Slashdot Mirror


Microsoft Discloses Security Flaws in XP and WMPlayer

An anonymous reader writes: "Salon is running a story on Microsoft's disclosure of a number of security flaws in WinXP and Windows Media Player, versions 6.4 and 7.1. The story also states that there are 2 critical vulnerabilities in Commerce Server 2000. Will I ever get the bang for my MS buck?"

12 of 292 comments

  1. Cue Microsofties, stage left by Anarchofascist · · Score: 1, Interesting

    "Yeah, we may have four new security holes (two critical) in our flagship secure commerce server, and three new holes in WMP, but YOU guys had a possible exploit (with a simple workaround) in OpenSSH! HA! Nyer nyer. Thhhhhpt."

    --
    Once more unto the breach, dear friends, once more, Or close the wall up with our American dead!
  2. Better update options? by Saggi · · Score: 3, Interesting

    Most software is expected to have bugs. But when it comes to an OS, great care should be taken in removing these, especially those involving security. But bug tracking is an art form. You can never remove bugs 100%, as the difficulty in finding the bug increases dramatically as you approach 100%.

    When it comes to software like the media player, this is much more serious. This goes into much more than just one single OS. I run Win95, Win98 and Win2000, and all these may be affected. On top of that, the media player keeps prompting me to update the software. Wouldn't it be nice if the system gave me the option to update to the most stable and secure version or the latest version? You might think I have that option, as I may choose not to download the latest, but make my way through the download jungle to find an earlier version. But this jungle is impossible to move through for ordinary people.

    I understand that Microsoft waits with disclosure of the bug until they have a patch. This is often criticized, but in some cases it makes sense.

    --
    -:) Oh no - not again.
    www.rednebula.com
  3. Anyone read Cringley's Pulpit this week? by Anonymous Coward · · Score: 5, Interesting
  4. Re:Yet more unwarranted MS bashing by bludstone · · Score: 5, Interesting

    One of my XP-running friends went through this upgrade. It completely trashed all his funky video codecs. He currently can't watch about 2/3rds of the stuff he's downloaded, most of them being independent music videos.

    has anyone else experienced this?

    --

    no .sig
  5. Trojan End User License Agreement by eswan · · Score: 5, Interesting
    Has anybody else actually read the EULA that comes with the media player 6.4 patch?

    Digital Rights Management (Security). You agree that in order to protect the integrity of content and software protected by digital rights management ("Secure Content"), Microsoft may provide security related updates to the OS Components that will be automatically downloaded onto your computer. These security related updates may disable your ability to copy and/or play Secure Content and use other software on your computer. If we provide such a security update, we will use reasonable efforts to post notices on a web site explaining the update.

    Security update? Whose security are they protecting? There is no option to uninstall media player. Your choices (if you wish to continue using Windows) are

    A: Leave your system open to bugs that give system level access to the next worm (imagine nimda with a malicious /default.htm)

    B: Bite the bullet and install the patches. But if Microsoft releases an update that silently and without notification installs itself and 'disable(s) your ability to ... use other software', you're SOL. But hey, it's ok. Don't you know Microsoft is supporting 'Trustworthy Computing'?

    1. Re:Trojan End User License Agreement by Chris+Johnson · · Score: 3, Interesting
      Oh, that's _really_ cute. Operative word being 'other software'. I am so glad I'm not a Windows developer right about now....

      Legally, this means "I agree to allow Microsoft to make updates, that will be automatically downloaded, and that may break any non-Microsoft software for any reason, or for no reason". There's absolutely no limitation on the 'disable your ability to ... use other software' clause. 'And' applies the 'disable' part to the 'other software' part, nowhere is 'other software' defined. Also note it's up to Microsoft what they consider 'reasonable efforts'!

      They're getting to be sneakier than the music industry contract lawyers. That is rather disturbing...

  6. Just got this in my inbox? by oliverthered · · Score: 4, Interesting

    I'm waiting for someone to do a DNS hijack of update.microsoft.com and load a nice new trojan on everyone's box that their AV software doesn't detect. If these morons were serious about security, they'd use ssh, not http, for updates (and let you turn off HTML rendering in your email client).

    --
    thank God the internet isn't a human right.
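    The scenario in the post above, a hijacked DNS answer for the update host feeding a trojan to clients that trust whatever HTTP serves them, is normally closed by authenticating the update itself rather than only the transport. The Go program below is an added example, not code from the original post and not Microsoft's actual update mechanism; the manifest format, the idea of a vendor key pinned in the client at install time, and the three download scenarios are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Manifest is an assumed (illustrative) format: next to the package bytes the
// server publishes the package's SHA-256 digest and a signature over that
// digest made with the vendor's release key.
type Manifest struct {
	Name      string
	Digest    [sha256.Size]byte
	Signature []byte
}

// publish is the vendor side: hash the package and sign the digest.
func publish(priv ed25519.PrivateKey, name string, pkg []byte) Manifest {
	d := sha256.Sum256(pkg)
	return Manifest{Name: name, Digest: d, Signature: ed25519.Sign(priv, d[:])}
}

// verifyUpdate is the client side. The package is accepted only if the
// manifest's signature verifies under the key pinned at install time AND the
// bytes actually received hash to the signed digest. Neither check depends on
// which host answered the DNS query or which server delivered the download.
func verifyUpdate(pinned ed25519.PublicKey, m Manifest, pkg []byte) error {
	if !ed25519.Verify(pinned, m.Digest[:], m.Signature) {
		return errors.New("manifest signature does not verify under pinned vendor key")
	}
	got := sha256.Sum256(pkg)
	if !bytes.Equal(got[:], m.Digest[:]) {
		return errors.New("downloaded package does not match signed digest")
	}
	return nil
}

// scenario plays three downloads against one client that pins the vendor key:
// the genuine update; a hijacked host serving a trojan alongside the real
// manifest; and a hijacked host serving a trojan with a manifest the attacker
// signed with their own key. It reports whether each download was accepted.
func scenario() (genuine, swappedPackage, swappedManifest bool) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}

	// Constructed sample payloads standing in for real installer bytes.
	realPkg := []byte("wmp-security-update: patched buffer handling")
	trojan := []byte("wmp-security-update: installs remote shell")

	realManifest := publish(vendorPriv, "wmp-6.4-patch", realPkg)
	attackerManifest := publish(attackerPriv, "wmp-6.4-patch", trojan)

	genuine = verifyUpdate(vendorPub, realManifest, realPkg) == nil
	swappedPackage = verifyUpdate(vendorPub, realManifest, trojan) == nil
	swappedManifest = verifyUpdate(vendorPub, attackerManifest, trojan) == nil
	return genuine, swappedPackage, swappedManifest
}

func main() {
	g, p, m := scenario()
	fmt.Printf("genuine update accepted:                     %v\n", g)
	fmt.Printf("trojan with real manifest accepted:          %v\n", p)
	fmt.Printf("trojan with attacker-signed manifest accepted: %v\n", m)
}
```

    An authenticated transport (the ssh the poster asks for, or TLS with the server identity checked) also defeats a plain DNS hijack, but a signature over the artifact keyed to a pinned vendor key additionally survives mirrors, caching proxies and media handed around offline, which is the case the "not online" post further down raises.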
  7. What if you're not online? by nullard · · Score: 2, Interesting

    One thing that's always bugged me about these kinds of updates? What do you do if the machines don't have internet access? I know that that invalidates most of the vulnerabilities (except inside the lan), but what happens someday in the future when the machine finally goes online and tries to download 3000 security updates?

    Maybe vendors should have to release these updates on CD as well.

    NOTE: I'm not focusing on MS here, other vendors should be asked to do the same.

    --
    t'nera semordnilap
  8. Danger Danger Danger by Llywelyn · · Score: 3, Interesting

    >Perhaps it's too technical

    *Exactly*.

    In a world where we cannot convince people that MHz don't matter, and people believe that security is a product, attempting to convince them of the security issues with MS will prove fruitless.

    MS will just release statistics and compare their OS with the number of security holes found in OS + Applications and people will believe it to show that Linux is less secure. They will turn up their marketing engines and hype that Open Source means Lower Security and people will believe it.

    True Story: I was attempting to convince a certified MS XP technician that MS didn't understand security. Keep in mind this is someone deep within the ranks of the Microsoft Heresy (like the Cainite Heresy, but more Hideously Evil(TM)).

    I cited Schneier, cDc, L0pht, and a half-a-dozen others. I talked about how open source was a good thing; the reply I got back can be summarized:

    1) Security is a product ("A firewall will make you secure")

    2) He thought the only reason you would want to secure your system was to keep people from browsing the pr0n there (and seeing the other files).

    3) The threat level is minimal--no one would want to break into *your* system.

    4) Believing that security was a real issue was like believing everything anyone told you (down to "three headed big foots in Utah").

    Of course this is absolutely absurd, but that's what he believed. While you may not be able to sell the general public on all of that, it gives an impression of how MS treats security and how their marketing department would convince their users to treat it.

    Sad, but true.

    --
    Integrate Keynote and LaTeX
  9. Re:And what about more secure OSes? Mac? by Anonymous Coward · · Score: 1, Interesting

    Double check your facts and never say never.

    And for that reason, you are a troll.

    Successful hack of a Mac webserver during the Crack-A-Mac contest: http://www.zdnet.com/anchordesk/story/story_1189.html

  10. Re:Yet more unwarranted MS bashing by NanoGator · · Score: 3, Interesting

    "The difference is that Linux is open about their problems - and they make an effort to keep the public informed. If a critical problem is found, the code is changed (almost immediately).
    Microsoft hides their bugs. So for them to come out and announce bugs (and patches) before the bugs become newsworthy issues is a step in the right direction. "


    I see the problem a little differently. A lot of the vulnerabilities that have been mentioned in Windows are really features that MS implemented that people have found a way to exploit. The Melissa virus comes to mind.

    So what'll happen is MS will add new features, and then somebody'll find a way to be a nuisance with them. Unfortunately, what'll happen is that the resolution to the problem isn't so clear. "Do we take out the feature, or do we put a rule in it and wait for somebody to find a loophole?"

    Anybody used Office XP? (heh yah right, sorry) One of my coworkers is using Outlook XP. One of his coworkers tried to send him an .EXE (no, not one of those web games, it was a test build of some code he was writing) but Outlook refused to admit that it had it. What happened was Outlook XP had disabled the ability to receive .EXE files. I don't mind this by default, but there wasn't a menu option to re-enable it. Result? A Google search and a clumsy registry hack.

    I can't help but think that MS just got tired of people being hit with it and just removed it altogether.

    Just to be clear: I'm not arguing with you, just presenting another angle to the story. It's a big tangled mess. Windows has bugs, vulnerabilities, and features that can be used against you. I hope the Linux community is paying attention to this. I have a feeling they could develop a solution that allows the interesting features without allowing kiddie scripters to exploit them.

    --
    "Derp de derp."
  11. Did you read what it said? by Erris · · Score: 3, Interesting
    Since when did WM's DRM remove the ability to use WinAmp? Just don't buy "secure crap" music.

    Look at that EULA again:

    These security related updates may disable your ability to copy and/or play Secure Content and use other software on your computer.

    WinAmp is one of those "other software on your computer" which may be disabled. Duh.

    Essentially, this is a backfit of their XP license and DRM technology for the 60% of WinSlaves that are using Win98.

    Given that Windows Security is an oxymoron, there's no reason to "upgrade" your computer this way. Outlook, IE or some stupid piece of junk like a plug and play daemon that you never knew listened to the network will eat you anyway.

    If you just must have M$ in your house, blind it to the network by NOT installing the network card drivers or pointing it to a bogus gateway IP number. Never use it to surf, read email or anything else that M$ will never do right. I admit that I have such a beast in the corner for talking to cameras and an old scanner. It's legal and I own it. But I'll never ever trust it. Red Hat's dual boot (GRUB) lets me get the information off of it.

    --
    DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.