Image Causes Exploitable Overflow in Microsoft Products

Em Adespoton writes "Core Security researchers discovered that by electing a specially-crafted graphic as the user's display picture in MSN Messenger, an attacker could trigger a buffer overflow vulnerability on the chat partner's computer. Through this, it is possible to covertly take over machines running instant messaging software. Windows Messenger and Windows Media Player are also affected by this vulnerability. The story is also available at Newsfactor.com and SearchSecurity.com."

That's genius...

[Assmasher]

Use the old security notification for image library overflows and do nothing new with it except use the image code running in messenger. WOW, that's news...

Re:That's genius...

[robslimo]

Is this one at all related to the previous image library flaws (the vulnerability for which the GDI detection tool was released to identify any Windows apps that were affected)?

Oh, wait, I think I found it! A patch was released for PNG processing flaws on Tuesday this week; among the affected software: Microsoft MSN Messenger.

Re:That's genius...

[dsginter]

A friend of mine used the goatse image for his MSN person icon and I had a buffer overflow of my own.

When did I ever eat corn?

Re:That's genius...

[halivar]

A friend of mine used the goatse image for his MSN person icon and I had a buffer overflow of my own.

This begs the question... is he really your friend, after all?

Re:That's genius...

[laplandsix]

Heck yeah! Dueling disgusting photos is what friends do best! BTW, tinyurl works great for stuff like this. One friend of mine burned me so badly that I wrote a perl script to strip off all image attachments, and scale them down to 10x10 for previewing before I opened them. It doesn't take too many times of seeing goatse, tubgirl, and their ilk to make it worth the effort.

Re:That's genius...

[Hognoxious]

And risk getting sued for copyright infringement?

Re:That's genius...

[glib909]

Yes, that's quite an egregious security hole ...

Re:That's genius...

[iwantabettrsn]

Can I see it?

MS loss...

[LazyPhoenix]

Microsofts loss is my GAIM.

ha.

Re:MS loss...

[DrEldarion]

Out with the old, Trillian with the new.

Re:MS loss...

[superpulpsicle]

But I use Trillion, which opens a simultaneous tunnel to aol, msn, yahoo, ICQ etc. Does that mean I am absolutely screwed thru the ass?!

Re:MS loss...

[BorgCopyeditor]

Are you the Electrician?

Re:MS loss...

[beelsebob]

You can take a windows user to Mac OS and Adium, but you can't make them use it.

Re:MS loss...

[XMyth]

No, it means you didn't get the joke. :)

Re:MS loss...

[hoppo]

Provided Trillian doesn't leech off of Messenger's image processing, that is.

Regardless, I really dig the Wikipedia mouseovers in Trillian.

Re:MS loss...

[cd_serek]

Bah! Trillion is just as bloated as MSN Messenger. I opt for the slim and open source Miranda-IM anyday. It's less resource intensive and has the same necessary features as Trillion.

Where are the Cherubs?

[Speare]

I think I heard of this method of attack in a security book I read once. Where the image of an avatar's identification turned out to be a computer-infecting virus. Oh, wait, it was a novel. "Snow Crash" by Neal Stephenson.

Re:Where are the Cherubs?

[jgoemat]

The images wouldn't only affect your computer, but your brain as well. I hope virus writers never figure that one out!

Re:Where are the Cherubs?

[br0ck]

??SPOILER?? Cheers for trying to make this exploit fit the story, but unless I'm forgetting something, it wasn't the avatar doing the infecting. It was an assassin killing key hackers within the metaverse. The attacker showed a screen to intended victims which displayed 'snow'--like a TV tuned with no signal--which contained a message that crashed the victims brain turning them into a useless vegetable. More Info

Re: Where are the Cherubs?

[Black+Parrot]

> Never read Snow Crash, but the proper pluralization of cherub is cherubim. (::seraph:seraphim::nephil:nephilim, etc.)

::virus:viriim:: ?

Re:Where are the Cherubs?

[ultranova]

The images wouldn't only affect your computer, but your brain as well. I hope virus writers never figure that one out!

Don't worry; after a lifetime of constant exposure to ads, it would take one hell of a picture virus to even make you sneeze :).

Seriously: the purpose of ads is to reprogram our behaviour, either permanently or temporarily. They do this by exploiting various psychological weaknesses of human minds - such as the need to associate with (imitate) what is perceived as succesfull people, the need to take care of children (add a little kid to the ad and the viewer becomes far more vulnerable), the fear of growing old and unwillingness to give up youth, etc. These can certainly be classified as "unchecked input" -bugs: they (try to) bypass rational thinking to make the viewer associate something positive with the product being advertised.

Fortunately, the human brain has shown itself to be self-calibrating; after being deceived once or twice (or twenty times), it develops the firewall of cynicism. However, if we ever develop artificial intelligence, I truly feel sorry for any robots produced by Microsoft ;).

So in short, don't worry about the picture-based brain viruses; they exist right now, are called ads, and human beings are capable of developing resistance against them.

Re:Where are the Cherubs?

[k96822]

However, if we ever develop artificial intelligence, I truly feel sorry for any robots produced by Microsoft ;).

Oh, that's just peachy. An army of Microsoft Robots (TM), all with their security holes, easily programmed to destroy humanity. Good thing they won't work long enough before a reboot to do too much damage!

Re:Where are the Cherubs?

[Dr+Caleb]

The images wouldn't only affect your computer, but your brain as well.

So instead of Cherubs, they have Tub Girl.

Did I really just write that? :P

Re:Where are the Cherubs?

[The+Tyrant]

We also have audio viri... next time your in a university lecture or open plan office, try quietly humming Tetris tune B, after a while, stop, and its nearly gaurenteed someone else will pick it up and carry on without even being consiously aware of it.

Yes, I've tried it, many times, yes it works, no you dont have to believe me, try yourself.

Re:Where are the Cherubs?

[FuzzyBad-Mofo]

These are examples of memes. A lot of people misuse that word, but it really is "an infectous idea." Regigion has got to be the most effective meme of all.

Re:Where are the Cherubs?

[MrDoh!]

