DirectX Flaw Leaves Windows Vulnerable
cryonic*angel writes "Just when you thought it was safe to start buying music from BuyMusic, another Windows security flaw is found, in DirectX this time, that basically affects every possible Windows configuration that is still supported. I wonder, will they indemnify me for this?"
Direct download for 9.0b (not for nt4.0). Strangely it isn't on the main directx page yet considering the critical nature of the problem. Here is the technet article with patches for existing directx versions.
Let's see, pay for music and get F'ed... download for free and be fine (as long as you don't share).
"With sufficient thrust, pigs fly just fine." -- RFC 1925
My Win2k solution already downloaded and installed the update last night automatically via WindowsUpdate.com. Nice system.
move along now folks... nothing new here...
mind you... the particular buffer overflow is unusual...MIDI files... who'd have thought???
Donald 'Duck' Dunn: We had a band powerful enough to turn goat piss into gasoline.
So what you're saying is Windows, without proper patches & updating, is insecure?
Sounds like every other OS out there! : )
Nah, thanks for calling attention to this, I'm going to be patching my clients to 9.0b tonight.
I assert that my comment is only my opinion, not that of any employer, past, present or future.
If I remember/understand correctly someone has to be logged onto the machine to take advantage of this exploit. If they are already logged on they could do lots of other stuff anyways? Hmmmm...doesn't sound too serious.
FoundNews.com - get paid to blog.
From what I read, the exploit comes in the form of a weird MIDI file. Are you buying MIDI files from BuyMusic, or...?
Mike.
Mmmm......sacrelicious.
I'd like to. Could you recommend an alternative operating system that hasn't had a single security problem in a year, and has been adding new functionality over that period?
++ Say to Elrond "Hello.".
Elrond says "No.". Elrond gives you some lunch.
Only every single supported version of Windows has this flaw? Thank God, I thought I was in trouble here.
"They'd have to come up with some way to get the user to click on that file," said Stephen Toulouse of Microsoft's Security Response Center, noting that default security settings in recent versions of Microsoft Outlook e-mail software and the Internet Explorer Web browser prevent automatic launching of such files." Last I checked, as annoying as the feature is, the ability to have IE play MIDI files autonomously is still there; a friend sent a link to me last night with a lovely display of world architecture and sappy MIDI music playing in the background... This is not a matter of downloading, not a matter of clicking. MIDI files have always been thought harmless, and it's that feeling of complacency which threatens to make this dangerous for common users...
Windows Update on Win2k Pro told me of the problem before Slashdot.
It's already been fixed on my machine.
Har Har Har! Yeah, they'll indemnify up to the price you paid for DirectX...
You have to give M$ some credit though... finally, a security flaw where you don't have to care if you are using Win95a, win98blah, Win2k, Win2k SP1e92, WinXP, WinYP, whatever. A *cross-platform* security issue, if you will. ;)
for over 2.5 years!
No going back for me....
Now to get application vendors to support multiple platforms. Ugh. Nothing disgusts me more than a 'server' application that needs to run on 95/98. Yes, this still exists.
Don't pick up the pho*(@)$*@&@!@ NO CARRIER
A MIDI overflow? That means no more visits to most Geocities pages.
Trolling is a art,
Huh? What the fuck does this have to do with BuyMusic.com? The flaw, as the article says, affects MIDI, not WMA.
I don't like Windows or BuyMusic.com, either, but this flaw doesn't seem to affect BuyMusic.com directly.
What'd I miss? (Seriously. If I missed something, tell me.)
Mikey-San
Karma: +Eleventy billion (mostly affected by watching Celebrity Jeopardy)
For those who couldn't infer the word..
Indemnify -
Main Entry: indemnify
Pronunciation: in-'dem-n&-"fI
Function: transitive verb
Inflected Form(s): -fied; -fying
Etymology: Latin indemnis unharmed, from in- + damnum damage
Date: circa 1611
1 : to secure against hurt, loss, or damage
2 : to make compensation to for incurred hurt, loss, or damage
-
ping -f 255.255.255.255 # if only
Yeah, I wish slashdot would pick up on this whole SCO thing. I cannot understand why SCO is being completely and utterly ignored here.
I love how they downplay that, like it's such a stretch to get a user who doesn't know any better to click a link in an email or webpage. Hell, my father just agrees to every ActiveX install that happens to come up on his screen, and clicks on any banner ad saying he's got a potential security risk on his computer. Irony is a harsh mistress indeed.
"I'm a leaf on the wind. Watch how I soar."
-Hoban Washburn
LSD has produced two proof of concept exploit codes (which they have not released) which they were able to get to work even with Server 2003 and its new buffer overflow prevention mechanism. The nature of the flaw makes it ripe for exploitation by a worm.
As discussed here, the reports are unusually embarrassing as they affect Server 2003, Microsoft's most powerful and safest software yet. It is ironic that the announcement comes one day after the Homeland Security Department announced that it awarded a five-year, $90-million contract for Microsoft to supply all its most important desktop and server software for about 140,000 computers inside the new federal agency.
So, what did the patch automatically break for you.
What EULA change did it automatically agree to for you?
Oh, and don't forget the option of faking out your machine and letting it automatically download a trojan..
Automatic NOTICES are a good thing, automatic INSTALLS are not..
---- Booth was a patriot ----
It would have been nice if the poster posted a link to the actual Microsoft security bulletin, which also links to the patch for your particular DirectX. Also nice would have been a link to this article at eEye security, which goes into much more technical information. What also would have been nice is if the poster specified that the attack only affected MIDI files, instead of implying that all downloads of online music were at risk. The link to the random and not-really-related article about Microsoft protecting its users from legal hassles could probably have been left out, as it just confused the issue.
(Maybe I'm just bitter that my submission of the same story got rejected)
The following sentence is true. The preceding sentence was false.
From the MSNBC article (which is all most people will see)...
"They'd have to come up with some way to get the user to click on that file," said Stephen Toulouse of Microsoft's Security Response Center, noting that default security settings in recent versions of Microsoft Outlook e-mail software and the Internet Explorer Web browser prevent automatic launching of such files."
HOWEVER, from the TechNet article on the flaw...
"If the file was embedded in a page the vulnerability could be exploited when a user visited the Web page."
Meaning that at BEST, Stephen Toulouse of Microsoft's Security Response Center is incompetent. At WORST he is a lying scuzzball.
Learning HOW to think is more important than learning WHAT to think.
This is not the first time DirectX has had security issues. Here's another issue from a year ago:
activex.microsoft.com/activex/controls/directx/xweb.htm
Overview:
Risk: High
Distribution: Low-Medium
Patch available from vendor: True
Systems Affected:
Systems having Microsoft DirectX Files Viewer
xweb.ocx (2,0,16,15 and possibly older)
Impact:
A remote attacker may be able to execute arbitrary code with the privileges of the current user.
Description:
A buffer overflow exists in the "File" parameter of the Microsoft DirectX Files Viewer ActiveX control that may permit a remote attacker to execute arbitrary code on the system with the privileges of the current user. This vulnerability affects users who visited the ActiveX samples gallery at activex.microsoft.com. Since the control is signed by Microsoft, users of Microsoft's Internet Explorer (IE) who accept and install Microsoft-signed ActiveX controls are also affected. This control was also available for direct download from the web, but can be uploaded on any website.
The tag could be used to embed the ActiveX control in a web page. If an attacker can trick the user into visiting a malicious site or the attacker sends the victim a web page as an HTML-formatted email message or newsgroup posting then this vulnerability could be exploited. This acceptance and installation of the control can occur automatically within IE for users who trust Microsoft-signed ActiveX controls. When the web page is rendered, either by opening the page or viewing the page through a preview pane, the ActiveX control could be invoked. Likewise, if the ActiveX control is embedded in a Microsoft Office (Word, Excel, etc.) document, it may be executed when the document is opened.
Vendor Information:
secure_at_microsoft.com was informed on
9.May.2002.
MSRC 1149cb ticket was opened and finally resolved on 25.Jun.2002
Solution:
Apply the latest IE/OS patches available from Microsoft:
Setting kill bit expected to be included in latest IE Service pack.
Windows 2000 SP3 and Windows XP SP1 expected to solve this problem.
Links:
ActiveX control still available for retrieval from Global Internet "backup copy":
http://web.archive.org/web/20010410194632/http://
Why do I h8 apple?
You know, that's EXACTLY why the other non-Microsoft operating systems are better. Oh wait...
"I'm a leaf on the wind. Watch how I soar."
-Hoban Washburn
Cool, Then you can construct some kind of hacked MIDI keyboard that just plugs into the computer you want to compromise. Press B# three times and you get the admin password.
Ciryon
the particular buffer overflow is unusual...MIDI files... who'd have thought???
Hey, a 208k MIDI file! I bet it's... extra long! =)
Actually, worse is that IE seems to just play any midi file off any webpage, unless you specifically tell it not to. I can't actually tell if that's vulnerable or not, though.
I find it amazing that a graphics API update is 11mb...let alone the "runtime" which is 164237 KB...although I don't know how big OpenGL's program was....
the answer is very simple. it's the M$ marketing model.
make a product first and sell it and worry about the bugs later.
why would you spend $$$ debugging something that works while you can wait for others to find the bugs for you. that saves $$$. and look at their market share. this approach works fine.
Privacy is terrorism.
Let's look at the evidence:
Flaw in DirectX allows code embedded in a malformed MIDI file to be executed on machine (read more)
Patch from MS available before news "broke" on slashdot
Article submitter somehow tries to tie this to buymusic.com
Looks like a case of a rapid fix from MS and a kneejerk editor at Slashdot. How about this spin? "Notified of critical bug, MS immediately issues fix". Nah, wouldn't play to this crowd.
To answer your question, cryonic*angel, MS won't indemnify you but level headed readers may excoriate you...
I get the same feeling while using Microsoft OS's, but my on-line sign says... "Exploit Me"!
Windows XP, Sharing your Data with the world!!
It said "windows 98 or better" so I installed Linux
Yeah, cos everyone knows the best language for high performance gaming APIs is Perl.
That's the idea: Make everything potential harmful. That's the Microsoft philosophy of advanced security.
I'll go back to considering the possibility of using Microsoft products when I haven't heard a single security problem for ... a year.
What OS can give you that now? None that have anything installed, or communicate on a network of some sort. All machines are vulnerable. I would have figured that a user ID as low as yours would imply something... apparently not.
Maybe security "flaws" in multimedia software are not a bug. They may be a wonderful Quality Protection feature brought to you by your good friends at Macrovision. Paid for by the RIAA.
Now the RIAA can put poisoned files onto P2P. But instead of just being annoying audio admonishing you not to steal, they can own your computer.
All they need is for it to be legal for them to hack your computer.
Those who would give up liberty in exchange for security and DRM should switch to Microsoft Palladium!
Is WineX affected by any chance? After all, aren't they supposed to be recreating the API exactly, bugs and all? Besides, it isn't fair that Linux users have to miss out on all the really cool highly publicized bugs. ;)
When you lose something irreplaceable, you don't mourn for the thing you lost, you mourn for yourself. - Harpo Marx
OK, 'scuse my ignorance... but why are we still seeing buffer overflow attacks? If I understand correctly, it's just a matter of checking for valid input before accepting the data.
Hell, I'm no programmer, just a Win Admin, but even I learned to check inputs and handle bad data after the first time I wrote a script that crashed.
It's time to outlaw gets(3). Seriously, shouldn't any data-reading C library function that doesn't have a maximum buffer size parameter be deprecated, or better yet, removed?
yup no longer a m$ user...got bored of the interface and its 'clean cut image'...speaking of security advisories, check out FreeBSD, the last major advisory was back in April 8th...now damn...that's impressive...
Uhh...I don't know what musical scale you learned, but there is no B#. B# is C.
Remind me to never be in a band with you.
Correct me if I'm just ignorant on this, but how does a DirectX flaw affect an ActiveX control? If it's possible, then fine, call me whatever, but if not, why take the cheap shot at buymusic.com?
Ah, I've been moderated down for simply asking why you feel the need to inform us that you don't care! So I'll try again, only maybe with a bit of attempted humor...
:)
Commodore-64 user *sneeze* *burp* no need for me to care *sneeze* *burp*
See how much fun it is to include bodily function sounds in your posts?
I do not have a signature
He doesn't know Microsoft very well, does he? :-)
--
Luck is just skill you didn't know you had.
The parent of this mess complemented the system on the fact it auto UPDATED his pc during the night.
Yes, I realize you can turn it off ( for now.. That option will be eventually revoked. give it some time. ).
This was a direct comment about the auto UPDATE option he was so glad he had.. it sucks and is bad bad bad bad.
---- Booth was a patriot ----
Can you name another OS that exposes a security flaw via the BGSOUND tag? How about one where simply previewing or opening an email will cause security problems? How about one where scripts can be run and have access to your address books for mass emailing. How about one where browsing the web with certain ActiveX controls causes security problems? How about one where the mime encoding is ignored or misrepresented and arbitrary local programs can be run via email or web browsing? How about one where the help system can run arbitrary code in the background? How about embedding viruses and macros into documents that can run arbitrary code and start any program automatically? I can keep going if you'd like. Can you even name a single OS that has ANY of these issues of data and code combined into one? Getting a perfect bugfree OS is unrealistic, getting one that is swiss cheese and a complete security clusterf**k should not be acceptable either.
Bad boys rape our young girls but Violet gives willingly.
OpenBSD has only had a single exploit in the last seven years. (In default install profile).
:)
But I'm not sure it was in the last year, if it's earlier then OpenBSD is your answer!
I'd love to see an operating system that didn't get a security problem in a year, regardless of its state of feature accretion. But even OpenBSD has had one exploit now and they play some real funny games to get it down to only one. Bind, for example, isn't counted because the minimal install doesn't include it. But if you run a nameserver on OpenBSD BIND is the one that gets installed. So by that logic RedHat shouldn't count BIND bugs either since they also don't install it by default.
I want an OS that can go a year without an exploit in ANY of the software they consider part of their 'distribution'. And still have enough functionality to be useful as a general purpose Internet server. I realize a secure desktop is going to be a lot harder, but let's at least shoot for a real secure server.
Democrat delenda est
So after it was mentioned in the intro to the story, I looked at this BuyMusic.com, and read their terms of sale....man, this is a shitty music service...
Who cares about the freaking security, did anyone read the TERMS OF SALE AGREEMENT?
Check this out:
Content Use Rules. All downloaded music, images, video, artwork, text, software and other copyrightable materials ("Content") are sublicensed to End Users and not sold, notwithstanding use of the terms "sell," "purchase," "order," or "buy" on the Site or this Agreement.
Your Digital Download sublicense is nonexclusive, nontransferable, nonsublicenseable, limited and for use only within the United States. End users may play the Digital Downloads an unlimited number of times on the same registered personal computer to which the Digital Download is originally downloaded.
So are you saying I don't actually own what I'm "buying" on their site?
How can you unlicense your computer too? So if I get a new machine, I lose all my songs!? I couldn't find any mention of switching "primary computers" so that I can keep my music when I upgrade my machine. What about the next time I have to install a fresh version of XP over my current install? Has anyone checked out this service?
It's only when we've lost everything, that we are free to do anything...
Where's Linux update? umm.. apt-get upgrade up2date etc..
Now if Microsoft could just get their phone support personnel to sit there and study code fragments (like the chunks of radio data from Seti@Home), they might be able to use the free time between the Umm's and Ahh's to catch more of their problems.
I don't know about you (which is why I'm asking), but does anyone here seriously still have the ability to have Internet Explorer play MIDI files off web pages turned on? Why would you do that?
I've never met a page where it's been anything other than horribly annoying, but then I so rarely use a browser that hasn't got it turned off that I don't tend to look for them.
It's like trying to browse through a website sitting next to someone whose mobile phone keeps going off - eurgh!
So, can anyone list a site that actually gains something from this horrible phenomenon?
"I Know You Are But What Am I?"
http://www.debian.org/security/...
I beg to differ. It's lazy f---s who don't know how to code properly that shouldn't try to code in C. Don't blame the language, C was never intended to be a 4G language. Range checking is easy, and if someone is too friggen lazy to do it, they deserve to be whipped. Hell, just use the 'n' function variants and C does most of it for you. As for punishment, I think they should be FORCED to program in COBOL, and on punch cards to make it really hurt.
Good people do not need laws to tell them to act responsibly, while bad people will find a way around the laws-Plato
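The input checking the two comments above call for (validate what a file claims before acting on it, and never let a length field from the data decide how far a copy runs), as an added example that is not from this thread, from eEye, or from Microsoft's code. It parses the Standard MIDI File chunk layout (4-byte ASCII type such as "MThd" or "MTrk", 4-byte big-endian length, then the payload) and refuses any chunk whose declared length exceeds either the bytes that remain in the file or the destination buffer. The three sample files are constructed for the demo; the code illustrates the bug class in general, not the specific DirectX defect the thread discusses.

```c
/* Added example: bounded Standard MIDI File chunk parser (constructed
 * illustration of length-field validation; not the DirectX code). */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MAX_CHUNK_PAYLOAD 64   /* destination capacity, chosen for the demo */

struct midi_chunk {
    char     type[5];                    /* NUL-terminated chunk type, e.g. "MTrk" */
    uint32_t length;                     /* validated payload length */
    uint8_t  payload[MAX_CHUNK_PAYLOAD]; /* copy of the payload */
};

/* Read a 4-byte big-endian integer without any alignment assumptions. */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Parse every chunk in buf[0..len). Returns the chunk count, or -1 if the
 * file is malformed. Each copy is bounded by both the source and the
 * destination, so a hostile length field cannot steer it out of bounds. */
int parse_midi_chunks_checked(const uint8_t *buf, size_t len,
                              struct midi_chunk *out, size_t max_chunks) {
    size_t off = 0, n = 0;
    while (off < len) {
        if (n >= max_chunks) return -1;       /* more chunks than we can hold */
        if (len - off < 8) return -1;         /* header itself is truncated */
        memcpy(out[n].type, buf + off, 4);
        out[n].type[4] = '\0';
        uint32_t clen = be32(buf + off + 4);
        off += 8;
        if (clen > len - off) return -1;      /* claims more bytes than exist */
        if (clen > MAX_CHUNK_PAYLOAD) return -1; /* would overflow destination */
        out[n].length = clen;
        memcpy(out[n].payload, buf + off, clen);
        off += clen;
        n++;
    }
    return (int)n;
}

/* Convenience wrapper: parse into a scratch table and return the count. */
int count_chunks(const uint8_t *buf, size_t len) {
    struct midi_chunk scratch[8];
    return parse_midi_chunks_checked(buf, len, scratch, 8);
}

/* Constructed sample: a well-formed type-0 file with one empty track. */
static const uint8_t sample_good[] = {
    'M','T','h','d', 0,0,0,6,  0,0, 0,1, 0,0x60,
    'M','T','r','k', 0,0,0,4,  0x00,0xFF,0x2F,0x00
};
/* Constructed sample: the track chunk claims a 0x7FFFFFFF-byte payload. */
static const uint8_t sample_bad_len[] = {
    'M','T','h','d', 0,0,0,6,  0,0, 0,1, 0,0x60,
    'M','T','r','k', 0x7F,0xFF,0xFF,0xFF,  0x00,0xFF,0x2F,0x00
};
/* Constructed sample: the second chunk header is cut short. */
static const uint8_t sample_truncated[] = {
    'M','T','h','d', 0,0,0,6,  0,0, 0,1, 0,0x60,
    'M','T','r'
};

int main(void) {
    printf("good file: %d chunks\n", count_chunks(sample_good, sizeof sample_good));
    printf("oversized length field: %d\n", count_chunks(sample_bad_len, sizeof sample_bad_len));
    printf("truncated header: %d\n", count_chunks(sample_truncated, sizeof sample_truncated));
    return 0;
}
```

The two checks after the header read are the whole point: `clen > len - off` rejects a length that points past the end of the input, and `clen > MAX_CHUNK_PAYLOAD` rejects one that would overrun the destination even when the source is long enough. Dropping either one reintroduces the class of bug the thread is about.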
I haven't run it since I built the computer 6 weeks ago, but here is the text of the page I got:
This is funny on so many levels:
- don't ya'll fix ie security?
- do ya'll trust ms automatically?
- ms's default setting are medium or lower?!?
"Karma can only be portioned out by the cosmos." -- Homer Simpson
I have to agree FULLY.
There was some IIS update for Windows XP a couple months back that caused OpenGL to stop functioning on my computer. After uninstallation of the IIS update, OpenGL started working again.
Trustworthy Computing, my balls. The more things change, the more they stay the same.
Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.
Don't know much about it, but how about OpenVMS?
The classic Coffee Cup exploit
Read reviews of shopping cart software
good thing Windows 2000 w/ DirectX 8.1 is NOT on the list of affected configurations
the history of the world
DirectX controls have been a problem in music notation software for years.
Maybe now someone will write a real piece of music notation software that doesn't use f'ing midi timing to set note placement. One of my main peeves with commercial notation software.
I have seen the possibility that midi could be used as a hack for years! In fact a little friend of mine has used this exploit to demonstrate a flaw in the whole concept of midi as a scripting control. He has written a replacement algorithm that directly generates wave at the processor level and then sends it to the sound card without the use of shitty DirectX. DirectX sucks for security and flexibility always has and always will, because of its fork processes. I personally do not care if my notation software can make sound, so I just have to put up with useless junk midi. Read my journal entry about more music #32862
OH THE SHAME I fell off the wagon and use sigs again!
What the hell does BuyMusic have to do with A DirectX problem? I must be losing it....
Is Microsoft being sued by InterTrust over intellectual property that doesn't work?
Fine. But as soon as you want to do something useful with OpenBSD, you need to go beyond the default install profile, which is set up to be as secure as possible by disabling everything. Once you start enabling even common and inoffensive services, you hit security problems.
OpenBSD security advisories from this year (for version 3.2):
# March 31, 2003: A buffer overflow in the address parsing in sendmail(8) may allow an attacker to gain root privileges.
# March 24, 2003: A cryptographic weaknesses in the Kerberos v4 protocol can be exploited on Kerberos v5 as well.
# March 19, 2003: OpenSSL is vulnerable to an extension of the ``Bleichenbacher'' attack designed by Czech researchers Klima, Pokorny and Rosa.
# March 18, 2003: Various SSL and TLS operations in OpenSSL are vulnerable to timing attacks.
# March 5, 2003: A buffer overflow in lprm(1) may allow an attacker to elevate privileges to user daemon.
# March 3, 2003: A buffer overflow in the envelope comments processing in sendmail(8) may allow an attacker to gain root privileges.
# February 25, 2003: httpd(8) leaks file inode numbers via ETag header as well as child PIDs in multipart MIME boundary generation. This could lead, for example, to NFS exploitation because it uses inode numbers as part of the file handle.
# February 22, 2003: In ssl(8) an information leak can occur via timing by performing a MAC computation even if incorrect block cipher padding has been found, this is a countermeasure. Also, check for negative sizes, in allocation routines.
# January 20, 2003: A double free exists in cvs(1) that could lead to privilege escalation for cvs configurations where the cvs command is run as a privileged user.
++ Say to Elrond "Hello.".
Elrond says "No.". Elrond gives you some lunch.
leave it microsoft to find a way to turn a midi file into a security hole.
!(^((ri)|(mp))aa$)
Already sorted... SuSEWatcher.
got a nice little icon in my panel that changes colour if there are any updates from SuSE. It goes amber for bugfixes and ordinary programs updates, and goes red for security updates... automatically logs itself on and check with the SuSE site when I log in on my box.
It can be configured to do the installation automatically as well, but I do like to manually examine the list of applicable files myself first.
Donald 'Duck' Dunn: We had a band powerful enough to turn goat piss into gasoline.
www.colorforth.com
I've had this sig for three days.
QNX.
But really, Linux and MacOS X are both better, and while there have been bugs found in each, if the bug isn't one in a component you use, or in the kernel, can you count it? When I update my system, many of the updates are for third-party packages. As if MS provided patches for Eudora.
I don't think there has been any security problems with OS/2 in the last year. Besides, it is so obscure, who would bother to figure out how to exploit it.
A new version of eComStation, a distribution of OS/2, was released May 24, 2003.
Of all these bugs that have been found in MS's products, how many of them have actually been exploited? No one seems to care anymore. Until some real disaster strikes, like a virus that actually deletes files and trashes a system, few people are going to care about these patches.
I'm waiting for the 911 of computer attacks to happen so people realize how bad these security holes are in MS. I'm not saying that would be a good MS-bashing thing to happen, but with all the vulnerabilities it's just a matter of time.
Outdoor digital photography, mostly in New Engl
When I was in college for programming, the teachers would *intentionally* try to crash our software, mainly by buffer overruns; if the software crashed, we would fail.
The class taught us about error checking and control. Something MS seems to desperately need.
So rise up, all ye lost ones, as one, we'll claw the clouds.
I wouldn't mind so much if these were subtle bugs in a complex part of the OS, but a buffer overrun when playing a MIDI file?? MIDI isn't exactly rocket science: Play this note on this channel at this volume for this long. How could they mess that up? So much for trust in their software.
One line blog. I hear that they're called Twitters now.
I would like, just one day out of the year, to fire up slashdot in the morning and not find news of yet another Windows security hole. This is getting very tiresome, and I wish Microsoft, for all I dislike them, would take some real responsibility.
I have no tag line
Any UNIX-Like OS. Fortunately, most people don't run as root most of the time, so mostly just their home dirs are vulnerable to alteration. But with a local root exploit or a keystroke logger | grep "su -"...
apt-get and cron? emerge and cron?
sorry...
MS-DOS hasn't had an exploit for, umm.... years!
:)
Doesn't mean it's secure though
There is one minor problem with the implied/obvious solution to C buffer overflows. The "obvious" fix is to write that code in Java, but often as not, interesting "Java" functionality is instead implemented with native libraries, which are usually written in C or C++.
Other alternatives (Lisp, ML, Perl, Smalltalk) suffer similarly -- until we have decoders for all the various formats and protocols written in the safe languages themselves, there's still a risk.
Can't you set the MIDI file as background music for a webpage? If so you would not have to make the user click on anything. This could be nasty. What I want to know is WHY DOES SERVER 2003 HAVE DIRECTX!!!!!!
Isn't DirectX mainly for games and multimedia? Why would a server have it installed as a default? Can you uninstall it If you do not need it?
See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
Yeah, I like that. Let's spawn a division of /. called bashdot (b.) where the daily M$ flaws can be posted. That will free up a LOT of /. real estate for important matters like SCO scoops..
Dear Windows Users,
<EMBED SRC="h4x0r3d.mid" HEIGHT=200 WIDTH=55></EMBED>
Yours,
B. Overflow
As if a Windows flaw doesn't leave something vulnerable.
Although it probably never happens, the stereotypical script kiddie break-in/website defacement displays some childish "you have been pwned by BobTheLeet" message.
Now, since it's a malicious midi file that does the damage, you can notify them in full stereo! It should be possible to make crude synthesized speech over MIDI, using combinations of instruments whose spectra resemble various vowels, with percussion for consonants. MIDI cards do vary, but it should be possible.
Actually, since 1) the first 10-15 harmonics are easily enough to distinguish vowels, 2) midi has 16 channels, 3) the ocarina sample on most midi banks has both a quick attack and is very close to a pure sine wave, you can construct realistic vowel spectra from scratch!
Now for the greater challenge: how exactly do you pronounce "pwned"?
How about: "Windows leaves Windows vulnerable?"
What kind of a moron would download and play a midi file on a server? This is only a security issue on a server that is used as a workstation too. If your administrator is a moron then you have bigger security problems already.
Bah!
I want an OS that can go a year without an exploit in ANY of the software they consider part of their 'distribution'.
So, you aren't looking for an OS then... you're looking for better software. Good luck. In all honesty, OpenBSD is your best bet. They do reviews of all of their software to make it much more secure (even if it's not 'feature rich'). That's why you get OpenBSD BIND when you install it. Granted, you won't have absolute security, but that's impossible.
And, if you don't like the OpenBSD style, NetBSD, known primarily for its portability, has excellent security (though not as good as OpenBSD, in my opinion)
I realize a secure desktop is going to be a lot harder, but let's at least shoot for a real secure server.
You realize that your security is only as strong as you make it... Heck, even windows can be secured as well as linux, it just takes time.
Not Free(as in beer). Free(as in "I'm free to beat you over the head for being a dumbass")
If I understand the problem, this is a bug in the MIDI interpreter that seriously jeopardizes the health of the computer. One can therefore imagine a firm that now must waste person-hours correcting a problem for which there is absolutely no business need. Why a machine, which really only needs to run MS Office, a vertical market app ported from Unix, and an email client, needs a MIDI subsystem would be beyond me. In fact, why Outlook needs to render HTML is also beyond me.
Which is just to say that MS needs to be more responsive to customer needs, not the compulsive efforts to satisfy advertisers and spammers. MS can be responsive. We saw this when they started shipping an OS with most services turned off.
And, of course, OSS already does this. We can add functionality as we need it, but the default system is generally bare bones.
"She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
"MS issues quick fix for security flaw - they learned how to quickly patch from the OSS community."
I have to give MS credit for their recent bout of quick patches. They haven't fixed all the problems, but I have noticed that their turnaround time has greatly improved. If they are able to incorporate some of the better points that OSS has to offer, they can spin the bejezus out of it. Quick patching used to be one of OSS's advantages over MS. Maybe they are learning.
Nahh, they're still a ruthless, evil business more interested in control and money.
My beliefs do not require that you agree with them.
True, should have been clearer, scripts that are automatically installed and run by opening or 'previewing' an email that can access your address book or whatever it is written to do.
Bad boys rape our young girls but Violet gives willingly.
Actually, Windows XP Pro has IIS6, but it's limited to just one website.
Also, Windows 2003 Server is out now, and it is (for all intents and purposes) Windows XP Server
How the fuck did a gaming API ever get enough privileges in a "modern" operating system to be able to cause any kind of problems beyond resource starvation?
Why... oh why are you doing this manually?
There is no longer anything that can be done with computers that is nontrivial and clearly legal. -- Paul Phillips
MS was notified by eEye on April 16th.
I guess you're right, that is pretty rapid for MS.
Freedom Is Universal
Linux-Universe
"They'd have to come up with some way to get the user to click on that file," said Stephen Toulouse of Microsoft's Security Response Center
Such as a link saying "CLICK HERE!"?
"You tried your best and failed miserably. The lesson is...never try. Heh!" -Homer
Instead of posting every single security flaw in Windows to Slashdot (I mean seriously... we KNOW they exist, don't we? It's not exactly "news" and there ARE other sites for them) to be flamed to pieces, how about just having a little "counter" somewhere on the main page, along with a date the user can set in his/her settings. Increment it every time a new flaw is found so that it keeps a running tally. Number of Windows flaws since . Fun AND informative. Sorta.
The reality is that most times a fix (regardless of from whom) contains its own bugs and often breaks existing applications. It's a fact of life.
By agreeing to auto update you do in effect approve changes in EULAs.
There have been some questions about the forging of the signing of updates. I don't have the exact links here, but it has been discussed, even on TechNet. "Don't just assume it's from Microsoft" was the gist of the discussion. But if you are set to auto update, you are automatically 'trusting' whoever claims to be them. If it's automatic it isn't going to ask if you are sure.
And as a side note, this was NOT a Microsoft oriented statement, I think ANY automatic update from ANY company, be it an OS, an application, free or commercial, has the same implications. ( but the auto notify is a great feature )
You get a service pack, then you TEST it (and test it again); you never install it automatically. Hell, you don't even install it unless you NEED it, if you are a responsible sysadmin.
---- Booth was a patriot ----
Any transaction that looks like a sale, is described as a sale, and is generally regarded as a sale, most courts are very likely to treat as a sale.
Merely stating that "this is not a sale" is not enough. Courts can and will look beyond mere form and look to the substance of a particular transaction. Here, like most "licensed" music and software, the substance of the transaction is very similar to a sale. Moreover, the law heavily favors sales as opposed to licenses, unless it is very clear to all parties that it is not a sale. Let's look at the evidence in this case:
It seems clear that Buymusic.com's intent is to obfuscate the form of the transaction to the average consumer, thus making one think it is a sale, while Buymusic considers it a license. Notwithstanding this provision in the TOS agreement, the substance of the transaction dramatically favors it being designated a sale. At best, the confusion it creates probably runs afoul of a number of states' consumer protection laws.
I suggest Buymusic.com reconsider its policies in this regard.
FYI...
Windows 2000 machines running SP4 are not affected by this flaw. I suggest anyone running anything less than this starts deploying SP4 instead of this individual patch. Shavlik has excellent products to make your patch deployment easier.
The title says it all ( and will be modded down ).
If you auto update you deserve all the grief and broken applications you get.
It has nothing to do with paranoia. It's called being responsible. You DON'T automatically change things because someone else says it's new and improved.
You first see if you NEED the update, if the bug fixes affect you, then you TEST TEST TEST. If it doesn't, then you DON'T install it.
I'm glad you don't run any network I'm on.
And YES i knew it was optional in the first place, the parent of this chose autoUPDATE, thus prompted comments.
Sheesh.
---- Booth was a patriot ----
Future IT professional at work. Your technical prowess astounds me.
Have you ever looked in Add / Remove Programs > Windows Components?
Oh yeah, there's IIS...
Oh, and if you would have read ANY of the books out there on Windows XP Professional, you would have seen whole chapters devoted to it, AND it's on the MCP test.
And here is the update I mentioned.
Why don't YOU try again.
Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.
...is why would Microsoft distribute drawing and music libraries in what is essentially a server operating system? (WinServer2k3) Why these aren't optional components that an administrator could choose to include at install time is a good question, and should be asked of Microsoft.
The reader with 200 NT/2K boxes to patch would probably be grateful if he didn't have to worry about patching whatever bogus components MS includes by default.
I say we take 'em back to court and get them to rip out ALL the unnecessary functionality from the kernel.
"He treats objects like women, man!"
- The Dude, The Big Lebowski
I had a job where I had to do many updates manually. I blocked windowsupdate and downloaded the "critical update" for Internet Explorer or whatever the update was at the time which measured like 60Mb. Rather than have all users downloading this file over & over via the poor little T1 hosting hundreds of users I downloaded it once & pushed it out. Then I opened windowsupdate back up for use.
Two roads diverged in a wood, and I - I took the one the bus load of girls just went down.
It's great to see Microsoft treating a threat of this severity appropriately. When I booted up my machine this morning (long before this Slashdot article was posted) I was greeted with a Windows Update message offering me a patch to this vulnerability. I didn't even know it existed! I was able to patch first, and ask questions later.
My only complaint is that MS seems less concerned with many less severe vulnerabilities. You'd think a corporation of their size would have a whole department devoted solely to fixing all security (and other) flaws.
www.recycledrussianbrides.com uses pop-under "technology" to have some Russian music I picked up at MP3.com playing in the background. It's full length and only plays once. It also contains an ad with a link to the artist's page. With the pop-under you can go anywhere on the site and it won't start and stop.
You can easily close the window if you don't like it. At a cookie is set to make sure it only loads once per browser session.
Embedding music in a page with actual content is just annoying. Every time you click on something it stops, and when you go back it starts again. And if you're not nice enough to display the controls there's little way to make it stop.
It's not necessarily a bad idea. With proper music and implementation it adds to the site. Most sites fail on both accounts though.
Ben
Work Safe Porn
Why are you surfing to random sites on your sever? I only go to OEM sites to download drivers/updates on my servers. They never see any other web pages.
Since the bug is in ALL supported versions of Windows, the statement was more about workstations than servers.
The Question about DirectX and servers is more along the lines of why in the name of heavens do you have a system for games and multimedia on a server to start with?
See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
Ever been to a web page where cheesy electro synth just started playing? Guess what, you were playing a midi file...
--- It is not the things we do which we regret the most, but the things which we don't do.
If Microsoft developers are overlooking these issues intentionally, all in the name of "job security" but then again it could have the opposite result too....too many bugs in your code and you get axed.
I have a WinXP desktop I use mostly for games sitting beside a 12" PowerBook laptop I use mostly for work. I'm constantly amazed that in the last 6 months there have been maybe 1 or 2 security patches for OS X, while my Windows box gets what seems like at least 1 per week. Makes me worry about even turning on my WinXP box... I wish you could play games on Linux :)
At WORST he is a lying scuzzball.
<translate language="Microsoftese">
</translate>!#@%*)anks for hanging up the phone, dear.
Oh Jesus Christ! Comparing any of those bugs and security flaws to this one is ridiculous! For god's sake, this is a security flaw that allows execution of arbitrary code after viewing a goddamn MIDI file!!! You can compare notes on security flaws, but get some perspective on their severity!
"I think we should tax people who stand in water! " - Mr. Gumby
I should have taken a left a 17.254.3.183
"Yeah, I wish slashdot would pick up on this whole SCO thing. I cannot understand why SCO is being completely and uttely ignored here."
humorix
When I update my system, many of the updates are for third-party packages.
Okay, but if Linus & Co. also wrote a window manager, web browser, email client, etc., you would see less "third-party" fixes, and more "Linux" fixes. If you're going to compare kernel to kernel, do it. If you're going to compare overall product to product, do that. Don't compare Linux Kernel to Windows Product.
Note: I understand the issues raised with regards to minor application exploits causing whole system hacks. That's not what I'm talking about here.
Before implying someone doesn't know what they are talking about, you may want to reread the post:
How's that Einstein? ;-)
Forget the whales - save the babies.
What I want to know is WHY DOES SERVER 2003 HAVE DIRECTX!!!!!!
It's an essential Windows component, you know... the whole integration thing. Why would a server have a web browser? Maybe people would use one for some reason. Who knows. When you go with a Microsoft solution, you basically take what they give you - you're the one that gives them the power to make that decision when you chose to use their software.
Besides which, a lot of video cards nowadays seem to require DirectX in order to function at all.
I can name an OS that completely corrupted my filesystem when I downloaded its latest kernel.
A lot of your gripes are with applications anyway.
Next.
"Sufferin' succotash."
I never said what OS I use, or don't use. Don't make assumptions.
.... if they cant at least follow sensible maintenance procedures, give them a terminal instead.. .
My statements were generic, towards anyone who is that irresponsible with their system, regardless of its source..
And before you say ' Joe user doesn't understand these issues like trained sysadmin does..... bla bla ' then perhaps they should own a pc
---- Booth was a patriot ----
Do you have JS disabled? The check is being done in JS, so turning it off will allow non-IE users in. Of course, if you were interested in the truth rather than just assuming the parent was making it up, you could've done a simple check of the page source/headers for signs of redirection.
It's right there in the <head>. Not the first site to be dumb enough to shut out the non-IE/Win crowd, and it won't be the last either. Hell, even MSN's tried it.
Does anyone know whether websites that insist on the vile practice of background music are liable to the same performance charges that (e.g.) radio stations are? It would seem that such music could qualify as a "public performance". It would be nice if the charges were sufficient to dissuade deluded web designers from thinking background music is a neat idea.
My next sig will be ready soon, but subscribers can beat the rush
Given:
1. This is a stupid programming trick and automatic code inspection tools to catch the majority (many cases cannot be caught this way) of these already exist,
2. There are solutions to prevent buffer overruns even in poorly written code from compromising the operating system (STFW, there are many white papers out there),
3. Microsoft has been bitten by these many, many, many times before,
Then:
Just what in the fsck has Microsoft's security program done in the last 2 years? This is a known security problem with known solutions and a history of having been a Windows problem in the past. Why in the hell wasn't this addressed in the last two years since Bill Gates made security a prime focus at Microsoft?
Possible answers:
a. M$ programmers are incompetent
b. silly! did you really think Bill's "security initiative" was about anything except marketing press?
c. M$ really just doesn't give a fsck about the security of your data or your computer system
d. all of the above
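The post above names the bug class (a buffer overrun from a length taken straight out of the file) without showing it. As an added illustration that is not code from the thread and has nothing to do with DirectX's actual implementation, here is a constructed Standard MIDI File track-chunk reader: the unchecked copy pattern beside a bounds-checked version. The MTrk chunk layout (4-byte tag, 4-byte big-endian length, data) is the real SMF format; the function names, buffer size and sample bytes are assumptions made for the example.

```c
/* Added example: the "trust the length field" bug class beside its fix.
 * Only the MTrk chunk layout is real SMF; everything else is illustrative. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define TRACK_BUF_SIZE 256   /* assumed fixed destination buffer */

/* Read the 32-bit big-endian length stored in an SMF chunk header. */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Vulnerable pattern: the declared length is used directly as the copy size
 * into a fixed buffer. A chunk claiming more bytes than TRACK_BUF_SIZE (or
 * more than the file holds) overruns it. Kept only for contrast; never call
 * this on untrusted input. */
static int copy_track_unchecked(const uint8_t *chunk, uint8_t *out) {
    uint32_t len = be32(chunk + 4);   /* trusted as-is */
    memcpy(out, chunk + 8, len);      /* overrun if len > TRACK_BUF_SIZE */
    return (int)len;
}

/* Hardened version: the length is validated against what actually remains
 * in the input and against the destination size before any copy happens. */
typedef enum { TRK_OK = 0, TRK_TRUNCATED, TRK_BAD_TAG, TRK_TOO_LONG } trk_status;

static trk_status copy_track_checked(const uint8_t *chunk, size_t avail,
                                     uint8_t *out, size_t out_size,
                                     size_t *out_len) {
    if (avail < 8) return TRK_TRUNCATED;            /* need tag + length */
    if (memcmp(chunk, "MTrk", 4) != 0) return TRK_BAD_TAG;
    uint32_t len = be32(chunk + 4);
    if (len > avail - 8) return TRK_TRUNCATED;      /* claims more than exists */
    if (len > out_size) return TRK_TOO_LONG;        /* would overrun dest */
    memcpy(out, chunk + 8, len);
    *out_len = len;
    return TRK_OK;
}

/* Constructed sample: a well-formed 4-byte track (just an end-of-track meta event). */
static const uint8_t good_track[] = {
    'M','T','r','k', 0x00,0x00,0x00,0x04, 0x00,0xFF,0x2F,0x00 };

/* Constructed sample: same 4 data bytes, but the header claims 0x10000 of them. */
static const uint8_t hostile_track[] = {
    'M','T','r','k', 0x00,0x01,0x00,0x00, 0x00,0xFF,0x2F,0x00 };

/* Constructed sample: a complete 300-byte track, larger than TRACK_BUF_SIZE.
 * The unchecked copy would overrun here; the checked one refuses it. */
static const uint8_t big_track[308] = { 'M','T','r','k', 0x00,0x00,0x01,0x2C };

/* Parse one chunk into a local buffer and report the outcome. */
trk_status check_track(const uint8_t *chunk, size_t avail, size_t *out_len) {
    uint8_t buf[TRACK_BUF_SIZE];
    return copy_track_checked(chunk, avail, buf, sizeof buf, out_len);
}

int main(void) {
    uint8_t buf[TRACK_BUF_SIZE];
    size_t n = 0;
    /* Safe only because good_track's declared length (4) really fits. */
    printf("unchecked copy of good track: %d bytes\n",
           copy_track_unchecked(good_track, buf));
    printf("checked good:    status %d, %zu bytes\n",
           check_track(good_track, sizeof good_track, &n), n);
    printf("checked hostile: status %d\n",
           check_track(hostile_track, sizeof hostile_track, &n));
    printf("checked big:     status %d\n",
           check_track(big_track, sizeof big_track, &n));
    return 0;
}
```

The same two checks (length against remaining input, length against destination) are what the "automatic code inspection tools" mentioned in the post flag when they are missing.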
A lot of your gripes are with applications anyway
Applications that are so tightly integrated into the OS that they are not really separate applications anymore. That was my point. A new version of DirectX comes out that allows Internet Explorer and ActiveX controls to open up a security hole that can manipulate the underlying OS. Try removing DirectX or finding a third party application with similar functionality; try removing IE and see what else will no longer work. These items were integrated so tightly on purpose for increased convenience and to tie you into everything MS. The Mozilla Firebird browser for W32 is a zip equivalent of a tarball: unzip and double click the exe file and it is running, there is no OS modification at all. This integration was a major issue during the antitrust case. Another example is MS Windows Update, which REQUIRES a recent version of IE. I am sure MS could easily come up with a small standalone application like every other software company in the world uses to allow automated scheduling and downloading of updates. They choose to tie these together to limit the less technical from wandering for alternatives.
Applications or not, this and many other flaws involve the OS and functions outside of the at-risk applications. Integrating data with application code and scripting and tying it all together with the core of the OS is a convenience but also a security risk.
Bad boys rape our young girls but Violet gives willingly.
OK, I'll admit - I bought a CD off of buymusic.com (specifically "Gutterflower" by the Goo Goo Dolls) and downloaded the protected WMA files. Most licenses on BuyMusic.com allow you to burn the music to an audio CD a few times (mine allowed for up to 3 burns). So, I burned the album to a standard Audio CD... and then I figured, well, lets try ripping them in CDex and making them MP3s. Worked perfectly - no distortion or loss in sound quality. Time to share these bitches on Kazaa. :-P
I was wondering ... would it be possible to remove the DRM and convert to MP3 by recording your new music file to a CD-RW and then ripping the song from the CD into an ordinary MP3 file? Has anyone tried this? Is some trick employed to prevent this?
If that were the case, I might actually buy music from BuyMusic.com. I've got no problem paying 79 cents for music I like, but I don't want to have to buy it again later if I change computers (which happens at least once every 2 or 3 years).
Send/track messages to 100K people: www.xPressAlert.com
Wow, you were answering my question just as I was writing it (see my other post). That's spooky ;p Thanks for your useful post!! If I were a moderator I would mod you up.
Send/track messages to 100K people: www.xPressAlert.com
We have a few Win2000 machines that are running 8.1, so according to Shavlik, the DLL is larger than what is anticipated.
Unless M$ expects to expand the permutations of OS and DX Versions, should I consider my machine safe (stop that laughing!) and this patch not relevant for Win2K+DX8.1?
Mod Karma -1: I sed bad wurds. If I cep my mouf shut, I wud be at riyses.
That is the most heinous sin of Micros**t's: you just can't do crap like turn on IIS for any random person that owns a computer.
I don't know if RedHat installs and turns on BIND by default -- if they don't, they shouldn't have to fall on their swords when a BIND vulnerability is found. For OpenBSD, since BIND is part of "the system" i.e. it's not in "the ports", it's audited and any bugs in it will get fixed by the OpenBSD developers if necessary. That is why until 3.3 (released a couple of months ago), BIND4 was the nameserver daemon that came with it. (3.3 comes with BIND 9.2.2.)
Unlimited growth == Cancer.
MS already knows you were going to say that by analyzing your surfing habits. Psh, amateurs.
Trolls don't like to be Flamebait, because they burn so well. Protect our Troll heritage!
Winamp 2.95? Lots of customizations for MIDI playback in the Decoder.
Trolls don't like to be Flamebait, because they burn so well. Protect our Troll heritage!
In your case it's a home PC, but when your machine becomes an open portal for the latest virus, spammers or DoS'ers due to your lack of testing or 'who cares' attitude, you affect everyone else.
Then it becomes my problem.
My 'attitude', as you call it, is my attempt to prevent people like you from affecting the rest of us that ARE diligent.
Ever thought of buying a terminal? That might be rather appropriate for your frame of mind.
---- Booth was a patriot ----
I like the way, 30 seconds after I open this article up, a little bubble in the bottom right of my screen appears with the text 'You have updates to install' ;)
--
Ok, your gripes with commercial notation software using the industry-wide, open, accepted MIDI standard: isn't this Slashdot? Isn't everyone supposed to be an open-standards advocate?
... whaaaa? Replacement algorithm that directly generates wave at the processor level? What the hell does that mean? You mean, the processor generates a wave, and then sends it to the sound card using DirectSound or the wave mapper? Your friend sounds pretty brilliant.
... because of its fork processes? What do fork processes have to do with *anything*? Did you know that Apache forks a process for every web page it processes? Does that make Apache insecure and inflexible? Besides, DirectX *doesn't* fork processes, it does 'fork' threads, though.
... If you're gonna bitch, at least have a clue about what you're bitching about.
Your gripes about developers having to 'use DirectX or your midi interface will not work:' there's MCI (IIRC - Media Control Interface, I believe) -- it works fine.
Your absolutely clueless rant about DirectX in general: Uh
DirectX sucks for security and flexibility
My biggest gripe: how does incoherent, uninformed babbling like this get modded up to +5 interesting? Do moderators find it interesting that people spout off with no clues about what they're saying? The worst part is, people will read it and think it's *true*, and then use this guy's 'processor level wave' and 'DirectX forking processes' as another excuse to bash MS or whatever.
Damn
--Jeremy
Jesus was a liberal
The on-chip OS in my ZX81. ;-)
I'm running Windows 2000 Professional with DirectX 8.1. Seems like I'm immune as, on this OS, only 7.0 and 9.0a are affected.
The complete list of affected Windows/DirectX combinations is as follows:
Microsoft DirectX® 5.2 on Windows 98
Microsoft DirectX 6.1 on Windows 98 SE
Microsoft DirectX 7.0a on Windows Millennium Edition
Microsoft DirectX 7.0 on Windows 2000
Microsoft DirectX 8.1 on Windows XP
Microsoft DirectX 8.1 on Windows Server 2003
Microsoft DirectX 9.0a when installed on Windows Millennium Edition
Microsoft DirectX 9.0a when installed on Windows 2000
Microsoft DirectX 9.0a when installed on Windows XP
Microsoft DirectX 9.0a when installed on Windows Server 2003
Microsoft Windows NT 4.0 with either Windows Media Player 6.4 or Internet Explorer 6 Service Pack 1 installed.
Microsoft Windows NT 4.0, Terminal Server Edition with either Windows Media Player 6.4 or Internet Explorer 6 Service Pack 1 installed.
Not every possible Windows configuration but probably a majority of them.
Check the relevant technical bulletin for more info.
"Accept that some days you are the pigeon, and some days you are the statue." - David Brent, Wernham Hogg
Again, you completely missed the point. I am talking about using integration of applications into the OS and then allowing these applications to accept application data and software code (from anyone in the world that chooses to email you or from any web page you visit) and run files. That is a completely different issue altogether. That method is NOT safer by any stretch of the imagination.
Not one of the applications you mentioned above is required to be installed on a nix system; they can be installed at will and removed as easily. Adding or removing those applications only results in the loss or gain of that application's functions, not other systems or loss of major parts of the OS's functionality. These applications can be installed, removed, or replaced with any alternative or functionality that you desire. They do have holes, but not a single one of them was triggered by viewing a web page with a BGSOUND tag, by opening an email, or by viewing a rogue porn site. Can you name me one hole on a *nix box that would be triggered the same way? You need to compare apples to apples here.
Bad boys rape our young girls but Violet gives willingly.
I stand corrected. Obviously a video card would function. I meant generally render with the correct drivers installed (not the default drivers on Windows). My mistake.
It seems like most ATI cards are made this way, and it's really annoying if you don't have the disk or a network connection to download direct X - you're stuck with 16 colors.
Guess what? If I do a sudo rm /usr/bin/telnet my system still works fine. Same with sendmail, and BIND, and ftp. The point is that in a sane universe, individual components may be removed or even lost but the system will survive. Control is left to the administrator of the machine, not imposed by the vendor. Removal of apps is normal when securing any sort of machine that allows it.
With the MS 'solution' you have no options here. Internet Explorer is a buggy, messy browser, but is already mostly impossible to completely remove. Things are going on in the background which, while some may be turned off, you are quite likely to break shit by doing so! There is real evidence that MS is actually invading your privacy. Just thinking about the bugs in Windows and all MS products, and thinking about the time they spend coming up with new ways to invade your privacy instead of FIXING those bugs makes my mind boggle.
Which model do you choose: an environment of standards and decency, or one tailor-made for the lowest common denominator? At least with '*nix' you aren't sharecropping.
As far as DirectX and general midi the best way for a musician to notate and create music on a computer is to first add the new special (battering) type of ram. If music notation software did not use midi at all then it would be a real product. I have had nothing but trouble caused by midi when using notation software, and I have used most of them! I write music with my ears first and use paper.
I have also heard of midi files that can contain special sound font instructions that are actually a little MS special .exe from hell. So you can get a case of the worms from a midi file. This is what I meant by a forked up process. Of course a good cfdisk session can fix all that. Midi is fine for a toy and musically illiterate wannabes, but as a music medium it sucks!
OH THE SHAME I fell off the wagon and use sigs again!
(this post is so fucking late, but it's here anyway, :D)
"if i'd known it was harmless, i'd have killed it myself"
A lot of people are acting as though this particular bug is no big deal and isn't worthy of being posted on the main page. But consider this: how many people are running their browsers with the default configurations? And both IE and Mozilla will automatically play MIDI files embedded in webpages with these configurations. So this exploit could theoretically allow any website you visit to run arbitrary code on your system... I'd say that's pretty serious.
With all the stories coming out in the last few weeks about how MS Windows is so insecure (see this, this, and this), why would anyone in their right mind still use it?
People like you are why we have machines all over the net that are hacked and causing issues.
Why viruii propagate.
Perhaps you need a terminal. And I didn't mean a VT100; you can have your 'windows', just make sure that someone with some brains is running the terminal server.
---- Booth was a patriot ----
sort of like the RedHat equivalent of up2date
or apt-get upgrade depending on your trust and taste.
Yet Socrates himself is particularly missed.
A lovely little thinker but a bugger when he's pissed.
And I just spent the last two days downloading the DirectX 9.0a SDK over dial-up!!
Why, this is almost as bad as me buying VC#.NET and VC++.NET a mere moment before VS.NET 2003 came out.
Cheaper though.
"All machines are vulnerable."
Oh, fine then, that makes life much easier, LOL. I'll go back to Windows right away, Mr. Gates, Sir.
No OS can guarantee total security right now, but there are some OS'es that can guarantee that you won't be completely butt-raped by security problems every week... unlike M$ Windows.
; -- the corruption of government starts with its secrets. a truly free people keep no secrets. --
In some sense they do. Mutt isn't written by them, but it's the sysadmin's mail program, Tux is the web server kernel module.
Microsoft doesn't really write all that much, an OS, a browser, a media player, and an office suite. It's just the way they do it that ties them so closely together.
Of course, I think everyone, Linux and Windows, needs a much more fine-grained set of access controls, preferably application specific. There's no reason for an email program to write anything outside of a config directory and a download directory. There's no reason for an office suite to access any files that aren't of its filetypes, especially in write mode. Browsers should be chrooted into a sandbox. I think we should start running everything chrooted, actually. There's no reason for my browser to look at my office suite. If I really want it, I'll make a shared directory they can both access.
We need to recognize that the important thing to most everyone isn't the system, it's the data. If your data gets destroyed, it's over. If the system gets garbled, you reinstall. What we need to do is offer data integrity features so that you can barely lose data if you try, like backups that aren't owned by you, so a virus or trojan can't take them out.
Okay. There are no security bugs in Linux. Suuuuuure.
Could it be that Windows usage absolutely DWARFS Linux usage worldwide? Nooooo, it's that there are no security bugs. Right.
Anyway, OpenBSD kicks both their asses. Hard.
Chr0m0Dr0m!C