DirectX Flaw Leaves Windows Vulnerable

cryonic*angel writes "Just when you thought it was safe to start buying music from BuyMusic, another another Windows security flaw is found, in DirectX this time, that basically affects every possible windows configuration that is still supported. I wonder, will they indemnify me for this?"

Received the Update Notification and Fixed

[NoCoward]

My Win2k solution already downloaded and installed the update last night automatically via WindowsUpdate.com. Nice system.

Huh? BuyMusic?

[mhore]

From what I read, the exploit comes in the form of a weird MIDI file. Are you buying MIDI files from BuyMusic, or...?

Mike.

Downloaded the patch this morning.

[wayward_son]

Windows Update on Win2k Pro told me of the problem before Slashdot.

It's already been fixed on my machine.

WTF, over

[Mikey-San]

Huh? What the fuck does this have to do with BuyMusic.com? The flaw, as the article says, affects MIDI, not WMA.

I don't like Windows or BuyMusic.com, either, but this flaw doesn't seem to affect BuyMusic.com directly.

What'd I miss? (Seriously. If I missed something, tell me.)

Downplay

[Winterblink]

"They'd have to come up with some way to get the user to click on that file," said Stephen Toulouse of Microsoft's Security Response Center, noting that default security settings in recent versions of Microsoft Outlook e-mail software and the Internet Explorer Web browser prevent automatic launching of such files.

I love how they downplay that, like it's such a stretch to get a user who doesn't know any better to click a link in an email or webpage. Hell, my father just agrees to every ActiveX install that happens to come up on his screen, and clicks on any banner ad saying he's got a potential security risk on his computer. Irony is a harsh mistress indeed.

Nice System My Ass

[nurb432]

So, what did the patch automatically break for you.

What EULA change did it automatically agree to for you?

Oh, and dont forget the option of faking out your machine and letting it automatically download a trojan..

Automatic NOTICES are a good thing, automatic INSTALLS are not..

Re:Tough one...

[Latent IT]

Let's see, pay for music and get F'ed... download for free and be fine (as long as you don't share).

So, let me see if I have this right - you think that files off a pay-for-music download site are more likely to be infected vs. files on Kazaa?

Seriously?

Re:Tough one...

[jmorris42]

Unless you running Linux, then make sure you have the latest mpg123 (and libmpg123, which powers xmms) or one of those mp3 files could be evil and 0wn3z your ass.

Nobody is 100% safe these days. I used to be confident and tell people to 'hit me with their best shot' because I wouldn't be running untrusted executables and data files couldn't carry nasties. Now we have mpg123 and in the past we had a buffer overflow in libtiff. Pine could get you owned with a bogus header once. Sendmail of course has been a security nightmare.

Yes *NIX is safer, sendmail in it's worst year never matched the horrors of Outlook, but never feel safe. Which sucks major ass because we shouldn't have to just accept as a given that the only safe computing is a sealed box with no external media or network connection. Personally I'd like to see a whole year set aside to making software SAFE instead of adding features.

Re:Windows ...

[nolife]

Can you name another OS that exposes a security flaw via the BGSOUND tag? How about one where simply previewing or opening an email will cause security problems? How about one where scripts can be run and have access to your address books for mass emailing. How about one where browsing the web with certain active x controls causes security problems? How about one where the mime encoding is ignored or misrepresented and arbitrary local programs can be run via email or web browsing? How about one where the help system can run arbitrary code in the background? How about embedding viruses and macros into documents that can run arbitrary code and start any program automaticially?. I can keep going if you'd like. Can you even name a single OS that has ANY of these issues of data and code combined into one? Getting a perfect bugfree OS is unrealistic, getting one that is swiss cheese and a complete security clusterf**k should not be acceptable either.

Re:patch me up baby!

[Knightmare]

I can't decide if this is a troll or not. How is this a big vulnerability? Well, take a second and think how easy it is to be exposed to a midi file compared to an executable in an email or a malformed packet on one of Windows many default listening ports.

Newer versions of outlook and many mail servers can block .exe,.src,.com,etc... extensions from ever making it to your double click happy hand.

A $35 personal firewall from your local computer store can protect you from port based attacks.

But when was the last time you saw security software/hardware that blocked midi files? An exploit of this in the wild would mean any webpage, any HTML email, any midi file download would be an attack vector. How is this a small problem?

Re:Why was there no mention of the RPC flaw?

[verbot]

Perhaps it wasn't mentioned because it was already announced and discussed last week [slashdot.org]?

Re:Windows ...

[WNight]

QNX.

But really, Linux and MacOS X are both better, and while there have been bugs found in each, if the bug isn't one in a component you use, or in the kernel, can you count it? When I update my system, many of the updates are for third-party packages. As if MS provided patches for Eudora.

