Microsoft Windows Media Player Malformed PNG Remote Code Execution Vulnerability



Date Discovered

June 13, 2006


Microsoft Windows Media Player is prone to a remote code-execution vulnerability. This vulnerability is related to handling of malicious PNG images. PNG images may be embedded in Windows Media Player skin files. Attackers may be able to exploit this issue by causing the application to load a malicious skin file, which could be hosted on an attacker-controlled web page or through email attachments. If successful, an attacker could execute arbitrary code in the context of the affected user. Microsoft has stated that web-based attack scenarios are not possible with Media Player 7.1 on Windows 2000 SP4 and Media Player XP on Windows XP SP2. However, a victim may still be affected if they manually download and install a malicious skin file on these platforms.

Technologies Affected

  • Microsoft Windows Media Player 10.0
  • Microsoft Windows Media Player 7.1
  • Microsoft Windows Media Player 9.0
  • Microsoft Windows Media Player XP


Do not accept or execute files from untrusted or unknown sources.
This issue may be exploited via malicious Media Player content. Users are advised to avoid opening any unsolicited or unexpected files, especially if they arrive from an unfamiliar source. This may limit exposure to this vulnerability.

Do not follow links provided by unknown or untrusted sources.
This issue may be exploited via a malicious website. Users should be wary of visiting websites of questionable integrity, especially if solicited to do so by an untrusted or unfamiliar source.

Implement multiple redundant layers of security.
Deploy host-based intrusion-prevention systems that employ such features as memory protection. This may complicate exploits of memory-protection issues by providing nonexecutable stacks/heaps and randomly mapped memory segments.

Run all software as a nonprivileged user with minimal access rights.
To limit the impact of latent vulnerabilities in applications, perform all nonadministrative tasks as an unprivileged user with minimal access rights.

Microsoft has released a security bulletin and fixes to address this issue.



Greg MacManus is credited with discovery of this vulnerability.

© 1995- Symantec Corporation

Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Security Response. Reprinting the whole or part of this alert in any medium other than electronically requires permission from


The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

Symantec, Symantec products, Symantec Security Response, and are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.