9.3 - MS11-015

Executive Summary

Summary
Title	Vulnerabilities in Windows Media Could Allow Remote Code Execution (2510030)

Informations
Name	MS11-015	First vendor Publication	2011-03-08
Vendor	Microsoft	Last vendor Modification	2011-03-16
Severity (Vendor)	Critical	Revision	1.2

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score	NA
Base Score	NA	Environmental Score	NA
impact SubScore	NA	Temporal Score	NA
Exploitabality Sub Score	NA

Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Cvss Base Score	9.3	Attack Range	Network
Cvss Impact Score	10	Attack Complexity	Medium
Cvss Expoit Score	8.6	Authentication	None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Revision Note: V1.2 (March 16, 2011): Removed erroneous references to Windows XP Home Edition Service Pack 3 and Windows XP Tablet PC Edition Service Pack 3 in Non-Affected Software. This is an informational change only. There were no changes to the security update files or detection logic. For customers who are running Windows XP Home Edition or Windows XP Table PC Edition and who have not already applied this update, Microsoft recommends applying the update immediately. Customers who have already applied the update do not need to take any action.Summary: This security update resolves one publicly disclosed vulnerability in DirectShow and one privately reported vulnerability in Windows Media Player and Windows Media Center. The more severe of these vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Digital Video Recording (.dvr-ms) file. In all cases, a user cannot be forced to open the file; for an attack to be successful, a user must be convinced to do so.

Original Source

Url : http://www.microsoft.com/technet/security/bulletin/MS11-015.mspx

CWE : Common Weakness Enumeration

%	Id	Name
100 %	CWE-20	Improper Input Validation

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:12281

Oval ID:	oval:org.mitre.oval:def:12281
Title:	DVR-MS Vulnerability
Description:	SBE.dll in the Stream Buffer Engine in Windows Media Player and Windows Media Center in Microsoft Windows XP SP2 and SP3, Windows XP Media Center Edition 2005 SP3, Windows Vista SP1 and SP2, Windows 7 Gold and SP1, and Windows Media Center TV Pack for Windows Vista does not properly parse Digital Video Recording (.dvr-ms) files, which allows remote attackers to execute arbitrary code via a crafted file, aka "DVR-MS Vulnerability."
Family:	windows	Class:	vulnerability
Reference(s):	CVE-2011-0042	Version:	7
Platform(s):	Microsoft Windows XP Microsoft Windows Vista Microsoft Windows Server 2008 Microsoft Windows Server 2008 R2 Microsoft Windows 7	Product(s):
Definition Synopsis:
Vulnerable Windows XP Media Center Edition 2005 Service Pack 3 Microsoft Windows XP (x86) SP3 is installed AND Media Center is installed AND the version of Encdec.dll is less than 6.5.2715.5512 OR Vulnerable Microsoft Windows XP (x86) SP3 Microsoft Windows XP (x86) SP3 is installed AND the version of Encdec.dll is less than 6.5.2600.6076 OR Vulnerable Microsoft Windows XP x64 SP2 Microsoft Windows XP x64 Edition SP2 is installed AND the version of Encdec.dll is less than 6.5.3790.4826 OR Vulnerable Microsoft Windows Vista SP1 x86/x64 Microsoft Windows Vista SP1 x86/x64 Microsoft Windows Vista (32-bit) Service Pack 1 is installed AND Microsoft Windows Vista x64 Edition Service Pack 1 is installed AND GDR or LDR Service branch the version of Encdec.dll is less than 6.6.6001.18571 OR LDR the version of Encdec.dll is less than 6.6.6001.22822 AND the version of Encdec.dll is greater than or equal 6.6.6001.22000 OR Vulnerable Microsoft Windows Vista SP2 x86/x64 Microsoft Windows Vista SP2 x86/x64 Microsoft Windows Vista (32-bit) Service Pack 2 is installed AND Microsoft Windows Vista x64 Edition Service Pack 2 is installed AND GDR or LDR Service branch the version of Encdec.dll is less than 6.6.6002.18363 OR LDR the version of Encdec.dll is less than 6.6.6002.22558 AND the version of Encdec.dll is greater than or equal 6.6.6002.22000 OR Vulnerable Microsoft Windows 7 x86/x64, Windows Server 2008 R2 x64 Microsoft Windows 7 x86/x64, Windows Server 2008 R2 x64 Microsoft Windows 7 (32-bit) is installed AND Microsoft Windows 7 x64 Edition is installed AND Microsoft Windows Server 2008 R2 x64 Edition is installed AND GDR or LDR Service branch the version of Encdec.dll is less than 6.6.7600.16724 OR LDR the version of Encdec.dll is less than 6.6.7600.20865 AND the version of Encdec.dll is greater than or equal to 6.6.7600.20000 OR Vulnerable Microsoft Windows 7 x86/x64 SP1, Windows Server 2008 R2 x64 SP1 Microsoft Windows 7 x86/x64 SP1, Windows Server 2008 R2 x64 SP1 Microsoft Windows 7 (32-bit) Service Pack 1 is installed AND Microsoft Windows 7 x64 Service Pack 1 is installed AND Microsoft Windows Server 2008 R2 x64 Service Pack 1 is installed AND GDR or LDR Service branch the version of Encdec.dll is less than 6.6.7601.17528 OR LDR the version of Encdec.dll is less than 6.6.7601.21626 AND the version of Encdec.dll is greater than or equal to 6.6.7601.21000

