Hole found in Windows Media Player "skins"

Security experts are warning of a high-risk security hole affecting Microsoft Windows Media Player 7 "skins," which are used to give the desktop application a custom look and feel.

Bug hunter Georgi Guninski of Bulgaria published an advisory of the exploit Monday, warning of a security vulnerability by which attackers could read local files and browse directories that would enable them to execute arbitrary programs.

"It is a high risk," said Elias Levy, chief technology officer for SecurityFocus.com. The vulnerability "allows you to take full control of a machine. Someone could do whatever they want to."

Guninski said that the problem is in the Windows Media Player skins, which alter the appearance of a program interface but not its functions.

"The key here is (Guninski's) downloaded Java applets into a known location, which is the directory that holds the skin for Microsoft Media Player," Levy said. "Obviously Windows Media Player and Internet Explorer are widely deployed applications...so we should be encouraging people to upgrade once Microsoft releases a patch for it."

Michael Aldridge, lead product manager for Microsoft's Windows Digital Media division, said people can already protect themselves from the vulnerability. In the Internet Explorer, Internet options for security zones allow a consumer to disable any unsigned Java content so it cannot run on a PC.

Aldridge said Guninski notified Microsoft of the vulnerability Friday.

"Like any security issue, we take anything like this very seriously," Aldridge said. "Once we've thoroughly investigated it and figured out various permeations, we obviously want to post a patch as soon as possible."

Levy said skins have become popular among computer users and companies because they apply a custom look, such as branding, to applications.