This is a cumulative patch that includes the functionality of all previously released patches for Windows Media Player XP. In addition, it eliminates the following three newly discovered vulnerabilities:

- An information disclosure vulnerability that could allow an attacker to run code on the user's system and is rated as critical severity.
- A privilege elevation vulnerability that could enable an attacker who can physically log on locally to a Windows 2000 machine and run a program to obtain the same rights as the operating system.
- A script execution vulnerability that could run a script of an attacker's choice as if the user had chosen to run it, after the user plays a specially formed media file and then views a specially constructed web page. This particular vulnerability has specific timing requirements that make attempts to exploit the vulnerability difficult, and it is rated as low severity.

This patch also introduces a configuration change relating to file extensions associated with Windows Media Player. Finally, it introduces a new, optional security configuration feature for users or organizations that want to take extra precautions beyond applying IE patch MS02-023 and want to disable scripting functionality in Windows Media Player versions 7.x or higher.