Feeds

MS gets hacked off with bug hunter

Windows Media Player exploit publicised before patch available

  • alert
  • submit to reddit

HP ProLiant Gen8: Integrated lifecycle automation

A row has broken out between Microsoft and veteran bug hunter Georgi Guninski after he publicised a vulnerability with Windows Media Player 7 before a software patch was available.

As previously reported, a vulnerability involving the "skins" feature of the application exists which could allow hackers to read files on a victim's PC. According to Guninski, if the bug is properly exploited it could allow an attacker to gain control of a victim's machine.

Microsoft is working on a fix that it said will provide a complete solution to the problem. In the interim it is advising users to change their security zone settings within Internet Explorer (as described below).

Michael Aldridge, a lead product manager in Microsoft's digital media division, told The Register that Guninski had only given the software giant a few days notice and said he acted "irresponsibly" in publicising the flaw.

"The vast majority of security professionals handle vulnerabilities in a way that minimises potential harm to users. Unfortunately, there's a small number who, like Mr. Guninski, handle them irresponsibly and put customers at risk," he said.

"In this case, for instance, he publicised the issue only a few days after reporting it to us. It is simply not possible for any vendor - even Microsoft - to develop a high-quality patch in only a few days - our focus is making sure we deliver a complete patch and that does take time and testing."

Guninski said he notified Microsoft on Thursday, January 11 not January 12 and then published an advisory on Monday. He denies he acted irresponsibly, because a workaround was available, and alleged that Microsoft has not fixed another Internet Explorer bug he notified them about as long ago as last July.

"I totally do not agree with Microsoft's speculations that I am the problem for their buggy software. In my opinion they do not care about the security of their customers as they claim, they care about their image in the press," he said.

Guninski has a penchant for uncovering flaws in Internet Explorer and the row about Windows Media Player is not the first time he has clashed swords with Microsoft. Previous Guninski posting of flaws with Microsoft software on full disclosure security mailing list like BugTraq have attracted criticism from Microsoft over short notice periods, but the latest row signals a new low in the software giant's relationship with the veteran Bulgarian bug hunter. ®

Advice from Microsoft on how users can protect themselves from the Windows Media Player vulnerability:

From the tools menu in IE, choose "Internet Options" then the "Security" tab. Select "Internet Zone". Then click on "Custom Level". Under the "Microsoft VM" option list under java permissions click the "java custom settings" button, and choose to disable "run unsigned content".

Related stories

Guninski finds another IE 5.5 security hole
M$ moves slowly to patch latest IE5.5 hole
Previous Mediaplayer 7 security flaw
Woundup New skins for WMP7, IE6 beta due?
Windows Media Player 7 goes gold, browser wars II to follow

The Power of One eBook: Top reasons to choose HP BladeSystem

More from The Register

next story
Apple fanbois SCREAM as update BRICKS their Macbook Airs
Ragegasm spills over as firmware upgrade kills machines
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
NO MORE ALL CAPS and other pleasures of Visual Studio 14
Unpicking a packed preview that breaks down ASP.NET
Captain Kirk sets phaser to SLAUGHTER after trying new Facebook app
William Shatner less-than-impressed by Zuck's celebrity-only app
Cheer up, Nokia fans. It can start making mobes again in 18 months
The real winner of the Nokia sale is *drumroll* ... Nokia
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
EU dons gloves, pokes Google's deals with Android mobe makers
El Reg cops a squint at investigatory letters
Chrome browser has been DRAINING PC batteries for YEARS
Google is only now fixing ancient, energy-sapping bug
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Reducing security risks from open source software
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.