
Next Virus Exploit: Media Player?

by Nikola Strahija on March 27th, 2002

Security experts believe Windows Media Player could soon be targeted by malicious virus writers who are now all but shut out of attacking another Microsoft product, Outlook 2002.

They have discovered that Media Player allows malicious hackers to easily bypass Outlook's new security features, which block delivery of dangerous e-mailed attachments and turn off active scripting by default. A downloadable security update from Microsoft adds the same protections to Outlook 2000.

The experts say code identified as a file that Media Player "trusts" can be embedded in an HTML-formatted e-mail, and Outlook will then automatically allow the player to execute it.

"Bad guys will keep looking for a way into a system. If they think Outlook is harder to get into, they'll try something else like WMP," said Richard Forno, chief technology officer at Shadowlogic. "They'll keep turning doorknobs until they can exploit something."

Over the past year, security experts have found a handful of methods by which they can surreptitiously run malicious code through Media Player. The most recent exploit, discovered by security sleuth Richard Smith, uses the "Windows Media Skin" (.wms) format to bypass Outlook's bolstered security features.

Skins are used to change the appearance of the player. Because Windows considers .wms files to be safe, an HTML e-mail purporting to contain .wms code will automatically launch the player and execute the code -- which could be malicious.

Smith posted details of his discovery on BugTraq, a security mailing list, several weeks after notifying Microsoft of the problem.

A Microsoft spokesman said the company has an "active ongoing investigation" into the issue and chided Smith for his decision to go public with the details.

"This poster chose to publicize the information before Microsoft could complete its investigation of the issue, potentially putting customers at risk," the Microsoft official said.

Smith said his advisory is a simple variation of other Media Player problems that have been publicly discussed for nearly a year.

"Microsoft has been dragging its feet on WMP Outlook security issues," Smith said. "And Microsoft needs to stop blaming security researchers for Microsoft product defects."

The Microsoft official said that scripting in WMP "does not itself represent a security issue; as with all product features, there are mechanisms in place to ensure the safe operation of these features."

But a test of the problem that Smith documented confirmed that the player, on Windows XP systems with Office XP's default security settings, automatically executed e-mailed malicious code purporting to be a skin file, with no way for the e-mail's recipient to block the file from running.

Users can turn off scripting in Outlook and Explorer, but scripting cannot be disabled in Media Player. The exploit will work with WMP versions 7 and 8, even if scripting is disabled in Outlook and Explorer.

Microsoft's official said scripting cannot be turned off in the player because it is "an important feature for creating synchronized multimedia presentations, and new kinds of streaming services for online radio as well as online advertising."

According to recent testimony in Microsoft's antitrust trial, Media Player is installed on over 350 million computers. The player comes pre-installed on all XP and Windows Me systems. Currently, uninstalling WMP seems to be the only way to protect systems from the exploit.
