Feeds

MS gets hacked off with bug hunter

Windows Media Player exploit publicised before patch available

  • alert
  • submit to reddit

Build a business case: developing custom apps

A row has broken out between Microsoft and veteran bug hunter Georgi Guninski after he publicised a vulnerability with Windows Media Player 7 before a software patch was available.

As previously reported, a vulnerability involving the "skins" feature of the application exists which could allow hackers to read files on a victim's PC. According to Guninski, if the bug is properly exploited it could allow an attacker to gain control of a victim's machine.

Microsoft is working on a fix that it said will provide a complete solution to the problem. In the interim it is advising users to change their security zone settings within Internet Explorer (as described below).

Michael Aldridge, a lead product manager in Microsoft's digital media division, told The Register that Guninski had only given the software giant a few days notice and said he acted "irresponsibly" in publicising the flaw.

"The vast majority of security professionals handle vulnerabilities in a way that minimises potential harm to users. Unfortunately, there's a small number who, like Mr. Guninski, handle them irresponsibly and put customers at risk," he said.

"In this case, for instance, he publicised the issue only a few days after reporting it to us. It is simply not possible for any vendor - even Microsoft - to develop a high-quality patch in only a few days - our focus is making sure we deliver a complete patch and that does take time and testing."

Guninski said he notified Microsoft on Thursday, January 11 not January 12 and then published an advisory on Monday. He denies he acted irresponsibly, because a workaround was available, and alleged that Microsoft has not fixed another Internet Explorer bug he notified them about as long ago as last July.

"I totally do not agree with Microsoft's speculations that I am the problem for their buggy software. In my opinion they do not care about the security of their customers as they claim, they care about their image in the press," he said.

Guninski has a penchant for uncovering flaws in Internet Explorer and the row about Windows Media Player is not the first time he has clashed swords with Microsoft. Previous Guninski posting of flaws with Microsoft software on full disclosure security mailing list like BugTraq have attracted criticism from Microsoft over short notice periods, but the latest row signals a new low in the software giant's relationship with the veteran Bulgarian bug hunter. ®

Advice from Microsoft on how users can protect themselves from the Windows Media Player vulnerability:

From the tools menu in IE, choose "Internet Options" then the "Security" tab. Select "Internet Zone". Then click on "Custom Level". Under the "Microsoft VM" option list under java permissions click the "java custom settings" button, and choose to disable "run unsigned content".

Related stories

Guninski finds another IE 5.5 security hole
M$ moves slowly to patch latest IE5.5 hole
Previous Mediaplayer 7 security flaw
Woundup New skins for WMP7, IE6 beta due?
Windows Media Player 7 goes gold, browser wars II to follow

Secure remote control for conventional and virtual desktops

More from The Register

next story
Why has the web gone to hell? Market chaos and HUMAN NATURE
Tim Berners-Lee isn't happy, but we should be
Microsoft boots 1,500 dodgy apps from the Windows Store
DEVELOPERS! DEVELOPERS! DEVELOPERS! Naughty, misleading developers!
'Stop dissing Google or quit': OK, I quit, says Code Club co-founder
And now a message from our sponsors: 'STFU or else'
Apple promises to lift Curse of the Drained iPhone 5 Battery
Have you tried turning it off and...? Never mind, here's a replacement
Linux turns 23 and Linus Torvalds celebrates as only he can
No, not with swearing, but by controlling the release cycle
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
This is how I set about making a fortune with my own startup
Would you leave your well-paid job to chase your dream?
prev story

Whitepapers

Top 10 endpoint backup mistakes
Avoid the ten endpoint backup mistakes to ensure that your critical corporate data is protected and end user productivity is improved.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Backing up distributed data
Eliminating the redundant use of bandwidth and storage capacity and application consolidation in the modern data center.
The essential guide to IT transformation
ServiceNow discusses three IT transformations that can help CIOs automate IT services to transform IT and the enterprise
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.