X

Microsoft issues Media Player patch

The patch is intended to plug security holes in the Windows Media Player software that could let an attacker run malicious code and access computer files on a person's PC.

2 min read
Microsoft has released a patch intended to plug security holes in its Windows Media Player software that could allow an attacker to run malicious code and access computer files on a person's PC.

The patch will repair two flaws that affect Media Player versions 6.4 and 7, Microsoft said. The first flaw occurs when a person plays streaming media that resides on an intranet or Internet site that allows the use of playlists. Because of what is called a "buffer overrun" problem, where certain files can be streamed unchecked, a malicious attacker could run code of his or her choice on the machine of an unsuspecting person, Microsoft said in a security bulletin posted on Wednesday.

The second security flaw affects how the Media Player handles Internet shortcuts. The security defect causes the software to save Internet shortcuts to the person's temporary files folder.

Microsoft said the flaw makes it possible for HTML code to be stored in the shortcut file and launched on a Web page or in an HTML e-mail, which would allow code to run on a person's machine, rather than on the Internet. An attacker could exploit this to read, but not add, delete or modify, files on the person's computer.

To fix the security flaws, Microsoft said Media Player 6.4 users should install the patch, which has been posted on its security Web site, while users of Media Player 7 should install the latest version of the software Windows Media Player 7.1, which is available at Microsoft's Web site.

Over the past couple of months, Microsoft has been rushing to patch a number of security problems in its products. Earlier this month, the software giant discovered a serious security hole in its flagship Web server software, Internet Information Server, and rushed to persuade system administrators to patch the flaw before attackers could target their systems.

In April, a problem was discovered with Microsoft Windows 2000, which allowed the system to crash by sending it a request for a simple Web page.

"This is probably the third security problem with Media Player in recent months. You usually get security concerns when you have something that talks to the Internet like software like this does," said Richard Smith, chief technical officer for the Privacy Foundation. "The problems grow the more the software has connectivity with other software, like Web browsers and e-mail."