Definition Id: oval:org.mitre.oval:def:12506

Oval ID:	oval:org.mitre.oval:def:12506
Title:	DirectShow Insecure Library Loading Vulnerability
Description:	Untrusted search path vulnerability in DirectShow in Microsoft Windows Vista SP1 and SP2, Windows 7 Gold and SP1, Windows Server 2008 R2 and R2 SP1, and Windows Media Center TV Pack for Windows Vista allows local users to gain privileges via a Trojan horse DLL in the current working directory, as demonstrated by a directory that contains a Digital Video Recording (.dvr-ms), Windows Recorded TV Show (.wtv), or .mpg file, aka "DirectShow Insecure Library Loading Vulnerability."
Family:	windows	Class:	vulnerability
Reference(s):	CVE-2011-0032	Version:	7
Platform(s):	Microsoft Windows XP Microsoft Windows Vista Microsoft Windows Server 2008 Microsoft Windows Server 2008 R2 Microsoft Windows 7	Product(s):
Definition Synopsis:
Vulnerable Microsoft Windows Vista SP1 x86/x64 Microsoft Windows Vista SP1 x86/x64 Microsoft Windows Vista (32-bit) Service Pack 1 is installed AND Microsoft Windows Vista x64 Edition Service Pack 1 is installed AND GDR or LDR Service branch the version of Encdec.dll is less than 6.6.6001.18571 OR LDR the version of Encdec.dll is less than 6.6.6001.22822 AND the version of Encdec.dll is greater than or equal 6.6.6001.22000 OR Vulnerable Microsoft Windows Vista SP2 x86/x64 Microsoft Windows Vista SP2 x86/x64 Microsoft Windows Vista (32-bit) Service Pack 2 is installed AND Microsoft Windows Vista x64 Edition Service Pack 2 is installed AND GDR or LDR Service branch the version of Encdec.dll is less than 6.6.6002.18363 OR LDR the version of Encdec.dll is less than 6.6.6002.22558 AND the version of Encdec.dll is greater than or equal 6.6.6002.22000 OR Vulnerable Microsoft Windows 7 x86/x64, Windows Server 2008 R2 x64 Microsoft Windows 7 x86/x64, Windows Server 2008 R2 x64 Microsoft Windows 7 (32-bit) is installed AND Microsoft Windows 7 x64 Edition is installed AND Microsoft Windows Server 2008 R2 x64 Edition is installed AND GDR or LDR Service branch the version of Encdec.dll is less than 6.6.7600.16724 OR LDR the version of Encdec.dll is less than 6.6.7600.20865 AND the version of Encdec.dll is greater than or equal to 6.6.7600.20000 OR Vulnerable Microsoft Windows 7 x86/x64 SP1, Windows Server 2008 R2 x64 SP1 Microsoft Windows 7 x86/x64 SP1, Windows Server 2008 R2 x64 SP1 Microsoft Windows 7 (32-bit) Service Pack 1 is installed AND Microsoft Windows 7 x64 Service Pack 1 is installed AND Microsoft Windows Server 2008 R2 x64 Service Pack 1 is installed AND GDR or LDR Service branch the version of Encdec.dll is less than 6.6.7601.17528 OR LDR the version of Encdec.dll is less than 6.6.7601.21626 AND the version of Encdec.dll is greater than or equal to 6.6.7601.21000

