Microsoft Security Bulletin MS03-017 - 817787


Jerry Bryant [MSFT]
December 5th 03, 08:10 PM
Title: Flaw in Windows Media Player Skins Downloading could allow Code
Execution (817787)
Date: May 7, 2003
Software: Microsoft Windows Media Player 7.1; Microsoft Windows Media Player
for Windows XP (Version 8.0)
Impact: Arbitrary code execution
Maximum Severity Rating: Critical
Bulletin: MS03-017

The Microsoft Security Response Center has released Microsoft Security
Bulletin MS03-017

What Is It?
The Microsoft Security Response Center has released Microsoft Security
Bulletin MS03-017 which concerns a vulnerability in Microsoft Windows Media
Player versions 7.1 and 8.0. Customers are advised to review the
information in the bulletin, test and deploy the patch immediately in their
environments, if applicable.

More information is now available at
http://www.microsoft.com/technet/security/bulletin/MS03-017.asp

If you have any questions regarding the patch or its implementation after
reading the above listed bulletin you should contact Product Support
Services in the United States at 1-866-PCSafety (1-866-727-2338).
International customers should contact their local subsidiary.

--
Regards,

Jerry Bryant - MCSE, MCDBA
Microsoft IT Communities

Get Secure! www.microsoft.com/security


This posting is provided "AS IS" with no warranties, and confers no rights.

LostOne
December 5th 03, 08:11 PM

On Wed, 7 May 2003 10:52:57 -0700, "Jerry Bryant [MSFT]"
> wrote:

>Title: Flaw in Windows Media Player Skins Downloading could allow Code
>Execution (817787)
>Date: May 7, 2003
>Software: Microsoft Windows Media Player 7.1; Microsoft Windows Media Player
>for Windows XP (Version 8.0)
>Impact: Arbitrary code execution
>Maximum Severity Rating: Critical
>Bulletin: MS03-017
>
>The Microsoft Security Response Center has released Microsoft Security
>Bulletin MS03-017
>
>What Is It?
>The Microsoft Security Response Center has released Microsoft Security
>Bulletin MS03-017 which concerns a vulnerability in Microsoft Windows Media
>Player versions 7.1 and 8.0. Customers are advised to review the
>information in the bulletin, test and deploy the patch immediately in their
>environments, if applicable.
>
>More information is now available at
>http://www.microsoft.com/technet/security/bulletin/MS03-017.asp
>
>If you have any questions regarding the patch or its implementation after
>reading the above listed bulletin you should contact Product Support
>Services in the United States at 1-866-PCSafety (1-866-727-2338).
>International customers should contact their local subsidiary.


Is it conceivable that this problem could have migrated to Version 9?

I have been having continual Blue Screen serious errors ever since I
downloaded the installer for the upgrade. This happened at the same
time that this problem apparently was detected, around the first of
this month. Co-incidentally, I had also for the very first time
downloaded a skin from a non Microsoft Site, which I did not like, and
thought I had deleted.

This blue screen is now occurring every time I boot my computer. After
then re-booting, the computer seems to be operating properly.

But I find this situation very troubling. I have searched the
Knowledge base with no results so far. I am at a loss. I have searched
for the error category (102), and also the other string which appears
in the event viewer (Error code 0000000a, parameter1 000000b0,
parameter2 00000002, parameter3 00000000, parameter4 804d71af.) The
search always gives no results.

I have done a couple of Restores to earlier times, but the blue screen
is still occurring.

(The manufacturer of my computer, a MAJOR brand which shall remain
nameless, has the same answer to every problem: Reinstall the OS and
all Drivers. No matter what the problem, that is their response. Seems
to me to be like amputation at the hip for a hangnail on the big toe.)

If anyone out there has some input on this, I would greatly appreciate
it.

Thank You
LostOne

Roger Abell [MVP]
December 5th 03, 08:11 PM
"LostOne" > wrote in message ...
> On Wed, 7 May 2003 10:52:57 -0700, "Jerry Bryant [MSFT]"
> > wrote:
>
> >Title: Flaw in Windows Media Player Skins Downloading could allow Code
> >Execution (817787)
> >Date: May 7, 2003
> >Software: Microsoft Windows Media Player 7.1; Microsoft Windows Media Player
> >for Windows XP (Version 8.0)
> >Impact: Arbitrary code execution
> >Maximum Severity Rating: Critical
> >Bulletin: MS03-017
> >
> >The Microsoft Security Response Center has released Microsoft Security
> >Bulletin MS03-017
> >
> >What Is It?
> >The Microsoft Security Response Center has released Microsoft Security
> >Bulletin MS03-017 which concerns a vulnerability in Microsoft Windows Media
> >Player versions 7.1 and 8.0. Customers are advised to review the
> >information in the bulletin, test and deploy the patch immediately in their
> >environments, if applicable.
> >
> >More information is now available at
> >http://www.microsoft.com/technet/security/bulletin/MS03-017.asp
> >
> >If you have any questions regarding the patch or its implementation after
> >reading the above listed bulletin you should contact Product Support
> >Services in the United States at 1-866-PCSafety (1-866-727-2338).
> >International customers should contact their local subsidiary.
>
>
> Is it conceivable that this problem could have migrated to Version 9?
>

No. See the bulletin
http://microsoft.com/technet/security/bulletin/MS03-017.asp
which states directly
Windows Media Player 9 Series is not affected by this issue


> I have been having continual Blue Screen serious errors ever since I
> downloaded the installer for the upgrade. This happened at the same
> time that this problem apparently was detected, around the first of
> this month. Co-incidentally, I had also for the very first time
> downloaded a skin from a non Microsoft Site, which I did not like, and
> thought I had deleted.
>
> This blue screen is now occurring every time I boot my computer. After
> then re-booting, the computer seems to be operating properly.
>
> But I find this situation very troubling. I have searched the
> Knowledge base with no results so far. I am at a loss. I have searched
> for the error category (102), and also the other string which appears
> in the event viewer (Error code 0000000a, parameter1 000000b0,
> parameter2 00000002, parameter3 00000000, parameter4 804d71af.) The
> search always gives no results.
>

0xA stop is due to an attempt to access memory while in the
wrong execution state. This can happen from a program that
corrupts its pointers, has overflowed a buffer, etc.
Here, memory owned by the kernel is having an access attempt
made on it by something that is not in kernel mode.
If you have a blue screen traceback when this happens, the
instruction causing the error is at the address in parameter 4, so
you can use the loaded modules list in the blue screen to find
what contains that address and that is your culprit.
Given the address that is being accessed (unsuccessfully) is
very low (parameter 1) you likely have something trying to
use corrupt location info.


> I have done a couple of Restores to earlier times, but the blue screen
> is still occurring.
>
> (The manufacturer of my computer, a MAJOR brand which shall remain
> nameless, has the same answer to every problem: Reinstall the OS and
> all Drivers. No matter what the problem, that is their response. Seems
> to me to be like amputation at the hip for a hangnail on the big toe.)
>
> If anyone out there has some input on this, I would greatly appreciate
> it.
>
> Thank You
> LostOne
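
Added example, not part of any poster's message: one way to carry out the lookup described in the reply above, taking the stop record quoted in the thread and finding which loaded module contains the parameter 4 address. The module names, bases and sizes are constructed sample values, and the meanings given to parameters 2 and 3 follow Microsoft's documentation for stop 0xA rather than anything stated in the thread.

```python
import re
from bisect import bisect_right

# Event Viewer text as quoted in the thread.
EVENT_TEXT = ("Error code 0000000a, parameter1 000000b0, parameter2 00000002, "
              "parameter3 00000000, parameter4 804d71af.")

# CONSTRUCTED loaded-module list (name, base, size); not from the poster's machine.
# On a real system, copy it from the blue screen or a debugger's module listing.
MODULES = [
    ("kernel_image.exe", 0x804D4000, 0x1F0000),
    ("hal_example.dll",  0x806C4000, 0x020000),
    ("driver_a.sys",     0xF7A10000, 0x00C000),
]

def parse_bugcheck(text):
    """Extract the stop code and its four parameters as integers."""
    m = re.search(r"Error code ([0-9a-f]{8})"
                  r"((?:,\s*parameter[1-4] [0-9a-f]{8}){4})", text, re.I)
    if not m:
        raise ValueError("no bugcheck record found")
    params = re.findall(r"parameter[1-4] ([0-9a-f]{8})", m.group(2), re.I)
    return int(m.group(1), 16), [int(p, 16) for p in params]

def owning_module(address, modules):
    """Return (name, offset) for the module containing address, else None."""
    ordered = sorted(modules, key=lambda mod: mod[1])
    i = bisect_right([mod[1] for mod in ordered], address) - 1
    if i >= 0:
        name, base, size = ordered[i]
        if address < base + size:   # inside [base, base + size)
            return name, address - base
    return None                     # address falls in a gap between modules

def triage(text, modules):
    """Decode a stop 0xA record and attribute parameter 4 to a module."""
    code, (p1, p2, p3, p4) = parse_bugcheck(text)
    if code != 0xA:
        raise ValueError("these parameter meanings apply to stop 0xA only")
    return {
        "referenced_address": p1,                  # address that was accessed
        "irql": p2,                                # IRQL at the time of access
        "operation": "write" if p3 & 1 else "read",
        "faulting_instruction": p4,                # code that made the access
        "module": owning_module(p4, modules),
    }
```
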

LostOne
December 5th 03, 08:11 PM
Thanks for taking the time to respond. But, I am still in a quandary.
Please see the two comments interleaved below.

On Wed, 7 May 2003 18:33:41 -0700, "Roger Abell [MVP]"
> wrote:

>"LostOne" > wrote in message ...
>> On Wed, 7 May 2003 10:52:57 -0700, "Jerry Bryant [MSFT]"
>> > wrote:
>>
>> >Title: Flaw in Windows Media Player Skins Downloading could allow Code
>> >Execution (817787)
>> >Date: May 7, 2003
>> >Software: Microsoft Windows Media Player 7.1; Microsoft Windows Media Player
>> >for Windows XP (Version 8.0)
>> >Impact: Arbitrary code execution
>> >Maximum Severity Rating: Critical
>> >Bulletin: MS03-017
>> >
>> >The Microsoft Security Response Center has released Microsoft Security
>> >Bulletin MS03-017
>> >
>> >What Is It?
>> >The Microsoft Security Response Center has released Microsoft Security
>> >Bulletin MS03-017 which concerns a vulnerability in Microsoft Windows Media
>> >Player versions 7.1 and 8.0. Customers are advised to review the
>> >information in the bulletin, test and deploy the patch immediately in their
>> >environments, if applicable.
>> >
>> >More information is now available at
>> >http://www.microsoft.com/technet/security/bulletin/MS03-017.asp
>> >
>> >If you have any questions regarding the patch or its implementation after
>> >reading the above listed bulletin you should contact Product Support
>> >Services in the United States at 1-866-PCSafety (1-866-727-2338).
>> >International customers should contact their local subsidiary.
>>
>>
>> Is it conceivable that this problem could have migrated to Version 9?
>>
>
>No. See the bulletin
>http://microsoft.com/technet/security/bulletin/MS03-017.asp
>which states directly
>Windows Media Player 9 Series is not affected by this issue
>
>

But what if I had just received/loaded/downloaded the malicious file
while I was still using v8, immediately before upgrading to WMP9?
Wouldn't the malicious code still be somewhere on my computer?

>> I have been having continual Blue Screen serious errors ever since I
>> downloaded the installer for the upgrade. This happened at the same
>> time that this problem apparently was detected, around the first of
>> this month. Co-incidentally, I had also for the very first time
>> downloaded a skin from a non Microsoft Site, which I did not like, and
>> thought I had deleted.
>>
>> This blue screen is now occurring every time I boot my computer. After
>> then re-booting, the computer seems to be operating properly.
>>
>> But I find this situation very troubling. I have searched the
>> Knowledge base with no results so far. I am at a loss. I have searched
>> for the error category (102), and also the other string which appears
>> in the event viewer (Error code 0000000a, parameter1 000000b0,
>> parameter2 00000002, parameter3 00000000, parameter4 804d71af.) The
>> search always gives no results.
>>
>
>0xA stop is due to an attempt to access memory while in the
>wrong execution state. This can happen from a program that
>corrupts its pointers, has overflowed a buffer, etc.
>Here, memory owned by the kernel is having an access attempt
>made on it by something that is not in kernel mode.
>If you have a blue screen traceback when this happens, the
>instruction causing the error is at the address in parameter 4, so
>you can use the loaded modules list in the blue screen to find
>what contains that address and that is your culprit.
>Given the address that is being accessed (unsuccessfully) is
>very low (parameter 1) you likely have something trying to
>use corrupt location info.
>

Please do not take offense, or think I am being a smartass. I
absolutely respect your technical expertise. But...

I really cannot understand most of what you just said, and what I do
understand has not led me to a solution.

By "blue screen traceback" do you mean the response from Microsoft to
the error report? That is very generic, and not in any way helpful. It
just says it is likely a driver problem, but they are unable to
determine anything more specific. I have opted to track it, but that
does not seem to accomplish anything.

I am in no way a technical person. Is it possible in simple terms to
tell me what to do? It sounds like you are telling me to do something
with the information in parameter 4. But I have no idea what that
would be.

I probably sound like a jerk, but I am truly lost.

Any further comments are appreciated. And please forgive my technical
ineptitude.

Thank You.
LostOne (Still..)

>
>> I have done a couple of Restores to earlier times, but the blue screen
>> is still occurring.
>>
>> (The manufacturer of my computer, a MAJOR brand which shall remain
>> nameless, has the same answer to every problem: Reinstall the OS and
>> all Drivers. No matter what the problem, that is their response. Seems
>> to me to be like amputation at the hip for a hangnail on the big toe.)
>>
>> If anyone out there has some input on this, I would greatly appreciate
>> it.
>>
>> Thank You
>> LostOne

Bill Showengerdt
December 14th 03, 02:50 AM
On Wed, 07 May 2003 15:43:03 -0700, While I was using pressure to stop
the bleeding, LostOne > posted:
..
>(The manufacturer of my computer, a MAJOR brand which shall remain
>nameless, has the same answer to every problem: Reinstall the OS and
>all Drivers. No matter what the problem, that is their response. Seems
>to me to be like amputation at the hip for a hangnail on the big toe.)

A friend who worked the tech support escalations desk at Company once
told me that most tech support people were to tell customers to
re-install to solve most problems. Apparently, although it is a major
inconvenience for the customer, it saves the company tech support people
lots of time.

However, he said that usually if a customer bitches enough and asks for
the Escalation Desk, then they would often actually try to solve the
problem.

--
Bill

In accordance with Federal and State Law;
Any cat caught stalking a Songbird, can be shot.
