WinXP and WinAmp Vulnerable to Malicious MP3s
mypenwry writes "Foundstone, a Mission Viejo, CA security services company, is reporting several vulnerabilities that would allow malicious code embedded in MP3 and WMA files to be executed via WinXP and WinAmp. WinAmp versions 2.81 and 3.0 are vulnerable to buffer overflows via certain long ID3v2 tags when MP3 files are loaded. More troubling is the WinXP vulnerability: A buffer overflow exists in Explorer's automatic reading of MP3 or WMA (Windows Media Audio) file attributes in Windows XP. An attacker could create a malicious MP3 or WMA file that, if placed in an accessed folder on a Windows XP system, would compromise the system and allow for remote code execution. The MP3 does not need to be played; it simply needs to be stored in a folder that is browsed to, such as an MP3 download folder, the desktop, or a NetBIOS share. This vulnerability is also exploitable via Internet Explorer by loading a malicious web site. Explorer automatically reads file attributes regardless of whether or not the user actually highlights, clicks on, reads, or opens the file. Windows XP's Explorer will overflow if corrupted attributes exist within the MP3 or WMA file. Microsoft has issued a fix for this vulnerability. Nullsoft has posted fixed versions of WinAmp 2.81 and 3.0 on their web site."
I hope no one tells the RIAA about this. They will be putting landmines in P2P soon.
Jaysyn
There is a war going on for your mind.
...MP3s are harmful to business!
I just found a buffer with unchecked bounds in XMMS. This ain't no good. I should have a patch posted in a few minutes.
This is all part of the Berman Bill.
psmylie's dictionary: Godzillion (noun) Any number large enough to destroy Tokyo
So, now when the users are afraid because of having virii in their mp3s, they are not stupid anymore?
looks like listening to the newest Britney Spears album will result in more than just bad taste.
Mike
Makes me slowly wonder: is there a list of file formats around there that are actually safe on Windows, or are they all corrupt nowadays...
The site where: "I'm right, as long as you ignore the things that prove me wrong", became a valid method of debate.
http://www.xmms.org
Why hasn't Microsoft just changed the way it handles buffers to eliminate the weekly discovery of yet another buffer overflow exploit that compromises security? It's obvious to just about everyone else that any buffer that doesn't ignore excessive input will be a problem in the future - why does Microsoft insist on treating each one of these issues as though it was a totally new problem instead of making a global change to secure the OS from this kind of hack?
This is more of a curiosity than any sort of danger. Most of us, when we get a new mp3 file, give it a listen to make sure it's not mislabeled, doesn't cut off in the middle of the song, and sounds okay. We throw out or fix the ones that aren't up to our standards. So the number of people who would let one of these dangerous mp3s just sit there and be scanned is probably pretty small. And as is usually the case when something like this is discovered, they probably deserve what they get for being such idiots.
Karma: Good (despite my invention of the Karma: sig)
Uhhh ... .txt files?
...a machine can be hacked through the mp3 player. This is all not so Windows centric either, many software developers need to get a clue.
Click the Windows Update button and reboot and you're fixed. Or if you're like many people, the fix has already installed during an automatic update check last night. This isn't really news unless Slashdot is merging with Bugtraq (Slashtraq? Bugdot?). Are we just posting this to bash Microsoft once again? Automatic updates were one of the best new features they added to Windows and they make life much easier. Oh and no, I don't wrap tinfoil around my head worrying whether Microsoft is going to invade my PC and lock me out of it.
Something tells me that my daily virus scan is gonna take a lot longer now...
Oh wait... it's a Windows problem... never mind...
RickTheWizKid
My purpose: to inject random comments...
we see a worm exploiting this, remember the last worm that was executed without even opening a file.
You guys are all supposed to be using Ogg anyways! That way you can act like you are a snooty audiophile anytime a MP3 story is posted...
Strange women lying in ponds distributing swords is no basis for a system of government.
...do we need all this flash & bell things in Explorer / whatever in the first place? Sure it's nice to see tags of a file without opening it, but is it really necessary? Couldn't people live without it?
As for the buffer overflows, that isn't exactly a new thing; you'd like people to pay better attention to those sorts of things...
Oh, and that's a trouble also because Explorer runs with high-level privileges, too (just can't help smacking MS, sorry), so this kind of exploit can be annoying...
Tsuyoikoto ha taisetsu da ne, dakedo namida mo hitsuyousa (Strength is an important thing, but tears too are necessary)
From Microsoft:
An attacker might attempt to exploit this in one of three ways:
* Host the file on a website. In this case, if a user were browsing the page containing the file and hovered over it with his or her mouse, the vulnerability could be exploited.
Eep!
* Host the file on a network share. In this case, if a user browsed to the network share and simply opened the folder which contained the file, it could cause the vulnerability to be exploited.
Gaah!
Also, it seems you can send an e-mail with the mp3 object in a frame (this is the third way of exploiting it) so you don't even need to click a link in Outlook / OE for it to be run. This shouldn't be possible on XP SP1 or a recently patched IE though.
Beware: In C++, your friends can see your privates!
From what it says, by then it's too late.. As the act of verifying will let the malicious code take effect..
Unless i TOTALLY misunderstood....
---- Booth was a patriot ----
would be if they embedded these in Jon Bon Jovi MP3s.
--sdem
We all know what buffer overruns are, but why do they seem to be so common? It would seem like this is something that could be easily prevented in the compiler or at most with very basic programming procedures. As many of us are programmers, any advice how to prevent these in our code? Is it possible to accidentally allow buffer overruns in other languages besides C (Java, C#, etc.)?
Oh, just kidding. :)
:)
I would like to ask for factually-based opinions whether these innumerable highly dangerous security holes in MS software are more the result of the ingenuity of the hackers or the incompetence of the Microsoft design and testing process, or about 50:50. I am inclined to be prejudiced against Microsoft, so I would be REALLY interested in hearing reasoned defenses of their predicament, if such exist.
So, please, no MICROSOFT RULZ!!! or MICROSOFT SUX!!! I'm not asking for a vote.
Microsoft provides the #1 small-system OS, for better or worse, which means Windows will immediately be the hot target for black-hat types intent on spreading misery or demonstrating their hatred for the leviathan.
I know, too, that half the problem has been MS's arguably foolhardy decisions in adding dubious extensions to their software, like default enabling scripting in Outlook and macros in Word. But I'm kind of curious about the mistakes in doing their core work, like handling MP3's.
Last, I have trouble understanding how so many of these bugs come from a company with many of the brightest programmers. Is it largely a problem of scale and bureaucracy?
Share your concise insightful informative nonprofane fact-based reactions from experience?
This shouldn't be possible on XP SP1 or a recently patched IE though.
Or, of course, Mozilla, Eudora, or Opera.
Disturbing that it's in WinAmp too. Guess that llama's ass only holds so much.
Never confuse volume with power.
Thanks for nothing Nullsoft.
Linux is only free if your time has no value. Windows is only free if you threaten to use Linux.
Nullsoft has posted fixed version of WinAmp 2.81 and 3.0 on their web site."
Is there a reason they haven't released a new version with the bugfix instead of just uploading a new copy with the _same release number and date_? Both versions are listed as released in early or middle August, and there are no bugfixes listed anywhere on the site in regards to this. Are they trying to hide that it's been fixed, or just don't want anyone to figure it out?
Interested in open source engine management for your Subaru?
It can't be denied any longer. Back in the day the poor virus writer had to rely on his victims to carry the payload through meatspace on floppies.
M$ has been continually improving virus transmission methods, and now you might be infected just by moving your mouse.
But do we really need to worry? After all, how many kiddies are out there bragging that they '@dm1n1str@t0r3d' someone's XP box. No, it's just not as sexy as r00t3d.
I don't think so. I know people who download a lot of stuff, and if you have it set up to download 100 MP3s overnight, your system could be compromised by morning. Are you going to listen to those 100 MP3s first thing in the morning?
The kicker is that the odds you get compromised go up greatly if someone seeds Kazaa, or even a web page, with an infected MP3 file. They can see who is downloading it so they know the IP to attack. On a web page, they could get your IP out of the logs. I never thought an MP3 file would leave a system vulnerable, but I guess that is why this is a pretty scary vulnerability - nobody else would either.
My beliefs do not require that you agree with them.
And as is usually the case when something like this is discovered, they probably deserve what they get for being such idiots.
One never deserves to be the victim of a crime.
Maybe the victim failed to be careful. Maybe the victim deserved to suffer. But it is the criminal who made the truly blameworthy decisions.
The only reason to blame the victim is laziness in identifying or punishing the culprit, or in some cases a tacit sympathy for same.
I was sent and installed the fix before I read about the vulnerability.
It's Christmas everyday with BitTorrent.
Tools->Folder Options
set Web View to "Use Windows Classic Folders"
I've always done this, having never trusted 'web content' in any folder I browse to (nor needing the extra overhead it causes drawing thumbnails of bitmaps and whatnot)
I believe any Windows that's upgraded to Media Player 7.1 and/or IE6 would be vulnerable, not just XP?
I don't need no instructions to know how to rock!!!!
This type of stuff blows my mind. What the heck is MS doing underneath their code? They are music files. When played, if altered, you should get static at the worst. You take the MP3, get the label information if it has it, decode the rest of the information, convert it for your sound card and you hear music. I see no good reason for the OS to really get involved except for opening and reading the file and sending it to the sound card. I think MS should stop putting in these backdoors that hackers find and use.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
Long ago, I decided that Windows 2000 was going to be my last mainline MS operating system. Since Linux is making great strides towards usability on the desktop, it looks like I'll never have to rely on having XP on my PC. Now, I just have to make sure I keep Winamp current along with all my other applications.
...
However, this brings up an interesting question. Short of modifying the registry entries in HKEY_CLASSES_ROOT, is there any way to avoid all the cutesy stuff MS has been doing with file associations? I seem to remember a Win95/NT/2k shell extension that did something similar to the MS code that's being exploited. It popped up an additional property sheet with all the ID3 tag info. Could someone use that instead of the Windows shell without severely hacking the registry?
It also reopens an old sore. If the Windows Media Player were installed as an "application," not as "part of the operating system," this shell code would not be needed until WMP is installed. Those smart enough to search for better media-playback solutions would not be subjected to this vulnerability. Thanks, Microsoft! DOJ, are you paying attention?
And one more observation: now that MP3 files can carry shellcode, the virus scanners will have to start scanning them too. More processor overhead, longer scantimes, moan, gripe,
You're exactly right.
I think what the previous poster is thinking of is ID3v1 tags, which are located at the end of the MP3, so you don't get them until the MP3s finish downloading (and what's more, they have a fixed size so they're easy to check, but that's beside the point).
Now, this bug involves ID3v2 tags. ID3v2 tags are located at the start of the MP3, which is why when you add one to an MP3 playing in Winamp you get a brief pause: it has to add it to the start of the file. Therefore, any MP3 with an ID3v2 tag will already have the potential of compromising you by the time it's downloaded enough to play part of the song if you preview them using Winamp.
I don't know how Explorer checks file attributes on MP3s, but I'm assuming that you're already in danger by this time too.
"I won't mod you down - I feel the need to call you a twit explicitly, rather than by implication."
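The post above is right that an ID3v2 tag sits at the front of the file and has a declared size, which is exactly where a parser that trusts length fields gets into trouble. As an added example (not code from the advisory, Nullsoft or Microsoft), here is a bounds-checked ID3v2.3/2.4 tag walker that rejects a frame claiming more bytes than the tag holds and copies text into a fixed buffer without ever trusting the frame length; the tag builder, the 0x7fffffff "lying" size and the TITLE_MAX limit are constructed for the demo, and the parser assumes no extended header or unsynchronisation.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ID3_HDR   10   /* "ID3", version, revision, flags, 4-byte syncsafe size */
#define FRAME_HDR 10   /* 4-byte id, 4-byte size, 2-byte flags */
#define TITLE_MAX 32   /* fixed buffer the tag text is copied into (constructed) */

struct id3_summary {
    int version;            /* ID3v2.x major version byte */
    int frames;             /* frames walked successfully */
    char title[TITLE_MAX];  /* TIT2 text, always NUL-terminated */
};

/* Decode a 4-byte "syncsafe" integer (7 bits per byte); -1 if a high bit is set. */
static int syncsafe(const unsigned char *p, uint32_t *out) {
    uint32_t v = 0;
    for (int i = 0; i < 4; i++) {
        if (p[i] & 0x80) return -1;
        v = (v << 7) | (p[i] & 0x7fu);
    }
    *out = v;
    return 0;
}

static uint32_t be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Walk the ID3v2 tag at the start of buf. Returns 0 on success; negative
 * codes identify the check that rejected the input. */
int parse_id3v2(const unsigned char *buf, size_t len, struct id3_summary *s) {
    memset(s, 0, sizeof *s);
    if (len < ID3_HDR || memcmp(buf, "ID3", 3) != 0) return -1;  /* no tag */
    s->version = buf[3];
    if (s->version != 3 && s->version != 4) return -2;            /* unsupported */
    uint32_t tagsize;
    if (syncsafe(buf + 6, &tagsize) != 0) return -3;
    /* Check 1: the declared tag size must fit in the bytes we actually hold. */
    if (tagsize > len - ID3_HDR) return -4;
    size_t pos = ID3_HDR, end = ID3_HDR + tagsize;
    while (pos + FRAME_HDR <= end) {
        const unsigned char *f = buf + pos;
        if (f[0] == 0) break;                      /* padding: no more frames */
        uint32_t fsize;
        if (s->version == 4) {                     /* v2.4 frame sizes are syncsafe */
            if (syncsafe(f + 4, &fsize) != 0) return -5;
        } else {
            fsize = be32(f + 4);                   /* v2.3: plain big-endian */
        }
        /* Check 2: the frame's declared length must fit in the rest of the tag.
         * A file lying here is what a parser that trusts the field would copy. */
        if (fsize > end - (pos + FRAME_HDR)) return -6;
        if (memcmp(f, "TIT2", 4) == 0 && fsize >= 1) {
            /* Byte 0 of a text frame is the encoding; the rest is the text.
             * Check 3: copy at most TITLE_MAX-1 bytes, never fsize bytes. */
            size_t n = fsize - 1;
            if (n > TITLE_MAX - 1) n = TITLE_MAX - 1;
            memcpy(s->title, f + FRAME_HDR + 1, n);
            s->title[n] = '\0';
        }
        s->frames++;
        pos += FRAME_HDR + fsize;
    }
    return 0;
}

/* Constructed input: a minimal ID3v2.3 tag holding one TIT2 frame. size_field
 * is written into the frame header verbatim, so a caller can make the frame
 * claim far more bytes than the tag really contains. */
size_t build_tag(unsigned char *out, size_t cap, const char *title, uint32_t size_field) {
    size_t tlen = strlen(title);
    size_t body = FRAME_HDR + 1 + tlen;           /* frame header + encoding + text */
    if (ID3_HDR + body > cap) return 0;
    memcpy(out, "ID3", 3);
    out[3] = 3; out[4] = 0; out[5] = 0;           /* v2.3.0, no header flags */
    out[6] = (body >> 21) & 0x7f; out[7] = (body >> 14) & 0x7f;
    out[8] = (body >> 7) & 0x7f;  out[9] = body & 0x7f;
    unsigned char *f = out + ID3_HDR;
    memcpy(f, "TIT2", 4);
    f[4] = (unsigned char)(size_field >> 24); f[5] = (unsigned char)(size_field >> 16);
    f[6] = (unsigned char)(size_field >> 8);  f[7] = (unsigned char)size_field;
    f[8] = 0; f[9] = 0;                           /* frame flags */
    f[10] = 0;                                    /* ISO-8859-1 text encoding */
    memcpy(f + 11, title, tlen);
    return ID3_HDR + body;
}

/* Parse a constructed tag; malicious=1 makes the frame claim 0x7fffffff bytes. */
int parse_sample(const char *title, int malicious, struct id3_summary *s) {
    unsigned char tag[256];
    uint32_t honest = (uint32_t)(1 + strlen(title));
    size_t n = build_tag(tag, sizeof tag, title, malicious ? 0x7fffffffu : honest);
    if (n == 0) return -100;
    return parse_id3v2(tag, n, s);
}

int main(void) {
    struct id3_summary s;
    int rc = parse_sample("Hello", 0, &s);
    printf("honest tag: rc=%d frames=%d title=\"%s\"\n", rc, s.frames, s.title);
    rc = parse_sample("Hello", 1, &s);
    printf("frame claiming 0x7fffffff bytes: rc=%d (rejected)\n", rc);
    return 0;
}
```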
How long until the story gets duped:
A) 15 minutes
B) 1 hour
C) 2 hours
D) 6 hours
E) 1 day
[john@cobetoar][/usr/storage/public/w32/winamp] ls -l winamp3*
-rwxr-xr-x 1 john storage 3269351 Dec 16 18:48 winamp3_0-full.exe
-rwxr-xr-x 1 john storage 3510536 Aug 28 12:15 winamp3_0-full_org.exe
"Where do you want to buffer overflow today?"
Thanks to Boatboy for the explanation of buffer overflows, but what I've never understood about buffer overflows is how it allows you to execute arbitrary code? Can anyone explain?
If the RIAA use these tactics the solution is simple...
Wait a few months until the RIAA's trojanized files are well and truly spread throughout the P2P networks...
then use the thousands of trojanized nodes to DDOS the RIAA
*chuckle*
will now the MPAA and RIAA have a new weapon against pirates? :)
And if they do, executing remote code using a vulnerability will be legal?
[just provoking]
-- There are two kind of sysadmins: Paranoids and Losers. (adapted from D. Bach)
unless the malicious tag itself has a virus signature.
Your only real protection is backups in case of data loss and something like Zone Alarm to tell you if your machine has just become a zombie.
... this sort of thing never happens in MacOS X.
:)
I just had to say that
I swear by MacOS X. Although I use to swear *at* MacOS 9...
And I thought Nimda was bad.
I could only imagine the hell a modified Nimda would be if it can now infect mp3 files. It wouldn't even have to spread infected .eml files anymore. You would just see a new MP3 in your read/write network share with thousands of other MP3's so you would never find it and it would infect all of your MP3's in your read/write network share. Once you open the folder to pick a song it runs and infects all of your mp3's on the PC, then goes out and proceeds to infect every mp3 it can write to on the network that has read/write shares and the process starts all over again while it formats your hard drive 7 days later.
:P
When all of the college students here on campus had read/write shares on the network, Nimda spread at an alarming rate, especially since WinXP Home decided that you SHOULD have your Shared Documents folder open for read/write access after running one of those networking wizards.
It's the RIAA Dream come true
In Soviet Russia, Trojan exploits YOU!
This is absolutely pathetic that ID tags could be used in such a manner. Yes, that definitely qualifies under the "bug" heading. It amazes me how bugs of this caliber slip into something that simply plays a MUSIC FILE. None of it should be treated as executable.
Search the Web for the classic: Smashing the Stack for Fun and Profit.
All you ever wanted to know, and then some...
There's a running joke where I work that it is not officially Thursday until the Microsoft exploit of the week is released (of late this seems to happen on Thursday).
So, why not make it official - I propose
Operation: So Happy It's Thursday
What I recommend is that everybody who finds an exploit in Windows release it on Thursday.
NOTE: be fair - a bug in a Windows APP that is not a part of Windows doesn't count - so the bug in Winamp doesn't count, but the bug in the Windows shell does.
www.eFax.com are spammers
I'm doing the same thing on my work machine which is running XP (hate all that crap also).
Look in a folder that contains only music files (as most people usually have a folder just for that).
At first, Windows treats it like any other folder and displays only the filename, size, type and mod date. After a while however, it seems to figure out that it contains music files and starts reading the ID tags. No idea how or why it happens.
By overflowing a buffer on the stack, it's possible to maliciously change a particular piece of information (the function call return address) to cause the program to jump to a new piece of code: the code you just overflowed the buffer with!
Stack overflow exploits are very common because programmers often declare fixed-length buffers as stack variables and are too lazy to perform proper checking to make sure data never overflows the buffer. This problem in WinAmp is no different than any other buffer overflow, it's just much more severe due to its widespread use.
It's good that I have linux since it **never** has buffer overflows. Nor does any other open source software.
this is not a sig
Snooty audiophiles won't like FLAC, either.
A snooty audiophile sneers at any form of digitization - "You aren't getting all of the music - Yes, I know you are sampling a 1GHz, 64 bits per sample, but you aren't getting all the music! Only analog gets all the music! I don't care that what you are missing wouldn't amount to the width of a hydrogen atom on my beloved LP - YOU AREN'T GETTING ALL THE MUSIC"
That's what a snooty audiophile would say.
www.eFax.com are spammers
Shocking!
Apparently the current underground favorite audio player for Windows is foobar2000, which was written by a former Nullsoft developer (Peter P. aka zZzZzZz). It supports mp3, ogg, ape, flac, mpc, and relevant to the article has abandoned ID3V2 support in favor of APEV2 tags. (And it's been suggested that the source will be released in the near future.) Supposedly the audiophile geeks at hydrogenaudio.org can hear quality improvements over Winamp, although even the developer suggests that it's probably a placebo effect.
Just don't expect too much; it's a very minimalist GUI (what mean these "skinz" of which you speak?), and doesn't support Win9x/NT4.
There's also a support forum for the player.
OK class, has anyone figured this out yet?
Buffer overflows are bad.
It is easy to STOP buffer overflows just by using SAFE strcpy functions that don't blindly copy past the end of a buffer.
Since we've known this for many many years, why do programmers still USE dumb functions that allow buffer overflows?!
Hey Microsoft, since you are spending so much on improving security, I have a hint for you. Print this out and make all your programmers pin it on their cubicles walls:
BAD: strcpy
GOOD: strncpy
- For the complete works of Shakespeare: cat
This has to be the ONLY geek place in the world where people bash companies for coming out with new great features. Most places (and geeks) can't wait another day for the latest game, toy, enhancement, video card, gps receiver, mp3 player, etc.
Most of the comments on this site say "Why do they need to put these FEATURES in anyways".
Look it up. The word is "hypocrite"
I'm using Winamp 2.78. Let's hear it for outdated software! Hooray!
Give me full disclosure...
Can't you see that everyone is buying station wagons?
20 Print "Bill Gates laughs as he rolls about with his concubines!"
30 Print "Prepare for judgement!"
40 Input "Press any key";A$
50 If A$="AnyKey" Then fucksomeshitup;
60 W00t: Poke InChest;
70 Run "BSOD.exe -Playfile BritneySpears,HitMeOneMoreTime"
80 Print "This is what it sounds like when doves cry! Bwahaha!"
90 Goto 10
You should be able to find this on SourceForge too.
http://www.dbpoweramp.com/
I don't mean to be a pain in the ass here...but if the code has been patched and rebuilt on a different day shouldn't we at least see a different minor version in the help? I can understand that 488 is the code freeze version for the 3.0 release; however, if a bug has been patched and a new release has been done, should this be like 3.01 (3.0.1) or 488a just so it's more immediately obvious this is an updated version from the 3.0 I have? If I didn't know about the bug, and I went to the site to see if there is a newer version, I wouldn't get the fixed version cause I still see 3.0! Build dates are meaningless...and even less so if they are not even posted on the download page....
Power Corrupts,Absolute Power Corrupts Absolutely, leaving one person(group)in charge is absolutely corrupt.
Most people don't use Ogg Vorbis for the quality. They use it for the license.
Speak for yourself - I use it for the quality, especially now that the audio artefacts that were so obvious in early development releases are fixed.
In high bitrate modes, there is little difference between properly encoded MP3s and OGG files. And high bitrate is what really matters, unless you are streaming over a low bandwidth connection (in which OGG is the clear winner due to size).
Personal blind testing between Ogg VBR 160kbit and MP3 192kbit was pretty even - very few people could tell the difference and where there were impressions of 'better' it fell on the Ogg side. Given that Ogg VBR 160kbit is about 25% smaller than the MP3 at 192kbit, that's pretty useful.
Cheers,
Toby Haynes
Anything I post is strictly my own thoughts and doesn't necessarily have anything to do with the opinions of IBM.
damn right.
/me imagines a slot-loading turntable in the dash...
I wonder how "audiophiles" listen to music in the car?
The Free desktop that Just Works
Okay, I'll try to make this as short as possible.
Let's say that you have an array, x[20]. It is 20 bytes long. This array starts at memory location 149300. This means that the bytes 149300 - 149319 are reserved as being part of the variable called x. Now, let's say that in this array, you decide to store a string of letters (an ID3 tag, for example). If you allow the user to input the letters into x, without checking the maximum length, then the user can start writing data past x[19]. For example, if the user inputs a string that is 30 characters long, data will be written from bytes 149300 - 149329 in memory, even though you only allocated the memory through location 149319. This means that the user has the ability to write to other data in the computer.
Now, here comes the fun part. If the user (a cracker, at this point), knows where the operating system code lives in memory, he can just input a string that is long enough and eventually overwrite the operating system code. He can carefully craft the string as his own little bits of code which can do nasty things. This is how a buffer overflow works.
I have always thought that this was more of a problem with C than a problem with Windows, since C should really check for stuff like this (or handle strings better). However, it might be kind of hard for the compiler to be able to check for this. The only way to really prevent these is good programming habits - but people make mistakes all the time.
Hope that helps!
Regards, Montag
I wonder if the EULA on the MS patch for this will be overreaching and invasive?
Playing any Celine Dion mp3 on any platform will cause pain.
--- Why are you wearing that stupid bunny suit? | Why are you wearing that stupid man suit?
The twitchy part is, even most people who rip their own music these days get the ID tags via some free database site, and those often take submissions. How hard would it be for somebody to just submit a bunch of malicious ID tags for popular albums?
but I really could have done without the mental image you just gave me! Worse than goatse. ugh.
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
XP allows the showing of ID3 tag info when you do a "view details" in Explorer if you select them.
If I understand the bug properly, the exploit gets run because Windows Explorer will try to read the tags when you open the folder.
This leads me to my question. Do you have to have those attributes clicked (and view your files in Details mode) to be vulnerable?
call me crazy, but i'm not worried about tainted mp3s, even a little bit. has anyone ever been burned by one? it seems to me anyone savvy enough to be creating viruses probably has a large mp3 collection of their own, is probably sensitive to the mp3/RIAA controversy, probably considers folks listening to mp3s on "their team". i doubt a virus-maker would create evil mp3s, on the principle that one doesn't sh*%t where one eats. have been sharing mp3s for years now, have a collection of over 65,000, have never found a single one that adversely affected my machine. by the way, id3 tags are neat. i think it's great that one can create an mp3 with a link to one's website, or include a message to metallica & the RIAA on an mp3 of 'damage, inc.' but that's just me.
available
They're called Silent Updates.
Microsoft has been doing these at least since Win95 days. Exact same file name, size, different contents. So if you downloaded office 97 SR-1 the day it was released, then again 2 years later, it would probably be different.
"Would it kill you to put down the toilet seat?" -- Maya Angelou
..how to check the buffer bounds?
How long before the RIAA uses this to, say, trash an MP3 downloader's hard drive? And how much do you want to bet that Congress will legalize this?
"Do I dare disturb the universe?"
Hint, this code is buggy:
char buf[1024];
strncpy(buf, big_ass_string, sizeof buf);
strncpy doesn't bother adding a null-terminator in the case where big_ass_string is too big. Most people don't realize that they have to do all of this to be safe with strncpy:
strncpy(buf, big_ass_string, sizeof buf - 1);
buf[sizeof buf - 1] = '\0';
The real solution is to use a function that doesn't have such crappy behavior: strlcpy
strlcpy(buf, big_ass_string, sizeof buf);
It always does null-termination. You never have to lie to it about the size of your string. Same goes for strncat (bad) and strlcat (good). Thank the OpenBSD developers for these. They are very useful in avoiding overflows when you don't have the option of using C++ and the string class.
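The strncpy pitfall above, and the fixed-size tag buffer Montag describes further down, in runnable form. This is an added example, not code from the post or from Winamp: it shows that strncpy with the full buffer size leaves a long tag unterminated, that the two-line fix terminates, and a portable strlcpy-style copy (assumed name my_strlcpy) whose return value lets the parser notice truncation. TAG_BUF and LONG_TITLE are constructed for the demo.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TAG_BUF 16   /* deliberately small fixed buffer, like a stack ID3 field */

/* Constructed input: a tag text (40 chars) longer than TAG_BUF. */
static const char LONG_TITLE[] = "This title is far longer than the buffer";

/* The pattern from the comment above: strncpy with the full buffer size.
 * Returns 1 if the buffer ended up with no NUL terminator at all. */
int strncpy_leaves_unterminated(const char *src) {
    char buf[TAG_BUF];
    strncpy(buf, src, sizeof buf);
    return memchr(buf, '\0', sizeof buf) == NULL;
}

/* The two-line strncpy fix: copy one byte less and terminate by hand.
 * Returns 1 if the buffer is terminated. */
int strncpy_fixed_is_terminated(const char *src) {
    char buf[TAG_BUF];
    strncpy(buf, src, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    return memchr(buf, '\0', sizeof buf) != NULL;
}

/* Portable re-implementation of OpenBSD's strlcpy semantics: always
 * NUL-terminates when size > 0 and returns strlen(src), so the caller can
 * tell whether the copy was truncated. */
size_t my_strlcpy(char *dst, const char *src, size_t size) {
    size_t srclen = strlen(src);
    if (size > 0) {
        size_t n = srclen < size - 1 ? srclen : size - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

/* Copy a tag field into a fixed buffer; returns 1 if it was truncated.
 * A tag parser can treat truncation as a corrupt or hostile tag and log it. */
int copy_tag_field(char *dst, size_t dstsize, const char *field) {
    return my_strlcpy(dst, field, dstsize) >= dstsize;
}

/* Copies into a TAG_BUF buffer and reports the resulting string length. */
size_t copy_into_tag_buf(const char *field, int *truncated) {
    char buf[TAG_BUF];
    *truncated = copy_tag_field(buf, sizeof buf, field);
    return strlen(buf);
}

int main(void) {
    int trunc;
    printf("strncpy(buf, long, sizeof buf) terminated? %s\n",
           strncpy_leaves_unterminated(LONG_TITLE) ? "no" : "yes");
    printf("strncpy + manual NUL terminated?        %s\n",
           strncpy_fixed_is_terminated(LONG_TITLE) ? "yes" : "no");
    size_t kept = copy_into_tag_buf(LONG_TITLE, &trunc);
    printf("strlcpy-style copy: %zu bytes kept, truncated=%d\n", kept, trunc);
    return 0;
}
```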
Does anybody know if this vulnerability exists on older versions of Winamp? I remember the older version had a simpler ID tag.
Why are any of these old issues still being discussed? Were all of Microsoft's new hires this year astroturfers?
An attacker could create a malicious MP3 or WMA file, that if placed in an accessed folder on a Windows XP system, would compromise the system and allow for remote code execution. The MP3 does not need to be played, it simply needs to be stored in a folder that is browsed to, such as an MP3 download folder, the desktop, or a NetBIOS share.
Anyone see the redundancy too?
"Some fight for law. Some fight for justice. What will you fight for? One day, you will see."
My advisor, DL Mills (the guy who invented NTP), said something a while back which this article somewhat reminds me of. He said that back in the day, people wrote operating systems in assembly. But the thing is, they just got way too f****** big and couldn't be maintained, even with the best of care. He said that today's operating systems are getting to that point as well, and maybe it's time for a new level of abstraction. Stuff like exception handling (among which automated buffer checking should be one), garbage collection, etc, should be built into the language, and leave the programmer to concentrate on more important things.
So my question is, does anyone have any idea what this "new level of abstraction" might be?
To make laws that man cannot, and will not obey, serves to bring all law into contempt.
--E.C. Stanton
Well, maybe for Microsoft and their love for bloatware, it is, but in general, interpreted languages are NOT the solution.
Interpreted = slow. Period. Even with nifty stuff like Java JIT compilers and such, Java is still slow and bloated. I remember the Java version of AOL Instant Messenger - It could drive a machine with 256M of RAM into swapspace without lifting a finger. Yes, that was a particularly badly coded craplet, but I have yet to see ANY Java applet/application that could compare in speed/small footprint to a C program (or even C++) program that did the same thing.
And in this day and age, we are having to return to small, efficient code thanks to embedded devices such as PDAs.
All it takes is a little bit of competence and a few extra utilities to check (and even prevent) buffer overflow vulnerabilities from occurring. I don't remember the exact name, but there's even a preprocessor for GCC that will check for vulnerable code and fix it.
retrorocket.o not found, launch anyway?
I've said it before and I will say it again: the solution is for CS != DS. Those that know about PC O/Ss will understand. It's so easy, I don't get it why it isn't implemented yet!!!
Winamp doesn't belong to MS, so we're probably just warning people.
I'm not sure which is worse:
a) Those that imagine everything MS does is attempt to rule the world
b) Those that imagine every posting mentioning a bug in MS is a covert attack.
Considering the amount of geeks here that are into Mp3's, or those that maintain networks (with users who play downloaded Mp3's, permitted or not), this warning sounds like it fits well on slashdot.
Cough hack cough hack ogg cough ogg hack OGG!
Merry Christmas everyone. Have a good one.
makes it extremely easy to not enforce bounds checking when you do need it. Do you have a good example of where bounds checking is enforced but not needed in other programming languages?
Think about that and visualize it in your head.
What is particularly nasty about this, is that the vulnerable data on the stack includes return addresses. Thus, the overflow can result in a return instruction not going back to the original caller. Instead, it can "go back" to some code that the attacker pushed onto the stack.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
The RIAA would rather not have computers exist, because that allows for trading of their precious songs. So by creating a virus that spreads through mp3 they're effectively cutting out a large amount of the piracy.
:-)
What's next for the RIAA? A virus on music CD's that is executed when played in computers. Obviously, allowing a CD to be played in a computer is the first step to it being pirated. Instead they'll allow it to play only in DRM CD players that will play 20 hours of music per license bought (each license will cost $20).
Please don't mod me down, I'm not trying to be flamebait, I'm being sarcastic
Cyde Weys Musings - Scrutinizing the inscrutable
Feeding this to Google produced 11,000 hits, with over half of the first ten being for commercial or academic systems that claim to detect potential buffer overflow code automatically. I doubt any of them is 100% accurate, but even 50% combined with "shut-up-this-code-is-safe" pragmas would be an improvement over the current situation.
Buying or installing one of these tools and running all their source code through it as part of development would cost Microsoft less than they spend on caffeinated liquids, and would pay for itself with the first potential exploit caught before shipment.
I can only ascribe people's refusal to try these tools to programmer hubris - "MY code can't be understood by a mere code analyzer".
I am rashly assuming here that Microsoft doesn't use tools like this. If anyone out there knows differently, please reply.
To a Lisp hacker, XML is S-expressions in drag.
Thanks for your insightful in-joke about CPU registers, but I think we're all here to actually learn, or at least I am. Would you care to actually explain what you were talking about a little more, or are you just a troll? It probably hasn't been implemented yet because you never explained it. Ideas don't come to fruition by being carried around in your head.
There is no EULA on the patch either.
A Brit named William Tyndale had the same idea: he printed 50 copies of the Bible *in English*. The establishment was so shocked at this idea that they burnt him at the stake. Probably because they thought the idea of the common people having direct access to the 'holy writ' would lead to them thinking for themselves and having dangerous ideas.
How like the current debate between open source and closed source this all sounds. Just substitute operating system for Bible, money for God, the stock market for the Holy Roman Empire and Bill Gates as the Pope and it all lines up!
Britney Spears listens to YOU!!!
Thank you, Sloppy. The part about the stack growing downward was key to understanding the buffer overflow. Thanks also, of course, to everyone else who replied.
I don't wear the tinfoil hats either, but I find it a little unnerving that people let their system be updated automatically. There's just so many things wrong with that concept. Some updates I don't want, others I definitely do. All of them I want to see before they get installed so I know what is going to be done. Although I suppose figuring out what an MS update will do can be pretty hard, since they tend to bundle lots of fixes into single packages.
On the other hand, we're not talking about a dedicated SQL Server machine or anything, so maybe auto updates for desktops isn't a bad idea after all...
-B
Ash and Hickory, straight-grained and true, make excellent bludgeons, dandy for the cudgeling of vegetarians.
The foundstone advisory is amazing considering what that company has gone through
Within the security community, they have been criticized for their treatment of their people and their general lack of ethics.
Doing a search in Kazaa I found a strange file called "!!Download me if you like REM!1Kewl new band.mp3". It came out to be a completely malicious mp3.. Its ID3 tag said something like NSYNC... yulk!
__
Sig: Marine Stock Photos
Ok, I read the blurb, and I'm left unsure. Is the winamp vulnerability only existent in Windows ex pee, or is it a general thing that anyone using WinAmp (I think there's even a linux version), or every windows user running WinAmp, needs to fix?
Thanks in advance.
One buffer overflow exists in Winamp 2.81 (latest 2.x release) and two buffer overflows exist in Winamp 3.0 (latest 3.x release). The Winamp 2.81 overflow is with the handling of the Artist ID3v2 tag upon immediate loading of an MP3. The two Winamp 3.0 overflows are present in Media Library's handling of the Artist and Album ID3v2 tags.
There is often the flawed assumption in these reports that people always use the latest version of a particular app. Yes, I know that it would be hard to get and test all versions, but they could at least find out from Nullsoft and indicate what range of versions might be vulnerable.
Nullsoft (bless them - I love Winamp) has an annoying habit of removing or changing features that I like in the minor rev's, which is why I stick to certain versions. I use Winamp 2.50e and 2.78 on various machines. I also have 2.09, 2.70, 2.72 and 2.81 (and a 1.xx and probably others), but don't use them for this reason. Winamp 3 was too buggy as of the build I got a couple of months ago.
Anyway, I often wonder, when I see vulnerability warnings and a version of something that I use is not specifically excluded, is it:
a) Not vulnerable?
b) Not tested for vulnerability ?
Winamp 2.5 doesn't handle ID3v2, so it's probably OK. The ID3v2 handling was added somewhere around 2.72, IIRC, so I'll have to do some checking. You might want to check yours as well.
I'd hate to be forced to abandon my beloved older Winamps because there's no fix, but that may happen.
Sigs are bad for your health.
A long time ago, you could destroy your files and have a very bad day by using that floppy from your friend that had creeping crud on it.
Shortly thereafter, your files were potentially at risk from files that you spent all day downloading from a BBS. Fairly soon after that, a malicious file could sneak onto your hard drive and cause mischief once FTPed from the Internet at a bit higher of a rate. In each case, you pretty much had to type the name of the file to run it.
Enter the world of Windows. Now running the file gets a hell of a lot easier, just a few points and clicks. And obtaining those lovely infected files gets a lot easier with the faster Internet connections and new "killer apps" like Usenet, e-mail, and the World Wide Web gaining in popularity. In less than a year, these files gain literally thousands of new vectors.
Then it becomes possible to pick up an infection by receiving a file via e-mail inside a program that loves to muck about with files before you run them by, er... running them. The only user interaction required is hitting the "send/receive" button.
After that, malicious files no longer need to be files. They can be specially formatted e-mails, and all you need to do is preview them -- you don't even have to read them -- in order to get smacked by the latest nasty bug.
Don't feel e-mail is safe? Well, it wouldn't matter if you stopped using it entirely, the creeping crud will still get in if you click on a link on the Web. And as if the front door didn't put up a paper-thin defense, the back door will allow malware to slip in via Web server software, file shares, file transfer servers, and even instant messaging.
Now what do we have?
A malicious file you only have to point at for a moment to get an infection.
You've come a long way, baby.
They just annoy me for some reason.
My operating system has a vulnerability. It executes code I ask it to. Can someone please issue a fix?
What he's saying is that if the code and data segment selectors point to different memory areas, a buffer overflow becomes impossible because a data segment can be set such that code cannot execute from it.
While correct, the idea is bad because it assumes that all platforms have a concept of segmentation (definitely not the case), and that there are no impacts of setting the CS != DS. On Linux, for example, the segment registers are set to global descriptors at boot time, and are mostly unused from then on. Linux is a paging based system, not a segmentation based one.
Second, a lot of code assumes that the data segment is executable. GCC sometimes emits "trampoline" code which actually places code on the stack and executes it! There are legitimate uses of executable stack pages. Trying to change this would break too many things.
You could also prevent stack overflows by causing the stack to grow upward in memory instead of downward (because function return addresses would come before buffers in memory, not after), but nobody does this either because of some deeply ingrained assumptions in all modern operating systems.
There is no easy fix-all solution to the problem. The real way to avoid buffer overflows is to write code that isn't vulnerable to them.
What's neat about this approach is
- If a segment overflows (i.e. you try to reference an offset that is larger than the size of the segment) then an exception is generated. Really neat for debugging.
- You can have a segment be non-executable. So if you attempt to execute code in, oh say, the stack segment or some other data segment, an exception is generated. Really neat for security.
- If a reference is made to a segment that isn't in memory right now, an exception is generated. Useful for virtual memory.
The 386 and later also implement segmentation, but people don't really use it because segmentation is a major pain in the ass to deal with. The 386 added paging, which is an easier and simpler way of doing vm, so having different segments for everything was no longer very useful. Also, the 386 made segments bigger, 32 bits (4 gig) instead of 16 bits (64k), so shoving everything (code, heap, stack) into one segment became feasible for most projects. This became known as the "flat" memory model, where pointers are just simple 32-bit values (all offsets within the same segment). This is very easy for programmers to deal with, compared to the earlier x86 days, where a pointer was a kind of compound object consisting of both a segment and an offset.
The thing is, using segments could still be useful. If you were to put up with some extra complexity and have your stack be in a different segment than your code, then you could set the stack segment to be non-executable, so that if someone puts malicious code on the stack (or somewhere else in "data" memory) then it still can't get executed w/out generating an exception.
Anyway, I think that's what he meant by CS!=DS.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
I agree.
Smashing the Stack for Fun and Profit is certainly a classic.
Also, if you want to know about more obscure heap based overflows, look at http://www.w00w00.org/files/articles/heaptut.txt
You mean for once the Antivirus companies are going to HELP us?
Big difference from selling virus code to China.
Someone here has alluded that you can't scan for this malicious file. I'm curious why not?
Saskboy's blog is good. 9 out of 10 dentists agree.
The article was interesting, though: (Emphasis is mine)
What I really wanna know is why the fuck Explorer is "automatically reading" an MP3 or WMA when it's not playing it?
Building thumbnails for JPEGs, OK, I can understand that. But examining the content of a fucking audio file during a copy/move operation? What the fuck?
Ironically, the only possible use I can see for that behavior would be DRM. The OS sees "MP3" or "WMA" and says "I know you asked me to just copy some files full of bits from one directory to another, but I'm going to examine the bits in the files and process whatever metadata I find, because you might not be allowed to copy these special bits."
If that's the rationale, I can see a whole new market opening up: "Norton Copy! Works just like COPY.EXE used to do in DOS 1.0!" competing against "GNU CP! Has a few more command line switches, a 2GB file size limit, but unlike paying $49.99 for Norton you get the source code to /bin/cp!")
No registry hacking necessary. Just delete the file association. Open any Explorer window. Tools, Folder Options, File Types. Then delete the MP3 one. Voila. No more MP3 associations.
With all of the bugs they keep finding, is anyone else besides me tempted to create these on purpose just to f'up ms? I've got your .mp3 right here: www.microsoftisforidiots.com/damagedos.mp3
Winamp 2.09 ... "Preliminary ID3v2 support (tag is skipped reliably)"
Winamp 2.24 ... "Better support for invalid ID3v2 tags (for people putting invalid tags on)"
Winamp 2.666 (ha, ha) ... "ID3v2 support"
Winamp 2.71 ... (in_mp3 decoder) ... "Fixed id3v2 rare writing bug"
This one reminds me that one of the annoying (albeit sometimes necessary for legal and/or technical reasons) things that they did was switch decoders in various versions. My guess is that it is the actual decoder dll that has the vulnerability, and you can sometimes swap those between versions, but using the 2.81 version may lose some 'features' that certain powers found distressing :-(
Winamp 2.79 ... "Fix to id3v2+unicode support"
So, I'm not sure what to make of where the vulnerability really enters, although it may be in any version after (ironically) 2.666. Are there any folks from Llamaland around here to comment?
Sigs are bad for your health.
If you don't understand the technical content of a post, mod it down as 'Offtopic' or 'Redundant', not 'Flamebait'.
'Flamebait' is for jokes which go over your head.
That is because you are a fucking idiot blinded by anti-MS FUD (note how I use the term FUD correctly rather than as a general insult?)
How do we know what a file contains? Well, by its filename. Except if it's a Word doc, when we can get author, title and a few other stats by letting Windows peek inside. Then there's the example you gave yourself - images. We can display a thumbnail which can describe an image very accurately. So how do we get extra info on an MP3? Well, we could play it, or we could view the info in the ID3 tag.
Oh, wait a fucking minute, that's exactly where the vulnerability is. Now, do you see a more rational reason why Windows would automatically gather info from the MP3 upon mouseover? Good.
Uh-oh. Guess I better delete all my mp3s of this guy.
Does anyone know if there is a way to disable this annoying feature-not-bug in windows explorer?
I mean, I don't need windows to tell me all the info on a file that I have just clicked on unless I open the properties page (and even that I could live without). The real problem is when you click on large media files and/or media files stored on a network drive, and you try to rename/delete them, windows usually has half of the files locked because IT is using them (and shouldn't be, IMNSHO).
Any help on disabling this feature would be really appreciated, as it is a royal pain in the ass.
ELiTeUI Out.
In *nix, everything is a file.
In Windows, everything is a virus.
www.eFax.com are spammers
It seems that no operating system or file type is safe! But, can anyone actually tell me of an example where this exploit or type of exploit actually happened to them? Are the things that are being bandied about as serious security breaches something that has actually happened "in the wild". If anyone has some personal stories to tell, I'd love to hear them, because we are getting lots of people crying wolf, and soon no one is going to be listening!
jds
Windows XP Explorer vulnerable? Never!
When I click a WMA file in explorer when/if it loads (fancy a coffee anyone?) I have already given up and booted Linux anyway. Problem solved.
Apparently, Explorer (when it shows a "preview" of the file) has the flaw, but Windows Media Player doesn't.
No sweat, an update was already posted on http://windowsupdate.microsoft.com last night. The real problem is people don't apply updates!
The automatic update thing for Windows is neat, but it still doesn't do what it's supposed to do. It automatically DOWNLOADS (but doesn't install) updates! What good is that? If you want to have your system take care of itself, wouldn't it be beneficial to automatically apply the updates.
With that in mind, it would be cool if you could schedule your updates to download at a certain time of night (for computers that stay on) and install / reboot / whatever else they need to do automatically when it's more convenient for the user (unless you leave your computer on downloading stuff all night, then you could be screwed!).
XP is vulnerable to MP3's? I don't know if I should be in awe or laugh my head off.
I make these: http://beatseqr.com
involving a buffer overflow in the old Epic Games "ZZT" that will allow malicious ZZT-OOP code to be executed behind the scenes while you're playing! Epic Games is[1] offering a patch for download!
[1]not!
Bahahaha!!!
I make these: http://beatseqr.com
There is a kernel level patch so that nothing can be executed in the stack, but a lot of people don't seem to want it. Actually, I think there are two competing patches. One of them is called Openwall.
There are also libraries to combat this sort of problem as well. Such as the one another poster listed...
I stand by my assertion, Windows (name your version) is trash.
What scares me to death is that while watching the news they were showing off a brand new "state of the art" command center from where they plan to wage war against Iraq.
In this tented command center they showed many dozens of computers with soldiers sitting at them. Every single one of them was running Winbloz..
The security of this country and the free world is resting in the hands of the most irreparably broken OS on the planet??
Windows itself is a virus and trojan, all rolled into one huge, hoggish, ill behaved package.
I would rather sand paper a bobcat's ass in a phone booth than use ANY M$ products....
.. if only those functions (strlcpy, strlcat) were part of the standard C library. They are of little use on platforms where they are not available.
In the interim, it is more productive to make sure that developers are more clueful when it comes to the standard string-handling facilities in C. It is really not that much of a chore to write safe string-handling code in C; the problem is that most C programmers aren't taught how to do so. That's an education problem, not a language problem.
We're going down, in a spiral to the ground
Windows XP constantly monitors all files written to a local partition, or to a mounted network share.
It will generate thumbnails in the background on 'new' image files (or try to; that feature is broken, as it always tries to see if the file has changed, and somehow decides the old thumbnails aren't good enough and makes new ones. Very annoying when you have 1000 images in one directory on a slow HD -- the thumbs.db file is supposed to eliminate the lag time in generating thumbnails on the fly, isn't it?) The finder/WMP tool in Windows also keeps a database of files; for finder it needs to open text files and id3 tags so you can search for files 'containing' whatever. It does this in the background, not on 'mouseover'; it does it all the time. For WMP it adds the files to the 'media library' if it's in a directory you specified, but I suspect it keeps track of all media files, not just the ones you've told it to tell you it's monitoring.
That's right. With Windows XP not only do you not have to open the folder, you just have to finish downloading it -- and then Windows goes "oh look, a new file! let's see what we can monitor about it! *HD grinds as XP reads metadata*"
if you want to disable the service that does this go to http://blkviper.com/ he lists all the XP services and what they do.
https://www.gnu.org/philosophy/free-sw.html
That is why audiophiles use "oxygen-free copper wires with authentic virgin yak wool insulation, cryogenically treated to release signal-distorting sub-micron strain! A steal at $300/ft! Act now, and we will throw in our patented Feng Shui turntable stones - five of these will disgronificate your turntable! Normally $150 each, but a steal at $800 for a set!"
Bah, $300/ft? Are you kidding?
From Purist Audio Design:
-------
Dominus Speaker Cables (1.5 Meter)
Stereo pair of Speaker cables with fluid jacket. For more information on product, see the Product Page. Item weight per pair is 14.0 lbs.
Price each: $10,460.00
-------
So, that's about $2500/ft.
Bwhaahaahahahaha!! /me wipes eyes.
And for the record, I am not an "audiophile". I'm an audio and broadcasting engineer.
-T
... the 2.80 that came with Netscape 7 is safe? HAH HAH! :)
I guess it also depends on the meaning of the word "use". If by "use" you mean "they pass code through it, then pass their eyes over the report", that's not particularly useful. "Use" should mean "they pass code through it, and code with warnings of severity level X or worse does not ship".
It's the same craftsmanly drive that keeps you from shipping code that generates compiler warnings. Oh dear -- I suspect you're now going to tell me they ship code that compiles with compiler warnings. Yecch...
To a Lisp hacker, XML is S-expressions in drag.
There are two interesting points to touch on.
First is that awareness of security issues is not automatic. I used to believe infosec issues were just a part of being a good system admin. Then I found myself working for a very forward-thinking IT company. And also found my group (corporate infosec) in constant struggle with the internal IT group over various issues - even basic infosec procedures. It's not that the IT group didn't have good admins - many were far better sysadmins than I ever was. It's that being familiar with a system does not mean one understands how to maliciously fail a system... or appreciate that people will seek to do just that. Infosec involves a healthy dose of paranoia. Not everyone has that.
Secondly, Microsoft is simply not geared to handle infosec issues. Microsoft is not run by developers and code quality is, at best, a minor focus point.
There was an article in Slate a few years back from an inside developer involved with Outlook (or Office - I forget which). One of the interesting tidbits of insight was that bugfix cycles always take a back seat to feature additions. The article noted that it wasn't too uncommon to be in the middle of a bughunt and have Marketing come down with a must-have feature to be added in. Bughunting would stop. Feature would be added. And now there was even less time to an already time-crunched bughunt cycle (and possibly new bugs generated by the new feature code).
There is also another interesting insider article that talks about, among other things, the pace that Microsoft keeps. It's a fast pace, to say the least.
Is it any surprise that, under the pressure of this ultra-fast pace... one being driven by marketing, not development... that bugs make it to the final release? That there may be a fairly high number of bugs? And that these bugs may be exploited in a security context?
Which is what makes this exploit so important. A malicious virus could easily connect to Gnutella or Kazaa and start replying to mp3 queries and claim 'oh i have that mp3' and only accept downloads for the 'start' of the mp3, and give them a bogus id3v2 tag, complete with self-propagating code. It then cuts off the user so they have to finish their DL elsewhere, and they end up with a valid mp3 with an invalid id3v2 tag that auto-infects and self replicates.
Good thing there are patches out there... so we don't have to have a repeat situation like Code Red or the various Outlook viruses. Doh, there were patches for almost all of those viruses when they propagated too!
https://www.gnu.org/philosophy/free-sw.html
winamps site still says the current version of winamp3 was posted in august. is that the fixed version this post is referring to or am i missing something?
..that this thing is not called WinAmp but Winamp?! It's even in the Winamp FAQs!
I just uninstalled my old winamp 2.81
after checking the version history,
and d/l'd the one on the winamp site,
installed it and checked its version history.
There really is no difference; it's not 2.81c or anything; it's identical.
Their site contains no references to this bug (that I could find).
In the free world the media isn't government run; the government is media run.
..."Britney Spears listens to YOU!!!"
:)
Now THAT, that I could work with
--> Fight tyranny and repression.... read
Explorer automatically reads file attributes regardless of whether or not the user actually highlights, clicks on, reads, or opens the file.
Which isn't a bad thing in itself. AFAIK, Nautilus does this too (the first bit of text files is displayed in their icons), and I actually think it's a nice feature.
The real problem of course is that a maliciously formed file can compromise the entire system. Nautilus couldn't do that if it tried.
Look out honey, 'cause I'm using technology; Ain't got time to make no apology
Further, you know an AWFUL lot re: windows for someone "Running Linux since '96", and then you BLAST people who criticize Windows, and you reply primarily insults and technical points of dubious validity, and...
WAIT A MINUTE! You're a - a - a Troll in penguin's clothing!. Nice touch though, I especially like the sig...
Computer Science is Applied Philosophy
You cause n+1 iterations through the entire string.
Assuming str isn't dynamically allocated:
If it is dynamically allocated, you know how big it is. If it's passed in via pointer, require a length argument. Then i < len rather than strlen(str) every time through the loop.
The "original" and "fixed" versions of Winamp 2.81 have the same name and are the same file size, but did anyone notice that Agent has been removed?
If they bump the version number, 50 zillion retards will immediately be alerted to the update and download it, overloading WinAmp's web site.
I'm a shareware author. I hate VersionTracker.
I've been a winamp user since windows 95 -> I've been a Micro$oft user since DOS -> I still use winamp because it's small, takes up nearly no memory and doesn't tax my processor with the right settings. It doesn't surprise me that this [vulnerability] was discovered, I knew that I could download an mp3 and it could harm my computer back in the day so I guess that someone finally decided to announce that they were unsafe??
If the name Micro$oft appears on a product, it's guaranteed unsafe... if you are running a product on a Micro$oft product, it's guaranteed unsafe.
I know Linux isn't perfect[to some it is], I know MAC OS isn't[to some it is], I know Windows isn't perfect[If anyone thinks it is, get informed then talk to me] Each have their own good and bad points but one of these takes the bad points from the other two, multiplies them by 10 and puts a price tag on it that is insane compared to the other two... GUESS WHO?
Informative implies that I think that people should go out and buy these cables.
-T
The proper plural is BEEEEOTCHIDAE, if you're talking about several categories of BEEEEOTCHES.
People who write "virii" need to be killed.
So if someone had one of these malicious sound files, would the extra long ID info appear in the window of Winamp or Media Player when the file is played?
My blog can kick your blog's ass
What I really wanna know is why the fuck Explorer is "automatically reading" an MP3 or WMA when it's not playing it?
Rest your mousepointer over an .mp3 or .wma in an Exploder window. Up pops the ID tag info.
What I wanna know is if/how this "feature" can be disabled. It's horribly annoying when you accidentally leave your mouse pointer for too long (one second or so) over a huge .zip backup archive. The machine locks up while listing the contents to display a summary. If the .zip is on a slow network share, you're fscked.
Hey, this buffer overflow vulnerability could theoretically be exploited in just about every type of file that Windows recognises and has a "preview" action for, right?! Scary.
Help saving AmigaOS and a free PowerPC market
Does anyone remember the MP3 virus hoax a few years ago? I was surprised how many people fell for that one. Looks like this one is no joke though.
Foobar2000 has a new homepage. Version 0.3 has also been released.
For those wondering what to expect, foobar2000 has a minimalist interface, but it does the job. CPU usage is very frugal and your MP3s can sound noticeably better. Why? Because clipping prevention is built-in, removing any distortion induced by overly loud signals.
I am currently running 0.3, and it's a beautiful piece of work. If you want a multi-format player that runs unobtrusively in the background while you do your other stuff, then foobar2000 is for you. At 168 KB, it's worth trying out.
Use ISO 8601 dates [YYYY-MM-DD]
I don't know why they had to go so crazy with V2 tags. I mean the limit on v1 was 128 bytes; on V2 it is freaking 256mb. I would be just fine with the basic artist/title/album/tracks/comment/year/genre. V2 can have over like 30 different things including pictures. I mean is there a program out there that actually reads that all in?
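The advisory quoted earlier pins the Winamp overflows on the Artist and Album ID3v2 frames, and the comment above contrasts the 128-byte ID3v1 tag with the 256 MB ID3v2 limit (the 28-bit synchsafe header size). As an added C example, not code from Nullsoft, Foundstone or the advisory, this is a defensive ID3v2.3 reader that decodes that size, walks the frames, copies the TPE1 (Artist) and TALB (Album) text into fixed 64-byte buffers bounded by the destination rather than by the frame's declared length, and rejects any frame that claims more bytes than the tag holds. The tag bytes are constructed inline by build_tag; the TEXT_MAX size, the id3_info struct and build_tag are this example's own assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TEXT_MAX 64      /* assumed fixed-size destinations, the kind a long tag overran */

typedef struct {
    char artist[TEXT_MAX];  /* TPE1 */
    char album[TEXT_MAX];   /* TALB */
    int  truncated;         /* a frame was longer than its destination and was cut */
    int  rejected;          /* the tag or a frame header was inconsistent with the data */
} id3_info;

/* Decode the 28-bit synchsafe size from the ID3v2 header: 7 bits per byte,
 * high bit of each byte ignored, so the maximum is 2^28 - 1 bytes (256 MB). */
uint32_t synchsafe(const uint8_t *p) {
    return ((uint32_t)(p[0] & 0x7f) << 21) | ((uint32_t)(p[1] & 0x7f) << 14) |
           ((uint32_t)(p[2] & 0x7f) << 7)  |  (uint32_t)(p[3] & 0x7f);
}

/* Bounded copy of a text-frame body into a fixed buffer. The frame's declared
 * length never decides how much is written; the destination size does. */
static void copy_text(char *dst, size_t dstsz, const uint8_t *src, size_t n, int *trunc) {
    if (n > 0 && src[0] == 0x00) { src++; n--; }  /* encoding byte 0x00 = ISO-8859-1 */
    if (n >= dstsz) { n = dstsz - 1; *trunc = 1; }
    memcpy(dst, src, n);
    dst[n] = '\0';
}

/* Parse an ID3v2.3 tag at the start of buf. Returns 0 on success, -1 if the tag
 * is rejected. Only v2.3 (plain big-endian frame sizes) is handled here. */
int parse_id3v2(const uint8_t *buf, size_t len, id3_info *out) {
    memset(out, 0, sizeof *out);
    if (len < 10 || memcmp(buf, "ID3", 3) != 0 || buf[3] != 3) {
        out->rejected = 1;
        return -1;
    }
    uint32_t tagsz = synchsafe(buf + 6);
    if (tagsz > len - 10) { out->rejected = 1; return -1; }  /* claims more than we have */
    size_t pos = 10, end = 10 + tagsz;
    while (pos + 10 <= end) {
        const uint8_t *fh = buf + pos;
        if (fh[0] == 0) break;                      /* zero byte: padding, no more frames */
        uint32_t fsz = ((uint32_t)fh[4] << 24) | ((uint32_t)fh[5] << 16) |
                       ((uint32_t)fh[6] << 8)  |  (uint32_t)fh[7];
        if (fsz > end - (pos + 10)) { out->rejected = 1; return -1; }  /* frame overruns tag */
        const uint8_t *body = fh + 10;
        if (memcmp(fh, "TPE1", 4) == 0)
            copy_text(out->artist, sizeof out->artist, body, fsz, &out->truncated);
        else if (memcmp(fh, "TALB", 4) == 0)
            copy_text(out->album, sizeof out->album, body, fsz, &out->truncated);
        pos += 10 + fsz;
    }
    return 0;
}

/* Constructed sample input: an ID3v2.3 tag holding one text frame whose body is
 * textlen copies of fill. Returns the tag length, or 0 if buf is too small. */
size_t build_tag(uint8_t *buf, size_t bufsz, const char *id, size_t textlen, char fill) {
    size_t fsz = 1 + textlen;              /* encoding byte + text */
    size_t total = 10 + 10 + fsz;
    if (total > bufsz || fsz > 0x0fffffff) return 0;
    uint32_t tagsz = (uint32_t)(10 + fsz);
    memcpy(buf, "ID3\x03\x00\x00", 6);     /* magic, version 2.3, revision 0, flags 0 */
    buf[6] = (uint8_t)((tagsz >> 21) & 0x7f); buf[7] = (uint8_t)((tagsz >> 14) & 0x7f);
    buf[8] = (uint8_t)((tagsz >> 7) & 0x7f);  buf[9] = (uint8_t)(tagsz & 0x7f);
    memcpy(buf + 10, id, 4);
    buf[14] = (uint8_t)(fsz >> 24); buf[15] = (uint8_t)(fsz >> 16);
    buf[16] = (uint8_t)(fsz >> 8);  buf[17] = (uint8_t)fsz;
    buf[18] = buf[19] = 0;                  /* frame flags */
    buf[20] = 0x00;                         /* ISO-8859-1 */
    memset(buf + 21, fill, textlen);
    return total;
}

int main(void) {
    uint8_t tag[512];
    id3_info info;
    /* A 300-byte artist string: longer than the 64-byte destination, so it is
     * truncated instead of overrunning the buffer. */
    size_t n = build_tag(tag, sizeof tag, "TPE1", 300, 'A');
    parse_id3v2(tag, n, &info);
    printf("artist len=%zu truncated=%d\n", strlen(info.artist), info.truncated);
    /* Corrupt the frame size field to claim far more than the tag contains. */
    tag[14] = 0x7f;
    printf("parse=%d rejected=%d\n", parse_id3v2(tag, n, &info), info.rejected);
    return 0;
}
```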
So, what you are saying, is that by converting from MP3 to Ogg you saved 600MB of space on your hard drive. With 7200rpm, 80 gig IDE drives costing around $100, you just saved yourself 50 cents! Equiv to the cost of one CD from Staples in the generic 50 CD spindle.
Rock On!
Strange women lying in ponds distributing swords is no basis for a system of government.
And why should a compiler place code in the stack?
GCC Trampolines
I know. It was a rhetorical question. My purpose was to make you think why trampolines are needed.
In my opinion, every piece of code that resides in data areas should be eliminated. There is no gain from using 'trampolines' or whatever!!!
You used Linux utils to analyse a Windows program? You have too much time ;).
(I know, it's on a share for Windows boxes...)
I think C is a clean language when the programmer knows how to program cleanly --- but so many C language teachers and books encourage poor programming styles, like making a 256-byte string buffer here and there.
I hope new systems will have functions like asprintf() or getline() or xstrdup() easily accessible (so you won't need to write one yourself even for a small program), and teachers will encourage use of such functions (and tell the students how to write one in case the system doesn't have it), and make them understand what they are doing before strcat()'ing, strlen()'ing, strncpy()'ing, or allocating a 256-byte string buffer.
(Of course xstrdup() with out-of-memory protection should be better).
BTW, have there been any exploits that rely on the program not checking the return value of malloc()'alikes? This seems to be the thing that everyone cares about, but missing the check is not usually as harmful on modern systems --- it is mostly a cleanness and user-friendliness issue now.
This is an especially good time for you vacationers who plan to fly, because
the Reagan administration, as part of the same policy under which it
recently sold Yellowstone National Park to Wayne Newton, has "deregulated"
the airline industry. What this means for you, the consumer, is that the
airlines are no longer required to follow any rules whatsoever. They can
show snuff movies. They can charge for oxygen. They can hire pilots right
out of Vending Machine Refill Person School. They can conserve fuel by
ejecting husky passengers over water. They can ram competing planes in
mid-air. These innovations have resulted in tremendous cost savings which
have been passed along to you, the consumer, in the form of flights with
amazingly low fares, such as $29. Of course, certain restrictions do apply,
the main one being that all these flights take you to Newark, and you must
pay thousands of dollars if you want to fly back out.
-- Dave Barry, "Iowa -- Land of Secure Vacations"
- this post brought to you by the Automated Last Post Generator...