Slashdot Mirror

← Back to Stories (view on slashdot.org)

.ANI Vulnerability Patch Breaks Applications

Posted by CmdrTaco on from the this-is-only-gonna-hurt-twice dept.

Jud writes "Microsoft's fix for the .ANI vulnerability was part of Patch Tuesday yesterday. However, all is not well with the update. Reportedly, installing the patch will break applications such as Realtek HD Audio Control Panel and CD-Tag, which mentions they are affected by the problem on their main page. A hotfix is currently available from Microsoft, however their current position is this is an isolated problem and the fix is not planned to be pushed out through Microsoft Update. "

21 of 164 comments (clear)

  1. Other affected programs: Tugzip... by semifamous · · Score: 4, Informative

    My archiving application of choice, Tugzip is also affected by this update and the mentioned fix took care of the problem.

  2. Anyone's surprised? by keisar · · Score: 3, Funny

    Microsoft breaks something when patching something else? I'm surprised. Really. I am. No, really. I am.

    1. Re:Anyone's surprised? by cheater512 · · Score: 4, Insightful
      Uh...Ever heard of not playing a corrupt ANI file? Theres no need to have exploits there nor is there a reason to break existing functionality.

      If you read the hotfix page you'd see this:

      The Hhctrl.ocx file that is included in security update 928843 and the User32.dll file that is included in security update 925902 have conflicting base addresses. This problem occurs if the program loads the Hhctrl.ocx file before it loads the User32.dll file. So yes it is Microsoft's fault that they screwed up.
    2. Re:Anyone's surprised? by pilgrim23 · · Score: 4, Funny

      Cursor's Foiled AGAIN!

      --
      - Minutus cantorum, minutus balorum, minutus carborata descendum pantorum.
  3. This was not patch Tuesday by Anonymous Coward · · Score: 5, Informative

    Patch Tuesday is the second Tuesday of each month. This was an out of cycle patch released.

    1. Re:This was not patch Tuesday by Opportunist · · Score: 3, Funny

      So this was "break Tuesday" then?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  4. Re:Hehe by mwvdlee · · Score: 4, Interesting

    They released a patch yesterday, discovered problems with it since yesterday then fixed it today. Yet you've been hearing about these problems for weeks?

    --
    Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
  5. Before all the lame bashing.. by madsheep · · Score: 4, Insightful

    I just wanted to make a quick post before I see all the standard lame M$ bashing gets out of hands from a ton of idiots that are most likely using Windows while posting.

    This is exactly why it takes Microsoft so long to put out patches sometimes. Unlikely all these free and open source packages, Microsoft Windows is actually used by tons of users at home and in the business world. People need their machines to do their daily activities and jobs. This is why so much testing is needed before something can just be shoved out there. This is why you tend to see this sort of thing from patches released out of cycle. It obviously has not and could not have been tested as much (and yes sometimes problems occur with patch Tuesday patches).

    You might not see as many issues with *nix based systems. Why? Well, there just are as many users. This might sound like a cliche but it is a fact. Look at when official Redhat patches and other updated packages actually come out. They come out days, weeks, and months later. Sure there is some patch that some random guy hatched together -- the power of open source!! However, if you were to apply that untested P.O.S. across the world in tons of real environments, you'd probably have a shitton of problems.

    This does not excuse problems with patches, but at least it came quicker. Remember, M$ has to release stuff that fortune 1000, government, home users, and everyone else can live with. Pushing some patch 30 minutes later for an OSS package that 2000 rag tag home users use.. just isn't the same.

    1. Re:Before all the lame bashing.. by camcorder · · Score: 5, Insightful

      It's not time taking releasing the patch, it's the design decition done by a software company with its flagship product used by millions. You put a useless feature like handling .ani in HTML with your renderer, you also embed this renderer everywhere throughout your "OS", then for sure it would take lots of time to test for problems for such a single fix in .ani file handler. We saw same scenerio in past dozens of times.

      Having millions of users might be an excuse, but having a bad design can't, if you claim to be developing best software.

      I really find it just plain spreading FUD to compare open source software equivalent microsoft software with those metrics. Blah, blah, but it's used by millions, see what happens when open source is used by millions. Just wondering how many in those millions compare design decisions taken during software development of product they use. What's lame is not seeing how broken design of some parts of the software, not bashing due to these flaws.

    2. Re:Before all the lame bashing.. by CowTipperGore · · Score: 4, Insightful

      However, if you were to apply that untested P.O.S. across the world in tons of real environments, you'd probably have a shitton of problems. At least we know this doesn't happen with Microsoft patches.
    3. Re:Before all the lame bashing.. by lenski · · Score: 4, Insightful

      Pushing some patch 30 minutes later for an OSS package that 2000 rag tag home users use.. just isn't the same.


      2000 ragtag home users? You are smarter than that, I can tell by the quality of your writing and sentence structure alone. While some OSS packages serve small communities, there are lots of packages that serve large and diverse communities. (PostgreSQL, Apache, the Linux kernel, Firefox, the list goes on). Those packages have, on occasion introduced vulnerabilities due to the natural vicissitudes of software development. And when their vulnerabilities are discovered, they get fixed quickly. (And this one hit me this morning: I don't need Linux Genuine Advantage for permission to receive updates to my damn software!!!)

      It is worth noting, however, that such vulnerabilities are nearly always limited in scope due the inherently modular nature of the OSS world. Microsoft built a highly integrated system to support its business model. They are welcome to their high integration approach. And those of use who do not appreciate the effects of that way of doing business are welcome to complain when it wacks the shit out of our families' productivity when we are trying to get some proprietary fix.
    4. Re:Before all the lame bashing.. by afidel · · Score: 3, Interesting

      Useless feature??!?

