Slashdot stories can be listened to in audio form via an RSS feed, as read by our own robotic overlord.

 



Forgot your password?
typodupeerror
Windows Operating Systems Software Bug Security

DirectX Flaw Leaves Windows Vulnerable 530

Posted by michael
from the windows-update-time-again dept.
cryonic*angel writes "Just when you thought it was safe to start buying music from BuyMusic, another another Windows security flaw is found, in DirectX this time, that basically affects every possible windows configuration that is still supported. I wonder, will they indemnify me for this?"
This discussion has been archived. No new comments can be posted.

DirectX Flaw Leaves Windows Vulnerable

Comments Filter:
  • patch me up baby! (Score:5, Informative)

    by Neophytus (642863) on Thursday July 24, 2003 @09:15AM (#6521107)
    Direct download for 9.0b [microsoft.com] (not for nt4.0). Strangely it isn't on the main directx page yet considering the critical nature of the problem. Here is the technet article [microsoft.com] with patches for existing directx versions.
    • Re:patch me up baby! (Score:3, Interesting)

      by Krilomir (29904) *
      I'm quite sure there is a patch up already on windows update. My computer was patched just hours ago. I really don't see anything special about this story. What's so special about this flaw?
      • by Chester K (145560) on Thursday July 24, 2003 @09:38AM (#6521430) Homepage
        I'm quite sure there is a patch up already on windows update. My computer was patched just hours ago. I really don't see anything special about this story. What's so special about this flaw?

        It's a Microsoft bug, it doesn't matter how important it is. You're supposed to be foaming at the mouth and making sweeping statements about how this proves open source is better! Don't you know what website you're on?
        • by Realistic_Dragon (655151) on Thursday July 24, 2003 @10:05AM (#6521773) Homepage
          Don't you know what website you're on?

          Microsoft Security Bulletin MS03-035


          Flaw in Internet Explorer Could Cause Website Name Not To Appear (823803)

          Originally posted: July 23, 2003

          Summary

          Who should read this bulletin: All users of Microsoft® Windows®

          Impact of vulnerability: User may become disorientated on the internet

          Maximum Severity Rating: Moderate

          Recommendation: Administrators of Windows computers should consider applying the update patch.

          Affected Software:

          * Microsoft Windows NT 4.0 Server

          * Microsoft Windows NT 4.0 Terminal Server Edition

          * Microsoft Windows 2000

          * Microsoft Windows XP

          * Microsoft Windows Server 2003

          Technical details

          Technical description:

          A flaw exists in all versions of Internet Explorer that could cause the name of the website being visited not to be displayed.
        • by Entropius (188861) on Thursday July 24, 2003 @10:10AM (#6521831)
          While /. has been known to indulge in a little over-the-top microsoft bashing when bugs like these come out, there's a reason they (especially ones like this) make the front page.

          Windows has a huge installed base, and windows machines tend to be targeted by kiddies looking for DDoS zombies.

          And of course this is a big bug. Run arbitrary code through a midi file? That's huge, and deserves to be on the front page. Apache security holes of much less import make the front page, and they probably belong there too.
        • by FatherOfONe (515801) on Thursday July 24, 2003 @10:12AM (#6521866)
          Man how true it is. I can't believe all the people here that bash Microsoft for their apparent lack of security. I mean whats the problem with checking for patches for your server every hour or so? Even if some of the patches are so bad they crash apps on your server and prevent others from starting. I mean, what is the big deal?

          Hang on a second... it has been 30 seconds since I last checked Microsoft for another security update...

          Ok, I now have another 90MB file I need to apply to the 200 NT boxes I have.... Like I was saying what the heck is the big deal? So what that most vendors release stuff on NT boxes that requires certain service packs, and won't work with others? Yeah this makes server consoldation impossible but who really cares? It isn't that big of a deal, just buy another box. Heck we plan on buying another hundred or so this year.

          Hang on a second it has been another 5 min since my last check at Microsoft for another update...

          Wow only two new updates! This is a first! Now, as I was saying, these open source "Quality is important" types are just zealots. They just don't understand that it isn't that big of a deal to support Windows.

          Sorry, hang on a second... a new Worm just hit or email server...

          Now where was I? Oh yeah, the advantages of running Windows... You have one consistant platform. Well we will when we finally get our 200 NT boxes upgraded to Win2k server. Dag gone it, I have to go and talk to our Microsoft rep again... be back in 15 min...

          Ok I just found out that Windows 2003 server is out now and EVERYONE is going to it. The nice thing is that Microsoft will let us keep running our Win2k servers until the end of the year! Yeah I would like to see what you open source people say about that! See Microsoft isn't bad at all. They even told us that we could run 2003 Server for a full 3 years! Man that will make life great!

