Security Flaw Discovered in Windows Media Player 7 Can be Blocked by Mail Essentials Email Content Checking Gateway.


Business Editors

LONDON--(BUSINESS WIRE)--Nov. 3, 2000

GFI, developer of email content checking & network security software, has discovered a security flaw within Windows Media Player 7 which allows a malicious user to run arbitrary code on a victim's machine as it attempts to view a web site or an HTML email.

GFI has notified Microsoft Corp., which issued an advisory (Microsoft Security Bulletin number MS00-090).

Windows Media Player 7 is included by default on Windows Millennium Edition and is available from Microsoft for free. It includes skinning capabilities that allow its interface to be changed. GFI has found that this can be exploited to execute code on remote machines.

"The exploit works simply by opening an email on a machine which includes Windows Media Player 7 and on which HTML scripts are allowed, or by browsing a malicious site," warned GFI security engineer, Sandro Gauci.

"This security problem is exploited by embedding a JavaScript (.js) file within a Media Player skin file (.wmz) which can also be embedded in a Windows Media Download file (.wmd). This does not require the user to run any attachments since the Media Player file is automatically executed using an iframe tag or a window.open() within a script tag," he explained.

GFI advises filtering incoming emails for WMD and WMZ files, and automatically removing JavaScript, iframe tags, meta refresh tags and possibly ActiveX tags from incoming HTML email.

"This can be done automatically with an email content checking gateway such as Mail essentials. HTML tags and dangerous attachments will be removed automatically at server level and therefore network admins need not worry about their users receiving malicious attachments or HTML mails," pointed out Nick Galea, GFI CEO.
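The gateway-side filtering GFI recommends, as an added example in Python (not code from GFI or from Mail essentials): it drops .wmz and .wmd attachments by filename and re-emits each HTML part without script, iframe, object or meta refresh tags, inline event handlers and `javascript:` URLs. The function names, the exact tag set and the choice to discard everything after an unclosed blocked tag are assumptions made for this example.

```python
import html
from email import message_from_bytes, policy
from html.parser import HTMLParser

BLOCKED_EXT = (".wmz", ".wmd")          # attachment types the advisory says to filter
DROP = {"script", "iframe", "object"}   # removed with their content; object = ActiveX

class Scrubber(HTMLParser):   # drops comments/doctype; an unclosed DROP tag hides the rest
    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out, self.skip = [], 0
    def handle_starttag(self, tag, attrs):
        self.skip += tag in DROP
        equiv = (dict(attrs).get("http-equiv") or "").lower()
        if self.skip or (tag == "meta" and equiv == "refresh"):
            return
        kept = [(k, v or "") for k, v in attrs if not k.startswith("on")
                and not "".join((v or "").split()).lower().startswith("javascript:")]
        attr_text = "".join(f' {k}="{html.escape(v)}"' for k, v in kept)
        self.out.append(f"<{tag}{attr_text}>")
    def handle_startendtag(self, tag, attrs):   # "<br/>": emit the start tag only
        self.handle_starttag(tag, attrs)
        self.skip -= tag in DROP
    def handle_endtag(self, tag):
        if tag in DROP:
            self.skip = max(0, self.skip - 1)
        elif not self.skip:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip:
            self.out.append(data)
    def handle_entityref(self, name): self.handle_data(f"&{name};")
    def handle_charref(self, name): self.handle_data(f"&#{name};")

def scrub_html(markup):
    parser = Scrubber(); parser.feed(markup); parser.close()
    return "".join(parser.out)

def sanitize(raw):   # -> (cleaned EmailMessage, names of removed attachments)
    removed = []
    def walk(msg):
        if msg.is_multipart():
            parts = msg.get_payload()
            bad = [p for p in parts if (p.get_filename() or "").lower().endswith(BLOCKED_EXT)]
            removed.extend(p.get_filename() for p in bad)
            msg.set_payload([walk(p) for p in parts if p not in bad])
        elif msg.get_content_type() == "text/html":
            msg.set_content(scrub_html(msg.get_content()), subtype="html")
        return msg
    return walk(message_from_bytes(raw, policy=policy.default)), removed
```

`sanitize()` takes the raw message bytes as received by the gateway. Matching is on the declared filename only, so a deployment would pair it with content-type checks.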

GFI (http://www.gfi.com/bwmp7mes.shtml) develops communications and security software for Windows NT/2000 and has six offices in the US, UK, Germany, France, Australia and Malta. GFI's product range includes FAXmaker, Mail essentials and LANguard. GFI's customers include Microsoft, BMW, the US IRS, NASA and many more.
COPYRIGHT 2000 Business Wire
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2000, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.

Publication:Business Wire
Date:Nov 23, 2000