Feeds

MS gets hacked off with bug hunter

Windows Media Player exploit publicised before patch available

  • alert
  • submit to reddit

Remote control for virtualized desktops

A row has broken out between Microsoft and veteran bug hunter Georgi Guninski after he publicised a vulnerability with Windows Media Player 7 before a software patch was available.

As previously reported, a vulnerability involving the "skins" feature of the application exists which could allow hackers to read files on a victim's PC. According to Guninski, if the bug is properly exploited it could allow an attacker to gain control of a victim's machine.

Microsoft is working on a fix that it said will provide a complete solution to the problem. In the interim it is advising users to change their security zone settings within Internet Explorer (as described below).

Michael Aldridge, a lead product manager in Microsoft's digital media division, told The Register that Guninski had only given the software giant a few days notice and said he acted "irresponsibly" in publicising the flaw.

"The vast majority of security professionals handle vulnerabilities in a way that minimises potential harm to users. Unfortunately, there's a small number who, like Mr. Guninski, handle them irresponsibly and put customers at risk," he said.

"In this case, for instance, he publicised the issue only a few days after reporting it to us. It is simply not possible for any vendor - even Microsoft - to develop a high-quality patch in only a few days - our focus is making sure we deliver a complete patch and that does take time and testing."

Guninski said he notified Microsoft on Thursday, January 11 not January 12 and then published an advisory on Monday. He denies he acted irresponsibly, because a workaround was available, and alleged that Microsoft has not fixed another Internet Explorer bug he notified them about as long ago as last July.

"I totally do not agree with Microsoft's speculations that I am the problem for their buggy software. In my opinion they do not care about the security of their customers as they claim, they care about their image in the press," he said.

Guninski has a penchant for uncovering flaws in Internet Explorer and the row about Windows Media Player is not the first time he has clashed swords with Microsoft. Previous Guninski posting of flaws with Microsoft software on full disclosure security mailing list like BugTraq have attracted criticism from Microsoft over short notice periods, but the latest row signals a new low in the software giant's relationship with the veteran Bulgarian bug hunter. ®

Advice from Microsoft on how users can protect themselves from the Windows Media Player vulnerability:

From the tools menu in IE, choose "Internet Options" then the "Security" tab. Select "Internet Zone". Then click on "Custom Level". Under the "Microsoft VM" option list under java permissions click the "java custom settings" button, and choose to disable "run unsigned content".

Related stories

Guninski finds another IE 5.5 security hole
M$ moves slowly to patch latest IE5.5 hole
Previous Mediaplayer 7 security flaw
Woundup New skins for WMP7, IE6 beta due?
Windows Media Player 7 goes gold, browser wars II to follow

Internet Security Threat Report 2014

More from The Register

next story
Download alert: Nearly ALL top 100 Android, iOS paid apps hacked
Attack of the Clones? Yeah, but much, much scarier – report
NSA SOURCE CODE LEAK: Information slurp tools to appear online
Now you can run your own intelligence agency
Microsoft: Your Linux Docker containers are now OURS to command
New tool lets admins wrangle Linux apps from Windows
Facebook, working on Facebook at Work, works on Facebook. At Work
You don't want your cat or drunk pics at the office
Soz, web devs: Google snatches its Wallet off the table
Killing off web service in 3 months... but app-happy bonkers are fine
First in line to order a Nexus 6? AT&T has a BRICK for you
Black Screen of Death plagues early Google-mobe batch
prev story

Whitepapers

Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Designing and building an open ITOA architecture
Learn about a new IT data taxonomy defined by the four data sources of IT visibility: wire, machine, agent, and synthetic data sets.
How to determine if cloud backup is right for your servers
Two key factors, technical feasibility and TCO economics, that backup and IT operations managers should consider when assessing cloud backup.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.