          So let all the bitching begin about Microsoft over one SMALL bug! They just don't know what they are talking about...

      • by JAZ (13084) on Thursday July 24, 2003 @09:53AM (#6521605)
        I just tried to run windows update.
        I haven't run it since I built the computer 6 weeks ago, but here is the text of the page I got:

        Windows Update is the online extension of Windows that helps you get the most out of your computer.

        Windows Update uses ActiveX Controls and active scripting to display content correctly and to determine which updates apply to your computer.

        To view and download updates for your computer, your Internet Explorer security settings must meet the following requirements:

        Security must be set to medium or lower
        Active scripting must be set to enabled
        The download and initialization of ActiveX Controls must be set to enabled
        Note These are default settings for Internet Explorer.

        To check your Internet Explorer security settings

        On the Tools menu in Internet Explorer, click Internet Options.
        Click the Security tab.
        Click the Internet icon, and then click Custom Level.
        Make sure the following settings are set to Enable or Prompt:
        Download signed ActiveX Controls
        Run ActiveX Controls and plug-ins
        Script ActiveX Controls marked safe for scripting
        Active scripting

        (c) 2001 Microsoft Corporation. All rights reserved. Terms of Use.


        This is funny on so many levels:
        - don't ya'll fix ie security?
        - do ya'll trust ms automatically?
        - ms's default setting are medium or lower?!?

        • Re:Windows Update (Score:3, Informative)

          by shamino0 (551710)
          Yeah, Windows Update requires you set Microsoft to medium or lower security.

          But how can it possible be otherwise? The whole purpose of Windows Update is to install core system software - precisely the kind of activity that you generally want to prevent any other web site from attempting.

          Of course, I don't think Windows Update should be done through a web browser in the first place. The Software Update [apple.com] facility in MacOS [apple.com] is a standalone program that can't be used for anything other than fetching and ins

      • by Knightmare (12112) on Thursday July 24, 2003 @09:55AM (#6521649) Homepage
        I can't decide if this is a troll or not. How is this a big vulnerability? Well, take a second and think how easy it is to be exposed to a midi file compared to an executable in an email or a malformed packet on one of Windows many default listening ports.

        Newer versions of outlook and many mail servers can block .exe,.src,.com,etc... extensions from ever making it to your double click happy hand.

        A $35 personal firewall from your local computer store can protect you from port based attacks.

        But when was the last time you saw security software/hardware that blocked midi files? An exploit of this in the wild would mean any webpage, any HTML email, any midi file download would be an attack vector. How is this a small problem?
      • by ssimpson (133662) <slashdot AT samsimpson DOT com> on Thursday July 24, 2003 @10:13AM (#6521879) Homepage

        What's so special about this flaw?

        Are you brainwashed by how many flaws like this we see? This allows a malicious adversary to craft a web page (for IE) or e-mail (for OE / Outlook) that would allow the adversary to execute arbitrary programs in that users context.

        The point isn't that an update is out already, it's that there will remain god knows how many tens of millions of computer vulnerable to this flaw for a long time. Not only will those machines be hacked and taken down, but someone will most likely produce and exploit that turns the machines into a DDoS client, or an SMTP relay for spam, or...You get the idea. In the end it pisses over the rest of the Internet community.

        And it's all thanks to shite security engineering in MS and non-conformance to standards (the MIDI playing is caused by a non-W3c HTML tag "BGSOUND").

        • Re:patch me up baby! (Score:3, Informative)

          by JanusFury (452699)
          And it's all thanks to shite security engineering in MS and non-conformance to standards (the MIDI playing is caused by a non-W3c HTML tag "BGSOUND").

          I don't see how BGSOUND has anything to do with this. You can play MIDIs in webpages without that tag. The OBJECT tag, for example... or an embedded media player control... or a regular old link.
          • Re:patch me up baby! (Score:3, Informative)

            by ssimpson (133662)

            Regular old links need the users to click on a link whereas BGSOUND doesn't require user interaction. Not sure if Object tag / embedded media player can embed in the same way for Outlook / OE based e-mails (I would hope that the users get some kind of prompt, but knowing MS...).

      • by drunk_as_in_beer (661124) on Thursday July 24, 2003 @11:13AM (#6522587)
        What's so special about this flaw?

        What's so special is you actually *don't* have to reboot after applying the patch.
    • by GammaTau (636807) <jni@iki.fi> on Thursday July 24, 2003 @09:27AM (#6521274) Homepage Journal

      Well, you know what they say about downloading and applying Windows patches...

      "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."

