Microsoft denies vulnerability in Windows Media Player

Software giant says flaw is a "reliability issue with no security risk to customers" and criticizes researcher for not contacting the company.

Steven Musil Night Editor / News
Updated at 10 a.m. January 5 to correct the alleged vulnerability to denial of service.

Microsoft on Monday denounced reports that a vulnerability exists in Windows Media Player that could pose a security risk for users.

Microsoft said in a company blog post that it had investigated reports that surfaced on the Internet last week and found them to be "false." The flaw is a "reliability issue with no security risk to customers," the company said on its Security Vulnerability Research & Defense blog.

The investigation followed claims published Wednesday on the Bugtraq security mailing list by researcher Laurent Gaffie that a vulnerability existed in Windows Media Player 9, 10, and 11. Gaffie said the vulnerability would allow a hacker to create a malformed WAV, SND, or MIDI file to cause a denial of service, and included proof-of-concept code.

Along with its denial, Microsoft criticized Gaffie for publishing his claims without first contacting the software giant:

The security researcher making the initial report didn't contact us or work with us directly but instead posted the report along with proof of concept code to a public mailing list. After that report, other organizations picked the report up and claimed that the issue was a code execution vulnerability in Windows Media Player. Those claims are false. We've found no possibility for code execution in this issue. Yes, the proof of concept code does trigger a crash of Windows Media player, but the application can be restarted right away and doesn't affect the rest of the system.

The company said that the flaw had already been identified during routine code maintenance and corrected in Windows Server 2003 Service Pack 2.