I've not read the book, but how would anyone ever create a program todo this? Surely it would be a bugger to debug...
"Send in more programmers, and someone clean up that gray goo leaking onto the keyboards. oh, and train the new batch to use F5* to step through the brain crash code"

*(this is of course assuming that any code able to crash people's brains is written in VB. Too far a stretch of the imagination one hopes)

Re:Where are the Cherubs?

[necro2607]

Okay, well that is now about the sixth time the book Snow Crash has been either recommended to me, or else mentioned in some manner that made me want to read it.

Why don't I have this freakin book yet? ;)

Article left out significant information...

[bigtallmofo]

Animated pictures of shiny pocketwatches moving back and forth were found to be the most effective at taking control of other people's computers.

Still think

[Threni]

it's safer using an OS which has less security updates per year than Linux?

Re:Still think

Don't worry, I've sent everyone the patch via a .png file.

Re:Still think

[NaruVonWilkins]

Not safer, but more useful for time spent.

Re:Still think

[ultranova]

it's safer using an OS which has less security updates per year than Linux?

Yeah, but MS-DOS v1.0 is even safer; no security updates ever! That's right folks, DOS 1.0 has never had a single security related patch released!

Already fixed

[dreamt]

After RTFMing, this was part of this week's Microsoft patches.

Re:Already fixed

[inteller]

this is fixed and your classmate is a dumbass. please move along there is nothing else to see here.

Re:Already fixed

[malfunct]

Each app had its own patch. There were 10 of them that downloaded to my machine recently.

Re:Already fixed

[stinky+wizzleteats]

After RTFMing, this problem has been known since August of last year

I RTFMed, too. Seems like vulnerability was fixed in August of last year by Gentoo, Red Hat, andMandrake.

Nothing compares MS security to that of the rest of the world better than seeing how they fix the same damn vulnerability. Let this be a lesson to you. Never astroturf with facts. A quality 'turf would have been to say: "Yes, but Linux has a history of at least three times as many security problems with PNG as Microsoft"

MS Security Chief Says Windows is Safer Than Linux

[hoggoth]

Hello? Didn't you get the memo?

MS Security Chief Says Windows is Safer Than Linux

Now stop trying to spread FUD.

What???

[Jeffery]

I can't belive that.. but i love all my microsoft products.. they must be wrong, microsoft doesn't have security flaws!! and my MSN messanger is totally safe, and all my WMA and WMV files are so totally secure! /sarcasm

Re:What???

[hoggoth]

Phwew. I was about to go BALLISTIC on your post... but then thank goodness I saw the '/sarcasm' at the end. I mean, I was stoked up to spew some hellfire on you for your outrageous statements. They seemed... almost... too extreme to believe. Now that I see you clearly labelled it as 'sarcasm' I took a step back, and I'm cooling off. Shaking my arms, letting the anger go.

Good thing you clearly labelled it as sarcasm.

'cause otherwise I wouldn't have known.

Really good sarcasm, too.

Got me, there.

Phwew.

Bill Gates

[kai.chan]

If only I had Bill Gate's MSN . . .

Re:Bill Gates

[tussey]

Haven't you heard? Willy uses a mac.

Re:Bill Gates

[necro2607]

Dude, Bill Gates probably runs Linux on his PC...

Re:Worst internet worm ever?

[PapaBoojum]

By spreading to everyone in your buddy list, a worm based on this exploit could infect 90% of the world in a couple hours.

I'm doing my part. I don't have any friends.

In other news...

[Dutchmaan]

IT: MS Security Chief Says Windows is Safer Than Linux....

Re:In other news...

[Stephen+Samuel]

IT: MS Security Chief Says Windows is Safer Than Linux....

I think that's because it's generally so full of worms, that you can't fit any more exploits into your average box. In that respect this actually makes Windows more secure because it makes it more likely that you box will be too infected for any given virus to be able to do anything.

Am I the only one

[mr.newt]

who finds it funny that the Google ads for the article show an advert for MSN Messenger?

He said safer* not safer.

There is a huge difference.

Question

[Spy+der+Mann]

Is this why today my MSN asked me to upgrade to a new version? Or is the new version still vulnerable to this? I'm using version 6.2.0205

Re:Question

[zerocommazero]

yes, you wouldn't be able to connect without it.

Re:Question

[sabernet]

also, is trillian affected by this?

This is the picture...

http://blog.monkeymethods.org/images/billgates01.j pg Enough to make any buffer quit really...

Re:This is the picture...

[quanticle]

This pic caused a buffer overflow in my mind...

Re:Worst internet worm ever?

[VeryApt]

It was implied that it pertains to those having the things listed. Dumbass.

Re:MS Security Chief Says Windows is Safer Than Li

[Leknor]

Anyone ever done a study to determine the mean time between when MS claims their products are secure and when the next exploit is announced?

Re:Worst internet worm ever?

[somethinghollow]

The someone better hurry and write a "white-hat" worm that installs an update that patches the exploit. Then we could patch "90% of the world" in a couple hours.

Buffer overflow errors/vulnerabilities

[KiltedKnight]

Anyone notice how they seem to be all over Windows?

I'll bet the guy who used gets() is long gone, so they're still searching for each of his hidden calls to it. It's either that, or he won't admit to ever having used it.

Stupid question:

[JayJay.br]

Looks like the problem is with PNG handling. Could it be then exploited through web pages? Or is it only the use those applications make of the format?

Re:Stupid question:

[noselasd]

Mod thisone up. Important question !

--
Stuff.. http://asgaard.homelinux.org/

Re:Stupid question:

[l3v1]

Thing is, it is a sad day when handling images (PNG or else) can be so dumbly done so as to give room for such exploits - again.

Re:Stupid question:

[dadefatsax]

The MS Security bulletin says no. Affected software:
- Microsoft Windows Media Player 9 Series (when running on Windows 2000, Windows XP Service Pack 1 and Windows Server 2003)
- Microsoft Windows Messenger version 5.0
- Microsoft MSN Messenger 6.1
- Microsoft MSN Messenger 6.2
- Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME)

Although, if you are looking for freshly patched browser based security issues:
http://www.microsoft.com/technet/security/bulletin /MS05-013.mspx;
http://www.microsoft.com/technet/security/bulletin /MS05-014.mspx; and
http://www.microsoft.com/technet/security/bulletin /MS05-015.mspx

Re:Stupid question:

[pavon]

Yes, the flaw is actually in the open source library libpng. It was discovered and fixed back in August. Any application that uses an old version of this library is affected. This included mozilla and firefox, which both released fixed versions within a day of the libpng patch. Internet Explorer is not affected by this exploit as it doesn not use libpng.