    • Re:patch me up baby! (Score:5, Informative)

      by BigBir3d (454486) on Thursday July 24, 2003 @09:38AM (#6521423) Journal
      9.0b has been available since Wednesday 7/23, that I know of. That is when I had to manually update the dozen or so machines in my office.
  • by WD_40 (156877) on Thursday July 24, 2003 @09:16AM (#6521111) Homepage
    Let's see, pay for music and get F'ed... download for free and be fine (as long as you don't share).
    • Re:Tough one... (Score:5, Insightful)

      by Latent IT (121513) on Thursday July 24, 2003 @09:28AM (#6521290)
      Let's see, pay for music and get F'ed... download for free and be fine (as long as you don't share).

      So, let me see if I have this right - you think that files off a pay-for-music download site are more likely to be infected vs. files on Kazaa?

      Seriously?
      • by dimer0 (461593) on Thursday July 24, 2003 @10:32AM (#6522132)
        So, let me see if I have this right - you think that files off a pay-for-music download site are more likely to be infected vs. files on Kazaa?

        For those of us who are running Mozilla and not IE, etc, buymusic.com's home page has a quite amusing message:

        ---

        Thank you for visiting BuyMusic.com.

        In order to take full advantage of BuyMusic.com's offerings you must be on a Windows Operating System using Internet Explorer version 5.0 or higher.

        --- /That's/ the point the poster was making.
    • Re:Tough one... (Score:5, Insightful)

      by jmorris42 (1458) * <jmorris@@@beau...org> on Thursday July 24, 2003 @09:40AM (#6521445)
      Unless you running Linux, then make sure you have the latest mpg123 (and libmpg123, which powers xmms) or one of those mp3 files could be evil and 0wn3z your ass.

      Nobody is 100% safe these days. I used to be confident and tell people to 'hit me with their best shot' because I wouldn't be running untrusted executables and data files couldn't carry nasties. Now we have mpg123 and in the past we had a buffer overflow in libtiff. Pine could get you owned with a bogus header once. Sendmail of course has been a security nightmare.

      Yes *NIX is safer, sendmail in it's worst year never matched the horrors of Outlook, but never feel safe. Which sucks major ass because we shouldn't have to just accept as a given that the only safe computing is a sealed box with no external media or network connection. Personally I'd like to see a whole year set aside to making software SAFE instead of adding features.
    • by Quarters (18322)
      If you're paying someone so you can download craptastic MIDI files then this security flaw is the least of your problems.
  • by NoCoward (648971) on Thursday July 24, 2003 @09:16AM (#6521116) Homepage Journal
    My Win2k solution already downloaded and installed the update last night automatically via WindowsUpdate.com. Nice system.
    • Nice System My Ass (Score:3, Insightful)

      by nurb432 (527695)
      So, what did the patch automatically break for you.

      What EULA change did it automatically agree to for you?

      Oh, and dont forget the option of faking out your machine and letting it automatically download a trojan..

      Automatic NOTICES are a good thing, automatic INSTALLS are not..
      • by iainl (136759)
        "Automatic NOTICES are a good thing, automatic INSTALLS are not.."

        Automatic notices are the default option, if memory serves. Certainly, thats what my XP Home machine is set to do. You can choose to have automatic install should you wish, but you don't have to. I left it on notify only, not because I find their EULA notices scary, but simply because I didn't want it deciding that I really shouldn't check my 3 items of email over a 56k connection without installing 20Mb of patches for unrelated things first
    • by FrostedWheat (172733) on Thursday July 24, 2003 @09:33AM (#6521352)
      My Win2k solution

      If that was the solution, what the heck was the problem?!
    • So you let this 'solution' download and install software without your approval?

      I sure hope that isn't a production environment.
  • by advocate_one (662832) on Thursday July 24, 2003 @09:17AM (#6521118)
    move along now folks... nothing new here...
    mind you... the particular buffer overflow is unusual...MIDI files... who'd have thought???
    • the particular buffer overflow is unusual...MIDI files... who'd have thought???

      Hey, a 208k MIDI file! I bet it's... extra long! =)

      Actually, worse is that IE seems to just play any midi file off any webpage, unless you specifically tell it not to. I can't actually tell if that's vulnerable or not, though.
    • by ratfynk (456467) on Thursday July 24, 2003 @09:57AM (#6521679) Journal
      Actually its been known for a long time, but the software writers just have to put up with it, use DirectX or your midi interface will not work, or worse still it might until some user goes and loads the newest MS DirectX. So you play along with the DirectX game or your software will not work. The usual MS bullshit.
      DirectX controls have been a problem in music notation software for years.
      Maybe now someone will write a real piece of music notation software that doesn't use f'ing midi timing to set note placement. One of my main peeves with commercial notation software.

