Security Flaw Discovered in Windows Media Player 7 Can be Blocked by Mail Essentials Email Content Checking Gateway

Business Wire, Nov 23, 2000

Business Editors

LONDON--(BUSINESS WIRE)--Nov. 3, 2000

GFI, developer of email content checking & network security software, has discovered a security flaw within Windows Media Player 7 which allows a malicious user to run arbitrary code on a victim's machine as it attempts to view a web site or an HTML email.

GFI has notified Microsoft Corp., which issued an advisory (Microsoft security Bulletin number MS00-090).

Windows Media Player 7 is included by default on Windows Millennium Editions and is available from Microsoft for free. It includes skinning capabilities that allow it to change interface. GFI has found that this can be exploited to execute code on remote machines.

"The exploit works simply by opening an email on a machine which includes Windows Media Player 7 and on which HTML scripts are allowed, or by browsing a malicious site," warned GFI security engineer, Sandro Gauci.

"This security problem is exploited by embedding a JavaScript (.js) file within a Media Player skin file (.wmz) which can also be embedded in a Windows Media Download file (.wmd). This does not require the user to run any attachments since the Media Player file is automatically executed using an iframe tag or a window.open() with in a script tag," he explained.

GFI advises to filter incoming emails for WMD and WMZ files, and automatically remove JavaScript, iframe tags, meta refresh tags and possibly ActiveX tags from incoming HTML email.

"This can be done automatically with an email content checking gateway such as Mail essentials. HTML tags and dangerous attachments will be removed automatically at server level and therefore network admins need not worry about their users receiving malicious attachments or html mails," pointed out Nick Galea, GFI CEO.

GFI (http://www.gfi.com/bwmp7mes.shtml) develops communications and security software for Windows NT/2000 and has six offices in the US, UK, Germany, France, Australia and Malta. GFI's product range includes FAXmaker, Mail essentials and LANguard. GFI's customers include Microsoft, BMW, the US IRS, NASA and many more.