WinXP and WinAmp Vulnerable to Malicious MP3s
mypenwry writes "Foundstone, a Mission Viejo, CA security services company, is reporting several vulnerabilities that would allow malicious code embedded in MP3 and WMA files to be executed via WinXP and WinAmp. WinAmp versions 2.81 and 3.0 are vulnerable to buffer overflows via certain long ID3v2 tags when MP3 files are loaded. More troubling is the WinXP vulnerability: a buffer overflow exists in Explorer's automatic reading of MP3 or WMA (Windows Media Audio) file attributes in Windows XP. An attacker could create a malicious MP3 or WMA file that, if placed in an accessed folder on a Windows XP system, would compromise the system and allow for remote code execution. The MP3 does not need to be played; it simply needs to be stored in a folder that is browsed to, such as an MP3 download folder, the desktop, or a NetBIOS share. This vulnerability is also exploitable via Internet Explorer by loading a malicious web site. Explorer automatically reads file attributes regardless of whether or not the user actually highlights, clicks on, reads, or opens the file. Windows XP's Explorer will overflow if corrupted attributes exist within the MP3 or WMA file. Microsoft has issued a fix for this vulnerability. Nullsoft has posted fixed versions of WinAmp 2.81 and 3.0 on their web site."
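The Foundstone report above boils down to a tag parser trusting a length field inside the file and copying that many bytes into a fixed-size buffer. The C program below is an added illustration written for this page, not Foundstone's, Nullsoft's or Microsoft's code: it shows that unchecked copy pattern next to a bounds-checked reader for the ID3v2.3 title (TIT2) frame, and builds a constructed sample tag to exercise it. The frame layout (4-byte ID, 4-byte big-endian size, 2 flag bytes, then an encoding byte and text) and the syncsafe header size are from the ID3v2.3 specification; TITLE_MAX, make_tag and id3v2_get_title are names chosen here.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TITLE_MAX 64   /* size of the fixed destination buffer (chosen for this example) */

/* ID3v2 header size is a 28-bit "syncsafe" integer: 4 bytes, 7 bits each. */
static uint32_t syncsafe_to_u32(const uint8_t *p) {
    return ((uint32_t)(p[0] & 0x7f) << 21) | ((uint32_t)(p[1] & 0x7f) << 14) |
           ((uint32_t)(p[2] & 0x7f) << 7)  |  (uint32_t)(p[3] & 0x7f);
}

/* ID3v2.3 frame sizes are plain big-endian 32-bit integers. */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* The bug class from the advisory, shown only for contrast and never run on bad input
   here: the frame's own size field decides how much is copied into a fixed buffer. */
void copy_title_unchecked(const uint8_t *frame, uint32_t fsize, char out[TITLE_MAX]) {
    memcpy(out, frame + 11, fsize - 1);   /* fsize comes straight from the file */
    out[fsize - 1] = '\0';                /* writes past out[] once fsize > TITLE_MAX */
}

/* Hardened reader: finds the TIT2 (title) frame and copies at most TITLE_MAX-1 bytes.
   Returns 1 if a title was read, 0 if none was found, -1 if the tag is malformed. */
int id3v2_get_title(const uint8_t *buf, size_t len, char out[TITLE_MAX]) {
    out[0] = '\0';
    if (len < 10 || memcmp(buf, "ID3", 3) != 0 || buf[3] != 3) return -1; /* v2.3 only */
    uint32_t tag_size = syncsafe_to_u32(buf + 6);
    if (tag_size > len - 10) return -1;             /* header promises more bytes than exist */
    size_t pos = 10, end = 10 + tag_size;
    while (pos + 10 <= end) {
        const uint8_t *fh = buf + pos;
        if (fh[0] == 0) break;                      /* zero byte: reached padding */
        uint32_t fsize = be32(fh + 4);
        if (fsize > end - (pos + 10)) return -1;    /* frame overruns the tag: reject */
        if (memcmp(fh, "TIT2", 4) == 0 && fsize >= 1) {
            size_t n = fsize - 1;                   /* skip the text-encoding byte */
            if (n > TITLE_MAX - 1) n = TITLE_MAX - 1;  /* truncate instead of overflowing */
            memcpy(out, fh + 11, n);
            out[n] = '\0';
            return 1;
        }
        pos += 10 + fsize;
    }
    return 0;
}

/* Builds a constructed ID3v2.3 tag holding one TIT2 frame (ISO-8859-1 text).
   Returns the tag length, or 0 if dst is too small. */
size_t make_tag(uint8_t *dst, size_t cap, const char *title) {
    size_t tlen = strlen(title), fsize = 1 + tlen, body = 10 + fsize, total = 10 + body;
    if (total > cap || body > 0x0FFFFFFF) return 0;
    memcpy(dst, "ID3\x03\x00\x00", 6);
    dst[6] = (body >> 21) & 0x7f; dst[7] = (body >> 14) & 0x7f;
    dst[8] = (body >> 7) & 0x7f;  dst[9] = body & 0x7f;
    memcpy(dst + 10, "TIT2", 4);
    dst[14] = (fsize >> 24) & 0xff; dst[15] = (fsize >> 16) & 0xff;
    dst[16] = (fsize >> 8) & 0xff;  dst[17] = fsize & 0xff;
    dst[18] = 0; dst[19] = 0;       /* frame flags */
    dst[20] = 0;                    /* text encoding: ISO-8859-1 */
    memcpy(dst + 21, title, tlen);
    return total;
}

int main(void) {
    uint8_t buf[512];
    char title[TITLE_MAX];
    size_t n = make_tag(buf, sizeof buf, "Hi");
    printf("well-formed tag: rc=%d title=\"%s\"\n", id3v2_get_title(buf, n, title), title);
    /* Corrupt the frame size to 4096 while the tag body stays 13 bytes long. */
    buf[16] = 0x10; buf[17] = 0x00;
    printf("oversized frame: rc=%d\n", id3v2_get_title(buf, n, title));
    return 0;
}
```

The two checks that matter are the comparison of the header's size against the bytes actually available and the comparison of each frame's size against the bytes remaining in the tag; a file whose size fields lie is rejected before any copy happens, and an honest but overlong title is truncated to the buffer rather than spilling past it.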
I hope no one tells the RIAA about this. They will be putting landmines in P2P soon.
Jaysyn
There is a war going on for your mind.
The average person does not notice when a backdoor app is covertly installed on their machine. As long as the mp3 is actually what they wanted, chances are they will keep sharing it.
The even more dangerous part is that someone could be downloading mp3s and LOOKING for these trojans. And as soon as they find one, they can just go back to the IP of the machine they got the file from and have an instant DDOS zombie!
Or even better, if I am an RIAA-employed disturber-of-the-peace, I could create a bunch of these trojaned mp3s, share them, and then whenever someone downloads one from my machine I could instantly use the backdoor to destroy their music collection. (But I'm sure the RIAA has already thought of that.)
I'm guessing that it requires a retest of the entire OS (which isn't a half-bad idea).
Changing something THAT global could result in more harm than good.
Mind you, I think you are right, and that's what should be done; I'm just telling you what is (probably) on the architects'/lead developers' minds.
Good quote, too many chars. Seriously, the slashdot 120 char limit sucks!
All file formats are safe, it's just the programs that read them.
Oh, just kidding. :)
:)
I would like to ask for factually-based opinions whether these innumerable highly dangerous security holes in MS software are more the result of the ingenuity of the hackers or the incompetence of the Microsoft design and testing process, or about 50:50. I am inclined to be prejudiced against Microsoft, so I would be REALLY interested in hearing reasoned defenses of their predicament, if such exist.
So, please, no MICROSOFT RULZ!!! or MICROSOFT SUX!!! I'm not asking for a vote.
Microsoft provides the #1 small-system OS, for better or worse, which means Windows will immediately be the hot target for black-hat types intent on spreading misery or demonstrating their hatred for the leviathan.
I know, too, that half the problem has been MS's arguably foolhardy decisions in adding dubious extensions to their software, like default enabling scripting in Outlook and macros in Word. But I'm kind of curious about the mistakes in doing their core work, like handling MP3's.
Last, I have trouble understanding how so many of these bugs come from a company with many of the brightest programmers. Is it largely a problem of scale and bureaucracy?
Share your concise insightful informative nonprofane fact-based reactions from experience?
Most people don't use Ogg Vorbis for the quality. They use it for the license.
;)
In high bitrate modes, there is little difference between properly encoded MP3s and OGG files. And high bitrate is what really matters, unless you are streaming over a low bandwidth connection (in which OGG is the clear winner due to size).
Maybe your comment would make sense if you were referring to something like FLAC from http://flac.sourceforge.net/ . MP3 and OGG are both lossy, so you really can't be a snooty audiophile if you use them.
It can't be denied any longer. Back in the day the poor virus writer had to rely on his victims to carry the payload through meatspace on floppies.
M$ has been continually improving virus transmission methods, and now you might be infected just by moving your mouse.
But do we really need to worry? After all, how many kiddies are out there bragging that they '@dm1n1str@t0r3d' someone's XP box. No, it's just not as sexy as r00t3d.
Yes.
Sincerely,
Linus
Definitely one of the more insightful comments in a while. Exploits like this really speak volumes about the current state of software development, both at the application and O/S levels.
If VISTA is the answer, you didn't understand the question
So if NT SP4 had been automatically updating servers and workstations everywhere, that would have been a good thing?
You couldn't pay me to have my system automatically update itself with patches tested quite possibly only from the company that created it.
I would rather my system be vulnerable for a day or two than have the contents of my hard drive obliterated.
What if some patch disabled a computer's networking? What are Ma and Pa gonna do when that is the only computer they have? Download a fix using broken networking?
IMHO, automatic updating is a monumental disaster waiting to happen.
Long ago, I decided that Windows 2000 was going to be my last mainline MS operating system. Since Linux is making great strides towards usability on the desktop, it looks like I'll never have to rely on having XP on my PC. Now, I just have to make sure I keep Winamp current along with all my other applications.
...
However, this brings up an interesting question. Short of modifying the registry entries in HKEY_CLASSES_ROOT, is there any way to avoid all the cutesy stuff MS has been doing with file associations? I seem to remember a Win95/NT/2k shell extension that did something similar to the MS code that's being exploited. It popped up an additional property sheet with all the ID3 tag info. Could someone use that instead of the Windows shell without severely hacking the registry?
It also reopens an old sore. If the Windows Media Player were installed as an "application," not as "part of the operating system," this shell code would not be needed until WMP is installed. Those smart enough to search for better media-playback solutions would not be subjected to this vulnerability. Thanks, Microsoft! DOJ, are you paying attention?
And one more observation: now that MP3 files can carry shellcode, the virus scanners will have to start scanning them too. More processor overhead, longer scantimes, moan, gripe,
Now that is the true difference between open source & the other guys.
Jaysyn
There is a war going on for your mind.
Like another poster I am very wary of updates to anything. Not needing a security patch in the first place is a heckuva lot better than beta testing a hastily written patch for free. Then there are the people who get nailed in the interim.
Also, on my [platform] I have seen only a few security updates a year on a young OS, some addressing obscure services I don't even use. What's the deal with MS? Why sweep this under the rug?
I don't buy that automatic bandaids are the answer to hemorrhaging code.
That's a feeble excuse for switching to Vorbis regardless of the merits of this format. It's like saying "They found vulnerabilities in Apache so I'm gonna change my webserver to something else."
I'm sure there are exploitable buffer overflows in Vorbis too but as the format is so little used (relatively), hackers ain't looking for them. The day Vorbis is more popular than mp3 is the day the hackers change what they're targeting.
seany
This is absolutely pathetic that ID tags could be used in such a manner. Yes, that definitely qualifies under the "bug" heading. It amazes me how bugs of this caliber slip into something that simply plays a MUSIC FILE. None of it should be treated as executable.
Since you don't manage your own memory on Java or C#, the concept of buffer overflow doesn't really apply. While the array construct still exists in both languages, you can't overflow an array without going out of bounds.
It is critical that the software industry start to adopt VM's for managing applications, especially code that runs on a server. The emergence of a user-mode kernel for Linux is a critical development in this regard, but ultimately it makes more sense to modernize your codebase to Java, C# or any of the interpretive languages that can intercept/manage memory allocation checks for you.
Eric Sarjeant
eric[@]sarjeant.com
Which brings me to a slightly off-topic question (but not that far off-topic): won't it take just a single compromised DRM file on whatever platform to completely send the whole DRM concept -- at least the generation with the single compromised file -- down the toilet?
I mean, it would seem to me that Microsoft's DRM -- or DRM in general -- is based somewhat on "human" trust. Once that trust is abrogated -- just once -- the whole thing spirals into a "well, it's still pretty secure" type of situation -- and then spirals into "wait'll next generation's DRM. It'll be secure as hell."
I know no crypto scheme is 100% -- at least in theory -- but because the consumer/DRM stuff is being built up and hyped so much lately, it seems that its potential -- potential for complete security, potential for complete failure -- far outstrips the more practical, usability/crackability aspects.
And then I wonder: once this sort of consumer/DRM is launched mainstream, it'll become -- eventually -- embedded into the economic model for distribution. But once this DRM stuff is cracked or broken or whatever happens, the DRM itself will fall apart, as well the economic model. And companies who go balls-out to invest in this stuff -- and work hard to secure the "human" trust aspect of it -- will be in dire, dire straits -- economically, technologically, you name it.
DRM is like a massive WMD waiting to be let loose. Its failure -- assuming it fails at least once a generation -- will sink more companies than I think anyone realizes.
Just some thoughts.
How long before the RIAA uses this to, say, trash an MP3 downloader's hard drive? And how much do you want to bet that Congress will legalize this?
"Do I dare disturb the universe?"
Feeding this to Google produced 11,000 hits, with over half of the first ten being for commercial or academic systems that claim to detect potential buffer overflow code automatically. I doubt any of them is 100% accurate, but even 50% combined with "shut-up-this-code-is-safe" pragmas would be an improvement over the current situation.
Buying or installing one of these tools and running all their source code through it as part of development would cost Microsoft less than they spend on caffeinated liquids, and would pay for itself with the first potential exploit caught before shipment.
I can only ascribe people's refusal to try these tools to programmer hubris - "MY code can't be understood by a mere code analyzer".
I am rashly assuming here that Microsoft doesn't use tools like this. If anyone out there knows differently, please reply.
To a Lisp hacker, XML is S-expressions in drag.
A Brit named William Tyndale had the same idea: he printed 50 copies of the Bible *in English*, and the establishment was so shocked at this idea that they burnt him at the stake. Probably because they thought the idea of the common people having direct access to the 'holy writ' would lead to them thinking for themselves and having dangerous ideas.
How like the current debate between open source and closed source this all sounds. Just substitute operating system for Bible, money for God, the stock market for the Holy Roman Empire and Bill Gates as the Pope and it all lines up!
I don't wear the tinfoil hats either, but I find it a little unnerving that people let their system be updated automatically. There are just so many things wrong with that concept. Some updates I don't want, others I definitely do. All of them I want to see before they get installed so I know what is going to be done. Although I suppose figuring out what an MS update will do can be pretty hard, since they tend to bundle lots of fixes into single packages.
On the other hand, we're not talking about a dedicated SQL Server machine or anything, so maybe auto updates for desktops isn't a bad idea after all...
-B
Ash and Hickory, straight-grained and true, make excellent bludgeons, dandy for the cudgeling of vegetarians.
I remember back in the days of BBSes people around here would always put ANSI bombs in readme files.
So, no.
In Java:
int a[] = new int[10];
for (int i = 0; i < a.length; i++) a[i] = i; // fills a[0..9]; the JVM bounds-checks every a[i]
Each access a[i] is needlessly bounds-checked.
A long time ago, you could destroy your files and have a very bad day by using that floppy from your friend that had creeping crud on it.
Shortly thereafter, your files were potentially at risk from files that you spent all day downloading from a BBS. Fairly soon after that, a malicious file could sneak onto your hard drive and cause mischief once FTPed from the Internet at a bit higher of a rate. In each case, you pretty much had to type the name of the file to run it.
Enter the world of Windows. Now running the file gets a hell of a lot easier, just a few points and clicks. And obtaining those lovely infected files gets a lot easier with the faster Internet connections and new "killer apps" like Usenet, e-mail, and the World Wide Web gaining in popularity. In less than a year, these files gain literally thousands of new vectors.
Then it becomes possible to pick up an infection by receiving a file via e-mail inside a program that loves to muck about with files before you run them by, er... running them. The only user interaction required is hitting the "send/receive" button.
After that, malicious files no longer need to be files. They can be specially formatted e-mails, and all you need to do is preview them -- you don't even have to read them -- in order to get smacked by the latest nasty bug.
Don't feel e-mail is safe? Well, it wouldn't matter if you stopped using it entirely, the creeping crud will still get in if you click on a link on the Web. And as if the front door didn't put up a paper-thin defense, the back door will allow malware to slip in via Web server software, file shares, file transfer servers, and even instant messaging.
Now what do we have?
A malicious file you only have to point at for a moment to get an infection.
You've come a long way, baby.
Really? Where's the bug report? I don't see anything on bugs.xmms.org.
Sorry for sounding like an a-hole, but an AC exclaiming a bug in a product, no follow up on the product's web site, and no other info sounds very suspect to me.
-Ducky
I hate postings like this, because I never know whether I should mod it +1 Funny or -1 Clueless.