      I have seen the possibility that midi could be used as a hack for years! In fact a little friend of mine has used this exploit to demonstrate a flaw in the whole concept of midi as a scripting control. He has written a replacement algorythm that directly generates wave at the processor level and then sends it to the sound card without the use of shitty DirectX. DirectX sucks for security and flexability always has and always will, because of its fork processes. I personaly do not care if my notation software can make sound, so I just have to put up with useless junk midi. Read my journal entry about more music #32862

  • ...So? (Score:2, Interesting)

    by Jonsey (593310)
    So what you're saying is Windows, without proper patches & updating us unsecure?

    Sounds like every other OS out there! : )

    Nah, thanks for calling attention to this, I'm going to be patching my clients to 9.0b tonight.
  • logged in (Score:2, Informative)

    by dirvish (574948)
    If I remember/understand correctly someone has to be logged onto the machine to take advantage of this exploit. If they are allready logged on they could do lots of other stuff anyways? Hmmmm...doesn't sound too serious.
  • Huh? BuyMusic? (Score:4, Insightful)

    by mhore (582354) on Thursday July 24, 2003 @09:18AM (#6521136)
    From what I read, the exploit comes in the form of a weird MIDI file. Are you buying MIDI files from BuyMusic, or...?

    Mike.
  • Hmmm... (Score:5, Funny)

    by chrisgeleven (514645) on Thursday July 24, 2003 @09:19AM (#6521163) Homepage
    Only every single supported version of Windows has this flaw? Thank God, I thought I was in trouble here.
  • Wha... (Score:5, Informative)

    by mgcsinc (681597) on Thursday July 24, 2003 @09:19AM (#6521164)
    ""They'd have to come up with some way to get the user to click on that file," said Stephen Toulouse of Microsoft's Security Response Center, noting that default security settings in recent versions of Microsoft Outlook e-mail software and the Internet Explorer Web browser prevent automatic launching of such files. " Last I checked, as annoying as the feature is, the ability to have IE play MIDI files autonomyously is still there; a friend sent a link to me last night with a lovely display of world architecture and sappy MIDI music playing in the background... This is not a matter of downloading, not a matter of clicking, MIDI files have always been thought harmless, and its that feeling of complacency which threatens to make this dangerous for common users...
    • Re:Wha... (Score:5, Interesting)

      by chill (34294) on Thursday July 24, 2003 @09:23AM (#6521223) Journal
      Last I checked, as annoying as the feature is, the ability to have IE play MIDI files autonomyously is still there; a friend sent a link to me last night with a lovely display of world architecture and sappy MIDI music playing in the background...

      That's the kicker. I know a LOT of sites that do this. A couple of financial services sites I frequent have Registered Reps that seem to think a MIDI that runs in the background lends "ambiance" or some such to their site. They INSIST on it.
      • Argh! I hate those sites. If I ever happen to stumble into a site that has background music, I go back and never come again. They lost my business. Websites are for reading, not listening to some really crappy midi files.
        • Re:Wha... (Score:3, Funny)

          by vasqzr (619165)
          Argh! I hate those sites. If I ever happen to stumble into a site that has background music, I go back and never come again. They lost my business. Websites are for reading, not listening to some really crappy midi files.


          Right! Web sites are for animated GIF's and blinking text!
    • ... But I don't think IE uses DirectX to play those MIDI files, just like it doesn't use DirectX to blit JPEGs to the screen either.
    • Last I checked, as annoying as the feature is, the ability to have IE play MIDI files autonomyously is still there

      Yeah, and it's in Mozilla / Firebird, too. Every time I run across a page playing lousy MIDI music (or even good music) I go searching through the prefs panel, hoping some new setting came in with the last release.

      Does anyone know of a hidden preferences setting to disable auto-play of music?

      (I don't know if Moz would use the DirectX midiplayer, anyway, but I want to turn off this damned mu
  • by wayward_son (146338) on Thursday July 24, 2003 @09:20AM (#6521181)
    Windows Update on Win2k Pro told me of the problem before Slashdot.

    It's already been fixed on my machine.

  • by SoTuA (683507) on Thursday July 24, 2003 @09:20AM (#6521182)

    Har Har Har! Yeah, they'll indemnify up to the price you paid for DirectX...

