MS02-032: Cumulative Patch for Windows Media Player

Thanks xStainDx and RobertH for the heads up. You know, for some reason, I can never beat xStainDx into posting the Security Bulletin update first, it makes me wonder... :P

Date: 26 June 2002

Software: Windows Media Player

Impact: Three new vulnerabilities, the most serious of which could run code of attacker's choice

Max Risk: Critical

Bulletin: MS02-032 (Q320920)

This is a cumulative patch that includes the functionality of all previously released patches for Windows Media Player 6.4, 7.1 and Windows Media Player for Windows XP. In addition, it eliminates the following three newly discovered vulnerabilities one of which

is rated as critical severity, one of which is rated moderate severity, and the last of which is rated low severity:

An information disclosure vulnerability that could provide the means to enable an attacker to run code on the user's system and is rated as critical severity.
A privilege elevation vulnerability that could enable an attacker who can physically logon locally to a Windows 2000 machine and run a program to obtain the same rights as the operating system.
A script execution vulnerability related that could run a script of an attacker's choice as if the user had chosen to run it after playing a specially formed media file and then viewing a specially constructed web page. This particular vulnerability has specific timing requirements that makes attempts to exploit vulnerability difficult and is rated as low severity.

It also introduces a configuration change relating to file extensions associated with Windows Media Player. Finally, it introduces a new, optional, security configuration feature for users or organizations that want to take extra precautions beyond applying IE patch MS02-023 and want to disable scripting functionality in the Windows Media Player for versions 7.x or higher.

Download: Patch for Microsoft Windows Media Player 6.4