Security flaw touches Windows Media Player, IE

"Critical" flaw affects Microsoft's media player and browser, including on Windows XP with SP2, a security firm reports.

Dawn Kawamoto Former Staff writer, CNET News
Dawn Kawamoto covered enterprise security and financial news relating to technology for CNET News.
Dawn Kawamoto
2 min read
A "critical" flaw that affects both Microsoft's Windows Media Player and Internet Explorer has been uncovered, a security company reported late Monday.

The security flaw, which is found in the default installations of Media Player and the IE browser, could let attackers launch a remote execution of code, according to an advisory posted by eEye Digital Security.

Systems affected by the flaw include Windows XP with Service Pack 1 and Service Pack 2, Windows NT, Windows 2003 and Windows 2003 SP1, and all versions of Windows 2000.

Although eEye does not believe the vulnerability is "wormable," the company rated it "critical" because it could allow for a remote execution of code and affects installations of Media Player and IE at their default settings, an eEye representative said.

"The flaw can be exploited if the user opens a wrong file or goes to a wrong Web site," said Marc Maiffret, eEye's chief hacking officer. "Then the attacker can execute code as the user, who is viewing the file or Web site."

A Microsoft spokeswoman confirmed the software giant had received eEye's advisory, but noted that because details of the vulnerabilities were not made public, there haven't been any known attempts to exploit the flaws.

The Microsoft Security Response Center continues to investigate the report, the spokeswoman said.

The discovery of this latest flaw comes days after Microsoft issued an advisory that a security patch it released early last week contained problems that could, in some instances, lock people out of their PC. As part of its regular monthly patching schedule, Microsoft last week issued patches for 14 security flaws in Windows, one of which had the potential to be exploited by a major worm.

eEye noted that the latest vulnerability is not linked to any of the 14 security flaws patched last week.