Windows Media Player Control Security

Microsoft® Windows Media® Player control should be used with caution in environments that require high security.

Windows Media Player control does not feature the intimate interaction with system hardware commonly found in other multimedia features, so it does not involve the same types of security concerns as these other features. Instead, the Windows Media Player control can introduce vulnerabilities to a platform through interaction with other software outside the control of the platform developer or applications programmer.

Windows Media Player control is built on top of DirectShow and is therefore susceptible to all of the same security issues. For more information, see DirectShow Security.

It is possible for a malicious media source to attempt an attack on the Windows Media Player control through the use of script embedded in ASF files. Scripts embedded in ASF files are generally used to enrich multimedia playback in many ways. One way is to allow the ASF file to cause the media player to start a Web browser and display a page that complements the media content in the ASF file. This practice is known as URL flipping, and it is designed to take place silently and seamlessly during playback. However, a malicious media source can direct Windows Media Player to silently flip to a dangerous URL. Windows Media Player enables URL flipping by default, but you can change this behavior through the registry or by setting the InvokeURLs property to FALSE. For more information, see Windows Media Player Control Registry Settings.

As is the case when using any multimedia feature built to support specific media types, always make sure that you are reading data from a trusted source. Also, make sure that you understand the full security implications inherent to the media type that you are supporting, such as the ability for .asf files to contain scripts.

See Also

Windows Media Player Control | Windows Media Player Control Registry Settings | InvokeURLs | DirectShow Security

Last updated on Wednesday, April 13, 2005

© 2005 Microsoft Corporation. All rights reserved.