A new vulnerability was identified in Windows Media Player (WMP) that reportedly could allow the execution of arbitrary code, but Microsoft said that after investigation the claim is false.
The issue was reported last Thursday on SecurityTracker, a vulnerability notification service. According to the entry, WMP could be exploited if a remote user creates a WAV, SND or MIDI file that, when loaded by the target user, will trigger an integer overflow and execute arbitrary code. It was said to affect Windows Media Player 11 and earlier versions.
The SANS Internet Storm Center subsequently posted an entry on Saturday, stating that a reader tested proof-of-concept (PoC) code on a fully patched Windows XP Service Pack 3 system, resulting in Windows Media Player 9 and 11 crashing.
“Microsoft investigated the claim and found that this is not a product vulnerability,” a Microsoft spokesman wrote in an email to SCMagazineUS.com on Monday. “Microsoft confirmed that the reported crash is not exploitable and does not allow an attacker to execute arbitrary code, as was incorrectly claimed in the public report.”
Mark Loveless, lead information security researcher/scientist at MITRE, a nonprofit research organization, told SCMagazineUS.com on Monday that the vulnerability causes Windows Media Player to crash, but is probably not exploitable.
“There's always the potential in these types of situations, with this type of crash—that it could be it could be exploitable,” Loveless said.
But, the only impact of the vulnerability now is that users will have to restart their media player, Steve Christey, editor of Common Vulnerabilities and Exposures (CVE), a dictionary maintained by MITRE that provides the common names for publicly known security vulnerabilities, told SCMagazineUS.com Monday.
Over the past three or four years, there has been an increase in vulnerabilities in media players, Loveless said. The operating system itself is being locked down and is getting harder to break into, so hackers are moving toward desktop software. Since many of these applications can connect to the web, that erodes the defenses of a traditional firewall.
“Most hackers will go for the lowest-hanging fruit,” Loveless said. “Desktop applications these days are some of the lowest-hanging fruit.”
The issue was reported last Thursday on SecurityTracker, a vulnerability notification service. According to the entry, WMP could be exploited if a remote user creates a WAV, SND or MIDI file that, when loaded by the target user, will trigger an integer overflow and execute arbitrary code. It was said to affect Windows Media Player 11 and earlier versions.
The SANS Internet Storm Center subsequently posted an entry on Saturday, stating that a reader tested proof-of-concept (PoC) code on a fully patched Windows XP Service Pack 3 system, resulting in Windows Media Player 9 and 11 crashing.
“Microsoft investigated the claim and found that this is not a product vulnerability,” a Microsoft spokesman wrote in an email to SCMagazineUS.com on Monday. “Microsoft confirmed that the reported crash is not exploitable and does not allow an attacker to execute arbitrary code, as was incorrectly claimed in the public report.”
Mark Loveless, lead information security researcher/scientist at MITRE, a nonprofit research organization, told SCMagazineUS.com on Monday that the vulnerability causes Windows Media Player to crash, but is probably not exploitable.
“There's always the potential in these types of situations, with this type of crash—that it could be it could be exploitable,” Loveless said.
But, the only impact of the vulnerability now is that users will have to restart their media player, Steve Christey, editor of Common Vulnerabilities and Exposures (CVE), a dictionary maintained by MITRE that provides the common names for publicly known security vulnerabilities, told SCMagazineUS.com Monday.
Over the past three or four years, there has been an increase in vulnerabilities in media players, Loveless said. The operating system itself is being locked down and is getting harder to break into, so hackers are moving toward desktop software. Since many of these applications can connect to the web, that erodes the defenses of a traditional firewall.
“Most hackers will go for the lowest-hanging fruit,” Loveless said. “Desktop applications these days are some of the lowest-hanging fruit.”
