Security Alert!

[HomeLAN]

From an e-mail here at work:

I will update machines here ASAP. in the meantime ASF files should not be viewed by anyone here in the office. Not usually a problem since they are rarely sent via email. ASF files are generally movies found on websites. Home users should take heed as well until your system is patched, get it here:

http://www.microsoft.com/technet/security/bulletin/ms01-056.asp.

Problem:
Title: Windows Media Player .ASF Processor Contains Unchecked
Buffer
Date: 20 November 2001
Software: Windows Media Player
Impact: Run code of attacker's choice
Max Risk: Critical
Bulletin: MS01-056

Why?:
======
One of the streaming media formats supported by Windows Media
Player is Advanced Streaming Format (ASF). A security vulnerability
occurs in Windows Media Player 6.4 because the code that processes
ASF files contains an unchecked buffer.

By creating a specially malformed ASF file and inducing a user to
play it, an attacker could overrun the buffer, with either of two
results: in the simplest case, Windows Media Player 6.4 would fail;
in the more complex case, code chosen by the attacker could be made
to run on the user's computer, with the privileges of the user.
The scope of this vulnerability is rather limited. It affects only
Windows Media Player 6.4, and can only be exploited by the user
opening and deliberately playing an ASF file. There is no
capability to exploit this vulnerability via email or a web page.

However, the patch eliminates additional vulnerabilities.
Specifically, it eliminates all known vulnerabilities affecting
Windows Media Player 6.4 - discussed in Microsoft Security
Bulletins MS00-090, MS01-029, and MS01-042 - as well as some
additional variants of these vulnerabilities that were discovered
internally by Microsoft. Some of these vulnerabilities could be
exploited via email or a web page. In addition, some affect
components of Windows Media Player 6.4 that, for purposes of
backward compatibility, ship with Windows Media Player 7, and
7.1. We therefore recommend that customers running any of these
versions of Windows Media Player apply the patch to ensure that
they are fully protected against all known vulnerabilities.

Windows Media Player for Windows XP includes components of
Windows Media Player 6.4, but they are not affected by the ASF
buffer overrun or by any of the other vulnerabilities discussed
in the security bulletins listed above. However, the version 6.4
components that ship with Windows Media Player for Windows XP are
affected by some of the newly discovered variants of these
vulnerabilities. Rather than installing this patch, however, we
recommend that customers install the 25 October 2001 Critical
Update for Windows XP.

 

[Professur]

Microsoft strikes again. Thanks HL for the update.