Microsoft on Monday denied reports of a critical vulnerability in its Windows Media Player. Redmond said the security researcher who reported an exploitable bug is mistaken.
Laurent Gaffie reported the bug on Christmas Eve via the Bugtraq e-mail list. Gaffie said Windows Media Player fails to handle an exceptional condition when parsing a malformed WAV, SND or MID file, and this flaw could lead to a remote integer overflow. Gaffie then offered proof-of-concept code. The bug reportedly affects all versions of Windows Media Player.
"The security researcher making the initial report didn't contact us or work with us directly, but instead posted the report along with proof-of-concept code to a public mailing list," said Christopher Budd, a spokesperson for the Microsoft Security Response Center. "After that report, other organizations picked the report up and claimed that the issue was a code-execution vulnerability in Windows Media Player. Those claims are false."
Microsoft Goes Defensive
According to Budd, Microsoft found no possibility for code execution in this issue. Although the proof-of-concept code does trigger a crash of Windows Media Player, he said the application can be restarted immediately and the crash doesn't affect the rest of the system.
"Unfortunately, the researcher chose not to come to us with this initial report. If he had, we would've done the exact same investigation we just completed," Budd said. "When we were done, we would have let [him] know what we found, asked him if he thinks we might have missed something, continued the investigation if there was more information, and ultimately closed the case if we didn't find a vulnerability. This is how we handle all of the cases we investigate with responsible researchers every year."
Even when people choose not to report issues responsibly, Budd said Microsoft follows the same process: launch an investigation to fully research the claims and take appropriate action to address any issues discovered. While Microsoft doesn't normally talk about issues that aren't vulnerabilities, Budd said the company received so many questions that it took the opportunity to respond with a thorough explanation of how it handles these issues.
"For this particular case, we actually found this issue as part of our ongoing code maintenance, and actually it's already addressed in Windows Server 2003 SP2 and will be addressed in other versions in the future," Budd said. "And we hope that the researcher will work with us directly the next time he thinks he found an issue. We always say that every new case with a security researcher starts the relationship off fresh: We're happy to work with anyone who reports an issue to us responsibly, regardless of past issues."
Applauding Microsoft's Defense
There's a difference between hypothetical security flaws and security flaws that pose a real threat. The bug Gaffie reported was hypothetical, according to Michael Gartenberg, vice president of mobile strategy for Jupitermedia, and Microsoft made a smart move in clarifying the report.
"Microsoft has taken a lot of hits in the last several years about security issues, but the company has been very good at addressing problems as they come up," Gartenberg said. "It's important for Microsoft to put these things in the proper context and make sure the stories don't get overblown to their detriment.
"Defending themselves when they are right is probably something Microsoft should be doing more of," he continued. "I applaud Microsoft for standing their ground and issuing an accurate report."