Software // Enterprise Applications
News
12/8/2006
11:56 AM
Connect Directly
RSS
E-Mail
50%
50%

Windows Media Player Sports Critical Bug

The vulnerability in Media Player 9 and 10 will let a malicious .asx-formatted playlist, if opened by an unsuspecting user, completely compromise the machine.

Proof-of-concept code that exploits a critical bug in Windows Media Player has gone public, Microsoft Corp. warned users late Thursday.

A vulnerability in Media Player 9 and 10 can be used by attackers to grab control of a PC, security researchers warned. A malicious .asx-formatted playlist, if opened by an unsuspecting user, could completely compromise the machine.

"We're aware of proof-of-concept code published publicly affecting Windows Media ASX file format [and] we are currently investigating," wrote Alexandra Huft, a security program manager with the Microsoft Security Response Center, on the team's blog. "We are not currently aware of attempts to exploit this vulnerability," she added.

Because .asx playlists open automatically within a browser, hackers would only need to coax users to a malicious Web site to snatch their systems. Microsoft has offered no workarounds or other tactical advice.

The Media Player vulnerability was first reported Nov. 22 by eEye Digital Security, which originally listed it as only a denial-of-service risk. Other security vendors, including Internet Security Systems Inc. and FrSIRT, posted warnings Thursday.

FrSIRT, which labeled the vulnerability as "critical," advised Windows XP users to upgrade to Media Player 11, disable the .asx format, or change settings so that playlists don't automatically open within Internet Explorer.

Microsoft plans to release six security updates Tuesday, Dec. 12, five of which will involve Windows. In its usual early notification, however, the Redmond, Wash. developer did not say whether the Media Player bug would be fixed this month.

Comment  | 
Print  | 
More Insights
Building A Mobile Business Mindset
Building A Mobile Business Mindset
Among 688 respondents, 46% have deployed mobile apps, with an additional 24% planning to in the next year. Soon all apps will look like mobile apps and it's past time for those with no plans to get cracking.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest - July 22, 2014
Sophisticated attacks demand real-time risk management and continuous monitoring. Here's how federal agencies are meeting that challenge.
Flash Poll
Video
Slideshows
Twitter Feed
InformationWeek Radio
Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.