Slashdot Mirror
Zero Day Exploit Found in Windows Media Player
filenavigator writes "Another zero day flaw has been reported in Windows Media player. It comes only one day after a serious zero day flaw was found in word. The flaw is dangerous because it involves IE and Outlook's ability to automatically launch .asx files. No fix from Microsoft has been announced yet."
Seems to be a bit like finding holes in swiss chese... inevitable....
Physics is nothing like religion. If it was, we'd have an easier time trying to raise money!
Must be Thursday.
P.S.,
This is what part of the alphabet would look like if Q and R were eliminated.
I know overflows are bad, but I honestly don't know much about how the allocator in a typical OS or RTL works. Could such a small (2-4 byte) overflow be used to execute arbitrary code? Is it actually possible to use that small of an overflow to screw up the allocator so badly that it'll execute arbitrary code? Or is this just a potential denial of service?
using namespace slashdot;
troll::post();
FYI, this does not seem to affect Windows Media Player 11, which is available via Windows Update or the WMP site.
It also does not affect Vista, both because Vista comes with WMP 11, and thanks to IE7 running in protected mode. This would likely cause the browser to crash, however.
..., it's a flaw. I'll be impressed if someone can do anything with a 4 bytes heap overflow that happens at a single spot in the program they don'T control. Under ideal circumstances, they'll be able to tamper an integer in WMP.
as people have commented, then why is it zero day? Doesn't zero day mean there is an exploit already?
Since when did a "potentially exploitable heap buffer overflow" become a zero-day exploit?
Um, depending on what's in the data you overflow into, there's still *potentially* plenty you can do. (They're all very unlikely, but the potential is there.) There's other security-sensitive data besides the return address, and other buffer overflow exploits than overwriting that to jump into malicious code.
It's a heap buffer (assuming TFA is right), which means the return address will be nowhere near it. There *could* still be neighboring security-sensitive code, but it's extremely unlikely. Worst case that's remotely likely would be that you corrupt the header that markes the beginning of the next heap block and wreak havoc with future malloc calls. Probably nothing controllable though. This *really* isn't that big of a deal, and calling it a zero-day exploit is downright libel.
Nah.
>>>>Anybody know of any four-byte long spyware programs?
/F /S /Q " might fit if you squeeze it.
No, but "del
x86 processors have a local jump instruction that is 4 bytes long. If the exploiter is able to get his code loaded within range of that jump instruction, you're fucked. And really, getting code loaded like that is not a difficult thing to do.
In fact, many x86 operating systems have used such a technique to dynamically patch kernel code. They insert a couple of nop operations after a function prologue. These operations normally do nothing, but can be replaced with a jump instruction at runtime. This allows for the instructions of the existing function to be replaced with ease.
Doesn't affect my Vista machine. Nor my XP Pro machine running IE7 + WMP 11.
Seeing things like this, I can't help but wonder what it might look like if every time a flaw was discovered in *Nix, and a security advisory (even if barely remotely applicable, as in this case) were released,and slashdotted. Maybe this post is flamebait too (seems to be my trend as of late), maybe not. But the title of this particular post, is pretty misleading.
0 day flaw! Congratulations. It's software. I still play games that if they run for more than 2 hours I'm lucky. The real problem is the testing, and the coding that goes into these. You fix one thing, and something else inevitably breaks.
How often does a kernel update in Linux break something that you now have to update, or sometimes roll back alltogether because they won't work.
This post is as Overdramatic as going nuts every single time something in Linux broke or didn't work right. Sometimes MS deserves to be thumped on the head. This time though, seriously, come on. Tell you what, run your 4 byte program that is gonna hax0r my computer. I invite it, might give me something to do.
Umm, do you know what you're talking about? All you do is jump over to your NOOP slide or whatever embedded in the data that slides all the way down to the program disguised as some part of the ASX file.
I don't know how large they are in x86 assembly, but the 86HC11 I used to write for didn't have any instructions bigger than four bytes unless I sadly misremember. Four bytes would've been plenty.
Don't laugh. Plenty of exploits have been coded that have more difficult requirements for the exploit to work.
A buffer overflow is a buffer overflow, but if you RTFA... you discover that the maximum overflow of the buffer is four bytes. Anybody know of any four-byte long spyware programs?
Are you a moron?
The code which is executed need not fit into the 4 bytes.
Worst case that's remotely likely would be that you corrupt the header that markes the beginning of the next heap block and wreak havoc with future malloc calls. Probably nothing controllable though.
Alter the next heap header to point to a location on the stack as the next free block, and send another chunk of data so malloc() is called and allocates from there. Then write your code/retp change and wait. (Or something equally bizarre)
A couple bytes overflow in the heap is abusable enough to screw with pointers; and in some cases it suddenly turns into a big overflow in situations we didn't predict (this happened with an old libpng CVE, and with an Apache flaw where the overflow was always exactly "k`" until someone figured out how to do better).
Support my political activism on Patreon.
Actually, this isn't the second Zero Day Exploit. The first one was a Nullity Day Exploit. But we don't have to worry about that one.
Paul Grosfield - the quicker picker upper.
Microsoft have just given advance notification of what their bundle of patches to be released next Tuesday will contain. There are five general Windows bulletins there - no surprise that the most severe is 'critical' - but I'm kind of surprised to see they have no intention of shipping any Office-related fixes.
