Title

Microsoft Windows Media Memory Corruption Vulnerability (Cat II impact)

Discussion

Microsoft has released a security bulletin addressing multiple vulnerabilities affecting Microsoft Windows Media. To exploit this vulnerability, an attacker would entice a user to open a malicious .dvr-ms file. If successfully exploited, this vulnerability would allow an attacker to execute arbitrary code and compromise an affected system. At this time, there are no known exploits associated with this vulnerability; USCYBERCOM is not aware of any DoD related incidents. Windows Media Player DVR-MS Memory Corruption Vulnerability - (CVE-2011-3401): A remote code execution vulnerability exists in the way that Windows Media Player and Windows Media Center handle .dvr-ms files. This vulnerability is caused when Windows Media Player and Windows Media Center do not properly parse specially crafted .dvr-ms media files. This vulnerability could allow an attacker to execute arbitrary code if the attacker convinces a user to open a specially crafted .dvr-ms file.

Check Content

See IAVM notice and vendor bulletin for additional information. Microsoft Bulletin MS11-092. (2648048). Vulnerable Applications/Systems: Windows XP Media Center 2005 SP3 Windows XP SP3 Windows XP x64 SP2 Windows Vista SP2 (x86 and x64) Windows 7 (x86 and x64) Windows 7 SP1 (x86 and x64) Verify that the patch has been installed by checking that the following sample file is at the version indicated or later. See the vendor bulletin for additional information and any Vulnerable Systems/Applications not listed below. Encdec.dll Windows XP Media Center - 6.5.2715.5512 Windows XP SP3 - 6.5.2600.6161 Windows Vista SP2 - 6.6.6002.18528 or 22726 Windows 7 - 6.6.7600.16899 or 21070 Windows 7 SP1 - 6.6.7601.17708 or 21840 Wencdec.dll Windows XP SP2 x64 - 6.5.3790.4916

Fix Text

Additional Identifiers

Rule ID:

Vulnerability ID: V-30826

Group Title:

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.