Computerworld

Exploit menaces media players from Microsoft, AOL

An attack would likely be delivered via a malicious MP4 file

Attack code threatens popular media players from Microsoft and AOL, said a security expert who told Windows users to remove a buggy coder/decoder (codec) or disable the player programs.

In a weekend alert, Symantec said exploit code had been released that attacked a vulnerability in a flawed MP4 codec produced by 3ivx Technologies. Windows Media Player and Windows Media Player Classic, both from Microsoft, and Winamp Media Player, a popular alternative distributed by Nullsoft, an AOL subsidiary, use the codec.

"Exploitation of this vulnerability allows the attacker to run arbitrary code in the context of the media player," said Symantec analyst Raymond Ball in a note to customers of the company's DeepSight threat network.

The hacker who posted the code claimed that the exploit works against Windows Media Player 6.4, an older edition included with Windows 95, Windows 98 and Windows 2000, but Ball noted that because the codec is "fairly popular," other versions of Windows Media Player, as well as other player programs, may also be vulnerable. The hacker also tweaked the exploit to work against Winamp 5.32, but the current Winamp 5.5 is invulnerable to the attack.

An attack would likely be delivered via a malicious MP4 file, Ball said.

"No patch is available for the vulnerability, making this a high-threat issue," Ball added. "To mitigate this issue until a patch is available, customers are advised to remove the MP4 codec until patches are available, disable media players that use the MP4 codec and be cautious while accessing e-mail, Web content and other means of distributing media files."

Microsoft may be on the verge of patching the problem. Last Thursday, it announced that one of seven security updates scheduled for Tuesday will fix one or more unspecified flaws in Windows Media Player. It's unlikely that Microsoft will patch Version 6.4, however, since it has ended support for the operating systems using that version. But it will release a fix for Version 7.1, the edition included with Windows 2000 Service Pack 4, as well as for all later versions.