eEye: Discovered Critical Flaw in Windows Media Player

ALISO VIEJO, CA – eEye Digital Security®, the leading developer of endpoint security and vulnerability management software solutions, as well as the industry’s foremost contributor to security research and education, today announced the discovery of a critical security risk related to Microsoft (NASDAQ: MSFT) Windows Media® Player. Unless immediately resolved, this flaw allows attackers to take complete control of an affected system and execute harmful action remotely, including installing programs, viewing, changing or deleting data. In addition, eEye’s world-class research team has identified this vulnerability as part of a growing trend of attacks that target consumer-oriented applications rather than the operating system itself.

“As we saw last month with the flaws patched by Apple for its iTunes and QuickTime applications, attack methods are increasingly targeting applications that are widely used by consumers both on the job and for personal use,” said Marc Maiffret, eEye’s co-founder and chief hacking officer. “Given the enormous installed base of the affected program, individuals and enterprises need to address this particular vulnerability immediately. Deploying a non-signature-based, multi-layered intrusion prevention system such as eEye’s Blink is a necessity in today’s business environments.”

The vulnerability exists due to an unchecked buffer in Windows Media Player that allows a malicious bitmap file (BMP) to be used to execute commands on a remote system, in the context of a logged-in user. This flaw affects Media Player versions 7.1 through 10 that run on the following Windows operating systems: Windows NT, Windows 2000 SP4, Windows XP SP1 and 2, and Windows 2003. Unlike signature-based solutions, such as anti-virus or behavior-based solutions, the advantage for Blink customers is its unique approach to preemptive protection. Blink customers aren’t required to do anything further to realize protection from this flaw, as protection is already in place and no updates or policy changes are required. For those interested in reducing IT costs by adhering to regularly scheduled protection policies, thereby eliminating panic patching and maintaining business continuity, an evaluation version of Blink is available for download on eEye’s website: http://www.eeye.com/blink.

Over the last five years, eEye has been recognized by industry experts as the preeminent organization in the discovery of the most critical vulnerabilities in various platforms and applications, including the vulnerabilities subsequently leveraged by the Sasser, Witty, Code Red and Sapphire worms, as well as the Microsoft ASN vulnerability and hundreds of other important discoveries. This expertise gives eEye a distinct advantage in designing risk management software solutions for the assessment, remediation and prevention of vulnerabilities and the attacks that leverage them. While Microsoft is addressing seven vulnerabilities with this month’s patch update, eEye’s upcoming advisories’ page continues to list three other flaws related to Microsoft platforms, two of which are also considered to be high risk, as they can be remotely exploited. The oldest vulnerability in that list was discovered and reported 225 days ago, a fact that is worrisome for network administrators, but of no concern for eEye customers benefiting from Blink’s technology. For more information about upcoming advisories, please visit http://www.eeye.com/html/research/upcoming advisories.

As a service to the network security community, eEye’s Research Team, headed by Maiffret, conducts a Vulnerability Expert Forum during the second week of every month. These web seminars enable participants to stay current on the potential risks and remediation requirements, such as those announced today, by exploring the effect that high-risk vulnerabilities and exploits have on network environments and infrastructures. To register for the February Vulnerability Expert Forum, please visit http://www.eeye.com/html/company/events.

In addition to serving the security community, these events also function as an educational venue for eEye’s channel partners to learn about issues their enterprise customers are facing and what technologies can be utilized to better serve them. eEye’s channel program serves as one of the largest and most comprehensive networks within the vulnerability management market, with more than 300 reseller and services partners in over 70 countries. eEye’s commitment to the channel extends to its successful relationships with leading security-focused resellers, solution providers and system integrators-all of who are able to enhance their product portfolios with eEye’s award-winning risk management solutions. The collaboration of eEye and its partners expands its collective global reach, thereby enhancing network security and mitigating risk for businesses of all sizes. For more information on eEye’s Partner Network, please visit http://www.eeye.com/html/Partners.

About eEye Digital Security

eEye Digital Security is the leading developer of endpoint security and vulnerability management software solutions, as well as the industry’s foremost contributor to security research and education. eEye’s award-winning software products provide a complete vulnerability management solution that addresses the full lifecycle of security threats: before, during and after attacks. eEye’s customers, Citigroup and US Department of Defense, represent the largest deployments of vulnerability assessment and prevention technology in the private and public sector. eEye protects the networks and digital assets of more than 8,500 corporate and government deployments worldwide, including EDS, Avon, Continental Airlines, Dow Jones, Prudential, University of Miami, Viacom, Vodafone, Warner Music and Wyeth. Founded in 1998, eEye Digital Security is a privately held, venture-backed firm with headquarters in Orange County, California. For more information, please go to www.eEye.com.