1. Home
  2. CVE Database
  3. CVE-2008-3009
HIGH · 10.0

CVE-2008-3009

Microsoft Windows Media Player 6.4, Windows Media Format Runtime 7.1 through 11, and Windows Media Services 4.1, 9, and 2008 do not properly use the Service Principal Name (SPN) identifier when valida...

Vulnerability Description

Microsoft Windows Media Player 6.4, Windows Media Format Runtime 7.1 through 11, and Windows Media Services 4.1, 9, and 2008 do not properly use the Service Principal Name (SPN) identifier when validating replies to authentication requests, which allows remote servers to execute arbitrary code via vectors that employ NTLM credential reflection, aka "SPN Vulnerability."

CVSS Score

10.0

HIGH

AV:N/AC:L/Au:N/C:C/I:C/A:C
Confidentiality
COMPLETE
Integrity
COMPLETE
Availability
COMPLETE

Affected Products

VendorProductVersions
MicrosoftWindows Media Player6.4
MicrosoftWindows 2000All versions
MicrosoftWindows Server 2003All versions
MicrosoftWindows XpAll versions
MicrosoftWindows Media Format Runtime7.1
MicrosoftWindows Media Services4.1
MicrosoftWindows Server 2008All versions
MicrosoftWindows VistaAll versions

Related Weaknesses (CWE)

CWE-255

References

FAQ

What is CVE-2008-3009?

CVE-2008-3009 is a vulnerability with a CVSS score of 10.0 (HIGH). Microsoft Windows Media Player 6.4, Windows Media Format Runtime 7.1 through 11, and Windows Media Services 4.1, 9, and 2008 do not properly use the Service Principal Name (SPN) identifier when valida...

How severe is CVE-2008-3009?

CVE-2008-3009 has been rated HIGH with a CVSS base score of 10.0/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2008-3009?

Check the references section above for vendor advisories and patch information. Affected products include: Microsoft Windows Media Player, Microsoft Windows 2000, Microsoft Windows Server 2003, Microsoft Windows Xp, Microsoft Windows Media Format Runtime.