    You have to give M$ some credit though... finally, a security flaw where you don't have to care if you are using Win95a, win98blah, Win2k, Win2k SP1e92, WinXP, WinYP, whatever. A *cross-platform* security issue, if you will. ;)

  • Great. (Score:5, Funny)

    by grub (11606) <slashdot@grub.net> on Thursday July 24, 2003 @09:21AM (#6521188) Homepage Journal

    A MIDI overflow? That means no more visits to most Geocities pages.
  • WTF, over (Score:3, Insightful)

    by Mikey-San (582838) on Thursday July 24, 2003 @09:21AM (#6521199) Homepage Journal
    Huh? What the fuck does this have to do with BuyMusic.com? The flaw, as the article says, affects MIDI, not WMA.

    I don't like Windows or BuyMusic.com, either, but this flaw doesn't seem to affect BuyMusic.com directly.

    What'd I miss? (Seriously. If I missed something, tell me.)
    • Don't you know as an anti-microsoft, andi-riaa zealot, you need to include all kinds of irrelevant slights to those afore mentioned organizations. It doesn't matter if they have nothing to do with the situation at hand.
    • Re:WTF, over (Score:2, Informative)

      by 7x7 (665946)
      You missed the Joke. Buymusic.com, in a fit of 1995 zeleousy, has designed the site to detect your browser and refuse to function with anything other than IE.
  • by sporty (27564) on Thursday July 24, 2003 @09:23AM (#6521226) Homepage
    For those who couldn't infer the word..

    Indemnify -

    Main Entry: indemnify
    Pronunciation: in-'dem-n&-"fI
    Function: transitive verb
    Inflected Form(s): -fied; -fying
    Etymology: Latin indemnis unharmed, from in- + damnum damage
    Date: circa 1611
    1 : to secure against hurt, loss, or damage
    2 : to make compensation to for incurred hurt, loss, or damage
  • Downplay (Score:4, Insightful)

    by Winterblink (575267) on Thursday July 24, 2003 @09:24AM (#6521237) Homepage
    "They'd have to come up with some way to get the user to click on that file," said Stephen Toulouse of Microsoft's Security Response Center, noting that default security settings in recent versions of Microsoft Outlook e-mail software and the Internet Explorer Web browser prevent automatic launching of such files.

    I love how they downplay that, like it's such a stretch to get a user who doesn't know any better to click a link in an email or webpage. Hell, my father just agrees to every ActiveX install that happens to come up on his screen, and clicks on any banner ad saying he's got a potential security risk on his computer. Irony is a harsh mistress indeed.

  • by burgburgburg (574866) <splisken06.email@com> on Thursday July 24, 2003 @09:25AM (#6521249)
    The Last Stage of Delirium Research Group [lsd-pl.net] (LSD) has announced and Microsoft has confirmed [microsoft.com] and released patches for a critical flaw in the RPC Interface implementation in all recent versions of Windows. This includes NT 4.0, 2000, XP and Server 2003 (regardless of the service packs installed). As reviewed in this TechTarget [yahoo.com] article, the exploit creates a buffer overflow that could allow remote attackers to run commands with the highest system privileges. Applying the new patch and/or blocking port 135 (turned on by default on many Windows systems) are the solutions.

    LSD has produced two proof of concept exploit codes (which they have not released)which they were able to get to work even with Server 2003 and it's new buffer overflow prevention mechanism. The nature of the flaw makes it ripe for exploitation by a worm.

    As discussed here [yahoo.com], the reports are unusually embarrassing as they affect Server 2003, Microsoft's most powerful and safest software yet. It is ironic that the announcement comes one day after the Homeland Security Department announced that it awarded a five-year, $90-million contract for Microsoft to supply all its most important desktop and server software for about 140,000 computers inside the new federal agency.

  • More technical Info. (Score:5, Informative)

    by PenguiN42 (86863) <taylork@alum.m[ ]edu ['it.' in gap]> on Thursday July 24, 2003 @09:27AM (#6521279) Journal
    It would have been nice if the poster posted a link to the actual microsoft security bulletin [microsoft.com], which also links to the patch for your particular DirectX. Also nice would have been a link to this article [eeye.com] at eEye security [eeye.com], which goes into much more technical information. What also would have been nice is if the poster specified that the attack only affected MIDI files, instead of implying that all downloads of online music were at risk. The link to the random and not-really-related article about Microsoft protecting its users from legal hassles could probably have been left out, as it just confused the issue.

    (Maybe I'm just bitter that my submission of the same story got rejected)
  • SPIN SPIN SPIN (Score:5, Informative)

    by chill (34294) on Thursday July 24, 2003 @09:28AM (#6521294) Journal
    From the MSNBC article (which is all most people will see)...

    "They'd have to come up with some way to get the user to click on that file," said Stephen Toulouse of Microsoft's Security Response Center, noting that default security settings in recent versions of Microsoft Outlook e-mail software and the Internet Explorer Web browser prevent automatic launching of such files."

