CERT-In Vulnerability Note
CIVN-2008-0189
Microsoft Windows Media Components Vulnerabilities
Original Issue Date: December 11, 2008
Severity Rating: MEDIUM
Systems Affected
- Windows Media Player 6.4
- Windows Media Format Runtime 7.1
- Windows Media Format Runtime 9.0
- Windows Media Format Runtime 9.5
- Windows Media Format Runtime 11
- Windows Media Services 4.1
- Windows Media Services 9 Series
- Windows Media Services 2008
Overview
Multiple vulnerabilities have been reported in Windows Media components. Successful exploitation of the most severe vulnerability could allow remote code execution in the user's context and allow an attacker to take complete control of an affected system.
Description
Windows Media is a multimedia framework for media creation and distribution for Microsoft Windows. Its components are Windows Media Player, Windows Media Format Runtime and Windows Media Services.
NTLM (NT LAN Manager) is an authentication protocol based on a challenge/response mechanism.
A service principal name (SPN) is the name by which a client uniquely identifies an instance of a service. The SPN provides a service identity type used for authenticating the service to the client. When a client wants to connect to a service, it locates an instance of the service, composes an SPN for that instance, connects to the service, and presents the SPN for the service to authenticate.
The Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) provides IPv6 connectivity within an IPv4 Intranet.
1. SPN Vulnerability (CVE-2008-3009)
This is a remote code execution vulnerability caused by Windows Media components that do not correctly opt in to NTLM credential-reflection protections. It can be exploited through replay attacks to gain access to an affected system. An attacker who successfully exploited this vulnerability could execute code in the logged-on user's context and take complete control of an affected system.
An attacker who successfully exploited this vulnerability could also execute code with Windows Media Services distribution credentials. In this instance, an attacker could execute code with the same rights as the NETWORK SERVICE account.
2. ISATAP Vulnerability (CVE-2008-3010)
This is an information disclosure vulnerability caused by affected Windows Media components that incorrectly treat Internet resources as part of the Local Intranet zone when connecting to a server that is using an ISATAP address. An attacker can exploit this vulnerability by convincing a user to access a malicious server share or Web site that requires authentication. Successful exploitation of this vulnerability could allow an attacker to gain the NTLM credentials of the logged-on user. These credentials may be subsequently reflected back to the user's system to execute code with the same rights as the logged-on user. This could allow an attacker who is external to the intranet zone to gather NTLM credentials for an enterprise environment.
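Added example (not part of the CERT-In note or the Microsoft bulletin): a detection sketch that recognises ISATAP-format IPv6 addresses by their RFC 5214 interface identifier (00-00-5E, 0xFE, then the 32-bit IPv4 address) and flags peers whose embedded IPv4 address lies outside the intranet. The log format, the sample lines and the choice of the RFC 1918 ranges as "intranet" are assumptions made for illustration.

```python
import ipaddress

ISATAP_MARK = 0x00005EFE   # 00-00-5E OUI followed by 0xFE (RFC 5214)
UG_MASK = 0xFCFFFFFF       # ignore the u/g bits of the first octet
# Assumption: the intranet is the RFC 1918 space; adjust to the site's ranges.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample lines in a hypothetical key=value connection log.
SAMPLE_LOG = [
    "2008-12-11 10:02:11 wmplayer.exe connect dst=fe80::5efe:10.1.2.3 auth=NTLM",
    "2008-12-11 10:02:14 wmplayer.exe connect dst=fe80::200:5efe:203.0.113.5 auth=NTLM",
    "2008-12-11 10:03:40 wmplayer.exe connect dst=2001:db8:0:1:200:5efe:c633:6407 auth=NTLM",
    "2008-12-11 10:04:02 wmplayer.exe connect dst=2001:db8::1 auth=NTLM",
]

def isatap_embedded_ipv4(addr):
    """Return the IPv4 address embedded in an ISATAP IPv6 address, else None."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None                      # timestamps, names, other fields
    if ip.version != 6:
        return None
    iid = int(ip) & 0xFFFFFFFFFFFFFFFF   # low 64 bits: interface identifier
    if ((iid >> 32) & UG_MASK) != ISATAP_MARK:
        return None
    return ipaddress.IPv4Address(iid & 0xFFFFFFFF)

def flag_external_isatap(lines):
    """Return (line, ipv4) for ISATAP peers whose IPv4 is outside INTERNAL_NETS."""
    hits = []
    for line in lines:
        for field in line.split():
            cand = field.rsplit("=", 1)[-1].strip("[],")
            v4 = isatap_embedded_ipv4(cand)
            if v4 is not None and not any(v4 in n for n in INTERNAL_NETS):
                hits.append((line, str(v4)))
    return hits

if __name__ == "__main__":
    for line, v4 in flag_external_isatap(SAMPLE_LOG):
        print(f"external ISATAP peer {v4}: {line}")
```

Lines flagged this way are connections where an ISATAP-addressed server is actually an Internet host, which is the condition under which the zone misclassification described above exposes NTLM credentials.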
Workaround
- Block IP Protocol Type 41 ISATAP at the firewall to run applications with the least necessary privileges.
Solution
Apply appropriate updates as mentioned in the Microsoft Security Bulletin MS08-076.
Vendor Information
Microsoft
http://www.microsoft.com/technet/security/Bulletin/ms08-076.mspx
References
Secunia
http://secunia.com/advisories/33058/
SecurityTracker
http://www.securitytracker.com/alerts/2008/Dec/1021372.html
SecurityFocus
http://www.securityfocus.com/bid/32653
Cisco
http://tools.cisco.com/security/center/viewAlert.x?alertId=17180
http://tools.cisco.com/security/center/viewAlert.x?alertId=17181
VUPEN
http://www.vupen.com/english/advisories/2008/3388
CVE Name
CVE-2008-3009
CVE-2008-3010
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information
Email: info@cert-in.org.in Phone: +91-11-2436857
Postal address
Indian Computer Emergency Response Team (CERT-In) Ministry of Electronics and Information Technology Government of India Electronics Niketan 6, CGO Complex, Lodhi Road, New Delhi - 110 003 India