WMP users are exposed to IE flaws

A security researcher Petko D. Petkov, has found a way to be exposed to Internet Explorer‘s flaws without using it as a default browser. The flaw exists in Windows Media Player‘s meta files, such as .asx, that have the parameter „HTMLview“.

When a user runs a media file on WMP, it may open a webpage, most commonly containing information on the particular media. The problem is that WMP uses Internet Explorer to open these websites, even if it is not your default browser. This exposes you to the huge number of Internet Explorer‘s flaws and, assuming that a hacker has changed the „HTMLview“ parameter to direct the user to a website containing malicious code, the probability of infection is very high.
There are ways of protecting yourself from these problems, such as updating to WMP version 10 or 11 rather than using 9 (the default for WinXP Service Pack 2) or patching your Internet Explorer.

Of course, probably the best way is not to use WMP whatsoever, since it‘s not a great player to begin with.

Petkov has recently been flaw hunting in media meta files and has already nailed such meta files as QTL, a QuickTime format exploited in a recent vulnerability.

Other WMP meta files include .wax, .wvx and .wmx.

Articles