DirectX Flaw Leaves Windows Vulnerable

cryonic*angel writes "Just when you thought it was safe to start buying music from BuyMusic, another another Windows security flaw is found, in DirectX this time, that basically affects every possible windows configuration that is still supported. I wonder, will they indemnify me for this?"

...So?

[Jonsey]

So what you're saying is Windows, without proper patches & updating us unsecure?

Sounds like every other OS out there! : )

Nah, thanks for calling attention to this, I'm going to be patching my clients to 9.0b tonight.

Windows ...

[torpor]

... flaws ... whats next?

Hey, it isn't news any more. Windows security, that is.

I'll go back to considering the possibility of using Microsoft profucts when I haven't heard a single security problem for ... a year.

In the meantime, I've completely stopped using all Microsoft products. For good. Anyone else?

Re:patch me up baby!

[Krilomir]

I'm quite sure there is a patch up already on windows update. My computer was patched just hours ago. I really don't see anything special about this story. What's so special about this flaw?

Re:Windows ...

[iapetus]

I'd like to. Could you recommend an alternative operating system that hasn't had a single security problem in a year, and has been adding new functionality over that period?

Re:Wha...

[chill]

Last I checked, as annoying as the feature is, the ability to have IE play MIDI files autonomyously is still there; a friend sent a link to me last night with a lovely display of world architecture and sappy MIDI music playing in the background...

That's the kicker. I know a LOT of sites that do this. A couple of financial services sites I frequent have Registered Reps that seem to think a MIDI that runs in the background lends "ambiance" or some such to their site. They INSIST on it.

Why was there no mention of the RPC flaw?

[burgburgburg]

The Last Stage of Delirium Research Group [lsd-pl.net] (LSD) has announced and Microsoft has confirmed [microsoft.com] and released patches for a critical flaw in the RPC Interface implementation in all recent versions of Windows. This includes NT 4.0, 2000, XP and Server 2003 (regardless of the service packs installed). As reviewed in this TechTarget [yahoo.com] article, the exploit creates a buffer overflow that could allow remote attackers to run commands with the highest system privileges. Applying the new patch and/or blocking port 135 (turned on by default on many Windows systems) are the solutions.

LSD has produced two proof of concept exploit codes (which they have not released)which they were able to get to work even with Server 2003 and it's new buffer overflow prevention mechanism. The nature of the flaw makes it ripe for exploitation by a worm.

As discussed here [yahoo.com], the reports are unusually embarrassing as they affect Server 2003, Microsoft's most powerful and safest software yet. It is ironic that the announcement comes one day after the Homeland Security Department announced that it awarded a five-year, $90-million contract for Microsoft to supply all its most important desktop and server software for about 140,000 computers inside the new federal agency.

DirectX Bloat...

[BJZQ8]

I find it amazing that a graphics API update is 11mb...let alone the "runtime" which is 164237 KB...although I don't know how big OpenGL's program was....

Re:Nice System My Ass

[iainl]

"Automatic NOTICES are a good thing, automatic INSTALLS are not.."

Automatic notices are the default option, if memory serves. Certainly, thats what my XP Home machine is set to do. You can choose to have automatic install should you wish, but you don't have to. I left it on notify only, not because I find their EULA notices scary, but simply because I didn't want it deciding that I really shouldn't check my 3 items of email over a 56k connection without installing 20Mb of patches for unrelated things first.

Re:Windows ...

[jmorris42]

I'd love to see an operating system that didn't get a security problem in a year, regardless of it's state of feature accretion. But even OpenBSD has had one exploit now and they play some real funny games to get it down to only one. Bind, fr example, isn't counted because the minimal install doesn't include it. But if you run a nameserver on OpenBSD BIND is the one that gets installed. So by that logic RedHat shouldn't count BIND bugs either since they also don't install it by default.

I want an OS that can go a year without an exploit in ANY of the software they consider part of their 'distribution'. And still have enough functionality to be useful as a general purpose Internet server. I realize a secure desktop is going to be a lot harder, but lets at least shoot for a real secure server.

Re:Windows ...

[KillerHamster]

Don't know much about it, but how about OpenVMS [hp.com]?

