DirectX Flaw Leaves Windows Vulnerable 530
cryonic*angel writes "Just when you thought it was safe to start buying music from BuyMusic, another Windows security flaw is found, in DirectX this time, that basically affects every possible Windows configuration that is still supported. I wonder, will they indemnify me for this?"
Received the Update Notification and Fixed (Score:4, Insightful)
Huh? BuyMusic? (Score:4, Insightful)
Mike.
Downloaded the patch this morning. (Score:3, Insightful)
It's already been fixed on my machine.
WTF, over (Score:3, Insightful)
I don't like Windows or BuyMusic.com, either, but this flaw doesn't seem to affect BuyMusic.com directly.
What'd I miss? (Seriously. If I missed something, tell me.)
Downplay (Score:4, Insightful)
I love how they downplay that, like it's such a stretch to get a user who doesn't know any better to click a link in an email or webpage. Hell, my father just agrees to every ActiveX install that happens to come up on his screen, and clicks on any banner ad saying he's got a potential security risk on his computer. Irony is a harsh mistress indeed.
Nice System My Ass (Score:3, Insightful)
What EULA change did it automatically agree to for you?
Oh, and don't forget the option of faking out your machine and letting it automatically download a trojan...
Automatic NOTICES are a good thing, automatic INSTALLS are not.
Re:Tough one... (Score:5, Insightful)
So, let me see if I have this right - you think that files off a pay-for-music download site are more likely to be infected vs. files on Kazaa?
Seriously?
Re:Tough one... (Score:5, Insightful)
Nobody is 100% safe these days. I used to be confident and tell people to 'hit me with their best shot' because I wouldn't be running untrusted executables and data files couldn't carry nasties. Now we have mpg123 and in the past we had a buffer overflow in libtiff. Pine could get you owned with a bogus header once. Sendmail of course has been a security nightmare.
Yes *NIX is safer, sendmail in its worst year never matched the horrors of Outlook, but never feel safe. Which sucks major ass because we shouldn't have to just accept as a given that the only safe computing is a sealed box with no external media or network connection. Personally I'd like to see a whole year set aside to making software SAFE instead of adding features.
Re:Windows ... (Score:3, Insightful)
Re:patch me up baby! (Score:5, Insightful)
Newer versions of outlook and many mail servers can block
A $35 personal firewall from your local computer store can protect you from port based attacks.
But when was the last time you saw security software/hardware that blocked midi files? An exploit of this in the wild would mean any webpage, any HTML email, any midi file download would be an attack vector. How is this a small problem?
Re:Why was there no mention of the RPC flaw? (Score:1, Insightful)
Re:Windows ... (Score:3, Insightful)
But really, Linux and MacOS X are both better, and while there have been bugs found in each, if the bug isn't one in a component you use, or in the kernel, can you count it? When I update my system, many of the updates are for third-party packages. As if MS provided patches for Eudora.
Re:patch me up baby! (Score:5, Insightful)
Windows has a huge installed base, and windows machines tend to be targeted by kiddies looking for DDoS zombies.
And of course this is a big bug. Run arbitrary code through a midi file? That's huge, and deserves to be on the front page. Apache security holes of much less import make the front page, and they probably belong there too.
Re:patch me up baby! (Score:5, Insightful)
What's so special about this flaw?
Are you brainwashed by how many flaws like this we see? This allows a malicious adversary to craft a web page (for IE) or e-mail (for OE / Outlook) that would allow the adversary to execute arbitrary programs in that user's context.
The point isn't that an update is out already, it's that there will remain god knows how many tens of millions of computers vulnerable to this flaw for a long time. Not only will those machines be hacked and taken down, but someone will most likely produce an exploit that turns the machines into a DDoS client, or an SMTP relay for spam, or... You get the idea. In the end it pisses over the rest of the Internet community.
And it's all thanks to shite security engineering in MS and non-conformance to standards (the MIDI playing is caused by a non-W3C HTML tag "BGSOUND").
Re:Wha... (Score:2, Insightful)
Once everyone gets broadband and they use background mp3's or oggs... bah.
WTF! (Score:5, Insightful)
Re:Received the Update Notification and Fixed (Score:2, Insightful)
auto updaters deserve grief (Score:3, Insightful)
If you auto update you deserve all the grief and broken applications you get.
It has nothing to do with paranoia. It's called being responsible. You DON'T automatically change things because someone else says it's new and improved.
You first see if you NEED the update, if the bug fixes affect you, then you TEST TEST TEST. If it doesn't then you DON'T install it.
I'm glad you don't run any network I'm on.
And YES I knew it was optional in the first place, the parent of this chose autoUPDATE, thus prompted comments.
Sheesh.
Re:patch me up baby! (Score:2, Insightful)
Or is there some other purpose for DX?
Re:patch me up baby! (Score:2, Insightful)
How many people actually play MIDI files on a regular basis? Show of hands here.
No?
The only time Joe Average encounters a MIDI file is on Jane's Shitty Geocities Webpage.
While the vulnerability is potentially dangerous, the exploit is uncommon enough that the actual threat level is pretty low IMO.
Re:patch me up baby! (Score:2, Insightful)
I really can see this being a HUGE problem for millions.
Re:I prefer streaming Real or MP3 (Score:3, Insightful)
And what if I'm:
I think music playing without me specifically requesting it is ALWAYS a bad idea. Same as I don't want my browser to open unrequested windows EVER.
Greetings,
Yet another Buffer Overrun problem (Score:1, Insightful)
1. This is a stupid programming trick and automatic code inspection tools to catch the majority (many cases cannot be caught this way) of these already exist,
2. There are solutions to prevent buffer overruns even in poorly written code from compromising the operating system (STFW, there are many white papers out there),
3. Microsoft has been bitten by these many, many, many times before,
Then:
Just what in the fsck has Microsoft's security program done in the last 2 years? This is a known security problem with known solutions and a history of having been a Windows problem in the past. Why in the hell wasn't this addressed in the last two years since Bill Gates made security a prime focus at Microsoft?
Possible answers:
a. M$ programmers are incompetent
b. silly! did you really think Bill's "security initiative" was about anything except marketing press?
c. M$ really just doesn't give a fsck about the security of your data or your computer system
d. all of the above
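The kind of check the comment's points 1 and 2 take for granted, as an added example that is not code from the thread, from Microsoft or from DirectX: a bounds-checked reader for the length-prefixed chunks of the standard MIDI file layout (4-byte ASCII type, 4-byte big-endian length, then the payload). The chunk layout is the real MIDI one; the function names, the 256-byte payload limit, the error codes and the sample byte strings are constructed for this illustration and say nothing about how DirectX actually parsed the file or where its defect was.

```c
/* Added example (not from the thread, Microsoft or DirectX): parse MIDI-style
 * chunks without trusting the length field that comes from the file. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define CHUNK_HDR   8     /* 4-byte type + 4-byte big-endian length */
#define MAX_PAYLOAD 256   /* constructed limit for this illustration  */

typedef struct {
    char     type[5];               /* chunk type, NUL-terminated */
    uint32_t declared_len;          /* length field as read from the file */
    uint8_t  payload[MAX_PAYLOAD];  /* fixed-size destination buffer */
    size_t   payload_len;           /* bytes actually copied */
} chunk_t;

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Returns 0 on success, -1 if the header is truncated, -2 if the declared
 * length exceeds the bytes actually present, -3 if it exceeds the buffer. */
int parse_chunk(const uint8_t *buf, size_t buf_len, chunk_t *out) {
    if (buf_len < CHUNK_HDR)
        return -1;
    uint32_t len = be32(buf + 4);
    /* The unchecked pattern the comment complains about would now do
     *     memcpy(out->payload, buf + CHUNK_HDR, len);
     * with len taken straight from the file. Check it against BOTH the
     * remaining input and the capacity of the destination first. */
    if (len > buf_len - CHUNK_HDR)
        return -2;
    if (len > MAX_PAYLOAD)
        return -3;
    memcpy(out->type, buf, 4);
    out->type[4] = '\0';
    out->declared_len = len;
    memcpy(out->payload, buf + CHUNK_HDR, len);
    out->payload_len = len;
    return 0;
}

/* Walk every chunk in a file image; returns the chunk count, or the first
 * parse_chunk error. A zero-length chunk is legal and still advances 8 bytes. */
int check_file(const uint8_t *buf, size_t buf_len) {
    size_t off = 0;
    int n = 0;
    while (off < buf_len) {
        chunk_t c;
        int rc = parse_chunk(buf + off, buf_len - off, &c);
        if (rc != 0)
            return rc;
        off += CHUNK_HDR + c.payload_len;
        n++;
    }
    return n;
}

/* Constructed sample inputs (not real DirectX test data). */
const uint8_t GOOD_FILE[] = {
    'M','T','h','d', 0,0,0,6,  0,0, 0,1, 0,0x60,      /* format 0, 1 track, 96 ppq */
    'M','T','r','k', 0,0,0,4,  0x00,0xFF,0x2F,0x00    /* end-of-track meta event */
};
const uint8_t TRUNCATED_HEADER[] = { 'M','T','h','d', 0,0,0 };          /* 7 bytes */
const uint8_t BAD_LENGTH[] = {
    'M','T','r','k', 0xFF,0xFF,0xFF,0xF0, 0x00,0xFF,0x2F,0x00   /* claims ~4 GB */
};

/* A chunk whose length is honest about the bytes present but larger than the
 * destination buffer: 300 payload bytes against a 256-byte buffer. */
int oversized_case(void) {
    uint8_t big[CHUNK_HDR + 300];
    memset(big, 0, sizeof big);
    memcpy(big, "MTrk", 4);
    big[4] = 0; big[5] = 0; big[6] = 0x01; big[7] = 0x2C;   /* 300 big-endian */
    return check_file(big, sizeof big);
}

int main(void) {
    printf("good file:        %d\n", check_file(GOOD_FILE, sizeof GOOD_FILE));
    printf("truncated header: %d\n", check_file(TRUNCATED_HEADER, sizeof TRUNCATED_HEADER));
    printf("bad length:       %d\n", check_file(BAD_LENGTH, sizeof BAD_LENGTH));
    printf("oversized chunk:  %d\n", oversized_case());
    return 0;
}
```

The two comparisons in parse_chunk are the whole point: the first one stops a declared length from reading past the end of the input, the second stops it from writing past the end of the fixed buffer, and neither can be inferred from the other. Automatic inspection tools of the kind the comment mentions flag the unchecked memcpy precisely because its size argument is tainted by file data.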
Re:patch me up baby! (Score:2, Insightful)