Researchers reckon a security bug in Windows Media Player creates a means for hackers to inject hostile code onto vulnerable systems. However Microsoft has denied this, saying that the bug only creates a means to crash the software without posing a more damaging security risk.

The WMP integer overflow bug reportedly kicks in when the media player attempts to process maliciously constructed WAV, SND, or MIDI files. Security researchers have created proof of concept code demonstrating the vulnerability, the SANS Institute's Internet Storm Centre reports.

Fully patched Windows XP systems running either Windows Media Player 9 and 11 are each potentially vulnerable, according to tests by SecurityTracker. Other configurations may also be affected.

In a posting on Microsoft's Security Response blog, Redmond's security gnomes downplay the seriousness of the flaw, criticising researchers for spooking the internet community with what Microsoft charecterises as a premature disclosure. ®

Related stories

• Apple media server rumored for Macworld Expo (30 December 2008)
• iPlayer finally makes friendly with Mac and Linux (19 December 2008)
• Bumper MS patch batch spells client-side misery (10 December 2008)
• Updated In-the-wild attacks find hole in (fully-patched) IE 7 (9 December 2008)
• MS dreams big as IE 6 for Windows Mobile nears (13 November 2008)