Zero Day Exploit Found in Windows Media Player

filenavigator writes "Another zero day flaw has been reported in Windows Media player. It comes only one day after a serious zero day flaw was found in word. The flaw is dangerous because it involves IE and Outlook's ability to automatically launch .asx files. No fix from Microsoft has been announced yet."

How is this dangerous?

[JanusFury]

I know overflows are bad, but I honestly don't know much about how the allocator in a typical OS or RTL works. Could such a small (2-4 byte) overflow be used to execute arbitrary code? Is it actually possible to use that small of an overflow to screw up the allocator so badly that it'll execute arbitrary code? Or is this just a potential denial of service?

Re:Danger: Four-byte programs could be launched?

[EvanED]

Um, depending on what's in the data you overflow into, there's still *potentially* plenty you can do. (They're all very unlikely, but the potential is there.) There's other security-sensitive data besides the return address, and other buffer overflow exploits than overwriting that to jump into malicious code.

Re:4 bytes IS ENOUGH

[EvanED]

It's a heap buffer (assuming TFA is right), which means the return address will be nowhere near it. There *could* still be neighboring security-sensitive code, but it's extremely unlikely. Worst case that's remotely likely would be that you corrupt the header that markes the beginning of the next heap block and wreak havoc with future malloc calls. Probably nothing controllable though. This *really* isn't that big of a deal, and calling it a zero-day exploit is downright libel.

Re:All it takes is a jump instruction.

[EvanED]

This is a heap buffer, assuming TFA's right. What programs execute instructions from the heap and so have the potential to be overwritten by a jump?

At absolute worst, you could do what at least one paper calls a non-control-data attack and corrupt some other piece of data that was next to it in the heap. Except every malloc implementation I know puts a header struct at the beginning of each block, so even if two pieces of heap data ended next to each other you wouldn't be able to reach the actual data with just a 4 byte overflow, and the best you could hope for is to corrupt the header. This is very unlikely to have any exploitable effects, and is just likely to kill the process.

Ever hear of the JUMP instruction?

[Anonymous Coward]

Umm, do you know what you're talking about? All you do is jump over to your NOOP slide or whatever embedded in the data that slides all the way down to the program disguised as some part of the ASX file.

I don't know how large they are in x86 assembly, but the 86HC11 I used to write for didn't have any instructions bigger than four bytes unless I sadly misremember. Four bytes would've been plenty.

Don't laugh. Plenty of exploits have been coded that have more difficult requirements for the exploit to work.

Re:4 bytes IS ENOUGH

[bluefoxlucid]

Worst case that's remotely likely would be that you corrupt the header that markes the beginning of the next heap block and wreak havoc with future malloc calls. Probably nothing controllable though.

Alter the next heap header to point to a location on the stack as the next free block, and send another chunk of data so malloc() is called and allocates from there. Then write your code/retp change and wait. (Or something equally bizarre)

A couple bytes overflow in the heap is abusable enough to screw with pointers; and in some cases it suddenly turns into a big overflow in situations we didn't predict (this happened with an old libpng CVE, and with an Apache flaw where the overflow was always exactly "k`" until someone figured out how to do better).

No plans to fix the Word flaw

[jginspace]

Microsoft have just given advance notification [microsoft.com] of what their bundle of patches to be released next Tuesday will contain. There are five general Windows bulletins there - no surprise that the most severe is 'critical' - but I'm kind of surprised to see they have no intention of shipping any Office-related fixes.

Re:WMP11 Has Serious Exploit

[Anonymous Coward]

With WMP11, both your DRMed music and your clear music will play. On other platforms, only your clear music will play. Well, on the Apple platform your Apple DRMed music will play. (Speaking of Apple, it should be known that their DRM is just as bad).

If you don't like DRM, don't buy DRMed music. WMP11 will play your clear music just fine. Meanwhile, people who are buying DRMed music will be able to play it in WMP11 without affecting the experience of those who refuse to buy DRMed music.

Also, it is not Microsoft that chooses when, where, and on what devices you may play your media. They merely provided the mechanisms that allow content providers to make those decisions. Content providers are free to let you do anything you want with your music, or provide clear content entirely. Again, if you think a content provider's policy is too restrictive, do not buy music from them.

In short, I fail to see where this is a failing of WMP11 or Vista.

Re:WMP11 EULA Time Bomb

[mpapet]

You're telling me that I've 'lost control' of the huge collection of Old Radio Program MP3s I have stuck in folder on the D:\ drive???

Uncertain. Hopefully you aren't getting the content from CD's. This is verbatim from the EULA:

"If the file is a song you ripped from a CD with the Copy protect music option turned on, you might be able to restore your usage rights by playing the file. You will be prompted to connect to a Microsoft Web page that explains how to restore your rights a limited number of times."

So, the CD you paid for unlimited rights to play where you want has been revoked. Permanently.
And you agreed to it. Can you go back to WMP10?

Re:All it takes is a jump instruction.

[tjcrowder]

And really, getting code loaded like that is not a difficult thing to do.

It's easy (in the context of attacking a computer via a media file) to load code into a data segment, sure. But not into a text (code) segment. So the jump instruction does a local jump to -- oops, access violation.

It is truly amazing, though, that six-seven years after Microsoft really started talking big about dealing with their security problems, they still haven't managed to complete a code review to deal with buffer overrun vulnerabilities. I'm sympathetic to their massive codebase, but in many cases finding buffer overrun vulnerabilities is trained monkey work -- and Microsoft has the money to contract a large number of monkeys, train them, and sic 'em on the code. Sure, there's also a lot of work there for skilled programmers and even engineers -- a lot of their stuff is written in languages like C and C++ where you can pass a buffer to a method without its bounding information -- but surely they could have the monkeys at least flag up what the more skilled people need to look at. It's been a long time, guys. Lots of code, sure, but lots of years, too.