Slashdot Mirror


Zero Day Exploit Found in Windows Media Player

filenavigator writes "Another zero day flaw has been reported in Windows Media Player. It comes only one day after a serious zero day flaw was found in Word. The flaw is dangerous because it involves IE and Outlook's ability to automatically launch .asx files. No fix from Microsoft has been announced yet."

9 of 177 comments

  1. Finding holes in a MS product.... by TJ_Phazerhacki · Score: 5, Insightful

    Seems to be a bit like finding holes in Swiss cheese... inevitable....

    --
    Physics is nothing like religion. If it was, we'd have an easier time trying to raise money!
    1. Re:Finding holes in a MS product.... by telchine · Score: 5, Funny

      Is anyone else getting a feeling of Deja Vu?

    2. Re:Finding holes in a MS product.... by VitaminB52 · Score: 5, Funny
      Seems to be a bit like finding holes in Swiss cheese... inevitable....

      Please stop insulting the Swiss. Swiss cheese is completely unlike MS security:

      • Swiss cheese is cheese with holes in it, not holes with cheese around it.
      • Swiss cheese is a quality product.

      If you insist on comparing MS security with a cheese product, then compare it with foam-cheese :-)

  2. Another 0-day? by gregleimbeck · Score: 5, Funny

    Must be Thursday.

    --

    P.S.,

    This is what part of the alphabet would look like if Q and R were eliminated.

  3. Re:4 bytes IS ENOUGH by EvanED · Score: 5, Interesting

    It's a heap buffer (assuming TFA is right), which means the return address will be nowhere near it. There *could* still be neighboring security-sensitive code, but it's extremely unlikely. Worst case that's remotely likely would be that you corrupt the header that marks the beginning of the next heap block and wreak havoc with future malloc calls. Probably nothing controllable though. This *really* isn't that big of a deal, and calling it a zero-day exploit is downright libel.

  4. All it takes is a jump instruction. by Anonymous Coward · Score: 5, Informative

    x86 processors have a local jump instruction that is 4 bytes long. If the exploiter is able to get his code loaded within range of that jump instruction, you're fucked. And really, getting code loaded like that is not a difficult thing to do.

    In fact, many x86 operating systems have used such a technique to dynamically patch kernel code. They insert a couple of nop operations after a function prologue. These operations normally do nothing, but can be replaced with a jump instruction at runtime. This allows for the instructions of the existing function to be replaced with ease.
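Read from the defensive side, what this comment describes (a function entry whose first bytes are replaced by a jump to code elsewhere) is exactly the pattern inline-hook scanners look for when they diff a loaded module against its on-disk image. The C scanner below is an added example, not code from the thread or from any operating system; the byte sequences are constructed samples and the entry address 0x10001000 is an assumed value. It decodes a short (EB rel8, 2 bytes) or near (E9 rel32, 5 bytes) jmp at a function entry and computes where it lands. The short-jump sample uses the layout that hotpatchable Windows functions have, a 2-byte mov edi,edi at entry with padding in front of it, so a jmp -7 from the entry lands five bytes before the function.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* What the scanner reports about the first instruction at a function entry. */
enum entry_hook { HOOK_NONE = 0, HOOK_JMP_REL8 = 1, HOOK_JMP_REL32 = 2 };

/* Decode a relative jump at `entry` if one is present in `code` (the bytes
   read from the function's entry point). x86 encodings: EB rel8 is a 2-byte
   short jump, E9 rel32 is a 5-byte near jump. Both are relative to the
   address of the NEXT instruction, so the target is entry + length + rel.
   On a hit, *target receives the destination (32-bit addresses, wrapping). */
enum entry_hook scan_function_entry(const uint8_t *code, size_t len,
                                    uint32_t entry, uint32_t *target) {
    if (len >= 2 && code[0] == 0xEB) {
        int8_t rel = (int8_t)code[1];
        *target = entry + 2u + (uint32_t)(int32_t)rel;
        return HOOK_JMP_REL8;
    }
    if (len >= 5 && code[0] == 0xE9) {
        uint32_t rel = (uint32_t)code[1] | ((uint32_t)code[2] << 8) |
                       ((uint32_t)code[3] << 16) | ((uint32_t)code[4] << 24);
        *target = entry + 5u + rel;   /* two's complement: negative rel works too */
        return HOOK_JMP_REL32;
    }
    return HOOK_NONE;
}

/* Constructed samples (not bytes taken from any real binary), all assumed to
   sit at the same hypothetical entry address. */
#define SAMPLE_ENTRY 0x10001000u
static const uint8_t SAMPLE_CLEAN[] = {0x8B, 0xFF, 0x55, 0x8B, 0xEC}; /* mov edi,edi; push ebp; mov ebp,esp */
static const uint8_t SAMPLE_SHORT[] = {0xEB, 0xF9, 0x55, 0x8B, 0xEC}; /* jmp -7 written over mov edi,edi */
static const uint8_t SAMPLE_LONG[]  = {0xE9, 0x00, 0x10, 0x00, 0x00}; /* jmp +0x1000 over the whole prologue */

static const uint8_t *pick_sample(int which) {
    return which == 1 ? SAMPLE_SHORT : which == 2 ? SAMPLE_LONG : SAMPLE_CLEAN;
}

/* Run the scanner over sample `which` (0 clean, 1 short jump, 2 near jump). */
enum entry_hook demo_sample_kind(int which) {
    uint32_t t = 0;
    return scan_function_entry(pick_sample(which), 5, SAMPLE_ENTRY, &t);
}

/* Jump destination for sample `which`, or 0 when no jump is at the entry. */
uint32_t demo_sample_target(int which) {
    uint32_t t = 0;
    scan_function_entry(pick_sample(which), 5, SAMPLE_ENTRY, &t);
    return t;
}

int main(void) {
    for (int i = 0; i < 3; i++)
        printf("sample %d: kind=%d target=0x%08x\n",
               i, (int)demo_sample_kind(i), demo_sample_target(i));
    return 0;
}
```

In practice the bytes come from the live process or a memory image and are compared with the same bytes from the on-disk module; a jump whose target falls outside the module's own image range is the case worth escalating, while a jump that stays inside it is usually the legitimate hotpatch or compiler thunk the comment describes.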

  5. GG Misleading Post by PixieDust · Score: 5, Insightful

    Ok, so this flaw is there. It's a bug.

    Doesn't affect my Vista machine. Nor my XP Pro machine running IE7 + WMP 11.

    Seeing things like this, I can't help but wonder what it might look like if every time a flaw was discovered in *Nix, and a security advisory (even if barely remotely applicable, as in this case) were released, and slashdotted. Maybe this post is flamebait too (seems to be my trend as of late), maybe not. But the title of this particular post is pretty misleading.

    0 day flaw! Congratulations. It's software. I still play games that if they run for more than 2 hours I'm lucky. The real problem is the testing, and the coding that goes into these. You fix one thing, and something else inevitably breaks.

    How often does a kernel update in Linux break something that you now have to update, or sometimes roll back altogether because they won't work?

    This post is as overdramatic as going nuts every single time something in Linux broke or didn't work right. Sometimes MS deserves to be thumped on the head. This time though, seriously, come on. Tell you what, run your 4 byte program that is gonna hax0r my computer. I invite it, might give me something to do.

  6. Re:How is this dangerous? by LO0G · Score: 5, Informative

    It depends on your heap allocator. IIRC, on the Windows XP heap (without service packs) an application could be owned with just a 1 byte heap overflow (if the phase of the moon was right). On XP SP2's heap it's WAY harder to exploit overflows, because the heap was hardened against this kind of attack. On Vista, it's even harder, the heap was hardened well beyond what was done in XP SP2.

    I have no idea of how exploitable the various *nix or OS X heap implementations are - I'm sure that some are even more exploitable than XP's heap was (the original 4.2 BSD heap was very exploitable, IIRC), and I'm also sure that some of them are hardened as well as Vista's.

    But heap hardening just makes exploitation harder (this is true of ALL defense-in-depth techniques). Even if your platform has a hardened heap and NX protection and stack canaries and ASLR, it's still possible to successfully exploit a vulnerability - it's many many orders of magnitude harder than if those features weren't present, but it's still possible to attack the system.
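Comments 3 and 6 turn on the same mechanism: a few bytes written past the end of a heap block land on the header of the next block, and how far that gets an attacker depends on how much the allocator checks that header before trusting it. The toy allocator below is an added example, not code from the thread or from any Windows heap; it models the hardening in miniature with an 8-byte header whose cookie is the block size XORed with a per-heap secret (the XP SP2 heap cookie is the real-world analogue, but the layout, secret and block sizes here are constructed). A 4-byte overflow from a 16-byte block lands exactly on the next block's size field, and a header walk catches the mismatch before the corrupted size can feed a later allocation.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Toy heap: a fixed arena carved into blocks, each preceded by a header.
   The header holds the payload size and a cookie derived from the size and
   a per-heap secret, a miniature of the header checks hardened allocators
   added. Layout and secret are constructed for this model. */
#define ARENA_SIZE 256
#define HDR_SIZE 8

typedef struct {
    uint8_t arena[ARENA_SIZE];
    size_t used;        /* bytes of arena handed out so far (headers included) */
    uint32_t secret;    /* per-heap secret mixed into every cookie */
} toy_heap;

static void put_u32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); }
static uint32_t get_u32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }

void heap_init(toy_heap *h, uint32_t secret) {
    memset(h->arena, 0, ARENA_SIZE);
    h->used = 0;
    h->secret = secret;
}

/* Bump-allocate a block; returns the arena offset of its payload, or -1. */
long heap_alloc(toy_heap *h, uint32_t size) {
    if (h->used + HDR_SIZE + size > ARENA_SIZE) return -1;
    uint8_t *hdr = h->arena + h->used;
    put_u32(hdr, size);
    put_u32(hdr + 4, size ^ h->secret);   /* cookie binds the header to the secret */
    long payload = (long)(h->used + HDR_SIZE);
    h->used += HDR_SIZE + size;
    return payload;
}

/* Copy n bytes into the block at payload offset `off` with NO length check
   against the block size, mirroring the missing check in an overflow bug.
   The copy is clamped to the arena so the model itself stays well-defined. */
void heap_write_unchecked(toy_heap *h, long off, const uint8_t *src, size_t n) {
    if (off < 0 || (size_t)off >= ARENA_SIZE) return;
    size_t room = ARENA_SIZE - (size_t)off;
    memcpy(h->arena + off, src, n < room ? n : room);
}

/* Walk every block header and verify its cookie. Returns the number of bad
   headers found; the walk stops at the first one because a size field that
   fails its cookie cannot be trusted to reach the next header. */
int heap_validate(const toy_heap *h) {
    int bad = 0;
    size_t pos = 0;
    while (pos < h->used) {
        const uint8_t *hdr = h->arena + pos;
        uint32_t size = get_u32(hdr);
        uint32_t cookie = get_u32(hdr + 4);
        if (cookie != (size ^ h->secret) || pos + HDR_SIZE + size > h->used) {
            bad++;
            break;
        }
        pos += HDR_SIZE + size;
    }
    return bad;
}

/* Two 16-byte blocks; 20 bytes written into the first is a 4-byte overflow
   that lands on the second block's size field. Returns 1 if the heap was
   clean before the write and the validator flags it afterwards. */
int demo_four_byte_overflow(void) {
    toy_heap h;
    heap_init(&h, 0xA5C3F00Du);           /* constructed secret */
    long a = heap_alloc(&h, 16);
    long b = heap_alloc(&h, 16);
    (void)b;
    uint8_t data[20];
    memset(data, 'A', sizeof data);       /* constructed input, 4 bytes too long */
    int before = heap_validate(&h);
    heap_write_unchecked(&h, a, data, sizeof data);
    int after = heap_validate(&h);
    return before == 0 && after == 1;
}

int main(void) {
    printf("4-byte overflow caught by header cookie: %s\n",
           demo_four_byte_overflow() ? "yes" : "no");
    return 0;
}
```

The model also shows why the comment's point about defense in depth holds: the cookie only detects a header that no longer matches the secret, so an overflow that never reaches a header, or an attacker who has already read the secret, is not stopped by this check alone. A real allocator would derive the secret per heap at creation time and combine the check with the other layers the comment lists.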

  7. Re:This must be by CyborgWarrior · Score: 5, Funny

    And that's how black holes came about. Read your bibles people!! I quote from it:

    "And God saith, I shall divide by zero.

    And big black things did appear.

    And God saith, I shall not do that again."

    --
    If you can't say something nice, make sure you have something heavy to throw.