CVE-2008-3009
First published: Wed Dec 10 2008(Updated: )
Microsoft Windows Media Player 6.4, Windows Media Format Runtime 7.1 through 11, and Windows Media Services 4.1, 9, and 2008 do not properly use the Service Principal Name (SPN) identifier when validating replies to authentication requests, which allows remote servers to execute arbitrary code via vectors that employ NTLM credential reflection, aka "SPN Vulnerability."
Credit: secure@microsoft.com secure@microsoft.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Microsoft Windows Media Player | =6.4 | |
| Microsoft Windows 2000 | =sp4 | |
| Microsoft Windows Server 2003 | ||
| Microsoft Windows Server 2003 | =sp1 | |
| Microsoft Windows Server 2003 | =sp2 | |
| Microsoft Windows XP | ||
| Microsoft Windows XP | =sp2 | |
| Microsoft Windows XP | =sp2 | |
| Microsoft Windows XP | =sp3 | |
| Microsoft Windows Media Format Runtime | =7.1 | |
| Microsoft Windows Media Services | =4.1 | |
| Microsoft Windows Media Services | =9 | |
| Microsoft Windows Media Services | =2008 | |
| Microsoft Windows Server 2008 | ||
| Microsoft Windows Server 2008 | ||
| Microsoft Windows Media Format Runtime | =11 | |
| Microsoft Windows Vista | ||
| Microsoft Windows Vista | =sp1 | |
| Microsoft Windows Vista | =sp1 | |
| Microsoft Windows Vista | =gold | |
| Microsoft Windows XP | ||
| Microsoft Windows Media Format Runtime | =11 | |
| Microsoft Windows Media Format Runtime | =9.5 | |
| Microsoft Windows Media Format Runtime | =9.5 | |
| Microsoft Windows Media Format Runtime | =9 | |
| All of | ||
| Microsoft Windows Media Player | =6.4 | |
| Any of | ||
| Microsoft Windows 2000 | =sp4 | |
| Microsoft Windows Server 2003 | ||
| Microsoft Windows Server 2003 | =sp1 | |
| Microsoft Windows Server 2003 | =sp2 | |
| Microsoft Windows XP | ||
| Microsoft Windows XP | =sp2 | |
| Microsoft Windows XP | =sp2 | |
| Microsoft Windows XP | =sp3 | |
| All of | ||
| Microsoft Windows Media Format Runtime | =7.1 | |
| Microsoft Windows 2000 | =sp4 | |
| All of | ||
| Microsoft Windows Media Services | =4.1 | |
| Microsoft Windows 2000 | =sp4 | |
| All of | ||
| Microsoft Windows Media Services | =9 | |
| Any of | ||
| Microsoft Windows Server 2003 | ||
| Microsoft Windows Server 2003 | =sp1 | |
| Microsoft Windows Server 2003 | =sp2 | |
| Microsoft Windows XP | =sp3 | |
| All of | ||
| Microsoft Windows Media Services | =2008 | |
| Any of | ||
| Microsoft Windows Server 2008 | ||
| Microsoft Windows Server 2008 | ||
| All of | ||
| Microsoft Windows Media Format Runtime | =11 | |
| Any of | ||
| Microsoft Windows Server 2008 | ||
| Microsoft Windows Server 2008 | ||
| Microsoft Windows Vista | ||
| Microsoft Windows Vista | =sp1 | |
| Microsoft Windows Vista | =gold | |
| Microsoft Windows XP | ||
| Microsoft Windows XP | =sp2 | |
| Microsoft Windows XP | =sp2 | |
| Microsoft Windows XP | =sp3 | |
| All of | ||
| Microsoft Windows Media Format Runtime | =11 | |
| Any of | ||
| Microsoft Windows Server 2003 | ||
| Microsoft Windows Server 2003 | =sp2 | |
| Microsoft Windows XP | ||
| Microsoft Windows XP | =sp2 | |
| All of | ||
| Microsoft Windows Media Format Runtime | =9.5 | |
| Any of | ||
| Microsoft Windows Server 2003 | ||
| Microsoft Windows Server 2003 | =sp2 | |
| Microsoft Windows XP | ||
| Microsoft Windows XP | =sp2 | |
| All of | ||
| Microsoft Windows Media Format Runtime | =9.5 | |
| Any of | ||
| Microsoft Windows Server 2003 | ||
| Microsoft Windows Server 2003 | =sp1 | |
| Microsoft Windows Server 2003 | =sp2 | |
| Microsoft Windows XP | ||
| Microsoft Windows XP | =sp2 | |
| Microsoft Windows XP | =sp2 | |
| Microsoft Windows XP | =sp3 | |
| All of | ||
| Microsoft Windows Media Format Runtime | =9 | |
| Any of | ||
| Microsoft Windows 2000 | =sp4 | |
| Microsoft Windows XP | =sp2 | |
| Microsoft Windows XP | =sp3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.securitytracker.com/id?1021372
- http://www.securitytracker.com/id?1021373
- http://www.securityfocus.com/bid/32653
- http://www.us-cert.gov/cas/techalerts/TA08-344A.html
- http://secunia.com/advisories/33058
- http://www.vupen.com/english/advisories/2008/3388
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5942
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2008/ms08-076
- collector/nvd-historical
- agent/references
- agent/author
- agent/type
- agent/event
- agent/last-modified-date
- agent/softwarecombine
- agent/first-publish-date
- collector/nvd-api
- agent/software-canonical-lookup-request
- agent/severity
- agent/weakness
- agent/description
- agent/tags
- collector/nvd-index
- collector/mitre-cve
- source/MITRE
- vendor/microsoft
- canonical/microsoft windows media player
- version/microsoft windows media player/6.4
- canonical/microsoft windows 2000
- version/microsoft windows 2000/sp4
- canonical/microsoft windows server 2003
- version/microsoft windows server 2003/sp1
- version/microsoft windows server 2003/sp2
- canonical/microsoft windows xp
- version/microsoft windows xp/sp2
- version/microsoft windows xp/sp3
- canonical/microsoft windows media format runtime
- version/microsoft windows media format runtime/7.1
- canonical/microsoft windows media services
- version/microsoft windows media services/4.1
- version/microsoft windows media services/9
- version/microsoft windows media services/2008
- canonical/microsoft windows server 2008
- version/microsoft windows media format runtime/11
- canonical/microsoft windows vista
- version/microsoft windows vista/sp1
- version/microsoft windows vista/gold
- version/microsoft windows media format runtime/9.5
- version/microsoft windows media format runtime/9