Re:Um, yeah

[internetdarwin]

Right, you mean this buffer over-flow protection?

Ah HA!

[MrFreshly]

The image that triggers it is an inverted picture of Bill Gates playing cards with Sadam, Satan, and Celine Dion.

Re:Ah HA!

[droopycom]

What is Satan doing in there ?

Re:Ah HA!

[TheDauthi]

Satan would never lower himself to the level of playing cards with Celine Dion.

Re:Ah HA!

[sharkey]

He's Saddam's bitch, remember?


"Heyyyy, Satan! I got a new set of chips for our poker game. Let's fuck to celebrate!"

Re:Ah HA!

[FuzzyBad-Mofo]

I agree that Satan would never appear with Celine Dion, but only because Celine is his avatar.

Well, that and the fact that he doesn't actually exist, of course. But if he did, it would be Celine. ;)

Defeating the Borg?

[bokmann]

Isn't this the same technique Geordie LaForge came up with for introducing a virus into the Borg collective? Remember Hugh?

Maybe the image of Bill Gates-as-Borg was a little more prophetic than we all realized.

Re:Defeating the Borg?

[Swamii]

Yawn. I don't know about a virus, but you've just put me to sleep like Data did to the Borg in episode 128 where he issues a low-priority regeneration command to the Borg collective and then they revive Captain Picard who was actually named Locutus of Borg when he was merged into the Borg identity as he was captured on the Borg Cube after a mission of reconaissance in the ... zzzzzzzz

Re:Defeating the Borg?

[Triv]

Picard wasn't captured on the cube - the borg stole him off of his own bridge. Like Riker'd let Picard beam over to a Borg cube anyway. I mean, what universe do YOU live in? Whichever it is, it sure ain't canon.

(oh, and he was captured in ep. 127, not 128. Not that you SAID that, just clarifying).

Triv

(twajs)

Re:This is the picture... NSFW!

[duguk]

AAAAAAAAAAARGHHHHHHH! NSFW! Not safe for anything! That's way too scary. Dug

When will this stop being "news?"

[gearmonger]

Wow....another exploit found in Microsoft software? That's Page 1 news, right along with:

News Update: Woman Gives Birth

Breaking Story: Actor Turns Politician

Headline: Sun Rises in East...AGAIN!

*sigh*

Re:When will this stop being "news?"

[Strudelkugel]

The patch was released on Feb 8, the story comes out on Feb 11. Right, not much to see here.

Maybe the RAF has a big PowerPoint that's of interest on web server somewhere...

Re:When will this stop being "news?"

[BrookHarty]

Reminds me of the local nightly news at 6pm.

Things you need to know RIGHT NOW that will save your life! Tonight at News at 11

Re:When will this stop being "news?"

[catalupus]

"Maybe the RAF has a big PowerPoint that's of interest on web server somewhere..." Are the RAF hosting it now because the Royal Navy website is down?

Re:When will this stop being "news?"

[legirons]

"The patch was released on Feb 8, the story comes out on Feb 11. Right, not much to see here."

Not much to see at all, if you haven't been cracked between the discovery of the bug (hint: that was before the patch was released) and the publishing of this story.

Hope you weren't storing any sensitive information on that Windows machine...?

*Proprietary* Network Graphic?

[TomorrowPlusX]

What? I thought all this time they were *Portable* Network Graphics. Well, the article says "Proprietary" so they must be right.

Re:*Proprietary* Network Graphic?

[dannannan]

"Proprietary" isn't too far off, given those non-standard extensions for encoding executable code that weren't in the original standard... It's a feature!

D

Re:WHAT THE FUCK?!

[manifoldronin]

That's because somebody else figured out a way to buffer overflow the Windows' WAV processing code.

They're wrong about PNG

[BluhDeBluh]

They've said that PNG stands for "Proprietary Network Graphics". In fact, this is very wrong - it's not proprietary at all. The idea of the format is that it _ISN'T_ proprietary - it's free as in speech, free as in beer, free as in patents.

PNG really stands for Portable Network Graphics. And I hope that people don't get confused and start blaming the PNG file format for a bug that is MS's fault.

Re:They're wrong about PNG

[Thud457]

These bitch-ass "journalists" we have these days don't understand the fuckin' First Amenedment, how the hell do you expect them to grasp a more abstract concept like Open Standards?!!!

B is just a superset of A here.

Re:They're wrong about PNG

[Trillan]

Microsoft wrote LibPNG?

Re:They're wrong about PNG

[magefile]

How exactly don't they understand the First Amendment? I know about the 36% of HS students who think journalists should be required to get government approval before publishing, but how do you think journalists don't understand it?

Re:They're wrong about PNG

[Thud457]

Err, sorry, I was factually inaccurate. When I said "First Amendment" I meant "Journalistic Integrity". Those are two distinct concepts.

Re:They're wrong about PNG

[strider44]

no

Re:They're wrong about PNG

[Trillan]

Woosh. ;)

Before anyone goes off bashing MS...

[k98sven]

Perhaps one should take note that this overflow bug is not in MS code, but in the open-source LibPNG, which MS used.

And it's also included in most Linux distros.

If MS is to blame, it's for their lousy reaction speed. This vunerability has been known for months.

Re:Before anyone goes off bashing MS...

[Nintendork]

I just verified this and you're right. Here's some info on the vulnerability.

I wonder though why Microsoft didn't update to a newer version of libPNG when the vulnerability was addressed last August.

-Lucas

Re:Before anyone goes off bashing MS...

[Saige]

Shhh... quiet!

Don't you realize you've said two things that will get you lynched by the Slashdot crowd? First, you point out that the vunerability isn't in MS code. Second, you mention that they're using an open source library!

You're probably marked for death now by the Slashdot enforcers. Hope you had fun living.

