Slashdot Mirror
WinXP and WinAmp Vulnerable to Malicious MP3s
mypenwry writes "Foundstone, a Mission Viejo, CA security
services company, is reporting several vulnerabilities that would allow malicious
code embedded in MP3 and WMA files to be executed via WinXP and WinAmp. WinAmp
versions 2.81 and 3.0 are vulnerable
to buffer overflows via certain long ID3v2 tags when MP3 files are loaded.
More troubling is the WinXP
vulnerability: A buffer overflow exists in Explorer's automatic reading
of MP3 or WMA (Windows Media Audio) file attributes in Windows XP. An attacker
could create a malicious MP3 or WMA file, that if placed in an accessed folder
on a Windows XP system, would compromise the system and allow for remote code
execution. The MP3 does not need to be played, it simply needs to be stored in
a folder that is browsed to, such as an MP3 download folder, the desktop, or a
NetBIOS share. This vulnerability is also exploitable via Internet Explorer by
loading a malicious web site. Explorer automatically reads file attributes regardless
of whether or not the user actually highlights, clicks on, reads, or opens the
file. Windows XP's Explorer will overflow if corrupted attributes exist within
the MP3 or WMA file. Microsoft
has issued a fix for this vulnerability. Nullsoft has posted fixed version of WinAmp 2.81 and 3.0 on their web site."
I hope no one tells the RIAA about this. They will be putting landmines in P2P soon.
Jaysyn
There is a war going on for your mind.
Why hasn't Microsoft just changed the way it handles buffers to eliminate the weekly discovery of yet another buffer overflow exploit that compromises security? It's obvious to just about everyone else that any buffer that doesn't ignore excessive input will be a problem in the future - why does Microsoft insist on treating each one of these issues as though it was a totally new problem instead of making a global change to secure the OS from this kind of hack?
You guys are all supposed to be using Ogg anyways! That way you can act like you are a snooty audiophile anytime a MP3 story is posted...
Strange women lying in ponds distributing swords is no basis for a system of government.
That average person does not notice when a backdoor app is covertly installed on their machine. As long as the mp3 is actually what they wanted, chances are they will keep sharing it.
The even more dangerous part is that someone could be downloading mp3s and LOOKING for these trojans. And as soon as they find one, they can just go back to the IP of the machine they got the file from and have an instant DDOS zombie!
Or even better, if I am an RIAA employed disturber-of-the-peace, I could create a bunch of these trojaned mp3s share them, and then whenever someone downloads it from my machine I could instantly use the backdoor to destroy their music collection. (But I'm sure the RIAA has already thought of that.)
Oh, just kidding. :)
:)
I would like to ask for factually-based opinions whether these innumerable highly dangerous security holes in MS software are more the result of the ingenuity of the hackers or the incompetence of the Microsoft design and testing process, or about 50:50. I am inclined to be prejudiced against Microsoft, so I would be REALLY interested in hearing reasoned defenses of their predicament, if such exist.
So, please, no MICROSOFT RULZ!!! or MICROSOFT SUX!!! I'm not asking for a vote.
Microsoft provides the #1 small-system OS, for better or worse, which means Windows will immediately be the hot target for black-hat types intent on spreading misery or demonstrating their hatred for the leviathan.
I know, too, that half the problem has been MS's arguably foolhardy decisions in adding dubious extensions to their software, like default enabling scripting in Outlook and macros in Word. But I'm kind of curious about the mistakes in doing their core work, like handling MP3's.
Last, I have trouble understanding how so many of these bugs come from a company with many of the brightest programmers. Is it a largely problem of scale and bureaucracy?
Share your concise insightful informative nonprofane fact-based reactions from experience?
Nullsoft has posted fixed version of WinAmp 2.81 and 3.0 on their web site."
Is there a reason they haven't released a new version with the bugfix instead of just uploading a new copy with the _same release number and date_? Both versions are listed as released in early or middle August, and there's no bugfixes listed anywhere on the site in regards to this. Site. Are they trying to hide that it's been fixed, or just don't want anyone to figure it out?
Interested in open source engine management for your Subaru?
I don't think so. I know people who download a lot of stuff, and if you have it set up to download 100 MP3s overnight, your system could be compromised by morning. Are you going to listen to those 100 MP3s first thing in the morning?
The kicker is that the odds you get compromised go up greatly if someone seeds Kazaa, or even a web page, with an infected MP3 file. They can see who is downloading it so they know the IP to attack. On a web page, they could get your IP out of the logs. I never thought an MP3 file would leave a system vulnerable, but I guess that is why this is a pretty scary vulnerability - nobody else would either.
My beliefs do not require that you agree with them.
So if NT SP4 had been automatically updating servers and workstations everywhere, that would have been a good thing?
You couldn't pay me to have my system automatically update itself with patches tested quite possibly only from the company that created it.
I would rather my system be vulnerable for a day or two than have the contents of my hard drive obliterated.
What if some patch disabled a computer's networking? What is Ma an Pa gonna do when that is the only computer they have? Download a fix using broken networking?
IMHO, automatic updating is a monumental disaster waiting to happen.
I was sent and installed the fix before I read about the vulnerability.
It's Christmas everyday with BitTorrent.
Like another poster I am very wary of updates to anything. Not needing a security patch in the first place is a heckuva lot better than beta testing a hastily written patch for free. Then there are th people who get nailed in the interim.
