Microsoft denies vulnerability in Windows Media Player

A new vulnerability was identified in Windows Media Player (WMP) that reportedly could allow the execution of arbitrary code, but Microsoft said that after investigation the claim is false.

The issue was reported last Thursday on SecurityTracker, a vulnerability notification service. According to the entry, WMP could be exploited if a remote user creates a WAV, SND or MIDI file that, when loaded by the target user, will trigger an integer overflow and execute arbitrary code. It was said to affect Windows Media Player 11 and earlier versions.

The SANS Internet Storm Center subsequently posted an entry on Saturday, stating that a reader tested proof-of-concept (PoC) code on a fully patched Windows XP Service Pack 3 system, resulting in Windows Media Player 9 and 11 crashing.

“Microsoft investigated the claim and found that this is not a product vulnerability,” a Microsoft spokesman wrote in an email to SCMagazineUS.com on Monday. “Microsoft confirmed that the reported crash is not exploitable and does not allow an attacker to execute arbitrary code, as was incorrectly claimed in the public report.”

Mark Loveless, lead information security researcher/scientist at MITRE, a nonprofit research organization, told SCMagazineUS.com on Monday that the vulnerability causes Windows Media Player to crash, but is probably not exploitable.

“There's always the potential in these types of situations, with this type of crash—that it could be exploitable,” Loveless said.

But for now the only impact of the vulnerability is that users will have to restart their media player, said Steve Christey, editor of Common Vulnerabilities and Exposures (CVE), the dictionary maintained by MITRE that provides common names for publicly known security vulnerabilities, speaking to SCMagazineUS.com on Monday.

Over the past three or four years there has been an increase in vulnerabilities in media players, Loveless said. The operating system itself is being locked down and is getting harder to break into, so hackers are moving toward desktop software. Because many of these applications connect to the web, a traditional firewall offers less protection against them.

“Most hackers will go for the lowest-hanging fruit,” Loveless said. “Desktop applications these days are some of the lowest-hanging fruit.”