Re:Before anyone goes off bashing MS...

Maybe because they were scared they might accidentally introduce 24-bit PNG with 8-bit transparency support into the system, and they wouldn't want to be seen to be making things better.

Re:Before anyone goes off bashing MS...

[Jahz]

Thats great!

I find it interesting that M$ is publically using FOSS developed by the same subculture of people they are in "competition" with (i.e. OSS developers).

Isnt the TCO of using a FOSS PNG library higher than a M$-developed solution?? ;-)

Re:Before anyone goes off bashing MS...

[Locke2005]

See!!! That bug is due to the viral nature of open source software, so pervasive that it has even made it's way into Microsoft code!

Re:Before anyone goes off bashing MS...

[rob_squared]

"I wonder though why Microsoft didn't update to a newer version of libPNG..."

...because it lets someone find the vulnerability, report it, and microsoft can blame open source software! Of course if you want to believe that, you also have to believe Microsoft is cleaver.

Isn't it worth mentioning

[apoplectic]

The Slashdot story blurb leaves out that this fix is already available. Certainly, if the fix hadn't already been made available you could count on that tidbit being mentioned....

Re:Isn't it worth mentioning

[cortana]

An apt-get upgrade fixed this (for _all_ my programs) last August. You have been vulnerable since then.

I think I understand Windows users now...

[crazyphilman]

I used to struggle with the "why do they keep using it, when there are so many (much better) alternatives" question. I see now how silly my confusion was. It's all so clear...

Windows... Is a video game!

Sure, think about it. Can you hack your friend Billy's computer before he hacks yours while you chat online? The suspense must be very exciting. Who has the better Script? Who has the better collection of vulnerabilities?

It must be almost like playing Magic: The Gathering, or one of the other card games kids are into now. "My hack trumps yours! I get all your pr0n!"

Suddenly I feel very boring. Sigh... It's okay, Slackware, I love you even IF you're secure. I'll just have to settle for being Rudolph, and not play in any Reindeer Games.

Oh! Look! My Microwave just beeped! Pea Soup!

Mmmm!

Re:I think I understand Windows users now...

[vmxeo]

Windows... Is a video game!

Wintendo?

Re:I think I understand Windows users now...

[crazyphilman]

Heh heh heh... I'd have answered "XBox" except my XBox works, and never gives me any trouble. ;)

The exploit.....

[FreshlyShornBalls]

.....is already out.

Already patched?

[a_nonamiss]

Am I reading this wrong, or are these exploits for vulnerabilities that are already patched? As much as I love to hate Microsoft, you can't really hold it against them once they've released a patch (even if it is only a number of days after the patch was released.)

I just need more solid ammunition if I'm going to get in arguments with my Cult-Of-Microsoft coworker zealots.

Re:Already patched?

[digidave]

the libpng patch was out in August and MS sat on their hands all that time before patching the version they shipped.

And I bet some independent report will become available claiming that MS patches quicker than OSS because they only awknowledged the libpng bug a few days before releasing the patch.

Re:Already patched?

[malfunct]

I'm sure its a case of pushing the change through the change and testing that there are no regressions. Just because a lib is claimed to be fully compatible doesn't mean it is.

Re:Already patched?

[PlusFiveTroll]

6 months later, wow thats a lot of testing. I really dont think thats the case, someone probably noticed that the old source was still being used a month back or so, and thought it was a good idea to update it.

Re:Already patched?

[legirons]

"Am I reading this wrong, or are these exploits for vulnerabilities that are already patched?"

yep! 6 months ago by linux, and 3 days ago by microsoft.

End user ease of use...

[BrynM]

Use Microsoft's simple instructions to remove messenger. Glad they made it so point-and-click for those end users!</sarcasm>They obfuscated it because Messenger is such an important part of the lock-i... er operating system. Never mind that editing your registry may void your tech support, destroy your install, burn your clothes, hit your dog. I guess I'll be getting more calls from my family if disabling Messenger gets recommended in the press. Whenever they see that "Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk." they ask me to fix it. I guess I should put together a .reg and a.vbs file for them now.

Re:End user ease of use...

[spectecjr]

Use Microsoft's simple instructions to remove messenger. Glad they made it so point-and-click for those end users!They obfuscated it because Messenger is such an important part of the lock-i... er operating system. Never mind that editing your registry may void your tech support, destroy your install, burn your clothes, hit your dog. I guess I'll be getting more calls from my family if disabling Messenger gets recommended in the press. Whenever they see that "Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk." they ask me to fix it. I guess I should put together a .reg and a.vbs file for them now.

You don't need to remove Messenger. It already has been fixed, and the patch was pushed out to all Messenger users two days ago. You can't log into Messenger without installing it.

Jeez... you people. Maybe if you actually used the systems you bitch about you wouldn't be so far off base all the time.

Re:End user ease of use...

[BrynM]

Jeez... you people. Maybe if you actually used the systems you bitch about you wouldn't be so far off base all the time.

That's my point though. I don't use MSN messenger. If there were an option for it at install, I wouldn't have installed it. So here I am learning about a patch for a peice of software that I never use, but have installed whether I like it or not (and the occasional Windows patch or Service Pack will re-install it).

From TFA: Proprietary Network Graphics (PNG)!?!

[denis-The-menace]

God damned stupid people!
It's Portable Network Graphics
http://en.wikipedia.org/wiki/Png

Re:From TFA: Proprietary Network Graphics (PNG)!?!

[iggymanz]

no, it's Pornographic Network Graphics, your definition is just a smoke screen so the religious right doesn't get all fired up

Re:From TFA: Proprietary Network Graphics (PNG)!?!

[Chandon+Seldon]

Isn't JPEG better for that?

Re:From TFA: Proprietary Network Graphics (PNG)!?!

[iggymanz]

ah, the Jolly Pornographic Encoding of Girlies standard

Basilisks, etc.

[Black+Parrot]

Ah, see and die. Check out the Wikipedia article on harmful sensation motif.

Don't worry guys!!!

[RootsLINUX]

Remember Microsoft produces LESS security patches than Linux distros so Windows is safer!!! You can not deny the facts! [/extreme sarcasm]

erm...

