Microsoft is pouring cold water on public reports of a serious code execution vulnerability in the newest versions of its Windows Media Player software.
Following the release of proof-of-concept code alongside a claim that the bug can be remotely exploitable to launch arbitrary code, a Microsoft spokesman insists this "is not a product vulnerability."
Here's Microsoft's full statement:
Microsoft is aware of a falsely reported vulnerability in Microsoft Windows Media Player Dec. 25, 2008. Microsoft investigated the claim and found that this is not a product vulnerability. Microsoft confirmed that the reported crash is not exploitable and does not allow an attacker to execute arbitrary code, as was incorrectly claimed in the public report.
The statement follows an advisory from researcher Laurent Gaffie that a remote user can create a specially crafted WAV, SND, or MIDI file to trigger an integer overflow and execute arbitrary code on the target system.
Gaffie claims the bug affects all versions of the media player, including WMP 11.
Jonathan Ness from Microsoft's SWI team provides more details on why this bug isn't exploitable and says it was already discovered internally and slated for fixing in a future service pack:
We found this already through our internal fuzzing efforts. It was correctly triaged at the time as a reliability issue with no security risk to customers. We do like to get these reliability issues fixed in a future service pack or a future version of the platform whenever possible. This particular bug, for example, has already been fixed in Windows Server 2003 Service Pack 2.
On the MSRC blog, Christopher Budd laments the fact that the researcher went public with an advisory instead of reporting it directly to Microsoft.
* Image source: LuChOeDu Flickr photostream (Creative Commons 2.0)