Microsoft paves over media player flaws

The company is urging people to "immediately" download a new patch designed to fix "critical" security holes as well as previous problems in several versions of its media player.

Microsoft is warning people that a series of flaws in its Windows Media Player could allow a malicious hacker to hijack people's computer systems and perform a variety of actions.

The flaws, found in some anti-piracy and storage features of the software, affect Media Player for Windows XP and Media Player versions 6.4 and 7.1, according to a security bulletin on Microsoft's Web site.

The company rates the problems as "critical"--Microsoft's most severe rating--and urges people to "immediately" download a patch, which was released Wednesday. The company said the patch would also fix previous problems with the software.

In the most severe exploit of a flaw, a hacker could take over a computer system and perform any task the computer's owner is allowed to do, such as opening files or accessing certain parts of a network.

The flaw rated "critical" lies in how Windows Media Player handles requests for media files containing "digital rights management" software, and could give attackers access to Internet Explorer's cache, the place where temporary IE files are stored. The other flaws result from how the media player software responds to storage devices and the way it stores play lists.

To fall victim to an attack of the most severe kind, a person would have to obtain a media file--through e-mail or by downloading it, for example. An attacker would then have to introduce an executable file into the person's browser cache and run it to gain access to the computer.

"It's not a straightforward, push-one-button-and-bad-things-happen type of thing. But there's a possibility a hacker could run code, and that's why we're rating it as critical," said Christopher Budd, a Microsoft security program manager.

Security holes have been a constant problem in Microsoft products, leading Chairman Bill Gates in January to promise to make security the company's top priority.