Beware Those WMP Skins

Microsoft has assigned its maximum security rating to a
flaw in the way ‘skin’ files are downloaded in some versions of its Windows
Media Player (WMP).

The software giant said the security hole was detected in WMP version 7.1
and WMP for Windows XP version 8.0 and could allow an attacker to “force a
file masquerading as a skin file” into a user’s system.

Microsoft’s latest WMP 9 Series is not affected by this
vulnerability.

A critical security alert warned that the
vulnerability would allow an attacker to place a “malicious executable” on a
susceptible system.

Skins, which are used to change the overall appearance of the media
player, are custom overlays that consist of collections of one or more files
of computer art, organized by an XML file. The XML file tells WMP how to use
the files to display a skin as determined by the user. The security flaw
exists in the way the skin files are downloaded.

Microsoft said an attacker could exploit the hole by hosting a malicious
Web site that contained a web page designed to exploit this particular
vulnerability. The user would have to visit that site to be at the mercy of
an attacker, the company cautioned.

It’s not the first time that holes have been found in popular media
players. Last month, researchers warned of serious security holes in
RealNetworks’ RealOne and Apple’s QuickTime media players.

Those vulnerabilities, which were not related, affect the way the media
players read certain file types and could leave susceptible systems open to
intrusion.

Back in July, Microsoft also issued a
cumulative patch to fix three flaws in the WMP software.
