Thanks xStainDx and RobertH for the heads up. You know, for some reason, I can never beat xStainDx into posting the Security Bulletin update first, it makes me wonder... :P
Date: 26 June 2002
Software: Windows Media Player
Impact: Three new vulnerabilities, the most serious of which could run code of attacker"s choice
Max Risk: Critical
Bulletin: MS02-032 (Q320920)
This is a cumulative patch that includes the functionality of all previously released patches for Windows Media Player 6.4, 7.1 and Windows Media Player for Windows XP. In addition, it eliminates the following three newly discovered vulnerabilities one of which
is rated as critical severity, one of which is rated moderate severity, and the last of which is rated low severity:
- An information disclosure vulnerability that could provide the means to enable an attacker to run code on the user"s system and is rated as critical severity.
- A privilege elevation vulnerability that could enable an attacker who can physically logon locally to a Windows 2000 machine and run a program to obtain the same rights as the operating system.
- A script execution vulnerability related that could run a script of an attacker"s choice as if the user had chosen to run it after playing a specially formed media file and then viewing a specially constructed web page. This particular vulnerability has specific timing requirements that makes attempts to exploit vulnerability difficult and is rated as low severity.