Microsoft downplays Windows Media Player bug

Microsoft Corp. today dismissed reports of a critical vulnerability in its Windows Media Player, saying that the researcher who claims the bug could be exploited is wrong.

The flaw is a "reliability issue with no security risk to customers," Microsoft researchers said.

According to researcher Laurent Gaffi, the vulnerability could be used by hackers armed with malformed .wav, .snd, or .mid audio files to compromise a PC running Windows XP or Vista .

Several editions of Windows Media Player, including Versions 9, 10 and the newest, 11, are vulnerable, Gaffi reported in his disclosure on Dec. 24 to the Bugtraq security mailing list. Gaffi also included proof-of-concept attack code that he said would allow remote code execution.

Microsoft disputed Gaffi's findings, and took him to task for publishing information about the vulnerability before he reported it to company security researchers.

"[Gaffi's] claims are false," said Christopher Budd, a spokesman for the Microsoft Security Response Center in a Monday afternoon post to the MSRC's blog . "We've found no possibility for code execution in this issue."

Budd acknowledged that Gaffi's sample exploit crashes Windows Media Player, but said that the program can be restarted without affecting the rest of the system.

Microsoft researchers with the company's Security Vulnerability Research and Defense (SVRD) group spelled out the impact of Gaffi's exploit in more technical detail in a separate blog entry Monday.

Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world

• Email
• Print
• Share
  • Slashdot
  • Digg
  • Stumble
  • Reddit
  • Newsvine