Slashdot Mirror
DirectX Flaw Leaves Windows Vulnerable
cryonic*angel writes "Just when you thought it was safe to start buying music from BuyMusic, another another Windows security flaw is found, in DirectX this time, that basically affects every possible windows configuration that is still supported. I wonder, will they indemnify me for this?"
Direct download for 9.0b (not for nt4.0). Strangely it isn't on the main directx page yet considering the critical nature of the problem. Here is the technet article with patches for existing directx versions.
Let's see, pay for music and get F'ed... download for free and be fine (as long as you don't share).
"With sufficient thrust, pigs fly just fine." -- RFC 1925
My Win2k solution already downloaded and installed the update last night automatically via WindowsUpdate.com. Nice system.
move along now folks... nothing new here...
mind you... the particular buffer overflow is unusual...MIDI files... who'd have thought???
Donald 'Duck' Dunn: We had a band powerful enough to turn goat piss into gasoline.
So what you're saying is Windows, without proper patches & updating us unsecure?
Sounds like every other OS out there! : )
Nah, thanks for calling attention to this, I'm going to be patching my clients to 9.0b tonight.
I assert that my comment is only my opinion, not that of any employer, past, present or future.
If I remember/understand correctly someone has to be logged onto the machine to take advantage of this exploit. If they are allready logged on they could do lots of other stuff anyways? Hmmmm...doesn't sound too serious.
FoundNews.com - get paid to blog.,
From what I read, the exploit comes in the form of a weird MIDI file. Are you buying MIDI files from BuyMusic, or...?
Mike.
Mmmm......sacrelicious.
I'd like to. Could you recommend an alternative operating system that hasn't had a single security problem in a year, and has been adding new functionality over that period?
++ Say to Elrond "Hello.".
Elrond says "No.". Elrond gives you some lunch.
Only every single supported version of Windows has this flaw? Thank God, I thought I was in trouble here.
""They'd have to come up with some way to get the user to click on that file," said Stephen Toulouse of Microsoft's Security Response Center, noting that default security settings in recent versions of Microsoft Outlook e-mail software and the Internet Explorer Web browser prevent automatic launching of such files. " Last I checked, as annoying as the feature is, the ability to have IE play MIDI files autonomyously is still there; a friend sent a link to me last night with a lovely display of world architecture and sappy MIDI music playing in the background... This is not a matter of downloading, not a matter of clicking, MIDI files have always been thought harmless, and its that feeling of complacency which threatens to make this dangerous for common users...
Windows Update on Win2k Pro told me of the problem before Slashdot.
It's already been fixed on my machine.
Har Har Har! Yeah, they'll indemnify up to the price you paid for DirectX...
You have to give M$ some credit though... finally, a security flaw where you don't have to care if you are using Win95a, win98blah, Win2k, Win2k SP1e92, WinXP, WinYP, whatever. A *cross-platform* security issue, if you will. ;)
A MIDI overflow? That means no more visits to most Geocities pages.
Trolling is a art,
Huh? What the fuck does this have to do with BuyMusic.com? The flaw, as the article says, affects MIDI, not WMA.
I don't like Windows or BuyMusic.com, either, but this flaw doesn't seem to affect BuyMusic.com directly.
What'd I miss? (Seriously. If I missed something, tell me.)
Mikey-San
Karma: +Eleventy billion (mostly affected by watching Celebrity Jeopardy)
For those who couldn't infer the word..
Indemnify -
Main Entry: indemnify
Pronunciation: in-'dem-n&-"fI
Function: transitive verb
Inflected Form(s): -fied; -fying
Etymology: Latin indemnis unharmed, from in- + damnum damage
Date: circa 1611
1 : to secure against hurt, loss, or damage
2 : to make compensation to for incurred hurt, loss, or damage
-
ping -f 255.255.255.255 # if only
Yeah, I wish slashdot would pick up on this whole SCO thing. I cannot understand why SCO is being completely and uttely ignored here.
I love how they downplay that, like it's such a stretch to get a user who doesn't know any better to click a link in an email or webpage. Hell, my father just agrees to every ActiveX install that happens to come up on his screen, and clicks on any banner ad saying he's got a potential security risk on his computer. Irony is a harsh mistress indeed.
