.ANI Vulnerability Patch Breaks Applications
Jud writes "Microsoft's fix for the .ANI vulnerability was part of Patch Tuesday yesterday. However, all is not well with the update. Reportedly, installing the patch will break applications such as Realtek HD Audio Control Panel and CD-Tag, which mentions they are affected by the problem on their main page. A hotfix is currently available from Microsoft, however their current position is this is an isolated problem and the fix is not planned to be pushed out through Microsoft Update."
"their current position is this is an isolated problem"
Weird, 'cause I hear about one of these stories almost every week. Isolated in what sense?
My turnips listen for the soft cry of your love
My archiving application of choice, Tugzip is also affected by this update and the mentioned fix took care of the problem.
Microsoft breaks something when patching something else? I'm surprised. Really. I am. No, really. I am.
Patch Tuesday is the second Tuesday of each month. This was an out of cycle patch released.
I just wanted to make a quick post before I see all the standard lame M$ bashing get out of hand from a ton of idiots that are most likely using Windows while posting.
This is exactly why it takes Microsoft so long to put out patches sometimes. Unlike all these free and open source packages, Microsoft Windows is actually used by tons of users at home and in the business world. People need their machines to do their daily activities and jobs. This is why so much testing is needed before something can just be shoved out there. This is why you tend to see this sort of thing from patches released out of cycle. It obviously has not and could not have been tested as much (and yes sometimes problems occur with patch Tuesday patches).
You might not see as many issues with *nix based systems. Why? Well, there just aren't as many users. This might sound like a cliche but it is a fact. Look at when official Redhat patches and other updated packages actually come out. They come out days, weeks, and months later. Sure there is some patch that some random guy hatched together -- the power of open source!! However, if you were to apply that untested P.O.S. across the world in tons of real environments, you'd probably have a shitton of problems.
This does not excuse problems with patches, but at least it came quicker. Remember, M$ has to release stuff that Fortune 1000, government, home users, and everyone else can live with. Pushing some patch 30 minutes later for an OSS package that 2000 rag tag home users use.. just isn't the same.
Lucky I didn't install the patch!
This looks like something vendors could fix without a "hotfix" from MS.
Seems to be affecting calc.exe and AVG on my computer and the patch doesn't seem to fix either, but still gotta love that it's affecting Microsoft's own stuff.
Anybody know if this Realtek problem is an issue on Win 2003? My personal/development/tinkering machine is running 2003, and just so happens to have Realtek audio hardware, with their control panel that's specifically mentioned. The hotfix to remedy the issue refuses to run on 2003. (Side note: I hate that crap. Why the hell shouldn't I be able to install XBox 360 controller drivers on Windows 2003 if I jolly well want to?) I don't want to jump in and install this security patch if it's going to break stuff on my OS...
A lot of machines have the Realtek HD Audio thing in them to provide audio - notably most of the Core/Core2 based ones (HD Audio is a standard by Intel, Realtek being one of the first to offer it).
Seems like this isn't really an "isolated" problem, but a fairly common one if you own a desktop made in the last year or a recent laptop...
... and all I had to do to solve it was go to Realtek's site and download the latest version of their driver. Problem solved (knock on wood).
So.. If the fix is that simple, is this issue really an issue or is this issue blown out of proportion?
This is my opinion. To make sure you don't steal it, it's covered by the DMCA.
Perhaps you have not noticed that a majority of Fortune 500 companies are using Linux in some capacity.
Rag Tag home users? You don't have a job, do you?
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Now - forget the dazzling array of hardware and software to check against. This .ani thingy is a UI issue that should --at worst-- munge the way an app's mouse cursor animation looks, but not munge the app itself, or even think of touching OS stability.
C'mon... we're not talking about patching the TCP/IP stack, or patching against ntldr here... it's a mouse cursor. How piss-poor does an OS design have to be in order to have a tiny subset of a tiny subset of the UI... break stuff!?
Quo usque tandem abutere, Nimbus, patientia nostra?
Or does it seem like no matter what MS does, they have people on their back? Ok, so there's a major flaw in animated cursors. They fixed it. IN ONE DAY. Now, there's a problem with the fix. Ok? Anyone here doubt that they'll have a hotfix in under two days for this too? Aside from the fact that Windows is the only OS that lets me do whatever I want on my computer (natively, for that matter), they're the only company that actually gets things done quickly. When something's broke, you fix it. You don't say "well, it's not that bad, let's just hope the users don't notice it." I'm just tired of hearing everyone bash Windows, when I still haven't found a better OS for my needs. Fanboys: Stop telling me to get Linux. Stop telling me to get OSX. Go back to your gameless computers and leave me the hell alone.
We're all going to die. i intend to deserve it.
"There's been a little complication with my complication"
Developers, developers, developers
Many of them trying to keep afloat the bastardized zombie of a legacy project begun in DOS and ported to Win 3.1, Win32, Win64, .NET, Sun Java, MSJava, Sun Java again and Vista. None of them with Microsoft's preferred and undocumented internal APIs for any of those systems. Many of them with no clue how to write good code, managed by non-programmers who can't tell. Each of them insisting that each revision has slain their sacred cow. So many of them that any patch no matter how trivial breaks some critical application for some enterprise somewhere.
Working against a system that has to be so locked down a non-admin can't save a shortcut on the desktop, and still isn't secure.
They've built their house upon the sand and act surprised that it falls on them frequently. It's like a physical comedy where the same stupid ladder gag gets the laughs no matter how many times the audience has seen it.
Vista published in 2007 vulnerable to the functional equivalent of Comet Cursor, published in 1995. That's rich humor there, boy.
--- making a mint rolling back Vista "upgrades": priceless.
Help stamp out iliturcy.
I've read a number of news articles regarding the .ani problem, but none of them has described what the damned problem is. Do any of you know?
Fata viam invenient.
...unless you're in NZ or Australia, when Patch Tuesday is on Wednesday.
"It doesn't cost enough, and it makes too much sense."
But of course it's available if you do want it.
Naturally Linux Genuine Advantage is open source, and not to be outdone by Microsoft platform hackers a hack is available to auto-certify LGA without actually contacting the LGA server.
Help stamp out iliturcy.
I am very pro MS, but they have known about this issue for over 3 months now, it has just been 1-2 weeks since people have published the issue publicly, provided proof of concept code and it has been used in malware/virus attacks.
So they could have had a patch released months ago and avoided all of this.
I'm a developer for a software package that lots of automotive engineers use to do bus analysis. The patch broke our software, and we've gotten calls from lots of people at our smaller companies wondering what was going on. The bigger (think Big 3) customers have huge turn around times on Windows Update patches, but as of now we have lots of angry people wondering why our software won't work. Nothing like MS giving us bad rep for essentially us doing nothing.
Windows is an operating system, how the hell can you compare those applications / languages to Windows for security issues?
Wtf is this modded as insightful? The poster just shows that he has his head buried in the sand if he truly believes that no major corporations rely on open source every day. What a lame open source basher.
if (link.from == V1@GR@UNL1M3T3D) { ie.open() = false; }
You don't need WGA to receive Windows patches either. Automatic updates will work perfectly fine even if your serial is blatantly stolen; but 'upgrades' won't (IE7, WMP, and all that good fun).
Yeah, WGA sucks, but software updates will come either way.
Also, to say Linux is completely independently modular isn't entirely accurate either (although, in fairness it's not like I completely disagree). Upgrading kernels (due to 'serious' security vulns) will break more things than I'd like for instance - my (yes I know, proprietary) NVidia drivers will be the first victims.
Finally, you think MS don't feel your patch-pain? Just by working for them in one form or other you've subscribed your machine to every patch, patch-for-the-patch, and patch-for-the-hacked-patched-service-pack that gets tested; all before releasing to an unsuspecting public, almost every day, just so you get as little bother staying secure with as little hassle as possible. It's not a pretty sight sometimes.
throw new NoSignatureException();
The screw up is in Microsoft's release system allowing hhctrl.ocx and user32.dll to be shipped with the exact same "DLL Base Address". They both share address 0x7E410000. I'm sure Microsoft has a system to prevent this, but either someone didn't follow it, or the system has flaws.
Normally clashes of base addresses happen all the time. For most DLLs the base address is sort of a suggested location, the OS loads the DLL to this area if it can, but will "relocate" DLLs to free memory area if that space is taken. User32.dll isn't allowed to be relocated for some reason (a very good reason, I'm sure). If its space is already taken (by HHctrl) the program using it cannot load. HHCtrl.ocx has no problem being relocated, but this will only happen if it's loaded after user32.
I'm surprised that anyone could manage to make an application that would load these DLLs in this bad order - but that's not the point I guess. Usually you'd HAVE to call a function in User32.dll long before loading anything COM - esp an HTML help control (which is what hhctrl is).
This "important" update breaks compatibility with GTA San Andreas (PC Game) too :S
My favourite operating system is ReactOS; binary compatible to WinNT series
A hotfix is currently available from Microsoft it just includes some security hole related to .ani files....
The MAFIAA is a bunch of mindless jerks who will be the first up against the wall when the revolution comes
A big HA-HA! goes out to the vendors who insist on using every imaginable gimmick and gee-whiz animation / transparency effect / irregular shaped window trick to try to make their product appeal to their target audience of 8 year olds. Stick with the basics, please! There's no reason for an audio control panel to require an animated cursor, for christsakes!!!
Reminds me of when I bought a little FM radio controlled by a serial link. The crapplet they sent on the CD-ROM was so annoying, the first thing I did was sniff the serial protocol and write my own little non-obtrusive applet. I asked the manufacturer for the proto specs first, but they declined, even after I pointed out how easy it was going to be to reverse engineer them... idiots!
Never thought I'd write something like this, but kudos to MS for saying we're not going to work around your crappy little app.
</rant>
What bothers me is that it makes me feel like this "fix" may not even patch the real problem.
You see, moving where a DLL is stored in memory might break the proof of concept, but it might not actually fix the vulnerability. Sure, the code it hooked into before in order to hack the machine won't be in the same place, but it might well be possible to fix the exploit to point to the code's new location.
In short, I wonder if they're playing tricks to make it more difficult to exploit without actually fixing the underlying problem?
I knew there was a reason I read Slashdot.
Logged in today to find the "Rthdcpl.exe - Illegal System DLL Relocation" message, went wtf? and turned off the Realtek audio control panel.
My machine's set up to automatically install all current MS patches for testing, so it's the only one that's applied this so far.
Sigh.
You are not a brain: http://books.google.com/books?id=2oV61CeDx-YC
Windows Genuine Advantage? Critical.
Broken applications? Eh... not so much.
I just installed this update, yep, it really does crash Realtek HD Audio Control Panel...
I happened to be at my parents' house when Microsoft pushed out this update. I saw the update wanted to install so I rebooted their machine and the error popped up immediately. Since I had been doing some work on their machine I originally thought it was something I did until I read the KB associated with the patch.
Good thing I happened to be there since there's no way they'd have figured out what had happened. I might have been able to figure it out eventually, but probably wouldn't have associated it with the patch right away without having been there.
Microsoft should have just included the hhctrl.ocx update in the patch since from the KB, they know they are incompatible.
I had MMC crash after reboot, login when this patch on two 2003 servers (patched 6 servers on Wednesday). Thought it was weird til I read this thread.
m10
Blame Microsoft all you want for security holes in user32 and GDI, but don't blame them for these programs breaking.
The change that broke these applications was changing the base address of user32.dll (from 77D40000 to 7ED10000 I believe). The programs that broke were using the 7ED10000 range. When user32.dll can't load at its desired address, it will fail to start the process. DLLs hard-linked by an EXE will be loaded before user32 or kernel32 if they are the first in the import table. Once loaded, user32.dll can't load at its desired address and will get relocated. user32.dll doesn't like this and aborts starting the process. This happens even if the bad DLL is relocatable, because preferred addresses are first-come, first-serve.
The entire 60000000-7FFFFFFF address range is reserved for Microsoft DLLs and special memory. Don't stick your own DLLs in there! (This address range is true of Win64 as well: just add 8 zeros to the front.)
As for why user32.dll and kernel32.dll don't relocate like other DLLs: so many badly-coded programs that do DLL injection assume that the addresses of LoadLibraryW, etc. in other processes are the same as the ones in their own processes. Almost all DLL injection code snippets assume this, and it's just wrong. The proper way is to use either EnumProcessModules or CreateToolhelp32Snapshot to list all the DLLs in the target to find the one you want. The correct address to use is then remote_function = local_function - local_dll + remote_dll. The types HMODULE, HINSTANCE, and IMAGE_DOS_HEADER * are equivalent, so just cast to a DWORD_PTR.
"Screw Sun, cross-platform will never work. Let's move on and steal the Java language." - Visual J++ Product Manager
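A diagnostic for the preferred-base collision described in the comments above (hhctrl.ocx and user32.dll sharing one base address), as an added example that is not part of the thread or anyone's posted code: it reads ImageBase and SizeOfImage from PE headers and reports overlapping preferred ranges, plus images that sit in the 0x60000000-0x7FFFFFFF range one commenter calls reserved. The sample headers are constructed stubs; only the 0x7E410000 base comes from the thread, while the sizes and vendor.dll are made up.

```python
import struct
from itertools import combinations

RESERVED = (0x60000000, 0x7FFFFFFF)  # range a comment above calls Microsoft-reserved

def preferred_range(pe: bytes):
    """Return (ImageBase, ImageBase + SizeOfImage) from a PE file's headers."""
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)   # offset of "PE\0\0"
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = e_lfanew + 4 + 20                      # skip signature + COFF header
    (magic,) = struct.unpack_from("<H", pe, opt)
    if magic == 0x10B:                           # PE32: 32-bit ImageBase at +28
        (base,) = struct.unpack_from("<I", pe, opt + 28)
    elif magic == 0x20B:                         # PE32+: 64-bit ImageBase at +24
        (base,) = struct.unpack_from("<Q", pe, opt + 24)
    else:
        raise ValueError("unknown optional header magic")
    (size,) = struct.unpack_from("<I", pe, opt + 56)   # SizeOfImage, both formats
    return base, base + size

def audit(images: dict):
    """images: name -> file bytes. Returns (collisions, names in reserved range)."""
    ranges = {n: preferred_range(b) for n, b in images.items()}
    collisions = [(a, b) for a, b in combinations(sorted(ranges), 2)
                  if ranges[a][0] < ranges[b][1] and ranges[b][0] < ranges[a][1]]
    reserved = [n for n, (lo, hi) in sorted(ranges.items())
                if lo <= RESERVED[1] and hi > RESERVED[0]]
    return collisions, reserved

def fake_pe32(base: int, size: int) -> bytes:
    """Constructed header-only PE32 stub for the demo (not a loadable image)."""
    buf = bytearray(0x40 + 4 + 20 + 96)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)      # e_lfanew
    buf[0x40:0x44] = b"PE\0\0"
    opt = 0x40 + 24
    struct.pack_into("<H", buf, opt, 0x10B)      # PE32 magic
    struct.pack_into("<I", buf, opt + 28, base)  # ImageBase
    struct.pack_into("<I", buf, opt + 56, size)  # SizeOfImage
    return bytes(buf)

SAMPLE = {   # constructed: base from the thread, sizes and vendor.dll invented
    "user32.dll": fake_pe32(0x7E410000, 0x90000),
    "hhctrl.ocx": fake_pe32(0x7E410000, 0x80000),
    "vendor.dll": fake_pe32(0x10000000, 0x20000),
}

print(audit(SAMPLE))
```

Fed the real files from an application's install directory and System32 instead of SAMPLE, the same audit shows which third-party modules would contend with a system DLL for its preferred address before a patch is rolled out.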
Seriously. We just moved all of our PE burn-in discs to Vista-based ones (we used XP) and now our productivity has dropped by nearly 40% just because Vista is that buggy.
What's worse? I've got an old Windows 98 burn-in disc, that did more thorough testing and caught more bugs than either our XP or Vista discs do. And people wonder why every laptop I repair never fails - KISSER (Keep It Simple, Stupid, Every Revision.)
But, hey, if my company wants to move to Vista, lose profit, and put themselves out of a job, fine, let them. I'll take my tools and move to the next company with better brains.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.