Microsoft denies the severity of a Media Player exploit
The proof of concept for a Windows Media Player exploit does exist, and it has been shared. But it is not a security vulnerability, Microsoft said, because that would require remote code execution, and this one doesn't deliver it.
Coder Laurent Jaffié recently posted to some "security" sites (at least one of which clearly deserves the prefix "in-") a Perl script that literally does nothing more than create a malformed .WAV file. If you play that WAV file in Windows Media Player, well, it evidently crashes. And Jaffié's description of the file in his comments actually does not claim to do more than that -- specifically, he calls it a "remote integrer [sic] overflow."
Somehow, word spread in recent days that Jaffié had discovered an overflow that opens the possibility of remote code execution. Yet a check of the Perl script shows no proof of exploitability at all; literally, all it does is make a WAV file that crashes WMP.
That didn't stop alarm bells from sounding. British IT news site Heise Online tested Jaffié's code and confirmed that it did indeed crash WMP. But rather than take the test further, Heise then took the word of another Web site which claimed the crash was exploitable, prior to that site issuing a retraction yesterday. Heise has not corrected its version.
"Security Tracker say that the vulnerability can allow code to pass through the hole," reads the Heise story. "If this is true it won't be long before real exploits appear. This was demonstrated with the recent zero day vulnerability of Internet Explorer."
But the world at large was introduced to the issue yesterday when Microsoft squashed Heise's report like...well, like a bug, providing technical details to back itself up.
"The security researcher making the initial report didn't contact us or work with us directly but instead posted the report along with proof of concept code to a public mailing list," reads the Security Response Team's statement yesterday. "After that report, other organizations picked the report up and claimed that the issue was a code execution vulnerability in Windows Media Player. Those claims are false. We've found no possibility for code execution in this issue. Yes, the proof of concept code does trigger a crash of Windows Media player, but the application can be restarted right away and doesn't affect the rest of the system."
As Jonathan Ness of Microsoft's new vulnerability team blogged in a separate post, the crash happens when the intentionally malformed WAV file supplies header values that would normally set the playback rate, but which instead produce a division whose quotient doesn't fit in a 32-bit register. That condition raises a CPU divide-error exception, and WMP doesn't handle that exception, so the player crashes.
Ness wrote, "There is no memory corruption here and the value does not appear to be used for any memory allocation. Rather, the operation is calculating a value related to the rate at which the media is to be played."
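The bug class Ness describes, a playback-rate quotient computed from untrusted header fields that overflows a 32-bit result, is easy to guard against by validating the arithmetic before the hardware performs it. The following C program is an added illustration written for this article, not Microsoft's or Jaffié's code: it parses a constructed PCM "fmt " chunk and computes a hypothetical fixed-point playback rate with an explicit divisor-zero and quotient-fits-in-32-bits check. The rate formula and field choice are assumptions for illustration; the page does not state which fields WMP actually divides.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Little-endian readers for the RIFF/WAVE "fmt " chunk body. */
static uint16_t rd16(const uint8_t *p) {
    return (uint16_t)(p[0] | (p[1] << 8));
}
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Fields of the 16-byte PCM "fmt " chunk, in file order. */
typedef struct {
    uint16_t format_tag;
    uint16_t channels;
    uint32_t samples_per_sec;
    uint32_t avg_bytes_per_sec;
    uint16_t block_align;
    uint16_t bits_per_sample;
} wav_fmt;

/* Parse the chunk body; fails if the buffer is shorter than the PCM layout. */
bool parse_fmt(const uint8_t *buf, size_t len, wav_fmt *out) {
    if (buf == NULL || out == NULL || len < 16) return false;
    out->format_tag        = rd16(buf + 0);
    out->channels          = rd16(buf + 2);
    out->samples_per_sec   = rd32(buf + 4);
    out->avg_bytes_per_sec = rd32(buf + 8);
    out->block_align       = rd16(buf + 12);
    out->bits_per_sample   = rd16(buf + 14);
    return true;
}

/*
 * Checked 64-by-32 division. The x86 DIV instruction with EDX:EAX as the
 * dividend raises a divide-error (#DE) exception both when the divisor is
 * zero and when the quotient does not fit in EAX; in C, uint64_t / uint32_t
 * is promoted to a full 64-bit division and never faults, so the
 * "fits in 32 bits" condition must be checked explicitly before the value
 * is narrowed and used.
 */
bool checked_div_u64_u32(uint64_t dividend, uint32_t divisor, uint32_t *quotient) {
    if (divisor == 0) return false;
    uint64_t q = dividend / divisor;
    if (q > UINT32_MAX) return false;   /* would overflow a 32-bit register */
    *quotient = (uint32_t)q;
    return true;
}

/* Hypothetical 16.16 fixed-point playback rate: (avg_bytes_per_sec << 16) / block_align.
 * Assumed for illustration; not a claim about Windows Media Player's formula. */
bool compute_playback_rate(const wav_fmt *f, uint32_t *rate) {
    uint64_t scaled = (uint64_t)f->avg_bytes_per_sec << 16;
    return checked_div_u64_u32(scaled, f->block_align, rate);
}

/* Parse and validate in one step; returns false for any rejected header. */
bool validate_fmt_bytes(const uint8_t *buf, size_t len, uint32_t *rate) {
    wav_fmt f;
    *rate = 0;
    if (!parse_fmt(buf, len, &f)) return false;
    return compute_playback_rate(&f, rate);
}

/* Constructed sample chunks (not taken from any real file). */
/* 44.1 kHz, 2 channels, 16-bit PCM: avg 176400 B/s, block align 4. */
const uint8_t GOOD_FMT[16] = {
    0x01, 0x00, 0x02, 0x00, 0x44, 0xAC, 0x00, 0x00,
    0x10, 0xB1, 0x02, 0x00, 0x04, 0x00, 0x10, 0x00 };
/* Same layout but avg_bytes_per_sec = 0xFFFFFFFF and block align 1:
 * the scaled quotient no longer fits in 32 bits. */
const uint8_t OVERFLOW_FMT[16] = {
    0x01, 0x00, 0x02, 0x00, 0x44, 0xAC, 0x00, 0x00,
    0xFF, 0xFF, 0xFF, 0xFF, 0x01, 0x00, 0x10, 0x00 };
/* block align 0: the divisor-zero case. */
const uint8_t ZERO_ALIGN_FMT[16] = {
    0x01, 0x00, 0x02, 0x00, 0x44, 0xAC, 0x00, 0x00,
    0x10, 0xB1, 0x02, 0x00, 0x00, 0x00, 0x10, 0x00 };

int main(void) {
    uint32_t rate;
    printf("good:     ok=%d rate=%u\n", validate_fmt_bytes(GOOD_FMT, 16, &rate), rate);
    printf("overflow: ok=%d\n", validate_fmt_bytes(OVERFLOW_FMT, 16, &rate));
    printf("zero:     ok=%d\n", validate_fmt_bytes(ZERO_ALIGN_FMT, 16, &rate));
    return 0;
}
```

The point of the check is ordering: a parser that rejects the header before the narrowing division turns what would otherwise be an unhandled exception into a clean "unsupported file" error, which matches Microsoft's own characterisation of this as a reliability problem rather than memory corruption.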
Microsoft currently considers the problem a reliability issue with Windows Media Player, and is promising to fix it. That fix would most likely arrive in a future WMP update rather than as a Patch Tuesday security bulletin.