:Actually its been known for a long time ago, but

[ratfynk]

Actually its been known for a long time, but the software writers just have to put up with it, use DirectX or your midi interface will not work, or worse still it might until some user goes and loads the newest MS DirectX. So you play along with the DirectX game or your software will not work. The usual MS bullshit.
DirectX controls have been a problem in music notation software for years.
Maybe now someone will write a real piece of music notation software that doesn't use f'ing midi timing to set note placement. One of my main peeves with commercial notation software.

I have seen the possibility that midi could be used as a hack for years! In fact a little friend of mine has used this exploit to demonstrate a flaw in the whole concept of midi as a scripting control. He has written a replacement algorythm that directly generates wave at the processor level and then sends it to the sound card without the use of shitty DirectX. DirectX sucks for security and flexability always has and always will, because of its fork processes. I personaly do not care if my notation software can make sound, so I just have to put up with useless junk midi. Read my journal entry about more music #32862

Re:I won't EVER be buying music from BuyMusic....

[forgoil]

It is simply not worth it. You only lease it (can they even stop you from listening to them songs at their whim?), you get it in WMA (Why?) probably with some DRM slapped on.

If I buy a CD (which I won't, because they are too expensive nowdays, I own about 600 of them thus far though) I can play it in my computer (technically my old stereo), in my surround system, in my car, in mine or my girlfriends portable CD player, at work, or at a friends place.

If I could buy the music legally in high quality ogg format, and then put it whereever I want (except trading to people) I would be happy. Very much so even. It would appeal to my sense of fairness (yes they made the music, I should pay them and not pirate) and my laziness (*burn* and it goes into the car).

Hell, wasn't OGG even made just for this? When are they going to stop thinking about the tech stuff and give ogg some more uses than for us hackers?

On another note, I have patched all the windows computers I use before this story came on slashdot and I don't find this worse than a new Linux kernel corrupting the filesystem. This is a piece of non news!

*Another* buffer overrun?

[IWantMoreSpamPlease]

When I was in college for programming, the teachers would *intentionally* try to crash our software, mainly by buffer overruns, if the software crashed, we would fail.

The class taught us about error checking ond control. Something MS seems to desperately need.

Re:Turn to Slashdot for breaking news!

[Troed]

The vulnerability was disclosed to Microsoft on the 16:th of April. I don't know what's "rapid" about the fix appearing today.

Windows security hole counter

[forgetmenot]

Instead of posting every single security flaw in windows to slashdot (I mean seriously... we KNOW they exist don't we? It's not exactly "news" and there ARE other sites for them) to be flamed to pieces how about just have a little "counter" somewhere on the main page.. along with a date the user can set in his/her settings. Increment it everytime a new flaw is found so that it keeps a running tally. Number of Windows flaws since . Fun AND informative. Sorta.

At the root of the problem

[krinje]

...is why would Microsoft distribute drawing and music libraries in what is essentially a server operating system? (WinServer2k3) Why these aren't optional components that an administrator could choose to include at install time is a good question, and should be asked of Microsoft.

The reader with 200 NT/2K boxes to patch would probably be grateful if he didn't have to worry about patching whatever bogus components MS includes by default.

I say we take 'em back to court and get them to rip out ALL the unnecessary functionality from the kernel.

Well done Microsoft

[enneff]

It's great to see Microsoft treating a threat of this severity appropriately. When I booted up my machine this morning (long before this Slashdot article was posted) I was greeted with a Windows Update message offering me a patch to this vulnerability. I didn't even know it existed! I was able to patch first, and ask questions later.

My only complaint is that MS seems less concerned with many less severe vulnerabilities. You'd think a corporation of their size would have a whole department devoted solely to fixing all security (and other) flaws.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Tough one...

[Anonymous Coward]

Jesus... What the hell is so hard about doing proper dynamic allocation or buffer bounds checking on data of unknown length? Or access logic for that matter?

Just don't do stupid shit like:
char buf[1024];
sprintf(buf, string_of_unknown_length);

Use the proper function: snprintf

Code can be mathematically proven to be safe. The problem is that most coders do not have the time, inclination, or neccessary expertise to do so.