Zero Day Exploit Found in Windows Media Player

← Back to Stories (view on slashdot.org)

Zero Day Exploit Found in Windows Media Player

Posted by CowboyNeal on Thursday December 7, 2006 @03:34PM from the back-to-old-tricks dept.

filenavigator writes "Another zero day flaw has been reported in Windows Media player. It comes only one day after a serious zero day flaw was found in word. The flaw is dangerous because it involves IE and Outlook's ability to automatically launch .asx files. No fix from Microsoft has been announced yet."

22 of 177 comments (clear)

Finding holes in a MS product.... by TJ_Phazerhacki · 2006-12-07 15:36 · Score: 5, Insightful

Seems to be a bit like finding holes in swiss chese... inevitable....

--
Physics is nothing like religion. If it was, we'd have an easier time trying to raise money!
1. Re:Finding holes in a MS product.... by telchine · 2006-12-07 16:01 · Score: 5, Funny
  
  Is anyone else getting a feeling of Deja Vu?
2. Re:Finding holes in a MS product.... by jpetts · 2006-12-07 16:17 · Score: 4, Funny
  
  Who said that?
  
  --
  Call me old fashioned, but I like a dump to be as memorable as it is devastating - Bender
3. Re:Finding holes in a MS product.... by VitaminB52 · 2006-12-07 22:04 · Score: 5, Funny
  Seems to be a bit like finding holes in swiss chese... inevitable....
  Please stop insulting the Swiss. Swiss cheese is completely unlike MS security:
  
  Swiss cheese is cheese with holes in it, not holes with cheese around it.
  
  Swiss cheese is a quality product.
  
  If you insists on comparing MS security with a cheese product, then compare it with foam-cheese :-)
Another 0-day? by gregleimbeck · 2006-12-07 15:37 · Score: 5, Funny

Must be Thursday.

--
P.S.,

This is what part of the alphabet would look like if Q and R were eliminated.
How is this dangerous? by JanusFury · 2006-12-07 15:37 · Score: 4, Interesting

I know overflows are bad, but I honestly don't know much about how the allocator in a typical OS or RTL works. Could such a small (2-4 byte) overflow be used to execute arbitrary code? Is it actually possible to use that small of an overflow to screw up the allocator so badly that it'll execute arbitrary code? Or is this just a potential denial of service?

--
using namespace slashdot;
troll::post();
1. Re:How is this dangerous? by LO0G · 2006-12-07 16:49 · Score: 5, Informative
  
  It depends on your heap allocator. IIRC, on the Windows XP heap (without service packs) an application could be owned with just a 1 byte heap overflow (if the phase of the moon was right). On XP SP2's heap it's WAY harder to exploit overflows, because the heap was hardened against this kind of attack. On Vista, it's even harder, the heap was hardened well beyond what was done in XP SP2.
  
  I have no idea of how exploitable the various *nix or OSX heap implementations are - I'm sure that some are even more exploitable than XP's heap was (the original 4.2 BSD heap was very exploitable, IIRC), and I'm also sure that some of them are hardened as well as Vista's.
  
  But heap hardening just makes exploitation harder (this is true of ALL defense-in-depth techniques). Even if your platform has a hardened heap and NX protection and stack canaries and ASLR, it's still possible to successfully exploit a vulnerability - it's many many orders of magnitude harder than if those features weren't present, but it's still possible to attack the system.
2. Re:How is this dangerous? by Anonymous Coward · 2006-12-07 19:33 · Score: 4, Insightful
  
  MS makes quick and dirty shortcuts, to get better performance, bypassing security in the process.
  
  Um, what quick and dirty shortcuts? MS uses the same protection model every other x86 OS I know of uses. Kernel runs in CPL 0, user processes in CPL 3. Drivers run mostly in CPL 0. In fact, with MS starting to try to push drivers to CPL 3, they're starting to get better than Linux AFAIK. (I think there are some userspace drivers for Linux, but very few. MS is trying to make that the standard for most types drivers I think.)
  
  MS's bugs come from a combination of a few things. One is what seems to be a prevalence of buffer overruns. Second is running in administrator mode by default (note that this is an entirely different animal than what privilege level code executes in), and what seem to be an abnormally large number of other misc design errors.
  
  But the memory model is solid.
  
  With NX protection it should be impossible
  
  If you think NX protection makes buffer overrun attacks impossible.. you're living in a dream world. I categorize the types of buffer overrun attacks I know into three types, and NX only solves one of them.
Does Not Affect WMP 11 or Vista by ThinkFr33ly · 2006-12-07 15:42 · Score: 4, Informative

FYI, this does not seem to affect Windows Media Player 11, which is available via Windows Update or the WMP site.

It also does not affect Vista, both because Vista comes with WMP 11, and thanks to IE7 running in protected mode. This would likely cause the browser to crash, however.
It's not an exploit ... by jfclavette · 2006-12-07 15:42 · Score: 4, Insightful

..., it's a flaw. I'll be impressed if someone can do anything with a 4 bytes heap overflow that happens at a single spot in the program they don'T control. Under ideal circumstances, they'll be able to tamper an integer in WMP.
Re:4 bytes IS ENOUGH by EvanED · 2006-12-07 15:55 · Score: 5, Interesting

It's a heap buffer (assuming TFA is right), which means the return address will be nowhere near it. There *could* still be neighboring security-sensitive code, but it's extremely unlikely. Worst case that's remotely likely would be that you corrupt the header that markes the beginning of the next heap block and wreak havoc with future malloc calls. Probably nothing controllable though. This *really* isn't that big of a deal, and calling it a zero-day exploit is downright libel.
Hmm... by Anonymous Coward · 2006-12-07 15:59 · Score: 4, Funny

Nah.
All it takes is a jump instruction. by Anonymous Coward · 2006-12-07 16:02 · Score: 5, Informative

x86 processors have a local jump instruction that is 4 bytes long. If the exploiter is able to get his code loaded within range of that jump instruction, you're fucked. And really, getting code loaded like that is not a difficult thing to do.

