Fatal flaws in Media Player, Explorer: Symantec

Two critical flaws in Windows Media Player and Internet Explorer could render users vulnerable to attacks, Symantec Security Response said on Tuesday.

A vulnerability in various versions of Windows Media Player has the potential for remote code execution by processing malicious bitmap images embedded in Windows Media Player skins.

Even though this vulnerability is within the media player program, it could be exploited through Microsoft Internet Explorer because users often get media that is hosted on the Web.

When content is accessed this way, Microsoft Internet Explorer typically starts the media player automatically to open the media file, which could allow attackers to host the malicious skin file on a Web page as a method of attack.

While a direct Web-based attack scenario is not present for Windows Media Player 7.1 on Windows 2000 or Windows Media Player 8 on Windows XP SP1, exploitation could still occur if the skin file is manually downloaded and installed.

This vulnerability affects Windows Media Player 7.1 on Windows 98/98SE/ME/2000, Windows Media Player 8 on Windows XP (up to and including SP1), Windows Media Player 9 on Windows 2000/XP SP2/Server 2003, and Windows Media Player 10 on 98/98SE/ME/XP (up to and including SP2).

Cumulative Security Update for Internet Explorer

This update concerns a WMF vulnerability in Internet Explorer that could result in remote code execution and complete system compromise. The vulnerability became public last week, and Microsoft issued a security advisory acknowledging the vulnerability. The vulnerability is limited to Internet Explorer 5.01 and 5.5 running on Windows 2000 and ME platforms.

“Application vulnerabilities, such as the issue in Windows Media Player, are a growing cause of concern,” said Oliver Friedrichs, senior manager, Symantec Security Response.

“It is important that Internet users be cautious, regularly update vulnerable applications, and run up-to-date Internet security software.”

Symantec recommends the following actions for enterprises:

* Evaluate the possible impact of these vulnerabilities to critical systems.

* Plan for required responses including patch deployment and implementation of security best practices using the appropriate security and availability solutions.

* Take proactive steps to protect the integrity of networks and information.

* Verify that appropriate data backup processes and safeguards are in place and effective.

* Remind users to exercise caution in opening all unknown or unexpected e-mail attachments and in following Web links from unknown or unverified sources.

Symantec recommends the following actions for consumers:

* Regularly run Windows Update and install the latest security updates to keep software up to date.

* Avoid opening unknown or unexpected e-mail attachments or following Web links from unknown or unverified sources.

* Consider using an Internet security solution such as Norton Internet Security to protect against today’s known and tomorrow’s unknown threats.

Additional information can be found at this Web site

Symantec’s security experts will closely monitor further information related to these vulnerabilities and will provide updates and security content as necessary.


IT World Canada Staff