Also, on my [platform] I have seen only a few security updates a year on a young OS, some addressing obscure services I don't even use. What's the deal with MS? Why sweep this under the rug?
I don't buy that automatic bandaids are the answer to hemmoraging code.
You're exactly right.
I think what the previous poster is thinking of is ID3v1 tags, which are located at the end of the MP3, so you don't get them until the MP3s finish downloading (and what's more, they have a fixed size so they're easy to check, but that's besides the point)
Now, this bug involves ID3v2 tags. ID3v2 tags are located at that start of the MP3, which is why when you add one to a MP3 playing in Winamp you get a brief pause, it has to add it to the start of the file. Therefore, any MP3 with an ID3v2 tag will already have the potential of compromising you by the time it's downloaded enough to play part of the song if you preview them using Winamp.
I don't know how Explorer checks file attributes on MP3s, but I'm assuming that you're already in danger by this time too.
"I won't mod you down - I feel the need to call you a twit explicitly, rather than by implication."
There's a running joke where I work that it is not officially Thursday until the Microsoft exploit of the week is released (of late this seems to happen on Thursday).
So, why not make it official - I propose
Operation: So Happy It's Thursday
What I recommend is that everybody who finds an exploit in Windows release it on Thursday.
NOTE: be fair - a bug in a Windows APP that is not a part of Windows doesn't count - so the bug in Winamp doesn't count, but the bug in the Windows shell does.
www.eFax.com are spammers
It's good that I have linux since it **never** has buffer overflows. Nor does any other open source software.
this is not a sig
20 Print "Bill Gates laughs as he rolls about with his concubines!"
30 Print "Prepare for judgement!"
40 Input "Press any key";A$
50 If A$="AnyKey" Then fucksomeshitup;
60 W00t: Poke InChest;
70 Run "BSOD.exe -Playfile BritneySpears,HitMeOneMoreTime"
80 Print "This is what it sounds like when doves cry! Bwahaha!"
90 Goto 10
You should be able to find this on SourceForge too.
A buffer overflow means that you take a variable location, such as char songName[255], and put enough data into that buffer to reach into the executable portion of the code in memory. Then, when some function returns, or execution branches, or something loops, part of that data will be at the address of the code that formerly handled the return, branch, or loop, and will get executed as if it were the next instruction.
Any buffer lacking good bounds checking is subject to this.
Which brings me to a slightly off-topic question (but not that far off-topic): won't it take just a single compomised DRM file on whatever platform to completely send the whole DRM concept -- at least the generation with the single compromised file -- down the toilet?
I mean, it would seem to me that Microsoft's DRM -- or DRM in general -- is based somewhat on "human" trust. Once that trust is abrogated -- just once -- the whole thing spirals into a "well, it's still pretty secure" type of situation -- and then sprials into "wait'll next generation's DRM. It'll be secure as hell."
I know no cryto scheme is 100% -- at least in theory -- but because the consumer/DRM stuff is being built up and hyped so much lately, it seems that its potential -- potential for complete security, potential for complete failure -- far outstrips the more practical, usability/crackability aspects.
And then I wonder: once this sort of consumer/DRM is launched mainstream, it'll become -- eventually -- embedded into the economic model for distribution. But once this DRM stuff is cracked or broken or whatever happens, the DRM itself will fall apart, as well the economic model. And companies who go balls-out to invest in this stuff -- and work hard to secure the "human" trust aspect of it -- will be in dire, dire straits -- economically, technologically, you name it.
DRM is like a massive WMD waiting to be let loose. It's failure -- assuming it fails at least once a generation -- will sink more companies than I think anyone realizes.
Just some thoughts.
My advisor, DL Mills (the guy who invented NTP), said something a while back which this article somewhat reminds me of. He said that back in the day, people wrote operating systems in assembly. But the thing is, they just got way too f****** big and couldn't be maintained, even with the best of care. He said that today's operating systems are getting to that point as well, and maybe it's time for a new level of abstraction. Stuff like exception handling (amoung which automated buffer checking should be one), garbage collection, etc, should be built into the language, and leave the programmer to concentrate on more important things.
So my question is, does anyone have any idea what this "new level of abstraction" might be?
To make laws that man cannot, and will not obey, serves to bring all law into contempt.
--E.C. Stanton
All file formats are safe, it's just the programs that read them.
The correct phrasing of that is: File formats don't kill programs. Programs kill programs.
So close and yet so far from the world's perfect ID number
Really? Where's the bug report? I don't see anything on bugs.xmms.org.
Sorry for sounding like an a-hole, but an AC exclaiming a bug in a product, no follow up on the product's web site, and no other info sounds very suspect to me.
-Ducky
Rather my point - audiophiles are not rational individuals who are well versed in signal processing theory, they are rabid indiviuals who's sound systems are a penis substitute.
Hence why audiophiles hate modern sound systems - it is far too easy to get great sound reproduction nowadays, and how are you to demonstrate how large you are when a $19 CD player sounds as good as your $3000 turntable?
That is why audiophiles use "oxygen-free copper wires with authentic virgin yak wool insulation, cryogenicly treated to release signal-distorting sub-micron strain! A steal at $300/ft! Act now, and we will throw in our patented Feng Shui turntable stones - five of these will disgronificate your turntable! Normally $150 each, but a steal at $800 for a set!"
www.eFax.com are spammers