Information Security News mailing list archives

Previous By Date Next
Previous By Thread Next

Hole found in Windows Media Player "skins"

From: InfoSec News <isn () C4I ORG>
Date: Tue, 16 Jan 2001 20:50:33 -0600
http://news.cnet.com/news/0-1005-200-4499270.html?tag=st.ne.1002.tgif.ni

By Gwendolyn Mariano
Staff Writer, CNET News.com
January 16, 2001, 3:15 p.m. PT

Security experts are warning of a high-risk security hole affecting
Microsoft Windows Media Player 7 "skins," which are used to give the
desktop application a custom look and feel.

Bug hunter Georgi Guninski of Bulgaria published an advisory of the
exploit Monday, warning of a security vulnerability by which attackers
could read local files and browse directories that would enable them
to execute arbitrary programs.

"It is a high risk," said Elias Levy, chief technology officer for
SecurityFocus.com. The vulnerability "allows you to take full control
of a machine. Someone could do whatever they want to."

Guninski said that the problem is in the Windows Media Player skins,
which alter the appearance of a program interface but not its
functions.

"The key here is (Guninski's) downloaded Java applets into a known
location, which is the directory that holds the skin for Microsoft
Media Player," Levy said. "Obviously Windows Media Player and Internet
Explorer are widely deployed applications...so we should be
encouraging people to upgrade once Microsoft releases a patch for it."

Michael Aldridge, lead product manager for Microsoft's Windows Digital
Media division, said people can already protect themselves from the
vulnerability. In the Internet Explorer, Internet options for security
zones allow a consumer to disable any unsigned Java content so it
cannot run on a PC.

Aldridge said Guninski notified Microsoft of the vulnerability Friday.

"Like any security issue, we take anything like this very seriously,"
Aldridge said. "Once we've thoroughly investigated it and figured out
various permeations, we obviously want to post a patch as soon as
possible."

Levy said skins have become popular among computer users and companies
because they apply a custom look, such as branding, to applications.

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".
Previous By Date Next
Previous By Thread Next

Current thread: