December 29, 2008 6:20 PM PST

Microsoft denies vulnerability in Windows Media Player

by Steven Musil

Updated at 10 a.m. January 5 to correct the alleged vulnerability to denial of service.

Microsoft on Monday denounced reports that a vulnerability exists in Windows Media Player that could pose a security risk for users.

Microsoft said in a company blog post that it had investigated reports that surfaced on the Internet last week and found them to be "false." The flaw is a "reliability issue with no security risk to customers," the company said on its Security Vulnerability Research & Defense blog.

The investigation followed claims published Wednesday on the Bugtraq security mailing list by researcher Laurent Gaffie that a vulnerability existed in Windows Media Player 9, 10, and 11. Gaffie said the vulnerability would allow a hacker to create a malformed WAV, SND, or MIDI file to create a denial of service, and included proof-of-concept code.

Along with its denial, Microsoft criticized Gaffie for publishing his claims without first contacting the software giant:

The security researcher making the initial report didn't contact us or work with us directly but instead posted the report along with proof of concept code to a public mailing list. After that report, other organizations picked the report up and claimed that the issue was a code execution vulnerability in Windows Media Player. Those claims are false. We've found no possibility for code execution in this issue. Yes, the proof of concept code does trigger a crash of Windows Media player, but the application can be restarted right away and doesn't affect the rest of the system.

The company said that the flaw had already been identified during routine code maintenance and corrected in Windows Server 2003 Service Pack 2.

Steven Musil is the night news editor at CNET News. Before joining CNET News in 2000, Steven spent 10 years at various Bay Area newspapers.
by Imalittleteapot December 29, 2008 7:01 PM PST
Is Microsoft right or do they just not want to release another patch? Has it just been fixed in 2003 or Vista and XP too?

I know MS has the attitude that less software patches mean more secure software. That's what they said with Vista. It's way more secure than XP because they haven't patched nearly as many holes! Only for all the holes they hadn't patched to show up a week later. Not finding them doesn't mean they're not there.

I don't know how they got that idea, but it's that mentality that leads to problems like this. The problem with claiming less patches == more secure is that nobody can trust you anymore when you claim something isn't really a flaw. For all we know you're just trying to keep your patch count down so your software doesn't look like swiss cheese.

However, the real problem is that nobody understands that all software is swiss cheese. Software always has bugs and you'll never find them all because as you add more features, you add more bugs. The most secure policy is a large number of small patches that are continually delivered as quickly as possible, not denial.

Guess it's time to get another media player.
by dhavleak December 30, 2008 5:36 AM PST
That's some high-quality FUD there.

For instance: "MS said Vista is way more secure than XP _because_ they haven't patched nearly as many holes" -- Nope -- they said they haven't had to patch nearly as many holes _because_ Vista is more secure than XP. Well done though.

And then your master stroke: "The problem with claiming less patches == more secure is that nobody can trust you" -- see you're still reversing the causality of their analysis (quite deliberately) and then criticizing them for your incorrect conclusion. Very effective though -- several thousands (if not millions) of people have probably read that garbage and taken it to heart. I hope you're proud of yourself.

Followed by this gem: "However, the real problem is that nobody understands that all software is swiss cheese.". Everybody except you apparently. You give yourself too much credit dude.
by smilin:) December 30, 2008 7:01 AM PST
Fault them for what you wish but MS is pretty good about fixing vulnerabilities.

They always fess up to them.
They provide a fix every time, or at least mitigation steps until a fix can be created.
They take every report very seriously.
They never blackball anyone for reporting vulnerabilities.

MS gets beat up about security all the time (warranted or not) and they take the high road. It's certainly not the easy road but it builds credibility over the long term. It also means when tripe like this gets published they have a reputation they can stand on.

If you want to ***** about why vulnerabilities existed in the first place, go ahead. As far as MS attitude about fixing them I'm going to take their side.
by Penguinisto December 30, 2008 12:33 PM PST
"They always fess up to them. "
Only the ones we hear about... and even then it's a crap shoot:
http://www.cnn.com/TECH/computing/9909/28/ms.security.idg/
http://www.pcworld.com/article/100144/microsoft_denies_ie_patch_problems.html
(just a small taste... there's a ton more).

"They provide a fix every time, or at least mitigation steps until a fix can be created. "
Oh? Since when?
http://www.pcworld.com/article/125365/microsoft_releases_longawaited_internet_explorer_patch.html

To wit: 'Microsoft today released its security software patches for April, addressing an unpatched bug in Internet Explorer that hackers had been exploiting for several weeks.' No mitigation steps were given.

"They take every report very seriously. "
Sure they do.... now.

"They never blackball anyone for reporting vulnerabilities"
Dan Geer disagrees:
http://www.net-security.org/news.php?id=3752
http://www.computerworld.com/securitytopics/security/story/0,10801,85686,00.html


So, is there any more FUD you'd like to spread?
by Vegaman_Dan December 30, 2008 2:13 PM PST
Penguinisto wrote:


"Only the ones we hear about... and even then it's a crap shoot:"

Excellent point. And one that Apple and RedHat are equally guilty of. You only know about the problems that are made public. Those other security issues that are fixed through an unrelated iTunes update for example are classic. Thanks for bringing this point up. All of the OS's have this issue.



"They provide a fix every time, or at least mitigation steps until a fix can be created. "
"Oh? Since when?"

Well, you have to admit that they do a heck of a lot better job of this than either Apple or Linux. Apple simply doesn't acknowledge the issue and Linux has so many solutions that conflict with each other resulting in a more buggy system than you started with. This is simply the reality of the situation. Again, thanks for bringing it up.


"They take every report very seriously. "
"Sure they do.... now."

Whenever it comes up, they treat the issue seriously. Just as you do. What's the problem? It's better to have them acknowledge the issue than to stick their fingers in their ears and shout 'Lalalalaalalaalala I can't hear you' as some supporters of OS X and Linux are known to do.



"They never blackball anyone for reporting vulnerabilities"

Excellent point, and one that Apple is also guilty of. This isn't the time to have an OEM kill the messenger so to speak.



"So, is there any more FUD you'd like to spread? "

No, you seem to be doing an excellent job there all by yourself, Penguinisto. Par for the course. :)
by Penguinisto December 30, 2008 4:16 PM PST
Hiya Dan!

You have some problems with your "counterpoints"... RedHat (esp. the Fedora project) is all publicly accessible (as is its source code repositories), so nobody can hide anything when it comes to vulns. Sorry to pop your bubble.

Ditto with Apple's OSX core, Darwin BTW.

That's the problem with your 'me too!' attempts - open source prevents way too much of what you're trying to assert.

BTW - I provided cites and evidence to back me up... so where's yours? ;)

/P
by kojacked December 30, 2008 6:24 PM PST
@Peng:

Making your source code available is not the same thing as readily admitting fault. And your sources...well...are a bit dated don't ya think?

September 28, 1999 - http://www.cnn.com/TECH/computing/9909/28/ms.security.idg/
May 20, 2002 - http://www.pcworld.com/article/100144/microsoft_denies_ie_patch_problems.html
Apr 11, 2006 - http://www.pcworld.com/article/125365/microsoft_releases_longawaited_internet_explorer_patch.html
October 7, 2003 - http://www.net-security.org/news.php?id=3752
October 6, 2003 - http://www.computerworld.com/securitytopics/security/story/0,10801,85686,00.html

Times may be a changing but apparently not for you Peng. Hang on to that hate Peng; it suits you well.
by Vegaman_Dan December 30, 2008 6:40 PM PST
Penguinisto wrote:

"Ditto with Apple's OSX core, Darwin BTW. "

You know, I'm rather surprised to hear that. I had no idea that OSX was 100% open source as you are trying to claim here. I suppose I misunderstood who produced it. I had thought it was Apple, but you here are claiming that it's not their OS at all.

Now I know that's nonsense and I'm exaggerating the point, but the point is still valid. Apple's OSX is not open source. The code it was based upon is still open, yes, but OS X itself is not.

I read through your source material. Interesting, but it's based on blogs and op-ed pieces. I would really like to see verifiable and reputable sources being used if possible. Don't just blindly believe what others say.

Good try though. I'll give you that much credit. :)
by Vegaman_Dan December 30, 2008 7:44 PM PST
Penguinisto wrote on May 21st, 2008 on Myspace:

"While I have a Macintosh, and very easy access to installing Windows XP (I'd rather masturbate with a fistful of glass shards than even think of using Vista), I wanted to construct a means of building artwork entirely within Linux"

Okay, here on your Myspace page you do say you use a Mac at home and indicate that you could have XP on there if you want, but doesn't say you actually have any MS products at home. You win that argument for the moment. I have to yield to you on that one.
by Imalittleteapot December 30, 2008 8:37 PM PST
dhavleak: Hey man, don't get mad at me. That's what MS said. It's right here at the link. You'll also notice the OS's that are considered by most to be more secure got significantly more patches. That's because more patches == more holes plugged. Are you telling me you think your OS is more secure if less holes get plugged? How do you come to that conclusion.
http://news.cnet.com/8301-13846_3-9857592-62.html

Vista is more secure because less holes were fixed in a year, that's what they said. Only problem was a week or so later all the holes they hadn't patched started to show up. Seriously, if there's still holes in the software explain to me how fixing less of them is more secure? Seriously, try it.
by lkrupp December 29, 2008 7:02 PM PST
I don't trust so-called security researchers. They seem to have the same motives as earlier virus and malware authors did, namely bragging rights and chest pounding. There's little difference, in my opinion, between a security researcher and a malware author. It would not shock me to learn that some of these researchers are in fact the authors of the malware that exploit the vulnerabilities they report. One of the most annoying traits of some of these people is their sheer arrogance. They threaten companies with releasing exploit code unless the company moves to patch according to "their" schedule.

This all smells of the fox guarding the henhouse.
by Vegaman_Dan December 29, 2008 8:28 PM PST
Generally there is a plague of news and other people all clamoring about the vulnerability. Lots of people will have independently proven it's true and attack the OEM for letting it be there.

This time... it's silence. It's only this person making the claim and the OEM is calling their bluff. Seems to me if it was legit, there would be a heck of a lot more people than just one all trying to prove it.

It still could be true. It just doesn't have that feel though.
by Rants&Raves December 29, 2008 10:04 PM PST
Ridiculous. Why does anyone do anything for free ? So they can either feel good about what they do, feel good about themselves, or drum up business. Security researchers are no different than you, you are just scared because you don't understand them.

Personally, I'd rather see these guys making Windows safer than writing virii.
by Penguinisto December 30, 2008 6:10 AM PST
"Personally, I'd rather see these guys making Windows safer than writing virii."

That's the problem with closed-source software - they can't. So, they're stuck with contacting the vendor and hoping the vendor does that.

(Usually with open-source software, if you find one, you can include not only exploit code, but submit a diff to the product's code maintainer that contains a suggested fix).
by Penguinisto December 30, 2008 6:11 AM PST
Err, "This time... it's silence" should read "This time, it's Christmas". Holidays tend to make things tough for getting resources to test things on a 3rd-party basis.
by Seaspray0 December 30, 2008 7:31 AM PST
Penguin still hasn't backed up his pack of lies. I called him on it over a month ago and he's been ignoring me ever since. Penguin, I will not just "go away".
by Penguinisto December 30, 2008 12:35 PM PST
Seaspray, you've reduced yourself to blathering. Kindly grow up.
by Vegaman_Dan December 30, 2008 2:19 PM PST
Penguinisto:

Seaspray did call you out earlier. You didn't respond. He's asked multiple times for you to back up your claims and you failed to do so. There's an easy way to make him back down though-

Simply back up your claims. That's all there is to it. Back up your claims with facts, not blogs, and you can put him in his place. Until then, your credibility is worth zilch.

People judge you by your words, and when you don't back them up when called out, it calls serious doubt about your credibility in the first place.

It's up to you.
by Penguinisto December 30, 2008 4:20 PM PST
If you want to follow him/her/it down that road, Dan be my guest...

Now, if you want to assert that it is hard to modify open-source software so as to secure it (when one merely needs to submit a diff/patch, as evidenced by nearly 15 years of kernel.org's mailing lists), then please, make yourself look silly in demanding that I "back up" my "claim" or saying it is otherwise a lie.

If you want to demand that I "back up" my "claim" that most folks take the holidays off from work, hey, go for it - look as stupid as you like. No skin offa mine. ;)

/P
by Vegaman_Dan December 30, 2008 6:46 PM PST
Penguinisto wrote:

"If you want to demand that I "back up" my "claim" that most folks take the holidays off from work, hey, go for it - look as stupid as you like. No skin offa mine. ;)"

Ah, I see. You were challenged on your ability to tell the truth. Your claims of evidence were challenged. Your very own words were challenged when you went back on them. And your answer? You change the subject or pull this sort of stunt.

There's a word for that sort of person.

Coward.
by Vegaman_Dan December 29, 2008 7:07 PM PST
Could be true, could be false, but it seems odd nobody else has been able to back up the claim.
by Penguinisto December 30, 2008 6:08 AM PST
The exploit code is there - I just hope that a white-hat third party can verify it one way or the other before a black-hat does.

Memory errors are tricky - if your exploit requires memory goofs to work, then odds are good that it will only work under a given set of conditions. The trick is in how common those conditions are. I just hope MSFT was smart enough to test it under actual conditions, and not just on machinery that runs under "best practices".
by Ice Moose December 30, 2008 10:05 AM PST
P, did you ever read the post at SecurityFocus? Integer overflow is as much a memory error as a cow is a ballerina, probably even less.

It would be really interesting to see how division by zero can be exploited.
by Dalkorian December 30, 2008 10:40 AM PST
Ice Moose, it's better to keep your mouth shut and let others wonder if you're an idiot than it is to open your mouth and remove all doubt.
by Penguinisto December 30, 2008 12:39 PM PST
@Ice Moose: Hadn't read it yet, but yes, Integer overflows can be (and often are) exploited:
http://www.net-security.org/vuln.php?id=2536
http://www.net-security.org/vuln.php?id=2534

...and pardon my attempt to make it easier for laymen to read by using the phrase "memory error".
by Ice Moose December 31, 2008 8:25 AM PST
Dalkorian, please enlighten me by providing a link to any documented case when division by zero leads to arbitrary code execution and I promise not to open my mouth ever again. But if you won't, please keep yours shut.

P, integer overflow in the cases you referred to are completely unrelated to the issue at hand, which is division by zero. Pointer integer overflows caused by addition, multiplication, shifts or non-zero divisions are not resulting in CPU exceptions, and therefore is exploitable (as it's app responsibility to handle them). Div by zero's by contrast result in hard CPU exception, and as such are not exploitable.
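
An added C example, not part of the article, the comments or the published proof of concept, of the distinction argued over in the thread above: an unsigned size multiplication wraps without raising any exception, while an integer division by zero faults, and a parser avoids both by validating header fields before using them. The `audio_hdr` struct, its field names and the sample values are hypothetical and were constructed for this illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical header fields, constructed for this example. They are not
 * taken from Windows Media Player or from the published proof of concept. */
struct audio_hdr {
    uint32_t data_bytes;   /* size of the sample data */
    uint32_t byte_rate;    /* bytes per second (used as a divisor) */
    uint32_t frames;       /* number of frames */
    uint32_t frame_bytes;  /* bytes per frame */
};

enum { HDR_OK = 0, HDR_ZERO_DIVISOR = -1, HDR_SIZE_OVERFLOW = -2 };

/* Unchecked: unsigned multiplication wraps modulo 2^32 with no exception,
 * so the result can be far smaller than the real size. */
uint32_t buffer_size_unchecked(const struct audio_hdr *h)
{
    return h->frames * h->frame_bytes;
}

/* Checked: reject the header if the product does not fit in 32 bits. */
int buffer_size_checked(const struct audio_hdr *h, uint32_t *out)
{
    if (h->frame_bytes != 0 && h->frames > UINT32_MAX / h->frame_bytes)
        return HDR_SIZE_OVERFLOW;
    *out = h->frames * h->frame_bytes;
    return HDR_OK;
}

/* Checked: integer division by zero is undefined behaviour in C and raises a
 * hardware exception on x86, so the divisor is validated before use. */
int duration_seconds_checked(const struct audio_hdr *h, uint32_t *out)
{
    if (h->byte_rate == 0)
        return HDR_ZERO_DIVISOR;
    *out = h->data_bytes / h->byte_rate;
    return HDR_OK;
}

int main(void)
{
    /* Constructed sample headers: one malformed, one well-formed. */
    struct audio_hdr malformed = { 1000u, 0u, 0x10001u, 0x10000u };
    struct audio_hdr sane = { 352800u, 176400u, 88200u, 4u };
    uint32_t v = 0;

    printf("unchecked size (wrapped): %u\n",
           (unsigned)buffer_size_unchecked(&malformed));
    printf("checked size, malformed:  %d\n",
           buffer_size_checked(&malformed, &v));
    printf("checked duration, malformed: %d\n",
           duration_seconds_checked(&malformed, &v));
    if (duration_seconds_checked(&sane, &v) == HDR_OK)
        printf("duration, sane header: %u s\n", (unsigned)v);
    return 0;
}
```
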
by tm_anon December 29, 2008 8:51 PM PST
The most stable software is always the newest. At least, that's what the companies selling it want you to think. XP will be more secure than Vista for a while just because it's been maintained. Not only have those hacking systems had more time to work with it, but those who work to protect systems have had more time to work with it. Mac OS is more secure than Windows because more hackers use Windows. Hackers tend to be younger and younger people tend to use the OS that plays the newest games. Linux on the other hand is maintained constantly by almost every person who uses it, at least to some degree. It's stable on its own and, with certain distros, it comes with software rivalling if not bettering Windows and Mac. It has its own drawbacks, such as having a steeper learning curve and not as much compatibility with Flash or MSFT's stranglehold on the gaming industry for PCs. But given that Linux is more stable from my own usage standpoint and has a smaller footprint on my harddrive while allowing most, if not all, new features available on Vista, including all the extra features for visualizing and working with the desktop, I'll stick with Linux. Yes, I've used XP and yes I like it. It's just too bloated and too easily taken control of by hackers.
by Penguinisto December 29, 2008 9:09 PM PST
Well, there's one way to find out... exploit code is included. Shouldn't take much to find out what it does... just have to scrounge up a test Vista machine @ work tomorrow morning, get Perl on it, and find out.

Now, if MSFT claims it isn't a bug, and it gets exploited widely, someone is going to end up with egg on their faces. If it isn't, then it isn't - that's the dilemma with dismissing something that has exploit code attached to it.

Just one problem w/ the article: that ain't bugtraq - that's "securitytracker.com" Bugtraq is on SecurityFocus.com
by stevenmusil December 29, 2008 9:23 PM PST
I included the wrong link. Thanks for pointing it out.
by Penguinisto December 30, 2008 6:05 AM PST
No worries... the domain names are pretty close, and I would've been prone to the same goof :)

/P
by Vegaman_Dan December 30, 2008 2:24 PM PST
Penguinisto wrote:

" Shouldn't take much to find out what it does... just have to scrounge up a test Vista machine @ work tomorrow morning, get Perl on it, and find out. "

Wait a moment here- you have previously publicly stated you do not own, use, or support any Microsoft products and do not have any Microsoft OS installed on any system at your company. You even went on to brag how you were able to convert your entire company away from Microsoft to using only Linux and OS X systems.

Now you are saying something different. I know things change, but I'm just curious what the real story is.

Thanks.
by Penguinisto December 30, 2008 4:21 PM PST
*sigh*... Dan, you're an idiot. I have said that I do not use or own it at home.
by Vegaman_Dan December 30, 2008 6:51 PM PST
Penguinisto wrote:

"*sigh*... Dan, you're an idiot. I have said that I do not use or own it at home. "

Well, to tell the truth, you said you did not use it, own it, or support it at your JOB. You even went on to brag about how you converted a major publishing empire from Windows to Linux and OSX. These are YOUR claims. Why are you now going back on them?

*sigh* is right. If you can't even get your own story straight, Penguinisto, how can anyone have a hope of believing anything you say?

At this point, the only thing anyone can truly believe is that you aren't reliable in your comments.
by goodspeed8701 December 29, 2008 9:29 PM PST
Microsoft I trust you.
by tm_anon December 29, 2008 9:49 PM PST
Do I sense sarcasm?
by HlLLARY CLITON December 29, 2008 11:14 PM PST
much ado about nothing, man your New Years beverage cups and party
by ferretboy88 December 30, 2008 4:46 AM PST
Better than Quicktime which is swiss cheese.
by Dalkorian December 30, 2008 10:27 AM PST
LOL - that's like saying it's better to have your house destroyed by a tornado than by a hurricane. In my view though it doesn't matter, either way your house is destroyed.
by ITcomposer December 30, 2008 6:19 AM PST
Ohh I can crash WMP, I found a vulnerability! I am a god! ..... ok ok all sarcasm aside, these "Security researchers" are looking for their 15 minutes of fame that's all, you know a CNET article, and they got it!
Guys if these people really find something bad in the windows code, they'll get on the horn with MS first and then only then after the patch is out say ok, this is how the flaw works. But these fools went completely opposite that mantra, what fools!
by Dalkorian December 30, 2008 10:31 AM PST
Many of these companies have been outright hostile to security researchers, who are actually doing them (and all of us) a favor in the end (pointing out vulnerabilities before "bad people" exploit them). I have no idea if this is what happened here or not, but M$ has been one of the bad ones in the past (disclaimer: their reputation toward security researchers has improved over the years, they're nowhere near as bad as they once were).
by GrantPinnacle December 30, 2008 9:24 AM PST
If someone really wants to break in........they will always find a way...............

Grant Waldman
www.pinnaclelists.com
by Dalkorian December 30, 2008 10:41 AM PST
Burglars usually come in through your windows.

:-D
by TippmannA5 December 30, 2008 9:34 AM PST
Amarok=Linux
by inachu December 30, 2008 11:09 AM PST
It's people downloading worthless fake infected video that download codecs that yet contain more trash to download more worthless stuff saying your pc is infected when it is not.
by Penguinisto December 30, 2008 12:39 PM PST
Once something is downloaded, it can be launched. Get the idea?