[7-Vodka]

Are other programs vulnerable? I would assume messenger uses shared library to deal with immages.

hmm. What picture could possibly cause a program to crash and burn and the computer to be PWNT?
Does goatse strike again? *grin*

Re:but its more secure than linux!

[Manip]

1. This has been patched.
2. GAIM has had exploits patched.
3. Linux has had exploits patched.
4. I remember reading people defending Linux by saying that a lot of the distribution patches are not for the OS but instead for tools/apps... Yet you don't hold the same true for Microsoft?
5. People need to be a little more objective, even on /.
6. This is old news.

6 months to patch a known vulnerability

[hweimer]

The vulnerability is described in MS05-009 which refers to CAN-2004-0597. This is a buffer overflow in libpng which was fixed in early August last year. So Microsoft needed six months to fix a publicly known vulnerability.

Re:6 months to patch a known vulnerability

[jpostel]

Wasn't there a similar vulnerability in AIM last year? I think it was with JPEG though.

Re:6 months to patch a known vulnerability

[hikerhat]

That's an astoundingly good bit of logic there. So all logic on slashdot is astoundingly good. I wish I could bump it up to "+6, kneel before my powerful logic."

Re:6 months to patch a known vulnerability

[wolf31o2]

That's because Microsoft software is more secure than Linux. They were just waiting for the right time to release the patch, that's all. Yeah...

Re:6 months to patch a known vulnerability

[Jacco+de+Leeuw]

Perhaps they were already scrubbing PNG pictures on the MSN server (assuming you cannot send pictures directly from one Messenger client to another) so there was no particular hurry?

Re:MS Security Chief Says Windows is Safer Than Li

[BrynM]

Anyone ever done a study to determine the mean time between when MS claims their products are secure and when the next exploit is announced?

Measuring negative time is moot.

Bad Image Causes Exploitable Overflow

Exploitable Overflows Cause Bad Image

(A day like every day in Redmond)

Re:Bad Image Causes Exploitable Overflow

[WhatAmIDoingHere]

In Monopolist Redmond?

Re:but its more secure than linux!

[harley_frog]

And here he is on TV telling everyone how much more secure Windows is.

MOD PARENT UP

[DaHat]

This one seems to be one of the few level headed persons posting on this article.

Yes, it's bad that there is a flaw in MSFT software, but they have released a patch, now move on.

Re:MOD PARENT UP

[GigsVT]

If they had fixed it months ago when it was fixed in libpng, it would be fine.

Re:but its more secure than linux!

[TFGeditor]

But, have you ever tried to uninstall MS Messenger? http://www.theregister.co.uk/2002/04/02/windows_me ssenger_trojan_update/

Those not blessed with geekiness cannot do it, so are stuck.

Boring!

[ChiralSoftware]

When oh when are we going to learn, you cannot handle untrusted data (data from unknown hosts on the net) using software written with tools that allow dangerous memory access? These exploits have happened once a month for the past twenty years... let's see, in Sendmail, in BIND, in a bunch of browsers, in image processing libraries, in chat programs, in Outlook, on and on. Once a month for TWENTY YEARS! What these vulnerabilities all have in common is that they work on programs written in C. What C has is the ability to overflow buffers because buffers don't know their own size. What the solution is is to only use tools that have safe buffers, where buffer size constraints are enforced at the compiler or execution level. There's no performance penalty inherent in such tools and they make the programmer's job easier. The other component that is needed is a tool-level enforcement that prevents the programmer from directly altering the stack. Finally, all programs should run under the constraints of a capabilities system, so that even if the program is 100% malicious, it can only take actions which are pre-defined by a user. For example a chat program should not have the capability to write sectors on a disk, access network ports beyond its allocated port, execute other code, or write or delete files outside of its directory.

Until things start getting fixed at the tool and OS level we're going to continue having these types of exploits once a month for the NEXT twenty years. If we don't switch from using C this is going to be the Slashdot headline in 2025: "Vulnerability on Microsoft HoloChat allows attackers to take over your nervous system."

Re:Boring!

[jonastullus]

What the solution is is to only use tools that have safe buffers, where buffer size constraints are enforced at the compiler or execution level. There's no performance penalty inherent in such tools and they make the programmer's job easier.

well, depending on the implementation bounds checking can actually incur quite a noticeable performance penalty for huge arrays! the question is whether you'll accept your image loading .001 seconds longer for the certainty(?) of not getting buffer overflows.

bounds checking alone will eliminate a huge number of exploits, but will certainly not do away with the issue of general exploitability! there can always be weaknesses in the language implementation (even in the bounds checking at that). but getting rid of buffer overflows would certainly be a huge improvement.

apart from that, FULL ACK ;-)

Re:Boring!

[pclminion]

When oh when are we going to learn, you cannot handle untrusted data (data from unknown hosts on the net) using software written with tools that allow dangerous memory access?

Never, because it isn't true. These tools which do not allow dangerous memory accesses, what language do you think they are written in?

Take a memory-secure language like Python or Java. What are these languages implemented in? Right, C. So clearly it is possible to use C to implement secure systems. The problem is that most people are not skilled enough to do so.

Luckily there are a few people on the planet who can do it, and they use that skill to produce safer tools for the rest of us to use. But a blanket statement like "It's impossible to write secure code in a language like C" just isn't correct.

Re:Boring!

[discord5]

What these vulnerabilities all have in common is that they work on programs written in C.

Sure, I'll take the bait...

What the solution is is to only use tools that have safe buffers, where buffer size constraints are enforced at the compiler or execution level. There's no performance penalty inherent in such tools and they make the programmer's job easier.

Lies, lies, damned out lies... Checking your boundaries does cost time, it's not much, but it does cost time. Checking the length of your buffer at compiletime is impossible if you're dealing with a users input (unless you want to limit the length of a string a user can input, or filesize). Checking at execution level means keeping something like an internal counter and throwing an exception. Guess what... That costs CPÜ time. Granted, it's negligable, but it still costs time.

Finally, all programs should run under the constraints of a capabilities system, so that even if the program is 100% malicious, it can only take actions which are pre-defined by a user.

