0 day: Exploiting by using Windows Media Files

Media Player meta files all have the same structure, XML. Digging deeper into the XML, pdp from Gnucitizen found several tags which can be abused for malicious purposes.

In simple words, HTMLView will display a page of our choice within the standalone Windows Media Player. I repeat, the page will be opened within the Media Player surroundings, not a standalone browser. This in particular is very interesting behavior, which I experimented with for a bit.
I found that a fully patched windows XP SP2 with IE6 or IE7 and Windows Media Player 9 (default) will open any page of your choice in less restrictive Internet Explorer environment even if your default browser is Firefox, Opera or anything else you have in place.
Let me translate this for you. It means that even if you are running Firefox and you think that you are secure, by simply opening a media file, you expose yourself to all IE vulnerabilities there might be.

Not good. I guess using the default Media player (Browser, Emailclient, ....) was never a good idea anyway. Personally, I prefer VLC as player, Firefox as browser and Eudora as emailclient. Like in real life: diversity is essential for survival. Just my opinion.