eEye Digital Security Discovers Critical Flaw in Windows Media Player; Vulnerability Discovered by Security Leader eEye Indicative of Growing Number of Attacks Targeting Consumer-Oriented Applications.


ALISO VIEJO, Calif. -- eEye Digital Security(R), the leading developer of endpoint security and vulnerability management software solutions, as well as the industry's foremost contributor to security research and education, today announced the discovery of a critical security risk related to Microsoft (Nasdaq:MSFT) Windows Media(R) Player. Unless immediately resolved, this flaw allows attackers to take complete control of an affected system and execute harmful action remotely, including installing programs, viewing, changing or deleting data. In addition, eEye's world-class research team has identified this vulnerability as part of a growing trend of attacks that target consumer-oriented applications rather than the operating system itself.

"As we saw last month with the flaws patched by Apple for its iTunes and QuickTime applications, attack methods are increasingly targeting applications that are widely used by consumers both on the job and for personal use," said Marc Maiffret, eEye's co-founder and chief hacking officer. "Given the enormous installed base of the affected program, individuals and enterprises need to address this particular vulnerability immediately. Deploying a non-signature-based, multi-layered intrusion prevention system such as eEye's Blink is a necessity in today's business environments."

The vulnerability exists due to an unchecked buffer in Windows Media Player that allows a malicious bitmap file (BMP) to be used to execute commands on a remote system, in the context of a logged-in user. This flaw affects Media Player versions 7.1 through 10 that run on the following Windows operating systems: Windows NT, Windows 2000 SP4, Windows XP SP1 and 2, and Windows 2003. Unlike signature-based solutions, such as anti-virus or behavior-based solutions, the advantage for Blink customers is its unique approach to preemptive protection. Blink customers aren't required to do anything further to realize protection from this flaw, as protection is already in place and no updates or policy changes are required. For those interested in reducing IT costs by adhering to regularly scheduled protection policies, thereby eliminating panic patching and maintaining business continuity, an evaluation version of Blink is available for download on eEye's website: http://www.eEye.com/Blink.

Over the last five years, eEye has been recognized by industry experts as the preeminent organization in the discovery of the most critical vulnerabilities in various platforms and applications, including the vulnerabilities subsequently leveraged by the Sasser, Witty, Code Red and Sapphire worms, as well as the Microsoft ASN vulnerability and hundreds of other important discoveries. This expertise gives eEye a distinct advantage in designing risk management software solutions for the assessment, remediation and prevention of vulnerabilities and the attacks that leverage them. While Microsoft is addressing seven vulnerabilities with this month's patch update, eEye's upcoming advisories' page continues to list three other flaws related to Microsoft platforms, two of which are also considered to be high risk, as they can be remotely exploited. The oldest vulnerability in that list was discovered and reported 225 days ago, a fact that is worrisome for network administrators, but of no concern for eEye customers benefiting from Blink's technology. For more information about upcoming advisories, please visit http://www.eEye.com/html/Research/upcoming/index.html.

As a service to the network security community, eEye's Research Team, headed by Maiffret, conducts a Vulnerability Expert Forum during the second week of every month. These web seminars enable participants to stay current on the potential risks and remediation requirements, such as those announced today, by exploring the effect that high-risk vulnerabilities and exploits have on network environments and infrastructures. To register for the February Vulnerability Expert Forum, please visit http://www.eEye.com/html/Company/events.

In addition to serving the security community, these events also function as an educational venue for eEye's channel partners to learn about issues their enterprise customers are facing and what technologies can be utilized to better serve them. eEye's channel program serves as one of the largest and most comprehensive networks within the vulnerability management market, with more than 300 reseller and services partners in over 70 countries. eEye's commitment to the channel extends to its successful relationships with leading security-focused resellers, solution providers and system integrators -- all of whom are able to enhance their product portfolios with eEye's award-winning risk management solutions. The collaboration of eEye and its partners expands its collective global reach, thereby enhancing network security and mitigating risk for businesses of all sizes. For more information on eEye's Partner Network, please visit http://www.eEye.com/html/Partners/index.html.

About Blink(R) Endpoint Vulnerability Prevention

Designed to be implemented on individual assets such as servers, PCs and laptops, Blink is the first endpoint product to combine multiple layers of security technologies to protect enterprises from zero-day attacks that leverage yet unknown vulnerabilities within enterprise networks. This comprehensive security solution allows organizations to defer patching vulnerable machines until regularly scheduled maintenance cycles, thereby saving millions of dollars in business disruption and the associated IT resource drain caused by panic patching. Additionally, Blink eliminates the problem of so-called "socially engineered" security threats, in which hackers trick individuals into downloading malware or otherwise making their own machines vulnerable to attack. As a result, Blink uniquely protects assets from vulnerabilities, as opposed to only thwarting attacks.

eEye's integrated family of vulnerability management solutions helps IT and security professionals to confidently safeguard their valuable digital assets. Working in conjunction with popular tools such as firewalls and intrusion detection systems, eEye's product portfolio also includes Retina(R) Network Security Scanner, REM(TM) Security Management Console, Iris(R) Network Traffic Analyzer and SecureIIS(TM) Web Server Protection.

About eEye Digital Security(R)

eEye Digital Security(R) is the leading developer of endpoint security and vulnerability management software solutions, as well as the industry's foremost contributor to security research and education. eEye's award-winning software products provide a complete risk management solution that addresses the full lifecycle of security threats: before, during and after attacks. eEye customers Citigroup and the U.S. Department of Defense represent the largest deployments of vulnerability assessment and prevention technology in the private and public sector. Overall, eEye protects the networks and digital assets of more than 8,500 corporate and government deployments worldwide, including Avon, Continental Airlines, Dow Jones, EDS, Prudential, University of Miami, Viacom, Vodafone, Warner Music and Wyeth. Founded in 1998, eEye Digital Security is a privately held, venture-backed firm with headquarters in Orange County, California. For more information, please visit www.eEye.com.

All trademarks contained within this press release are the sole property of their respective owners and are hereby acknowledged.
COPYRIGHT 2006 Business Wire
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2006, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.

Article Details
Publication:Business Wire
Geographic Code:1USA
Date:Feb 14, 2006
Words:1080