Last week, reports of a vulnerability in Windows Media Player (WMP) started coming in and Microsoft began to investigate. The issue affects version 11 and earlier of the software, and according to the initial report (now updated), it could be exploited remotely via a specially crafted SND, MIDI, or WAV file to trigger an integer overflow through which a hacker could execute arbitrary code. Microsoft has since investigated the problem, and while the company has admitted that WMP does indeed crash under those circumstances, there is no security problem to be worried about:

The security researcher making the initial report didn't contact us or work with us directly but instead posted the report along with proof of concept code to a public mailing list. After that report, other organizations picked the report up and claimed that the issue was a code execution vulnerability in Windows Media Player. Those claims are false. We've found no possibility for code execution in this issue. Yes, the proof of concept code does trigger a crash of Windows Media Player, but the application can be restarted right away and doesn't affect the rest of the system.

Microsoft also notes that the issue is already addressed in Windows Server 2003 SP2 and will be addressed in other versions in the future. If you're interested in the details on the issue discovered, see the second link below.

Further reading: