Web Attack: Embed Tag NPDSPlay DLL Buffer Overflow
This attack could pose a moderate security threat. It does not require immediate action.
This signature detects attempts to exploit a buffer overflow vulnerability in the NPDSPLAY.DLL.
The Microsoft Windows Media Player plugin for non-Microsoft browsers is prone to a buffer-overflow vulnerability. The application fails to do proper boundary checks on user-supplied data before using it in a finite-sized buffer.
The problem presents itself in the way Media Player handles an 'EMBED' element in a malicious HTML page or email. An excessively long 'EMBED' source tag can cause a stack-based overflow and permit the overwriting of a Structured Memory Handler (SEH). Specifically, the issue occurs in 'npdsplay.10001040'.
An attacker can exploit this issue to execute arbitrary code on the victim users computer in the context of the victim user. This may facilitate a compromise of the affected computer.
This issue is exploitable only through non-Microsoft browsers that have the Media Player plugin installed. Possible browsers include:
- Firefox .9 and later - Netscape 8
Other browsers with the plugin installed may also be affected.
Microsoft Windows 2000 Advanced Server SP1, SP2, SP3, SP4
Microsoft Windows 2000 Datacenter Server SP1, SP2, SP3, SP4
Microsoft Windows 2000 Professional SP1, SP2, SP3, SP4
Microsoft Windows 2000 Server SP1, SP2, SP3, SP4
Microsoft Windows Server 2003 Datacenter Edition SP1
Microsoft Windows Server 2003 Datacenter x64 Edition
Microsoft Windows Server 2003 Enterprise Edition SP1
Microsoft Windows Server 2003 Enterprise x64 Edition
Microsoft Windows Server 2003 Standard Edition SP1
Microsoft Windows Server 2003 Standard x64 Edition
Microsoft Windows Server 2003 Web Edition SP1
Microsoft Windows XP
Microsoft Windows XP Home SP1, SP2
Microsoft Windows XP Media Center Edition SP1, SP2
Microsoft Windows XP Professional SP1, SP2
Microsoft Windows XP Professional x64 Edition
Microsoft Windows XP Tablet PC Edition SP1, SP2
Workaround: Microsoft has supplied the following workaround for this issue:
Modify the Access Control List on the 'npdsplay.dll' file
Modifying the Access Control List on the 'npdsplay.dll' file helps protect the affected system from attempts to exploit this vulnerability. To modify the 'npdsplay.dll file', follow these steps:
1. Click Start > Run... 2. Type:
cacls c:\program files\Windows Media Player\npdsplay.dll /d everyone
3. Click OK.
Solution:Microsoft has released security advisory MS06-006 with updates to address this issue.