=====================================================================
                                   CERT-Renater

                        Note d'Information No. 2010/VULN123
_____________________________________________________________________

DATE                      : 14/04/2010

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Windows 2000, Windows XP running Windows Media Player.

======================================================================
KB979402
http://www.microsoft.com/technet/security/bulletin/ms10-027.mspx
______________________________________________________________________

Microsoft Security Bulletin (979402)

Vulnerability in Windows Media Player Could Allow Remote Code Execution

Published: April 13, 2010

Version: 1.0

General Information

Executive Summary

  This security update resolves a privately reported vulnerability in Windows
  Media Player. The vulnerability could allow remote code execution if Windows
  Media Player opened specially crafted media content hosted on a malicious Web
  site. An attacker who successfully exploited this vulnerability could gain the
  same user rights as the local user. Users whose accounts are configured to
  have fewer user rights on the system could be less impacted than users who
  operate with administrative user rights.

  This security update is rated Critical for Windows Media Player 9 Series when
  installed on all supported editions of Microsoft Windows 2000 and Windows XP.

  The security update addresses the vulnerability by modifying the way the
  Windows Media Player ActiveX control handles specially crafted media content
  hosted on a malicious Web site.

  Recommendation: The majority of customers have automatic updating enabled and
  will not need to take any action because this security update will be
  downloaded and installed automatically. Customers who have not enabled
  automatic updating need to check for updates and install this update manually.
  For information about specific configuration options in automatic updating,
  see Microsoft Knowledge Base Article 294871.

  For administrators and enterprise installations, or end users who want to
  install this security update manually, Microsoft recommends that customers
  apply the update immediately using update management software, or by checking
  for updates using the Microsoft Update service.

Affected Software

  Microsoft Windows 2000 Service Pack 4
  Windows XP Service Pack 2
  Windows XP Service Pack 3

Mitigating Factors

  An attacker who successfully exploited this vulnerability could gain the same
  user rights as the local user. Users whose accounts are configured to have
  fewer user rights on the system could be less impacted than users who operate
  with administrative user rights.

  In a Web-based attack scenario, an attacker would have to host a Web site that
  contains a Web page that is used to exploit this vulnerability. An attacker
  would have no way to force users to visit a malicious Web site. Instead, an
  attacker would have to convince them to visit the Web site, typically by
  getting them to click a link that takes them to the attacker's Web site.

  By default, all supported versions of Microsoft Outlook and Microsoft Outlook
  Express open HTML e-mail messages in the "Restricted Sites" zone. The
  Restricted sites zone helps mitigate attacks that could try to exploit this
  vulnerability by preventing Active Scripting and ActiveX controls from being
  used when reading HTML e-mail messages. However, if a user clicks a link in
  an e-mail message, the user could still be vulnerable to exploitation of this
  vulnerability through the Web-based attack scenario.

Workarounds

Prevent the Windows Media Player ActiveX control from running in Internet
Explorer

  You can disable attempts to instantiate the Windows Media Player ActiveX
  control in Internet Explorer by setting the kill bit for the control in the
  registry.

  Warning: If you use Registry Editor incorrectly, you may cause serious
  problems that may require you to reinstall your operating system. Microsoft
  cannot guarantee that you can solve problems that result from using Registry
  Editor incorrectly. Use the Registry Editor at your own risk. For
  information about how to edit the registry, view the "Changing Keys And Values"
  Help topic in Registry Editor (Regedit.exe) or view the "Add and Delete
  Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.

  Note: We recommend backing up the registry before you edit it.

  For detailed steps that you can use to prevent an ActiveX control from running
  in Internet Explorer, see Microsoft Knowledge Base Article 240797.

  To prevent the ActiveX control from running in Internet Explorer, follow
  these steps:
    1.  Save the following to a file with a .REG extension such as
        Disable_WMP.reg:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]

"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]

"Compatibility Flags"=dword:00000400

    2.  Run the above registry script on the target machine with either one of
        the following methods:

        For the interactive method, double-click the Disable_WMP.reg file as
        an administrator.

        For the managed deployment method, run the following command:

            Regedit.exe /s Disable_WMP.reg

        You can also apply the registry changes across domains by using Group
        Policy.

    Note: You must restart Internet Explorer for your changes to take effect.

Set Internet and Local intranet security zone settings to "High" to block
ActiveX Controls and Active Scripting in these zones

  You can help protect against exploitation of this vulnerability by changing
  your settings for the Internet security zone to block ActiveX controls and
  Active Scripting. You can do this by setting your browser security to High.

Vulnerability Information

Media Player Remote Code Execution Vulnerability - CVE-2010-0268

  A remote code execution vulnerability exists in the Windows Media Player
  ActiveX control. An attacker who successfully exploited this vulnerability
  could take complete control of an affected system. An attacker could then
  install programs or view, change, or delete data with full user rights.


======================================================================

          =========================================================
          Les serveurs de référence du CERT-Renater
          http://www.urec.fr/securite
          http://www.cru.fr/securite
          http://www.renater.fr
          =========================================================
          + CERT-RENATER          | tel : 01-53-94-20-44          +
          + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
          + 75013 Paris           | email: certsvp@renater.fr     +
          =========================================================