"I'm a leaf on the wind. Watch how I soar."
-Hoban Washburn
LSD has produced two proof of concept exploit codes (which they have not released)which they were able to get to work even with Server 2003 and it's new buffer overflow prevention mechanism. The nature of the flaw makes it ripe for exploitation by a worm.
As discussed here, the reports are unusually embarrassing as they affect Server 2003, Microsoft's most powerful and safest software yet. It is ironic that the announcement comes one day after the Homeland Security Department announced that it awarded a five-year, $90-million contract for Microsoft to supply all its most important desktop and server software for about 140,000 computers inside the new federal agency.
So, what did the patch automatically break for you.
What EULA change did it automatically agree to for you?
Oh, and dont forget the option of faking out your machine and letting it automatically download a trojan..
Automatic NOTICES are a good thing, automatic INSTALLS are not..
---- Booth was a patriot ----
It would have been nice if the poster posted a link to the actual microsoft security bulletin, which also links to the patch for your particular DirectX. Also nice would have been a link to this article at eEye security, which goes into much more technical information. What also would have been nice is if the poster specified that the attack only affected MIDI files, instead of implying that all downloads of online music were at risk. The link to the random and not-really-related article about Microsoft protecting its users from legal hassles could probably have been left out, as it just confused the issue.
(Maybe I'm just bitter that my submission of the same story got rejected)
The following sentence is true. The preceding sentence was false.
From the MSNBC article (which is all most people will see)...
"They'd have to come up with some way to get the user to click on that file," said Stephen Toulouse of Microsoft's Security Response Center, noting that default security settings in recent versions of Microsoft Outlook e-mail software and the Internet Explorer Web browser prevent automatic launching of such files."
HOWEVER, from the TechNet article on the flaw...
"If the file was embedded in a page the vulnerability could be exploited when a user visited the Web page."
Meaning that at BEST, Stephen Toulouse of Microsoft's Security Response Center is incompetent. At WORST he is a lying scuzzball.
Learning HOW to think is more important than learning WHAT to think.
This is not the first time DirectX has had security issues. Here's another issue from a year ago:
a ctivex.microsoft.com/activex/controls/directx/xweb .htm
Overview:
Risk: High
Distribution: Low-Medium
Patch available from vendor: True
Systems Affected:
Systems having Microsoft DirectX Files Viewer
xweb.ocx (2,0,16,15 and possibly older)
Impact:
A remote attacker may be able to execute arbitrary code with the privileges of the current user.
Description:
A buffer overflow exists in the "File" parameter of the Microsoft DirectX Files Viewer ActiveX control that may permit a remote attacker to execute arbitrary code on the system with the privileges of the current user. This vulnerability affects users visited ActiveX samples galery at activex.microsoft.com. Since the control is signed by Microsoft, users of Microsoft's Internet Explorer (IE) who accept and install Microsoft-signed ActiveX controls are also affected. This control was also available for direct download from the web, but can be uploaded on any website.
The tag could be used to embed the ActiveX control in a web page. If an attacker can trick the user into visiting a malicious site or the attacker sends the victim a web page as an HTML-formatted email message or newsgroup posting then this vulnerability could be exploited. This acceptance and installation of the control can occur automatically within IE for users who trust Microsoft-signed ActiveX controls. When the web page is rendered, either by opening the page or viewing the page through a preview pane, the ActiveX control could be invoked. Likewise, if the ActiveX control is embedded in a Microsoft Office (Word, Excel, etc.) document, it may be executed when the document is opened.
Vendor Information:
secure_at_microsoft.com was informed on
9.May.2002.
MSRC 1149cb ticket was opened and finaly resolved on 25.Jun.2002
Solution:
Apply a latest IE/OS patches available from Microsoft:
Setting kill bit expected to be included in latest IE Service pack.
Windows 2000 SP3 and Windows XP SP1 expected to solve this problem.
Links:
ActiveX control still available for retrieval from Global Internet "backup copy":
http://web.archive.org/web/20010410194632/http://
Why do I h8 apple?
Cool, Then you can construct some kind of hacked MIDI keyboard that just plugs into the computer you want to compromise. Press B# three times and you get the admin password.
