Slashdot Mirror


Image Causes Exploitable Overflow in Microsoft Products

Em Adespoton writes "Core Security researchers discovered that by electing a specially-crafted graphic as the user's display picture in MSN Messenger, an attacker could trigger a buffer overflow vulnerability on the chat partner's computer. Through this, it is possible to covertly take over machines running instant messaging software. Windows Messenger and Windows Media Player are also affected by this vulnerability. The story is also available at Newsfactor.com and SearchSecurity.com."

6 of 291 comments

  1. Still think by Threni · Score: 3, Insightful

    it's safer using an OS which has fewer security updates per year than Linux?

  2. Isn't it worth mentioning by apoplectic · Score: 5, Insightful

    The Slashdot story blurb leaves out that this fix is already available. Certainly, if the fix hadn't already been made available you could count on that tidbit being mentioned....

  3. Re:but it's more secure than linux! by Manip · Score: 3, Insightful

    1. This has been patched.
    2. GAIM has had exploits patched.
    3. Linux has had exploits patched.
    4. I remember reading people defending Linux by saying that a lot of the distribution patches are not for the OS but instead for tools/apps... Yet you don't hold the same true for Microsoft?
    5. People need to be a little more objective, even on /.
    6. This is old news.

  4. Re:Already patched? by digidave · Score: 3, Insightful

    the libpng patch was out in August and MS sat on their hands all that time before patching the version they shipped.

    And I bet some independent report will become available claiming that MS patches quicker than OSS because they only acknowledged the libpng bug a few days before releasing the patch.

    --
    The global economy is a great thing until you feel it locally.
  5. Re:once upon a time... by t_allardyce · Score: 4, Insightful

    He should have said 'oh, and if you pay me anything -- anything less than $300,000 for this fix, you might as well look for a new job too, and a good PR team to cover up the leak I spill.'

    --
    This comment does not represent the views or opinions of the user.
  6. Re:Already fixed by stinky+wizzleteats · Score: 4, Insightful

    After RTFMing, this problem has been known since August of last year

    I RTFMed, too. Seems like vulnerability was fixed in August of last year by Gentoo, Red Hat, and Mandrake.

    Nothing compares MS security to that of the rest of the world better than seeing how they fix the same damn vulnerability. Let this be a lesson to you. Never astroturf with facts. A quality 'turf would have been to say: "Yes, but Linux has a history of at least three times as many security problems with PNG as Microsoft"