ITS Homepage Click here for text version of ITS homepage University at AlbanyUAlbany Site IndexUAlbany Search
alerts_tag
UNPATCHED* Vulnerability in MediaPlayer


ALARM Group ALERT - click for a description of ALARM, The Computing Alert System


Alert Number:  121007-02
Alert Date:  12/10/07
Alert Title: *UNPATCHED* Vulnerability in MediaPlayer
Update-to: None.
OS/Platform/Application:  Microsoft Windows Media Player 6.4
Category:  ALERT
Severity:  MEDIUM
Attention:  Windows Media Player users (particularly on older versions of Windows, see "*" below)

Summary:  Multiple Internet Security-Related Agencies are currently reporting the existence of a vulnerability in Windows Media Player that could result in a variety of outcomes ranging from (local) denial of service to arbitrary code execution on a vulnerable computer system.  The most likely vector of exploit would be the opening of a maliciously-crafted MP4 media file by an unknowing user.

*It is important to note that at this time the vulnerability has only been shown to affect version 6.4 of Windows Media Player.  This is an older version of the application that is generally found as the default media player installation on older versions of Microsoft Windows such as Windows 2000, 98, 95 and NT.  It is possible that the vulnerable version of this application may exist (as "mplayer2.exe") on other (possibly newer) operating systems as well.  Newer versions of Windows Media player are at this time not believed to be vulnerable to this exploit.

At the time of this writing (11 AM 12/10/07) no patch has been made available from the vendor to address this vulnerability.  A proof-of-concept code to exploit this vulnerability has been released to the public.  This vulnerability is rated as "highly critical" by at least one Security Agency at this time.

Recommended Actions:  Persons who manage or maintain Windows 2000/98/95/NT systems or use Windows Media Player 6.4 are encouraged to read the vulnerability details (links provided below) and to avoid opening untrusted MP4 Media files until a patch has been made available from the vendor.

ITS Actions:  At this time, ITS is taking no specific additional actions to address this vulnerability.

Resources:

SANS Advisory:
http://isc.sans.org/diary.html?storyid=3729

SecurityFocus Advisory:
http://www.securityfocus.com/bid/26773/discuss

Secunia Advisory:
http://secunia.com/advisories/27998/

 
 

BLANKABCDEFGHIJKLMBLANK
BLANKNOPQRSTUVWXYZBLANK
CHOOSE FROM the ITS Site Index

GO TO an ITS Group

Information Technology Services
University at Albany, SUNY
1400 Washington Avenue
Albany, NY 12222
ITS Service Centers:  518-442-4000
  		University at Albany Home Page
Contact UAlbany | Directories | Calendars | Visitors | Site Index | Search
Admissions | Academics | Research | IT Services | Libraries | Athletics
Internet Privacy Policy              IT Policies