Ciryon
I find it amazing that a graphics API update is 11mb...let alone the "runtime" which is 164237 KB...although I don't know how big OpenGL's program was....
Let's look at the evidence:
Flaw in DirectX allows code embedded in a malformed MIDI file to be executed on machine (read more)
Patch from MS available before news "broke" on slashdot
Article submitter somehow tries to tie this to buymusic.com
Looks like a case of a rapid fix from MS and a kneejerk editor at Slashdot. How about this spin? "Notified of critical bug, MS immediately issues fix". Nah, wouldn't play to this crowd.
To answer your question, cryonic*angel, MS won't indemnify you but level headed readers may excoriate you...
Is WineX affected by any chance? After all, aren't they supposed to be recreating the API exactly, bugs and all? Besides, it isn't fair that Linux users have to miss out on all the really cool highly publicized bugs. ;)
When you lose something irreplaceable, you don't mourn for the thing you lost, you mourn for yourself. - Harpo Marx
He doesn't know Microsoft very well, does he? :-)
--
Luck is just skill you didn't know you had.
Can you name another OS that exposes a security flaw via the BGSOUND tag? How about one where simply previewing or opening an email will cause security problems? How about one where scripts can be run and have access to your address books for mass emailing. How about one where browsing the web with certain active x controls causes security problems? How about one where the mime encoding is ignored or misrepresented and arbitrary local programs can be run via email or web browsing? How about one where the help system can run arbitrary code in the background? How about embedding viruses and macros into documents that can run arbitrary code and start any program automaticially?. I can keep going if you'd like. Can you even name a single OS that has ANY of these issues of data and code combined into one? Getting a perfect bugfree OS is unrealistic, getting one that is swiss cheese and a complete security clusterf**k should not be acceptable either.
Bad boys rape our young girls but Violet gives willingly.
OpenBSD did only have a single exploit in the last seven years. (In default install profile).
:)
But i'm not sure it was in the last year, if it's earlier then OpenBSD is your answer!
I'd love to see an operating system that didn't get a security problem in a year, regardless of it's state of feature accretion. But even OpenBSD has had one exploit now and they play some real funny games to get it down to only one. Bind, fr example, isn't counted because the minimal install doesn't include it. But if you run a nameserver on OpenBSD BIND is the one that gets installed. So by that logic RedHat shouldn't count BIND bugs either since they also don't install it by default.
I want an OS that can go a year without an exploit in ANY of the software they consider part of their 'distribution'. And still have enough functionality to be useful as a general purpose Internet server. I realize a secure desktop is going to be a lot harder, but lets at least shoot for a real secure server.
Democrat delenda est
So after it was mentioned in the intro to the story, I looked at this BuyMusic.com, and read their terms of sale....man, this is a shitty music service...
Who cares about the freaking security, did anyone read the TERMS OF SALE AGREEMENT?
Check this out:
Content Use Rules. All downloaded music, images, video, artwork, text, software and other copyrightable materials ("Content") are sublicensed to End Users and not sold, notwithstanding use of the terms "sell," "purchase," "order," or "buy" on the Site or this Agreement.
Your Digital Download sublicense is nonexclusive, nontransferable, nonsublicenseable, limited and for use only within the United States. End users may play the Digital Downloads an unlimited number of times on the same registered personal computer to which the Digital Download is originally downloaded.
So are you saying I don't actually own what I'm "buying" on their site?
How can you unlicense your computer too? So if I get a new machine, I lose all my songs!? I couldn't find any mention of switching "primary computers" so that I can keep my music when I upgrade my machine. What about the next time I have to install a fresh version of XP over my current install? Has anyone checked out this service?
It's only when we've lost everything, that we are free to do anything...
I haven't run it since I built the computer 6 weeks ago, but here is the text of the page I got:
This is funny on so many levels:
- don't ya'll fix ie security?
- do ya'll trust ms automatically?
- ms's default setting are medium or lower?!?
"Karma can only be portioned out by the cosmos." -- Homer Simpson
Don't know much about it, but how about OpenVMS?
DirectX controls have been a problem in music notation software for years.
Maybe now someone will write a real piece of music notation software that doesn't use f'ing midi timing to set note placement. One of my main peeves with commercial notation software.
