Security hole found in Windows Media Player

Microsoft is investigating a new vulnerability in Windows Media Player that could be used to run malicious code on a user's PC

Users are being advised to disable a certain type of file in Microsoft's Windows Media Player software following the discovery of a new security hole in the software.

The flaw, which affects Windows Media Player versions 9 and 10, could allow a malicious hacker to run unauthorized software on a victim's PC or cause a denial-of-service attack, according to security company FrSIRT, which rated the problem critical in an advisory Thursday.

The flaw is due to a buffer overflow error that can occur when Windows Media Player is used to run ".asx" media files, according to a warning from eEye Digital Security.

Such files open automatically in a Web browser, meaning a hacker would need only to post an infected .asx file in a Web page and then try to lure users to visit the page, eEye Digital said. An infected file could also be sent via email, in which case users would need to be persuaded to open it.

Microsoft said an initial investigation revealed that the "proof of concept" code could allow an attacker to execute code on a user's machine. It said it was unaware of any attempts to exploit the vulnerability, and it was unclear Friday morning if the proof of concept code it referred to was in the hands of hackers.

Users can protect against the vulnerability in Internet Explorer by preventing it from opening .asx files automatically. Turning off Active Scripting would also greatly reduce, but not eliminate, the risk, Microsoft said. FrSIRT also recommended that users upgrade to Windows Media Player 11, which it said is not affected.

Microsoft was still determining Friday whether it needed to issue an "out of cycle" security fix for the problem or patch it with its next monthly software update.

The flaw was originally reported on Nov. 22, when it was identified only as a denial-of-service issue.

Some discussion boards described the problem as a "zero-day exploit," although it was unclear if that was the case. Zero-day exploits occur when exploit code is released on the same day that a flaw is uncovered, giving users no time to protect themselves.

It's been another busy week for Microsoft's security teams. On Tuesday the company warned of an unpatched vulnerability in Word that had been the subject of what it called "limited attacks." And on Thursday it said it was readying several patches for Visual Studio and Windows that it plans to release next week.

The patches currently due for next week do not address the problems with Word and Windows Media Player.


James Niccolai

IDG News Service