
MS gets hacked off with bug hunter

Windows Media Player exploit publicised before patch available


A row has broken out between Microsoft and veteran bug hunter Georgi Guninski after he publicised a vulnerability with Windows Media Player 7 before a software patch was available.

As previously reported, a vulnerability in the application's "skins" feature could allow hackers to read files on a victim's PC. According to Guninski, if the bug is properly exploited it could allow an attacker to gain control of a victim's machine.

Microsoft is working on a fix that it said will provide a complete solution to the problem. In the interim it is advising users to change their security zone settings within Internet Explorer (as described below).

Michael Aldridge, a lead product manager in Microsoft's digital media division, told The Register that Guninski had given the software giant only a few days' notice and said he acted "irresponsibly" in publicising the flaw.

"The vast majority of security professionals handle vulnerabilities in a way that minimises potential harm to users. Unfortunately, there's a small number who, like Mr. Guninski, handle them irresponsibly and put customers at risk," he said.

"In this case, for instance, he publicised the issue only a few days after reporting it to us. It is simply not possible for any vendor - even Microsoft - to develop a high-quality patch in only a few days - our focus is making sure we deliver a complete patch and that does take time and testing."

Guninski said he notified Microsoft on Thursday, January 11, not January 12, and then published an advisory on Monday. He denies he acted irresponsibly, because a workaround was available, and alleged that Microsoft has not fixed another Internet Explorer bug he notified them about as long ago as last July.

"I totally do not agree with Microsoft's speculations that I am the problem for their buggy software. In my opinion they do not care about the security of their customers as they claim, they care about their image in the press," he said.

Guninski has a penchant for uncovering flaws in Internet Explorer, and the row about Windows Media Player is not the first time he has crossed swords with Microsoft. Guninski's previous postings of flaws in Microsoft software to full-disclosure security mailing lists like BugTraq have attracted criticism from Microsoft over short notice periods, but the latest row signals a new low in the software giant's relationship with the veteran Bulgarian bug hunter. ®

Advice from Microsoft on how users can protect themselves from the Windows Media Player vulnerability:

From the Tools menu in IE, choose "Internet Options", then the "Security" tab. Select "Internet Zone". Then click on "Custom Level". Under the "Microsoft VM" option, in the list under Java permissions, click the "Java custom settings" button, and choose to disable "run unsigned content".

Related stories

Guninski finds another IE 5.5 security hole
M$ moves slowly to patch latest IE5.5 hole
Previous Mediaplayer 7 security flaw
Woundup New skins for WMP7, IE6 beta due?
Windows Media Player 7 goes gold, browser wars II to follow
