
DirectX Flaw Leaves Windows Vulnerable

cryonic*angel writes "Just when you thought it was safe to start buying music from BuyMusic, another Windows security flaw is found, in DirectX this time, that basically affects every possible Windows configuration that is still supported. I wonder, will they indemnify me for this?"
  • patch me up baby! (Score:5, Informative)

    by Neophytus ( 642863 ) on Thursday July 24, 2003 @10:15AM (#6521107)
    Direct download for 9.0b [microsoft.com] (not for nt4.0). Strangely it isn't on the main directx page yet considering the critical nature of the problem. Here is the technet article [microsoft.com] with patches for existing directx versions.
  • logged in (Score:2, Informative)

    by dirvish ( 574948 ) <dirvish@ f o undnews.com> on Thursday July 24, 2003 @10:17AM (#6521125) Homepage Journal
    If I remember/understand correctly someone has to be logged onto the machine to take advantage of this exploit. If they are already logged on they could do lots of other stuff anyways? Hmmmm...doesn't sound too serious.
  • Wha... (Score:5, Informative)

    by mgcsinc ( 681597 ) on Thursday July 24, 2003 @10:19AM (#6521164)
    "'They'd have to come up with some way to get the user to click on that file,' said Stephen Toulouse of Microsoft's Security Response Center, noting that default security settings in recent versions of Microsoft Outlook e-mail software and the Internet Explorer Web browser prevent automatic launching of such files." Last I checked, as annoying as the feature is, the ability to have IE play MIDI files autonomously is still there; a friend sent a link to me last night with a lovely display of world architecture and sappy MIDI music playing in the background... This is not a matter of downloading, not a matter of clicking, MIDI files have always been thought harmless, and it's that feeling of complacency which threatens to make this dangerous for common users...
  • by sporty ( 27564 ) on Thursday July 24, 2003 @10:23AM (#6521226) Homepage
    For those who couldn't infer the word..

    Indemnify -

    Main Entry: indemnify
    Pronunciation: in-'dem-n&-"fI
    Function: transitive verb
    Inflected Form(s): -fied; -fying
    Etymology: Latin indemnis unharmed, from in- + damnum damage
    Date: circa 1611
    1 : to secure against hurt, loss, or damage
    2 : to make compensation to for incurred hurt, loss, or damage
  • More technical Info. (Score:5, Informative)

    by PenguiN42 ( 86863 ) <taylork@alum. m i t .edu> on Thursday July 24, 2003 @10:27AM (#6521279) Journal
    It would have been nice if the poster posted a link to the actual microsoft security bulletin [microsoft.com], which also links to the patch for your particular DirectX. Also nice would have been a link to this article [eeye.com] at eEye security [eeye.com], which goes into much more technical information. What also would have been nice is if the poster specified that the attack only affected MIDI files, instead of implying that all downloads of online music were at risk. The link to the random and not-really-related article about Microsoft protecting its users from legal hassles could probably have been left out, as it just confused the issue.

    (Maybe I'm just bitter that my submission of the same story got rejected)
  • SPIN SPIN SPIN (Score:5, Informative)

    by chill ( 34294 ) on Thursday July 24, 2003 @10:28AM (#6521294) Journal
    From the MSNBC article (which is all most people will see)...

    "They'd have to come up with some way to get the user to click on that file," said Stephen Toulouse of Microsoft's Security Response Center, noting that default security settings in recent versions of Microsoft Outlook e-mail software and the Internet Explorer Web browser prevent automatic launching of such files."

    HOWEVER, from the TechNet article on the flaw...

    "If the file was embedded in a page the vulnerability could be exploited when a user visited the Web page."

    Meaning that at BEST, Stephen Toulouse of Microsoft's Security Response Center is incompetent. At WORST he is a lying scuzzball.
  • not the first time (Score:5, Informative)

    by ih8apple ( 607271 ) on Thursday July 24, 2003 @10:30AM (#6521312)
    This is not the first time DirectX has had security issues. Here's another issue from a year ago:

    Overview:
    Risk: High
    Distribution: Low-Medium
    Patch available from vendor: True

    Systems Affected:
    Systems having Microsoft DirectX Files Viewer
    xweb.ocx (2,0,16,15 and possibly older)

    Impact:
    A remote attacker may be able to execute arbitrary code with the privileges of the current user.

    Description:
    A buffer overflow exists in the "File" parameter of the Microsoft DirectX Files Viewer ActiveX control that may permit a remote attacker to execute arbitrary code on the system with the privileges of the current user. This vulnerability affects users who visited the ActiveX samples gallery at activex.microsoft.com. Since the control is signed by Microsoft, users of Microsoft's Internet Explorer (IE) who accept and install Microsoft-signed ActiveX controls are also affected. This control was also available for direct download from the web, but can be uploaded on any website.
    The tag could be used to embed the ActiveX control in a web page. If an attacker can trick the user into visiting a malicious site or the attacker sends the victim a web page as an HTML-formatted email message or newsgroup posting then this vulnerability could be exploited. This acceptance and installation of the control can occur automatically within IE for users who trust Microsoft-signed ActiveX controls. When the web page is rendered, either by opening the page or viewing the page through a preview pane, the ActiveX control could be invoked. Likewise, if the ActiveX control is embedded in a Microsoft Office (Word, Excel, etc.) document, it may be executed when the document is opened.

    Vendor Information:
    secure_at_microsoft.com was informed on
    9.May.2002.
    MSRC 1149cb ticket was opened and finally resolved on 25.Jun.2002
    Solution:
    Apply the latest IE/OS patches available from Microsoft:
    Setting kill bit expected to be included in latest IE Service pack.
    Windows 2000 SP3 and Windows XP SP1 expected to solve this problem.
    Links:
    ActiveX control still available for retrieval from Global Internet "backup copy":
    http://web.archive.org/web/20010410194632/http://activex.microsoft.com/activex/controls/directx/xweb.htm
  • Re:logged in (Score:5, Informative)

    by spydir31 ( 312329 ) * <hastur@noSpaM.hasturkun.com> on Thursday July 24, 2003 @10:30AM (#6521321) Homepage
    Wrong, all you need is that someone view a webpage with the following tag
    <BGSOUND SRC="exploit.MID" >
    (assume the file exists :)
    IE plays these by default.
  • by Call Me Black Cloud ( 616282 ) on Thursday July 24, 2003 @10:37AM (#6521414)

    Let's look at the evidence:

    Flaw in DirectX allows code embedded in a malformed MIDI file to be executed on machine (read more [microsoft.com])

    Patch from MS available before news "broke" on slashdot

    Article submitter somehow tries to tie this to buymusic.com

    Looks like a case of a rapid fix from MS and a kneejerk editor at Slashdot. How about this spin? "Notified of critical bug, MS immediately issues fix". Nah, wouldn't play to this crowd.

    To answer your question, cryonic*angel [slashdot.org], MS won't indemnify you but level headed readers may excoriate you...

  • Re:patch me up baby! (Score:5, Informative)

    by BigBir3d ( 454486 ) on Thursday July 24, 2003 @10:38AM (#6521423) Journal
    9.0b has been available since Wednesday 7/23, that I know of. That is when I had to manually update the dozen or so machines in my office.
  • Re:DirectX Bloat... (Score:2, Informative)

    by sithlord2 ( 261932 ) on Thursday July 24, 2003 @10:38AM (#6521424)

    OpenGL is just graphics. DirectX is a lot more...

    DirectX Contains :
    - 3D API (DirectGraphics)
    - Sound and 3D Sound API (DirectSound)
    - Network play API (DirectPlay)
    - MIDI and music API (DirectMusic)
    - Various drivers for Sound- and graphic-cards


  • Re:WTF, over (Score:2, Informative)

    by 7x7 ( 665946 ) on Thursday July 24, 2003 @10:38AM (#6521428)
    You missed the Joke. Buymusic.com, in a fit of 1995 zeleousy, has designed the site to detect your browser and refuse to function with anything other than IE.
  • Re:Windows ... (Score:5, Informative)

    by Anonymous Coward on Thursday July 24, 2003 @10:48AM (#6521540)
    OpenBSD [openbsd.org] did only have a single exploit in the last seven years. (In default install profile).

    But I'm not sure it was in the last year, if it's earlier then OpenBSD is your answer! :)
  • by NetCurl ( 54699 ) on Thursday July 24, 2003 @10:49AM (#6521550)
    So after it was mentioned in the intro to the story, I looked at this BuyMusic.com, and read their terms of sale....man, this is a shitty music service...

    Who cares about the freaking security, did anyone read the TERMS OF SALE AGREEMENT [buymusic.com]?

    Check this out:

    Content Use Rules. All downloaded music, images, video, artwork, text, software and other copyrightable materials ("Content") are sublicensed to End Users and not sold, notwithstanding use of the terms "sell," "purchase," "order," or "buy" on the Site or this Agreement.
    Your Digital Download sublicense is nonexclusive, nontransferable, nonsublicenseable, limited and for use only within the United States.
    End users may play the Digital Downloads an unlimited number of times on the same registered personal computer to which the Digital Download is originally downloaded.


    So are you saying I don't actually own what I'm "buying" on their site?

    How can you unlicense your computer too? So if I get a new machine, I lose all my songs!? I couldn't find any mention of switching "primary computers" so that I can keep my music when I upgrade my machine. What about the next time I have to install a fresh version of XP over my current install? Has anyone checked out this service?
  • Re:Windows ... (Score:5, Informative)

    by iapetus ( 24050 ) on Thursday July 24, 2003 @11:01AM (#6521724) Homepage
    Fine. But as soon as you want to do something useful with OpenBSD, you need to go beyond the default install profile, which is set up to be as secure as possible by disabling everything. Once you start enabling even common and inoffensive services, you hit security problems.

    OpenBSD security advisories from this year (for version 3.2):

    # March 31, 2003: A buffer overflow in the address parsing in sendmail(8) may allow an attacker to gain root privileges.

    # March 24, 2003: A cryptographic weaknesses in the Kerberos v4 protocol can be exploited on Kerberos v5 as well.

    # March 19, 2003: OpenSSL is vulnerable to an extension of the ``Bleichenbacher'' attack designed by Czech researchers Klima, Pokorny and Rosa.

    # March 18, 2003: Various SSL and TLS operations in OpenSSL are vulnerable to timing attacks.

    # March 5, 2003: A buffer overflow in lprm(1) may allow an attacker to elevate privileges to user daemon.

    # March 3, 2003: A buffer overflow in the envelope comments processing in sendmail(8) may allow an attacker to gain root privileges.

    # February 25, 2003: httpd(8) leaks file inode numbers via ETag header as well as child PIDs in multipart MIME boundary generation. This could lead, for example, to NFS exploitation because it uses inode numbers as part of the file handle.

    # February 22, 2003: In ssl(8) an information leak can occur via timing by performing a MAC computation even if incorrect block cipher padding has been found, this is a countermeasure. Also, check for negative sizes, in allocation routines.

    # January 20, 2003: A double free exists in cvs(1) that could lead to privilege escalation for cvs configurations where the cvs command is run as a privileged user.
  • Re:SPIN SPIN SPIN (Score:3, Informative)

    by Watcher ( 15643 ) on Thursday July 24, 2003 @11:10AM (#6521832)

    Or he's very good at qualifying his statements. Note the article claims he says that recent versions have default settings to prevent automatic loading. In the MS security bulletin, they note that the default configuration of IE running under Windows Server 2003 is not affected due to its higher security settings. I can attest to that one, if you want to browse the web at all without seeing half the content locked off (like css headers, for example), you have to turn off all of the security lockdowns. I wouldn't know for certain about the latest Outlook releases, as I'm not about to test that!

    So, he wasn't a lying scuzzball, he just was very careful with how he couched what he said.

  • by jeeptj ( 463368 ) on Thursday July 24, 2003 @12:06PM (#6522513)
    FYI...

    Windows 2000 machines running SP4 are not affected by this flaw. I suggest anyone running anything less than this starts deploying SP4 instead of this individual patch. Shavlik [shavlik.com] has excellent products to make your patch deployment easier.
  • Re:patch me up baby! (Score:3, Informative)

    by ncc74656 ( 45571 ) <scott@alfter.us> on Thursday July 24, 2003 @12:43PM (#6522920) Homepage Journal
    A big flaw with windows update is that you have to get the whole 11mb per computer.

    Put an HTTP proxy server [squid-cache.org] between your LAN and the Internet. The first download will take a while, but your proxy should cache it so that subsequent downloads on other systems on your LAN will be much faster.

  • by krray ( 605395 ) * on Thursday July 24, 2003 @12:58PM (#6523103)
    Unless of course you're running AutoCAD Architectural or Mechanical desktops (release 2000 or better) and trying to use StudioViz-3d. SP4 from Microsoft completely CORRUPTS the DATA FILES upon opening them now.

    Ironically ... AutoCAD is one of the only applications keeping the need for any Windows 2000 workstations to even exist anymore in my company. Everything else (servers to workstations) is running Netware, BSD, Linux or OS X.
  • Re:patch me up baby! (Score:3, Informative)

    by JanusFury ( 452699 ) <kevin.gadd@gmail.COBOLcom minus language> on Thursday July 24, 2003 @01:08PM (#6523267) Homepage Journal
    And it's all thanks to shite security engineering in MS and non-conformance to standards (the MIDI playing is caused by a non-W3c HTML tag "BGSOUND").

    I don't see how BGSOUND has anything to do with this. You can play MIDIs in webpages without that tag. The OBJECT tag, for example... or an embedded media player control... or a regular old link.
  • Re:Windows Update (Score:3, Informative)

    by shamino0 ( 551710 ) on Thursday July 24, 2003 @01:24PM (#6523473) Journal
    Yeah, Windows Update requires you set Microsoft to medium or lower security.

    But how can it possibly be otherwise? The whole purpose of Windows Update is to install core system software - precisely the kind of activity that you generally want to prevent any other web site from attempting.

    Of course, I don't think Windows Update should be done through a web browser in the first place. The Software Update [apple.com] facility in MacOS [apple.com] is a standalone program that can't be used for anything other than fetching and installing Apple's software updates. I think such a system is inherently more secure, because it can't be used to access third-party servers that may contain malicious software. (Yes, I'm aware that a malicious proxy server between yourself and Apple can redirect the request, but that's not something I expect to happen very often.)

  • Re:patch me up baby! (Score:3, Informative)

    by ssimpson ( 133662 ) <slashdot.samsimpson@com> on Thursday July 24, 2003 @01:45PM (#6523726) Homepage

    Regular old links need the users to click on a link whereas BGSOUND doesn't require user interaction. Not sure if Object tag / embedded media player can embed in the same way for Outlook / OE based e-mails (I would hope that the users get some kind of prompt, but knowing MS...).
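
Added example, not part of the thread or of any poster's comment: a sketch of how a mail or web gateway could tell the no-click MIDI references discussed above (BGSOUND, EMBED, OBJECT) from ordinary links that need a click. The function names, the sample HTML and the extension list are assumptions made for illustration; matching on file extension is a heuristic, since a server can deliver MIDI content under any name.

```python
from html.parser import HTMLParser

# Tags that make the browser fetch a media file as the page renders, mapped to
# the attribute carrying the URL. <a href> is tracked separately because the
# file is only fetched after the user clicks. (Assumed, non-exhaustive lists.)
AUTO_LOAD = {"bgsound": ("src",), "embed": ("src",),
             "object": ("data",), "param": ("value",)}
CLICK_ONLY = {"a": ("href",)}
MIDI_EXTENSIONS = (".mid", ".midi", ".rmi")  # .rmi is RIFF-wrapped MIDI


def is_midi(url):
    # Drop fragment and query string before checking the extension.
    path = url.split("#", 1)[0].split("?", 1)[0]
    return path.lower().endswith(MIDI_EXTENSIONS)


class MidiReferenceScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (kind, tag, url) in document order

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names before calling this.
        for kind, table in (("auto", AUTO_LOAD), ("click", CLICK_ONLY)):
            for name, value in attrs:
                if name in table.get(tag, ()) and value and is_midi(value):
                    self.findings.append((kind, tag, value))


def scan_html(html):
    scanner = MidiReferenceScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def loads_midi_without_click(html):
    """True when rendering the markup alone would fetch a MIDI file."""
    return any(kind == "auto" for kind, _, _ in scan_html(html))


# Constructed sample; only the BGSOUND line is taken from the thread.
SAMPLE = """<html><body>
<BGSOUND SRC="exploit.MID" >
<embed src="/media/theme.midi?x=1" hidden="true">
<object data="tune.mid"></object>
<a href="song.mid">download</a>
<img src="photo.jpg">
</body></html>"""

if __name__ == "__main__":
    for kind, tag, url in scan_html(SAMPLE):
        print(f"{kind:5} <{tag}> {url}")
```

A gateway using this would strip or quarantine content where `loads_midi_without_click` is true until the DirectX patch is deployed, and could leave click-only links alone or rewrite them.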

  • by Forkenhoppen ( 16574 ) on Thursday July 24, 2003 @02:45PM (#6524397)
    There is Transgaming's [transgaming.com] WineX, you know. I hear it's pretty good for playing games under Linux.
  • Re:WTF, over (Score:3, Informative)

    by kikta ( 200092 ) on Thursday July 24, 2003 @03:03PM (#6524592)
    No, it's because he had JavaScript disabled. I tried faking the UA & it still wouldn't let me through. Turning off JavaScript let me in just fine, even with the true UA being sent (Mozilla 1.4). Once you're in, if you reenable JS, it'll dump you to the page you mentioned.
  • by WIAKywbfatw ( 307557 ) on Thursday July 24, 2003 @05:04PM (#6526119) Journal
    I'm running Windows 2000 Professional with DirectX 8.1. Seems like I'm immune as, on this OS, only 7.0 and 9.0a are affected.

    The complete list of affected Windows/DirectX combinations is as follows:

    Microsoft DirectX® 5.2 on Windows 98
    Microsoft DirectX 6.1 on Windows 98 SE
    Microsoft DirectX 7.0a on Windows Millennium Edition
    Microsoft DirectX 7.0 on Windows 2000
    Microsoft DirectX 8.1 on Windows XP
    Microsoft DirectX 8.1 on Windows Server 2003
    Microsoft DirectX 9.0a when installed on Windows Millennium Edition
    Microsoft DirectX 9.0a when installed on Windows 2000
    Microsoft DirectX 9.0a when installed on Windows XP
    Microsoft DirectX 9.0a when installed on Windows Server 2003
    Microsoft Windows NT 4.0 with either Windows Media Player 6.4 or Internet Explorer 6 Service Pack 1 installed.
    Microsoft Windows NT 4.0, Terminal Server Edition with either Windows Media Player 6.4 or Internet Explorer 6 Service Pack 1 installed.

    Not every possible Windows configuration but probably a majority of them.

    Check the relevant technical bulletin [microsoft.com] for more info.
  • by Cyberllama ( 113628 ) on Thursday July 24, 2003 @06:46PM (#6527129)
    A lot of people are acting as though this particular bug is no big deal and isn't worthy of being posted on the main page. But consider this, how many people are running their browsers with the default configurations? And both IE and Mozilla will automatically play MIDI files embedded in webpages with these configurations. So this exploit could theoretically allow any website you visit to run arbitrary code on your system. . . I'd say that's pretty serious.
