Microsoft downplays Windows Media Player bug

Computerworld - Microsoft Corp. today dismissed reports of a critical vulnerability in its Windows Media Player, saying that the researcher who claims the bug could be exploited is wrong.

The flaw is a "reliability issue with no security risk to customers," Microsoft researchers said.

According to researcher Laurent Gaffi, the vulnerability could be used by hackers armed with malformed .wav, .snd, or .mid audio files to compromise a PC running Windows XP or Vista.

Several editions of Windows Media Player, including Versions 9, 10 and the newest, 11, are vulnerable, Gaffi reported in a Dec. 24 disclosure to the Bugtraq security mailing list. Gaffi also included proof-of-concept attack code that he said would allow remote code execution.

Microsoft disputed Gaffi's findings and took him to task for publishing information about the vulnerability before he reported it to company security researchers.

"[Gaffi's] claims are false," said Christopher Budd, a spokesman for the Microsoft Security Response Center, in a post this afternoon to the MSRC's blog. "We've found no possibility for code execution in this issue."

Budd acknowledged that Gaffi's sample exploit crashes Windows Media Player, but he said that the program can be restarted without affecting the rest of the system.

Microsoft researchers with the company's Security Vulnerability Research and Defense (SVRD) group spelled out the impact of Gaffi's exploit in more technical detail in a separate blog entry today.

"This bug cannot be leveraged for arbitrary code execution," said Jonathan Ness and Fermin Serna of the SVRD team. Ness and Serna said company researchers had found the bug earlier and had fixed it in at least one version of its server software.

"We found this already through our internal fuzzing efforts," they said. "It was correctly triaged at the time as a reliability issue with no security risk to customers."

"We do like to get these reliability issues fixed in a future service pack or a future version of the platform whenever possible. This particular bug, for example, has already been fixed in Windows Server 2003 Service Pack 2," Ness and Serna said.

Microsoft has been wrong before when it has denied that a flaw can be exploited. Last April, for example, the company had to backtrack, and issue a security advisory, about a Windows vulnerability it had denied was a bug just three weeks earlier.

Although that vulnerability has been actively exploited since mid-October, Microsoft has yet to plug the hole.

Read more about spam, malware and vulnerabilities in Computerworld's Spam, Malware and Vulnerabilities Knowledge Center.