Microsoft denies Media Player vulnerability

Microsoft claims that the flaw discovered by Gaffie - while real - can only cause Media Player to crash, with no security implications.

Microsoft has claimed this week that reports of a security vulnerability in its Windows Media Player are “false,” after proof of concept code was posted to the Bugtraq security mailing list last week.

According to CNet, the software giant is hastily quelling the claims by Laurent Gaffie that Windows Media Player versions 9, 10, and 11 all contain a flaw which allows remote execution of code – which is to say, 0wnage by J. Random Cracker.

In a post to its security blog on Monday, Microsoft has admitted that there is a flaw which allows malformed WAV, SND or MIDI files to crash Windows Media Player but denies that there is any possibility for remote code execution. Calling Gaffie's claims “false,” the company has stated that the flaw “does trigger a crash of Windows Media Player, but the application can be restarted right away and [it] doesn't affect the rest of the system.”

While chastising Gaffie for the rather rude approach of not thinking to “contact [Microsoft] or work with us directly but instead [to post] the report along with proof of concept code to a public mailing list,” the company has claimed that the problem is already well in hand: having been picked up as part of a routine round of code maintenance, the problem is already patched in Windows Server 2003 Service Pack 2 with fixes for other versions in the pipeline.

Do you think that Gaffie should have followed best practices and contacted Microsoft before publicising what appears to be an over-egged vulnerability report, or is Microsoft attempting to gloss over the seriousness of this issue? Share your thoughts over in the forums.


1st January 2009, 12:14
Meh, big deal, like we would see something strange in it crashing anyway lol, come on people, 'tis Microsoft =D
wuyanxu 1st January 2009, 13:42
There's also the freezing issue with Zune on New Year's Day :P
perplekks45 1st January 2009, 20:08
Contacting them directly? For what exactly? Being ignored? Happened to me while working with OXML files and digital signatures. Works as intended was the only statement. Seems to be the case here as well.

Who in his right mind uses WMP anyways? I know, all those people who use IE as well...