Microsoft Says WMP Vulnerability Not Harmful

From Tom's Hardware: In fact, Bill Gates' dominating opus labels the claim as "false" after an extensive investigation over the Christmas holidays. According to the company, the security researcher never contacted Microsoft about the vulnerability, but rather posted the report along with proof of concept code to a public mailing list. Microsoft says that once the report began to circulate, other "organizations" began to claim that the issue was a code execution vulnerability in Windows Media Player versions 9, 10, and 11.

Apparently, the researcher's concept code actually does crash the media software; however, the incident remains within the application and doesn't affect the Windows operating system itself. In fact, Windows Media Player can be restarted immediately after the crash. Microsoft claims that the issue was already addressed in Windows Server 2003 SP2, and will be addressed in other future versions. Microsoft actually seemed rather baffled as to why the researcher chose not to contact the company directly.

"Unfortunately, the researcher (Laurent Gaffié) chose not to come to us with this initial report," says a Microsoft Security Response Center blog entry. "If he had, we would’ve done the exact same investigation we just completed. When we were done, we would have let them know what we found, asked him if he thinks we might have missed something, continued the investigation if there was more information, and ultimately closed the case if we didn’t find a vulnerability. This is how we handle all of the cases we investigate with responsible researchers every year."
