Microsoft has claimed this week that reports of a security vulnerability in its Windows Media Player are “false
,” after proof of concept code was posted to the Bugtraq security mailing list last week.
According to CNet
, the software giant is hastily quelling the claims
by Laurent Gaffie that Windows Media Player versions 9, 10, and 11 all contain a flaw which allows remote execution of code – which is to say, 0wnage by J. Random Cracker.
In a post
to its security blog on Monday, Microsoft has admitted that there is a flaw which allows malformed WAV, SND or MIDI files to crash Windows Media Player but denies that there is any possibility for remote code execution. Calling Gaffie's claims “false
,” the company has stated that the flaw “does trigger a crash of Windows Media Player, but the application can be restarted right away and [it] doesn't affect the rest of the system.
While chastising Gaffie for the rather rude approach of not thinking to “contact [Microsoft] or work with us directly but instead [to post] the report along with proof of concept code to a public mailing list,
” the company has claimed that the problem is already well in hand: having been picked up as part of a routine round of code maintenance, the problem is already patched in Windows Server 2003 Service Pack 2 with fixes for other versions in the pipeline.
Do you think that Gaffie should have followed best practices and contacted Microsoft before publicising what appears to be an over-egged vulnerability report, or is Microsoft attempting to gloss over the seriousness of this issue? Share your thoughts over in the forums