Backdooring Windows Media files (and assorted Microsoft security problems)

Summary:Petko D. Petkov's ongoing research into malicious rigging of media files is now taking aim at Microsoft's ubiquitous Windows Media Player (WMP) software.

Petko D. Petkov's ongoing research into malicious rigging of media files is now taking aim at Microsoft's ubiquitous Windows Media Player (WMP) software.

The latest discovery revolves around manipulating ".asx" files to display a Web page within the standalone media player.

[The] page will be opened within the Media Player surroundings, not a standalone browser. This in particular is very interesting behavior, which I experimented with for a bit. I found that a fully patched windows XP SP2 with IE6 or IE7 and Windows Media Player 9 (default) will open any page of your choice in less restrictive Internet Explorer environment even if your default browser is Firefox, Opera or anything else you have in place. Let me translate this for you. It means that even if you are running Firefox and you think that you are secure, by simply opening a media file, you expose yourself to all IE vulnerabilities there might be.

On my Windows XP SP2 box with WMP 11, Petkov's proof-of-concept exploits triggered a warning dialog:


Clicking 'Yes' launches the media player with the attacker's Web page displayed in the "now playing" window:

In addition to Petkov's disclosure, there are several Microsoft product vulnerabilities that remain unpatched.

These include:

  1. A "moderately critical" vulnerability in the MFC42 and MFC71 libraries offered natively in Windows.  The flaw (technical details here) is caused due to a boundary error in the "FindFile()" function of the CFileFind class in mfc42.dll and mfc42u.dll. This can be exploited to cause a heap-based buffer overflow by passing an overly long argument to the affected function.  Successful exploitation may allow execution of arbitrary code.  The vulnerability is confirmed on a fully-patched Windows XP SP2 including mfc42.dll version 6.2.4131.0 and mfc42u.dll version 6.2.8071.0.
  2. Multiple "highly critical" vulnerabilities in Microsoft Visual Studio. These can can be exploited by malicious people to overwrite arbitrary files or potentially compromise a vulnerable system. Proof-of-concept exploits are publicly available.

Topics: Mobility, Enterprise Software, Hardware, Microsoft, Security, Windows


Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem... Full Bio

zdnet_core.socialButton.googleLabel Contact Disclosure

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.