Security researchers have uncovered a zero-day flaw in Windows
Media Player that attackers could exploit to cause a denial of
service or launch malicious code on targeted machines. The
vulnerability came to light a day after
Microsoft confirmed another zero-day flaw in Word that has
suffered limited attacks.
According to an advisory
from Aliso Viejo, Calif.-based eEye Digital Security, the problem
is a buffer overflow error in the Windows Media Player library
(WMVCORE.DLL) caused when .asx files with overly long "REF HREF"
tags are processed.
Because .asx files are automatically opened when viewed within a
Web browser, eEye said attackers could exploit the vulnerability
using malicious Web pages or emails. If users were to visit such a
Web site or open such an email attachment, their machines could be
infected with malware.
"An even more critical problem is generated when clients are
administrators on their local hosts, which would run the malicious
payload with administrator credentials," eEye said.
In its advisory,
the French Security Incident Response Team (FrSIRT) rated the flaw
critical and said attackers could also exploit it to cause a denial
of service.
Atlanta-based Internet Security Systems Inc. (ISS) raised its
AlertCon to Level 2 because of the media player flaw.
"Our analysts expect malicious individuals to quickly develop
exploit code targeting this issue," ISS said on its Web site.
Microsoft said it is investigating the flaw.
"Microsoft's initial investigation reveals that this
proof-of-concept could allow an attacker to execute code in the
user's security context," a company spokesman said in an email.
"Microsoft is not currently aware of attempts to exploit this
vulnerability."
The company is working with its partners to monitor the
situation and will offer customers guidance as necessary, the
spokesman said.
"Upon completion of this investigation, Microsoft will take
appropriate action to help protect our customers," the spokesperson
said. "This may include providing a security update through our
monthly release process or providing an out-of-cycle security
update, depending on customer needs."
Until a patch is made available, eEye recommends users disable
Windows Media Player's ability to automatically open .asx
files.
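
As an added example (not from eEye, Microsoft or the original article), a mail or Web proxy filter could flag .asx playlists whose "REF HREF" value is abnormally long, the condition the advisory describes. The 1024-character threshold, the function name scan_asx and the sample playlists are assumptions made for illustration.

```python
import re

# Assumption: the article gives no length limit. 1024 is a constructed policy
# value, far above any ordinary media URL; tune it for your environment.
MAX_HREF_LEN = 1024

# ASX is XML-like but case-insensitive and frequently malformed, so use a
# tolerant matcher rather than a strict XML parser. Quoted values may contain
# '>' and may be unterminated (the closing quote is optional).
REF_TAG = re.compile(r"""<\s*ref\b((?:"[^"]*"?|'[^']*'?|[^>"'])*)""", re.I)
HREF_ATTR = re.compile(r"""\bhref\s*=\s*(?:"([^"]*)|'([^']*)|([^\s>]*))""", re.I)


def scan_asx(text, max_len=MAX_HREF_LEN):
    """Return (line_number, href_length) for each REF HREF longer than max_len."""
    findings = []
    for tag in REF_TAG.finditer(text):
        attr = HREF_ATTR.search(tag.group(1))
        if attr is None:
            continue
        # Exactly one of the three capture groups (double-quoted,
        # single-quoted, unquoted) is set for any match.
        value = next(g for g in attr.groups() if g is not None)
        if len(value) > max_len:
            line = text.count("\n", 0, tag.start()) + 1
            findings.append((line, len(value)))
    return findings


# Constructed sample playlists (not taken from any real file or advisory).
BENIGN_ASX = (
    '<ASX version="3.0">\n'
    '  <Entry>\n'
    '    <Ref href="http://media.example/clip.wmv"/>\n'
    '  </Entry>\n'
    '</ASX>\n'
)
OVERLONG_ASX = BENIGN_ASX.replace("clip.wmv", "A" * 2000)
UNTERMINATED_ASX = "<asx>\n<REF HREF = '" + "B" * 5000

if __name__ == "__main__":
    for name, doc in [("benign", BENIGN_ASX), ("overlong", OVERLONG_ASX),
                      ("unterminated", UNTERMINATED_ASX)]:
        print(name, scan_asx(doc))
```

A length check of this kind is a stopgap for quarantining suspicious playlists at a gateway; it does not replace the vendor patch or eEye's recommended workaround.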