Ah yes, capabilities. Capabilities would most likely run at kernel level, and kernels are typically written (unlike the link you provided) in C or C++. Oh dear, those languages have pointers and the *gasp* unsafe buffers.

For example a chat program should not have the capability to write sectors on a disk, access network ports beyond its allocated port, execute other code, or write or delete files outside of its directory.

So, if I store logs under "my documents\msn logs\" and decide that I want to keep them from now on in "my documents\flying monkeypoo\" I'd have to adjust the capabilities for this program, etc. Most people that use MSN don't even know the difference between chat logs and flying monkeypoo and will happily complain that favourite feature X is too difficult. The "allow MSN Messenger to do X" dialog box gets added, and well, you know the drill...

Switching to new languages with their own set of libraries and perhaps interpreters or VMs won't really solve the problem. These things will be written in C or C++, and some programmer will create a bug, and the floodgates will open again.

Software written in no matter what language will contain bugs, and some bugs allow attackers to do nasty things. The only way to prevent this sort of thing is to submit your programs source to peer review (eg. open source it, allow other trusted companies to review the source under an NDA) and testing, and even then you can never be 100% sure. The only alternative is to fix bugs as soon as they are known, and make it easy for the masses to upgrade.

Re:Boring!

[legirons]

"When oh when are we going to learn, you cannot handle untrusted data (data from unknown hosts on the net) using software written with tools that allow dangerous memory access?"

Well, think of the duct tape test

"A program is good if it can be used in ways never imagined by its creator"

It's hardly surprising that programs whose authors expected to be used on well-formed documents in a secure and benign environment, are now being used to open documents transferred across the internet. It's actually pretty hard to read a standard format and *not* trust any data from the network, especially when the same code could be written in one tenth the time if you assume valid data (and everyone's pushing for the program to be finished this evening) - think of all the attacks used against programs - changing their environment variables, using timing attacks, sniffing their packets, negative data lengths... you just want to make the program work don't you? And we'd all laugh at a program that couldn't read 100MB PNG files, just as harshly as we'd laugh at a program which crashed a 200MB computer when it tried to load a PNG file.

Of course, this is why I wouldn't trust any software written "at work" or "by a company", just because I know the processes involved. Take your time, KDE people, and it's okay if one person writes the cool image-handling code while 5 others check it.

Re:Boring!

[hacker]

"What the solution is is to only use tools that have safe buffers, where buffer size constraints are enforced at the compiler or execution level."

A famous quote comes to mind...

"Only a bad architect blames his hammer."

The problem isn't "bad" languages, its unseasoned developers.

Re:Worst internet worm ever?

[njko]

you have a lot of buddies, i have more contact in the address book than buddies online in my msn, it think that the mail is still more dangerous than the IM

Re:Hmmmm

[Rosco+P.+Coltrane]

there should be a RTFRPFYM (Read the F* Redundant posts first, you moron) acronym.

What do you think, guys?

IMHO, WADR, STFU.

Re:Worst internet worm ever?

[Queer+Boy]

By spreading to everyone in your buddy list, a worm based on this exploit could infect 90% of the world in a couple hours.

You mean there are people using MSN Messenger?

once upon a time...

[ultramk]

a friend of mine used to work for MS on a version of IE... one bug they were trying to track down involved jpg (or was it gif) images of a certain--very large--dimension that could in some circumstances cause boot-block overwrite on the boot drive as it was being cached... (this was a few years back...)

when this bug was being discussed in a meeting, the first thing that was said was something to the effect of "oh, and if you tell anybody--anybody--about this, you might as well look for a new job at the same time, and a good lawyer."

of course, this was a few years ago, and from what i understand it was fixed right away, but still...

m-

Re:once upon a time...

[t_allardyce]

He should have said 'oh, and if you pay me anything -- anything less than $300,000 for this fix, you might as well look for a new job too, and a good PR team to cover up the leak i spill.'

Re:once upon a time...

[ultramk]

Considering he was making a (very) good living, and mostly liked his job... It's a lot easier to suggest that you hold your employer for ransom than it is to actually do it. Besides, he wasn't the only one on this team, or the only one who could find it and fix it.

Nobody's indispensable, and $300k isn't that much to a lead dev at MS.

I would also tend to be wary of tweaking any corporation who employs more lawyers than most state governments.

m-

Re:once upon a time...

[t_allardyce]

Its called a jo.. ah this is /. never mind

Re:once upon a time...

[justins]

when this bug was being discussed in a meeting, the first thing that was said was something to the effect of "oh, and if you tell anybody--anybody--about this, you might as well look for a new job at the same time, and a good lawyer."

The only odd thing about that statement was that someone felt it needed to be said. Normally it would be understood.

Remember that this "exploit" doesn't count

[Corellon+Larethian]

Against Windows, because Messenger isn't part of the "core" functionality of Windows.

However...

The mailman exploit counts against Redhat Enterprise, because it ships with the distribution.

(just squint really hard, and you'll be able to clearly see what I'm talking about)

Re:Remember that this "exploit" doesn't count

[CockblockTheVote]

then why is is so difficult to get rid of it? "cannont uninstall MSMessenger because other programs are using services that messenger provides"

Re:Worst internet worm ever?

[caramelcarrot]

Many people in the UK certainly do. I believe it's the main IM program here.

How ironic

[Karem+Lore]

On the same day as slashdot reports Mike Nash, Microsoft's Chief Security Executive, has made claims that Windows is more secure than Linux

HAHAHAH GRABOULOUS!

[Thud457]

So Microsoft's use of FOSS directly led to this problem? The mind boggles at the interpertations people will draw from that!!!

Re:HAHAHAH GRABOULOUS!

[Lehk228]

Microsofts use of old vulnerable versions of OSS tools led to this problem.

Re:HAHAHAH GRABOULOUS!

I'd say Microsoft's use of FOSS led to the vunerability being found.

The untimely speed at which it was fixed is all their own work though.

Re:MS Security Chief Says Windows is Safer Than Li

[NanoGator]

"Now stop trying to spread FUD."

So, if a single security problem turns up in Linux, can I cry FUD when it's claimed that Linux is more secure?

