RE: Windows Media Player executes WMF content in .MP3 files.

From: Menashe Eliezer (
Date: 02/27/02

From: "Menashe Eliezer" <>
To: "Brian McWilliams" <>, "David Korn" <>, <>
Date: Thu, 28 Feb 2002 00:07:09 +0200

Actually, any file extension that is associated with the vulnerable
applications can be used.
Even .WAV files can be used to "hijack" users to a web site containing a
powerful ActiveX Control. The URL can even include a direct link to an
executable, or to a web site that automatically downloads and executes an
There is also a privacy aspect to this exploit. Users who play illegal
multimedia files, such as .MP3 and MPEGs, can be tracked by web sites that
log their IP address or even much more personal details. For example, an
ActiveX Control embedded on a web site can pull out your e-mail address.

This technique is powerful. However, there are many ways to "hijack" users
to a web site, and the main issue is: How to protect users from malicious
active content in web sites. Finjan has put a .WAV demo to test your
vulnerability to this attack. Upon opening this audio file with vulnerable
software, a sound will be played and you'll be "hijacked" directly to Finjan
Software's ActiveX demo.
More details can be found in:

Menashe Eliezer
Manager, Malicious Code Research Center
Finjan Software - Proactive Defense Against Malicious Code

-----Original Message-----
From: Brian McWilliams []
Sent: Sunday, February 24, 2002 4:14 AM
To: David Korn;
Subject: Re: Windows Media Player executes WMF content in .MP3 files.

I've confirmed the report below.

Windows Media Player (like RealPlayer) allows content developers to create slide shows or "illustrated audio." That is, you can create a stream in the player's native media format (.asf, .wma, .wmf) that includes embedded URLs, scripts, etc.

Turns out that if you feed the WMP a .wma file that has embedded URLs and that has been renamed to end in .mp3, the WMP will happily treat the file like one of its own and launch the URLs in the browser when it encounters them in the stream.

Demo here:

59k (19 second) wma file that has been renamed to mp3. Should launch three separate Web pages during playback with Windows Media Player.
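The defensive check both messages point at is the same one: a file's extension (.mp3, .wav) says nothing about what the player will actually parse, so a gateway or mail filter should sniff the container from its leading bytes and, when the file is really ASF/WMA, look for the Script Command Object that carries the embedded URL commands McWilliams describes. The Python below is an added example written for this page, not code from Finjan, Brian McWilliams or Microsoft. The two GUIDs are taken from the public ASF specification (on-disk byte order); the Script Command Object layout is written from that specification as I recall it and is marked as an assumption in the code. The sample file is constructed inline with the same layout so the check runs offline; `example.invalid` URLs are placeholders.

```python
import struct

# GUIDs from the ASF specification, written in their on-disk (mixed-endian) byte order.
ASF_HEADER_OBJECT = bytes.fromhex("3026b2758e66cf11a6d900aa0062ce6c")
ASF_SCRIPT_COMMAND_OBJECT = bytes.fromhex("301afb1e620bd011a39b00a0c90348f6")

# Extensions that legitimately map onto the ASF container.
ASF_EXTENSIONS = {"asf", "wma", "wmv"}


def sniff_container(data: bytes) -> str:
    """Identify the real container from leading bytes, ignoring the file extension."""
    if data.startswith(ASF_HEADER_OBJECT):
        return "asf"
    if data.startswith(b"ID3"):
        return "mp3"  # MP3 with an ID3v2 tag
    if len(data) >= 2 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0:
        return "mp3"  # raw MPEG audio frame sync
    return "unknown"


def parse_script_commands(obj: bytes):
    """Parse the body of a Script Command Object (bytes after its GUID and size).

    Layout assumed here, per the ASF spec: reserved GUID (16), command count (2),
    command type count (2), then the type names and the commands, all UTF-16LE
    strings prefixed by their length in characters.
    """
    pos = 16
    n_cmds, n_types = struct.unpack_from("<HH", obj, pos)
    pos += 4
    types = []
    for _ in range(n_types):
        (ln,) = struct.unpack_from("<H", obj, pos)
        pos += 2
        types.append(obj[pos:pos + 2 * ln].decode("utf-16-le"))
        pos += 2 * ln
    cmds = []
    for _ in range(n_cmds):
        t_ms, t_idx, ln = struct.unpack_from("<IHH", obj, pos)
        pos += 8
        name = obj[pos:pos + 2 * ln].decode("utf-16-le")
        pos += 2 * ln
        cmds.append((t_ms, types[t_idx], name))
    return cmds


def scan_asf_header(data: bytes):
    """Walk the top-level ASF Header Object and collect embedded script commands."""
    size, _count = struct.unpack_from("<QI", data, 16)
    pos = 30  # 16 GUID + 8 size + 4 object count + 2 reserved bytes
    end = min(size, len(data))
    found = []
    while pos + 24 <= end:
        guid = data[pos:pos + 16]
        (osize,) = struct.unpack_from("<Q", data, pos + 16)
        if osize < 24:
            break  # malformed object size; stop rather than loop forever
        if guid == ASF_SCRIPT_COMMAND_OBJECT:
            found.extend(parse_script_commands(data[pos + 24:pos + osize]))
        pos += osize
    return found


def assess(filename: str, data: bytes) -> dict:
    """Report extension/container mismatch and any URL script commands in an ASF file."""
    claimed = filename.rsplit(".", 1)[-1].lower()
    claimed = "asf" if claimed in ASF_EXTENSIONS else claimed
    real = sniff_container(data)
    url_cmds = []
    if real == "asf":
        url_cmds = [(t, name) for t, typ, name in scan_asf_header(data) if typ.upper() == "URL"]
    return {
        "claimed": claimed,
        "real_container": real,
        "extension_mismatch": real != "unknown" and real != claimed,
        "url_commands": url_cmds,
    }


def build_sample_asf(commands):
    """Construct a minimal ASF header holding a Script Command Object (test data only)."""
    types = sorted({t for _, t, _ in commands})
    body = bytes(16) + struct.pack("<HH", len(commands), len(types))
    for t in types:
        body += struct.pack("<H", len(t)) + t.encode("utf-16-le")
    for t_ms, t, name in commands:
        body += struct.pack("<IHH", t_ms, types.index(t), len(name)) + name.encode("utf-16-le")
    script_obj = ASF_SCRIPT_COMMAND_OBJECT + struct.pack("<Q", 24 + len(body)) + body
    header_size = 30 + len(script_obj)
    return ASF_HEADER_OBJECT + struct.pack("<QIBB", header_size, 1, 1, 2) + script_obj


if __name__ == "__main__":
    # Constructed sample: a WMA-style header with two URL commands, renamed to .mp3.
    sample = build_sample_asf([(1000, "URL", "http://example.invalid/page1"),
                               (5000, "URL", "http://example.invalid/page2")])
    print(assess("song.mp3", sample))
```

A filter built on this would quarantine any file whose sniffed container disagrees with its extension, and separately any ASF file whose header carries URL commands, since the extension rename is what lets the file slip past a policy that only blocks .wma or .asf attachments.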