    HOWEVER, from the TechNet article on the flaw...

    "If the file was embedded in a page the vulnerability could be exploited when a user visited the Web page."

    Meaning that at BEST, Stephen Toulouse of Microsoft's Security Response Center is incompetent. At WORST he is a lying scuzzball.
    • Re:SPIN SPIN SPIN (Score:3, Informative)

      by Watcher (15643)

      Or he's very good at qualifying his statements. Note the article claims he says that recent versions have default settings to prevent automatic loading. In the MS security bulliten, they note that the default configuration of IE running under Windows Server 2003 is not affected due to its higher security settings. I can attest to that one, if you want to browse the web at all without seeing half the content locked off (like css headers, for example), you have to turn off all of the security lockdowns. I

  • not the first time (Score:5, Informative)

    by ih8apple (607271) on Thursday July 24, 2003 @09:30AM (#6521312)
    This is not the first time DirectX has had security issues. Here's another issue from a year ago:

    Overview:
    Risk: High
    Distribution: Low-Medium
    Patch available from vendor: True

    Systems Affected:
    Systems having Microsoft DirectX Files Viewer
    xweb.ocx (2,0,16,15 and possibly older)

    Impact:
    A remote attacker may be able to execute arbitrary code with the privileges of the current user.

    Description:
    A buffer overflow exists in the "File" parameter of the Microsoft DirectX Files Viewer ActiveX control that may permit a remote attacker to execute arbitrary code on the system with the privileges of the current user. This vulnerability affects users visited ActiveX samples galery at activex.microsoft.com. Since the control is signed by Microsoft, users of Microsoft's Internet Explorer (IE) who accept and install Microsoft-signed ActiveX controls are also affected. This control was also available for direct download from the web, but can be uploaded on any website.
    The tag could be used to embed the ActiveX control in a web page. If an attacker can trick the user into visiting a malicious site or the attacker sends the victim a web page as an HTML-formatted email message or newsgroup posting then this vulnerability could be exploited. This acceptance and installation of the control can occur automatically within IE for users who trust Microsoft-signed ActiveX controls. When the web page is rendered, either by opening the page or viewing the page through a preview pane, the ActiveX control could be invoked. Likewise, if the ActiveX control is embedded in a Microsoft Office (Word, Excel, etc.) document, it may be executed when the document is opened.

    Vendor Information:
    secure_at_microsoft.com was informed on
    9.May.2002.
    MSRC 1149cb ticket was opened and finaly resolved on 25.Jun.2002
    Solution:
    Apply a latest IE/OS patches available from Microsoft:
    Setting kill bit expected to be included in latest IE Service pack.
    Windows 2000 SP3 and Windows XP SP1 expected to solve this problem.
    Links:
    ActiveX control still available for retrieval from Global Internet "backup copy":
    http://web.archive.org/web/20010410194632/http://a ctivex.microsoft.com/activex/controls/directx/xweb .htm
  • MIDI (Score:5, Funny)

    by ciryon (218518) on Thursday July 24, 2003 @09:31AM (#6521325) Journal
    Cool, Then you can construct some kind of hacked MIDI keyboard that just plugs into the computer you want to compromise. Press B# three times and you get the admin password.

    Ciryon
    • Re:MIDI (Score:2, Funny)

      by iainl (136759)
      "you can construct some kind of hacked MIDI keyboard that just plugs into the computer you want to compromise."

      Now this just has to be the next /. poll:

      Which tune should you have to play to get the admin password through MIDI? Personally, I vote for the Mission: Impossible theme, but I'm sure someone has a better idea.
  • DirectX Bloat... (Score:3, Interesting)

    by BJZQ8 (644168) on Thursday July 24, 2003 @09:33AM (#6521354) Homepage Journal
    I find it amazing that a graphics API update is 11mb...let alone the "runtime" which is 164237 KB...although I don't know how big OpenGL's program was....
    • Re:DirectX Bloat... (Score:2, Informative)

      by sithlord2 (261932)

      OpenGL is just graphics. DirectX is a lot more...

