Microsoft Media Player Versions 9 and 10 Arbitrary HTML Pop-up (deprecated)

Medium Nessus Network Monitor Plugin ID 2901

Synopsis

The remote client can be tricked into opening up an HTML page.

Description

The remote host is running Microsoft Media Player. A flaw in this version of Media Player allows a remote attacker to cause an HTML pop-up window to appear when a specially crafted media file is opened. To exploit this flaw, an attacker would need to convince a user to download or browse to the malicious file. Successful exploitation would result in an HTML page opening on the remote system. This flaw would typically be used in conjunction with social engineering or a browser exploit.

Solution

Upgrade to version 9.0.0.3263, 10.0.0.3901 or higher.

See Also

http://support.microsoft.com/kb/892313

Plugin Details

Severity: Medium

ID: 2901

File Name: 2901.prm

Family: Generic

Published: 2005/05/12

Modified: 2016/02/05

Dependencies: 2601

Risk Information

Risk Factor: Medium

CVSSv2

Base Score: 4.3

Temporal Score: 4.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N

Temporal Vector: CVSS2#E:H/RL:U/RC:C

CVSSv3

Base Score: 3.6

Temporal Score: 3.6

Vector: CVSS3#AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Temporal Vector: CVSS3#E:H/RL:U/RC:C

Reference Information

BID: 13607