RealTime IT News

Beware Those WMP Skins

Microsoft has given its maximum security rating to a flaw in the way 'skin' files are downloaded in some versions of its Windows Media Player (WMP).

The software giant said the security hole was detected in WMP version 7.1 and WMP for Windows XP version 8.0 and could allow an attacker to "force a file masquerading as a skin file" into a user's system.

Microsoft's latest WMP 9 Series is not affected by this vulnerability.

A critical security alert warned that the vulnerability would allow an attacker to place a "malicious executable" on a susceptible system.

Skins, which are used to change the overall appearance of the media player, are custom overlays that consist of collections of one or more files of computer art, organized by an XML file. The XML file tells WMP how to use the files to display a skin as determined by the user. The security flaw exists in the way the skin files are downloaded.

Microsoft said an attacker could exploit the hole by hosting a malicious Web site containing a Web page designed to take advantage of this particular vulnerability. The user would have to visit that site to be at the mercy of an attacker, the company cautioned.

It's not the first time that holes have been found in popular media players. Last month, researchers warned of serious security holes in RealNetworks' RealOne and Apple's QuickTime media players.

Those vulnerabilities, which were not related, affect the way the media players read certain file types and could leave susceptible systems open to intrusion.

Back in July, Microsoft also issued a cumulative patch to fix three flaws in the WMP software.