Removing MSN Messenger doesn't actually remove it

[EnronHaliburton2004]

So anyone else notice that if you remove MSN Messenger and Outlook Express via the Control Panel's "Add/Remove Programs", the programs aren't actually removed from "C:\Program Files\Messenger" and "C:\Program Files\Outlook Express" ?

WindowsUpdate still asks you to install patches for Messenger and OE, even though they are supposedly "uninstalled".

IE still somtimes shows a Messenger icon on one of the toolbars.

I still occasionally find the the MSN Messenger icon in the status tray, even though it is supposedly "uninstalled", and the users on my network aren't smart enough to run MSN Messenger from the commandline.

What gives?

same old story

[rabbit78]

Hey that is boring. Everybody knows that MS is the incarnation of a security flaw. No need to repeat that again and again.

Re:Removing MSN Messenger doesn't actually remove

[MrP-(at+work)]

Yeah that never uninstalls it

You have to manually call the uninstall section of the msn messenger INF file.. ive done it so many times i type it from memory..

go to start>run, and type

rundll32 advpack.dll,LaunchINFSection %windir%\inf\msmsgs.inf,BLC.Remove

make sure msn messenger is closed first so it wont error when it unregisters the dll files

Secutiry

[Efialtis]

But you gotta admit, Microsoft is more secure than Linux...

At least according to that fool from this morning...

Mike Nash at http://it.slashdot.org/article.pl?sid=05/02/11/141 3208&threshold=1&tid=109&tid=218&tid=106

Maybe...

[game+kid]

...the guys who wrote TFA at Techtree are from the JPEG. They might be jealous since PNG is Turbo-Studly(tm).

(Side note: Why doesn't Slashdot show character entities like &trade; in "HTML Formatted" comments?

At least...

[jd]

...it's not the JPEG flaw again. If they'd fixed it in one place, but left it broken in another, it would be pretty bad. Well, mind you, this is still pretty bad. MS' PNG library has been stale for some time, which is why PNGs don't always show correctly on IE. Stale code won't develop new bugs, that is true, but it isn't being checked for old bugs either.

This is not the only MS security flaw under review, at the moment. It was shown recently that MS Office documents are weakly encrypted using the password directly. It has been shown that there is a way of recovering the key in a relatively short timeframe if you have two versions of the same file. (This isn't actually too hard to achieve, as most people keep backups.)

Instead of boasting how they've "only" released a few mega-patches over the last year, Microsoft really needs to sit down and do a thorough code audit. Hell, if that would be too expensive, just run the standard libraries through "splint" or the Stanford Code Validator. Even if Microsoft were to just fix those bugs one of those code auditing tools reported, I flat-out guarantee confidence in the security of their products will increase far beyond their wildest imagination.

The problem is neither inevitable nor insoluble. And boasting about Windows over Linux eliminates neither the problem nor the growing awareness of it. Addressing the problem, with a firm determination, would.

Re:Worst internet worm ever?

[l3v1]

By spreading to everyone in your buddy list, a worm based on this exploit could infect 90% of the world in a couple hours.

ROTFLMAO :D So now 90% of the world uses MSN Messenger
That should be on the front page up ahead :)

Re:Worst internet worm ever?

[drunken+dash]

Does that imply that 90% of the world is using MSN Messenger?

Re:Mac classic

[jericho4.0]

No, I think he meant emacs. Emacians know no limits, after all.

You're mostly right about MacOS. Where did you get the 'ties with openBSD' bit from, though?

If only I was smarter...

[lcde]

I remember years ago I had the idea of embedding viruses in gif and jpg's. I just couldn't figure out how I would get it to execute the code.

Thanks Microsoft.

Elbonia & Irony

[catdevnull]

Well, I think it's ironic (funny ironic and sad ironic at the same time) that this article appears the same day as this one. It's difficult to be taken seriously about security when you're getting busted like this all the time.

Re:Removing MSN Messenger doesn't actually remove

[electronym]

Mod parent up, this is actually useful.... Or is it really true that NOBODY here uses Windows?

Re:WHAT THE FUCK?!

[jericho4.0]

I second that. Sound is totally unacceptable. If my browser runs into sound, it plays on the X client in the other room through the stereo, which is often turned up loud. Not cool.(especially on porn sites :-)

I refreshed a few times and saw a few vonage ads, but none played sound for me...

Re:Removing MSN Messenger doesn't actually remove

[ad0gg]

Really? Removing MSN messenger is simple go, to add/remove files click uninstall. Simple and easy. Maybe if you were smart enough to realize that you're actually trying to remove Windows Messenger not MSN messenger, you wouldn't have have issues. Next are you going to complain about not being able to remove Oulook Express by trying to uninstall Outlook XP?

Re:MS Security Chief Says Windows is Safer Than Li

[XMyth]

I don't think you understand.

1. Claim Linux is more secure than windows.
2. Someone finds exploit in Linux
3. Cry FUD
4. Profit

Re:Start the clock

[jerw134]

One of those 12 security patches was for... wait for it... this problem! You can stop your clock now.

Re:but its more secure than linux!

[jproudfo]

...which was patched on Tuesday. IMHO, that qualifies old news.

Re:Removing MSN Messenger doesn't actually remove

[Daltorak]

"C:\Program Files\Messenger" contains the 'Windows Messenger' product, which is the IM client that is part of Windows XP... MSN Messenger is a different program altogether, and is installed in a different directory. You can run Windows Messenger and MSN Messenger at the same time.

Re:Removing MSN Messenger doesn't actually remove

[EnronHaliburton2004]

ok fine, I screwed up the names. I don't actually use the program.

The fact still remains that removing "Windows Messenger" via "Control Panel: Add/remove programs: Add/remove Windows components" doesn't remove C:\Program Files\Messenger .

At least...

[game+kid]

...he was right when he said "There are no weapons of mass destruction in Baghdad"--when we checked, anyway.

Re:MS Security Chief Says Windows is Safer Than Li

[jwsd]

Anyone ever done a study to determine the mean time between when OSS camp claims Linux is secure (which is constant and at every opportunity) and when the next security patch is released?

is it just me...

[Fuzzums]

or was this already fixed in last round of bugfixes, this tuesday?

