DirectX Flaw Leaves Windows Vulnerable

cryonic*angel writes "Just when you thought it was safe to start buying music from BuyMusic, another another Windows security flaw is found, in DirectX this time, that basically affects every possible windows configuration that is still supported. I wonder, will they indemnify me for this?"

patch me up baby!

[Neophytus]

Direct download for 9.0b (not for nt4.0). Strangely it isn't on the main directx page yet considering the critical nature of the problem. Here is the technet article with patches for existing directx versions.

Re:patch me up baby!

[GammaTau]

Well, you know what they say about downloading and applying Windows patches...

"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."

Re:patch me up baby!

[Chester+K]

I'm quite sure there is a patch up already on windows update. My computer was patched just hours ago. I really don't see anything special about this story. What's so special about this flaw?

It's a Microsoft bug, it doesn't matter how important it is. You're supposed to be foaming at the mouth and making sweeping statements about how this proves open source is better! Don't you know what website you're on?

Re:patch me up baby!

[Knightmare]

I can't decide if this is a troll or not. How is this a big vulnerability? Well, take a second and think how easy it is to be exposed to a midi file compared to an executable in an email or a malformed packet on one of Windows many default listening ports.

Newer versions of outlook and many mail servers can block .exe,.src,.com,etc... extensions from ever making it to your double click happy hand.

A $35 personal firewall from your local computer store can protect you from port based attacks.

But when was the last time you saw security software/hardware that blocked midi files? An exploit of this in the wild would mean any webpage, any HTML email, any midi file download would be an attack vector. How is this a small problem?

Re:patch me up baby!

[Entropius]

While /. has been known to indulge in a little over-the-top microsoft bashing when bugs like these come out, there's a reason they (especially ones like this) make the front page.

Windows has a huge installed base, and windows machines tend to be targeted by kiddies looking for DDoS zombies.

And of course this is a big bug. Run arbitrary code through a midi file? That's huge, and deserves to be on the front page. Apache security holes of much less import make the front page, and they probably belong there too.

Re:patch me up baby!

[FatherOfONe]

Man how true it is. I can't believe all the people here that bash Microsoft for their apparent lack of security. I mean whats the problem with checking for patches for your server every hour or so? Even if some of the patches are so bad they crash apps on your server and prevent others from starting. I mean, what is the big deal?

Hang on a second... it has been 30 seconds since I last checked Microsoft for another security update...

Ok, I now have another 90MB file I need to apply to the 200 NT boxes I have.... Like I was saying what the heck is the big deal? So what that most vendors release stuff on NT boxes that requires certain service packs, and won't work with others? Yeah this makes server consoldation impossible but who really cares? It isn't that big of a deal, just buy another box. Heck we plan on buying another hundred or so this year.

Hang on a second it has been another 5 min since my last check at Microsoft for another update...

Wow only two new updates! This is a first! Now, as I was saying, these open source "Quality is important" types are just zealots. They just don't understand that it isn't that big of a deal to support Windows.

Sorry, hang on a second... a new Worm just hit or email server...

Now where was I? Oh yeah, the advantages of running Windows... You have one consistant platform. Well we will when we finally get our 200 NT boxes upgraded to Win2k server. Dag gone it, I have to go and talk to our Microsoft rep again... be back in 15 min...

Ok I just found out that Windows 2003 server is out now and EVERYONE is going to it. The nice thing is that Microsoft will let us keep running our Win2k servers until the end of the year! Yeah I would like to see what you open source people say about that! See Microsoft isn't bad at all. They even told us that we could run 2003 Server for a full 3 years! Man that will make life great!

So let all the bitching begin about Microsoft over one SMALL bug! They just don't know what they are talking about...

Re:patch me up baby!

[ssimpson]

What's so special about this flaw?

Are you brainwashed by how many flaws like this we see? This allows a malicious adversary to craft a web page (for IE) or e-mail (for OE / Outlook) that would allow the adversary to execute arbitrary programs in that users context.

The point isn't that an update is out already, it's that there will remain god knows how many tens of millions of computer vulnerable to this flaw for a long time. Not only will those machines be hacked and taken down, but someone will most likely produce and exploit that turns the machines into a DDoS client, or an SMTP relay for spam, or...You get the idea. In the end it pisses over the rest of the Internet community.

And it's all thanks to shite security engineering in MS and non-conformance to standards (the MIDI playing is caused by a non-W3c HTML tag "BGSOUND").

Re:patch me up baby!

