NY.gov Portal State Agency Listing
The following cyber advisory was issued by the New York State Office of Information Technology Services and is intended for State government entities. The information may or may not be applicable to the general public and, accordingly, the State does not warrant its use for any specific purposes.

ITS ADVISORY NUMBER:
2012-001

DATE(S) ISSUED:
01/10/2012

SUBJECT:
Vulnerabilities in Microsoft Windows Media Could Allow Remote Code Execution (MS12-004)

OVERVIEW:

Two vulnerabilities have been identified in Microsoft Windows Media.  One has been identified in the Microsoft Windows Media Player application and another in DirectShow, both of which could allow remote code execution. Windows Media Player is a media library application that is used for playing audio, video, and viewing images.  DirectShow is used for streaming media on Windows operating systems. It is a part of DirectX, which is a set of low level Application Programming Interfaces (APIs) used by Windows programs for multimedia support. Successful exploitation of these vulnerabilities could result in an attacker gaining the same privileges as the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

SYSTEMS AFFECTED:

  • Windows XP
  • Windows Server 2003
  • Windows Vista
  • Windows 7
  • Windows Server 2008

RISK:
Government:

  • Large and medium government entities: High
  • Small government entities: High

Businesses:

  • Large and medium business entities: High
  • Small business entities: High

Home users: High

DESCRIPTION:
The first remote code execution vulnerability exists in the way that the Windows Media Player multimedia library (winmm.dll) handles a specially crafted MIDI file (.mid). The second remote code execution vulnerability is caused by the improper handling of specially crafted media files in DirectShow.

An attacker could take advantage of either of these vulnerabilities if a user visits a specially crafted website or opens a specially crafted file. Successful exploitation of either of these vulnerabilities could result in an attacker gaining the same privileges as the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

RECOMMENDATIONS:
We recommend the following actions be taken:

  • Apply the appropriate patch provided by Microsoft to vulnerable systems immediately after appropriate testing.
  • Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
  • Remind users not to open e-mail attachments from unknown or un-trusted sources.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.

REFERENCES:
Microsoft:
http://technet.microsoft.com/en-us/security/bulletin/ms12-004

CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0003
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0004

Security Focus:
http://www.securityfocus.com/bid/51292
http://www.securityfocus.com/bid/51295