Windows Media Player 7 opens system for hackers

ITworld.com | Development

A security vulnerability in Microsoft Corp.'s Windows Media Player 7 can allow a hacker to gain full control over a user's computer, a well-known bug hunter said.

According to Bulgarian security specialist Georgi Guninski the problem lies with the program's "skins," which allow the user to change the look and feel of the media player. Guninski published a security advisory on his Web site on Monday.

Microsoft confirmed the vulnerability. "A malicious Web site operator can embed a Java applet in a skin file. He can then use a script on a Web page to get access to the user's computer," said Michael Aldridge, lead product manager for Microsoft's Windows Digital Media Division.

Upon being downloaded, the skins are installed on the user's system in a directory, or folder, with a commonly known name, Guninski said.

Guninski said in his advisory that the hacker could browse the system and execute arbitrary programs. This may lead to taking full control of the computer, he said. Guninski rates the vulnerability as "high risk."

Microsoft does not agree with Guninski's assessment. "We take every security issue seriously, but we characterize this as low risk," said Aldridge. "You should not download anything from a place you don't trust," he said, noting that the Web user has to accept the download of the file containing the malicious code.

Microsoft is working on a software patch for the problem. In the meantime, it is safer not to download new skins for Windows Media Player from unknown sites.

There is also a workaround for the problem, said Aldridge: disable the ability to run unsigned Java content. To do this, select "Internet Options" in the "Tools" pull-down menu of Internet Explorer, select the "Security" tab and click on "Custom Level." Scroll down to "Java permissions," select "Custom Settings," click "Java Custom Settings," and select "Edit Permissions." Finally, select "Disable" under "Run Unsigned Content."

This is not the first security hole found in Windows Media Player 7. Microsoft patched two flaws in the program in November last year. One of the issues also had to do with the skin feature of Windows Media Player.

Windows Media Player 7 is part of Microsoft's latest consumer edition of Windows, Windows Millennium Edition, and is available for free download from the company's Web site.

Guninski said he alerted Microsoft on Jan. 11.

Microsoft, in Redmond, Washington, can be reached at (425) 882-8080 or at www.microsoft.com. Georgi Guninski is at www.guninski.com.
