Microsoft said they are still investigating the issue

Dec 8, 2006 11:42 GMT

Windows Media Player is one of the most popular multimedia players currently on the market, largely because it is included in every version of the well-known Windows operating system.

Because users are reporting vulnerabilities for all components of the operating system, Microsoft is forced to release updates and patches very often.

This time, the giant is investigating a security issue in Windows Media Player that can allow attackers to compromise a vulnerable computer.

Security company Secunia said that attackers can use the flaw to cause a DoS (Denial of Service) or to compromise an entire system.

"The vulnerability is caused due to a boundary error when handling 'REF HREF' tags in ASX playlists. This can be exploited to cause a limited heap-based buffer overflow via an overly long string with an invalid URL," Secunia said.

The company rated the vulnerability as "highly critical", adding that successful exploitation will crash the program and may allow the execution of arbitrary code that can compromise a system. The only version that appears to be affected by the flaw is 10.00.00.4036 and, because Microsoft hasn't released a patch yet, Secunia said it's safer to refuse to open unsafe playlists.
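Secunia's advice to refuse unsafe playlists can be partly automated by screening ASX files before they reach the player. The following is an added example, not code from Secunia, Microsoft or the original article; the length limit, the scheme allowlist and the sample playlist are assumptions chosen for illustration, not values from the advisory.

```python
import re
from urllib.parse import urlsplit

# Assumed policy values for this example; the advisory gives no numbers.
MAX_HREF_LEN = 1024
ALLOWED_SCHEMES = {"http", "https", "mms", "rtsp"}

# ASX tag and attribute names are case-insensitive and real playlists are often
# not well-formed XML, so use a tolerant regex rather than a strict XML parser.
REF_TAG = re.compile(
    r"<\s*ref\b[^>]*?\bhref\s*=\s*(\"[^\"]*\"|'[^']*'|[^\s>]+)", re.IGNORECASE)


def check_href(href):
    """Return the reasons (possibly none) for rejecting one REF HREF value."""
    reasons = []
    if len(href) > MAX_HREF_LEN:
        reasons.append(f"href length {len(href)} exceeds {MAX_HREF_LEN}")
    try:
        parts = urlsplit(href)
        scheme, host = parts.scheme.lower(), parts.hostname
    except ValueError:
        return reasons + ["href is not a parseable URL"]
    if scheme not in ALLOWED_SCHEMES:
        reasons.append(f"scheme {scheme!r} not in allowlist")
    elif not host:
        reasons.append("URL has no host")
    return reasons


def scan_asx(text):
    """Return (href preview, reasons) for every suspicious REF HREF in a playlist."""
    findings = []
    for match in REF_TAG.finditer(text):
        href = match.group(1).strip("\"'")
        reasons = check_href(href)
        if reasons:
            findings.append((href[:40], reasons))
    return findings


# Constructed sample playlist: the second entry is overly long and not a valid URL.
SAMPLE = ('<ASX version="3.0">\n'
          '  <Entry><Ref href="http://media.example.com/clip.wmv"/></Entry>\n'
          '  <ENTRY><REF HREF="bogus://' + "x" * 4000 + '"/></ENTRY>\n'
          '</ASX>\n')

if __name__ == "__main__":
    for preview, reasons in scan_asx(SAMPLE):
        print(preview, "->", "; ".join(reasons))
```

A mail gateway or download filter could quarantine any playlist for which `scan_asx` returns findings.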

In reply to the advisory, Microsoft published a message on the Microsoft Security Response Center Blog saying that "we are currently investigating this report. We are not currently aware of attempts to exploit this vulnerability. The ASX file format is an XML-based media file format which is processed by Windows Media Player.

"An attacker could construct a malformed ASX file and use it to cause Media Player to overrun a heap-allocated buffer, potentially leading to remote code execution. We are also investigating other attack vectors to reach the same vulnerable code."

What conclusion can be drawn from this new vulnerability? Microsoft has always had problems with the security of its products and, even if it is releasing updates very quickly, it's obvious we're not safe anymore when we're using specific Microsoft applications.