      DirectX Contains :
      - 3D API (DirectGraphics)
      - Sound and 3D Sound API (DirectSound)
      - Network play API (DirectPlay)
      - MIDI and music API (DirectMusic)
      - Various drivers for Sound- and graphic-cards)


  • the answer is very simple. it's the M$ marketing model.
    make a product first and sell it and worry about the bugs later.
    why would you spend $$$ bedugging something that works while you can wait for others to find the bugs for you. that saves $$$. and look at their market share. this approach works fine.
  • by Call Me Black Cloud (616282) on Thursday July 24, 2003 @09:37AM (#6521414)

    Let's look at the evidence:

    Flaw in DirectX allows code embedded in a malformed MIDI file to be executed on machine (read more [microsoft.com])

    Patch from MS available before news "broke" on slashdot

    Article submitter somehow tries to tie this to buymusic.com

    Looks like a case of a rapid fix from MS and a kneejerk editor at Slashdot. How about this spin? "Notified of critical bug, MS immediately issues fix". Nah, wouldn't play to this crowd.

    To answer your question, cryonic*angel [slashdot.org], MS won't indemnify you but level headed readers may excoriate you...

    • Looks like a case of a rapid fix from MS and a kneejerk editor at Slashdot. How about this spin? "Notified of critical bug, MS immediately issues fix". Nah, wouldn't play to this crowd.

      New slashdot poll:

      A flaw is announced in MS products, what happens next and why?

      a) Microsoft release a fix slowly - that would never happen in open source!
      b) Microsoft release a fix quickly - they must have known about it already and not told anyone!
      c) MS product are a flaw in themselves, recursion not allowed.
      d) The

  • Maybe security "flaws" in multimedia software are not a bug. They may be a wonderful Quality Protection feature brought to you by your good friends at Macrovision. Paid for by the RIAA.

    Now the RIAA can put poisioned files onto P2P. But instead of just being annoying audio admonishing you not to steal, they can own your computer.

    All they need is for it to be legal for them to hack your computer.
  • WineX? (Score:4, Funny)

    by Laur (673497) on Thursday July 24, 2003 @09:43AM (#6521472)
    Is WineX [transgaming.com] affected by any chance? After all, aren't they supposed to be recreating the API exactly, bugs and all? Besides, it isn't fair that Linux users have to miss out on all the really cool highly publicized bugs. ;)
  • by thepacketmaster (574632) on Thursday July 24, 2003 @09:46AM (#6521525) Homepage Journal
    He doesn't know Microsoft very well, does he? :-)
  • by NetCurl (54699) on Thursday July 24, 2003 @09:49AM (#6521550)
    So after it was mentioned in the intro to the story, I looked at this BuyMusic.com, and read their terms of sale....man, this is a shitty music service...

    Who cares about the freaking security, did anyone read the TERMS OF SALE AGREEMENT [buymusic.com]?

    Check this out:

    Content Use Rules. All downloaded music, images, video, artwork, text, software and other copyrightable materials ("Content") are sublicensed to End Users and not sold, notwithstanding use of the terms "sell," "purchase," "order," or "buy" on the Site or this Agreement.
    Your Digital Download sublicense is nonexclusive, nontransferable, nonsublicenseable, limited and for use only within the United States.
    End users may play the Digital Downloads an unlimited number of times on the same registered personal computer to which the Digital Download is originally downloaded.


    So are you saying I don't actually own what I'm "buying" on their site?

    How can you unlicense your computer too? So if I get a new machine, I lose all my songs!? I couldn't find any mention of switching "primary computers" so that I can keep my music when I upgrade my machine. What about the next time I have to install a fresh version of XP over my current install? Has anyone checked out this service?
    • It is simply not worth it. You only lease it (can they even stop you from listening to them songs at their whim?), you get it in WMA (Why?) probably with some DRM slapped on.

      If I buy a CD (which I won't, because they are too expensive nowdays, I own about 600 of them thus far though) I can play it in my computer (technically my old stereo), in my surround system, in my car, in mine or my girlfriends portable CD player, at work, or at a friends place.

      If I could buy the music legally in high quality ogg for
    • OK, I'll admit - I bought a CD off of buymusic.com (specifically "Gutterflower" by the Goo Goo Dolls) and downloaded the protected WMA files. Most licenses on BuyMusic.com allow you to burn the music to an audio CD a few times (mine allowed for up to 3 burns). So, I burned the album to a standard Audio CD... and then I figured, well, lets try ripping them in CDex and making them MP3s. Worked perfectly - no distortion or loss in sound quality. Time to share these bitches on Kazaa. :-P
  • by mabu (178417) on Thursday July 24, 2003 @10:03AM (#6521744)
    ..deleting me softly with his song..
  • by IWantMoreSpamPlease (571972) on Thursday July 24, 2003 @10:09AM (#6521817) Homepage Journal
    When I was in college for programming, the teachers would *intentionally* try to crash our software, mainly by buffer overruns, if the software crashed, we would fail.

