Slashdot Mirror

← Back to Stories (view on slashdot.org)

DirectX Flaw Leaves Windows Vulnerable

Posted by michael on from the windows-update-time-again dept.

cryonic*angel writes "Just when you thought it was safe to start buying music from BuyMusic, another another Windows security flaw is found, in DirectX this time, that basically affects every possible windows configuration that is still supported. I wonder, will they indemnify me for this?"

4 of 530 comments (clear)

  1. Re:Tough one... by Latent+IT · · Score: 5, Insightful

    Let's see, pay for music and get F'ed... download for free and be fine (as long as you don't share).

    So, let me see if I have this right - you think that files off a pay-for-music download site are more likely to be infected vs. files on Kazaa?

    Seriously?

  2. Re:patch me up baby! by Knightmare · · Score: 5, Insightful

    I can't decide if this is a troll or not. How is this a big vulnerability? Well, take a second and think how easy it is to be exposed to a midi file compared to an executable in an email or a malformed packet on one of Windows many default listening ports.

    Newer versions of outlook and many mail servers can block .exe,.src,.com,etc... extensions from ever making it to your double click happy hand.

    A $35 personal firewall from your local computer store can protect you from port based attacks.

    But when was the last time you saw security software/hardware that blocked midi files? An exploit of this in the wild would mean any webpage, any HTML email, any midi file download would be an attack vector. How is this a small problem?

  3. Re:patch me up baby! by Entropius · · Score: 5, Insightful

    While /. has been known to indulge in a little over-the-top microsoft bashing when bugs like these come out, there's a reason they (especially ones like this) make the front page.

    Windows has a huge installed base, and windows machines tend to be targeted by kiddies looking for DDoS zombies.

    And of course this is a big bug. Run arbitrary code through a midi file? That's huge, and deserves to be on the front page. Apache security holes of much less import make the front page, and they probably belong there too.

  4. Re:patch me up baby! by ssimpson · · Score: 5, Insightful

    What's so special about this flaw?

    Are you brainwashed by how many flaws like this we see? This allows a malicious adversary to craft a web page (for IE) or e-mail (for OE / Outlook) that would allow the adversary to execute arbitrary programs in that users context.

    The point isn't that an update is out already, it's that there will remain god knows how many tens of millions of computer vulnerable to this flaw for a long time. Not only will those machines be hacked and taken down, but someone will most likely produce and exploit that turns the machines into a DDoS client, or an SMTP relay for spam, or...You get the idea. In the end it pisses over the rest of the Internet community.

    And it's all thanks to shite security engineering in MS and non-conformance to standards (the MIDI playing is caused by a non-W3c HTML tag "BGSOUND").

    --
    "Mary had a crypto key, she kept it in escrow, and everything that Mary said, the Feds were sure to know."