while opening the media file, DirectShow would attempt to load the DLL file and then execute arbitrary code contained within it.

Affected Products

This issue affects the Windows Media Player and Windows Media Center applications that are included in the following operating systems:

  • Windows XP Media Center Edition 2005 SP3
  • Windows XP Professional x64 Edition SP2
  • Windows Vista SP1 and SP2
  • Windows Vista x64 Edition SP1 and SP2
  • Windows 7 for 32-bit and x64-based Systems
  • Windows Server 2008 R2 for x64-based Systems
  • Windows Media Center TV Pack for Windows Vista, 32-bit and 64-bit editions

Solution


Check Point IPS Software Blade and NGX SmartDefense provide network protection against these vulnerabilities in the latest IPS update by detecting and blocking transferal of malformed DVR-MS files via HTTP, as well as the transferal of suspicious DLL files via CIFS and WebDAV protocols. For more information see CPAI-2011-0055 and CPAI-2011-0054.

 

Originally Published:

Last Updated: 08-Mar-2011

Legal Notice for Threat Center Advisories