Signature Detail

HTTP: Microsoft Windows Media Player Skin Parsing Code Execution

This signature detects attempts to exploit a known buffer overflow vulnerability in Microsoft Windows Media Player. It is due to insufficient data validation while parsing compressed skin files. A remote attacker can exploit this by enticing the target user to open a crafted WMZ file, potentially causing arbitrary code to be injected and executed in the security context of the current user. In a simple attack case, the affected Windows Media Player can terminate when the malicious file is opened. In a sophisticated attack, where the malicious user is successful in injecting and executing supplied code, the behavior of the system is dependent on the nature of the injected code. Any code injected into the vulnerable component can execute in the security context of the currently logged in user.

Extended Description

Microsoft Windows Media Player is prone to a remote code-execution vulnerability when handling specially crafted skin files. Attackers exploit this issue by coercing unsuspecting users to download and open Windows Media Player skin files (WMZ or WMD files). Note that users must attempt to apply the skin files. Successful exploits allow attackers to execute arbitrary code in the context of the vulnerable application. This facilitates the remote compromise of affected computers.

Affected Products

• Avaya customer_interaction_express_(cie)_server 1.0
• Avaya customer_interaction_express_(cie)_user_interface 1.0
• Avaya customer_interaction_express_(cie)_user_interface 1.0.2
• Microsoft windows_media_player 10.0
• Microsoft windows_media_player 11
• Microsoft windows_media_player 7.1
• Microsoft windows_media_player 9.0

References

• BugTraq: 25305
• CVE: CVE-2007-3037