DirectX Flaw Leaves Windows Vulnerable 530
cryonic*angel writes "Just when you thought it was safe to start buying music from BuyMusic, another Windows security flaw is found, in DirectX this time, that basically affects every possible Windows configuration that is still supported. I wonder, will they indemnify me for this?"
patch me up baby! (Score:5, Informative)
Re:patch me up baby! (Score:3, Interesting)
Re:patch me up baby! (Score:5, Funny)
It's a Microsoft bug, it doesn't matter how important it is. You're supposed to be foaming at the mouth and making sweeping statements about how this proves open source is better! Don't you know what website you're on?
Re:patch me up baby! (Score:5, Funny)
Bugs Bunny says (Score:4, Funny)
Re:Bugs Bunny says (Score:3, Funny)
Re:patch me up baby! (Score:5, Insightful)
Windows has a huge installed base, and windows machines tend to be targeted by kiddies looking for DDoS zombies.
And of course this is a big bug. Run arbitrary code through a midi file? That's huge, and deserves to be on the front page. Apache security holes of much less import make the front page, and they probably belong there too.
Re:patch me up baby! (Score:5, Funny)
Hang on a second... it has been 30 seconds since I last checked Microsoft for another security update...
Ok, I now have another 90MB file I need to apply to the 200 NT boxes I have.... Like I was saying, what the heck is the big deal? So what that most vendors release stuff on NT boxes that requires certain service packs, and won't work with others? Yeah, this makes server consolidation impossible, but who really cares? It isn't that big of a deal, just buy another box. Heck, we plan on buying another hundred or so this year.
Hang on a second it has been another 5 min since my last check at Microsoft for another update...
Wow only two new updates! This is a first! Now, as I was saying, these open source "Quality is important" types are just zealots. They just don't understand that it isn't that big of a deal to support Windows.
Sorry, hang on a second... a new worm just hit our email server...
Now where was I? Oh yeah, the advantages of running Windows... You have one consistent platform. Well, we will when we finally get our 200 NT boxes upgraded to Win2k server. Dag gone it, I have to go and talk to our Microsoft rep again... be back in 15 min...
Ok I just found out that Windows 2003 server is out now and EVERYONE is going to it. The nice thing is that Microsoft will let us keep running our Win2k servers until the end of the year! Yeah I would like to see what you open source people say about that! See Microsoft isn't bad at all. They even told us that we could run 2003 Server for a full 3 years! Man that will make life great!
So let all the bitching begin about Microsoft over one SMALL bug! They just don't know what they are talking about...
Windows Update (Score:4)
I haven't run it since I built the computer 6 weeks ago, but here is the text of the page I got:
This is funny on so many levels:
- don't ya'll fix ie security?
- do ya'll trust ms automatically?
- ms's default settings are medium or lower?!?
Re:Windows Update (Score:3, Informative)
But how can it possibly be otherwise? The whole purpose of Windows Update is to install core system software - precisely the kind of activity that you generally want to prevent any other web site from attempting.
Of course, I don't think Windows Update should be done through a web browser in the first place. The Software Update [apple.com] facility in MacOS [apple.com] is a standalone program that can't be used for anything other than fetching and ins
Re:patch me up baby! (Score:5, Insightful)
Newer versions of outlook and many mail servers can block
A $35 personal firewall from your local computer store can protect you from port based attacks.
But when was the last time you saw security software/hardware that blocked midi files? An exploit of this in the wild would mean any webpage, any HTML email, any midi file download would be an attack vector. How is this a small problem?
Re:patch me up baby! (Score:5, Insightful)
What's so special about this flaw?
Are you brainwashed by how many flaws like this we see? This allows a malicious adversary to craft a web page (for IE) or e-mail (for OE / Outlook) that would allow the adversary to execute arbitrary programs in that user's context.
The point isn't that an update is out already, it's that there will remain god knows how many tens of millions of computers vulnerable to this flaw for a long time. Not only will those machines be hacked and taken down, but someone will most likely produce an exploit that turns the machines into a DDoS client, or an SMTP relay for spam, or... You get the idea. In the end it pisses over the rest of the Internet community.
And it's all thanks to shite security engineering in MS and non-conformance to standards (the MIDI playing is caused by a non-W3C HTML tag "BGSOUND").
Re:patch me up baby! (Score:3, Informative)
I don't see how BGSOUND has anything to do with this. You can play MIDIs in webpages without that tag. The OBJECT tag, for example... or an embedded media player control... or a regular old link.
Re:patch me up baby! (Score:3, Informative)
Regular old links need the users to click on a link whereas BGSOUND doesn't require user interaction. Not sure if Object tag / embedded media player can embed in the same way for Outlook / OE based e-mails (I would hope that the users get some kind of prompt, but knowing MS...).
Re:patch me up baby! (Score:5, Funny)
What's so special is you actually *don't* have to reboot after applying the patch.
Re:patch me up baby! (Score:2)
Re:patch me up baby! (Score:3, Informative)
Put an HTTP proxy server [squid-cache.org] between your LAN and the Internet. The first download will take a while, but your proxy should cache it so that subsequent downloads on other systems on your LAN will be much faster.
Re:patch me up baby! (Score:5, Funny)
Well, you know what they say about downloading and applying Windows patches...
"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."
Re:patch me up baby! (Score:5, Informative)
Tough one... (Score:5, Funny)
Re:Tough one... (Score:5, Insightful)
So, let me see if I have this right - you think that files off a pay-for-music download site are more likely to be infected vs. files on Kazaa?
Seriously?
Re:Tough one... (Score:5, Funny)
For those of us who are running Mozilla and not IE, etc, buymusic.com's home page has a quite amusing message:
---
Thank you for visiting BuyMusic.com.
In order to take full advantage of BuyMusic.com's offerings you must be on a Windows Operating System using Internet Explorer version 5.0 or higher.
---
Re:Tough one... (Score:5, Insightful)
Nobody is 100% safe these days. I used to be confident and tell people to 'hit me with their best shot' because I wouldn't be running untrusted executables and data files couldn't carry nasties. Now we have mpg123 and in the past we had a buffer overflow in libtiff. Pine could get you owned with a bogus header once. Sendmail of course has been a security nightmare.
Yes, *NIX is safer, sendmail in its worst year never matched the horrors of Outlook, but never feel safe. Which sucks major ass because we shouldn't have to just accept as a given that the only safe computing is a sealed box with no external media or network connection. Personally I'd like to see a whole year set aside to making software SAFE instead of adding features.
Re:Tough one... (Score:3, Funny)
Received the Update Notification and Fixed (Score:4, Insightful)
Nice System My Ass (Score:3, Insightful)
What EULA change did it automatically agree to for you?
Oh, and don't forget the option of faking out your machine and letting it automatically download a trojan..
Automatic NOTICES are a good thing, automatic INSTALLS are not..
Re:Nice System My Ass (Score:2, Interesting)
Automatic notices are the default option, if memory serves. Certainly, that's what my XP Home machine is set to do. You can choose to have automatic install should you wish, but you don't have to. I left it on notify only, not because I find their EULA notices scary, but simply because I didn't want it deciding that I really shouldn't check my 3 items of email over a 56k connection without installing 20Mb of patches for unrelated things first.
Re:MOD PARENT UP (Score:5, Funny)
It is trustworthy! You can trust it not to work!
Ba-dum-bup! (rimshot)
Thanks folks! I'll be here all week! Try the veal!
auto updaters deserve grief (Score:3, Insightful)
If you auto update you deserve all the grief and broken applications you get.
It has nothing to do with paranoia. It's called being responsible. You DON'T automatically change things because someone else says it's new and improved.
You first see if you NEED the update, if the bug fixes affect you, then you TEST TEST TEST. If it doesn't then you DON'T install it.
I'm glad you don't run any network I'm on.
And YES i knew it was optional in the first place, the p
Re:Received the Update Notification and Fixed (Score:5, Funny)
If that was the solution, what the heck was the problem?!
Re:Received the Update Notification and Fixed (Score:3, Funny)
>If that was the solution, what the heck was the problem?!
His computer wouldn't stop working properly.
Re:Received the Update Notification and Fixed (Score:2)
I sure hope that isn't a production environment.
Microsoft software has security flaw... what's new (Score:5, Funny)
mind you... the particular buffer overflow is unusual...MIDI files... who'd have thought???
Re:Microsoft software has security flaw... what's (Score:2)
Hey, a 208k MIDI file! I bet it's... extra long! =)
Actually, worse is that IE seems to just play any midi file off any webpage, unless you specifically tell it not to. I can't actually tell if that's vulnerable or not, though.
:Actually its been known for a long time ago, but (Score:4, Interesting)
DirectX controls have been a problem in music notation software for years.
Maybe now someone will write a real piece of music notation software that doesn't use f'ing midi timing to set note placement. One of my main peeves with commercial notation software.
I have seen the possibility that midi could be used as a hack for years! In fact a little friend of mine has used this exploit to demonstrate a flaw in the whole concept of midi as a scripting control. He has written a replacement algorithm that directly generates wave at the processor level and then sends it to the sound card without the use of shitty DirectX. DirectX sucks for security and flexibility, always has and always will, because of its fork processes. I personally do not care if my notation software can make sound, so I just have to put up with useless junk midi. Read my journal entry about more music #32862
...So? (Score:2, Interesting)
Sounds like every other OS out there! : )
Nah, thanks for calling attention to this, I'm going to be patching my clients to 9.0b tonight.
logged in (Score:2, Informative)
Re:logged in (Score:5, Informative)
<BGSOUND SRC="exploit.MID" >
(assume the file exists)
IE plays these by default.
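The two threads above make the same point from opposite ends: a plain link needs a click, while BGSOUND (and OBJECT or EMBED) fetches and plays the file as soon as the page or HTML e-mail is rendered, and nobody's gateway filter looks at MIDI. The following is an added example, not code from the thread or from any product it mentions, of the kind of content filter a mail gateway or proxy could run: it parses an HTML body, separates auto-playing MIDI embeds from click-required links, and returns a verdict. The tag and attribute names it inspects are standard HTML; the `quarantine`/`flag`/`clean` verdicts and the sample documents are constructed for the example.

```python
"""Flag HTML documents (web pages, HTML e-mail bodies) that auto-play MIDI.

Added example for the discussion above; not from the original thread.
Assumes a defender wants a gateway rule that distinguishes embeds the client
fetches on render (BGSOUND, EMBED, OBJECT) from links a user must click.
"""
from html.parser import HTMLParser

MIDI_EXTENSIONS = (".mid", ".midi")

# Tags (and the attribute carrying the URL) that load content without a click.
AUTOPLAY_TAGS = {
    "bgsound": "src",
    "embed": "src",
    "object": "data",
}


def _is_midi_url(url):
    """True if the URL's path component names a MIDI file (case-insensitive)."""
    if not url:
        return False
    path = url.split("?", 1)[0].split("#", 1)[0].strip().lower()
    return path.endswith(MIDI_EXTENSIONS)


class MidiEmbedScanner(HTMLParser):
    """Collects (kind, tag, url) findings; kind is 'autoplay' or 'link'."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_object = False

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names for us.
        attrs = dict(attrs)
        if tag in AUTOPLAY_TAGS and _is_midi_url(attrs.get(AUTOPLAY_TAGS[tag])):
            self.findings.append(("autoplay", tag, attrs[AUTOPLAY_TAGS[tag]]))
        if tag == "object":
            self._in_object = True
        elif tag == "param" and self._in_object:
            # <object><param name="src" value="x.mid"> is the media-player control form.
            name = (attrs.get("name") or "").lower()
            if name in ("src", "filename", "url") and _is_midi_url(attrs.get("value")):
                self.findings.append(("autoplay", "object/param", attrs["value"]))
        elif tag == "a" and _is_midi_url(attrs.get("href")):
            self.findings.append(("link", tag, attrs["href"]))

    def handle_endtag(self, tag):
        if tag == "object":
            self._in_object = False


def scan_html(document):
    """Return the list of MIDI findings in an HTML string."""
    scanner = MidiEmbedScanner()
    scanner.feed(document)
    scanner.close()
    return scanner.findings


def verdict(document):
    """'quarantine' for render-time MIDI, 'flag' for click-only links, else 'clean'."""
    findings = scan_html(document)
    if any(kind == "autoplay" for kind, _, _ in findings):
        return "quarantine"
    if findings:
        return "flag"
    return "clean"


# Constructed sample bodies mirroring the tags discussed in the thread.
SAMPLES = {
    "bgsound": '<html><body><BGSOUND SRC="exploit.MID" ><p>hi</p></body></html>',
    "embed": '<EMBED SRC="h4x0r3d.mid" HEIGHT=200 WIDTH=55></EMBED>',
    "object": '<object classid="clsid:0000"><param name="FileName" value="/t.mid?x=1"></object>',
    "link": '<p>Download the <a href="song.midi">song</a></p>',
    "benign": '<embed src="movie.swf"><a href="page.html">page</a>',
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:8s} -> {verdict(body)}  {scan_html(body)}")
```

Running the block prints one verdict per sample; the `bgsound`, `embed` and `object` documents are quarantined, the link-only one is merely flagged for review, and the Flash/HTML-only document is clean. The attribute check is on the URL path only, so a query string or fragment after `.mid` does not hide the file from the rule.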
Huh? BuyMusic? (Score:4, Insightful)
Mike.
Re:Huh? BuyMusic? (Score:4, Funny)
Hmmm... (Score:5, Funny)
Wha... (Score:5, Informative)
Re:Wha... (Score:5, Interesting)
That's the kicker. I know a LOT of sites that do this. A couple of financial services sites I frequent have Registered Reps that seem to think a MIDI that runs in the background lends "ambiance" or some such to their site. They INSIST on it.
Re:Wha... (Score:2)
Re:Wha... (Score:3, Funny)
Right! Web sites are for animated GIF's and blinking text!
Re:I prefer streaming Real or MP3 (Score:3, Insightful)
And what if I'm:
I think music playing without me specifically requesting it is ALWAYS a bad idea. Same as I don't want my browser to open unrequested windows EVER.
Greetings,
Re:Wha... (Score:2)
Re:Wha... (Score:2)
Yeah, and it's in Mozilla / Firebird, too. Every time I run across a page playing lousy MIDI music (or even good music) I go searching through the prefs panel, hoping some new setting came in with the last release.
Does anyone know of a hidden preferences setting to disable auto-play of music?
(I don't know if Moz would use the DirectX midiplayer, anyway, but I want to turn off this damned mu
Downloaded the patch this morning. (Score:3, Insightful)
It's already been fixed on my machine.
Will they indemnify me? (Score:5, Funny)
Har Har Har! Yeah, they'll indemnify up to the price you paid for DirectX...
You have to give M$ some credit though... finally, a security flaw where you don't have to care if you are using Win95a, win98blah, Win2k, Win2k SP1e92, WinXP, WinYP, whatever. A *cross-platform* security issue, if you will. ;)
Great. (Score:5, Funny)
A MIDI overflow? That means no more visits to most Geocities pages.
WTF, over (Score:3, Insightful)
I don't like Windows or BuyMusic.com, either, but this flaw doesn't seem to affect BuyMusic.com directly.
What'd I miss? (Seriously. If I missed something, tell me.)
Re:WTF, over (Score:2)
Re:WTF, over (Score:2, Informative)
Re:WTF, over (Score:3, Informative)
'just cuz i had to look it up... (Score:3, Informative)
Indemnify -
Main Entry: indemnify
Pronunciation: in-'dem-n&-"fI
Function: transitive verb
Inflected Form(s): -fied; -fying
Etymology: Latin indemnis unharmed, from in- + damnum damage
Date: circa 1611
1 : to secure against hurt, loss, or damage
2 : to make compensation to for incurred hurt, loss, or damage
Downplay (Score:4, Insightful)
I love how they downplay that, like it's such a stretch to get a user who doesn't know any better to click a link in an email or webpage. Hell, my father just agrees to every ActiveX install that happens to come up on his screen, and clicks on any banner ad saying he's got a potential security risk on his computer. Irony is a harsh mistress indeed.
Why was there no mention of the RPC flaw? (Score:4, Interesting)
LSD has produced two proof of concept exploit codes (which they have not released) which they were able to get to work even with Server 2003 and its new buffer overflow prevention mechanism. The nature of the flaw makes it ripe for exploitation by a worm.
As discussed here [yahoo.com], the reports are unusually embarrassing as they affect Server 2003, Microsoft's most powerful and safest software yet. It is ironic that the announcement comes one day after the Homeland Security Department announced that it awarded a five-year, $90-million contract for Microsoft to supply all its most important desktop and server software for about 140,000 computers inside the new federal agency.
More technical Info. (Score:5, Informative)
(Maybe I'm just bitter that my submission of the same story got rejected)
Re:More technical Info. (Score:5, Funny)
SPIN SPIN SPIN (Score:5, Informative)
"They'd have to come up with some way to get the user to click on that file," said Stephen Toulouse of Microsoft's Security Response Center, noting that default security settings in recent versions of Microsoft Outlook e-mail software and the Internet Explorer Web browser prevent automatic launching of such files.
HOWEVER, from the TechNet article on the flaw...
"If the file was embedded in a page the vulnerability could be exploited when a user visited the Web page."
Meaning that at BEST, Stephen Toulouse of Microsoft's Security Response Center is incompetent. At WORST he is a lying scuzzball.
Re:SPIN SPIN SPIN (Score:3, Informative)
Or he's very good at qualifying his statements. Note the article claims he says that recent versions have default settings to prevent automatic loading. In the MS security bulletin, they note that the default configuration of IE running under Windows Server 2003 is not affected due to its higher security settings. I can attest to that one; if you want to browse the web at all without seeing half the content locked off (like CSS headers, for example), you have to turn off all of the security lockdowns. I
not the first time (Score:5, Informative)
Overview:
Risk: High
Distribution: Low-Medium
Patch available from vendor: True
Systems Affected:
Systems having Microsoft DirectX Files Viewer
xweb.ocx (2,0,16,15 and possibly older)
Impact:
A remote attacker may be able to execute arbitrary code with the privileges of the current user.
Description:
A buffer overflow exists in the "File" parameter of the Microsoft DirectX Files Viewer ActiveX control that may permit a remote attacker to execute arbitrary code on the system with the privileges of the current user. This vulnerability affects users who visited the ActiveX samples gallery at activex.microsoft.com. Since the control is signed by Microsoft, users of Microsoft's Internet Explorer (IE) who accept and install Microsoft-signed ActiveX controls are also affected. This control was also available for direct download from the web, but can be uploaded to any website.
The tag could be used to embed the ActiveX control in a web page. If an attacker can trick the user into visiting a malicious site or the attacker sends the victim a web page as an HTML-formatted email message or newsgroup posting then this vulnerability could be exploited. This acceptance and installation of the control can occur automatically within IE for users who trust Microsoft-signed ActiveX controls. When the web page is rendered, either by opening the page or viewing the page through a preview pane, the ActiveX control could be invoked. Likewise, if the ActiveX control is embedded in a Microsoft Office (Word, Excel, etc.) document, it may be executed when the document is opened.
Vendor Information:
secure_at_microsoft.com was informed on
9.May.2002.
MSRC 1149cb ticket was opened and finally resolved on 25.Jun.2002
Solution:
Apply the latest IE/OS patches available from Microsoft:
Setting kill bit expected to be included in latest IE Service pack.
Windows 2000 SP3 and Windows XP SP1 expected to solve this problem.
Links:
ActiveX control still available for retrieval from Global Internet "backup copy":
http://web.archive.org/web/20010410194632/http://
MIDI (Score:5, Funny)
Ciryon
Re:MIDI (Score:2, Funny)
Now this just has to be the next
Which tune should you have to play to get the admin password through MIDI? Personally, I vote for the Mission: Impossible theme, but I'm sure someone has a better idea.
DirectX Bloat... (Score:3, Interesting)
Re:DirectX Bloat... (Score:2, Informative)
OpenGL is just graphics. DirectX is a lot more...
DirectX contains:
- 3D API (DirectGraphics)
- Sound and 3D Sound API (DirectSound)
- Network play API (DirectPlay)
- MIDI and music API (DirectMusic)
- Various drivers for sound and graphics cards
simple (Score:2)
make a product first and sell it and worry about the bugs later.
why would you spend $$$ debugging something that works while you can wait for others to find the bugs for you. that saves $$$. and look at their market share. this approach works fine.
Turn to Slashdot for breaking news! (Score:5, Informative)
Let's look at the evidence:
Flaw in DirectX allows code embedded in a malformed MIDI file to be executed on machine (read more [microsoft.com])
Patch from MS available before news "broke" on slashdot
Article submitter somehow tries to tie this to buymusic.com
Looks like a case of a rapid fix from MS and a kneejerk editor at Slashdot. How about this spin? "Notified of critical bug, MS immediately issues fix". Nah, wouldn't play to this crowd.
To answer your question, cryonic*angel [slashdot.org], MS won't indemnify you but level headed readers may excoriate you...
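The post above states the flaw in one line: a malformed MIDI file makes DirectX execute code. The thread does not say which field is malformed, so the following added example (not code from the thread, from Microsoft, or from any DirectX component) demonstrates the general defence a decoder front-end should apply to this file class rather than a reproduction of the bug: walk the Standard MIDI File chunk headers and check every declared length against the bytes actually present before anything trusts it as an offset. `MAX_CHUNK_LEN`, the `build_smf` helper and the sample files are assumptions constructed for the example; the `MThd`/`MTrk` layout and the end-of-track meta event are from the SMF specification.

```python
"""Structural validation of a Standard MIDI File (SMF) before decoding.

Added example for the thread above; not Microsoft's or DirectX's code and not a
reproduction of the reported bug. It shows the length-versus-buffer checks a
safe parser performs on every chunk of an untrusted MIDI file.
"""
import struct

MAX_CHUNK_LEN = 16 * 1024 * 1024  # assumption: a sane upper bound for one chunk
END_OF_TRACK = b"\xff\x2f\x00"     # SMF meta event that must close every MTrk


class MidiFormatError(ValueError):
    """Raised for any structural problem; the file is rejected, not decoded."""


def validate_smf(data):
    """Return (format, ntracks, [track body lengths]) or raise MidiFormatError.

    Every declared length is compared with the bytes remaining *before* it is
    used to compute an offset or copy into a buffer.
    """
    if len(data) < 14:
        raise MidiFormatError("file too short for an MThd header")
    if data[:4] != b"MThd":
        raise MidiFormatError("missing MThd signature")
    hdr_len = struct.unpack(">I", data[4:8])[0]
    if hdr_len != 6:
        raise MidiFormatError(f"MThd length {hdr_len} != 6")
    fmt, ntracks, division = struct.unpack(">HHH", data[8:14])
    if fmt not in (0, 1, 2):
        raise MidiFormatError(f"unknown SMF format {fmt}")
    if fmt == 0 and ntracks != 1:
        raise MidiFormatError("format 0 files carry exactly one track")
    if division == 0:
        raise MidiFormatError("a division of 0 ticks is invalid")

    offset, tracks = 14, []
    while offset < len(data):
        if len(data) - offset < 8:
            raise MidiFormatError(f"truncated chunk header at offset {offset}")
        chunk_id = data[offset:offset + 4]
        chunk_len = struct.unpack(">I", data[offset + 4:offset + 8])[0]
        body_start = offset + 8
        remaining = len(data) - body_start
        if chunk_len > MAX_CHUNK_LEN:
            raise MidiFormatError(f"chunk {chunk_id!r} length {chunk_len} exceeds limit")
        if chunk_len > remaining:
            # This is the check an overflowing parser omits: the declared size
            # is larger than the data, so reading chunk_len bytes runs past it.
            raise MidiFormatError(
                f"chunk {chunk_id!r} declares {chunk_len} bytes, only {remaining} remain")
        body = data[body_start:body_start + chunk_len]
        if chunk_id == b"MTrk":
            if body[-3:] != END_OF_TRACK:
                raise MidiFormatError("MTrk does not end with End of Track")
            tracks.append(chunk_len)
        # Other chunk types are "alien" chunks the spec says to skip.
        offset = body_start + chunk_len
    if len(tracks) != ntracks:
        raise MidiFormatError(f"header promises {ntracks} tracks, found {len(tracks)}")
    return fmt, ntracks, tracks


def is_safe_smf(data):
    """Convenience wrapper: True only if the whole file validates."""
    try:
        validate_smf(data)
        return True
    except MidiFormatError:
        return False


def build_smf(track_bodies, fmt=0, division=96):
    """Assemble a well-formed SMF from raw track bodies (constructed helper)."""
    out = b"MThd" + struct.pack(">IHHH", 6, fmt, len(track_bodies), division)
    for body in track_bodies:
        out += b"MTrk" + struct.pack(">I", len(body)) + body
    return out


# Constructed samples: one note on/off then End of Track (12-byte body).
TRACK = b"\x00\x90\x3c\x40" + b"\x60\x80\x3c\x40" + b"\x00" + END_OF_TRACK
GOOD_FILE = build_smf([TRACK])
# Same file with the MTrk length field (bytes 18..22) set to 0xFFFFFFFF.
BAD_LENGTH_FILE = GOOD_FILE[:18] + b"\xff\xff\xff\xff" + GOOD_FILE[22:]
TRUNCATED_FILE = GOOD_FILE[:-2]

if __name__ == "__main__":
    for name, blob in [("good", GOOD_FILE), ("bad length", BAD_LENGTH_FILE),
                       ("truncated", TRUNCATED_FILE)]:
        try:
            print(name, "->", validate_smf(blob))
        except MidiFormatError as exc:
            print(name, "-> rejected:", exc)
```

The good file validates as `(0, 1, [12])`; the file whose track claims four billion bytes is rejected at the length check before any byte of the body is touched, and the truncated file is rejected because its real length no longer matches the declared one. A decoder that is only handed files passing this gate never sees a length field it cannot honour.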
Re:Turn to Slashdot for breaking news! (Score:3, Funny)
Looks like a case of a rapid fix from MS and a kneejerk editor at Slashdot. How about this spin? "Notified of critical bug, MS immediately issues fix". Nah, wouldn't play to this crowd.
New slashdot poll:
A flaw is announced in MS products, what happens next and why?
a) Microsoft release a fix slowly - that would never happen in open source!
b) Microsoft release a fix quickly - they must have known about it already and not told anyone!
c) MS products are a flaw in themselves, recursion not allowed.
d) The
It's NOT a bug -- It's a FEATURE (Score:2)
Now the RIAA can put poisoned files onto P2P. But instead of just being annoying audio admonishing you not to steal, they can own your computer.
All they need is for it to be legal for them to hack your computer.
WineX? (Score:4, Funny)
"Unsually wide spread"?!?! (Score:4, Funny)
I won't EVER be buying music from BuyMusic.... (Score:5, Informative)
Who cares about the freaking security, did anyone read the TERMS OF SALE AGREEMENT [buymusic.com]?
Check this out:
Content Use Rules. All downloaded music, images, video, artwork, text, software and other copyrightable materials ("Content") are sublicensed to End Users and not sold, notwithstanding use of the terms "sell," "purchase," "order," or "buy" on the Site or this Agreement.
Your Digital Download sublicense is nonexclusive, nontransferable, nonsublicenseable, limited and for use only within the United States. End users may play the Digital Downloads an unlimited number of times on the same registered personal computer to which the Digital Download is originally downloaded.
So are you saying I don't actually own what I'm "buying" on their site?
How can you unlicense your computer too? So if I get a new machine, I lose all my songs!? I couldn't find any mention of switching "primary computers" so that I can keep my music when I upgrade my machine. What about the next time I have to install a fresh version of XP over my current install? Has anyone checked out this service?
Re:I won't EVER be buying music from BuyMusic.... (Score:3, Interesting)
If I buy a CD (which I won't, because they are too expensive nowadays; I own about 600 of them thus far though) I can play it in my computer (technically my old stereo), in my surround system, in my car, in mine or my girlfriend's portable CD player, at work, or at a friend's place.
If I could buy the music legally in high quality ogg for
Re: (Score:3, Interesting)
Roberta Flack is back (Score:4, Funny)
*Another* buffer overrun? (Score:3, Interesting)
The class taught us about error checking and control. Something MS seems to desperately need.
Bashdot? (Score:3, Funny)
Dear Windows Users (Score:5, Funny)
<EMBED SRC="h4x0r3d.mid" HEIGHT=200 WIDTH=55></EMBED>
Yours,
B. Overflow
WTF! (Score:5, Insightful)
Windows security hole counter (Score:5, Interesting)
SP4 products are not affected by this flaw (Score:3, Informative)
Windows 2000 machines running SP4 are not affected by this flaw. I suggest anyone running anything less than this starts deploying SP4 instead of this individual patch. Shavlik [shavlik.com] has excellent products to make your patch deployment easier.
Re:SP4 products are not affected by this flaw (Score:3, Informative)
Ironically
Well done Microsoft (Score:3, Interesting)
My only complaint is that MS seems less concerned with many less severe vulnerabilities. You'd think a corporation of their size would have a whole department devoted solely to fixing all security (and other) flaws.
NOT every possible Windows configuration... (Score:3, Informative)
The complete list of affected Windows/DirectX combinations is as follows:
Microsoft DirectX® 5.2 on Windows 98
Microsoft DirectX 6.1 on Windows 98 SE
Microsoft DirectX 7.0a on Windows Millennium Edition
Microsoft DirectX 7.0 on Windows 2000
Microsoft DirectX 8.1 on Windows XP
Microsoft DirectX 8.1 on Windows Server 2003
Microsoft DirectX 9.0a when installed on Windows Millennium Edition
Microsoft DirectX 9.0a when installed on Windows 2000
Microsoft DirectX 9.0a when installed on Windows XP
Microsoft DirectX 9.0a when installed on Windows Server 2003
Microsoft Windows NT 4.0 with either Windows Media Player 6.4 or Internet Explorer 6 Service Pack 1 installed.
Microsoft Windows NT 4.0, Terminal Server Edition with either Windows Media Player 6.4 or Internet Explorer 6 Service Pack 1 installed.
Not every possible Windows configuration but probably a majority of them.
Check the relevant technical bulletin [microsoft.com] for more info.
A bit more serious than the average bug (Score:3, Informative)
Re:Windows ... (Score:5, Interesting)
Re:Windows ... (Score:3, Insightful)
Re:Windows ... (Score:5, Informative)
But i'm not sure it was in the last year, if it's earlier then OpenBSD is your answer!
Re:Windows ... (Score:5, Informative)
OpenBSD security advisories from this year (for version 3.2):
# March 31, 2003: A buffer overflow in the address parsing in sendmail(8) may allow an attacker to gain root privileges.
# March 24, 2003: A cryptographic weakness in the Kerberos v4 protocol can be exploited on Kerberos v5 as well.
# March 19, 2003: OpenSSL is vulnerable to an extension of the ``Bleichenbacher'' attack designed by Czech researchers Klima, Pokorny and Rosa.
# March 18, 2003: Various SSL and TLS operations in OpenSSL are vulnerable to timing attacks.
# March 5, 2003: A buffer overflow in lprm(1) may allow an attacker to elevate privileges to user daemon.
# March 3, 2003: A buffer overflow in the envelope comments processing in sendmail(8) may allow an attacker to gain root privileges.
# February 25, 2003: httpd(8) leaks file inode numbers via ETag header as well as child PIDs in multipart MIME boundary generation. This could lead, for example, to NFS exploitation because it uses inode numbers as part of the file handle.
# February 22, 2003: In ssl(8) an information leak can occur via timing by performing a MAC computation even if incorrect block cipher padding has been found, this is a countermeasure. Also, check for negative sizes, in allocation routines.
# January 20, 2003: A double free exists in cvs(1) that could lead to privilege escalation for cvs configurations where the cvs command is run as a privileged user.
Re:Windows ... (Score:3, Interesting)
I want an OS tha
Re:Windows ... (Score:3, Interesting)
Re:Windows ... (Score:3, Insightful)
But really, Linux and MacOS X are both better, and while there have been bugs found in each, if the bug isn't one in a component you use, or in the kernel, can you count it? When I update my system, many of the updates are for third-party packages. As if MS provided patches for Eudora.
Re:Windows ... (Score:2)
You know, that's EXACTLY why the other non-Microsoft operating systems are better. Oh wait...
Re:Windows ... (Score:2)
What OS can give you that now? None that have anything installed, or communicate on a network of some sort. All machines are vulnerable. I would have figured that a user ID as low as yours would imply something... apparently not.
Re:SCO insiders sell, sell, sell. (Score:4, Funny)
Yeah, I wish slashdot would pick up on this whole SCO thing. I cannot understand why SCO is being completely and utterly ignored here.
Re:YABOP (Score:2)
Re:A MIDI file? (Score:2)
Active code can be integrated everywhere, and everything can mimic something totally different (an .exe file can mimic a .wav file, but the system will properly start it anyway).
That's the idea: Make everything potential harmful. That's the Microsoft philosophy of
Re:Frequency of Windows Patches (Score:3, Informative)