Windows Media Player Vulnerable To Hackers: Truth Or Fiction?

This is going to become a very interesting topic to watch for at least the next three weeks or so. According to a security researcher, a bug in Windows Media Player is a gateway for hackers to inject hostile code onto vulnerable systems. The research has been published on Security Tracker and on SANS complete with a proof of concept sample. However Microsoft has denied that this causes nothing more than a crash of Windows Media Player:

Those claims are false. We’ve found no possibility for code execution in this issue. Yes, the proof of concept code does trigger a crash of Windows Media player, but the application can be restarted right away and doesn’t affect the rest of the system.

They then go on to rip the researcher a new one:

Unfortunately, the researcher chose not to come to us with this initial report. If he had, we would’ve done the exact same investigation we just completed. When we were done, we would have let them know what we found, asked him if he thinks we might have missed something, continued the investigation if there was more information and ultimately closed the case if we didn’t find a vulnerability. This is how we handle all of the cases we investigate with responsible researchers every year. And even when people choose not to report issues responsibly, we do the same thing: launch an investigation to fully research the claims and take action to appropriately address any and all issues that we find in that investigation.

Oh, in case you were wondering, Microsoft said that the flaw had already been identified during routine code maintenance and corrected in Windows Server 2003 Service Pack 2. Other fixes for other operating systems are apparently coming “real soon now.”

So is this fact or fiction? Until I see someone verify this research, it’s hard to say. But if you see a fix for this on the next “patch Tuesday” then it may be fact.

Leave a Reply

%d bloggers like this: