Windows Media Player Hits Sour Note

Skins used to change the program's look could allow a hacker to gain full control of your PC.

A security vulnerability in Microsoft's Windows Media Player 7 can allow a hacker to get full control over your PC, a well-known bug-hunter says.

The problem lies with the program's "skins," which let you change the look and feel of the media player, according to Bulgarian security specialist Georgi Guninski. He has published a security advisory on his Web site.

Microsoft confirms the vulnerability, and suggests a workaround until the company can plug the hole.

"A malicious Web site operator can embed a Java applet in a skin file, a WMZ file. He can then use a script on a Web page to get access to the (user's) computer," says Michael Aldridge, lead product manager for Microsoft's Windows Digital Media Division.

When downloaded, skins are installed on your system in a directory, or folder, with a commonly known name, Guninski says.

A hacker could browse the system and execute arbitrary programs, Guninski says in his advisory. This may lead to taking full control of the computer, he says. Guninski rates the vulnerability as "high risk."

Rating the Risk

Microsoft does not agree with Guninski's assessment but is working on a software patch to fix the problem.

"We take every security issue seriously, but we characterize this as low risk," Aldridge says. In the meantime, there is also a workaround for the problem, he says.

"Because Window Media Player depends on Internet Explorer for its security, users can protect themselves with its security features," Aldridge says.

Aldridge recommends concerned users disable Internet Explorer's capability to run unsigned Java content.

To do this, select "Internet Options" in the "Tools" pull-down menu of Internet Explorer. Select the "Security" tab and click on "Custom Level." Scroll down to "Java permissions," select "Custom Settings," click "Java Custom Settings," and select "Edit Permissions." Finally, select "Disable" under "Run Unsigned Content."

In general, Aldridge recommends safe practices on the Web.

"You should not download anything from a place you don't trust," he says. The user is asked to accept the download of the file containing the malicious code with Windows Media Player.

"What we're dealing with here is no different than any of the security issues that have cropped up with the Internet over the years with downloading and installing applets," Aldridge says. Best advice: "Stick with people you know are reputable."

Flaw Number Three

This is not the first security hole found in Windows Media Player 7. Microsoft patched two flaws in the program last November. One of the issues also had to do with the skins feature of Windows Media Player.

Windows Media Player 7 is part of Microsoft's latest consumer edition of Windows, Windows Millennium Edition, and is available separately as a free download.

Guninski says he alerted Microsoft on January 11. Microsoft won't speculate on the vulnerability of other media players that use skins, like RealJukebox, MusicMatch Jukebox, or WinAmp. However, Aldridge did say it is possible they're vulnerable, depending on how those players implement the skins.

(Cameron Crouch of PCWorld.com contributed to this report.)
