Security Hole Patched in Windows Media Player

Microsoft calls flaw 'critical' but won't give details.

Jaikumar Vijayan, Computerworld online

A buffer-overflow vulnerability in Microsoft Windows Media Player software could let malicious attackers run code of their choice on a victim's system, Microsoft has warned in an advisory.

Microsoft is advising users to immediately apply a patch that takes care of not just the latest threat but also a slew of other vulnerabilities--some of them still undisclosed--that cumulatively pose a "critical" security risk for users.

The latest buffer-overrun vulnerability affects Windows Media Player 6.4, 7, 7.1, and Windows Media Player for Windows XP.

A coding flaw exists in the Advanced Streaming Format (ASF) that's used by Windows Media Player for storing streaming media data and sending it over networks, according to Microsoft. The flaw makes it possible for attackers to send malformed ASF files that could either crash a system or let malicious hackers take administrative control of it.

The flaw can be exploited only if the user actually opens and plays the ASF file, Microsoft said. There is no way to exploit this vulnerability via e-mail or a Web page, the company said.

The cumulative patch that has been released for this latest hole also addresses other flaws that are more dangerous. Some of these flaws have already been disclosed by Microsoft and patches for them have been released. The patch can be downloaded from Microsoft's advisory page.

Other Holes

Microsoft said it has also found other security flaws in Windows Media Player, but it hasn't released the details. In the worst case, these undisclosed flaws could let malicious users run code on a victim's system that would allow attacks via e-mail or a Web page, the company warned. Today's patch addresses these flaws as well, Microsoft said.

The problem is that undisclosed vulnerabilities pose a serious concern for users, said Russ Cooper, an analyst at TruSecure, a security firm.

"You don't know what to assume ... You simply cannot judge your risk" without having more details on these vulnerabilities, Cooper said. "Microsoft seems to be leaning more and more toward a 'patch immediately or else' strategy that's not good for users."

The latest buffer-overflow problem, which is considered a basic programming error, was precisely the kind of issue that Microsoft said it would address with its recently announced Secure Windows initiative, said John Pescatore, an analyst at Gartner.

"What's really depressing about this flaw is that it shows they are still making the same stupid errors," Pescatore said.

Computerworld
For more enterprise computing news, visit Computerworld. Story copyright © 2007 Computerworld Inc. All rights reserved.
