The software giant advises users to immediately apply a patch that takes care of not just the latest threat, but also a number of other vulnerabilities - some of them still undisclosed - that cumulatively pose a "critical" security risk for users.
The latest buffer-overflow vulnerability affects Windows Media Player 6.4, 7, 7.1 and Windows Media Player for Windows XP.
A coding flaw exists in the Advanced Streaming Format (ASF) that Windows Media Player uses to store streaming media data and send it over networks, said Microsoft. The vulnerability allows attackers to send malformed ASF files that could either crash a system or let malicious hackers take administrative control of the machine.
The flaw can only be exploited when users play the ASF file, Microsoft said. Attackers cannot exploit the vulnerability through e-mail or a Web page.
The patch for this latest hole - which can be downloaded from Microsoft's advisory page - also addresses more dangerous flaws in Windows Media Player. Microsoft has disclosed some of these flaws and has already released patches.
However, the company will not reveal details of other security holes it has found in the software. At worst, these undisclosed flaws could let malicious users run code on a victim's system that allows them to attack through e-mail or a Web page. The latest patch addresses these flaws, said Microsoft.
Russ Cooper, an analyst at US security firm TruSecure, said undisclosed vulnerabilities cause concern among users. "You don't know what to assume. You simply cannot judge your risk [without having more details on these vulnerabilities]," he said.
"Microsoft seems to be leaning more and more towards a 'patch-immediately-or-else' strategy that's not good for users."
The latest buffer-overflow problem, which is considered a basic programming error, is precisely the kind of issue that Microsoft said it would address with its recently announced Secure Windows initiative, said Gartner analyst John Pescatore.
"What's really depressing about this flaw is that it shows they [Microsoft] are still making the same stupid errors," he added.