I have seen the possibility that midi could be used as a hack for years! In fact a little friend of mine has used this exploit to demonstrate a flaw in the whole concept of midi as a scripting control. He has written a replacement algorythm that directly generates wave at the processor level and then sends it to the sound card without the use of shitty DirectX. DirectX sucks for security and flexability always has and always will, because of its fork processes. I personaly do not care if my notation software can make sound, so I just have to put up with useless junk midi. Read my journal entry about more music #32862
OH THE SHAME I fell off the wagon and use sigs again!
After uninstallation of the IIS update, OpenGL started working again. Trustworthy Computing, my balls.
It is trustworthy! You can trust it not to work!
Ba-dum-bup! (rimshot)
Thanks folks! I'll be here all week! Try the veal!
Fine. But as soon as you want to do something useful with OpenBSD, you need to go beyond the default install profile, which is set up to be as secure as possible by disabling everything. Once you start enabling even common and inoffensive services, you hit security problems.
OpenBSD security advisories from this year (for version 3.2):
# March 31, 2003: A buffer overflow in the address parsing in sendmail(8) may allow an attacker to gain root privileges.
# March 24, 2003: A cryptographic weaknesses in the Kerberos v4 protocol can be exploited on Kerberos v5 as well.
# March 19, 2003: OpenSSL is vulnerable to an extension of the ``Bleichenbacher'' attack designed by Czech researchers Klima, Pokorny and Rosa.
# March 18, 2003: Various SSL and TLS operations in OpenSSL are vulnerable to timing attacks.
# March 5, 2003: A buffer overflow in lprm(1) may allow an attacker to elevate privileges to user daemon..
# March 3, 2003: A buffer overflow in the envelope comments processing in sendmail(8) may allow an attacker to gain root privileges.
# February 25, 2003: httpd(8) leaks file inode numbers via ETag header as well as child PIDs in multipart MIME boundary generation. This could lead, for example, to NFS exploitation because it uses inode numbers as part of the file handle.
# February 22, 2003: In ssl(8) an information leak can occur via timing by performing a MAC computation even if incorrect block cipher padding has been found, this is a countermeasure. Also, check for negative sizes, in allocation routines.
# January 20, 2003: A double free exists in cvs(1) that could lead to privilege escalation for cvs configurations where the cvs command is run as a privileged user.
++ Say to Elrond "Hello.".
Elrond says "No.". Elrond gives you some lunch.
QNX.
But really, Linux and MacOS X are both better, and while there have been bugs found in each, if the bug isn't one in a component you use, or in the kernel, can you count it? When I update my system, many of the updates are for third-party packages. As if MS provided patches for Eudora.
When I was in college for programming, the teachers would *intentionally* try to crash our software, mainly by buffer overruns, if the software crashed, we would fail.
The class taught us about error checking ond control. Something MS seems to desperately need.
So rise up, all ye lost ones, as one, we'll claw the clouds.
Yeah, I like that. Let's spawn a division of /. called bashdot (b.) where the daily M$ flaws can be posted. That will free up a LOT of /. real estate for important matters like SCO scoops..
Dear Windows Users,
<EMBED SRC="h4x0r3d.mid" HEIGHT=200 WIDTH=55></EMBED>
Yours,
B. Overflow
How about: "Windows leaves Windows vulnerable?"
How the fuck did a gaming API ever get enough priveleges in a "modern" operating system to be able to cause any kind of problems beyond resource starvation?
"They'd have to come up with some way to get the user to click on that file," said Stephen Toulouse of Microsoft's Security Response Center
Such as a link saying "CLICK HERE!"?
"You tried your best and failed miserably. The lesson is...never try. Heh!" -Homer
Instead of posting every single security flaw in windows to slashdot (I mean seriously... we KNOW they exist don't we? It's not exactly "news" and there ARE other sites for them) to be flamed to pieces how about just have a little "counter" somewhere on the main page.. along with a date the user can set in his/her settings. Increment it everytime a new flaw is found so that it keeps a running tally. Number of Windows flaws since . Fun AND informative. Sorta.
FYI...
Windows 2000 machines running SP4 are not affected by this flaw. I suggest anyone running anything less than this starts deploying SP4 instead of this individual patch. Shavlik has excellent products to make your patch deployment easier.