In fact, many x86 operating systems have used such a technique to dynamically patch kernel code. They insert a couple of nop operations after a function prologue. These operations normally do nothing, but can be replaced with a jump instruction at runtime. This allows for the instructions of the existing function to be replaced with ease.
1. Re:All it takes is a jump instruction. by EvanED · 2006-12-07 16:16 · Score: 4, Interesting
  
  This is a heap buffer, assuming TFA's right. What programs execute instructions from the heap and so have the potential to be overwritten by a jump?
  
  At absolute worst, you could do what at least one paper calls a non-control-data attack and corrupt some other piece of data that was next to it in the heap. Except every malloc implementation I know puts a header struct at the beginning of each block, so even if two pieces of heap data ended next to each other you wouldn't be able to reach the actual data with just a 4 byte overflow, and the best you could hope for is to corrupt the header. This is very unlikely to have any exploitable effects, and is just likely to kill the process.
GG Misleading Post by PixieDust · 2006-12-07 16:17 · Score: 5, Insightful

Ok, so this flaw is there. It's a bug.
Doesn't affect my Vista machine. Nor my XP Pro machine running IE7 + WMP 11.
Seeing things like this, I can't help but wonder what it might look like if every time a flaw was discovered in *Nix, and a security advisory (even if barely remotely applicable, as in this case) were released,and slashdotted. Maybe this post is flamebait too (seems to be my trend as of late), maybe not. But the title of this particular post, is pretty misleading.
0 day flaw! Congratulations. It's software. I still play games that if they run for more than 2 hours I'm lucky. The real problem is the testing, and the coding that goes into these. You fix one thing, and something else inevitably breaks.
How often does a kernel update in Linux break something that you now have to update, or sometimes roll back alltogether because they won't work.
This post is as Overdramatic as going nuts every single time something in Linux broke or didn't work right. Sometimes MS deserves to be thumped on the head. This time though, seriously, come on. Tell you what, run your 4 byte program that is gonna hax0r my computer. I invite it, might give me something to do.
Ever hear of the JUMP instruction? by Anonymous Coward · 2006-12-07 16:22 · Score: 4, Interesting

Umm, do you know what you're talking about? All you do is jump over to your NOOP slide or whatever embedded in the data that slides all the way down to the program disguised as some part of the ASX file.

I don't know how large they are in x86 assembly, but the 86HC11 I used to write for didn't have any instructions bigger than four bytes unless I sadly misremember. Four bytes would've been plenty.

Don't laugh. Plenty of exploits have been coded that have more difficult requirements for the exploit to work.
Re:4 bytes IS ENOUGH by bluefoxlucid · 2006-12-07 16:35 · Score: 4, Interesting

Worst case that's remotely likely would be that you corrupt the header that markes the beginning of the next heap block and wreak havoc with future malloc calls. Probably nothing controllable though.

Alter the next heap header to point to a location on the stack as the next free block, and send another chunk of data so malloc() is called and allocates from there. Then write your code/retp change and wait. (Or something equally bizarre)

A couple bytes overflow in the heap is abusable enough to screw with pointers; and in some cases it suddenly turns into a big overflow in situations we didn't predict (this happened with an old libpng CVE, and with an Apache flaw where the overflow was always exactly "k`" until someone figured out how to do better).

--
Support my political activism on Patreon.
Re:This must be by mctk · 2006-12-07 16:38 · Score: 4, Funny

Actually, this isn't the second Zero Day Exploit. The first one was a Nullity Day Exploit. But we don't have to worry about that one.

--
Paul Grosfield - the quicker picker upper.
No plans to fix the Word flaw by jginspace · 2006-12-07 16:44 · Score: 4, Interesting

Microsoft have just given advance notification of what their bundle of patches to be released next Tuesday will contain. There are five general Windows bulletins there - no surprise that the most severe is 'critical' - but I'm kind of surprised to see they have no intention of shipping any Office-related fixes.
It could be fixed already by Anonymous Coward · 2006-12-07 16:45 · Score: 4, Funny

But it is not a flaw in the DRM, ao why ahould Microsoft care?
Slight difference by ZxCv · 2006-12-07 20:01 · Score: 4, Insightful

This flaw is not "barely remotely applicable".

The vast majority of Windows users do not run Vista, IE7, or WMP11, even though all are technically available.

So this particular flaw affects most Windows users, and is thus important to those that have to deal with these users and/or their computers.

--

Perl - $Just @when->$you ${thought} s/yn/tax/ &couldn\'t %get $worse;
Re:This must be by CyborgWarrior · 2006-12-07 21:14 · Score: 5, Funny

And that's how black holes came about. Read your bibles people!! I quote from it:

"And God saith, I shall divide by zero.

And big black things did appear.

And God saith, I shall not do that again."

--
If you can't say something nice, make sure you have something heavy to throw.