Security holes found in Windows Media Player

IDG.net

(IDG) -- Microsoft on Wednesday issued a patch for two security flaws in its Windows Media Player software that could allow malicious users to run programs on other users' PCs.

Although the security flaws are unrelated, except for the fact that they both affect Windows Media Player, Microsoft chose to issue a single patch to allow users to fix both problems at the same time, the company said in a security bulletin posted on its Web site.

The .WMS Script Execution flaw affects Windows Media Player version 7, which is included by default in Microsoft's Windows Millennium Edition operating system targeted at consumers, and is also available for free download from the company's Web site.


The software includes a feature called "skins" that allows users to customize the program's interface. However, a custom skin .WMS file could also include script which would execute if Windows Media Player was run and the user had selected the skin that included the script, Microsoft said.

A malicious user could send a skin containing a script to another user and try to entice him or her into using it, or host such a file on a Web site and cause the script to execute whenever a user visited the site. Since the code would reside on the user's local PC, it would be able to execute ActiveX controls, including ones not marked "safe for scripting," enabling it to take any action that can be accomplished via an ActiveX control, Microsoft said.

The flaw was discovered by GFI Security Labs, a unit of communications and security software provider GFI Fax & Voice.

In a separate statement, GFI advised users to filter incoming e-mails for .WMD and .WMZ files, and automatically remove JavaScript, iframe tags, meta refresh tags and possibly ActiveX tags from incoming HTML (hypertext markup language) e-mail messages.
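GFI's gateway advice above, sketched as an added example (not code from GFI, Microsoft or the article): it flags attachments with the extensions the article names and re-emits HTML bodies without script, iframe, meta refresh, inline event handlers or `javascript:` URLs. The `object` entry standing in for "ActiveX tags", the function names and the sample message are assumptions made for this sketch.

```python
import email
import html
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser

BLOCKED_EXT = (".wmd", ".wmz")          # extensions named in GFI's advice
DROP = {"script", "iframe", "object"}   # assumption: "object" stands in for ActiveX tags

class Scrubber(HTMLParser):
    """Re-emit HTML without active content; text inside a dropped element is discarded."""
    def __init__(self):
        super().__init__()
        self.out, self.skip = [], 0
    def handle_starttag(self, tag, attrs):
        if tag in DROP:
            self.skip += 1                     # an unclosed element drops the rest (fail closed)
        elif not self.skip and not (tag == "meta" and any(
                k == "http-equiv" and (v or "").lower() == "refresh" for k, v in attrs)):
            safe = [(k, v or "") for k, v in attrs if not k.startswith("on")
                    and not (v or "").strip().lower().startswith("javascript:")]
            self.out.append("<" + tag + "".join(f' {k}="{html.escape(v)}"' for k, v in safe) + ">")
    def handle_startendtag(self, tag, attrs):
        if tag not in DROP:
            self.handle_starttag(tag, attrs)
    def handle_endtag(self, tag):
        if tag in DROP:
            self.skip = max(0, self.skip - 1)
        elif not self.skip:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data, quote=False))

def filter_message(raw: bytes):
    """Return (blocked attachment names, message with scrubbed HTML parts)."""
    msg, blocked = email.message_from_bytes(raw, policy=policy.default), []
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(BLOCKED_EXT):
            blocked.append(name)               # a gateway would quarantine or strip this part
        elif part.get_content_type() == "text/html":
            s = Scrubber(); s.feed(part.get_content()); s.close()
            part.set_content("".join(s.out), subtype="html")
    return blocked, msg

def sample_message() -> bytes:                 # constructed sample, not taken from the article
    m = EmailMessage()
    m.set_content("plain text body")
    m.add_alternative('<p onclick="x()">Hi &amp; bye</p><script>run()</script>'
                      '<iframe src="http://example.invalid/"></iframe>'
                      '<meta http-equiv="refresh" content="0;url=http://example.invalid/">'
                      '<p>end</p>', subtype="html")
    m.add_attachment(b"PK", maintype="application", subtype="octet-stream", filename="cool.WMZ")
    return m.as_bytes()
```

Comments and doctype declarations are dropped as well, since the scrubber only re-emits tags and text it explicitly handles.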

The second flaw, dubbed the .ASX Buffer Overrun vulnerability, was discovered by @Stake, a Cambridge, Massachusetts-based Internet security consulting company, Microsoft said.

It affects versions 6.4 and 7 of Windows Media Player, and exploits the software's use of Active Stream Redirector .ASX files to enable users to play streaming media residing on intranet or Internet sites.

The code that parses .ASX files has an unchecked buffer, which also could enable a malicious user to run any code on the PC of another user. The code could take any action on the PC that the legitimate user could take, Microsoft said.

Microsoft's security bulletin on the flaws, including links to patches for both Windows Media Player versions 6.4 and 7, can be found on the Web at http://www.microsoft.com/TechNet/security/bulletin/MS00-090.asp/.

The fix will also be available as part of the next periodic update of the software, scheduled for December, Microsoft said.




© 2001 Cable News Network. All Rights Reserved.