XP Flaw Puts MP3, Windows Media Files at Risk

An attacker can create a malicious MP3 or Windows Media file and use it to run code on a remote user's machine.

Thanks to a newly found flaw in Windows XP, two of the most popular audio file formats can be used by crackers to take control of remote PCs. Users only need to hover their mouse pointers over the icons for malicious MP3 or Windows Media files to execute the attackers code, Microsoft Corp. said in a bulletin published Wednesday.

The vulnerability lies in the Windows Shell, which is the portion of the operating system responsible for defining the users desktop as well as organizing files and folders and enabling the OS to start applications. An unchecked buffer in a function used by the shell to extract custom attribute data from audio files enables an attacker to create a malicious MP3 or Windows Media file and use it to run code on a remote users machine.

MP3 files are traded and shared by the millions on sites and peer-to-peer networks all over the Internet. Users commonly download and play files posted by people theyve never met, and there is essentially no practical way of verifying the content of these files to ensure that theyre not corrupted. The Windows Media format is somewhat less popular than the MP3 format, but is still quite prevalent online.

To exploit the vulnerability, an attacker can do one of three things: host the malicious file on a Web site or on a network share or send it to a user in an HTML mail message. If a user hovered the mouse pointer over the file or the folder containing the file--on a Web page or on the local disk--the code would execute. A user would need to open or preview a mail message containing the code to execute it in the e-mail attack scenario.

A successful attack would either cause the Windows Shell to fail or would run the attackers code on the users machine.

The vulnerability is found in Windows XP Home Edition, XP Pro, XP Tablet PC Edition and XP Media Center Edition. The patch for the vulnerability is located here.

There is a similar vulnerability in the popular Winamp media player, according to Foundstone Inc., the security company that discovered both vulnerabilities.