But it is not a flaw in the DRM, ao why ahould Microsoft care?
Where's the "-1, Gay" modifier when you need it?
It got removed from slashcode at the same time the "-1, Nigger" mod went.
Just re-installed Windows on a computer and updated everything except WMP11.
Don't worry I installed Debian too.
Was a new version of Windows Media Player released today or something?
http://outcampaign.org/
You're telling me that I've 'lost control' of the huge collection of Old Radio Program MP3s I have stuck in folder on the D:\ drive???
Uncertain. Hopefully you aren't getting the content from CD's. This is verbatim from the EULA:
"If the file is a song you ripped from a CD with the Copy protect music option turned on, you might be able to restore your usage rights by playing the file. You will be prompted to connect to a Microsoft Web page that explains how to restore your rights a limited number of times."
So, the CD you paid for unlimited rights to play where you want has been revoked. Permanently.
And you agreed to it. Can you go back to WMP10?
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
This flaw is not "barely remotely applicable".
The vast majority of Windows users do not run Vista, IE7, or WMP11, even though all are technically available.
So this particular flaw affects most Windows users, and is thus important to those that have to deal with these users and/or their computers.
Perl - $Just @when->$you ${thought} s/yn/tax/ &couldn\'t %get $worse;
VideoLAN - VLC Media Player is an all-in-one open source and cross platform program which does much more than WMP: it's an user-friendly player, but also a powerful and flexible transcoder for almost every audio/video format and even a stream server supporting various network protocols.
Worth a try as a better replacement, especially for power users.
There's a browser safer than Firefox, it is Firefox, with NoScript
How surprising is this. MS have been sitting on this information for a long time and now it's the most profitable moment to announce them. "Yes, xp has these problems, just upgrade to vista and they'll go away."
And that's how black holes came about. Read your bibles people!! I quote from it:
"And God saith, I shall divide by zero.
And big black things did appear.
And God saith, I shall not do that again."
If you can't say something nice, make sure you have something heavy to throw.
The recent coverage of ASX Playlist issues seems somewhat strange. For the uninitiated, here is a quick wrapup:
.m3u method of exploiting the vulnerability) appears around the same time, and reporting is carried by the usual third parties. With no fix present, this remains an effective 0-day (plus, with existing malware targeting .asx files it could make for interesting real-world use).
.asx content, then they are potentially creating a much riskier environment than if they accept the current DoS risk against their platform.
.dmg file handling errors), and the way that information is flowing between, and being distributed by, third party reporting bodies in this case is showing similar patterns.
.asx (and other content types) data passed via 'ref href' that can lead to arbitrary code execution. .asx media type .asx filetype handler can lead to an increased security risk if the replacement application is XMPlay (accepting arbitrary code execution in an effort to avoid a DoS).
XMPlay ASX buffer overflow PoC code posted to milw0rm - 21 November
This PoC demonstrated an exploitable buffer overflow condition in the handling of 'ref href' URIs. A CVE entry (CVE-2006-6063 - though this only identifies the
Windows Media Player DoS code posted to BugTraq - 22 November
Oddly, this code represented an almost exact duplicate of the buffer overflow demonstrated the day before, only with the exploit payload removed and replaced with a bunch of 'A's, and fails to draw much interest from third parties. It isn't until eEye publishes data on this issue (and increases the perceived threat posed) on their 0-day reporting / information site that it attracts some attention from other reporting parties (such as FrSIRT on 7 December), though uptake is slow.
Leaving Chinese Soup's critique (BugTraq) of eEye's analysis aside (why they haven't identified on the XMPlay vulnerability is another question), users need to be aware that if they replace WMP with XMPlay as the default handler of
If this particular code release had appropriate accompanying documentation, it would be possible to work out whether it is a derivative of the earlier code, or fortuitous timing on something found independently.
Criticism has been recently levelled against third party reporting bodies for failing to adequately investigate reports (after one of the recent MoKB OS X corrupted
In summary:
- There is a known 0-day targeting a vulnerability in XMPlay's handling of malicious
- There is a known DoS targeting WMP that is exploited via a long string passed via 'ref href' and using the
- There has been no proven link between the two disclosures
- It has yet to be shown that the WMP vulnerability leads to arbitrary code execution
- The advice to replace WMP as the default
InfoSec that matters, when it counts.
Microsoft had two
Oh
So
Happy
It's
Thursday
moments this week so far: Tuesday's 0-day in Word (which has an exploit) and this one Friday (which currently does not have an exploit).
www.eFax.com are spammers
Could have sworn parent made this same comment a few moments ago...
The problem is that for more than a decade Microsoft's priorities have been:
1. Maintain their monopoly
2. Fool the government into thinking they don't have a monopoly
3. Enforce Microsoft lock-in to existing customers
4. Spreading FUD about Linux and Open Software in general
5. Band-aiding the constant stream of security flaws in their older products
6. Inventing more and more byzantine and fragile DRM schemes that are still hacked before they are even released
7. Making new software people actually want to use
As you can see, making good software gets trumped by everything else. As far as I'm concerned, they could have stopped with Windows 2000 and stuck to releasing new hardware support, bug fixes and security patches, and we would all be a lot better off.
Can you imagine how lean, mean, secure and smooth a "Windows 2000 Service Pack 11" would have been in 2006?
It would be everything Microsoft spend 5 years failing to deliver with Vista.
You are in a maze of twisty little passages, all alike.