int(2197)

Vulnerability Bulletins


Desbordamiento de búfer en Windows Media Player

Vulnerability classification

Property Value
Confidence level Oficial
Impact Obtener acceso
Dificulty Principiante
Required attacker level Acceso remoto sin cuenta a un servicio exotico

System information

Property Value
Affected manufacturer Microsoft
Affected software Windows Media Player 7.1
Windows Media Player 9
Windows Media Player 10

Description

Se ha descubierto una vulnerabilidad de desbordamiento de búfer en Windows Media Player 7.1, 9 y 10. La vulnerabilidad reside en el manejo de ficheros bitmap (.BMP).

Un atacante remoto podría ejecutar código arbitrario mediante un fichero .bmp especialmente diseñado.

Solution



Actualización de software

Microsoft
Windows Media Player for XP / Microsoft Windows XP SP1
http://www.microsoft.com/downloads/details.aspx?FamilyId=110054F2-244D-4036-B98C-E951CBA7E9BA
Windows Media Player 9 / Microsoft Windows XP SP2
http://www.microsoft.com/downloads/details.aspx?FamilyId=8F9EEF16-04F7-4DA8-A0EF-1797B52D0B4B
Windows Media Player 9 / Microsoft Windows Server 2003
http://www.microsoft.com/downloads/details.aspx?FamilyId=8F9EEF16-04F7-4DA8-A0EF-1797B52D0B4B
Microsoft Windows Media Player 7.1 / Windows 2000 SP4
http://www.microsoft.com/downloads/details.aspx?FamilyId=26A0B9E1-1242-4E55-B3D4-8377B83257C6
Microsoft Windows Media Player 9 / Windows 2000 SP4, Windows XP SP1
http://www.microsoft.com/downloads/details.aspx?FamilyId=8F9EEF16-04F7-4DA8-A0EF-1797B52D0B4B
Microsoft Windows Media Player 10 / Windows XP SP1,SP2
http://www.microsoft.com/downloads/details.aspx?FamilyId=182735E1-9382-4F2E-A624-D2316A96B411

Standar resources

Property Value
CVE CVE-2006-0006
BID

Other resources

Microsoft Security Bulletin (MS06-005)
http://www.microsoft.com/technet/security/Bulletin/MS06-005.mspx

Microsoft Security Bulletin (MS06-024)
http://www.microsoft.com/technet/security/Bulletin/MS06-024.mspx

Version history

Version Comments Date
1.0 Aviso emitido 2006-02-15
2.0 Exploit público disponible 2006-02-21
2.1 Aviso emitido por Microsoft (MS06-024) 2006-06-23
Ministerio de Defensa
CNI
CCN
CCN-CERT