Re:is it just me...

[Kehvarl]

... 6 months after the libPNG library that MS uses had this exploit patched.

yeah yeah, redundant reduntant...

Re:but its more secure than linux!

[LocoMan]

Actually, I did try a couple days ago (bought a new HD so installed windows XP again), and it was just a matter of going to control panel, add-remove programs, windows components and uncheck MSN Messenger.

Maybe that was added in SP2, though, since I remember having to execute a file (got the instructions from annoyances.org) in the command prompt to uninstall it last time I had installed XP (about a year ago, IIRC). The uninstaller was there, just that there was no shortcut to go to it.

I don't care

[iminplaya]

as long as solitare remains safe

Windows Messenger

[BinBoy]

Control Panel | Add/Remove Programs | Add/Remove Windows Components
Uncheck Windows Messenger
Click Next
Click Finish

Re:but its more secure than linux!

[joeljkp]

To add some sanity to this discussion, here's some facts:

The MS bulletin and patch: http://www.microsoft.com/technet/security/Bulletin /MS05-009.mspx

It's a vulnerability in libpng that was just patched by MS Tuesday, but was fixed by everyone else when it was discovered last June.

Re:Talk about Timing!

[joeljkp]

You're not making any sense. The issue was with libpng, which is used by pretty much every image-capable platform in existance. Everyone else patched it when it was discovered last summer, though.

The real question to ask is "Why did it take MS so long to remember it had used a vulnerable version in MSN Messenger?"

Re:Worst internet worm ever?

[A+beautiful+mind]

Is that you michael? Oh wait...he has piquepaille.

Re:Removing MSN Messenger doesn't actually remove

[Kashif+Shaikh]

To confuse you even more, there is a Windows Messenger and MSN Messenger. When you install MSN Messenger it simply disables start-up of Windows Messenger.

So when you uninstall MSN Messenger, it may be automatically enabled Windows Messenger. I don't know if that's what you are seeing.

Kashif

There is no news here...

[mysticgoat]

I got to this phrase in the article
"Proprietary Network Graphics (PNG)"
and decided that if there was any substance to the story, I wasn't going to find it in this guy's writing.

So, is the Microsoft policy of "embrace and extend" now being applied to common acronyms? Or is the writer too out of touch with the technology he is reporting about to know how to use dictionary.com or google to check a key definition in his story? And where were his editors??

Re:There is no news here...

[rob_squared]

"embrace and extend"

That's microsoft lingo for, "bend over, it's getting hard."

Corrections

[ChiralSoftware]

"Lies, lies, damned out lies... Checking your boundaries does cost time, it's not much, but it does cost time. Checking the length of your buffer at compiletime is impossible if you're dealing with a users input (unless you want to limit the length of a string a user can input, or filesize). Checking at execution level means keeping something like an internal counter and throwing an exception. Guess what... That costs CPÜ time. Granted, it's negligable, but it still costs time."

Actually, no, it does not necessarily take any CPU time. Modern CPUs have some very fancy methods of doing branch prediction, which means they can estimate what the likely outcome of an IF statement is, and if they guess correctly, that statement ends up taking no additional time; it just disappears from the loop. And if you are looping through a million values, the branch prediction performed on the array bounds check will probably be correct every time during normal use of the loop, so in fact, the array bounds check ends up being for free!

And, a simple bounds check like: if(pointer > limit) is a single CPU instruction. How long does a single CPU instruction take to execute these days? How much does a faster CPU cost? How much does a security hole cost?

Sit back and think about this...

[philml]

Don't you think that the idea of data being able to be executed is daft? It shouldn't be able to happen. Now I know how it can happen, overlapping code areas etc. etc., but shouldn't we be looking at whole architectures that stop this? (Is this what that new flag in the AMD processors does, I'm not up to speed on those). Can't we say "don't execute PNGs, they never contain executable code" at the lowest level possible in the system? Why not?

Re:but its more secure than linux!

[X0563511]

It was added in SP2. I remember reading it in the release notes.

Before, following the add-remove programs procedure would only remove shortcuts, it wouldn't even take it out of the RUN section of the registry.

Re:Removing MSN Messenger doesn't actually remove

[molo]

Dude, that rocks. I'm looking for a comprable section in msoe50.inf, for Outlook Express, but I don't see it. Any clues here?

Thanks.
-molo

Horray! another Windows flame war!

[GISGEOLOGYGEEK]

Problem has been fixed. Its a non-issue.

But what a great chance to re-iterate how much we all hate MS! hate hate hate! hate hate hate! woohhhh!

Get a frickin life!

Re:Horray! another Windows flame war!

[pembo13]

You do realise that this was a 6 month old bug, don't you?

Re:Horray! another Windows flame war!

[GISGEOLOGYGEEK]

That's my point.

And It's fixed.

And It's gone.

The problem wasn't even being exploited until a few days ago, as usual because the bastard hackers reverse engineered the patch itself to take advantage of the problem. That would have happened today, or 5 months ago ... as soon as the patch was available.

Why not complain about the pricks that exploit the system? huh? or are you one of them?

MS Robots

[cbr2702]

The robot's got my boot!

Reboot the robot, then.

Re:but its more secure than linux!

[TomServo]

In the meantime, I had it disabled in the registry, and installing the newest patches actually re-enabled it. It popped up and jacked the connection away from Gaim. I ended up setting a security policy to prevent it from running, we'll see if that works.

Re:Removing MSN Messenger doesn't actually remove

[Alsee]

This was part of the anti-trust settlement between the government and Microsoft. Microsoft broke the law repeatedly and the government nailed their ass to the wall in court for it, so the punishment against Microsoft was a settlement that they had to create an "uninstall" system that merely "hides" certain abusive Microsoft components from the owner, but still activates those "hidden" components whenever Microsoft wants to activate them.

The primary items that this applies to are the webbrowser and mediaplayer, but as you've noticed it applies to pretty much anything Microsoft wants it to apply to.

Just imagine how bad things would be if the government hadn't given Microsoft the smackdown for antitrust violations! We'd be in pretty much the exact same boat we're in now.

-

Comment removed

[account_deleted]

Comment removed based on user account deletion