Windows Media Player 7 opens system for hackers
A security vulnerability in Microsoft Corp.'s Windows Media Player 7 can allow a hacker to get full control over a user's computer, a well known bug hunter said.
According to Bulgarian security specialist Georgi Guninski the problem lies with the program's "skins," which allow the user to change the look and feel of the media player. Guninski published a security advisory on his Web site on Monday.
Microsoft confirmed the vulnerability. "A malicious Web site operator can embed a Java applet in a skin file. He can then use a script on a Web page to get access to the 'user's' computer," said Michael Aldridge, lead product manager for Microsoft's Windows Digital Media Division.
Upon being downloaded, the skins are installed on the user's system in a directory, or folder, with a commonly known name, Guninski said.
Guninski said in his advisory that the hacker could browse the system and execute arbitrary programs. This may lead to taking full control of the computer, he said. Guninski rates the vulnerability as "high risk."
Microsoft does not agree with Guninski's assessment. "We take every security issue seriously, but we characterize this as low risk," said Aldridge. "You should not download anything from a place you don't trust," he said, noting that the Web user has to accept the download of the file containing the malicious code.
Microsoft is working on a software patch for the problem. In the meantime it's safer not to download new skins for Windows Media Player from unknown sites.
There is also a workaround for the problem, said Aldridge -- disable the ability to run unsigned Java content. To do this select "Internet Options" in the "Tools" pull-down menu of Internet Explorer, select the "Security" tab and click on "Custom Level." Scroll down to "Java permissions," select "Custom Settings," click "Java Custom Settings," and select "Edit Permissions". Finally select "Disable" under "Run Unsigned Content."
This is not the first security hole found in Windows Media Player 7. Microsoft patched two flaws in the program in November last year. One of the issues also had to do with the skin feature of Windows Media Player.
Windows Media Player 7 is part of Microsoft's latest consumer edition of Windows, Windows Millennium Edition, and is available for free download from the company's Web site.
Guninski said he alerted Microsoft on Jan. 11.
Microsoft, in Redmond, Washington, can be reached at (425) 882-8080 or at www.microsoft.com. Georgi Guninski is at www.guninski.com.
ITworld.com
Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world
jfruh
Apple syncing patent can't come soon enough
pasmith
New Twitter features borrow from 3rd party clients
Esther Schindler
Open Source Changes the Software Acquisition Process
mikelgan
How to set up continuous podcast play on the new iTunes
David Strom
Five important Windows 7 mobility features
sjvn
Guard your Wi-Fi for your own sake
Sandra Henry-Stocker
Grepping on Whole Words
Sidekick: The Good News & the Bad News
Either way you look at it Microsoft Data Center management did not follow standards or best practices in this failure. In which case it makes me wonder more about the outsourcing of corporate data much less personal data.
- mburton325
Join the conversation here
Quick, practical advice for IT pros. Made fresh daily.
Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.