The title says it all ( and will be modded down ).
If you auto update you deserve all the grief and broken applications you get.
It has nothing to do with paranoia. its called being responsible. you DON'T automatically changes things because someone else says its new and improved.
You first see if you NEED the update, if the bug fixes effect you, then you TEST TEST TEST. If it doesnt then you DONT install it.
I'm glad you don't run any network I'm on.
And YES i knew it was optional in the first place, the parent of this chose autoUPDATE, thus prompted comments.
Sheesh.
---- Booth was a patriot ----
...is why would Microsoft distribute drawing and music libraries in what is essentially a server operating system? (WinServer2k3) Why these aren't optional components that an administrator could choose to include at install time is a good question, and should be asked of Microsoft.
The reader with 200 NT/2K boxes to patch would probably be grateful if he didn't have to worry about patching whatever bogus components MS includes by default.
I say we take 'em back to court and get them to rip out ALL the unnecessary functionality from the kernel.
"He treats objects like women, man!"
- The Dude, The Big Lebowski
It's great to see Microsoft treating a threat of this severity appropriately. When I booted up my machine this morning (long before this Slashdot article was posted) I was greeted with a Windows Update message offering me a patch to this vulnerability. I didn't even know it existed! I was able to patch first, and ask questions later.
My only complaint is that MS seems less concerned with many less severe vulnerabilities. You'd think a corporation of their size would have a whole department devoted solely to fixing all security (and other) flaws.
And what if I'm:
I think music playing without me specifically requesting it is ALWAYS a bad idea. Same as I don't want my browser to open unrequested windows EVER.
Greetings,
Project Manager of Crystal Space (http://www.crystalspace3d.org). Support CS at http://tinyurl.com/cb3x4
I should have taken a left a 17.254.3.183
There is Transgaming's WineX, you know. I hear it's pretty good for playing games under Linux.
OK, I'll admit - I bought a CD off of buymusic.com (specifically "Gutterflower" by the Goo Goo Dolls) and downloaded the protected WMA files. Most licenses on BuyMusic.com allow you to burn the music to an audio CD a few times (mine allowed for up to 3 burns). So, I burned the album to a standard Audio CD... and then I figured, well, lets try ripping them in CDex and making them MP3s. Worked perfectly - no distortion or loss in sound quality. Time to share these bitches on Kazaa. :-P
MS already knows you were going to say that by analyzing your surfing habits. Psh, amateurs.
Trolls dont like to be Flamebait, because they burn so well. Protect our Troll heritage!
I'm running Windows 2000 Professional with DirectX 8.1. Seems like I'm immune as, on this OS, only 7.0 and 9.0a are effected.
The complete list of effected Windows/DirectX combinations are as follows:
Microsoft DirectX® 5.2 on Windows 98
Microsoft DirectX 6.1 on Windows 98 SE
Microsoft DirectX 7.0a on Windows Millennium Edition
Microsoft DirectX 7.0 on Windows 2000
Microsoft DirectX 8.1 on Windows XP
Microsoft DirectX 8.1 on Windows Server 2003
Microsoft DirectX 9.0a when installed on Windows Millennium Edition
Microsoft DirectX 9.0a when installed on Windows 2000
Microsoft DirectX 9.0a when installed on Windows XP
Microsoft DirectX 9.0a when installed on Windows Server 2003
Microsoft Windows NT 4.0 with either Windows Media Player 6.4 or Internet Explorer 6 Service Pack 1 installed.
Microsoft Windows NT 4.0, Terminal Server Edition with either Windows Media Player 6.4 or Internet Explorer 6 Service Pack 1 installed.
Not every possible Windows configuration but probably a majority of them.
Check the relevant technical bulletin for more info.
"Accept that some days you are the pigeon, and some days you are the statue." - David Brent, Wernham Hogg
Alot of people are acting as though this particular bug is no big deal and isn't worthy of being posted on the main page. But consider this, how many people are running thier browsers with the default configurations? And Both IE and Mozilla will automatically play MIDI files embedded in webpages with this configurations. So this exploit could theoretically allow any website you visit to run arbitrary code on your system. . . I'd say that's pretty serious.