Although the security flaws are unrelated, except for the fact that they both affect Windows Media Player, Microsoft chose to issue a single patch to allow users to fix both problems at the same time, the company said in a security bulletin posted on its Web site.
The.WMS Script Execution flaw affects Windows Media Player version 7, which is included by default in Microsoft's Windows Millennium Edition operating system targeted at consumers, and is also available for free download from the company's Web site.
The software includes a feature called "skins" that allows users to customise the program's interface. However, a custom skin .WMS file could also include script which would execute if Windows Media Player was run and the user had selected the skin that included the script, Microsoft said.
A malicious user could send a skin containing a script to another user and try to entice him or her into using it, or host such a file on a Web site and cause the script to execute whenever a user visited the site. Since the code would reside on the user's local PC, it would be able to execute ActiveX controls, including ones not marked "safe for scripting" and enable the code to take any action that can be accomplished via an ActiveX control, Microsoft said.
The flaw was discovered by GFI Security Labs, a unit of communications and security software provider GFI Fax & Voice Ltd.
In a separate statement, GFI advised users to filter incoming e-mails for .WMD and .WMZ files, and automatically remove JavaScript, iframe tags, meta refresh tags and possibly ActiveX tags from incoming HTML (hypertext markup language) e-mail messages.
The second flaw, dubbed the .ASX Buffer Overrun vulnerability, was discovered by @Stake, an US-based Internet security consulting company, Microsoft saidIt affects versions 6.4 and 7 of Windows Media Player, and the exploits the software's use of Active Stream Redirector .ASX files to enable users to play streaming media residing on intranet or Internet sites.
The code that parses .ASX files has an unchecked buffer, which also could enable a malicious user to run any code on the PC of another user. The code could take any action on the PC that the legitimate user could take, Microsoft said.
Microsoft's security bulletin on the flaws, including links to patches for both Windows Media Player versions 6.4 and 7, can be found on the Web at http://www.microsoft.com/TechNet/security/bulletin/MS00-090.asp/.
The fix will also be available as part of the next periodic update of the software, scheduled for December, Microsoft said.