    The class taught us about error checking ond control. Something MS seems to desperately need.
  • Bashdot? (Score:3, Funny)

    by pair-a-noyd (594371) on Thursday July 24, 2003 @10:18AM (#6521955)
    Yeah, I like that. Let's spawn a division of /. called bashdot (b.) where the daily M$ flaws can be posted. That will free up a LOT of /. real estate for important matters like SCO scoops..

  • by Letter (634816) on Thursday July 24, 2003 @10:20AM (#6521970)
    Dear Windows Users,

    <EMBED SRC="h4x0r3d.mid" HEIGHT=200 WIDTH=55></EMBED>

    Yours,
    B. Overflow
  • WTF! (Score:5, Insightful)

    by mrseigen (518390) on Thursday July 24, 2003 @10:37AM (#6522204) Homepage Journal
    How the fuck did a gaming API ever get enough priveleges in a "modern" operating system to be able to cause any kind of problems beyond resource starvation?
  • by forgetmenot (467513) <.atsjewell. .at. .onebox.com.> on Thursday July 24, 2003 @10:59AM (#6522438) Homepage
    Instead of posting every single security flaw in windows to slashdot (I mean seriously... we KNOW they exist don't we? It's not exactly "news" and there ARE other sites for them) to be flamed to pieces how about just have a little "counter" somewhere on the main page.. along with a date the user can set in his/her settings. Increment it everytime a new flaw is found so that it keeps a running tally. Number of Windows flaws since . Fun AND informative. Sorta.
  • by jeeptj (463368) on Thursday July 24, 2003 @11:06AM (#6522513)
    FYI...

    Windows 2000 machines running SP4 are not affected by this flaw. I suggest anyone running anything less than this starts deploying SP4 instead of this individual patch. Shavlik [shavlik.com] has excellent products to make your patch deployment easier.
    • Unless of course you're running AutoCAD Architectural or Mechanical desktops (release 2000 or better) and trying to use StudioViz-3d. SP4 from Microsoft completely CORRUPTS the DATA FILES upon opening them now.

      Ironically ... AutoCAD is one of the only applications keeping the need for any Windows 2000 workstations to even exist anymore in my company. Everything else (servers to workstations) is running Netware, BSD, Linux or OS X.
  • Well done Microsoft (Score:3, Interesting)

    by enneff (135842) on Thursday July 24, 2003 @11:30AM (#6522772) Homepage
    It's great to see Microsoft treating a threat of this severity appropriately. When I booted up my machine this morning (long before this Slashdot article was posted) I was greeted with a Windows Update message offering me a patch to this vulnerability. I didn't even know it existed! I was able to patch first, and ask questions later.

    My only complaint is that MS seems less concerned with many less severe vulnerabilities. You'd think a corporation of their size would have a whole department devoted solely to fixing all security (and other) flaws.
  • by WIAKywbfatw (307557) on Thursday July 24, 2003 @04:04PM (#6526119) Journal
    I'm running Windows 2000 Professional with DirectX 8.1. Seems like I'm immune as, on this OS, only 7.0 and 9.0a are effected.

    The complete list of effected Windows/DirectX combinations are as follows:

    Microsoft DirectX® 5.2 on Windows 98
    Microsoft DirectX 6.1 on Windows 98 SE
    Microsoft DirectX 7.0a on Windows Millennium Edition
    Microsoft DirectX 7.0 on Windows 2000
    Microsoft DirectX 8.1 on Windows XP
    Microsoft DirectX 8.1 on Windows Server 2003
    Microsoft DirectX 9.0a when installed on Windows Millennium Edition
    Microsoft DirectX 9.0a when installed on Windows 2000
    Microsoft DirectX 9.0a when installed on Windows XP
    Microsoft DirectX 9.0a when installed on Windows Server 2003
    Microsoft Windows NT 4.0 with either Windows Media Player 6.4 or Internet Explorer 6 Service Pack 1 installed.
    Microsoft Windows NT 4.0, Terminal Server Edition with either Windows Media Player 6.4 or Internet Explorer 6 Service Pack 1 installed.

    Not every possible Windows configuration but probably a majority of them.

    Check the relevant technical bulletin [microsoft.com] for more info.
  • by Cyberllama (113628) on Thursday July 24, 2003 @05:46PM (#6527129)
    Alot of people are acting as though this particular bug is no big deal and isn't worthy of being posted on the main page. But consider this, how many people are running thier browsers with the default configurations? And Both IE and Mozilla will automatically play MIDI files embedded in webpages with this configurations. So this exploit could theoretically allow any website you visit to run arbitrary code on your system. . . I'd say that's pretty serious.

If it happens once, it's a bug. If it happens twice, it's a feature. If it happens more than twice, it's a design philosophy.

Working...