[drunk_as_in_beer]

What's so special about this flaw?

What's so special is you actually *don't* have to reboot after applying the patch.

Tough one...

[WD_40]

Let's see, pay for music and get F'ed... download for free and be fine (as long as you don't share).

Re:Tough one...

[Latent+IT]

Let's see, pay for music and get F'ed... download for free and be fine (as long as you don't share).

So, let me see if I have this right - you think that files off a pay-for-music download site are more likely to be infected vs. files on Kazaa?

Seriously?

Microsoft software has security flaw... what's new

[advocate_one]

move along now folks... nothing new here...
mind you... the particular buffer overflow is unusual...MIDI files... who'd have thought???

Re:Windows ...

[iapetus]

I'd like to. Could you recommend an alternative operating system that hasn't had a single security problem in a year, and has been adding new functionality over that period?

Hmmm...

[chrisgeleven]

Only every single supported version of Windows has this flaw? Thank God, I thought I was in trouble here.

Wha...

[mgcsinc]

""They'd have to come up with some way to get the user to click on that file," said Stephen Toulouse of Microsoft's Security Response Center, noting that default security settings in recent versions of Microsoft Outlook e-mail software and the Internet Explorer Web browser prevent automatic launching of such files. " Last I checked, as annoying as the feature is, the ability to have IE play MIDI files autonomyously is still there; a friend sent a link to me last night with a lovely display of world architecture and sappy MIDI music playing in the background... This is not a matter of downloading, not a matter of clicking, MIDI files have always been thought harmless, and its that feeling of complacency which threatens to make this dangerous for common users...

Will they indemnify me?

[SoTuA]

Har Har Har! Yeah, they'll indemnify up to the price you paid for DirectX...

You have to give M$ some credit though... finally, a security flaw where you don't have to care if you are using Win95a, win98blah, Win2k, Win2k SP1e92, WinXP, WinYP, whatever. A *cross-platform* security issue, if you will. ;)

Great.

[grub]

A MIDI overflow? That means no more visits to most Geocities pages.

SPIN SPIN SPIN

[chill]

From the MSNBC article (which is all most people will see)...

"They'd have to come up with some way to get the user to click on that file," said Stephen Toulouse of Microsoft's Security Response Center, noting that default security settings in recent versions of Microsoft Outlook e-mail software and the Internet Explorer Web browser prevent automatic launching of such files."

HOWEVER, from the TechNet article on the flaw...

"If the file was embedded in a page the vulnerability could be exploited when a user visited the Web page."

Meaning that at BEST, Stephen Toulouse of Microsoft's Security Response Center is incompetent. At WORST he is a lying scuzzball.

Re:logged in

[spydir31]

Wrong, all you need is that someone view a webpage with the following tag
<BGSOUND SRC="exploit.MID" >
(assume the file exists :)
IE plays these by default.

MIDI

[ciryon]

Cool, Then you can construct some kind of hacked MIDI keyboard that just plugs into the computer you want to compromise. Press B# three times and you get the admin password.

Ciryon

Re:Windows ...

OpenBSD did only have a single exploit in the last seven years. (In default install profile).

But i'm not sure it was in the last year, if it's earlier then OpenBSD is your answer! :)

I won't EVER be buying music from BuyMusic....

[NetCurl]

So after it was mentioned in the intro to the story, I looked at this BuyMusic.com, and read their terms of sale....man, this is a shitty music service...

Who cares about the freaking security, did anyone read the TERMS OF SALE AGREEMENT?

Check this out:

Content Use Rules. All downloaded music, images, video, artwork, text, software and other copyrightable materials ("Content") are sublicensed to End Users and not sold, notwithstanding use of the terms "sell," "purchase," "order," or "buy" on the Site or this Agreement.
Your Digital Download sublicense is nonexclusive, nontransferable, nonsublicenseable, limited and for use only within the United States. End users may play the Digital Downloads an unlimited number of times on the same registered personal computer to which the Digital Download is originally downloaded.

So are you saying I don't actually own what I'm "buying" on their site?

How can you unlicense your computer too? So if I get a new machine, I lose all my songs!? I couldn't find any mention of switching "primary computers" so that I can keep my music when I upgrade my machine. What about the next time I have to install a fresh version of XP over my current install? Has anyone checked out this service?

Dear Windows Users

[Letter]

Dear Windows Users,

<EMBED SRC="h4x0r3d.mid" HEIGHT=200 WIDTH=55></EMBED>

Yours,
B. Overflow