CPE : Common Platform Enumeration

Type	Description	Count
Application	Microsoft Windows Xp Media Center cpe:2.3:a:microsoft:windows_xp_media_center:2005:sp3::::::	1
Os	Microsoft Windows 7 cpe:2.3:o:microsoft:windows_7:-:::::::* cpe:2.3:o:microsoft:windows_7:-:sp1:::ultimate_n::x86: cpe:2.3:o:microsoft:windows_7:-:sp1:::ultimate_n::x64:	3
Os	Microsoft Windows Server 2008 cpe:2.3:o:microsoft:windows_server_2008:r2::::::x64:	1
Os	Microsoft Windows Vista cpe:2.3:o:microsoft:windows_vista::sp1::::::* cpe:2.3:o:microsoft:windows_vista::sp2::::::*	2
Os	Microsoft Windows Xp cpe:2.3:o:microsoft:windows_xp::sp3::::::* cpe:2.3:o:microsoft:windows_xp::sp2:x64:::::	2

SAINT Exploits

Description	Link
Microsoft Windows Media Player DVR-MS File Code Execution	More info here

OpenVAS Exploits

Date	Description
2011-03-09	Name : Microsoft Windows Media Remote Code Execution Vulnerabilities (2510030) File : nvt/secpod_ms11-015.nasl

Open Source Vulnerability Database (OSVDB)

Id	Description
71016	Microsoft Windows Media Player / Center .dvr-ms File Handling Arbitrary Code ... Microsoft Windows Media Player and Center contain a flaw related to the Stream Buffer Engine (SBE.dll) not properly parsing Microsoft Digital Video Recording (.dvr-ms) media files that may allow an attacker to execute arbitrary code. No further details have been provided.
71015	Microsoft Windows DirectShow Path Subversion Arbitrary DLL Injection Code Exe... Microsoft Windows DirectShow is prone to a flaw in the way it loads dynamic-link libraries (DLL). The program uses a fixed path to look for specific files or libraries. This path includes directories that may not be trusted or under user control. By placing a custom version of the file or library in the path, the program will load it before the legitimate version. This allows an attacker to inject custom code that will be run with the privilege of the program or user executing the program. This can be done by tricking a user into opening a .wtv, .drv-ms or .mpg file from the local file system or a USB drive in some cases. This attack can be leveraged remotely in some cases by placing the malicious file or library on a network share or extracted archive downloaded from a remote source.

Description

71016

Microsoft Windows Media Player / Center .dvr-ms File Handling Arbitrary Code ...

Microsoft Windows Media Player and Center contain a flaw related to the Stream Buffer Engine (SBE.dll) not properly parsing Microsoft Digital Video Recording (.dvr-ms) media files that may allow an attacker to execute arbitrary code. No further details have been provided.

71015

Microsoft Windows DirectShow Path Subversion Arbitrary DLL Injection Code Exe...

Microsoft Windows DirectShow is prone to a flaw in the way it loads dynamic-link libraries (DLL). The program uses a fixed path to look for specific files or libraries. This path includes directories that may not be trusted or under user control. By placing a custom version of the file or library in the path, the program will load it before the legitimate version. This allows an attacker to inject custom code that will be run with the privilege of the program or user executing the program. This can be done by tricking a user into opening a .wtv, .drv-ms or .mpg file from the local file system or a USB drive in some cases. This attack can be leveraged remotely in some cases by placing the malicious file or library on a network share or extracted archive downloaded from a remote source.

Information Assurance Vulnerability Management (IAVM)

Date	Description
2011-03-10	IAVM : 2011-A-0031 - Multiple Vulnerabilities in Microsoft Windows Media Severity : Category II - VMSKEY : V0026088

Snort® IPS/IDS

Date	Description
2014-01-10	Microsoft Media Player dvr-ms file parsing remote code execution attempt RuleID : 18498 - Revision : 16 - Type : FILE-OTHER
2014-01-10	Microsoft Windows Media Player and shell extension request for ehtrace.dll ov... RuleID : 18497 - Revision : 17 - Type : OS-WINDOWS
2014-01-10	Microsoft Windows Media Player and shell extension ehtrace.dll dll-load explo... RuleID : 18496 - Revision : 15 - Type : OS-WINDOWS

Nessus® Vulnerability Scanner

Date	Description
2011-03-08	Name : The version of Windows Media installed on the remote host has multiple code e... File : smb_nt_ms11-015.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.

Date	Informations
2014-02-17 11:46:53	Multiple Updates
2014-01-19 21:30:37	Multiple Updates
2013-11-11 12:41:21	Multiple Updates

Global Informations

Type	Count
CWE ID(s)	1
Oval ID(s)	2
CPE ID(s)	9
Saint Exploit(s)	1
osvdb(s)	2
Openvas Exploit(s)	1
IAVM(s)	1
Snort® Rule(s)	3
Nessus® Exploit(s)	1

	Related
9.3	CVE-2011-0042
9.3	CVE-2011-0032
0	KB2269637
Info : listing not affected by your CVSS Env Score

Same Subject	Severity
Login to view 3 more Alert(s)