A security vulnerability in Microsoft's Windows Media Player 7 can allow a hacker to get full control over a user's computer, a well-known bug hunter said.
According to Bulgarian security specialist Georgi Guninski, the problem lies with the program's "skins", which allow the user to change the look and feel of the media player. Guninski published a security advisory on his Web site on Monday.
Microsoft confirmed the vulnerability. "A malicious Web site operator can embed a Java applet in a skin file. He can then use a script on a Web page to get access to the [user's] computer," said Michael Aldridge, lead product manager for Microsoft's Windows Digital Media Division.
Upon being downloaded, the skins are installed on the user's system in a directory or folder with a commonly known name, Guninski said.
Guninski said in his advisory that the hacker could browse the system and execute arbitrary programs. This may lead to taking full control of the computer, he said. Guninski rates the vulnerability as "high risk".
Microsoft does not agree with Guninski's assessment. "We take every security issue seriously, but we characterise this as low risk," said Aldridge. "You should not download anything from a place you don't trust," he said, noting that the Web user has to accept the download of the file containing the malicious code.
Microsoft is working on a software patch for the problem. In the meantime, it's safer not to download new skins for Windows Media Player from unknown sites.