Security holes found in Windows Media Player

(IDG) -- Microsoft on Wednesday issued a patch for two security flaws in its Windows Media Player software that could allow malicious users to run programs on other users' PCs.

Although the security flaws are unrelated, except for the fact that they both affect Windows Media Player, Microsoft chose to issue a single patch to allow users to fix both problems at the same time, the company said in a security bulletin posted on its Web site.

The .WMS Script Execution flaw affects Windows Media Player version 7, which is included by default in Microsoft's Windows Millennium Edition operating system targeted at consumers, and is also available for free download from the company's Web site.

The software includes a feature called "skins" that allows users to customize the program's interface. However, a custom skin .WMS file could also include script which would execute if Windows Media Player was run and the user had selected the skin that included the script, Microsoft said.

A malicious user could send a skin containing a script to another user and try to entice him or her into using it, or host such a file on a Web site and cause the script to execute whenever a user visited the site. Since the code would reside on the user's local PC, it would be able to execute ActiveX controls, including ones not marked "safe for scripting," and enable the code to take any action that can be accomplished via an ActiveX control, Microsoft said.

The flaw was discovered by GFI Security Labs, a unit of communications and security software provider GFI Fax & Voice.

In a separate statement, GFI advised users to filter incoming e-mails for .WMD and .WMZ files, and automatically remove JavaScript, iframe tags, meta refresh tags and possibly ActiveX tags from incoming HTML (hypertext markup language) e-mail messages.
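
GFI's filtering advice above, sketched as an added example (not code from GFI, Microsoft or the original article): it flags attachments with the extensions GFI names and strips script, iframe and meta refresh tags from HTML parts. The names `Sanitizer`, `sanitize` and `filter_message`, the treatment of `<object>` as the "ActiveX tags", and the removal of `on*` event attributes are assumptions of this example.

```python
import email, html
from email import policy
from html.parser import HTMLParser

BLOCKED_EXT = (".wmd", ".wmz")         # attachment extensions named in GFI's advice
DROP = {"script", "iframe", "object"}  # "object" is an assumption for "ActiveX tags"

class Sanitizer(HTMLParser):  # comments and doctype are dropped as well
    def __init__(self):
        super().__init__(convert_charrefs=False)  # entities pass through still encoded
        self.out, self.skip = [], 0               # skip > 0 while inside a DROP element
    def handle_starttag(self, tag, attrs):
        refresh = tag == "meta" and (dict(attrs).get("http-equiv") or "").lower() == "refresh"
        if tag in DROP:
            self.skip += 1
        elif not (self.skip or refresh):
            kept = "".join(f' {k}="{html.escape(v or "")}"'
                           for k, v in attrs if not k.startswith("on"))  # no onload= etc.
            self.out.append(f"<{tag}{kept}>")
    handle_startendtag = handle_starttag  # browsers treat "<script/>" as an open tag
    def handle_endtag(self, tag):
        if tag in DROP:
            self.skip = max(0, self.skip - 1)
        elif not self.skip:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip:
            self.out.append(data)
    def handle_entityref(self, name):
        self.handle_data(f"&{name};")
    def handle_charref(self, name):
        self.handle_data(f"&#{name};")

def sanitize(markup):
    parser = Sanitizer()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)

def filter_message(raw):
    """Return (blocked attachment names, message with sanitized HTML parts)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    blocked = []
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(BLOCKED_EXT):
            blocked.append(name)  # caller quarantines the message
        elif part.get_content_type() == "text/html":
            part.set_content(sanitize(part.get_content()), subtype="html")
    return blocked, msg
```

`filter_message` takes the raw bytes of one message; a non-empty first return value means the message carried an attachment with a blocked extension.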

The second flaw, dubbed the .ASX Buffer Overrun vulnerability, was discovered by @Stake, a Cambridge, Massachusetts-based Internet security consulting company, Microsoft said.

It affects versions 6.4 and 7 of Windows Media Player, and exploits the software's use of Active Stream Redirector .ASX files to enable users to play streaming media residing on intranet or Internet sites.

The code that parses .ASX files has an unchecked buffer, which also could enable a malicious user to run any code on the PC of another user. The code could take any action on the PC that the legitimate user could take, Microsoft said.

Microsoft's security bulletin on the flaws, including links to patches for both Windows Media Player versions 6.4 and 7, can be found on the Web at

The fix will also be available as part of the next periodic update of the software, scheduled for December, Microsoft said.

© 2001 Cable News Network. All Rights Reserved.