Questions about Vulnerability Claim in Windows Media Player

Happy holidays to everyone. While it’s been a snowy holiday season for us in the Pacific Northwest (some of us are still snowed in), the MSRC never closes and we are always working to help keep customers safe.

In that vein, we’ve received some questions about a vulnerability report that was initially posted late on Christmas Eve. When we saw it, we set our teams to work over the holidays to investigate it. They’ve wrapped up their investigation and since we’ve gotten questions on it, I wanted to pass along what we’ve found.

If you haven’t seen it, there was a report about a possible issue affecting all versions of Microsoft Windows Media Player. The security researcher making the initial report didn’t contact us or work with us directly but instead posted the report along with proof of concept code to a public mailing list. After that report, other organizations picked the report up and claimed that the issue was a code execution vulnerability in Windows Media Player.

Those claims are false. We’ve found no possibility for code execution in this issue. Yes, the proof of concept code does trigger a crash of Windows Media Player, but the application can be restarted right away and doesn’t affect the rest of the system. My colleague, Jonathan Ness, has gone through more of the technical details here.

Unfortunately, the researcher chose not to come to us with this initial report. If he had, we would’ve done the exact same investigation we just completed. When we were done, we would have let him know what we found, asked him if he thinks we might have missed something, continued the investigation if there was more information and ultimately closed the case if we didn’t find a vulnerability. This is how we handle all of the cases we investigate with responsible researchers every year. And even when people choose not to report issues responsibly, we do the same thing: launch an investigation to fully research the claims and take action to appropriately address any and all issues that we find in that investigation. While we don’t normally talk publicly about issues that aren’t vulnerabilities, we’ve gotten enough questions about this that it seemed a good chance to both answer those questions and explain some more of how we do things in the MSRC.

For this particular case, we actually found this issue as part of our ongoing code maintenance, and it’s already addressed in Windows Server 2003 SP2 and will be addressed in other versions in the future. And we hope that the researcher will work with us directly the next time he thinks he found an issue. We always say that every new case with a security researcher starts the relationship off fresh: we’re happy to work with anyone who reports an issue to us responsibly, regardless of past issues.



*This posting is provided “AS IS” with no warranties, and confers no rights.*