Microsoft Refutes Windows Media Player Vulnerability
Microsoft is denying that an alleged vulnerability affecting its Windows Media Player software, identified by a security researcher on Christmas Eve, is a security risk for PC users.
On a company blog Monday, Microsoft said the claims posted on SecurityFocus's Bugtraq site on Dec. 24 that a bug in Windows Media Player 9, 10 or 11 on Windows XP or Vista allowed remote code execution are "false." Dec. 24 is known in much of the world as Christmas Eve, the night before the annual Christmas holiday.
"We've found no possibility for code execution in this issue," according to a Microsoft Security Response Center blog entry.
Microsoft acknowledged that the code posted on Bugtraq does crash Windows Media Player, Microsoft's software for playing music and video files, but the application can be restarted "right away" and doesn't affect the rest of the system.
Microsoft also in the blog entry criticizes the security researcher, identified as Laurent Gaffi
"If he had, we would've done the exact same investigation we just completed," according to the blog entry. "When we were done, we would have let them know what we found, asked him if he thinks we might have missed something, continued the investigation if there was more information and ultimately closed the case if we didn't find a vulnerability. This is how we handle all of the cases we investigate with responsible researchers every year."
Microsoft said it began investigating the report of the vulnerability as soon as it was posted late Christmas Eve, and that researchers worked over the holiday period to look into the situation.
Microsoft ultimately discovered that the so-called vulnerability was part of "ongoing code maintenance" and that it's already been addressed in Windows Server 2003 Service Pack 2. Microsoft plans to address the problem in future versions of its software.