Windows Media Player Remote Code Execution (923689)

---

• From: "Tony S" <tbtony@xxxxxxxxxxxxxxxx>
• Date: Mon, 23 Apr 2007 16:36:24 -0400

---

Hello!

We recently self-audited our servers and found that one of them has this
high-risk vulnerability. To reference the vulnerability description,

"Multiple vulnerabilities in Windows Media Player could allow remote code
execution. One vulnerability relates to ASX file processing. WMVCORE.DLL
contains an exploitable heap buffer overflow in its handling of "REF HREF"
URLs within ASX files. As ASX files are opened automatically through
Internet Explorer, an attacker could use this to gain remote execution
privileges at the level of the user simply from the user visiting a
malicious web page. The other relates to processing ASF files."

See also http://support.microsoft.com/kb/923689

The OS of the server in question is Windows Server 2003 Standard SP2
v5.2.3790. The DXMASF.DLL file on this system is version 6.4.9.1125 and it
is running MS Windows Media Player version 10. The server has all
updates/patches installed according to the Windows Updates site. Apparantly
the security audit software looks to the version of the DXMASF.DLL file and
if it is not version 6.4.9.1133, it complains that the vulnerability exists.

The security audit vendor is telling me "It appears the file dxmasf.dll does
not get updated by SP2 as it should. The file is unmodified by the service
pack. So if you patched beforehand, you are still protected. But if you did
not patch prior to installing service pack 2, you are now unable to install
the patch. I recommend contacting Microsoft about this, as it looks like
they will need to release another update to fix this."

Please help us to rid the server of this vulnerability.

Thank you in advance,

Tony S, MCP
Network Manager


.

---

• Follow-Ups:
  • Re: Windows Media Player Remote Code Execution (923689)
    • From: Steve Antonio [MSFT]

• Prev by Date: Re: Kerberos DES encryption
• Next by Date: Re: Windows Media Player Remote Code Execution (923689)
• Previous by thread: Domain Controller Certificates and moving to a new server or removing them?
• Next by thread: Re: Windows Media Player Remote Code Execution (923689)
• Index(es):
  • Date
  • Thread

---

Relevant Pages SecurityFocus Microsoft Newsletter #142 ... MICROSOFT VULNERABILITY SUMMARY ... Mollensoft Enceladus Server Suite Clear Text Password Storage... ... FakeBO Syslog Format String Vulnerability ... Methodus 3 Web Server File Disclosure Vulnerability ... (Focus-Microsoft) SecurityFocus Microsoft Newsletter #139 ... OFF any Windows 2000 Managed Dedicated Hosting Solution from Interland. ... Sun ONE Application Server Plaintext Password Vulnerability ... Batalla Naval Remote Buffer Overflow Vulnerability ... (Focus-Microsoft) SecurityFocus Microsoft Newsletter #140 ... Cafelog b2 Remote File Include Vulnerability ... Webfroot Shoutbox Remote Command Execution Vulnerability ... Pablo Software Solutions Baby POP3 Server Multiple Connection... ... Microsoft Windows XP Nested Directory Denial of Service... ... (Focus-Microsoft) SecurityFocus Microsoft Newsletter # 150 ... - automatically set positive security policies for real-time protection, ... MICROSOFT VULNERABILITY SUMMARY ... Meteor FTP Server USER Memory Corruption Vulnerability ... MDaemon SMTP Server Null Password Authentication Vulnerabili... ... (Focus-Microsoft) SecurityFocus Microsoft Newsletter #152 ... MICROSOFT VULNERABILITY SUMMARY ... Real Networks Helix Universal Server Remote Buffer Overflow ... ... NEW PRODUCTS FOR MICROSOFT PLATFORMS ... (Focus-Microsoft)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(13)