      Uh, several of our enterprise webapps used animated cursors to let the user know that something is being processed. Maybe to a clueless geek user feedback is a useless feature, but to anyone who knows about UI design it is a requirement. The real sin with this patch is that this bug was already patched TWO years ago, but they meerly patched the codepath for the known vulnerability and left it at that, they did not look at the actual cause of the problem and so we have the same vulnerability with a twist come out two years later.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    5. Re:Before all the lame bashing.. by phasm42 · · Score: 4, Insightful

      How about an hourglass? The animation is merely for looks, the animation is not necessary for feedback. It's not like the animation is actually tied to the progress anyways. It's like those sites that use animated GIFs as a "progress bar" -- there is nothing tying progress of the task to progress of the animation.

      --
      "No one likes working in a hamster wheel, and your shop smells of cedar shavings from here." - TaleSpinner
  6. Re:Hehe by t0tAl_mElTd0wN · · Score: 4, Insightful

    You know, it's really starting to get to me, everyone beating on MS all the time. I mean, when you're the biggest, a lot of times your flaws stand out easier. Really, so what if a bunch of geeks on their spare time can write a 3D interface which performs better, and existed much earlier than the product of ten times as many full-time professionals? So what if you can do awesome things like formatting an empty file with its own filesystem? I mean, a huge security vulnerability in animated mouse cursors, and then releasing a patch that breaks more than it fixes... that's a mistake anyone can make, right? Well... apparently except for Linux, Apple, Amgia, Palm, BSD, or... well, pretty much anyone else.

    Sarcasm aside, how exactly did it come to pass that the guy who wrote the code for animated mouse cursors managed to open an "extremely critical" security vulnerability in the process... and then how did it become so important that fixing it breaks applications which relied on said bug?

    I'm sorry, I'm not entirely 100% anti-MS (XBox Live owns, Visual Studio .NET is one of the best IDEs that I've ever used, etc.) but really, these are some mighty clumsy mistakes to be making considering the magnitude of some of their more powerful clients...

    --
    Not So Random
  7. Realtek HD Audio exists on a lot of PCs... by tlhIngan · · Score: 3, Informative

    A lot of machines have the Realtek HD Audio thing in them to provide audio - notably most of the Core/Core2 based ones (HD Audio is a standard by Intel, Realtek being one of the first to offer it).

    Seems like this isn't really an "isolated" problem, but a fairly common one if you own a desktop made in the last year or a recent laptop...

  8. Re:Hehe by Anonymous+Conrad · · Score: 3, Informative

    They released a patch yesterday, discovered problems with it since yesterday then fixed it today. Yet you've been hearing about these problems for weeks? Actually, no, they did know about this ahead of time. From the MSRC blog:

    The result of our comprehensive testing is that at the time of release, only one minor quality issue was known and guidance as well as a hotfix was ready for customers at the same time of release. I'd guess they haven't had time to put the hotfix through the full test cycle yet but still needed to release the general fix.
  9. I don't need Linux Genuine Advantage... by symbolset · · Score: 3, Funny

    But of course it's available if you do want it.

    Naturally Linux Genuine Advantage is open source, and not to be outdone by Microsoft platform hackers a hack is available to auto-certify LGA without actually contacting the LGA server.

    --
    Help stamp out iliturcy.
  10. Re:Hehe by adisakp · · Score: 3, Interesting

    "their current position is this is an isolated problem"

    I have a fairly new Dell XPS600 (1 year old) and the update borked my machine due to the realtek program. I got some obscure message about how rtdcpl.exe was performing an illegal access trying to move some OCX DLL.

    I was able to solve the problem by Google Searching and installing the MS hotfix. The only problem now is that "hotfix" makes it so I have to wait about 1 minute longer after I log in before I can access the internet. I used to be able to pop-up IE right away and surf but now if I do that, I get the error page for site not found for about 1 minute before things start working normally.

    I don't know how isolated it can be since Dell alone has sold millions of PC's with realtek audio chipsets.

  11. Re:Hehe by 140Mandak262Jamuna · · Score: 4, Funny
    I used to be able to pop-up IE right away

    That is your root cause of the problem. Stop using IE, all your problems will go away.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  12. MS build/release system? by Aardvark99 · · Score: 4, Informative

    The screw up is in Microsoft's release system allowing hhctrl.ocx and user32.dll to be shipped with the exact same "DLL Base Address". They both share address 0x7E410000. I'm sure Microsoft has a system to prevent this, but either someone didn't follow it, or the system has flaws.

    Normally clashes of base addresses happen all the time. For most DLLs the base address is sort of a suggested location, the OS load the DLL to this area if it can, but will "relocate" DLLs to free memory area if that space is taken. User32.dll isn't allowed to be relocated for some reason (a very good reason, I'm sure). If it's space is already taken (by HHctrl) the program using it cannot load. HHCtrl.ocx has no problem being relocated, but this will only happen if it's loaded after user32.

    I'm surprised that anyone could manage to make an application that would load these DLLs in this bad order - but that's not the point I guess. Usually you'd HAVE to call a function in User32.dll long before loading anything COM - esp an HTML help control (which is what hhctrl is).

  13. Was the DLL base address ALL they changed!? by Anonymous Coward · · Score: 3, Interesting

    What bothers me is that it makes me feel like this "fix" may not even patch the real problem.

    You see, moving where a DLL is stored in memory might break the proof of concept, but it might not actually fix the vulnerability. Sure, the code it hooked into before in order to hack the machine won't be in the same place, but it might well be possible to fix the exploit to point to the code's new location.

    In short, I wonder if they're playing tricks to make it more difficult to exploit without actually fixing the underlying problem?