Security Holes Found in Windows Media Player
Flaws found in popular software could allow a malicious user to run programs on your PC.
You probably never worry about the security of your media player. But maybe you should.
Last week, Microsoft issued a patch for two security flaws in its Windows Media Player software that could allow malicious users to run programs on other users' PCs.
Although the security flaws are unrelated, except that they both affect Windows Media Player, Microsoft chose to issue a single patch to allow users to fix both problems at the same time, the company says in a security bulletin posted on its Web site.
Microsoft's security bulletin describes the flaws and includes links to patches for both Windows Media Player versions 6.4 and 7.
The fix will also be available as part of the next periodic update of the software, scheduled for December.
The ".WMS Script Execution" flaw affects Windows Media Player version 7, which is included by default in Microsoft's Windows Millennium Edition operating system targeted at consumers.
The software includes a feature called "skins" that allows users to customize the program's interface. However, a custom skin .wms file could also include script that would execute if Windows Media Player was run and the user had selected the skin that included the script, Microsoft says.
A malicious user could send a skin containing a script to any number of people and try to entice them into using it. Or such a file could be hosted on a Web site and cause the script to execute whenever a user visits the site. Since the code would reside on the user's local PC, it would be able to execute ActiveX controls, including ones not marked "safe for scripting," which would let the code take any action that can be accomplished via an ActiveX control, Microsoft says.
The flaw was discovered by GFI Security Labs, a unit of GFI Fax & Voice, a communications and security software provider.
In a separate statement, GFI advised users to filter incoming e-mails for .wmd and .wmz files, and automatically remove JavaScript, iframe tags, meta refresh tags, and possibly ActiveX tags from incoming HTML e-mail messages.
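The filtering GFI describes can be sketched as a mail-gateway check. The following is an added example, not code from GFI, Microsoft, or the original article; the function and class names are hypothetical, and treating `object` and `embed` as the "ActiveX tags" is an assumption.

```python
from email import message_from_string, policy
from html.parser import HTMLParser

BLOCKED_EXTENSIONS = (".wmd", ".wmz")  # the two extensions named in GFI's advice
# object/embed stand in for "ActiveX tags" here; that mapping is an assumption.
ACTIVE_TAGS = {"script", "iframe", "object", "embed"}

class ActiveContentFinder(HTMLParser):
    """Records which kinds of active content appear in an HTML body."""
    def __init__(self):
        super().__init__()
        self.findings = set()
    def handle_starttag(self, tag, attrs):
        values = {k: (v or "").strip().lower() for k, v in attrs}
        if tag in ACTIVE_TAGS:
            self.findings.add(tag)
        if tag == "meta" and values.get("http-equiv") == "refresh":
            self.findings.add("meta-refresh")
        if any(v.startswith("javascript:") for v in values.values()):
            self.findings.add("javascript-url")

def inspect_message(raw):
    """Return (blocked attachment names, sorted active-content findings)."""
    msg = message_from_string(raw, policy=policy.default)
    blocked, finder = [], ActiveContentFinder()
    for part in msg.walk():
        name = part.get_filename() or ""
        # Windows ignores trailing dots and spaces, so strip them before matching.
        if name.lower().rstrip(". ").endswith(BLOCKED_EXTENSIONS):
            blocked.append(name)
        elif part.get_content_type() == "text/html":
            finder.feed(part.get_content())
    finder.close()
    return blocked, sorted(finder.findings)

# Constructed sample message (not taken from the article or from a real incident).
SAMPLE = "\n".join([
    'Subject: New skin', 'MIME-Version: 1.0',
    'Content-Type: multipart/mixed; boundary="b1"', '',
    '--b1', 'Content-Type: text/html; charset="utf-8"', '',
    '<html><head><meta http-equiv="Refresh" content="0; url=http://example.com/">',
    '</head><body><iframe src="http://example.com/x"></iframe>',
    '<script>void 0</script></body></html>',
    '--b1', 'Content-Type: application/octet-stream',
    'Content-Disposition: attachment; filename="CoolSkin.WMZ"',
    'Content-Transfer-Encoding: base64', '', 'UEsDBA==', '--b1--', ''])

if __name__ == "__main__":
    print(inspect_message(SAMPLE))
```

A gateway would quarantine a message when the first list is non-empty, and strip or rewrite the HTML part when the second is.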
The second flaw, dubbed the ".ASX Buffer Overrun vulnerability," was discovered by @Stake, an Internet security consulting company based in Cambridge, Massachusetts.
It affects versions 6.4 and 7 of Windows Media Player and exploits the software's use of Active Stream Redirector .asx files to enable users to play streaming media residing on intranet or Internet sites.
The code that parses .asx files has an unchecked buffer, which also could enable a malicious user to run any code on the PC of another user. The code could take any action on the PC that the legitimate user could take, Microsoft says.