Re:patch me up baby!

[Entropius]

While /. has been known to indulge in a little over-the-top microsoft bashing when bugs like these come out, there's a reason they (especially ones like this) make the front page.

Windows has a huge installed base, and windows machines tend to be targeted by kiddies looking for DDoS zombies.

And of course this is a big bug. Run arbitrary code through a midi file? That's huge, and deserves to be on the front page. Apache security holes of much less import make the front page, and they probably belong there too.

Re:patch me up baby!

[ssimpson]

What's so special about this flaw?

Are you brainwashed by how many flaws like this we see? This allows a malicious adversary to craft a web page (for IE) or e-mail (for OE / Outlook) that would allow the adversary to execute arbitrary programs in that users context.

The point isn't that an update is out already, it's that there will remain god knows how many tens of millions of computer vulnerable to this flaw for a long time. Not only will those machines be hacked and taken down, but someone will most likely produce and exploit that turns the machines into a DDoS client, or an SMTP relay for spam, or...You get the idea. In the end it pisses over the rest of the Internet community.

And it's all thanks to shite security engineering in MS and non-conformance to standards (the MIDI playing is caused by a non-W3c HTML tag "BGSOUND").

Re:Wha...

[Entropius]

I'm just glad it's midi music--midi is a separate mixer channel and can be killed without muting the mp3 player.

Once everyone gets broadband and they use background mp3's or oggs... bah.

WTF!

[mrseigen]

How the fuck did a gaming API ever get enough priveleges in a "modern" operating system to be able to cause any kind of problems beyond resource starvation?

Re:Received the Update Notification and Fixed

[isorox]

Yes, nice system, but why is this unusual enough to be modded up? I'd guess any OS worth its salt would have the option of auto-updating with the latest security patches. My laptop does when I connect to the internet via a network, my desktop does it every few hours, and I can alway mannually apt-get update && apt-get upgrade

auto updaters deserve grief

[nurb432]

The title says it all ( and will be modded down ).

If you auto update you deserve all the grief and broken applications you get.

It has nothing to do with paranoia. its called being responsible. you DON'T automatically changes things because someone else says its new and improved.

You first see if you NEED the update, if the bug fixes effect you, then you TEST TEST TEST. If it doesnt then you DONT install it.

I'm glad you don't run any network I'm on.

And YES i knew it was optional in the first place, the parent of this chose autoUPDATE, thus prompted comments.

Sheesh.

Re:patch me up baby!

[FroMan]

Where do you work that you get to play games?

Or is there some other purpose for DX?

Re:patch me up baby!

[poot_rootbeer]

Run arbitrary code through a midi file? That's huge, and deserves to be on the front page.

How many people actually play MIDI files on a regular basis? Show of hands here.

No?

The only time Joe Average encounters a MIDI file is on Jane's Shitty Geocities Webpage.

While the vulnerability is potentially dangerous, the exploit is uncommon enough that the actual threat level is pretty low IMO.

Re:patch me up baby!

[ClippyHater]

Don't be so sure. Think of the millions of Windows users launching executables from an e-mail they got. Now think of them clicking on a link to a webpage containing the exploit (of course they only see the "See my hot new photos" link in outlook). Page loads up, and that's all she wrote.

I really can see this being a HUGE problem for millions.

Re:I prefer streaming Real or MP3

[Jorrit]

It's not necessarily a bad idea. With proper music and implementation it adds to the site. Most sites fail on both accounts though.

And what if I'm:

• at work and not willing to disturbe my collegues.
  
• listening to other music (either on computer or my stereo).
  

I think music playing without me specifically requesting it is ALWAYS a bad idea. Same as I don't want my browser to open unrequested windows EVER.

Greetings,

Yet another Buffer Overrun problem

[Anonymous Coward]

Given:
1. This is a stupid programming trick and automatic code inspection tools to catch the majority (many cases cannot be caught this way) of these already exist,
2. There are solutions to prevent buffer overruns even in poorly written code from compromising the operating system (STFW, there are many white papers out there),
3. Microsoft has been bitten by these many, many, many times before,

Then:
Just what in the fsck has Microsoft's security program done in the last 2 years? This is a known security problem with known solutions and a history of having been a Windows problem in the past. Why in the hell wasn't this addressed in the last two years since Bill Gates made security a prime focus at Microsoft?

Possible answers:
a. M$ programmers are incompetent
b. silly! did you really think Bill's "security initiative" was about anything except marketing press?
c. M$ really just doesn't give a fsck about the security of your data or your computer system
d. all of the above

Re:patch me up baby!

[more fool you]

sounds good in theory. in practice it's a little unreasonable to have to set maximum_object_size to well over 50MB (IE 6 SP anyone?)