Microsoft on Monday denounced reports that a vulnerability exists in Windows Media Player that could pose a security risk for users.
Microsoft said in a company blog post that it had investigated reports that surfaced on the Internet last week and found them to be "false." The flaw is a "reliability issue with no security risk to customers," the company said on its Security Vulnerability Research & Defense blog.
The investigation followed claims published Wednesday on the Bugtraq security mailing list by researcher Laurent Gaffie that a vulnerability existed in Windows Media Player 9, 10, and 11. Gaffie said the vulnerability would allow a hacker to create a malformed WAV, SND, or MIDI file to cause a denial of service, and included proof-of-concept code.
Along with its denial, Microsoft criticized Gaffie for publishing his claims without first contacting the software giant:
The security researcher making the initial report didn't contact us or work with us directly but instead posted the report along with proof of concept code to a public mailing list. After that report, other organizations picked the report up and claimed that the issue was a code execution vulnerability in Windows Media Player. Those claims are false. We've found no possibility for code execution in this issue. Yes, the proof of concept code does trigger a crash of Windows Media Player, but the application can be restarted right away and doesn't affect the rest of the system.
The company said that the flaw had already been identified during routine code maintenance and corrected in Windows Server 2003 Service Pack 2.
Microsoft on Tuesday released its September 2008 security bulletin summary.
The four bulletins concern Windows GDI+, Windows Media Player, and Microsoft Office OneNote. All are rated critical by Microsoft. There is no cumulative patch for Internet Explorer this month.
Starting next month, Microsoft plans to share the technical details of new vulnerabilities to give software developers time to update affected products before the public announcement.
Also in October, Microsoft will start providing each bulletin with an Exploitability Index to help system administrators prioritize the patches. All current Microsoft security patches for both Windows and Office software are available via Microsoft Update or the individual bulletins detailed below.
MS08-052: Critical
Entitled "Vulnerabilities in GDI+ Could Allow Remote Code Execution (954593)," this bulletin affects all supported editions of Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008, Microsoft Internet Explorer 6 Service Pack 1 when installed on Microsoft Windows 2000 Service Pack 4, Microsoft Digital Image Suite 2006, SQL Server 2000 Reporting Services Service Pack 2, all supported editions of SQL Server 2005, Microsoft Report Viewer 2005 Service Pack 1 Redistributable Package, and Microsoft Report Viewer 2008 Redistributable Package. It addresses the issues detailed in CVE-2008-5348, CVE-2008-3012, CVE-2008-3013, CVE-2008-3014, and CVE-2008-3015. Microsoft says these vulnerabilities "could allow remote code execution, if a user viewed a specially crafted image file using affected software or browsed a Web site that contains specially crafted content."
MS08-053: Critical
Entitled "Vulnerability in Windows Media Encoder 9 Could Allow Remote Code Execution (954156)," this bulletin affects all supported and affected editions of Microsoft Windows 2000, Windows XP, and Windows Vista, as well as supported and affected versions of Windows Server 2003 and Windows Server 2008. It addresses the vulnerability detailed in CVE-2008-3008. Microsoft says the vulnerability could "allow remote code execution, if a user viewed a specially crafted Web page. An attacker who successfully exploited this vulnerability could take complete control of an affected system."
MS08-054: Critical
Entitled "Vulnerability in Windows Media Player Could Allow Remote Code Execution (954154)," this bulletin affects all supported and affected editions of Windows Media Player 11. This bulletin addresses the issues detailed in CVE-2008-2253. Microsoft says there is a "vulnerability in Windows Media Player that could allow remote code execution when a specially crafted audio file is streamed from a Windows Media server. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system."
MS08-055: Critical
Entitled "Vulnerability in Microsoft Office Could Allow Remote Code Execution (955047)," this bulletin affects supported editions of Microsoft Office OneNote 2007 and supported editions of Microsoft Office XP, Microsoft Office 2003, and 2007 Microsoft Office System. This bulletin addresses the vulnerability detailed in CVE-2008-3007. Microsoft says "if a user clicks a specially crafted OneNote URL...an attacker who successfully exploited this vulnerability could take complete control of an affected system."
On Thursday, Microsoft announced four security bulletins for Tuesday. The announcement is intended as a heads-up for IT departments before Patch Tuesday. All four are considered critical, the most serious ranking offered by the software giant.
Among the critical patches, two affect Windows Media Player, one affects Windows, while the other affects Microsoft Office. All could enable remote code execution if exploited.
Starting next month, Microsoft will be sharing the technical details of new vulnerabilities to give software developers a chance to update affected products before the public announcement. Also in October, Microsoft will start providing each bulletin with an Exploitability Index to help system administrators prioritize the patches.