Date: Tue, 20 Nov 2001 14:14:41 -0500
Microsoft Warns Of Media Player Security Vulnerability
By Steven Bonisteel, Newsbytes
REDMOND, WASHINGTON, U.S.A.,
20 Nov 2001, 12:27 PM CST
Microsoft Corp. [NASDAQ:MSFT] is urging users of its Windows Media
Player software to apply a security patch that plugs a hole in one
version that can allow a malicious attacker to take control of a user's
PC.
The Redmond, Wash., company said in a bulletin published Monday night
that code in Windows Media Player 6.4 used to play Advanced Streaming
Format (ASF) content is prone to what is known as a buffer overrun.
Buffer overruns can occur when software fails to ensure that incoming
data will fit within the computer memory reserved for it. Extra data
spilled into memory might simply cause a program to crash. However, a
savvy hacker can turn a buffer overrun into a doorway to vulnerable
computers if he or she can inject malicious code with the overrun and
get it to execute.
The Code Red worms were examples of code that exploited buffer overruns
in Web servers to automatically traverse the Internet. But Microsoft
pointed out that a hacker hoping to use the Windows Media Player
vulnerability would have to entice individuals to download and play the
specially malformed ASF files.
Microsoft said the newly discovered problem is specific to its version
6.4 Media Player, but that it has created a patch that fixes a number of
vulnerabilities - one for which Microsoft offered a fix a year ago and
some of which are in code that is also part of newer releases of the
software.
The company said it is urging users of all versions of the Windows Media
Player - through version 7.1 - to download the patch.
Windows XP users are being asked to download an updated Windows Media
Player via Microsoft's Windows Update site, rather than apply a patch.
Additional information and links to the software updates are here:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-056.asp
Reported by Newsbytes.com, http://www.newsbytes.com .
12:27 CST
(20011120/WIRES ONLINE, PC, BUSINESS/WINMP/PHOTO)
© 2001 The Washington Post Company
VICUG-L is the Visually Impaired Computer User Group List.
To join or leave the list, send a message to
[log in to unmask] In the body of the message, simply type
"subscribe vicug-l" or "unsubscribe vicug-l" without the quotations.
VICUG-L is archived on the World Wide Web at
http://maelstrom.stjohns.edu/archives/vicug-l.html