A security researcher discovered an "alleged vulnerability" involving Windows Media Player; however, Microsoft claims that there is no possibility for harmful code execution.
In fact, Bill Gates' dominating opus labels the claim as "false" after an extensive investigation over the Christmas holidays. According to the company, the security researcher never contacted Microsoft about the vulnerability, but rather posted the report along with proof of concept code to a public mailing list. Microsoft says that once the report began to circulate, other "organizations" began to claim that the issue was a code execution vulnerability in Windows Media Player versions 9, 10, and 11.
Apparently, the researcher's concept code actually does crash the media software; however, the incident remains within the application and doesn't affect the Windows operating system itself. In fact, Windows Media Player can be restarted immediately after the crash. Microsoft claims that the issue was already addressed in Windows Server 2003 SP2, and will be addressed in other future versions. Microsoft actually seemed rather baffled as to why the researcher chose not to contact the company directly.
"Unfortunately, the researcher (Laurent Gaffié) chose not to come to us with this initial report," says a Microsoft Security Response Center blog entry. "If he had, we would’ve done the exact same investigation we just completed. When we were done, we would have let them know what we found, asked him if he thinks we might have missed something, continued the investigation if there was more information, and ultimately closed the case if we didn’t find a vulnerability. This is how we handle all of the cases we investigate with responsible researchers every year."
Recently Microsoft has been in a constant, negative spotlight, first with accusations that the company knew about faulty hardware before shipping the first batch of Xbox 360 consoles. Just last week Microsoft scrambled to generate a fix for a security hole in all versions of Internet Explorer, and earlier this week thousands of 30GB Zune portable media devices locked up at 12:00:01 a.m. Microsoft is also poised to release Windows 7 Beta 1 next month, which already appears on Torrent search lists.
Thankfully, the supposed Media Player vulnerability was an erroneous claim... or at least that's what Microsoft says. "We’ve found no possibility for code execution in this issue," the company said.