Security Flaw Discovered in Windows Media Player 7
November 23, 2000
LONDON, Nov 3, 2000 (BUSINESS WIRE) GFI, developer of email content checking & network security software, has discovered a security flaw within Windows Media Player 7 which allows a malicious user to run arbitrary code on a victim's machine as it attempts to view a web site or an HTML email.
GFI has notified Microsoft Corp., which issued an advisory (Microsoft security Bulletin number MS00-090).
Windows Media Player 7 is included by default on Windows Millennium Editions and is available from Microsoft for free. It includes skinning capabilities that allow it to change interface. GFI has found that this can be exploited to execute code on remote machines.
"The exploit works simply by opening an email on a machine which includes Windows Media Player 7 and on which HTML scripts are allowed, or by browsing a malicious site," warned GFI security engineer, Sandro Gauci.
"This can be done automatically with an email content checking gateway such as Mail essentials. HTML tags and dangerous attachments will be removed automatically at server level and therefore network admins need not worry about their users receiving malicious attachments or html mails," pointed out Nick Galea, GFI CEO.
GFI (http://www.gfi.com/bwmp7mes.shtml) develops communications and security software for Windows NT/2000 and has six offices in the US, UK, Germany, France, Australia and Malta. GFI's product range includes FAXmaker, Mail essentials and LANguard. GFI's customers include Microsoft, BMW, the US IRS, NASA and many more.
CONTACT: GFI, Stephen Chetcuti Bonavita, +356 382418, FAX: +356 382419