Cumulative Patch for Windows Media Player Released

Windows Media Player received a hefty update late Wednesday that corrects three newly discovered security vulnerabilities and contains two configuration changes. The most critical of the flaws could enable an attacker to run code on a user's system, so Microsoft recommends that all Windows users immediately install the cumulative patch for versions 6.4, 7.1 and Windows Media Player for XP.
A privilege elevation vulnerability that could allow a local user to gain administrator rights and a script execution vulnerability that could run a script of an attacker's choice at a specific time are also corrected in the update.
The patch introduces a new configuration option that allows users to disable the processing of HTML contained in a Windows Media file. Users will need to enable this feature manually if they wish to block potentially malicious code.
In addition, Windows Media Skins will no longer be associated with Windows Media Player once the patch is installed. Although Microsoft claims no vulnerability exists in skin files, the change was made to mitigate any future risk. Skins can still be downloaded and applied manually without issue, according to Microsoft.
The cumulative patch for Windows Media Player is available for download via Microsoft TechNet and through Windows Update.