Security Hole Patched in Windows Media Player
Microsoft calls flaw 'critical' but won't give details.
Jaikumar Vijayan, Computerworld online
A buffer-overflow vulnerability in Microsoft Windows Media Player software could let malicious attackers run code of their choice on a victim's system, Microsoft has warned in an advisory.
Microsoft is advising users to immediately apply a patch that takes care of not just the latest threat but also a slew of other vulnerabilities--some of them still undisclosed--that cumulatively pose a "critical" security risk for users.
The latest buffer-overrun vulnerability affects Windows Media Player 6.4, 7, 7.1, and Windows Media Player for Windows XP.
A coding flaw exists in the Advanced Streaming Format (ASF) that's used by Windows Media Player for storing streaming media data and sending it over networks, according to Microsoft. The flaw makes it possible for attackers to send malformed ASF files that could either crash a system or let malicious hackers take administrative control of it.
The flaw can be exploited only if the user actually opens and plays the ASF file, Microsoft said. There is no way to exploit this vulnerability via e-mail or a Web page, the company said.
The cumulative patch that has been released for this latest hole also addresses other flaws that are more dangerous. Some of these flaws have already been disclosed by Microsoft and patches for them have been released. The patch can be downloaded from Microsoft's advisory page.
Other Holes
Microsoft said it has also found other security flaws in Windows Media Player, but it hasn't released the details. In the worst case, these undisclosed flaws could let malicious users run code on a victim's system that would allow attacks via e-mail or a Web page, the company warned. Today's patch addresses these flaws as well, Microsoft said.
The problem is that undisclosed vulnerabilities pose a serious concern for users, said Russ Cooper, an analyst at TruSecure, a security firm.
"You don't know what to assume ... You simply cannot judge your risk" without having more details on these vulnerabilities, Cooper said. "Microsoft seems to be leaning more and more toward a 'patch immediately or else' strategy that's not good for users."
The latest buffer-overflow problem, which is considered a basic programming error, was precisely the kind of issue that Microsoft said it would address with its recently announced Secure Windows initiative, said John Pescatore, an analyst at Gartner.
"What's really depressing about this flaw is that it shows they are still making the same stupid errors," Pescatore said.

For more enterprise computing news, visit Computerworld. Story copyright © 2007 Computerworld Inc. All rights reserved.