Slashdot Mirror
DirectX Flaw Leaves Windows Vulnerable
cryonic*angel writes "Just when you thought it was safe to start buying music from BuyMusic, another another Windows security flaw is found, in DirectX this time, that basically affects every possible windows configuration that is still supported. I wonder, will they indemnify me for this?"
My Win2k solution already downloaded and installed the update last night automatically via WindowsUpdate.com. Nice system.
From what I read, the exploit comes in the form of a weird MIDI file. Are you buying MIDI files from BuyMusic, or...?
Mike.
Mmmm......sacrelicious.
Windows Update on Win2k Pro told me of the problem before Slashdot.
It's already been fixed on my machine.
I love how they downplay that, like it's such a stretch to get a user who doesn't know any better to click a link in an email or webpage. Hell, my father just agrees to every ActiveX install that happens to come up on his screen, and clicks on any banner ad saying he's got a potential security risk on his computer. Irony is a harsh mistress indeed.
"I'm a leaf on the wind. Watch how I soar."
-Hoban Washburn
So, what did the patch automatically break for you.
What EULA change did it automatically agree to for you?
Oh, and dont forget the option of faking out your machine and letting it automatically download a trojan..
Automatic NOTICES are a good thing, automatic INSTALLS are not..
---- Booth was a patriot ----
Let's see, pay for music and get F'ed... download for free and be fine (as long as you don't share).
So, let me see if I have this right - you think that files off a pay-for-music download site are more likely to be infected vs. files on Kazaa?
Seriously?
Unless you running Linux, then make sure you have the latest mpg123 (and libmpg123, which powers xmms) or one of those mp3 files could be evil and 0wn3z your ass.
Nobody is 100% safe these days. I used to be confident and tell people to 'hit me with their best shot' because I wouldn't be running untrusted executables and data files couldn't carry nasties. Now we have mpg123 and in the past we had a buffer overflow in libtiff. Pine could get you owned with a bogus header once. Sendmail of course has been a security nightmare.
Yes *NIX is safer, sendmail in it's worst year never matched the horrors of Outlook, but never feel safe. Which sucks major ass because we shouldn't have to just accept as a given that the only safe computing is a sealed box with no external media or network connection. Personally I'd like to see a whole year set aside to making software SAFE instead of adding features.
Democrat delenda est
Can you name another OS that exposes a security flaw via the BGSOUND tag? How about one where simply previewing or opening an email will cause security problems? How about one where scripts can be run and have access to your address books for mass emailing. How about one where browsing the web with certain active x controls causes security problems? How about one where the mime encoding is ignored or misrepresented and arbitrary local programs can be run via email or web browsing? How about one where the help system can run arbitrary code in the background? How about embedding viruses and macros into documents that can run arbitrary code and start any program automaticially?. I can keep going if you'd like. Can you even name a single OS that has ANY of these issues of data and code combined into one? Getting a perfect bugfree OS is unrealistic, getting one that is swiss cheese and a complete security clusterf**k should not be acceptable either.
Bad boys rape our young girls but Violet gives willingly.
I can't decide if this is a troll or not. How is this a big vulnerability? Well, take a second and think how easy it is to be exposed to a midi file compared to an executable in an email or a malformed packet on one of Windows many default listening ports.
.exe,.src,.com,etc... extensions from ever making it to your double click happy hand.
Newer versions of outlook and many mail servers can block
A $35 personal firewall from your local computer store can protect you from port based attacks.
But when was the last time you saw security software/hardware that blocked midi files? An exploit of this in the wild would mean any webpage, any HTML email, any midi file download would be an attack vector. How is this a small problem?
While /. has been known to indulge in a little over-the-top microsoft bashing when bugs like these come out, there's a reason they (especially ones like this) make the front page.
Windows has a huge installed base, and windows machines tend to be targeted by kiddies looking for DDoS zombies.
And of course this is a big bug. Run arbitrary code through a midi file? That's huge, and deserves to be on the front page. Apache security holes of much less import make the front page, and they probably belong there too.
What's so special about this flaw?
Are you brainwashed by how many flaws like this we see? This allows a malicious adversary to craft a web page (for IE) or e-mail (for OE / Outlook) that would allow the adversary to execute arbitrary programs in that users context.
The point isn't that an update is out already, it's that there will remain god knows how many tens of millions of computer vulnerable to this flaw for a long time. Not only will those machines be hacked and taken down, but someone will most likely produce and exploit that turns the machines into a DDoS client, or an SMTP relay for spam, or...You get the idea. In the end it pisses over the rest of the Internet community.
And it's all thanks to shite security engineering in MS and non-conformance to standards (the MIDI playing is caused by a non-W3c HTML tag "BGSOUND").
"Mary had a crypto key, she kept it in escrow, and everything that Mary said, the Feds were sure to know."
How the fuck did a gaming API ever get enough priveleges in a "modern" operating system to be able to cause any kind of problems beyond resource starvation?