CIS CYBER SECURITY ADVISORIES
MS-ISAC CYBER SECURITY ADVISORY NUMBER:
Vulnerabilities in Windows Media Could Allow Remote Code Execution (MS11-015) - RISK: HIGH
Multiple vulnerabilities have been identified in Microsoft Windows Media technologies, specifically Windows Media Player, Windows Media Center, and DirectShow. Windows Media Player and Windows Media Center are digital media applications used for playing audio, video, and viewing images.
DirectShow is a component of Windows for streaming media and to perform various operations with media files. Successful exploitation of these vulnerabilities could result in an attacker gaining the same privileges as the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
- Windows XP
- Windows Media Center Edition 2005
- Windows Vista
- Windows Server 2008
- Windows 7
- Large and medium government entities: High
- Small government entities: High
- Large and medium business entities: High
- Small business entities: High
Home users: High
Two remote code execution vulnerabilities have been discovered in Microsoft Windows Media technologies. Details of these vulnerabilities are as follows:
DirectShow Insecure Library Loading Vulnerability
This vulnerability exists due to the way .dll files are loaded by DirectShow. It allows an attacker to load a .dll of the attacker's choosing that could execute arbitrary code without the user's knowledge. The path of the attacker's .dll must be accessible via SMB/CIFS file share (UNC file paths, network or WebDAV shares) or local file system.
This vulnerability exists due to the way .dvr-ms files are handled by 'SBE.dll'. The vulnerability can be exploited through a specially crafted .dvr-ms file or content that is hosted on a web page, delivered to the user via an e-mail, embedded in a Word document or any other multimedia file format.
Successful exploitation of these vulnerabilities could result in an attacker gaining the same privileges as the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
We recommend the following actions be taken:
- Apply the appropriate patch provided by Microsoft to vulnerable systems immediately after appropriate testing.
- Do not visit un-trusted websites or follow links provided by unknown or un-trusted sources.
- Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
- Inform and educate users regarding the threats posed by attachments and hypertext links contained in emails especially from un-trusted sources.
- Consider removing or restricting access to Windows Media Player in Windows installations if there is no business need for this software.
- Disable loading of libraries from WebDAV and remote network shares if there is no documented business need see Microsoft Knowledge Base Article 2264107 (http://support.microsoft.com/kb/2264107).