Microsoft refutes report of code execution vulnerability
Microsoft says a vulnerability disclosed publicly last week in Windows Media Player was no security bug.
In a Microsoft Security Response Center (MSRC) blog post yesterday, Microsoft's Christopher Budd called the claims of a code execution vulnerability in Windows Media Player "false."
"We've found no possibility for code execution in this issue. Yes, the proof of concept code does trigger a crash of Windows Media player, but the application can be restarted right away and doesn't affect the rest of the system," Budd wrote.
The reported vulnerability was said to affect all versions of Windows Media Player, and the report included proof-of-concept code. Microsoft provided more technical details refuting the vulnerability.
Microsoft, which decided to go public about the disputed flaw after it was picked up by several media organizations, also used the case as an example of why it prefers researchers practice responsible disclosure.
"Unfortunately, the researcher chose not to come to us with this initial report. If he had, we would've done the exact same investigation we just completed. When we were done, we would have let them know what we found, asked him if he thinks we might have missed something, continued the investigation if there was more information and ultimately closed the case if we didn't find a vulnerability," Budd blogged.
Even so, Microsoft left the door open to work with this researcher in the future. "For this particular case, we actually found this issue as part of our ongoing code maintenance and actually it's already addressed in Windows Server 2003 SP2 and will be addressed in other versions in the future," Budd blogged. "And we hope that the researcher will work with us directly the next time he thinks he found an issue."