Full Disclosure mailing list archives
Re: security notice: Backdooring Windows Media Files
From: "Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <sbradcpa () pacbell net>
Date: Tue, 18 Sep 2007 13:51:19 -0700
Depends on your definition of "fully patched". I don't agree that "fully patched" means tiers one, two and three. There are three levels of Microsoft update: Upper section = Critical and Security updates (which to me is "fully patched") (this isn't just security updates btw) Middle tier = Optional updates = those recommended updates you speak of. Just because Microsoft thinks I need .net 3.0 and Windows media player 11 doesn't mean that I agree with their assessment. There are also some issues in deployment of Media player 11 in corporate settings. Bottom tier = drivers (aka the no patches from here get on my machines at all section) It's all in how you define "fully patched". Top section yes, bottom two, no. Windows media player 11 is in the "optional" as you said. Memisyazici, Aras wrote:
Err... Windows Media Player 11 update DOES come through on M$ Update. Of course not via the Express mode, but via Custom mode. It is a recommended update. When someone tells me "they have fully patched their system" I am assuming that they have applied any and all patched available from M$ without discrimination. -----Original Message----- From: pdp (architect) [mailto:pdp.gnucitizen () googlemail com] Sent: Tuesday, September 18, 2007 3:00 PM To: Memisyazici, Aras Cc: bugtraq () securityfocus com; full-disclosure () lists grok org uk Subject: Re: security notice: Backdooring Windows Media Files yes, of course :) but u are running Windows Media Player 11 which is not the default one for Windows XP SP2. Moreover, this Media Player edition is not slipped through any software update either. Therefore, if you are not a Media Player fan, you will never get this version on a fully patched XP SP2 machine. I tend to use iTunes on XP SP2, so yes I am vulnerable. On 9/18/07, Memisyazici, Aras <arasm () vt edu> wrote:Hi pdp! Great admirer of your work :) I just wanted to inform you that I have tested your claim, on a fully patched/updated Win XP SP2 system withanadmin account logged in, and was warned sufficiently(asked whether I wanted to play asx files, then asked if I was sure by Media Player,thenpop-up was blocked by IE), while the page you tried to produce was blocked via IE's pop-up blocker. You can see/confirm this by viewing these screenshots: http://preview.tinyurl.com/34xpcz (http://i189.photobucket.com/albums/z159/vtknightmare/noworkie1.png ) and http://preview.tinyurl.com/34jx5v (http://i189.photobucket.com/albums/z159/vtknightmare/noworkie2.png ) This was tested on a plain/manila/vanilla version of XP SP2. All I did was update/upgrade to latest available from M$ Update. Sincerely, Aras Memisyazici IT/Security/Dev. Specialist Outreach Information Services Virginia Tech -----Original Message----- From: pdp (architect) [mailto:pdp.gnucitizen () googlemail com] Sent: Tuesday, September 18, 2007 11:58 AM To: bugtraq () securityfocus com; full-disclosure () lists grok org uk Subject: security notice: Backdooring Windows Media Files http://www.gnucitizen.org/blog/backdooring-windows-media-files It is very easy to put some HTML inside files supported by Window Media Player. The interesting thing is that these HTML pages run in less restrictive IE environment. I found that a fully patched windows XP SP2 with IE6 or IE7 and Windows Media Player 9 (default) will open any page of your choice in IE even if your default browser is Firefox, Opera or anything else you have in place. It means that even if you are running Firefox and you think that you are secure, by simply opening a media file, you expose yourself to all IE vulnerabilities there might be. Plus, attackers can perform very very interesting phishing attacks. I prepared a simple POC which spawns a browser window in full screen mode... Think about how easy it is going to be to fake the windows logout - login sequence and phish unaware users' credentialshttp://www.gnucitizen.org/projects/backdooring-windows-media-files/poc02.asx On the other hand Media Player 11 (Vista by default) is not exposed to these attacks. -- pdp (architect) | petko d. petkov http://www.gnucitizen.org
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- security notice: Backdooring Windows Media Files pdp (architect) (Sep 18)
- Re: security notice: Backdooring Windows Media Files jf (Sep 18)
- Re: security notice: Backdooring Windows Media Files Memisyazici, Aras (Sep 18)
- Re: security notice: Backdooring Windows Media Files pdp (architect) (Sep 18)
- Re: security notice: Backdooring Windows Media Files Memisyazici, Aras (Sep 18)
- Re: security notice: Backdooring Windows Media Files Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] (Sep 18)
- Re: security notice: Backdooring Windows Media Files Rahul Mohandas (Sep 19)
- Re: security notice: Backdooring Windows Media Files pdp (architect) (Sep 19)
- Re: security notice: Backdooring Windows Media Files pdp (architect) (Sep 18)