eEye Digital Security, one of the leading developers of endpoint security and vulnerability management software solutions, today announced the discovery of a critical security risk related to Microsoft Windows Media Player.
Unless immediately resolved, this flaw allows attackers to take complete control of an affected system and execute harmful actions remotely, including installing programs and viewing, changing or deleting data. In addition, eEye's world-class research team has identified this vulnerability as part of a growing trend of attacks that target consumer-oriented applications rather than the operating system itself.
Marc Maiffret, eEye's co-founder and chief hacking officer, said,
"As we saw last month with the flaws patched by Apple for its iTunes and QuickTime applications, attack methods are increasingly targeting applications that are widely used by consumers both on the job and for personal use. Given the enormous installed base of the affected program, individuals and enterprises need to address this particular vulnerability immediately. Deploying a non-signature-based, multi-layered intrusion prevention system such as eEye's Blink is a necessity in today's business environments."
The vulnerability exists due to an unchecked buffer in Windows Media Player that allows a malicious bitmap file (BMP) to be used to execute commands on a remote system in the context of the logged-in user. This flaw affects Media Player versions 7.1 through 10 running on the following Windows operating systems: Windows NT, Windows 2000 SP4, Windows XP SP1 and SP2, and Windows 2003.
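The class of bug described above, an unchecked buffer reached through a crafted BMP file, is the kind a content gateway or mail filter can screen for before a file ever reaches a vulnerable decoder. The following is an added example and is not code from eEye, Microsoft or the advisory itself; the page does not say which BMP header field Media Player failed to check, so the checker below validates every size the two standard BMP headers declare (info header length, palette entry count, pixel data offset, pixel data length) against the bytes actually present. The `MAX_DIM` limit is a constructed policy value, and `make_bmp` only builds constructed sample files for testing.

```python
import struct

# Layout of the two fixed headers at the start of every BMP file.
FILE_HDR = struct.Struct("<2sIHHI")        # bfType, bfSize, bfReserved1, bfReserved2, bfOffBits
INFO_HDR = struct.Struct("<IiiHHIIiiII")   # biSize, biWidth, biHeight, biPlanes, biBitCount,
                                           # biCompression, biSizeImage, biXPelsPerMeter,
                                           # biYPelsPerMeter, biClrUsed, biClrImportant
BI_RGB = 0
MAX_DIM = 1 << 15            # constructed policy limit on width/height, not a format rule
VALID_BPP = {1, 4, 8, 16, 24, 32}


def row_stride(width, bpp):
    """Bytes per scanline, padded to a 4-byte boundary as the BMP format requires."""
    return ((width * bpp + 31) // 32) * 4


def validate_bmp(data):
    """Return (ok, reason). Every size the header declares is checked against what the
    file actually contains, i.e. the checks a safe decoder must do before it allocates
    a buffer or copies into one."""
    if len(data) < FILE_HDR.size + INFO_HDR.size:
        return False, "truncated header"
    magic, _bf_size, _r1, _r2, off_bits = FILE_HDR.unpack_from(data, 0)
    if magic != b"BM":
        return False, "bad magic"
    (bi_size, width, height, planes, bpp, compression,
     _size_image, _xppm, _yppm, clr_used, _clr_imp) = INFO_HDR.unpack_from(data, FILE_HDR.size)
    if bi_size < INFO_HDR.size or FILE_HDR.size + bi_size > len(data):
        return False, "info header size inconsistent with file"
    if planes != 1 or bpp not in VALID_BPP:
        return False, "unsupported planes/bit depth"
    if compression != BI_RGB:
        return False, "compressed BMP not accepted by this checker"
    if width <= 0 or height == 0 or width > MAX_DIM or abs(height) > MAX_DIM:
        return False, "dimensions out of range"
    # Palette: a decoder that sizes its palette buffer from the bit depth but copies
    # biClrUsed entries overruns that buffer whenever biClrUsed > 2**biBitCount.
    if bpp <= 8:
        max_entries = 1 << bpp
        if clr_used > max_entries:
            return False, "biClrUsed exceeds palette capacity for bit depth"
        entries = clr_used or max_entries
    else:
        entries = 0                      # palette is optional above 8 bpp; ignored here
    palette_end = FILE_HDR.size + bi_size + entries * 4
    if off_bits < palette_end or off_bits > len(data):
        return False, "pixel data offset overlaps headers or lies past end of file"
    # Python ints do not wrap, so width * height * bpp cannot silently overflow here,
    # unlike a 32-bit size computation in a native decoder.
    needed = row_stride(width, bpp) * abs(height)
    if needed > len(data) - off_bits:
        return False, "declared image larger than remaining file"
    return True, "ok"


def make_bmp(width, height, bpp=24, clr_used=0, pixel_bytes=None, off_bits=None):
    """Build a constructed BMP byte string for exercising the checker (not a real file)."""
    entries = (clr_used or (1 << bpp)) if bpp <= 8 else 0
    palette = b"\x00" * (4 * entries)
    if pixel_bytes is None:
        pixel_bytes = b"\x00" * (row_stride(width, bpp) * abs(height))
    if off_bits is None:
        off_bits = FILE_HDR.size + INFO_HDR.size + len(palette)
    info = INFO_HDR.pack(INFO_HDR.size, width, height, 1, bpp, BI_RGB,
                         len(pixel_bytes), 2835, 2835, clr_used, 0)
    head = FILE_HDR.pack(b"BM", off_bits + len(pixel_bytes), 0, 0, off_bits)
    return head + info + palette + pixel_bytes


if __name__ == "__main__":
    print(validate_bmp(make_bmp(2, 2)))                                   # well-formed 2x2 image
    print(validate_bmp(make_bmp(2, 2, bpp=8, clr_used=0x10000)))          # oversized palette count
    print(validate_bmp(make_bmp(4000, 4000, pixel_bytes=b"\x00" * 16)))   # header promises more than file holds
    print(validate_bmp(make_bmp(2, 2, off_bits=1000)))                    # pixel offset beyond end of file
```

Each rejection corresponds to a header value that a decoder would otherwise trust when sizing or indexing a buffer; running a check like this at a gateway does not fix the decoder, but it keeps inconsistent files from reaching it and gives a log line to alert on.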
Over the last five years, eEye has been recognized by industry experts as the preeminent organization in the discovery of the most critical vulnerabilities in various platforms and applications, including the vulnerabilities subsequently leveraged by the Sasser, Witty, Code Red and Sapphire worms, as well as the Microsoft ASN vulnerability and hundreds of other important discoveries.
UPDATE: Internet Threat updated to Level 2