Zero Day Exploit Found in Windows Media Player

filenavigator writes "Another zero day flaw has been reported in Windows Media Player. It comes only one day after a serious zero day flaw was found in Word. The flaw is dangerous because it involves IE and Outlook's ability to automatically launch .asx files. No fix from Microsoft has been announced yet."
  • by ThinkFr33ly ( 902481 ) on Thursday December 07, 2006 @11:42PM (#17157774)
    FYI, this does not seem to affect Windows Media Player 11, which is available via Windows Update or the WMP site [microsoft.com].

    It also does not affect Vista, both because Vista comes with WMP 11, and thanks to IE7 running in protected mode [microsoft.com]. This would likely cause the browser to crash, however.
  • by Anonymous Coward on Friday December 08, 2006 @12:02AM (#17157962)
    x86 processors have a local jump instruction that is 4 bytes long. If the exploiter is able to get his code loaded within range of that jump instruction, you're fucked. And really, getting code loaded like that is not a difficult thing to do.

    In fact, many x86 operating systems have used such a technique to dynamically patch kernel code. They insert a couple of nop operations after a function prologue. These operations normally do nothing, but can be replaced with a jump instruction at runtime. This allows for the instructions of the existing function to be replaced with ease.

  • by Frankie70 ( 803801 ) on Friday December 08, 2006 @12:27AM (#17158150)

        A buffer overflow is a buffer overflow, but if you RTFA... you discover that the maximum overflow of the buffer is four bytes. Anybody know of any four-byte long spyware programs?

    Are you a moron?
    The code which is executed need not fit into the 4 bytes.
  • by LO0G ( 606364 ) on Friday December 08, 2006 @12:49AM (#17158330)
    It depends on your heap allocator. IIRC, on the Windows XP heap (without service packs) an application could be owned with just a 1 byte heap overflow (if the phase of the moon was right). On XP SP2's heap it's WAY harder to exploit overflows, because the heap was hardened against this kind of attack. On Vista, it's even harder, the heap was hardened well beyond what was done in XP SP2.

    I have no idea of how exploitable the various *nix or OS X heap implementations are - I'm sure that some are even more exploitable than XP's heap was (the original 4.2 BSD heap was very exploitable, IIRC), and I'm also sure that some of them are hardened as well as Vista's.

    But heap hardening just makes exploitation harder (this is true of ALL defense-in-depth techniques). Even if your platform has a hardened heap and NX protection and stack canaries and ASLR, it's still possible to successfully exploit a vulnerability - it's many many orders of magnitude harder than if those features weren't present, but it's still possible to attack the system.
  • Re:zero-day exploit (Score:2, Informative)

    by Bargearse ( 68504 ) on Friday December 08, 2006 @01:02AM (#17158440) Homepage
    When Slashdot get their hands on it :)
    Neither the linked article nor the eEye alert says that there is an exploit available, just that it's a flaw.

    And eEye somehow missed listing "upgrade to the unaffected WMP11" as a form of mitigation.

  • by Valacosa ( 863657 ) on Friday December 08, 2006 @01:20AM (#17158568)
    He's not gay. If he were gay, he'd be telling us to buy a Mac.
  • by Giorgio Maone ( 913745 ) on Friday December 08, 2006 @04:57AM (#17159736) Homepage

    VideoLAN - VLC Media Player [videolan.org] is an all-in-one open source and cross platform program which does much more than WMP: it's a user-friendly player, but also a powerful and flexible transcoder for almost every audio/video format and even a stream server supporting various network protocols.

    Worth a try as a better replacement, especially for power users.

  • The recent coverage of ASX Playlist issues seems somewhat strange. For the uninitiated, here is a quick wrapup:

    XMPlay ASX buffer overflow PoC code posted to milw0rm - 21 November

    This PoC demonstrated an exploitable buffer overflow condition in the handling of 'ref href' URIs. A CVE entry (CVE-2006-6063 - though this only identifies the .m3u method of exploiting the vulnerability) appears around the same time, and reporting is carried by the usual third parties. With no fix present, this remains an effective 0-day (plus, with existing malware targeting .asx files it could make for interesting real-world use).

    Windows Media Player DoS code posted to BugTraq - 22 November

    Oddly, this code represented an almost exact duplicate of the buffer overflow demonstrated the day before, only with the exploit payload removed and replaced with a bunch of 'A's, and fails to draw much interest from third parties. It isn't until eEye publishes data on this issue (and increases the perceived threat posed) on their 0-day reporting / information site that it attracts some attention from other reporting parties (such as FrSIRT on 7 December), though uptake is slow.

    Leaving Chinese Soup's critique (BugTraq) of eEye's analysis aside (why they haven't identified the XMPlay vulnerability is another question), users need to be aware that if they replace WMP with XMPlay as the default handler of .asx content, then they are potentially creating a much riskier environment than if they accept the current DoS risk against their platform.

    If this particular code release had appropriate accompanying documentation, it would be possible to work out whether it is a derivative of the earlier code, or fortuitous timing on something found independently.

    Criticism has been recently levelled against third party reporting bodies for failing to adequately investigate reports (after one of the recent MoKB OS X corrupted .dmg file handling errors), and the way that information is flowing between, and being distributed by, third party reporting bodies in this case is showing similar patterns.

    In summary:
      - There is a known 0-day targeting a vulnerability in XMPlay's handling of malicious .asx (and other content types) data passed via 'ref href' that can lead to arbitrary code execution.
      - There is a known DoS targeting WMP that is exploited via a long string passed via 'ref href' and using the .asx media type
      - There has been no proven link between the two disclosures
      - It has yet to be shown that the WMP vulnerability leads to arbitrary code execution
      - The advice to replace WMP as the default .asx filetype handler can lead to an increased security risk if the replacement application is XMPlay (accepting arbitrary code execution in an effort to avoid a DoS).
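Both issues summarised in the comment above hinge on the same thing: the length of the string a player receives through the `ref href` attribute of an ASX playlist. The following is an added example written for this page, not code from the commenter, eEye or any of the players discussed: a small defender-side scanner that pulls every `ref href` value out of a playlist and flags values longer than a threshold, so a mail gateway or a download filter can quarantine such files before any player opens them. The 1024-byte threshold and the sample playlists are constructed assumptions, not values taken from either advisory.

```python
import re

# Constructed sample playlists for the demonstration (not real-world samples).
BENIGN_ASX = """<asx version="3.0">
  <title>Example stream</title>
  <entry><ref href="http://example.invalid/stream.wma"/></entry>
  <entry><ref href='mms://example.invalid/live'/></entry>
</asx>"""

# A playlist whose single ref href is an oversized run of 'A' characters,
# the same shape as the DoS report described in the thread.
OVERLONG_ASX = (
    '<asx version="3.0"><entry><ref href="'
    + "A" * 5000
    + '"/></entry></asx>'
)

# ASX files are frequently not well-formed XML, so a tolerant regex is used
# instead of an XML parser. It matches a <ref ...> tag and captures the href
# value in double quotes, single quotes, or unquoted form (case-insensitive).
_REF_HREF = re.compile(
    r"<\s*ref\b[^>]*?\bhref\s*=\s*(?:\"([^\"]*)\"|'([^']*)'|([^\s>]+))",
    re.IGNORECASE,
)

# Assumed policy threshold: legitimate stream URLs are far shorter than this.
MAX_HREF_LEN = 1024


def ref_hrefs(text):
    """Return every ref href value found in the playlist text, in order."""
    values = []
    for m in _REF_HREF.finditer(text):
        # Exactly one of the three alternation groups matched; take it.
        values.append(next(g for g in m.groups() if g is not None))
    return values


def scan_asx(text, max_len=MAX_HREF_LEN):
    """Return a list of findings; an empty list means nothing suspicious.

    Each finding records the entry index, the length of the offending href
    and a short, non-sensitive preview so an analyst can triage the file.
    """
    findings = []
    for index, href in enumerate(ref_hrefs(text)):
        if len(href) > max_len:
            findings.append({
                "entry": index,
                "length": len(href),
                "preview": href[:32],
                "reason": f"ref href exceeds {max_len} bytes",
            })
    return findings


def verdict(text, max_len=MAX_HREF_LEN):
    """Map scan results to a one-word decision for a gateway policy."""
    return "quarantine" if scan_asx(text, max_len) else "allow"


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_ASX), ("overlong", OVERLONG_ASX)):
        print(name, verdict(sample), scan_asx(sample))
```

The scanner is deliberately independent of which player is registered for `.asx`: as the comment points out, swapping WMP for XMPlay changes the consequence of an oversized `ref href` (crash versus code execution) but not the trigger, so filtering on the trigger protects both configurations.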
  • by Anonymous Coward on Friday December 08, 2006 @09:37AM (#17161100)
    Actually, the Windows Display Driver Model (WDDM) in Vista does move the majority of the video driver into ring3. Without the WDDM driver you don't get the fancy-pants accelerated UI. A lot of people focus on the obvious improvements in Vista, which are few, but there are a lot of underlying changes which will move to fundamentally overhaul the platform. WDDM is one of them. Combined with the DX10 requirements for graphics cards they will soon have all of the scheduling and memory management features as the CPU.

    http://www.hardocp.com/news.html?news=MTkyNzgsLCxobmV3cywsLDE= [hardocp.com]
  • Re:Another 0-day? (Score:4, Informative)

    by jfedor ( 27894 ) <jfedor@jfedor.org> on Friday December 08, 2006 @10:06AM (#17161426) Homepage
    It doesn't mean anything (well, except for "unpatched as of yet" or "disclosed in a not-very-responsible way"). In the pirated movies/games community "zero-day" means that the illegal release was done on the same day that the movie was released to theaters or the game was put on shelves in stores. In the security vulnerabilities community the term is used because many people think it sounds like something a hacker would say (a hacker like Angelina Jolie that is).

    -jfedor
