|
DISCLAIMER: Installing computer monitoring tools on computers you do not own or do not have permission to monitor may violate local, state or federal law.
Logging other people's keystrokes or breaking
into other people's computer without their permission can
be considered illegal by the courts of many countries.
The monitoring software reviewed here is ONLY for authorized
system administrators and/or owners of computers.
We assume no liability and are not responsible for any misuse
or damage caused by the keylogging software. The end user of
this software is obliged to obey all applicable local, state,
federal and other laws in his country of residence.
December 30th, 2008
Microsoft downplays Windows Media Player bug
Microsoft Corp. today dismissed reports of a critical vulnerability in its Windows Media Player, saying that the researcher who claims the bug could be exploited is wrong.
The flaw is a "reliability issue with no security risk to customers," Microsoft researchers said.
According to researcher Laurent Gaffi, the vulnerability could be used by hackers armed with malformed .wav, .snd, or .mid audio files to compromise a PC running Windows XP or Vista.
Several editions of Windows Media Player, including Versions 9, 10 and the newest, 11, are vulnerable, Gaffi reported in his disclosure on Dec. 24 to the Bugtraq security mailing list. Gaffi also included proof-of-concept attack code that he said would allow remote code execution.
Microsoft disputed Gaffi's findings, and took him to task for publishing information about the vulnerability before he reported it to company security researchers.
"[Gaffi's] claims are false," said Christopher Budd, a spokesman for the Microsoft Security Response Center in a Monday afternoon post to the MSRC's blog. "We've found no possibility for code execution in this issue."
Budd acknowledged that Gaffi's sample exploit crashes Windows Media Player, but said that the program can be restarted without affecting the rest of the system.
Microsoft researchers with the company's Security Vulnerability Research and Defense (SVRD) group spelled out the impact of Gaffi's exploit in more technical detail in a separate blog entry Monday.
"This bug cannot be leveraged for arbitrary code execution," say Jonathan Ness and Fermin Serna of the SVRD team. Ness and Serna said company researchers had found the bug earlier, and fixed it in at least one version of its server software.
"We found this already through our internal fuzzing efforts," they said. "It was correctly triaged at the time as a reliability issue with no security risk to customers."
"We do like to get these reliability issues fixed in a future service pack or a future version of the platform whenever possible. This particular bug, for example, has already been fixed in Windows Server 2003 Service Pack 2," Ness and Serna said.
Microsoft has been wrong before when it has denied that a flaw can be exploited. Last April, for example, the company had to backtrack, and issue a security advisory, about a Windows vulnerability it had denied was a bug just three weeks before.
Although that vulnerability has been actively exploited since mid-October, Microsoft has yet to plug the hole.
Source: ComputerWorld
All news for September, 2009
All news for 2009 year
All news for 2008 year
All news for 2007 year
All news for 2006 year
All news for 2005 year
All news for 2004 year
DONATION: www.Anti-Keylogger.Org and www.Keylogger.Org is an independent research projects supported by a team of enthusiasts. If you find this project useful and would like to help foster its continued development, please consider making a donation.  Thanks in advance for your support! |
