Security holes found in Windows Media Player

Although the security flaws are unrelated, except for the fact that they both affect Windows Media Player, Microsoft chose to issue a single patch to allow users to fix both problems at the same time, the company said in a security bulletin posted on its Web site.

The.WMS Script Execution flaw affects Windows Media Player version 7, which is included by default in Microsoft's Windows Millennium Edition operating system targeted at consumers, and is also available for free download from the company's Web site.

The software includes a feature called "skins" that allows users to customise the program's interface. However, a custom skin .WMS file could also include script which would execute if Windows Media Player was run and the user had selected the skin that included the script, Microsoft said.

A malicious user could send a skin containing a script to another user and try to entice him or her into using it, or host such a file on a Web site and cause the script to execute whenever a user visited the site. Since the code would reside on the user's local PC, it would be able to execute ActiveX controls, including ones not marked "safe for scripting" and enable the code to take any action that can be accomplished via an ActiveX control, Microsoft said.

The flaw was discovered by GFI Security Labs, a unit of communications and security software provider GFI Fax & Voice Ltd.

In a separate statement, GFI advised users to filter incoming e-mails for .WMD and .WMZ files, and automatically remove JavaScript, iframe tags, meta refresh tags and possibly ActiveX tags from incoming HTML (hypertext markup language) e-mail messages.

The second flaw, dubbed the .ASX Buffer Overrun vulnerability, was discovered by @Stake, an US-based Internet security consulting company, Microsoft saidIt affects versions 6.4 and 7 of Windows Media Player, and the exploits the software's use of Active Stream Redirector .ASX files to enable users to play streaming media residing on intranet or Internet sites.

The code that parses .ASX files has an unchecked buffer, which also could enable a malicious user to run any code on the PC of another user. The code could take any action on the PC that the legitimate user could take, Microsoft said.

Microsoft's security bulletin on the flaws, including links to patches for both Windows Media Player versions 6.4 and 7, can be found on the Web at http://www.microsoft.com/TechNet/security/bulletin/MS00-090.asp/.

The fix will also be available as part of the next periodic update of the software, scheduled for December, Microsoft said.

Join the PC World newsletter!

Error: Please check your email address.

Struggling for Christmas presents this year? Check out our Christmas Gift Guide for some top tech suggestions and more.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Terho Uimonen

PC World

Most Popular Reviews

Follow Us

Best Deals on GoodGearGuide

Shopping.com

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Latest Jobs

Shopping.com

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?