A bug in the way that Microsoft's Windows Media Player 6.4 handles a certain type of streaming media file can allow attackers, given the right conditions, to execute any code on target systems, Microsoft said in a security bulletin released Tuesday. At the same time, Microsoft issued a fix for the problem.
The security hole is caused by a programming error in the way Windows Media Player 6.4 deals with .ASF (Active Streaming Format) files, Microsoft said. An attacker can exploit this flaw by creating a special .ASF file, which if opened by a user running the unpatched Media Player could result in either Windows Media Player crashing or in code of the attacker's choice being run on the system, allowing the attacker to have all the user's privileges, Microsoft said.
The scope of the problem is mitigated, as the flaw cannot be exploited automatically or through e-mail and because the attacker must know -- or guess -- the target computer's operating system in order for code to be executed, Microsoft said.
Though the vulnerability only fully affects Windows Media Player 6.4, some components of version 6.4 are included for backward compatibility in versions 7 and 7.1, Microsoft said. Because of this, Microsoft also urged users of those versions to apply the patch. Windows XP users should apply the Critical Update for Windows XP that was released in late October, the company said.
More information about the bug, as well as the patch to fix it, can be found at http://www.microsoft.com/technet/security/bulletin/MS01-056.asp.