
Security Holes Pop Up in Unexpected Places

With so many obvious security holes that systems administrators have to watch out for, keeping up with all the potential problem areas that the Windows OSs present is tough. It's even worse when the security problems occur in a little-used but ubiquitous application such as the Windows Media Player (WMP).

On June 26, Microsoft released a rollup patch to protect an application that we rarely think of as a security problem (indeed, that we rarely think about at all in the corporate environment), WMP. And these holes aren't minor problems: The patch includes a fix that prevents HTML scripting from running within media files—a concept that's tough to explain to users who haven't actually experienced it. The fact that the media file format supports scripting and does more than display media content is something that most systems administrators aren't aware of—something I wouldn't even expect them to be aware of. The delivery mechanism for the file doesn't even need to be something obvious, such as an email link. Downloading a seemingly innocuous media file at home and bringing it to work on a CD-ROM or laptop can leave your local computer or entire network vulnerable to attack.

The rollup patch fixes security holes that exist in all versions of WMP since WMP 6.4: WMP for Windows XP, WMP 7.1, and WMP 6.4. The rollup patch also fixes three other WMP holes, for which Microsoft earlier released individual patches. For descriptions of those vulnerabilities, see the following Microsoft articles:

Regardless of whether you've applied any or all of these security patches, download and install the rollup patch. You can also read a complete description of the vulnerabilities that the patch repairs or download the patch for your version of WMP.

If you haven't already done so, I strongly suggest that you subscribe to the Microsoft Security Notification Service and create rules in your email application that will promptly bring these email alerts to your attention.
