eEye Digital Security » News

News

eEye Digital Security Discovers Critical Flaw in Windows Media Player

– Vulnerability discovered by security leader eEye indicative of growing number of attacks targeting consumer-oriented applications –

(ALISO VIEJO, CA) February 14, 2006 — eEye Digital Security®, the leading developer of endpoint security and vulnerability management software solutions, as well as the industry’s foremost contributor to security research and education, today announced the discovery of a critical security risk related to Microsoft (NASDAQ: MSFT) Windows Media® Player. Unless immediately resolved, this flaw allows attackers to take complete control of an affected system and execute harmful action remotely, including installing programs, viewing, changing or deleting data. In addition, eEye’s world-class research team has identified this vulnerability as part of a growing trend of attacks that target consumer-oriented applications rather than the operating system itself.

“As we saw last month with the flaws patched by Apple for its iTunes and QuickTime applications, attack methods are increasingly targeting applications that are widely used by consumers both on the job and for personal use,” said Marc Maiffret, eEye’s co-founder and chief hacking officer. “Given the enormous installed base of the affected program, individuals and enterprises need to address this particular vulnerability immediately. Deploying a non-signature-based, multi-layered intrusion prevention system such as eEye’s Blink is a necessity in today’s business environments.”

The vulnerability exists due to an unchecked buffer in Windows Media Player that allows a malicious bitmap file (BMP) to be used to execute commands on a remote system, in the context of a logged-in user. This flaw affects Media Player versions 7.1 through 10 that run on the following Windows operating systems: Windows NT, Windows 2000 SP4, Windows XP SP1 and 2, and Windows 2003. Unlike signature-based solutions, such as anti-virus or behavior-based solutions, the advantage for Blink customers is its unique approach to preemptive protection. Blink customers aren't required to do anything further to realize protection from this flaw, as protection is already in place and no updates or policy changes are required. For those interested in reducing IT costs by adhering to regularly scheduled protection policies, thereby eliminating panic patching and maintaining business continuity, an evaluation version of Blink is available for download on eEye's website:http://www.eeye.com/blink.

Over the last five years, eEye has been recognized by industry experts as the preeminent organization in the discovery of the most critical vulnerabilities in various platforms and applications, including the vulnerabilities subsequently leveraged by the Sasser, Witty, Code Red and Sapphire worms, as well as the Microsoft ASN vulnerability and hundreds of other important discoveries. This expertise gives eEye a distinct advantage in designing risk management software solutions for the assessment, remediation and prevention of vulnerabilities and the attacks that leverage them. While Microsoft is addressing seven vulnerabilities with this month’s patch update, eEye’s upcoming advisories’ page continues to list three other flaws related to Microsoft platforms, two of which are also considered to be high risk, as they can be remotely exploited. The oldest vulnerability in that list was discovered and reported 225 days ago, a fact that is worrisome for network administrators, but of no concern for eEye customers benefiting from Blink’s technology. For more information about upcoming advisories, please visit http://www.eeye.com/html/research/upcoming advisories.

As a service to the network security community, eEye's Research Team, headed by Maiffret, conducts a Vulnerability Expert Forum during the second week of every month. These web seminars enable participants to stay current on the potential risks and remediation requirements, such as those announced today, by exploring the effect that high-risk vulnerabilities and exploits have on network environments and infrastructures. To register for the February Vulnerability Expert Forum, please visit http://www.eeye.com/html/company/events.

In addition to serving the security community, these events also function as an educational venue for eEye’s channel partners to learn about issues their enterprise customers are facing and what technologies can be utilized to better serve them. eEye’s channel program serves as one of the largest and most comprehensive networks within the vulnerability management market, with more than 300 reseller and services partners in over 70 countries. eEye's commitment to the channel extends to its successful relationships with leading security-focused resellers, solution providers and system integrators—all of who are able to enhance their product portfolios with eEye’s award-winning risk management solutions. The collaboration of eEye and its partners expands its collective global reach, thereby enhancing network security and mitigating risk for businesses of all sizes. For more information on eEye’s Partner Network, please visit http://www.eeye.com/html/Partners.

About Blink® Endpoint Vulnerability Prevention
Designed to be implemented on individual assets such as servers, PCs and laptops, Blink is the first endpoint product to combine multiple layers of security technologies to protect enterprises from zero-day attacks that leverage yet unknown vulnerabilities within enterprise networks. This comprehensive security solution allows organizations to defer patching vulnerable machines until regularly scheduled maintenance cycles, thereby saving millions of dollars in business disruption and the associated IT resource drain caused by panic patching. Additionally, Blink eliminates the problem of so-called “socially engineered” security threats, in which hackers trick individuals into downloading malware or otherwise making their own machines vulnerable to attack. As a result, Blink uniquely protects assets from vulnerabilities, as opposed to only thwarting attacks.

eEye's integrated family of vulnerability management solutions helps IT and security professionals to confidently safeguard their valuable digital assets. Working in conjunction with popular tools such as firewalls and intrusion detection systems, eEye's product portfolio also includes Retina® Network Security Scanner, REM™ Security Management Console, Iris® Network Traffic Analyzer and SecureIIS™ Web Server Protection.

About eEye Digital Security

eEye Digital Security® is pioneering a new class of security products:integrated threat management. This next-generation of security detects vulnerabilities and threats, prevents intrusions, protects all of an enterprise’s key computing resources, from endpoints to network assets to web sites and web applications, all while providing a centralized point of security management and network visibility.eEye’s research team is consistently the first to identify new threats in the wild, and our products leverage that research to deliver on the goal of making network security as easy to use and reliable as networking itself. Founded in 1998 and headquartered in Orange County, California, eEye Digital Security protects more than 9,000 corporate and government organizations worldwide, including half of the Fortune 100. For more information, please visit www.eeye.com

About eEye Digital Security

Primary Agency Contact

EMEA Agency Contact

Corporate Contact