And not exploitable for arbitrary code execution

Dec 30, 2008 11:08 GMT

Microsoft has squashed reports, which emerged ahead of Christmas, of a new zero-day Critical vulnerability affecting versions 9, 10, and 11 of Windows Media Player. The Redmond company confirmed that there was an issue that could lead to Windows Media Player crashing; however, it denied that the issue could be remotely exploited or that an attacker could execute arbitrary code on affected systems.

According to the software giant, the combination of the Windows Media Player bug and malformed WAV, SND, and MID files can generate an unmanageable CPU exception when executing a div instruction. As a result, Windows Media Player will crash, but a remote integer overflow, as claimed by the initial proof-of-concept published in the wild, is out of the question.
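The failure mode described above, as an added example that is not from the article or from Microsoft's code: a hypothetical WAV header parser that divides by a header field, beside a version that rejects a zero divisor first. The article does not say which field triggers the Windows Media Player crash; `byte_rate`, the struct, and all function names are assumptions, and the sample headers are constructed.

```c
#include <stddef.h>
#include <stdint.h>

/* Fields of a PCM WAV "fmt " chunk body (16 bytes, little-endian). */
typedef struct {
    uint16_t channels;
    uint32_t sample_rate;
    uint32_t byte_rate;     /* bytes of audio per second (hypothetical divisor) */
    uint16_t block_align;   /* bytes per sample frame */
} wav_fmt;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Copy the header fields out of an untrusted buffer; -1 if it is too short. */
int parse_fmt(const uint8_t *buf, size_t len, wav_fmt *f) {
    if (buf == NULL || f == NULL || len < 16) return -1;
    f->channels    = rd16(buf + 2);
    f->sample_rate = rd32(buf + 4);
    f->byte_rate   = rd32(buf + 8);
    f->block_align = rd16(buf + 12);
    return 0;
}

/* Trusting version: a zero byte_rate reaches the divide. On x86 the div
 * instruction then raises a divide error and the process is terminated.
 * In this sketch the fault happens before anything is written to memory. */
uint64_t duration_ms_unchecked(const wav_fmt *f, uint32_t data_bytes) {
    return (uint64_t)data_bytes * 1000u / f->byte_rate;
}

/* Hardened version: reject zero divisors before any division. */
int duration_ms_checked(const wav_fmt *f, uint32_t data_bytes, uint64_t *ms) {
    if (f->channels == 0 || f->block_align == 0 || f->byte_rate == 0)
        return -1;                       /* malformed header, refuse to play */
    *ms = (uint64_t)data_bytes * 1000u / f->byte_rate;
    return 0;
}

/* Constructed headers: 44.1 kHz 16-bit stereo, and a copy with byte_rate zeroed. */
const uint8_t GOOD_FMT[16] = {1,0, 2,0, 0x44,0xAC,0,0, 0x10,0xB1,2,0, 4,0, 16,0};
const uint8_t BAD_FMT[16]  = {1,0, 2,0, 0x44,0xAC,0,0, 0,0,0,0,       4,0, 16,0};

int main(void) {
    wav_fmt f; uint64_t ms;
    return parse_fmt(BAD_FMT, 16, &f) == 0 && duration_ms_checked(&f, 1000, &ms) == -1 ? 0 : 1;
}
```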

“There was a report about a possible issue affecting all versions of Microsoft Windows Media player. The security researcher making the initial report didn’t contact us or work with us directly, but instead posted the report along with proof of concept code to a public mailing list,” Christopher Budd, security program manager, Microsoft Security Response Center, stated.

“Those claims are false. We’ve found no possibility for code execution in this issue. Yes, the proof of concept code does trigger a crash of Windows Media player, but the application can be restarted right away and doesn’t affect the rest of the system.”

Budd went on to emphasize how important it is for independent security researchers to communicate potential security vulnerabilities to Microsoft. The Redmond company was, in fact, already aware of the Windows Media Player bug, which had been classified as not posing a security risk to users. With the release of SP2 for Windows Server 2003, the issue was addressed in the server platform, and Budd promised that additional Windows operating systems would also receive fixes.

“We found this already through our internal fuzzing efforts. It was correctly triaged at the time as a reliability issue with no security risk to customers. We do like to get these reliability issues fixed in a future service pack or a future version of the platform whenever possible,” Microsoft's Jonathan Ness explained.