MS03-021: A Flaw in Windows Media Player May Permit the Media Library to Be Accessed (819639)



The information in this article applies to:

  • Microsoft Windows Media Player 9 Series for Windows Server 2003
  • Microsoft Windows Media Player 9 Series for Windows XP
  • Microsoft Windows Media Player 9 Series for Windows 2000
  • Microsoft Windows Media Player 9 Series for Windows Millennium Edition
  • Microsoft Windows Media Player 9 Series for Windows 98 Second Edition

Technical Updates

  • June 27, 2003: The "File Information" section was updated.
  • July 1, 2003: Updated the "Download Information" section to point to the correct download URL. No technical information was changed.

SYMPTOMS

With Windows Media Player 9 Series, a flaw in an ActiveX control might permit a Web page to gain access to your Media Library. An attacker who exploits this flaw can gain access only to manipulate the Media Library on your computer. The attacker cannot browse your hard disk and cannot gain access to passwords or encrypted data. Also, the attacker cannot modify actual files on the hard disk; the attacker can modify only the contents of the Media Library entries for those files.

RESOLUTION

Security Patch Information

Download Information

Windows XP, Windows 2000, Windows Millennium Edition, and Windows 98

The following file is available for download from the Microsoft Download Center:
Release Date: June 25, 2003

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

Windows Server 2003

The following file is available for download from the Microsoft Download Center:
Download the 819639 package now.
Release Date: June 25, 2003

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

Installation Information

This security patch supports the following Setup switches:
  • /?: Shows the list of installation switches.
  • /q: Specifies Quiet mode (no user intervention).
  • /q:u: Specifies User-Quiet mode, which presents some dialog boxes to the user.
  • /q:a: Specifies Administrator-Quiet mode, which does not present any dialog boxes to the user.
  • /t:full path: Specifies the temporary working folder.
  • /c: Extracts the files without running Setup when used with /t.
  • /c:cmd: Overrides the installation command that was defined by the author.
  • /r:n: Never restarts the computer after installation.
  • /r:i: Restarts the computer if necessary. Automatically restarts the computer if it is necessary to complete the installation.
  • /r:a: Always restarts the computer after installation.
To verify that the security patch is installed on your computer, confirm that the following registry key exists:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows Media Player\wm819639

Deployment Information

To install the security patch without any user intervention, use the following command:

windowsmedia9-kb819639-x86-enu /q:a

To install the security patch without forcing the computer to restart, use the following command:

windowsmedia9-kb819639-x86-enu /r:n

Note You can combine these switches in one command.

For information about how to deploy this security patch with Microsoft Software Update Services, visit the following Microsoft Web site:

Restart Requirement

You do not have to restart your computer after you apply this security patch.

Removal Information

You cannot remove this security patch if you are using Microsoft Windows XP, Microsoft Windows 2000, Microsoft Windows Millennium Edition (Me), or Microsoft Windows 98 Second Edition. The Setup technology in these versions of Windows does not support removing the security patch. To remove this security patch if you are running Microsoft Windows Server 2003, use the Add or Remove Programs tool in Control Panel.

Security Patch Replacement Information

This security patch does not replace any other hotfixes.

File Information

The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
   Date         Time   Version     Size       File name
   ----------------------------------------------------
   06-Jun-2003  00:50  9.0.0.3008  4,653,056  Wmp.dll
Files to Support Installation

The following file is included to support installing the security patch.
   Date         Time   Size   File name
   ---------------------------------------
   06-Jun-2003  22:26  1,566  Wm819639.inf
Files for File-Dependency Reasons

The following files are included because of file dependencies.
   Date         Time   Version     Size    File name
   ----------------------------------------------------
   18-Aug-2001  02:43  6.0.2600.0  91,136  Advpack.dll
   06-Jun-2000  20:43  4.71.704.0   2,272  W95inf16.dll
   06-Jun-2000  20:43  4.71.16.0    4,608  W95inf32.dll
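
The two installation indicators this article gives (the wm819639 registry key and the Wmp.dll version in the File Information table) can be checked together on a host. The following PowerShell function is an added example, not part of the original article; the function name, the status labels, and the Wmp.dll location under %SystemRoot%\System32 are assumptions.

```powershell
# Added example: audit a host for the KB819639 fix.
# Assumption: Wmp.dll lives in %SystemRoot%\System32 (the article does not give the path).
function Test-Kb819639 {
    param(
        # Registry key named in the article's Installation Information section.
        [string]$RegistryPath = 'HKLM:\SOFTWARE\Microsoft\Updates\Windows Media Player\wm819639',
        [string]$WmpPath = (Join-Path $env:SystemRoot 'System32\Wmp.dll'),
        # Wmp.dll version from the File Information table ("or later").
        [version]$MinimumVersion = '9.0.0.3008'
    )

    $keyPresent = Test-Path -Path $RegistryPath

    $fileVersion = $null
    if (Test-Path -Path $WmpPath) {
        $info = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($WmpPath)
        # Use the numeric parts; the FileVersion string can carry extra text.
        $fileVersion = New-Object System.Version -ArgumentList @(
            $info.FileMajorPart, $info.FileMinorPart,
            $info.FileBuildPart, $info.FilePrivatePart)
    }

    $fileOk = ($null -ne $fileVersion) -and ($fileVersion -ge $MinimumVersion)

    # Hypothetical status labels for reporting; they are not Microsoft terminology.
    if ($null -eq $fileVersion) {
        $status = 'PlayerNotFound'      # no Wmp.dll at the assumed path
    } elseif ($fileVersion.Major -ne 9) {
        $status = 'OutOfScope'          # the article covers the 9 Series only
    } elseif ($keyPresent -and $fileOk) {
        $status = 'Installed'           # both indicators agree
    } elseif (-not $keyPresent -and -not $fileOk) {
        $status = 'NotInstalled'        # 9 Series player without the fix
    } else {
        $status = 'Inconsistent'        # key and file version disagree; inspect manually
    }

    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        KeyPresent  = $keyPresent
        WmpVersion  = $fileVersion
        Status      = $status
    }
}

Test-Kb819639
```

An `Inconsistent` result is the one to follow up on: the registry key alone only records that Setup ran, while the file version shows what is actually on disk.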

STATUS

Microsoft has confirmed that this problem may cause a degree of security vulnerability in the Microsoft products that are listed at the beginning of this article.

MORE INFORMATION

For more information about this vulnerability, visit the following Microsoft Web site:

Modification Type: Major
Last Reviewed: 2/24/2006
Keywords:kbHotfixServer kbQFE kbWinXPsp2fix kbWinXPpreSP2fix kbWinServ2003preSP1fix KbSECVulnerability KbSECBulletin kbSecurity kbQFE KB819639 kbAudEndUser kbAudITPRO