Microsoft: The Windows Media Player Flaw That Wasn't

Microsoft refutes report of code execution vulnerability

Dark Reading Staff, Dark Reading

December 30, 2008


Microsoft says a vulnerability disclosed publicly last week in Windows Media Player was no security bug.

In a Microsoft Security Response Center (MSRC) blog post yesterday, Microsoft's Christopher Budd called the claims of a code execution vulnerability in Windows Media Player "false."

"We've found no possibility for code execution in this issue. Yes, the proof of concept code does trigger a crash of Windows Media player, but the application can be restarted right away and doesn't affect the rest of the system," Budd wrote.

The report said the vulnerability affected all versions of Windows Media Player, and it included proof-of-concept code. Microsoft provided more technical details refuting the claim.

Microsoft, which decided to go public about the disputed flaw after it was picked up by several media organizations, also used the case as an example of why it prefers researchers practice responsible disclosure.

"Unfortunately, the researcher chose not to come to us with this initial report. If he had, we would've done the exact same investigation we just completed. When we were done, we would have let them know what we found, asked him if he thinks we might have missed something, continued the investigation if there was more information and ultimately closed the case if we didn't find a vulnerability," Budd blogged.

Even so, Microsoft left the door open to work with this researcher in the future. "For this particular case, we actually found this issue as part of our ongoing code maintenance and actually it's already addressed in Windows Server 2003 SP2 and will be addressed in other versions in the future," Budd blogged. "And we hope that the researcher will work with us directly the next time he thinks he found an issue."
