December 19, 2002
XP Flaw Puts MP3, Windows Media Files at Risk
By Dennis Fisher
Thanks to a newly found flaw in Windows XP, two of the most popular audio file formats can be used by crackers to take control of remote PCs. Users only need to hover their mouse pointers over the icons for malicious MP3 or Windows Media files to execute the attacker's code, Microsoft Corp. said in a bulletin published Wednesday.
The vulnerability lies in the Windows Shell, which is the portion of the operating system responsible for defining the user's desktop as well as organizing files and folders and enabling the OS to start applications. An unchecked buffer in a function used by the shell to extract custom attribute data from audio files enables an attacker to create a malicious MP3 or Windows Media file and use it to run code on a remote user's machine.
MP3 files are traded and shared by the millions on sites and peer-to-peer networks all over the Internet. Users commonly download and play files posted by people they've never met, and there is essentially no practical way of verifying the content of these files to ensure that they're not corrupted. The Windows Media format is somewhat less popular than the MP3 format, but is still quite prevalent online.
To exploit the vulnerability, an attacker can do one of three things: host the malicious file on a Web site or on a network share or send it to a user in an HTML mail message. If a user hovered the mouse pointer over the file or the folder containing the file--on a Web page or on the local disk--the code would execute. A user would need to open or preview a mail message containing the code to execute it in the e-mail attack scenario.
A successful attack would either cause the Windows Shell to fail or would run the attacker's code on the user's machine.
The vulnerability is found in Windows XP Home Edition, XP Pro, XP Tablet PC Edition and XP Media Center Edition. The patch for the vulnerability is located here.
There is a similar vulnerability in the popular Winamp media player, according to Foundstone Inc., the security company that discovered both vulnerabilities.