mailing list archives
RE: Windows Media Player executes WMF content in .MP3 files.
From: "Menashe Eliezer" <menashe () finjan com>
Date: Thu, 28 Feb 2002 00:07:09 +0200
Actually, any file extension that is associated with the vulnerable
applications can be used.
Even .WAV files can be used to "hijack" users to a web site containing a
powerful ActiveX Control. The URL can even include a direct link to an
executable, or to a web site that automatically downloads and executes an
There is also a privacy aspect to this exploit. Users that play illegal
multimedia files, such as .MP3 and MPEGs, can be tracked by web sites that
logs their IP Address or even much more personal details. For example, an
ActiveX Control embedded on a web site can pull out your e-mail address.
This technique is powerful. However, there are many ways to "hijack" users
to a web site, and the main issue is: How to protect users from malicious
active content in web sites. Finjan has put a .WAV demo to test your
vulnerability to this attack. Upon opening this audio file with vulnerable
software, a sound will be played and you'll be "hijacked" directly to Finjan
Software's ActiveX demo.
More details can be found in:
Manager, Malicious Code Research Center
Finjan Software - Proactive Defense Against Malicious Code
From: Brian McWilliams [mailto:brian () pc-radio com]
Sent: Sunday, February 24, 2002 4:14 AM
To: David Korn; bugtraq () securityfocus com
Subject: Re: Windows Media Player executes WMF content in .MP3 files.
I've confirmed the report below.
Windows Media Player (like RealPlayer) allows content developers to create
slide shows or "illustrated audio." That is, you can create a stream in the
player's native media format (.asf, .wma. .wmf) that includes embedded
URLs, scripts, etc.
Turns out that if you feed the WMP a .wma file that has embedded URLs and
that has been renamed to end in .mp3, the WMP will happily treat the file
like one of its own and launch the URLs in the browser when it encounters
them in the stream.
59k (19 second) wma file that has been renamed to mp3. Should launch three
separate Web pages during playback with Windows Media Player.
- RE: Windows Media Player executes WMF content in .MP3 files. Menashe Eliezer (Mar 01)