Microsoft has brushed off claims that a vulnerability has been identified in all versions of Microsoft Windows Media Player.
Christopher Budd, Microsoft security program manager, claimed that a report was posted by an anonymous security researcher on Christmas Eve. After the report was posted, the Microsoft team looked into it. Budd claimed that although the proof-of-concept code does trigger a crash of Windows Media Player, the application can be restarted right away and the crash doesn't affect the rest of the system, so there is no possibility of code execution in this issue.
Budd was also critical of the researcher, who he claimed ‘didn't contact us or work with us directly but instead posted the report along with proof of concept code to a public mailing list. After that report, other organizations picked the report up and claimed that the issue was a code execution vulnerability in Windows Media Player.’
Budd said: “Unfortunately, the researcher chose not to come to us with this initial report. If he had, we would've done the exact same investigation we just completed. When we were done, we would have let them know what we found, asked him if he thinks we might have missed something, continued the investigation if there was more information and ultimately closed the case if we didn't find a vulnerability.
“While we don't normally talk publicly about issues that aren't vulnerabilities, we've gotten enough questions about this that it seemed a good chance to both answer those questions and explain some more of how we do things in the MSRC.”
He further explained that the center found this issue as part of its ongoing code maintenance and that it is already addressed in Windows Server 2003 SP2 and will be addressed in other versions in the future.