Windows Media Player hole called severe Thu Jun 27,12:14 PM ET
Andrew Colley

MELBOURNE, Australia--Melbourne-based IT firm, itSecure, today issued a strong warning to users of recent version Windows Media Player to download software from Microsoft to patch the application's security ( news - external web site) hole.

"Download and install the patch ASAP," advised itSecure's chief security officer, Raoul Wegat.

According to itSecure, the risks associated with failing to patch the alleged weakness are severe.

Wegat said that itSecure rates the alleged vulnerability as severe, as it could allow hackers to run code on the victim's computer.

"Microsoft haven't released any details about it but an attacker can run code of his or her choice on a vulnerable system," said Wegat. "That basically means that an attacker may be able to take over the system".

According itSecure, users running unpatched versions of Windows that don't have inbuilt user-based security access--as is found in Windows NT, Windows 2000 ( news - web sites) and Windows XP ( news - web sites)--are most at risk of an attack.

That would mean that Windows 98 ( news - web sites), common in office and home environments, is the Windows offering that is most vulnerable to attack.

Wegat couldn't say how often itSecure would attach a severe rating to its security alerts but said that it was becoming all-too-often when it comes to Microsoft products.

Missed the newsletter

Wegat said he doesn't know who discovered the vulnerability but that Microsoft has handled its discovery "very discreetly".

"There's been no posting of the problem on any of the security lists or forums so the person that's found the problem has gone straight to Microsoft," said Wegat.

Microsoft's marketing manager for desktop, Paul Roworth, said the company wasted no time in notifying the public of the security flaw through the Microsoft.com knowledge base.

Unfortunately, said Roworth, the public disclosure of the vulnerability fell two days to the wrong side of the approval deadline for the company's fortnightly, 250,000-subscriber security newsletter.

Roworth claims he couldn't pinpoint exactly when the vulnerability first came to Microsoft's attention.

According to Roworth, Microsoft Australia is partially dependent on journalists and interested parties that pro-actively subscribe to its security newsletters and bulletins to inform customers of vulnerabilities in its products.

"In Australia we've got to be cognitive of things like privacy laws," said Roworth. "We have to ensure we are notifying customers that have indicated that they want to be kept up to date by Microsoft".

Back To The Study