Stung by recent high-profile vulnerabilities in its Internet Explorer (IE) and SQL Server products, Microsoft this week refuted reports that there was a critical security vulnerability in Windows Media Player (WMP) as well. Critical vulnerabilities are the most serious type of vulnerability, and can cause remote code execution and, thus, remote control of users' PCs.
"On Christmas Day, the \[Microsoft Security Response Center\] opened a case tracking a Bugtraq-posted \[vulnerability\]," a statement on Microsoft's Security Vulnerability Research & Defense reads. "By Saturday evening, we saw reputable Internet sources claiming this bug could lead to executing arbitrary code on the system. We investigated right away and found that this bug cannot be leveraged for arbitrary code execution."
Not only is this flaw not as serious as reported, it's not a security issue at all. And Microsoft has known the flaw for some time and already fixed it on modern versions of Windows. "We found this already through our internal fuzzing efforts," the statement reads. "It was correctly triaged at the time as a reliability issue with no security risk to customers. We do like to get these reliability issues fixed in a future service pack or a future version of the platform whenever possible. This particular bug, for example, has already been fixed in Windows Server 2003 Service Pack 2."
The WMP bug was first reported to the Bugtraq security mailing list by a security researcher named Laurent Gaffie. Microsoft criticized Gaffie for not contacting the company first, as any confusion about the vulnerability--or lack thereof--could have been quickly cleared up without any public silliness. "\[Gaffie\] didn't contact us or work with us directly but instead posted the report along with proof of concept code to a public mailing list," a Microsoft statement reads. "Claims of a code execution vulnerability in Windows Media Player are false."
