Slashdot Mirror


Worm Transcodes MP3s To Infect PCs

snydeq writes "Kaspersky Labs has discovered malware that inserts links to malicious Web pages within ASF media files, posing a danger to Windows users who download music files from P2P networks. Infected files launch IE and load a page that asks the user to download a codec. The download, a Trojan horse, installs a proxy program to route other traffic through the PC. The malware also has worm-like qualities, according to Secure Computing. It searches for MP3s, transcodes them to WMA format, wraps them in an ASF container, and adds links to further copies of the malware, all without modifying the .MP3 extension."

385 comments

  1. wow, that's evil by brunascle · · Score: 5, Funny

    It searches for MP3s, transcodes them to WMA format, wraps them in an ASF container

    Wow, that's evil, even for malware authors.

    1. Re:wow, that's evil by Z00L00K · · Score: 4, Insightful

      Maybe it's the RIAA that wants us to get rid of all our MP3:s downloaded from various sources?

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    2. Re:wow, that's evil by morgan_greywolf · · Score: 5, Funny

      Wow, that's evil, even for malware authors.

      That's nothing. I heard the next version will automatically go out the Web, sign up for an e-Trade account, and then proceed to buy stocks like GOOG, AAPL, RHAT, etc., and automatically sell them short.

    3. Re:wow, that's evil by oahazmatt · · Score: 5, Funny

      It searches for MP3s, transcodes them to WMA format, wraps them in an ASF container

      Wow, that's evil, even for malware authors.

      That's nothing. You should see the fix. Your anti-virus program will update its definitions, and if it identifies any of these files prior to download, it makes them appear in a Real Audio format so you're never tempted to download them to begin with.

      --
      Those who believe the Internet is private,
      find their privates are on the Internet.
    4. Re:wow, that's evil by hyperz69 · · Score: 5, Funny

      No, Evil is if it transcodes them to Real Media. Though I don't even think Satan himself could do that to anyone!

    5. Re:wow, that's evil by millwall · · Score: 1

      Well, Kaspersky Labs tells us that the MP3 files are in fact turned into WMA format and not ASF format:

      The worm, which was named Worm.Win32.GetCodec.a, converts mp3 files to the Windows Media Audio (WMA) format (without changing the .mp3 extension)

    6. Re:wow, that's evil by colmore · · Score: 1

      It searches for MP3s, transcodes them to WMA format, wraps them in an ASF container

      Dammit. That sounds more interesting than any programming job I've gotten in the last 5 years.

      --
      In Capitalist America, bank robs you!
    7. Re:wow, that's evil by omeomi · · Score: 1

      Well, Kaspersky Labs tells us that the MP3 files are in fact turned into WMA format and not ASF format

      The summary already says that: "It searches for MP3s, transcodes them to WMA format, wraps them in an ASF container"

    8. Re:wow, that's evil by Anonymous Coward · · Score: 0

      That's nothing. You should see the fix. Your anti-virus program will update its definitions, and if it identifies any of these files prior to download, it makes them appear in a Real Audio format so you're never tempted to download them to begin with.

      As if the transcode to wma wasn't enough quality degradation. Hell, even if it just encoded lossless to wma, people would clasp their hands tightly over their ears and run for the hills shrieking "Help me! My ears are burning!!"

    9. Re:wow, that's evil by Per+Wigren · · Score: 3, Informative

      WMA, WMV and ASF are the very same container format. The only difference is the filename extension.

      --
      My other account has a 3-digit UID.
    10. Re:wow, that's evil by szelus · · Score: 1

      That's nothing. I heard the next version will automatically go out the Web, sign up for an e-Trade account, and then proceed to buy stocks like GOOG, AAPL, RHAT, etc., and automatically sell them short.

      Well, I wish you were kidding...

    11. Re:wow, that's evil by flyneye · · Score: 3, Funny

      I want the RIAA to be DEEPLY investigated, prosecuted with a fair trial and a decent hangin'.
      The music industry is terminal. It's lashing out in its dying breath.
      Just run your antivirus over your downloads before playing.
      Let's just go ahead and keep killing the industry so musicians can have a level playing field and we can do away with the corruption and misdirection to mediocre talent it provides.

      --
      *Repent!Quit Your Job!Slack Off!The World Ends Tomorrow and You May Die!
    12. Re:wow, that's evil by Anonymous Coward · · Score: 0

      haha! wow. great stuff.

    13. Re:wow, that's evil by DickBreath · · Score: 2, Insightful

      >Just run your antivirus over your downloads before playing.

      Do you really believe this would be effective?

      Wouldn't it be more important to run your antivirus on your codecs before installing?

      --

      I'll see your senator, and I'll raise you two judges.
    14. Re:wow, that's evil by clone53421 · · Score: 5, Informative

      ASF is the container, WMA is the codec.

      WMA can be used to refer to the container, but it's actually an ASF container with a WMA track inside.

      That's confusing, and basically the file extension refers to the codec, not the container. The WMA or WMV files you download are actually ASF files. It's about as logical as having the DIVX extension for AVIs with DIVX encoding, but hey... who's going to try to change it?

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
    15. Re:wow, that's evil by FlyingBishop · · Score: 1

      Why would Microsoft transcode mp3's to Real Media?

    16. Re:wow, that's evil by Anonymous Coward · · Score: 1, Funny
      Just a thought.

      Here's one just for you.

    17. Re:wow, that's evil by Spy+der+Mann · · Score: 1

      It searches for MP3s, transcodes them to WMA format, wraps them in an ASF container

      Wow, that's evil, even for malware authors.

      I think the summary missed a paragraph.

      It searches for MP3s, transcodes them to WMA format, wraps them in an ASF container and holds them hostage for One Million Dollars!

    18. Re:wow, that's evil by razorh · · Score: 3, Insightful

      Or you could, y'know, stop being a thieving scumbag and support music by buying from the artists.

      How do you buy music from artists that are represented by the RIAA? Seems to me that most of the money you spend when buying most of the music the RIAA cares about isn't going to the artist in the first place.

    19. Re:wow, that's evil by afidel · · Score: 2, Informative

      Technically WMA and WMV are a family of codecs and they use the ASF container format for metadata and DRM.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    20. Re:wow, that's evil by thePowerOfGrayskull · · Score: 0, Troll

      So what you're saying is that it's better that the artist gets /no/ money instead of just a little bit?

    21. Re:wow, that's evil by sempernoctis · · Score: 2, Funny

      Worms I can deal with. Defiling my MP3 collection with WMA/ASF? That's harsh.

    22. Re:wow, that's evil by clone53421 · · Score: 3, Interesting

      If the OP goes to a concert, the artist doesn't get "/no/" money. Assuming the OP has a limited budget, which would benefit the artist more, buying 5 cds or going to their concert?

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
    23. Re:wow, that's evil by sempernoctis · · Score: 1

      Does the transcoded WMA/ASF file play in Linux? Microsoft could have helped out on this one to get all the evil cross-platform MP3 files out there transcoded into their proprietary formats :)

    24. Re:wow, that's evil by flyneye · · Score: 2, Interesting

      Or we could, you know, take music back from the evil empire. Music is sound, sound is free. Performance is work, work is rewarded monetarily. There is no use for a music "industry" except to rip off everyone from the artist all the way to you.
      Stealing implies ownership. Music exists as energy independent of ownership. Music uses humans as a gateway to this dimension. Humans may be rewarded for acting as gateways, not as owners of intangibles. Copyright is such a joke due to its distortion through legislation that this also counts as an act of revolution permissible constitutionally.
      Get over yourself and quit regurgitating buzz-phrases about "supporting the artists" which has nothing to do with the RIAA as they would have you believe. You are a sucker and not a very good one.

      --
      *Repent!Quit Your Job!Slack Off!The World Ends Tomorrow and You May Die!
    25. Re:wow, that's evil by flyneye · · Score: 1

      well that too,lol

      --
      *Repent!Quit Your Job!Slack Off!The World Ends Tomorrow and You May Die!
    26. Re:wow, that's evil by Adriax · · Score: 1

      So, how about this heat?

      --
      I don't suffer from insanity, I enjoy every minute of it!
    27. Re:wow, that's evil by garaged · · Score: 1

      If done in Windows, I can think of a 10-line script that would do the job

      --
      I'm positive, don't believe me look at my karma
    28. Re:wow, that's evil by garaged · · Score: 1

      Dr Evil is priceless !

      --
      I'm positive, don't believe me look at my karma
    29. Re:wow, that's evil by g0bshiTe · · Score: 1

      Very interesting argument.

      --
      I am Bennett Haselton! I am Bennett Haselton!
    30. Re:wow, that's evil by thePowerOfGrayskull · · Score: 0
      Where did concerts come into this? GP posted:

      How do you buy music from artists that are represented by the RIAA? Seems to me that most of the money you spend when buying most of the music the RIAA cares about isn't going to the artist in the first place.

      Nothing to do with concerts. However put your straw man to rest... buy one or two cds and go to a concert. The artist gets even /more/ money that way than if you went to a concert but downloaded the songs. Funny how that works, isn't it?

    31. Re:wow, that's evil by pdusen · · Score: 2, Interesting

      Ooh, here's an idea: Pirate music until the industry dies (supporting the artists through concert attendance in the meantime), then when artists go independent, buy their music THEN! That way they make even MORE money! What a novel idea! See: Nine Inch Nails.

    32. Re:wow, that's evil by damienl451 · · Score: 2, Informative
      Copyright is there because, believe it or not, people respond to incentives. Copyright provides just such a monetary incentive to write or perform new songs. Although as a songwriter or performer you're very likely never to make any real money, in the off-chance that you do make it big, copyright law ensures that part of the revenue that your song generates will go to you and, for instance, help you support your family.

      It's ludicrous to think that, should copyright disappear, the music industry would immediately collapse. The most likely thing that would happen is that instead of signing new artists, they would just cruise the bars of Nashville or Austin, look for new songs, and get a cover band to play it before sending it to all the radio stations. Of course, since record companies have access to better facilities and have a lot more money they can devote to marketing, there is no way an unknown artist would be able to compete against them, internet or not.

      If there truly was no need for a music industry, it wouldn't exist in the first place. I'm afraid that, like so many on Slashdot, you're suffering from the delusion that everyone behaves in exactly the same way as you do. You might enjoy browsing a website in search for a new sound that you like, but most people don't. What they want is quality music available anytime they want. They want to be able to turn on the radio and hear good music, not spend an hour separating the wheat from the chaff.

      Right now, artists can already operate along the guidelines you suggest. Nobody is forcing them to sign with a major, they can release their songs on the internet and make money playing concerts.

    33. Re:wow, that's evil by Anonymous Coward · · Score: 0

      Because they're in on the joke.

    34. Re:wow, that's evil by colmore · · Score: 1

      Is that 10 lines of automating some utilities? 10 lines in a scripting language that the target would have to install first?

      Turning this theoretical exploit into a real threat sounds like interesting engineering.

      --
      In Capitalist America, bank robs you!
    35. Re:wow, that's evil by MadnessASAP · · Score: 2, Insightful

      Wouldn't it be more important to run your antivirus on your codecs before installing?

      Even better idea, Install VLC and CCCP and if it won't play with either of those then you probably don't want to watch it anyways.

      --
      I may agree with what you say, but I will defend to the death your right to face the consequences of saying it.
    36. Re:wow, that's evil by Anonymous Coward · · Score: 3, Funny

      but hey... who's going to try to change it?

      I will, in 10 years after I become batman.

    37. Re:wow, that's evil by Kiaser+Zohsay · · Score: 2, Insightful

      Where did concerts come into this?

      GGGP wrote "support music by buying from the artists" which then led to a comparison of alternate methods of supporting the artists, ergo concerts. A legitimate (OT) point, and not a straw man. However, between the venues, concert promoters and TicketBastard, the concert business is ripping off artists almost as badly as the recording labels.

      When voting with your dollars, deciding where *not* to spend is every bit as important as where to spend. There is no substitute for doing your homework.

      --
      I am not your blowing wind, I am the lightning.
    38. Re:wow, that's evil by Kiaser+Zohsay · · Score: 2, Interesting

      At the very least, don't play your MP3's with Windows Media Player.

      Word does the same thing, opening files that are named with the wrong type, and not complaining about the mismatch. Rename a .DOC file with a .RTF extension, and double-click it. If RTF is associated with Word, then Word will open your file like a trooper, but won't say a word about the format not matching the name. Now, try opening it with something that supports .RTF but not .DOC (there are a few out there) and hilarity ensues.

      For a long time I have told people "Don't use Internet Explorer unless you absolutely have to, and don't use Outlook under any circumstances." It looks like I need to include WMP in that advice as well.

      --
      I am not your blowing wind, I am the lightning.
    39. Re:wow, that's evil by networkBoy · · Score: 1

      how about we still protect their IP as you rail against, but bring the terms of protection back down to their original terms, or even better, shorten them? Would that be reasonable?

      Think of the work that goes into making the studio recording. Those folks deserve a cut. They won't get a cut from the live performance, so buy the CDs and let them have a piece, don't just make it free.

      Now, none of this is to defend the RIAA, they are evil, no doubt. But abolishing copyright altogether would do more harm than keeping it as it is IMHO.
      -nB

      --
      whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
    40. Re:wow, that's evil by Anonymous Coward · · Score: 0

      Makes perfect sense. No one cares about the container except developers.

      Like Office files (.DOC, .XLS, .PPT) all use the DocObj container format. Who gives a crap if the container is the same or not?

    41. Re:wow, that's evil by dna_(c)(tm)(r) · · Score: 5, Funny

      Why would Microsoft transcode mp3's to Real Media?

      Because "WOOSH" sounds better in that format?

    42. Re:wow, that's evil by clone53421 · · Score: 1

      However put your straw man to rest... buy one or two cds and go to a concert. The artist gets even /more/ money that way than if you went to a concert but downloaded the songs. Funny how that works, isn't it?

      Of course, because I have an unlimited supply of money. In this hypothetical scenario, I can afford to buy CDs and go to concerts after I already said I couldn't.

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
    43. Re:wow, that's evil by clone53421 · · Score: 1

      lol. That's not a bad idea, except I doubt the MAFIAA will simply roll over and die...

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
    44. Re:wow, that's evil by gravis777 · · Score: 1

      wraps them in an ASF container, and adds links to further copies of the malware, all without modifying the .MP3 extension

      So, if I get this right, it converts the MP3 file to a WMA (bad enough, you lose sound quality going from one format to another), puts it into an ASF container that has a link to download some malicious code, then renames the extension back to .mp3.

      Windows Media Player will at least inform you if the media format is actually of a different format than the extension. I get those from time to time on P2P networks - something with a .mpg extension that is actually an AVI or, sometimes, even a JPEG.

      In my experience, if you try opening up a wma or asf file in VLC, it actually will error out if it is trying to download a codec or something. In other words, VLC does not execute the code.

      Not sure what WinAmp does, have not used it in years.

      And then my virus scanner is usually pretty good at scanning on download, and sometimes even quarantines files before the download finishes. I always scan the download directory before checking anything out in it, and then only open stuff in VLC.

      Also, beware of any MPEG, AVI, or MP3 that is under a meg. And don't be stupid enough to download .zip, .rar, .exe, .scr, .wmv, .wma, .asv, or .asf files off of P2P networks.

    45. Re:wow, that's evil by mr_mischief · · Score: 2, Interesting

      Well, that trojan has a bug. When you sell short, you sell a stock then buy it. Yes, really.

      That's what "short" means -- you don't have all the shares you need to cover the sale, so you're short. A "naked short" means you also don't have the funds set aside to buy and deliver the shares you sold or enough shares of the company in your portfolio to make up the difference.

      The idea is that you sell at or just below the current price, expecting the stock to tank. Then you buy the shares before the agreed-upon transfer time for less than you're getting. Basically you're selling borrowed shares for more money than you're paying the guy you borrowed them from, if it works out as planned. If the stock goes up, you end up paying more for the shares than what you sold them for.

      Theoretically there's a limit on what you can make and no limit on what you can lose. It's a useful tool in the market, though, if it's used correctly.

      I know the explanation is overkill in response to your joke, but it seems many people do get confused with what the term means. I figured now was a teachable moment for people reading your post.

    46. Re:wow, that's evil by mr_mischief · · Score: 1

      angry sea bass: $55 each
      head-mounted lasers: $7500 each
      giant aquarium: $37,499 ... for everything else, there's MasterCard.

    47. Re:wow, that's evil by ChienAndalu · · Score: 1

      Yeah, and images, software, texts and movies are just ones and zeros. I'm not fond of the RIAA myself but ... try again.

    48. Re:wow, that's evil by sm62704 · · Score: 2, Informative

      I hate to say "I told you so" but... Ok, I don't hate telling you that, but I hate that I was right. Damn it, I'm not a security professional, why could I see this coming but the professionals couldn't?

      I've been warning people about using WMA files and Windows Media Player for years, the first I said of it was back when I had my old Quake site, the Springfield Fragfest. A security researcher who played Quake II saw the post, realised that I was right, and we had a rather scary email conversation. I've been preaching about it ever since.

      The first time I listened to a WMA file and my browser opened I knew this was coming.

      The wrapper isn't even necessary! If you use Windows Media player (WiMP) an MP3 or OGG file can infect you. Here's how.

      Say you have a DRMed music file named VIRUS.WMA. You take your DRMed WMA file and have the "drm key" or whatever you call it send the victim to your malicious web site. You simply rename the file to "Outkast_Tribute.MP3" (or other popular tune) and put it in your "share" folder. For bonus points have the file be a recording of you saying "you've been pwned, n00b!" (or better, Madonna saying "WTF are you doing?") with the same length as the Outkast song.

      People running any other player except WiMP that I tested (and let's hope that Winamp et al haven't "upgraded" the players to allow this infection) will not be vulnerable; I tested several different players (this was several years ago, Winamp was one) and none would open the file renamed like that except WiMP. You get an error message saying it is an unknown format.

      WiMP will recognise the renamed file, however, and happily run the trojan. Note to Microsoft developers: PLEASE FIX THIS HORRIBLE DESIGN FLAW. Users: DON'T USE WINDOWS MEDIA PLAYER! There are dozens out there.

      Mac and Linux users aren't immune to wrapped WMA files unless DRMed files or WMA files won't play. Getting your files legally won't protect you, either, as Sony's rootkit proved. However, you CAN protect yourself.

      One way is to put on your tinfoil hat and never play a music file you didn't rip yourself. A better way is, when you get a new music file, simply disable networking temporarily by unplugging the ethernet or shutting off your router, and play the file. If your browser doesn't start, the file is clean. If it starts, delete the file, empty the trash and thank yourself for remembering to do it.

      DRM is what allows this exploit to work! This is one more example of why DRM itself is pure evil. All DRM does is inconvenience your honest customers without hampering commercial copyright infringers at all, and gives your customers another way to get infected.

      If your company in any way, shape, or form has anything to do with DRM, it's evil. If you personally develop DRM, you know damned well DRM won't work and you are a thief who is conning the stupid evil companies who buy your evil garbage.

      Sorry for the rant but I hate seeing evil disguised as good. DRM is evil pure and simple. PLEASE STOP USING DRM!

      --
      mcgrew's razor: Never attribute to stupidity that which can be explained by greedy self-interest
    49. Re:wow, that's evil by sm62704 · · Score: 1

      Though I don't even think Satan himself could do that to anyone!

      I asked her, she said you're fuX0red.

      --
      mcgrew's razor: Never attribute to stupidity that which can be explained by greedy self-interest
    50. Re:wow, that's evil by sm62704 · · Score: 1

      How about since you can't possibly buy a CD from every artist out there, stop buying material from RIAA artists? If they lose sales because they're stupid enough to sign a contract with thieving scumbags, it's their own fault.

      You have dozens of very talented independent musicians in your own city. Support them. Go to their shows and buy their CDs. For every RIAA CD you buy, that's three or four independents' CDs you can't.

      --
      mcgrew's razor: Never attribute to stupidity that which can be explained by greedy self-interest
    51. Re:wow, that's evil by Anonymous Coward · · Score: 0

      In addition to your informative post on short selling ...

      The stocks mentioned in the OP are just too massive to effect any sort of market manipulation. Hedge funds, mutual funds, and pension plans have hundreds of billions of dollars invested in these well known companies.

      A "better" way to implement this scheme would be to buy "penny" stocks and then create the automated distributed bidding war; then sell for profit.

      Of course, a trivial investigation would land you in pump-you-up-the-butt prison ...

    52. Re:wow, that's evil by sobachatina · · Score: 1

      "Install CCCP"

      It's a good thing we no longer live in the 60's. Saying something like that would find you blacklisted.

    53. Re:wow, that's evil by mpeskett · · Score: 1

      "Infected files launch IE and load a page that asks the user to download a codec"

      I'd know there was something severely wrong at the point when IE opened all by itself... I doubt I'd get as far as actually downloading a codec to run an antivirus on it.

    54. Re:wow, that's evil by clone53421 · · Score: 3, Interesting

      Also, beware of any MPEG, AVI, or MP3 that is under a meg. And don't be stupid enough to download .zip, .rar, .exe, .scr, .wmv, .wma, .asv, or .asf files off of P2P networks.

      Fairly good advice, but I'd modify it slightly...

      First, use VLC; if you drag-drop a file into VLC you'll remain pretty safe even if the file is malicious. MPEG/AVI/MP3 files that are under a meg are still likely adverts, but they can't hurt you if you open them with VLC. WMV, WMA, and ASF are also likely adverts, but they can't launch their slew of popup windows if you open them with VLC. Also, VLC won't do anything bad if you drop "awsums0ng.mp3.exe" into it, it'll just say it can't play that. Double-clicking on that file would have been bad.

      As you know, running EXE, COM, SCR, or JS/VBS (Limewire blocks VBS files by default I think) that you download from P2P is dumb. I haven't seen HTA files on P2P, but they're executable so if you happen across one, don't risk those either. In short, Just Don't. (If you have a really kickin' antivirus, you might risk an unverified executable after it's passed the scan, but you're still playing with fire.)

      ZIP/RAR files aren't dangerous themselves, it's the files that may be inside them. If you don't know what that meant, just avoid them altogether. What is inside them should be treated the same as anything else you download: see the previous 2 paragraphs.

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
    55. Re:wow, that's evil by clone53421 · · Score: 1

      People running any other player except WiMP that I tested (and let's hope that Winamp et al haven't "upgraded" the players to allow this infection) will not be vulnerable; I tested several different players (this was several years ago, Winamp was one) and none would open the file renamed like that except WiMP. You get an error message saying it is an unknown format.

      Reason being, $other_player won't play DRM-protected files. Did you try changing the extension on a non-DRM-protected WMA? It should play...

      Not saying you're wrong; you're dead-on correct. I'm just clarifying some details.

      Also, although your recommendation of unplugging the network will work, I'd recommend just dropping the file into VLC. VLC won't connect to the network to verify the DRM (it'll just look like garbage), and it won't launch the web shortcuts embedded in an ASF (it'll play the file and ignore the shortcuts).

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
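
Added example, not part of the original thread or any poster's code: a defensive check for the two points discussed above, namely that a file named `.mp3` can really be an ASF container, and that an ASF header can carry script-command or DRM objects. The GUIDs are the object identifiers from the ASF specification; the function names and the sample byte strings are constructed for illustration, and a `script-command` or `content-encryption` hit only says the object is present, not that the file is malicious.

```python
"""Flag media files whose bytes are ASF although the file name says otherwise."""
import struct
import uuid
from pathlib import Path


def _guid(text: str) -> bytes:
    # ASF stores GUIDs with the first three fields little-endian (bytes_le).
    return uuid.UUID(text).bytes_le


# Object GUIDs as listed in the ASF specification.
ASF_HEADER = _guid("75B22630-668E-11CF-A6D9-00AA0062CE6C")
ASF_SCRIPT_COMMAND = _guid("1EFB1A30-0B62-11D0-A39B-00A0C90348F6")
ASF_CONTENT_ENCRYPTION = _guid("2211B3FB-BD23-11D2-B4B7-00A0C955FC6E")

# Container each extension is expected to hold (WMA/WMV files are ASF inside).
EXPECTED = {".mp3": "mp3", ".wma": "asf", ".wmv": "asf", ".asf": "asf"}


def sniff(data: bytes) -> str:
    """Identify the container from leading bytes, ignoring the file name."""
    if data[:16] == ASF_HEADER:
        return "asf"
    if data[:3] == b"ID3":  # ID3v2 tag in front of MPEG audio
        return "mp3"
    if len(data) >= 2 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0:
        return "mp3"  # bare MPEG audio frame sync (11 set bits)
    return "unknown"


def header_objects(data: bytes) -> list:
    """Return the GUIDs of the objects nested directly in the ASF header."""
    if len(data) < 30 or data[:16] != ASF_HEADER:
        return []
    # Header object: GUID(16) size(8) object count(4) reserved(2) = 30 bytes.
    header_size, count = struct.unpack_from("<QI", data, 16)
    end = min(header_size, len(data))
    pos, found = 30, []
    for _ in range(count):
        if pos + 24 > end:
            break  # truncated file, or a count larger than the data allows
        (size,) = struct.unpack_from("<Q", data, pos + 16)
        if size < 24:
            break  # malformed size would never advance; stop parsing
        found.append(data[pos:pos + 16])
        pos += size
    return found


def check(name: str, data: bytes) -> list:
    """Return findings for one file given its name and leading bytes."""
    findings = []
    actual = sniff(data)
    expected = EXPECTED.get(Path(name).suffix.lower())
    if expected and actual not in ("unknown", expected):
        findings.append(f"extension-mismatch:{expected}->{actual}")
    if actual == "asf":
        objects = header_objects(data)
        if ASF_SCRIPT_COMMAND in objects:
            findings.append("script-command")
        if ASF_CONTENT_ENCRYPTION in objects:
            findings.append("content-encryption")
    return findings


def scan(root: str, head_bytes: int = 1 << 20) -> dict:
    """Walk a directory and report every media file with findings."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in EXPECTED:
            with path.open("rb") as fh:
                hits = check(path.name, fh.read(head_bytes))
            if hits:
                report[str(path)] = hits
    return report


# --- constructed sample data (not taken from any real file) ---
def _obj(guid: bytes, payload: bytes) -> bytes:
    return guid + struct.pack("<Q", 24 + len(payload)) + payload


def _asf(objects: list) -> bytes:
    body = b"".join(objects)
    return ASF_HEADER + struct.pack("<QIBB", 30 + len(body), len(objects), 1, 2) + body


PLACEHOLDER_GUID = bytes(16)  # stands in for an ordinary header object
SAMPLE_WMA = _asf([_obj(PLACEHOLDER_GUID, b"\x00" * 8)])
SAMPLE_RENAMED = _asf([_obj(PLACEHOLDER_GUID, b"\x00" * 8),
                       _obj(ASF_SCRIPT_COMMAND, b"placeholder-body")])
SAMPLE_MP3 = b"ID3\x03\x00\x00\x00\x00\x00\x00" + b"\xff\xfb\x90\x00"

if __name__ == "__main__":
    for label, blob in [("track.mp3", SAMPLE_RENAMED), ("real.mp3", SAMPLE_MP3),
                        ("clip.wma", SAMPLE_WMA)]:
        print(label, check(label, blob))
```
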
    56. Re:wow, that's evil by BronsCon · · Score: 1

      For the time being, yes. Once the RIAA breathes its final breath, those artists will have a chance to negotiate a better contract with another company; or use what money they did make as RIAA slaves to make and market their music themselves.

      Then, they'll make money. Lots more than they currently do.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    57. Re:wow, that's evil by BronsCon · · Score: 1

      Yes, the artist gets 5 or 10 cents from the CD sales, while the RIAA and label split the remaining $15-40.

      When you go to a concert, the artist has paid for the venue and gets every cent of ticket sales (ticket vendors tack on their own fee, but it's the buyer who pays that, not the artist). Most of the time, the RIAA gets nothing in such a situation. This is how we want it to work, until the RIAA is no more.

      Once the RIAA is gone, their slaves^H^H^H^H^H^Hartists can negotiate better contracts with other labels or spend their concert earnings to create, market and distribute their music themselves. They'd surely make more than a nickel on each sale that way.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    58. Re:wow, that's evil by Thaelon · · Score: 2, Informative

      The bands still make far more money from touring than albums sold. To quote Maynard Keenan from Tool:

      You make a lot more money touring or selling shirts, yeah, but that's when you get to a certain level. That in-between spot is tough.

      Seen here.

      I included that last bit for the sake of honesty. But the fact is they, and other big bands make more from touring than albums. I believe he also once said that they could simply tour and not do albums at all, and get along fine. But I couldn't find that quote.

      --

      Question everything

    59. Re:wow, that's evil by PunkOfLinux · · Score: 1

      Er... the radio? Good music? Where do you live, and do you live in the same dimension as the rest of us?

    60. Re:wow, that's evil by sm62704 · · Score: 1

      When I tested, it was several years ago, but yes, I took a DRM file I'd downloaded from some promo site, and took a wav I converted to WMA. None of the players played the file with the renamed extension except WiMP.

      I fear they may have added the same design flaw as WiMP.

      --
      mcgrew's razor: Never attribute to stupidity that which can be explained by greedy self-interest
    61. Re:wow, that's evil by Anonymous Coward · · Score: 0

      Good lord I want a hit from what you're smoking.

      You're a tool, and a bent one at that.

    62. Re:wow, that's evil by Reziac · · Score: 1

      So ... what happens is that I sell someone 12 apples, but I really only have 10 apples, so before the buyer discovers this I have to go out and find two more apples somewhere?? My brain hurts.

      I find myself unable to bake apples into a "naked short" shaped pie at all; please elucidate, in terms an old farm boy can grok. :)

      --
      ~REZ~ #43301. Who'd fake being me anyway?
    63. Re:wow, that's evil by ObsessiveMathsFreak · · Score: 1

      Absolutely! Give the Lord of Darkness some credit. He transcodes to AAC and plays them backwards on his Mac.

      --
      May the Maths Be with you!
    64. Re:wow, that's evil by everett · · Score: 1

      It's more like this, apples cost $2.50 each (ridiculous price, you're sure the price of apples is going to fall) so you get Farmer Jones, who runs an orchard, to loan you 10 of his apples. You then take them over to the farmer's market and sell them all (making a nice $25.00). When the price of apples falls back to a more reasonable $0.90 per apple, you buy 10 apples and return them to Farmer Jones.

      Close enough you financial people, I'm known to produce low quality analogies.

      --
      Sig withheld to protect the innocent.
    65. Re:wow, that's evil by drx · · Score: 1

      Hey kids, if you don't know what the parent commenter is talking about, search for some hours in the Windows Explorer menus and setup dialogs to display "file extensions". They're awesome!

    66. Re:wow, that's evil by clone53421 · · Score: 1

      They'd be a lot safer if they did, and took the effort to learn what they mean... but they don't have to spend hours looking for the option.

      Open My Computer. Open the Tools menu and click Folder Options. Click the View tab.

      Now, here are a bunch of options. Find the one that says "Hide extensions for known file types" and turn it off. The only thing you'll have to do differently is make sure, when you rename a file, not to change the extension (everything after the last dot in the filename). Windows warns you if you do it, though, so if you accidentally do, just click "cancel" and rename the file again without changing the extension.

      It's also not a bad idea to tell it not to show the contents of system folders, show hidden files, and not hide protected system files, but if you do that then you need to learn what those things are. There's a reason they are hidden and protected; you can get yourself in trouble if you delete, move, or rename some of them.

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
    67. Re:wow, that's evil by Reziac · · Score: 1

      I see, I think....

      So how does this benefit Farmer Jones?? He still has 10 unsold apples, and no profit.

      And how does this benefit the market as a whole??

      Juggle me some more apples if I'm wrong, but I see upside for the speculator, and downside for everyone else.

      --
      ~REZ~ #43301. Who'd fake being me anyway?
    68. Re:wow, that's evil by thePowerOfGrayskull · · Score: 1

      But I wasn't replying to GGP, I was replying directly to someone else's rather stupid statement. I agree 100% with voting not to spend - but it's not-so-subtly different than voting to download instead of spending.

    69. Re:wow, that's evil by thePowerOfGrayskull · · Score: 1

      However put your straw man to rest... buy one or two cds and go to a concert. The artist gets even /more/ money that way than if you went to a concert but downloaded the songs. Funny how that works, isn't it?

      Of course, because I have an unlimited supply of money. In this hypothetical scenario, I can afford to buy CDs and go to concerts after I already said I couldn't.

      Most times, when people can't afford to do things, they must choose between them. Why should it be different in this case?

    70. Re:wow, that's evil by thePowerOfGrayskull · · Score: 1

      Ooh, here's an idea: Pirate music until the industry dies (supporting the artists through concert attendance in the meantime), then when artists go independent, buy their music THEN! That way they make even MORE money! What a novel idea!

      Ooh, here's an idea: don't buy music until the industry dies (supporting the artist through concert attendance in the mean time). How does 'pirating' (ridiculous term if there ever was one) benefit the artist in any way? Just do without if you're not going to spend the money anyway. What a novel idea!

    71. Re:wow, that's evil by mr_mischief · · Score: 1

      Well, it wouldn't effect the market, but it sure as hell could negatively effect the guy who's signed in and shorting Google without knowing it.

    72. Re:wow, that's evil by mr_mischief · · Score: 1

      Well, I'm not a broker but I know that you'll pay fees for the buying and selling, and usually dividends on the borrowed stock if they are paid while you hold the shares.

      The guy buying from you hopes you're wrong and that the shares will actually go up.

      The guy who's letting you borrow the shares is in a more complex situation. If the stock rises before you cover your position, then he makes money. If the stock does go down, it would have gone down anyway. He wasn't planning to sell it, or he wouldn't have let you borrow it. Therefore, if it really does go down he's no more hurt than otherwise. If it's going down for a while, he'll want you to cover quickly though so he can sell what he gets back before it falls more.

    73. Re:wow, that's evil by Anonymous Coward · · Score: 0

      It's about as logical as having the DIVX extension for AVIs with DIVX encoding, but hey... who's going to try to change it?

      .divx is not really AVI, it's a proprietary container format based on AVI that can include proprietary Divxnetworks stuff like their weird non-decodable subtitle format. But nobody's using it anyway, so it's a moot point.

    74. Re:wow, that's evil by clone53421 · · Score: 1

      the hell? it ISN'T different. that's my point. that post was sarcasm. the point being, if I must choose between buying several cds or going to the concert, the artist benefits more if I go to the concert.

      in the hypothetical situation, I have limited funds. I can either spend it buying several cds, or I can spend it going to a concert. I don't have enough to buy cds and go to the concert. if I had enough to buy 2 cds and go to a concert, the artist would still get more money if I just saved the money I could have spent on 2 cds until I had enough to go to another concert.

      if "whooosh" is for when someone completely misses a joke, what's the word for when someone completely misses sarcasm?

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
    75. Re:wow, that's evil by pdusen · · Score: 1

      How will I know whether I want to support the artist by attending a live show if I never hear their work? I'm determined to support them in SOME way.

    76. Re:wow, that's evil by Anonymous Coward · · Score: 0

      Hey fuckwad, the word you were looking for was "AFFECT" not "EFFECT". Like most people who make this mistake and other stupid, idiotic mistakes, you are almost certainly a native English speaker. It's not because grammar is so important; it isn't. It's because not being so careless is so important and grammar is just one form of expression.

    77. Re:wow, that's evil by MadnessASAP · · Score: 1

      I live in Canada, we're more communist than the commies will ever be (at least in BC)

      --
      I may agree with what you say, but I will defend to the death your right to face the consequences of saying it.
    78. Re:wow, that's evil by Flambergius · · Score: 2, Interesting

      He wasn't planning to sell it, or he wouldn't have let you borrow it.

      I think this is the main part of it. Our Farmer Jones, whether he had apples or stock to borrow, is sitting tight on something valuable. He benefits in two ways.

      1) You pay him. He's not going to borrow his stuff for free. The exact amount and conditions of the payment can vary greatly, but it'll be there.

      2) What you are doing will result in a more accurate price for the stuff the Farmer has. Markets are in large part about setting the correct price for each item. This is often called generating a price signal and it is the main tool for making economic decisions in free-market economies.

      --
      Computers are useless. They can only give you answers - Pablo Picasso
    79. Re:wow, that's evil by drx · · Score: 1

      Sorry i was cynical. But there is no reason i can think of for the file extensions to be hidden. If they wouldn't be so important i wouldn't care, but to hide them in today's Windows, where many programs, including the OS itself, solely have to rely on extensions to find out what kind of file is coming along, WTH are they hidden by default?

      I think to show them by default would put half of the anti-virus industry out of business.

    80. Re:wow, that's evil by Ilgaz · · Score: 1

      I bet it is stolen code, there was a mp3 to wma transcoder (free) from MS which they heavily advertised hoping a mp3less future. There was no ASF involved though.

      Funny is they copy everything Apple but not good ones. There is a reason for Quicktime looking to a single, central server at Apple to download additional codecs.

    81. Re:wow, that's evil by Ilgaz · · Score: 1

      There is one, single thing that can truly replace Wmedia along with its Framework. It is Quicktime from Apple. If they keep insisting on that God damn taskbar icon, mail asking page, bundling iTunes and forcing people to dig Apple FTP site on some versions just to get Quicktime alone, the replacement can't work.

      Things would be very different if Quicktime windows didn't ask for money to do full screen in earlier versions, a way different than today. That basic difference would change shape of things.

    82. Re:wow, that's evil by clone53421 · · Score: 1

      Well hey - don't apologise. You're probably right. I wish more people would take the effort to learn about them too.

      Like someone said elsewhere on this page, when someone doesn't know something that they haven't learned, it's due to ignorance, not stupidity. However, I'd personally have to conclude that anyone who doesn't learn some basics of how to safely use their computer does exhibit a certain level of stupidity because, with as much as you hear about viruses, common sense dictates that you at least learn some basics.

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
    83. Re:wow, that's evil by Anonymous Coward · · Score: 0

      Why would Microsoft transcode mp3's to Real Media?

      Because "WOOSH" sounds better in that format?

      He was implying that Microsoft was Satan. Woosh.

    84. Re:wow, that's evil by thePowerOfGrayskull · · Score: 1

      How do you know if you like a restaurant before you eat there for the first time? Why should this be different?

    85. Re:wow, that's evil by flyneye · · Score: 1

      Beethoven once said "Do not write music unless not doing so bothers you to distraction." (well maybe not those exact words, but that's the gist) It is sound philosophy and one that weeds out half-baked forced music. So now we can do away with that silly copyright b.s. argument.

      Buddy, if you're relying on music to feed your family, you got stupid issues. Time to get a real job.

      My point is the music industry hampers rather than helps. When their profit goes away so do they.

      A middleman is unnecessary for music to proceed. In fact we can all benefit from their demise. Only a small number of artists benefit from signing and that takes lots of time and business savvy.

      The future of radio sans industry allows for open programming and choosing any artist who puts their music out there open. It is far more important to level the playing field for artist than to line the pockets of a middleman. If there is a need for separation of wheat from chaff a solution will appear.

      Open your mind a little and see the possibilities instead of clinging to a rotting corpse.

      --
      *Repent!Quit Your Job!Slack Off!The World Ends Tomorrow and You May Die!
    86. Re:wow, that's evil by adavidw · · Score: 2, Informative

      That's not how it works. When you go to a concert, a promoter has paid for the venue. The promoter basically pays all of the expenses for the venue and promotion and what not, then contracts with the artist to appear at the concert that they've set up.

      The artist more often than not will get a fixed fee for this performance with the promoter then pocketing all of the money they've collected from ticket sales minus the expenses of paying the venue, paying the artist the fixed fee, paying the promotional costs, etc.

      Another common arrangement is where the artist and promoter negotiate a percentage of ticket sales backed up by a fixed guarantee for the artist in case ticket sales aren't all that. But, for a lot of smaller artists, it's way more common for them to be appearing in that rock club for $1000 and that case of beer left in the dressing room.

      That's why if you really want to support the artist, you'll buy a shirt or cd or some other merchandise at the concert. That money's usually all theirs, and is the sweetest plum.

    87. Re:wow, that's evil by BronsCon · · Score: 1

      I was referring to big-name artists at large venues. My brother-in-law is the lead singer in Voice of Addiction (http://www.voiceofaddiction.com). I know very well how it works for smaller bands, most of whom are not signed by the RIAA and, thus, are unaffected by the RIAA's low payout for CD sales.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    88. Re:wow, that's evil by flyneye · · Score: 1

      Apples and oranges.
      I would say the same if the internet didn't exist.
      You try again.

      --
      *Repent!Quit Your Job!Slack Off!The World Ends Tomorrow and You May Die!
    89. Re:wow, that's evil by Technician · · Score: 1

      Wow, that's evil, even for malware authors.

      Wow, that's evil, even for Windows malware authors.

      There, fixed it for you. Other OSes do better with WMA files in an ASF container with an MP3 extension. The inability to launch Internet Explorer is an added bonus. Remember to not browse as root. Delete broken files, and don't share them. This noise can be filtered.

      --
      The truth shall set you free!
  2. Scary Thought by filesiteguy · · Score: 1

    Ouch!

    Next thing you know the infected MP3 files will be loaded onto and playing on cell phones everywhere and we'll be running from crazed people who are addicted to You Light Up My Life....

  3. Richard Stallman Says... by Anonymous Coward · · Score: 4, Funny

    If you'd just used OGG, this never would have happened! ;-)

    1. Re:Richard Stallman Says... by Z00L00K · · Score: 4, Interesting

      The basic format wouldn't make any difference. The problem is with formats that are incorporating extra features and functionality. If it's MP3 or OGG that's encapsulated is really not an issue.

      We are moving into darker and darker times when it comes to malware. It seems to me that they are trying every evil alternative to make us and our computers to zombies.

      How to remember the good old days when we could get the "Your computer is now stoned" or an east german ambulance with sound passing over the screen. Pretty annoying but relatively harmless.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    2. Re:Richard Stallman Says... by Anonymous Coward · · Score: 0

      Unfortunately, Ogg Frog hasn't been released yet :(

    3. Re:Richard Stallman Says... by Anonymous Coward · · Score: 0

      Yeah, pretty harmless. Like Jerusalem and its variants. Harmless.

      Like the virus which could actually physically destroy certain hard drives. Harmless.

      The damage potential is still very much the same, it's just that we store so much more information on computers now, and viruses have the capability of spreading further.

    4. Re:Richard Stallman Says... by paradxum · · Score: 2, Insightful

      Yes, I too remember the days when there was little if any monetary gain to be had from writing a virus or hacking in general.

      But those days are gone, there is money to be made... now that it pays to hack, the onslaught will only get worse.

    5. Re:Richard Stallman Says... by Anonymous Coward · · Score: 1, Interesting

      I don't know, viruses haven't been so kind for a while now. As an example, ten years ago there was this virus from '98 that intended nothing but harm to the infected computer. It would trash the hard drive and attempt to flash the bios to make your computer unbootable. Nowadays the viruses seem to be more about making money than inflicting damage.

    6. Re:Richard Stallman Says... by Anonymous Coward · · Score: 0

      yeah but... stallman is a smelly git. :(

    7. Re:Richard Stallman Says... by Anonymous Coward · · Score: 0

      The basic format wouldn't make any difference. The problem is with formats that are incorporating extra features and functionality. If it's MP3 or OGG that's encapsulated is really not an issue.

      We are moving into darker and darker times when it comes to malware. It seems to me that they are trying every evil alternative to make us and our computers to zombies.

      How to remember the good old days when we could get the "Your computer is now stoned" or an east german ambulance with sound passing over the screen. Pretty annoying but relatively harmless.

      This is exactly how I got infected. It's been a nightmare. My wife got it downloading stuff from Kazaa.

      Having so much trouble trying to get it off. Trying every trick in the hot possible cuz I'm NOT trying to format.

    8. Re:Richard Stallman Says... by Sfing_ter · · Score: 1

      CDEX works beautifully for Winders users. Nice and fast and ogg is one of the default formats.

      --
      A computer once beat me at chess, but it was no match for me at kick boxing. Emo Philips
    9. Re:Richard Stallman Says... by Spy+der+Mann · · Score: 1

      I think GP meant to say "OGG/Theora", and not just OGG.

    10. Re:Richard Stallman Says... by Spy+der+Mann · · Score: 1

      A lot of people share music and download them P2P around the world. Considering that most of those users are Windows users, the disease - er, virus - will spread quite fast.

      Now we'll have to be careful not only about executing files on the machine - but also about playing mp3 files. A USB collection with *one* infected "mp3" file and your machine's screwed.

      I'm afraid this is the new "storm".

    11. Re:Richard Stallman Says... by thePowerOfGrayskull · · Score: 1

      "...A USB collection with *one* infected "mp3" file and your machine's screwed."

      Assuming that you download the requested trojan to play an MP3, which you never before needed a codec for...

      Hmm. Actually, you're right. Most people won't think twice before installing it.

    12. Re:Richard Stallman Says... by clone53421 · · Score: 1

      Is WinAmp vulnerable to this? I don't think it will launch the executable bits of the ASF, but please correct me if I'm mistaken...

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
    13. Re:Richard Stallman Says... by clone53421 · · Score: 2, Informative

      Task manager... if you can kill the viral process... (maybe take a look at the sysinternals suite, particularly I'm thinking AutoRuns, ProcessExplorer and RootkitRevealer might be useful (haven't actually had to use them yet)).

      Also Regedit... you might be able to remove the viral startup entries... but after you've killed the process or it might just add itself back.

      After you've killed the process and removed its startup entries, rebooting might get you a clean environment and you can hopefully delete the infected files. It worked for me when I got infected from a P2P virus (dumbassed thing to do, I know...)

      Anyway, hope you don't have to format, that would suck. Maybe my tricks weren't already up your sleeve. If they help, great. If those fail, I'd probably have to fall back to something drastic like booting from a safe disk and running antivirus, or taking out the hard disk and virus scanning it... that's a hassle, though, and I'd be worried about breaking the OS.

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
    14. Re:Richard Stallman Says... by SirCowMan · · Score: 1

      In line with what AC says above, old viruses were much worse than today's 'malware' trend. This one reminds me of a script my sister ran off IRC on her system, which replaced all pictures on C: drive with a text string. Today, they use up a bit of your bandwidth and hunt out your credit card numbers or whatever, slowing your system down. However, many of the old boot-sector viruses would make a system unbootable, routinely erasing or replacing data.

      There were no 'good old days' when it comes to idiots playing with code.

      --
      !Equality through palindromes semordnilap hguorht ytilauqE!
    15. Re:Richard Stallman Says... by pxc · · Score: 1

      OGG is the wrapper format. Vorbis is the audio format.

    16. Re:Richard Stallman Says... by Spy+der+Mann · · Score: 1

      I hope not, I use winamp on my job. But after rereading the article, it says that it only launches the webpage. The problem is, the default browser is set to be IE (job policies, go figure). What happens if the webpage in question exploits a browser vulnerability?

      I hate Windows. It's like a long chain of installations and executions without asking permission to the user. Everything's broken.

    17. Re:Richard Stallman Says... by Anonymous Coward · · Score: 0

      I need to take you out, because this is very dangerous.

      Encapsulation is very dangerous in this situation. I can tell that this conversion is extremely slow.

      Encapsulation is a Java idea, and only Java does this. I do not like what you put here, because illicit Java in a browser is ripe for danger.

      I know that a Perl script can take this out worldwide, because what these people have done is extremely dangerous.

      - The Demetrius

    18. Re:Richard Stallman Says... by Darkk · · Score: 0

      I recently ran into this at my aunt's workshop. One of their PCs had been infected with 9 or so viruses / trojans that I said the only true way to get rid of them all is just reformat the hard drive. I've tried removing them all but a couple kept reappearing and making a strange SMTP mail connection to some server in Australia owned by some Asian company..odd? I was like screw it..just reformat it to be 100% sure it's gone. I even ran a DOD disk eraser program to be 100% sure it's totally gone. I know reformatting the MBR would have fixed it but wanted to be sure.

      Yes reformatting sucks but when it comes to sensitive data on the PC I couldn't chance it.
       

    19. Re:Richard Stallman Says... by xehonk · · Score: 1

      Using tools from inside an infected system is pointless. How can you tell that your system is not a zombie right now, if you haven't used any tools from a known-good system?

    20. Re:Richard Stallman Says... by Dr_Barnowl · · Score: 1

      Depends on your definition of "worse".

      Old viruses provided you with an education; you suffered the consequences of being lax about backups and developed a healthy attitude to safe hex. Many of the early ones weren't even very destructive - they just told you that you'd been infected, and reproduced. If they got onto a disk with a custom boot sector, like a game, they'd destroy it, but most legitimate game disks had the write-enable tab missing. The worst that could happen is that you'd lose work, or have to replace some software.

      These days, viruses can lose you money, screw with your credit rating, lose you your job, or even get you banged up on kiddy-porn charges if you are unlucky.

    21. Re:Richard Stallman Says... by Anonymous Coward · · Score: 0

      The problem is with ... incorporating extra features and functionality.

      Yep. Plain and simple is the way to go. These "cram everything you can into one thing" bandwagons don't die soon enough for me. It is a dangerous tendency that, it seems, all industries and all people are afflicted with. It's like a behavioral problem. Very little good ever comes from it. Please don't lecture me about the conveniences of hardware convergence...it doesn't exist. Instead, everything is a small PC. The "convergence" is an illusion created by software that is trying to pack in every bell and whistle and do everything under the sun. The unix architecture of small tools glued together by GUIs is a superior and wise philosophy already established in other engineering disciplines. I hope it catches on in software engineering soon.

    22. Re:Richard Stallman Says... by Anonymous Coward · · Score: 0

      It's not pointless. A really nasty virus might do that, but it doesn't mean that you can't remove any viruses without pulling the hard drive and scanning it in a good system. (I've done it before.) That's the last alternative short of wiping it, but less extreme measures are preferable when they work.

      In particular, RootkitRevealer is designed to be run from inside the system in suspect. I recommend you visit the sysinternals page and read up on it.

    23. Re:Richard Stallman Says... by QRDeNameland · · Score: 1

      Well, technically Vorbis is *one* audio codec compatible with the Ogg container, though it is by far the most common. But FLAC, Speex, and OggPCM are also audio codecs which are supported by the Ogg container.

      --
      Momentarily, the need for the construction of new light will no longer exist.
    24. Re:Richard Stallman Says... by Nullav · · Score: 1

      It's like a long chain of installations and executions without asking permission to the user. Everything's broken.

      You are coming to a sad realization. Cancel or Allow?

      --
      I just read Slashdot for the articles.
  4. Gentlemen, by Anonymous Coward · · Score: 5, Funny

    I must applaud the RIAA on this occasion. I may have mocked their efforts in the past, but this is truly an impressive piece of work, worthy to be called a hack.

    1. Re:Gentlemen, by Pvt_Ryan · · Score: 1

      Indeed.

      The question that does remain is were they smart enough to protect their personal collections???
      *Imagines face of RIAA Admin when he realises that the RIAA network is infected with its own creation*

      See what happens if you download illegal songs....

    2. Re:Gentlemen, by HolyCrapSCOsux · · Score: 1

      Even if they aren't behind it, some liability should lie with them. They want teenagers (aka internet idiots) to be rabid (insert today's hot band here) fans. Their impressionable and largely uninformed minds will then succumb to peer pressure to have all the "cool" stuff their friends have. They blew all their allowance on an iphone, now can't afford to buy CDs. Kazaa to the rescue! Add another PC to the botnet, all because the RIAA wanted to sell another pop act.

      --
      0xB315AA8D852DCD3F3DCA578FD2E0BF88
    3. Re:Gentlemen, by thrillseeker · · Score: 4, Insightful

      Next up ... how DRM protects you from virus laden mp3s

    4. Re:Gentlemen, by MPAB · · Score: 1

      After that, from ".bin-laden" mp3s?

      'cause we knew from the start that pirates and terrorists work together (along with child abusers, of course)!

    5. Re:Gentlemen, by kootsoop · · Score: 1

      In Soviet Russia, you protect DRM from virus laden mp3s... wait a minute, isn't that what the US DMCA does?

      --
      "Engineering is the art of making what you want from things you can get" - Jerry Avins
    6. Re:Gentlemen, by msimm · · Score: 1

      Haha. You mean we use DRM to protect our friends from our dirty possible malware laden music stash?

      The part I don't see in TFA is how the .mp3 file comes to be handled as an ASF container in the first place and I'm assuming since it manages a call to download this is a Windows Media Player feature? Anyone?

      --
      Quack, quack.
    7. Re:Gentlemen, by Drakonik · · Score: 1

      Hear hear. Heaven forbid that a company like a record label promote their products, much less to people who might want to buy said products.

      Seriously, though. I believe it's possible the RIAA engineered it. It's certainly slimy enough. But parent is just stupid. The RIAA is a business, and even though some of their practices (lawsuits mostly) are objectionable, they are a business, whose sole purpose is to create profits for the owners, not raise teenagers to be intelligent, critically thinking individuals. That's the job of the parents. As a capitalist, I can't object to them trying to make money (when they're selling albums, at least. Lawsuits aren't so hot with me).

  5. Nice by Anonymous Coward · · Score: 5, Insightful

    Way to go Microsoft!

    Is there anything these morons can't fuck up?

    1. Re:Nice by pxc · · Score: 5, Informative

      For those of you who think this is just a troll, or are just unfamiliar with ASF:

      Advanced Systems Format is a Microsoft-defined container format for audio and video streams that can also hold arbitrary content such as images or links to Web resources.

      If a user plays an infected music file, it will launch Internet Explorer and load a malicious Web page which asks the user to download a codec, a well-known trick to get someone to download malware.

      It's like the ActiveX of multimedia wrapper files. A security nightmare? You bet. Does it still depend on user stupidity? Well, yes.

    2. Re:Nice by UnknowingFool · · Score: 3, Interesting

      That explains a lot. A few years ago before youtube was popular, a friend linked a website with a funny clip and as soon as the clip opened, it launched IE. Now I had my firewall set to prompt on IE so nothing happened unless I allowed it. I wondered how it was able to do that. Maybe I'm too set in my old school thinking but I think a media file should not have arbitrary content. Or at least limit what could be used.

      --
      Well, there's spam egg sausage and spam, that's not got much spam in it.
    3. Re:Nice by hairyfeet · · Score: 3, Interesting

      This may be a new variation, but believe me, this is a VERY old problem. I have worked in PC repair more years than I can count and I don't know how many times I have gone into a clueless user's "MP3" folder to back up before a wipe only to find after turning on "show file extensions" MP3.EXE, MP3.ASF, MP3.WMA, etc. If someone downloads strictly by name and opens anything they get without doing any kind of virus checks they ARE going to get bit. What we need is the guy from the actors studio in the Geico commercials to go "Stupid users behaving stupidly.....Brilliant!". But as always this is my 02c, YMMV. Oh, and the worst infected were always either on Kazaa, Limewire, or Bearshare. Don't know why, but those three always attracted the really clueless.

      --
      ACs don't waste your time replying, your posts are never seen by me.
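
Added example (not part of any comment in this thread, and not code from Kaspersky, Secure Computing or Microsoft): a defender-side check for the two things described above, ASF content sitting under an .mp3 name and a link embedded in the ASF header. It goes beyond the comments by parsing the ASF Script Command Object, which is assumed here to be where the link is stored; the GUIDs and object layout follow the ASF specification, and the sample file and its URL are constructed.

```python
import struct
import uuid

# Object GUIDs as given in the ASF specification; GUIDs are little-endian on disk.
ASF_HEADER = uuid.UUID("75B22630-668E-11CF-A6D9-00AA0062CE6C").bytes_le
ASF_SCRIPT_COMMAND = uuid.UUID("1EFB1A30-0B62-11D0-A39B-00A0C90348F6").bytes_le

# Extensions that should never carry an ASF container (illustrative list).
NON_ASF_EXTS = (".mp3", ".ogg", ".wav", ".flac")


def is_asf(data):
    """True when the file starts with the ASF Header Object GUID."""
    return data[:16] == ASF_HEADER


def _wide(body, off, nchars):
    """Read nchars UTF-16LE characters at off; return (text, next offset)."""
    end = off + 2 * nchars
    if end > len(body):
        raise ValueError("string runs past end of object")
    return body[off:end].decode("utf-16-le", "replace").rstrip("\x00"), end


def _parse_script_object(body):
    """Parse a Script Command Object body (after its 24-byte object header)."""
    cmds = []
    try:
        # 16-byte reserved GUID, then command count and command-type count.
        ncmds, ntypes = struct.unpack_from("<HH", body, 16)
        off, types = 20, []
        for _ in range(ntypes):
            (n,) = struct.unpack_from("<H", body, off)
            name, off = _wide(body, off + 2, n)
            types.append(name)
        for _ in range(ncmds):
            # presentation time (ms), index into types, length in wide chars
            _ms, idx, n = struct.unpack_from("<IHH", body, off)
            text, off = _wide(body, off + 8, n)
            cmds.append((types[idx] if idx < len(types) else "?", text))
    except (struct.error, ValueError):
        pass  # truncated or malformed object: keep what parsed cleanly
    return cmds


def script_commands(data):
    """Return [(type, command)] for every script command in the ASF header."""
    if not is_asf(data) or len(data) < 30:
        return []
    header_size, count = struct.unpack_from("<QI", data, 16)
    end = min(header_size, len(data))
    off, found = 30, []  # sub-objects start after the 30-byte header prefix
    for _ in range(count):
        if off + 24 > end:
            break
        (size,) = struct.unpack_from("<Q", data, off + 16)
        if size < 24 or off + size > end:
            break  # object claims to extend past the header: stop
        if data[off:off + 16] == ASF_SCRIPT_COMMAND:
            found.extend(_parse_script_object(data[off + 24:off + size]))
        off += size
    return found


def audit(filename, data):
    """List the reasons a media file deserves a closer look."""
    findings = []
    if is_asf(data):
        if filename.lower().endswith(NON_ASF_EXTS):
            findings.append("extension-mismatch: ASF content under a non-ASF name")
        for ctype, text in script_commands(data):
            if ctype.upper().startswith("URL"):
                findings.append(f"script-url: {ctype} -> {text}")
    return findings


def build_sample(url="http://example.invalid/codec", ctype="URL"):
    """Constructed sample: an ASF header holding one script command, no audio."""
    body = bytes(16) + struct.pack("<HH", 1, 1)  # reserved GUID zeroed here
    body += struct.pack("<H", len(ctype)) + ctype.encode("utf-16-le")
    body += struct.pack("<IHH", 0, 0, len(url)) + url.encode("utf-16-le")
    obj = ASF_SCRIPT_COMMAND + struct.pack("<Q", 24 + len(body)) + body
    return ASF_HEADER + struct.pack("<QIBB", 30 + len(obj), 1, 1, 2) + obj


if __name__ == "__main__":
    for name, blob in (("track01.mp3", build_sample()),
                       ("track02.mp3", b"ID3\x03\x00" + bytes(64))):
        print(name, audit(name, blob) or "ok")
```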
    4. Re:Nice by Trigun · · Score: 2, Insightful

      If there is one thing that is guaranteed in life, it is stupidity. Count on that, and remove the other vectors.
       

    5. Re:Nice by KlaymenDK · · Score: 1

      I think it's fine that a file has arbitrary content.

      That the data is able to surreptitiously start network connections? Not so much. At least, the application should have the decency to inform the user before acting on its own.

      This is a good example of why I don't at all mind not-so-integrated applications, as it means I'm less exposed to this kind of "multimedia experience".

    6. Re:Nice by geogob · · Score: 2, Insightful

      This is really clever. That way of using the file container to get the user to download false codecs.

      I wonder if it could work with other wrappers, like AVI, Quicktime, etc. Maybe not in their original state, but with slight modifications that could fool the player.

      I wasn't aware of all the capabilities of the ASF wrapper, but that sure was a ticking time bomb.

    7. Re:Nice by Anonymous Coward · · Score: 0

      Wouldn't the music play while this website is launching? It would be intuitive that a plugin or codec is not necessary to play the audio, as the ASF wrapper would just launch this at the beginning, no?

      It's not like DRM in WMP where a user has a dialog box that must receive a DRM response in order to open it..

    8. Re:Nice by UnknowingFool · · Score: 1

      True, maybe I need to clarify. A media file can have arbitrary data not arbitrary code.

      --
      Well, there's spam egg sausage and spam, that's not got much spam in it.
    9. Re:Nice by Drakonik · · Score: 1

      Although parent's word choice was pretty trollish, he makes a point.

      Windows is flawed. In making things so damned easy for their users, Microsoft shafted themselves. Even on *nix-y systems with package managers, you have to click through several layers of dialogs to install something. When you have to install from source, it's even more involved. It's really hard to accidentally download a tarball, extract it, ./configure, and then make install it. But Microsoft has made it easy, as the article says, for you to mistake a media file for something it isn't, and provided a vehicle for that media file to install malicious software with a single click.

      Yeah, if you're not stupid, Windows is as solid an OS as Linux/Unix/BSD/whatever. But how many people do you know that think 'The Internet' is that blue E on their desktop?

    10. Re:Nice by Drakonik · · Score: 1

      Yeah, but if the user isn't smart enough to realize that a random codec install is unsafe, I don't think...hell, they wouldn't even know what a codec was. They'd just install the software because their computer told them to.

    11. Re:Nice by mr_mischief · · Score: 1

      It's older than that. A specially crafted JPEG file used to smash the stack (or was it a buffer overrun?) on a couple of DOS-based image viewing programs and execute arbitrary code.

    12. Re:Nice by sm62704 · · Score: 1

      Does it still depend on user stupidity? Well, yes

      Not user stupidity, but user ignorance. The difference between stupidity and ignorance is ignorance is curable. We're all ignorant about more things than we're knowledgeable about.

      Fool me once, shame on you. Fool me twice, shame on me.

      --
      mcgrew's razor: Never attribute to stupidity that which can be explained by greedy self-interest
    13. Re:Nice by Anonymous Coward · · Score: 0

      A. some of us who actually know something about media on the internet, have been using embedding content (including pulling content from the web) in Quicktime files since last century.

      Don't cast this as a Microsoft thing when QT and ASF are practically identical in purpose. And QT is actually more flexible / dangerous.

      B. some of us who aren't living in a reality distortion field remember that Apple had to patch QT 7.5 because of flaws that allowed (gasp) arbitrary code execution -- specifically downloading of trojans simply because a user views a tainted PICT file.

      There's nothing Evil about Microsoft, and nothing Good about Apple. They are corporations (so if anything, they are both evil --ha!)

    14. Re:Nice by sjames · · Score: 1

      I'm OK with arbitrary data, but this is a case of arbitrary code. It's a perfect continuation of a dreadful trend from MS.

      In the beginning, the "email virus" was a mildly amusing urban legend/joke meme. It took Microsoft to turn it into reality.

      Not satisfied with their wondrous new virus vector technology, they also introduced document viruses, web viruses, and now audio viruses.

      To prevent all that virus FUD from blocking their new Active Vector technology, they made the user action for opening a harmless text file and running a deadly trojan identical. A few people got wise to that whole don't doubleclick .exe files, so they hid the extensions.

      Now we have people happily double clicking AwsomePorn.mov.exe

      Like all practical jokers (you see, a little over 10 years ago, a practical joking space alien ate Bill Gates' brain and replaced him), MS had to appear to be serious, so they added warning dialogs when you try to run things on the net. They had to, there just wasn't a plausible reason not to. The only way around it was to add so many stupid and meaningless click OK to continue dialogs all over the place that people would click OK and have no conscious recollection that the dialog was even there.

      At last, the great practical joke was back on track. Sometime in the year 2015 (probably April first), the Bill Gates alien will announce on a world wide live news conference, "I got you all, HAHAHAHAHAHAHA. Now go download a real operating system you n000bs!".

      But the joke's on him! When he tries to fly off to his next prank, he'll find that the OTHER pranking space alien filled his spaceship with free AOL install disks.

    15. Re:Nice by causality · · Score: 1

      Not user stupidity, but user ignorance. The difference between stupidity and ignorance is ignorance is curable. We're all ignorant about more things than we're knowledgeable about.

      The difference is that ignorant people know that they are ignorant, stupid people don't. I am ignorant about brain surgery; therefore, you don't see me cutting open skulls and attempting to remove brain tumors because I know that I am ignorant about brain surgery. I do not attempt to rebuild the engine in my car, because I know I do not have the skill to do it correctly. I do not try to build a rocket because I know I am ignorant about rocket science. I realize that trying to perform a complex task that I do not remotely understand is almost certainly going to be a disaster. I realize that my three choices are 1) do not perform the complex task or 2) ask/hire/beg the assistance of someone who does have the skill or 3) obtain information/education/training until I am knowledgeable enough to correctly and confidently perform the complex task.

      Stupid people assume that they know how to correctly administer a system (be it Windows, Linux, OSX, whichever) as evidenced by the fact that they choose to do so. They are stupid because it never occurs to them that perhaps they should educate and inform themselves about how the system should work and how it should be secured and what type of content should not be trusted. It does not cross their mind that until they reach a level of proficiency, perhaps they should seek advice or assistance from a reputable source or do some research. They are stupid because security warning after security warning, some of which even make the mainstream news, still does not instill in them a sense of caution. They are stupid because informing yourself can sometimes involve time and hard work, while satisfying their laziness and impatience and desire for instant gratification is more important to them than doing the job correctly. They are stupid because they can somehow manage to use a system for years without understanding the basic principles of how it works.

      I am not necessarily disagreeing with you, at all. I just see a great deal of confusion that is causing many people to defend what amounts to gross negligence. Yes, ignorance is curable, but ignorance realizes it had choices to make. Stupidity doesn't.

      --
      It is a miracle that curiosity survives formal education. - Einstein
  6. Nothing New... by mariofreak · · Score: 4, Informative

    I don't think this is anything new... I've been caught out by it before. There was a site that claimed to provide mp3 downloads, made you install a codec that just redirected all your internet requests to their proxy. I wiped the system after that.

    1. Re:Nothing New... by dreamchaser · · Score: 4, Insightful

      You should turn in your geek card for falling for that one! Any site you don't 100% trust that asks you to install a codec for a file format you can play already screams 'malware' in a loud shrill voice.

    2. Re:Nothing New... by omeomi · · Score: 1

      Any site you don't 100% trust that asks you to install a codec for a file format you can play already screams 'malware' in a loud shrill voice.

      That's good advice, but just because you can play the file format doesn't mean you have the right codec...

    3. Re:Nothing New... by Obfuscant · · Score: 2, Informative
      That's good advice, but just because you can play the file format doesn't mean you have the right codec...

      It means you have A codec that works, and all the player cares is that you have A codec that claims to work. If you can play the file format, you have both a working codec and a codec that the player knows about, so the player isn't going to tell you that you need to download another one.

      Any WEBSITE that tells you that you need to download a codec when you already have one for that format is screaming MALWARE, whether or not you want to get into an argument about which is the BEST codec or the fastest or the "right" one. "Right" is an opinion and irrelevant.

    4. Re:Nothing New... by Anonymous+Monkey · · Score: 1

      I thought that was "Exterminate!" that it shouted. You know, those pepper pot guys...Joking aside, I did my share of stupid stuff long long ago. I remember installing snood because someone said it was the best game ever, and then needing to purge my system to get rid of gator and all of its related slop. Yes, it was extremely stupid and I should have known better (I think I was 17 at the time) but I never made that mistake again. Quite frankly I think you should not get your Geek Card until after you make a few mistakes like that. It's not about making the stupid mistake, but about how you handle it that makes you a geek. End of rant (and btw, I do get that the above post is part humor and sarcasm)

      --
      We are the Borg...
    5. Re:Nothing New... by mariofreak · · Score: 1

      I was 14 at the time =]

    6. Re:Nothing New... by dedazo · · Score: 1

      Did you blame Microsoft for this? It's usually indicated.

      --
      Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo
    7. Re:Nothing New... by omeomi · · Score: 4, Informative

      It means you have A codec that works, and all the player cares is that you have A codec that claims to work. If you can play the file format, you have both a working codec and a codec that the player knows about, so the player isn't going to tell you that you need to download another one.

      That's actually not true. It's less of an issue with audio file formats, but video file formats can contain video compressed with any number of codecs, and you need the correct codec to play them. For instance, if I can play raw .avi files, but don't have the DivX codec, I can't play DivX encoded .avi files at all. I need the DivX codec.

      Any WEBSITE that tells you that you need to download a codec when you already have one for that format is screaming MALWARE,

      You are correct that many malware websites use fake codecs to install their malware, but it's just not true that any codec will work for any given file format. Just because you can open the file doesn't mean you have the right codec to view the content. It has nothing to do with the "fastest" or "best" codec. If you don't have the right codec, the video won't play back at all.

    8. Re:Nothing New... by thePowerOfGrayskull · · Score: 1

      But if you are going to a site that purports to allow you to download MP3s, and you know you can already play MP3s, there's just no excuse...

    9. Re:Nothing New... by Obfuscant · · Score: 1
      That's actually not true. It's less of an issue with audio file formats, but video file formats can contain video compressed with any number of codecs, and you need the correct codec to play them.

      Well, DUH! That's why it was important to notice that what I replied to said "a file format you can already play." That's why I wrote "if you can play the file..."

      IF YOU CAN PLAY THE FILE, YOU ALREADY HAVE THE CODEC. That's a FACT. It's either built in or has already been installed, and the player already knows which codec to run. A player that has a codec for a certain format will NOT tell you that you need to download one. A website (not the player, the website) that tells you that you must download a codec is SCREAMING malware in BIG RED LETTERS. Period.

      You are correct that many malware websites use fake codecs to install their malware, but it's just not true that any codec will work for any given file format.

      Nobody said that any codec will work for any given file format.

      Just because you can open the file...

      You are the only one talking about opening a file. I specifically spoke about, and the person who made the initial statement is talking about, files you can PLAY, not just open.

      If you don't have the right codec, the video won't play back at all.

      Well, DUH again, and that's why this discussion was about the format of FILES YOU CAN PLAY.

      I don't expect people here to RTFA, but at least read the comment you are replying to, ok?

    10. Re:Nothing New... by cbiltcliffe · · Score: 1

      From your original post:

      just because you can play the file format doesn't mean you have the right codec...

      From your parent post:

      For instance, if I can play raw .avi files, but don't have the DivX codec, I can't play DivX encoded .avi files at all. I need the DivX codec.
      ---snip---
      Just because you can open the file doesn't mean you have the right codec to view the content. It has nothing to do with the "fastest" or "best" codec. If you don't have the right codec, the video won't play back at all.

      I think you're confusing opening and playing. Or being deliberately obtuse. One or the other.

      If you can open the file and see the video, you've got the right codec, which is exactly what the GP poster was getting at. You essentially agreed with them in the parent, but somehow still managed to argue.

      --
      "City hall" in German is "Rathaus" Kinda explains a few things......
    11. Re:Nothing New... by omeomi · · Score: 1

      Well, DUH! That's why it was important to notice that what I replied to said "a file format you can already play." That's why I wrote "if you can play the file..."

      You're confusing "file format" and "codec". AVI is a file format. DivX is a codec. I can be able to play a file format, but still not be able to play a file with a specific encoding in that format.

    12. Re:Nothing New... by omeomi · · Score: 1

      If you can open the file and see the video, you've got the right codec, which is exactly what the GP poster was getting at.

      That's true. What I'm saying is that just because I can play a given file format, like .avi or .mov, doesn't mean I have the right codec to play any given file that I download in that format.

    13. Re:Nothing New... by Obfuscant · · Score: 1
      You're confusing "file format" and "codec".

      No, I am not.

      I can be able to play a file format, but still not be able to play a file with a specific encoding in that format.

      Either you can play the file or you cannot. I'm not going to waste time with a meaningless differentiation between what you want to call a format and whether you think format includes encoding or not. It's irrelevant. The condition is "if you can play the file". That's what most people consider the important part. If someone asks me for an AVI file, and I give them one they cannot play, I don't say "I gave you what you asked for", I give them a different file they can play.

      If you can play the file, you have the codec for whatever format (including encoding) that it contains. If you can already play the file (there's that same conditional clause again, ignore it at your peril), the player will not tell you that you need to download a codec for it. You may not have the "right" codec, but you have a working codec. That is a fact. You claimed I was wrong.

      Now, if I am wrong, tell me how you can play the file and NOT have a working codec for it. (And when I say "play", I mean plays correctly. I don't consider garbage displays or half the content to be "playing" a file.) If you can play an AVI file, you have the codec for it. It is absolutely irrelevant WHAT codec it required or how you split the file contents up between "format" and "encoding", you must already have the codec or you could not play the file.

      Further, if you can play the file (not just "open"), your player will not tell you to download another codec. It has already been configured to know what codec to use -- or else you wouldn't be able to PLAY THE FILE. So, when ANYTHING tells you that you MUST download a codec to play a file that you can already play, it is shouting MALWARE.

    14. Re:Nothing New... by omeomi · · Score: 1

      Look, your initial comment was "if you can play the file format, you have both a working codec and a codec that the player knows about, so the player isn't going to tell you that you need to download another one.". If you had just left out the word format, I would have had no complaints.

    15. Re:Nothing New... by Anonymous Coward · · Score: 0

      You don't understand a thing about video files do you?

      You said "If you can play the file format, you have both a working codec and a codec that the player knows about", which is incorrect. The file format (container) is not the same thing as video stream format and audio stream format.

      AVI, MKV, etc are containers/file formats. These containers can encompass any number of video or audio streams in any video or audio format. For example, you might be able to play an AVI/MKV that contains an h.264 video stream(s) and MP3 audio stream(s) perfectly fine because you have the codec for those particular video/audio formats, but you might not be able to play an AVI/MKV that contains a ZMBV video stream(s) and AC3 audio stream(s) because you don't have the codecs for those video/audio formats. The playability of a video file format is absolutely no assurance that you will be able to play all videos using that same container type.

      In addition, even if you can play a particular video, you still may not have the codec for it. For example, if you use VLC, MediaCoder or another player, converter or editor that has built in support or uses its own codec plugins, your system may not have the same codecs installed. This is important for applications that require system/global codecs in order to function correctly (ie. VirtualDub and Windows Media Player).

      It looks to me like you are getting bent out of shape because you wanted to appear as if you know what you are talking about and omeomi corrected you.

    16. Re:Nothing New... by UncleTogie · · Score: 1

      For instance, if I can play raw .avi files, but don't have the DivX codec, I can't play DivX encoded .avi files at all. I need the DivX codec.

      Yes, but why would you trust a codec from a site you've never heard of before? There are far more reliable and trustworthy download locations other than www.JimBobRoysEmporiumOfMusic.com....

      It's the same idea with food. If someone on the street sells you a cheap hot dog, and turns away while adding "the Chef's secret sauce" under their trenchcoat, you're still the one ultimately responsible for the decision to eat said wiener.

      --
      Don't tell me to get a life. I'm a gamer; I have LOTS of lives!
    17. Re:Nothing New... by Anonymous Coward · · Score: 0

      It has nothing to do with the "fastest" or "best" codec. If you don't have the right codec, the video won't play back at all.

      If you have an MPEG-4 codec you can play DivX, XviD and all things MPEG-4 cause on the decoder side, they're all the same. You can install the XviD codec and play DivX files just fine for example.

    18. Re:Nothing New... by cbiltcliffe · · Score: 1

      Ok...I see what you're getting at. It just wouldn't be my choice of words, that's all.

      When I say you can play a file format, "play", to me, means that you can see the video.

      To you, it means you've got a program that says "Hey! That's an .avi file! I can open that!"

      You mean you can open the container. I mean you can deal with what's in the container.

      Damn ambiguous languages like English. Why can't all languages be simple and obvious, like Perl. :)

      --
      "City hall" in German is "Rathaus" Kinda explains a few things......
    19. Re:Nothing New... by Anonymous Coward · · Score: 0

      That's actually not true.

      It is if you allow him the generous definition of "file format" = {encapsulation format}+{codecs required to play streams}. You don't need a codec to demux an AVI (every media player knows how to do that already), you need codecs to play the streams that are inside. I'm pretty sure he already knew that...

    20. Re:Nothing New... by luke923 · · Score: 1

      That's why I use VLC. If VLC can't play it, I probably don't want to watch it; either that, or they'll come out with an update so I can. After all, VLC comes built-in with every legit codec installed, and, even though it doesn't use the codecs installed in WindWoes, it actually runs faster and w/ a smaller memory footprint than WMP.

      --
      "Good, Fast, Cheap: Pick any two" -- RFC 1925
    21. Re:Nothing New... by clone53421 · · Score: 1

      Damn ambiguous languages like English. Why can't all languages be simple and obvious, like Perl. :)

      Damn straight. There might be two dozen different scripts that do exactly the same thing in PERL, but any one PERL script will only do one thing. There's no ambiguity at all... ;-)

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
    22. Re:Nothing New... by mariofreak · · Score: 1

      I don't blame Microsoft for it. I blamed my own stupidity and being so stupid (being 14 at that time). Why would I blame Microsoft for the problem when it was obviously my fault?

    23. Re:Nothing New... by Obfuscant · · Score: 1
      Look, your initial comment was "if you can play the file format, you have both a working codec and a codec that the player knows about, so the player isn't going to tell you that you need to download another one.".

      That was the initial statement from a couple of comments above. It is also the truth. If you can play it, you already have the codec for the data in it.

      If you had just left out the word format, I would have had no complaints.

      No, you would have picked some other part of the comment to avoid reading, just like you pretended that someone said that any codec will play any encoding and jumped on me for that, or started talking about being able to open the file when the verb was and still is "play".

      I told you that I am not interested in debating with you your line between format and encoding. "Format" is a perfectly valid way to refer to the complete structure of a file, which includes not only the file extension that windows wants to apply to it, but the structure of the data within the file (e.g., how it is encoded). To stop at the first level of structure and call only that the format is an artificial distinction that most people ignore. The DivX encoding follows a certain format for that data or else you couldn't read it.

      Now, tell me how you play a file without having the codec for it. And if you want to be strictly pedantic in every word you use, tell me how you can claim to play a file format if you don't have the codec for the data in those files. Exactly what result do you get when you play a file of a specific "format" if you don't have the codec, and in what language would whatever that result is be called "playing"?

      "I can play AVI files, too. They all only display a warning that I need a codec, but other than that, they play just fine. Did I like the movie in that file? I don't know, I never got past the 'need a codec' warning. But it played just fine." If my boss said that to me after I gave him an AVI of something, I'd think he was nuts. Either it plays or it doesn't. Don't say it plays if it does not.

      This argument is silly. I am quite correct in saying if you can play a file you have the codec. If you can play a file formatted as an AVI, you already have the codec for whatever encoding it's in. The operative word is "play", not "format". Don't tell me you can play a file in AVI format without the codec, because you can't, and you've not yet explained how you do this, if you can.

    24. Re:Nothing New... by Obfuscant · · Score: 1
      You mean you can open the container. I mean you can deal with what's in the container.

      Bingo. Exactly. "Open" wasn't the verb being used. "Play" was, with all the connotations that includes.

    25. Re:Nothing New... by dedazo · · Score: 1

      Don't pay attention to me, I was trying to be funny =)

      --
      Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo
  7. Microsoft only threat? by UnknowingFool · · Score: 2, Interesting

    Can anyone comment about the possible risk to non Windows machines? Well it appears that IE is affected as well as the ASF format. The Trojan itself appears to be Windows only. Does anyone know if FF or other browsers can be used? Also I don't know much about the ASF container but if you run it in another player like iTunes will it still activate?

    --
    Well, there's spam egg sausage and spam, that's not got much spam in it.
    1. Re:Microsoft only threat? by UnknowingFool · · Score: 4, Informative

      Geez, take a pill. The Trojan appears to have a very complex activation, and I asked for clarification and more detail. The article seemed to state that IE, ASF (Windows Media Player), and Windows were required. What if I'm using FF, WMP, and Windows? How about FF, iTunes, and Windows? How about Safari, iTunes, and Windows? Nowhere in my post did I mention Linux, OS X, or Unix.

      --
      Well, there's spam egg sausage and spam, that's not got much spam in it.
    2. Re:Microsoft only threat? by sesshomaru · · Score: 1
      Well, I haven't actually looked at one of these yet, but I'm suspecting that the infection vector is Windows Media Player and P2P downloaders that preview things using Windows Media Player.

      The rule is that if you are downloading files from a suspect place, it will have malware in it. I once downloaded something that had an impact both in Windows and Linux, it was a somewhat sophisticated design. (Basically, a payload of useless files that were treated as read only both by Windows and my Linux install.)

      For MP3s? Well, you could always make MP3 CDs and DVDs out of them and play them on a CD/DVD player with MP3 capability. It won't be able to do anything to them, but it probably won't tell you if it is infected or not. You could also try something like a GeeXBox boot disk. Of course, caveat emptor on suspicious MP3 files, here translated "let the downloader beware."

      --
      "MIT betrayed all of its basic principles."
    3. Re:Microsoft only threat? by Fishbulb · · Score: 1
      I second that. I admit, I have downloaded an mp3 or two from the net (mostly stuff I just can't find in print still since my music tastes are...eccentric). I don't use Windows much, but I do use iTunes on it, and share the mp3s from a server.

      But aside from that, I like to know that the files on my systems are clean.

      So, yeah, I'd be specifically interested in any utility that could scour a directory of mp3s and tell me if any have such trappings.
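
A check of the kind asked for in the comment above, as an added example that is not part of the original thread: it walks a directory, compares each file's leading bytes with what its name claims (an `.mp3` that is really an ASF container, or a double extension such as `.mp3.exe`), and lists any script commands an ASF header carries, which is one place the format can hold a URL. Object GUIDs and field layouts follow the public ASF specification; the function names, the sample files and the `example.invalid` URL are constructed for illustration.

```python
import struct
import tempfile
import uuid
from pathlib import Path

# Object GUIDs from the public ASF specification, in on-disk (bytes_le) order.
ASF_HEADER = uuid.UUID("75B22630-668E-11CF-A6D9-00AA0062CE6C").bytes_le
ASF_SCRIPT_COMMAND = uuid.UUID("1EFB1A30-0B62-11D0-A39B-00A0C90348F6").bytes_le

def sniff(data):
    """Classify content by its leading bytes, ignoring the file name."""
    if data[:16] == ASF_HEADER:
        return "asf"
    if data[:2] == b"MZ":
        return "exe"
    if data[:3] == b"ID3":
        return "mp3"  # ID3v2 tag in front of the audio frames
    if len(data) > 1 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0:
        return "mp3"  # MPEG audio frame sync: eleven set bits
    return "unknown"

def _wstr(buf, pos):
    """Read a WORD character count plus that many UTF-16LE characters."""
    (count,) = struct.unpack_from("<H", buf, pos)
    end = pos + 2 + 2 * count
    if end > len(buf):
        raise ValueError("string runs past the object")
    return buf[pos + 2:end].decode("utf-16-le", "replace").rstrip("\x00"), end

def _parse_script(body):
    """Decode (type, text) pairs; the body opens with a 16-byte reserved GUID."""
    out = []
    try:
        n_cmds, n_types = struct.unpack_from("<HH", body, 16)
        pos, types = 20, []
        for _ in range(n_types):
            name, pos = _wstr(body, pos)
            types.append(name)
        for _ in range(n_cmds):
            _time, idx = struct.unpack_from("<IH", body, pos)
            text, pos = _wstr(body, pos + 6)
            out.append((types[idx] if idx < len(types) else "?", text))
    except (struct.error, ValueError):
        pass  # truncated or malformed object: keep what parsed cleanly
    return out

def script_commands(data):
    """Return the script commands found in an ASF header, if any."""
    found = []
    if len(data) < 30 or data[:16] != ASF_HEADER:
        return found
    end = min(struct.unpack_from("<Q", data, 16)[0], len(data))
    pos = 30  # GUID + size + object count + two reserved bytes
    while pos + 24 <= end:
        size = struct.unpack_from("<Q", data, pos + 16)[0]
        if size < 24 or pos + size > end:
            break  # bad object size: stop rather than guess
        if data[pos:pos + 16] == ASF_SCRIPT_COMMAND:
            found += _parse_script(data[pos + 24:pos + size])
        pos += size
    return found

def scan(root, exts=(".mp3",)):
    """List files whose name claims audio but whose content disagrees."""
    findings = []
    for path in sorted(p for p in Path(root).rglob("*") if p.is_file()):
        with path.open("rb") as fh:
            data = fh.read(1 << 20)  # header objects sit at the start
        kind = sniff(data)
        mismatch = path.suffix.lower() in exts and kind != "mp3"
        double = Path(path.stem).suffix.lower() in exts
        if mismatch or double:
            why = "double extension" if double else "name/content mismatch"
            findings.append((path.name, f"{why}: {kind}", script_commands(data)))
    return findings

def build_sample_asf(url):
    """Constructed test input: header-only ASF with one script command."""
    def wstr(s):
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")
    body = bytes(16) + struct.pack("<HH", 1, 1) + wstr("URL")
    body += struct.pack("<IH", 0, 0) + wstr(url)
    obj = ASF_SCRIPT_COMMAND + struct.pack("<Q", 24 + len(body)) + body
    return ASF_HEADER + struct.pack("<QIBB", 30 + len(obj), 1, 1, 2) + obj

def demo():
    samples = {  # constructed sample files, written to a temporary directory
        "real.mp3": b"ID3\x03\x00" + bytes(32),
        "track.mp3": build_sample_asf("http://example.invalid/codec"),
        "song.mp3.exe": b"MZ" + bytes(32),
    }
    with tempfile.TemporaryDirectory() as root:
        for name, blob in samples.items():
            Path(root, name).write_bytes(blob)
        return scan(root)

if __name__ == "__main__":
    for row in demo():
        print(row)
```

Point `scan()` at a music folder to use it on real files. A finding means the name and the content disagree and the file deserves a closer look with an up-to-date scanner.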

    4. Re:Microsoft only threat? by UnknowingFool · · Score: 1

      The rule is that if you are downloading files from a suspect place, it will have malware in it.

      True, but I've read some reports where ordinary websites are being unwittingly hijacked to spread malware. This makes it harder for ordinary users to know what to click on and what not to click on. It used to be you could play a sound file and be assured it was okay. Also hackers were able to inject malware without the visitor downloading anything. Personally, I visited some forums about gaming recently and got a worm even though I didn't download anything. The file format disguised itself as PDF but like I said, I didn't download anything from that site.

      --
      Well, there's spam egg sausage and spam, that's not got much spam in it.
    5. Re:Microsoft only threat? by causality · · Score: 1
      Jealous much?

      *When* people start using Linux en masse (which will NEVER happen because the Linux community doesn't know the first thing about marketing itself or user interface design or making the transition easy), THEN there will be an incentive to actually write viri for Linux.

      That the Linux community is not a marketing machine is 100% a Good Thing to me. I would probably end up enjoying Linux less if there were a corporate financial interest that competed with the community's current interest in producing useful software (of course if you WANT corporate support you can do that too via Redhat and others, it just isn't necessary with Linux). In a nutshell, that's Windows' biggest problem; the company is run by marketing and not by software engineering. You do realize that the primary purpose of Windows is to make money for Microsoft and its shareholders and that any benefit or usefulness to you is entirely secondary to that primary purpose, right? At fulfilling its primary purpose, Windows has been phenomenally successful. At being useful to me (keywords: "to me"), Windows has been substandard and I am glad to use a better alternative. Linux satisfies my computing needs and it does so whether most other people use Windows or not, so why would I care about marketing? This is a real question, I'd like to see your answer.

      --
      It is a miracle that curiosity survives formal education. - Einstein
    6. Re:Microsoft only threat? by clone53421 · · Score: 1

      What if I'm using FF, WMP, and Windows?

      Don't you still have IE? I'm not sure if it'll use your "default browser" or if it will kickstart IE, but either way, it's a security flaw. Also, I don't like popups of any kind, so even if the browser exploit is IE-only it's still irritating.

      How about FF, iTunes, and Windows? How about Safari, iTunes, and Windows?

      Depends. Does iTunes launch the hyperlinks in ASF files? If so, you're vulnerable. (There are media players that won't. VLC won't, for one.)

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
    7. Re:Microsoft only threat? by clone53421 · · Score: 1

      I believe VLC won't launch the hyperlinks in the ASF.

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
    8. Re:Microsoft only threat? by Anonymous Coward · · Score: 0, Insightful

      ChuckSchwab here. Okay, good questions, and I've got some good answers. I have to post anon, and won't be able to respond much beyond this post (because some jerks set me to Terrible karma) so I'll try to give the most complete answer I can. Here goes:

      You're equating "marketing" with "all the negative connotations I associate with the term 'marketing'". By "marketing" I simply mean being able to present a case to the average person -- THAT HE SEES -- why he should switch, and how he should do it.

      Here, corporate financial interest is an issue. It's like this:

      Reaching the layman takes MONEY. But if you spend that money and create a complete, self-contained, easy-as-pie package ... so can someone else. They will COPY. They will take your work and undercut you. In the store, they will see "Hey ultra-cool linux conversion kit, which you have been persuaded of the merit of, only $49.99" (actually, $50 because they're ethical). And also, "Hey, exact same thing, that you were convinced of, only $9.99 because we copied those other guys."

      And so we see, copyright is critical to generating the funds necessary to get folks to come over. And those very folks are valuable TO YOU. More Linux folks = more justification to write software for Linux.

      This is where I dispute your claim that Linux is useful TO YOU. Where is your Linux photoshop equivalent? Your games?

      Yeah, you got the programs that someone got around to. But for other stuff, the newest stuff, the folks with the CASH to hire people WITH A GODDAMN CLUE about interface design, ain't gonna write for Linux -- no people there.

      Now, maybe I'm wrong. Maybe every conceivable thing you will ever want to do, you can do right now (or at least have the software to on Linux). But then look at the broader perspective: what about average people, who can't do the stuff, the hacks, the kludges, the troubleshooting, that you find so easy? That you don't even *notice* as being hard to others? Why would *they* switch?

      I tried to switch to Linux myself. I'm pretty technically inclined (ignore my troll posts). I ran into inexcusable problems. Not just any problems -- problems that could have been avoided early on with a teensy pinch of care to making it accessible for the masses.

      Marketing, in other words.

      The Linux community *could* take over the home desktop market. But they refuse. They refuse to recognize the value of each additional person, and get on their knees for anyone who wants to join on. They refuse to write idiot-proof conversion packages and pay to get the knowledge of their existence into people's minds. Because, fundamentally, they don't *want* people to join. It's *their* system. (I can even see in your tone how you'd hate for myspace kiddies to be using Linux, even if it didn't involve that evil corporate marketing.)

      All I ask is that you stop being schizophrenic. Either:

      -Accept that Linux is 1337, and accept the low marketshare and developer interest.
      -TRY to get people to join, and ponder why no one does.

      Don't do these half-assed efforts while confounded as to why people aren't joining.

      Hope that answers your question. :-)

    9. Re:Microsoft only threat? by g0bshiTe · · Score: 1

      I say we ask MS to give us the option to uninstall IE totally from a Windows system. If I use Opera, or Moz, or whatever I like IE is just taking HD space.

      --
      I am Bennett Haselton! I am Bennett Haselton!
    10. Re:Microsoft only threat? by advocate_one · · Score: 2, Informative

      Nowhere in my post did I mention Linux, OS X, or Unix.

      yes you did... here right in the first line of your OP

      Can anyone comment about the possible risk to non Windows machines?

      --
      Donald 'Duck' Dunn: We had a band powerful enough to turn goat piss into gasoline.
    11. Re:Microsoft only threat? by thePowerOfGrayskull · · Score: 1

      My understanding is that the "codec" download page is explicitly launched in IE. I /think/ winamp still uses DirectShow for ASF files; which would mean that WMP is still getting invoked (and thus IE).

    12. Re:Microsoft only threat? by thePowerOfGrayskull · · Score: 1

      More Linux folks = more justification to write software for Linux.

      And that shows a fundamental lack of understanding of why OSS people write software. Unless by 'people' you mean 'corporations'; which then shows a fundamental misunderstanding of GP's post.

    13. Re:Microsoft only threat? by thePowerOfGrayskull · · Score: 1

      Not that easy. A large number of third party applications embed portions of IE functionality (ranging from GUI control styles to embedded web browsers - yes Quicken I'm talking to YOU you POS) removing it would break those applications.

    14. Re:Microsoft only threat? by QRDeNameland · · Score: 1

      I've seen so many weird things launch from WMP over the years that my solution is to make sure that no media files types are associated with it. If on the rare occasion I need to play a WMV that has problems in VLC, I just do a right-click "Open with...".

      Does anyone know for sure whether or not this vector can be launched from other media players? My guess is not.

      --
      Momentarily, the need for the construction of new light will no longer exist.
    15. Re:Microsoft only threat? by Anonymous Coward · · Score: 0

      Look troll: You're an idiot. Enjoy your play-skool interface, Mc Donalds crapware. Using the windows interface is like a sharp stick in the eye, it's such a mess with no functionality. I mean we are talking about file extensions, a windows idea. Oh and don't forget to reboot. Pure shit. Popularity is not a measure of security. You know how many hackers out there who are DYING to be the first to write a successful trojan/virus on linux desktops? We don't want to market ourselves, so go give Balmer a BJ, stay an uninformed drone, and go back to Digg.

    16. Re:Microsoft only threat? by Vexorian · · Score: 1

      A lot of people and companies use Linux. And the OP was not implying that non-windows OS are safer, he was just asking if this issue was windows-only. A question you utterly failed to answer. May I say fuck off?

      --

      Copyright infringement is "piracy" in the same way DRM is "consumer rape"
    17. Re:Microsoft only threat? by UncleTogie · · Score: 1

      The file format disguised itself as PDF but like I said, I didn't download anything from that site.

      Either the page didn't display at all, or you WERE engaged in the downloading of material from that site...

      --
      Don't tell me to get a life. I'm a gamer; I have LOTS of lives!
    18. Re:Microsoft only threat? by benwaggoner · · Score: 1

      This doesn't have anything to do with browsers, other than that the exploit also requires a browser that will allow malware to install.

      I have more details below, but basically this requires all of:

      1) An "infected" file being opened
      2) The user had previously changed a default WMP security setting
      3) The user ignores a warning dialog
      4) A default web browser that allows a malicious URL to install malware

    19. Re:Microsoft only threat? by janrinok · · Score: 1

      I am not the OP you were responding to, but I think that you have missed the point(s):

      Reaching the layman takes MONEY.

      Why should we try to reach the layman, or anyone else for that matter? Those that want to use linux can, those that want to stay with Windows are welcome to it. There isn't a desire, or need, to increase the user base. The linux community can survive at its current size. More would be welcome, but they are not essential for linux to continue.

      This is where I dispute your claim that Linux is useful TO YOU. Where is your Linux photoshop equivalent? Your games?

      What does Photoshop do that I need that GIMP doesn't? GIMP serves me well, thank you. Oh, and I don't play games. Not because I can't, but I grew up quite some time ago and don't need to play games on my computer. Now, a good board game with members of my family, well that is something different....

      I tried to switch to Linux myself. I'm pretty technically inclined (ignore my troll posts). I ran into inexcusable problems.

      So linux isn't for you. OK, we will get over it. Perhaps it just isn't your scene, or perhaps you are not as 'pretty technically inclined' as you think you are. But neither is my wife, and she uses it daily, nor my father-in-law, who is in his 70s but has no problem with it.

      You seem to have made the assumption that linux and Windows are in some kind of competition. They're not. Linux is an alternative that, for those who want to try it, will probably meet their needs and then some. But for those that want to continue paying Microsoft or Apple, be my guest. The recent popularity of some linux distros, particularly Ubuntu and Suse, has brought new users who think that the only purpose of linux is to defeat Microsoft. That's not the way that I, and many others, see it.

      Don't do these half-assed efforts while confounded as to why people aren't joining.

      Joining what? It's not a club. Nor are we on different 'sides' in some kind of battle. If you like linux then great, if not, make your own choice of OS and live your life. It's not a big philosophical thing...

      --
      Have a look at soylentnews.org for a different view
    20. Re:Microsoft only threat? by Anonymous Coward · · Score: 0

      Wow, you don't seem to be very bright. You act like I've cast this into a giant competition, a battle.

      I did no such thing. I'm just stating the obvious fact that if you want folks to write good software for linux, there has to be a market to justify it. Yeah, you can rely on the little open source projects hobbled together by folks that don't like doing all the tedious work. Good for you. But there seem to be a lot of pros out there doing real work that seem to swear by their Photoshop.

      If you stay in your little basement world, you obviously don't care about any software beyond your browser, your Office suite, and your compiler. Great! But there *is* an abundance of software people use beyond that.

      Your wifey has no problem with Linux? WOW, I am *so* shocked. Let me guess ... you obtained it and installed it and did the troubleshooting and handholding and teaching, right? Congratulations on missing the fucking point.

    21. Re:Microsoft only threat? by sm62704 · · Score: 1

      If your OS can play a DRMed file, you're at risk. However, there's very little chance that Mac or Linux will be infected unless there's a Mac or Linux executable in the bogus codec.

      In short, yes you're at risk from terrorists but you're far, far more at risk from cancer or heart disease. If you're not running Windows the risk is only theoretical. It's not enough of a risk to worry about.

      --
      mcgrew's razor: Never attribute to stupidity that which can be explained by greedy self-interest
    22. Re:Microsoft only threat? by janrinok · · Score: 1

      By "marketing" I simply mean being able to present a case to the average person -- THAT HE SEES -- why he should switch, and how he should do it.

      And so we see, copyright is critical to generating the funds necessary to get folks to come over.

      Why would *they* switch?

      The Linux community *could* take over the home desktop market.

      No, I didn't miss the 'fucking' point (hey, isn't it big to use naughty words....!). Your quote was asking why people were not switching, as though you think that someone should be trying to persuade them to do so. If that isn't the point you were trying to make, could you please try stringing some words together that explain your case, preferably without the profanities. I don't stay in my basement but I haven't got your view of the world either. There is funding for Linux projects available, and quite a few of the big names in Linux are employed and continue to work on their software with their employer's blessing.

      Do you have a particular piece of software in mind that needs writing? If so, and assuming that you are competent to do so, why don't you write it or at least offer to fund it?

      Yeah, you can rely on the little open source projects hobbled together by folks that don't like doing all the tedious work

      OK, I'm retired now but I was employed for quite some years writing real-time software for military avionic and weapons systems. My browser, my Office suite, and my compiler all seem to be well written and supported, in my most humble opinion.

      --
      Have a look at soylentnews.org for a different view
    23. Re:Microsoft only threat? by clone53421 · · Score: 1

      Does anyone know for sure whether or not this vector can be launched from other media players? My guess is not.

      Not, at least not in the players that were intelligently written and don't cater to obvious security flaws like "launch arbitrary web site".

      Between VLC and Media Player Classic, I can play just about everything I need to... well, except those hi-definition videos. They don't render at all, or I get about 1 frame/sec. My computer is slow... :-(

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
    24. Re:Microsoft only threat? by natebarney · · Score: 1

      $ echo "Can anyone comment about the possible risk to non Windows machines?" | grep -i 'linux\|unix\|os\s*x\|mac'
      $

    25. Re:Microsoft only threat? by natebarney · · Score: 1

      That'll teach me to post regexes before testing them. Make that:

      $ echo "Can anyone comment about the possible risk to non Windows machines?" | grep -i 'linux\|unix\|os\s*x'
      $

    26. Re:Microsoft only threat? by causality · · Score: 1

      You're equating "marketing" with "all the negative connotations I associate with the term 'marketing'". By "marketing" I simply mean being able to present a case to the average person -- THAT HE SEES -- why he should switch, and how he should do it.

      I realize it's extremely widespread, and is in fact THE prevalent view of life on earth. However, I just don't share this idea that people need to be told what they need and what they should and shouldn't want. I am also unconcerned with the fact that our economy might collapse or suffer if everyone agreed with me about this, since advertising and consumerist culture is such a big part of it; to me, if that happened, it would be because it was built on a faulty foundation to begin with. Note, I am not against businesses or marketplaces in the slightest, but I believe that the proper role of these artificial constructs is to serve and respond to people, not the other way around. If I am against anything, I am against people being so sheeplike and so easily led and so thoughtless that glossy ads matter more to them than sincere inquiry. I can certainly see that most people allow this to happen and that many of them might even believe this to be convenient. "Average" or not, if a person makes an assessment of what is available and finds something that he really likes that meets his needs, good for him. If he fails to find such a thing, that is not my concern unless he asks for my assistance. If he cannot be bothered to look, that is a personal shortcoming that must be resolved by that person.

      Most of the rest of your post seems to assume that there must be this big contest, a struggle for domination of the desktops of the world. Either Linux displaces Microsoft and wins the day, or Linux fades away and Microsoft retains their iron grip. I can see how Microsoft might feel that way, but I am not Microsoft, nor do I own any of their stock (nor would I allow it to compromise my refusal to get caught up in another silly us-against-them group identity if I did). That you ask me to "stop being schizophrenic" because I can happily accept that Linux might be a terrible choice for you and might utterly fail to meet your needs amuses me, since I do not assume that what satisfies me must also satisfy you.

      I have no need to convert anyone, nor would I easily respect a person who completely changed his preferences just because I told him I believe it's a good idea. I like what I like and I have reasons for that which I am glad to share with other people, but this does not mean that what they use is my decision. When I say that Windows is compromised because it is primarily market-driven (that is, designed to make money), it's because there is something of a conflict of interest between developing the finest software you can possibly create and minimizing your costs in order to make more profit. As a business decision, it makes little difference to you whether users absolutely love your product or whether they are merely not annoyed with it enough to switch to something else, so long as you can make sales and move product and satisfy shareholders. This is true whether Linux takes over the desktop or not.

      --
      It is a miracle that curiosity survives formal education. - Einstein
    27. Re:Microsoft only threat? by Anonymous Coward · · Score: 0

      You're such a douchebag.

  8. Data vs Program by mlwmohawk · · Score: 5, Insightful

    Microsoft has a SERIOUS design pathology. They too often confused "data" with "program." Every G.D. thing in Windows can, in some way, initiate an action. This is a problem.

    A "music" file should be data. E-mail should be DATA! This is absolutely crazy. Making everything capable of being interpreted as programmatic content is at best a security flaw.

    1. Re:Data vs Program by Anonymous Coward · · Score: 2, Funny

      You mean just have it read X bytes of data and stop!? But how would they have supercyberhyperwebbrowsing? I want gimmicks not reliability.

    2. Re:Data vs Program by Zoltair · · Score: 2, Informative

      I am not so sure it is a MS issue, they are developing "by popular demand". Computer users (yourself included, me too!) have demanded more automation, they want less user interaction, thus MS and everybody else will develop for these wants. I remember when email was just that data!, had to uuencode/uudecode anything binary, Gopher was the WWW back then, automation has removed that need, but it has also left us all open to attack. If it were not for our need and desires for this automation, we would all still be using MS-DOS or Unix....

    3. Re:Data vs Program by Anonymous Coward · · Score: 0

      Coming from Windows to a Linux distro, this was actually very confusing to me, but I get what you're saying.

    4. Re:Data vs Program by geogob · · Score: 2, Informative

      I don't agree with your evaluation. As I understand it, the asf contains a download link for the codec. The player Program for the file (most likely windows media player components) initiates the "please download this missing codec" action using the information within the ASF container (link to the trojan/worm).

      This is the problem right here: Using corruptible information for a system-sensitive operation. WMP should only initiate such a download from a secure and authenticated source on the internet or use its own pre-defined sources, like windows update.

      This is a "good" user-friendliness feature for users who don't like to be put in front of a simple "missing codec" cryptic error. But so many user-friendliness features tend to lead, if badly implemented, to major vulnerabilities through common user-behavior attacks.

      It's all "data". The problem is how this data is handled by the system components. More importantly is how unverified (and unverifiable - and potentially corrupted) data can be used for system sensitive operations. Worse, how this can be done fooling the user to think it's a normal and appropriate measure. This is a FAIL in user psychology and end user system design.

    5. Re:Data vs Program by mlwmohawk · · Score: 2, Insightful

      Computer users (yourself included, me too!) have demanded more automation,

      Speak for yourself. I don't want "automation" and most of my family and friends get confused by it, "Hey, why is it doing that?" is the typical response.

      they want less user interaction, thus MS and everybody else will develop for these wants.

      You are confusing "wanting it to work" and "automation." Clicking, or double clicking, on an icon in a window and having the correct player pop up and play the file correctly is what people want. That is, in fact, *all* they want. No one asked for media files that would "automate" anything.

      Users don't even understand computers at the level where they could ask for such a thing. If they did, they wouldn't even ask. I submit that much of the push for programmatic content within media is from the *IAA types looking to extend control.

      I remember when email was just that data!, had to uuencode/uudecode anything binary

      There is no reason why an email message has to contain programmatic content for an email program to be able to properly decode an attachment. That's what MIME types are all about.

    6. Re:Data vs Program by Applekid · · Score: 1

      A "music" file should be data. E-mail should be DATA! This is absolutely crazy. Making everything capable of being interpreted as programmatic content is at best a security flaw.

      I'm not going to dispute that, I fully agree. In a sense, though, the infected "mp3" file is still just data... it's the codec library that's malicious. It's no different than files wrapped in that damned Zango codec that's basically just malware on top of an existing mpeg-4 decoder.

      The splitting of codec versus player I think was a great development that's been pretty much made obsolete by huge storage space, GHz range processors, and codec packs like K-Lite and DefilerPak. My personal (and admittedly antiquated) view is that a player shouldn't automatically know how to decompress every random, trivial, academic, color-of-the-week compression format and should defer to some kind of library with a plug-in system so you have only the codecs you need.

      The problem here is really two-fold:
      1) Downloading untrusted, unsigned codecs. It's usually agreed that an open environment is great, but, in an open environment you can't demand codecs be signed by a central, possibly competing, authority. Damned if you do, damned if you don't. The alternative would be not letting the player/library download codecs at all, in which case you'd just have another step to trick users into running malicious code.

      2) Playing ".mp3" files that aren't mp3 files. If it doesn't follow the format the extension suggests, should a good player make a reasonable attempt to find out what formats it DOES fit and play it (the "it should just work" philosophy) or should it crash and call the user an idiot? If a player is going to interpret a file with an mp3 extension as a generic file it has to discover its format to play, why bother having extensions at all?

      I don't think it's a "leave it to Microsoft to blahblahblah" thing. It's just a thing that came out of having a world where you CAN download code AND data, and that hasn't ever been limited to the Windows world.

      --
      More Twoson than Cupertino
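The mismatch raised in point 2 above, and in the story summary (WMA audio in an ASF container that keeps its .mp3 name), can be detected from a file's leading bytes rather than its extension. The Python below is an added example, not code from the thread or from any vendor; the sample files it writes are constructed stubs, and treating the ASF Script Command Object as the place where embedded links live is an assumption the page does not state.

```python
import os
import struct
import tempfile
import uuid

# ASF stores GUIDs with the first three fields little-endian (bytes_le).
ASF_HEADER_GUID = uuid.UUID("75B22630-668E-11CF-A6D9-00AA0062CE6C").bytes_le
# Assumption (not stated on the page): embedded links live in this header object.
ASF_SCRIPT_COMMAND_GUID = uuid.UUID("1EFB1A30-0B62-11D0-A39B-00A0C90348F6").bytes_le


def sniff_container(head):
    """Classify a file by its leading bytes, ignoring its name."""
    if head[:16] == ASF_HEADER_GUID:
        return "asf"
    if head[:3] == b"ID3":
        return "mp3"  # ID3v2 tag, normally followed by MPEG audio frames
    if len(head) >= 2 and head[0] == 0xFF and (head[1] & 0xE0) == 0xE0:
        return "mp3"  # bare MPEG audio frame sync (11 set bits)
    return "unknown"


def asf_header_objects(data):
    """Yield (guid, payload) for each object inside the ASF Header Object."""
    if len(data) < 30 or data[:16] != ASF_HEADER_GUID:
        return
    header_size, count = struct.unpack_from("<QI", data, 16)
    end = min(header_size, len(data))
    pos = 30  # 16 GUID + 8 size + 4 object count + 2 reserved bytes
    for _ in range(count):
        if pos + 24 > end:
            break  # truncated or lying header: stop instead of reading past it
        size = struct.unpack_from("<Q", data, pos + 16)[0]
        if size < 24 or pos + size > end:
            break
        yield data[pos:pos + 16], data[pos + 24:pos + size]
        pos += size


def inspect_file(path, max_header=1 << 20):
    """Compare what the extension claims with what the content is."""
    with open(path, "rb") as fh:
        data = fh.read(max_header)
    kind = sniff_container(data)
    ext = os.path.splitext(path)[1].lower()
    has_script = kind == "asf" and any(
        guid == ASF_SCRIPT_COMMAND_GUID for guid, _ in asf_header_objects(data))
    return {"path": path, "extension": ext, "content": kind,
            "disguised_asf": ext == ".mp3" and kind == "asf",
            "script_commands": has_script}


def scan_tree(root):
    """Return findings for every *.mp3 under root whose content is really ASF."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".mp3"):
                finding = inspect_file(os.path.join(dirpath, name))
                if finding["disguised_asf"]:
                    hits.append(finding)
    return hits


def asf_object(guid, payload=b""):
    """Serialize one ASF object: GUID, 64-bit total size, payload."""
    return guid + struct.pack("<Q", 24 + len(payload)) + payload


def build_constructed_samples(root):
    """Write tiny constructed stubs (not playable media) for the demo."""
    # Script Command Object carrying zero commands: reserved GUID + two counts.
    script = asf_object(ASF_SCRIPT_COMMAND_GUID,
                        bytes(16) + struct.pack("<HH", 0, 0))
    with_script = (ASF_HEADER_GUID
                   + struct.pack("<QIBB", 30 + len(script), 1, 1, 2) + script)
    empty_asf = ASF_HEADER_GUID + struct.pack("<QIBB", 30, 0, 1, 2)
    samples = {
        "genuine.mp3": b"ID3\x03\x00\x00\x00\x00\x00\x00" + b"\xff\xfb\x90\x00",
        "disguised.mp3": with_script,   # ASF content behind an .mp3 name
        "honest.wma": empty_asf,        # ASF content with a matching name
    }
    for name, blob in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(blob)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_constructed_samples(root)
        for hit in scan_tree(root):
            print(hit)
```

Only the first megabyte of each file is read, which is enough for the signature check and for header objects of ordinary size.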
    7. Re:Data vs Program by 1u3hr · · Score: 1

      I am not so sure it is a MS issue, they are developing "by popular demand". Computer users (yourself included, me too!) have demanded more automation

      Perhaps you can substantiate how this "popular demand" was determined? By who? When? Where?

      Application writers, advertisers and other assholes have wanted to make it easier, and preferably, automatic, for users to install their software. I don't know of any surveys of users on this subject.

    8. Re:Data vs Program by CodeBuster · · Score: 1

      It is not all Microsoft's fault. The mixing of "data" and "program" goes much deeper than just Windows because ever since the Intel 8080 modern commodity processors, with a few exceptions, have made no clear distinction between data and programmatic instructions when it comes to loading registers, shifting data, jumping to addresses, etc from a common memory address space. This original design decision lies at the heart of many modern computer problems and hacks (i.e. smashing the stack). So although Microsoft hasn't helped matters, they certainly weren't the first to make the "mistake" or perpetuate the status quo with regard to mixing of data and instructions.

    9. Re:Data vs Program by Zoltair · · Score: 1

      Every time we are developing software we issue requests for functional descriptions, alpha and beta testers respond with their comments on functional features. There is plenty of opportunities for the user to intervene, for the developer just to go off on their own and develop unwarranted or requested features is irresponsible and usually represents a poor developer just writing code for the sake of code (read newbie VB coder wannabe). Not to say they are not out there, but MS is not a one man show. Seldom do I ever see a client asking the developer what he wants! usually it is spelled out very clearly and expensively what the client wants in features and ability, the developer will code to those specs..... I do agree some of the clients pushing this kind of content may not be like you or me, a direct user, but probably a facilitator that can use the features to their benefit, but their role in software development remains the same, client with a need, and developer with the expertise. Suffice it to say, I doubt anyone here would even consider going back to MS-DOS or giving up 1/10 of the features their choice of OS provides, it doesn't matter, what O/S they all have their vulnerabilities due to feature creatures....

    10. Re:Data vs Program by mlwmohawk · · Score: 1

      The mixing of "data" and "program" goes much deeper than just Windows because ever since the Intel 8080 modern commodity processors, with a few exceptions, have made no clear distinction between data and programmatic instructions

      STOP RIGHT THERE!!! Yes, the Intel 8080, the Zilog Z80 as well as most primitive micro CPUs from the 70s that was basically true.

      On "real mode" 8086, 8088, 80186, and V20 code was indexed by the "cs" register and data by "ds" register. The tools to separate code and data existed in DOS 1.0.

      Starting with the 80286 protected mode, code and data are separated further in that code physical memory has to be defined within a selector number in the CS register. To load data into memory and execute it, you need to create a CS to DS alias for the CPU to be able to jump to it. You could not jump to code in a "data selector" without causing an exception. You could not write to a code selector without creating an exception. You HAD to load into data and then convert that data into code. It did not happen by accident and a typical program had to call a privileged instruction or an API routine to do it.

      In 386 "flat" model, the CS and DS registers STILL define the difference between code and data. The fact that they usually point to the same area is not a flaw of the processor.
       

    11. Re:Data vs Program by filthpickle · · Score: 1

      WMP should only initiate such a download from a secure and authenticated source on the internet or use its own pre-defined sources, like windows update.

      Great idea...the kind that makes too much sense to ever happen.

    12. Re:Data vs Program by fabs64 · · Score: 1

      To see the same functionality without the security implications, install a fresh version of ubuntu (feisty is what I've seen this with), and double click on any avi file that you do not have the codec for.

      :-)

      There's nothing wrong with specifying in your file what codecs are required, but being able to specify a url is imho not a particularly bright design.

    13. Re:Data vs Program by magus_melchior · · Score: 1

      Every time we are developing software we issue requests for functional descriptions, alpha and beta testers respond with their comments on functional features.

      If by "functional descriptions" you mean "requirements", the QA team doesn't enter into it yet unless they're also part of the design team. If you're talking about QA testing proper (alpha and beta testing early implementations), then I fail to see what that has to do with user demand.

      There is plenty of opportunities for the user to intervene, for the developer just to go off on their own and develop unwarranted or requested features is irresponsible and usually represents a poor developer just writing code for the sake of code (read newbie VB coder wannabe). Not to say they are not out there, but MS is not a one man show.

      None of this absolves Microsoft or any other developer of the responsibility to keep a consistent process. If X.org, MySQL, and countless other large projects can manage code check-in integrity, surely Microsoft can do it with Media Player. I seriously doubt, unless the management is hopelessly inept, that Microsoft would allow a novice developer, let alone a third party, to muck around with the code or the design. If they allowed something like that to happen, we'd be all over them like flies on a turd.

      Seldom do I ever see a client asking the developer what he wants! usually it is spelled out very clearly and expensively what the client wants in features and ability, the developer will code to those specs...

      Is it not the developer's responsibility to inform the client, "You asked for this feature, but it will open these security risks."?

      Suffice it to say, I doubt anyone here would even consider going back to MS-DOS or giving up 1/10 of the features their choice of OS provides, it doesn't matter, what O/S they all have their vulnerabilities due to feature creatures...

      Isn't it odd that you're effectively saying, "If you want a really secure OS, go back to the CLI" when this really misses the point that Microsoft went ahead with a design that tries to impose new features at the cost of more attack vectors on the user (read: red herring, straw man)? Isn't it a little pretentious to blame all users for security woes based on a bad design decision?

      --
      "We are Microsoft. You shall be assimilated. Competition is futile."
    14. Re:Data vs Program by Anonymous Coward · · Score: 0

      Why do codecs even have to be allowed to perform more than simple transformations on the data? Why should they be any more than limited plugins? MS could provide an API including all necessary mathematical functions to allow the codec to perform its translation operations on secured buffers and write the output to a stream that's piped to the audio/video subsystems. A separate streaming architecture could allow for a limited and strictly temporary cache and a limited subset of network operations with no other filesystem access. A DRM architecture along the same lines shouldn't be unreasonable for them to develop. But there's absolutely no reason for a media codec to have arbitrary network and filesystem access.
      If the architectures are standardized, there's no reason a codec couldn't be a reusable library of strictly limited code that all media players could share, implementing their own versions of the sandbox.

    15. Re:Data vs Program by 1u3hr · · Score: 1

      usually it is spelled out very clearly and expensively what the client wants in features and ability

      Exactly. It's the CLIENTS, not the USERS who demand features. And some of them don't give a shit about what a mess they leave our machines in as long as their application is installed and prominent. This story demonstrates that. A sequence of poor choices in the name of "usability" created a big problem.

      I doubt anyone here would even consider going back to MS-DOS ...

      Please don't give me that false dichotomy. It is possible to be user friendly, and yet not leave a system wide open to hackers. I think most people here know they have to change many MS defaults in order to get a safe and usable system, and never to take on trust that software will install itself without creating collateral damage.

    16. Re:Data vs Program by PhasmatisApparatus · · Score: 1

      Please mod parent up. The Microsoft mentality has never been so perfectly phrased.

    17. Re:Data vs Program by CodeBuster · · Score: 1

      a typical program had to call a privileged instruction or an API routine to do it.

      What about a program, written in C for example, that uses inline assembly code without making a call to the APIs provided by the operating system? At that low level isn't it possible to write bytes to an area of memory that you know the program counter will return to when the stack is popped and execution returns to the main branch so that the new (possibly malicious) instructions are executed instead? Granted, it has been a decade since I hand coded assembly (only in school projects, never for actual work), but I seem to recall that most of the registers (EAX, EDX, ESP, etc) and all of the instructions (MULT, PUSH, POP, ADD, BRANCH, etc) were all available to the programmer. Now in practice it might be difficult to manipulate things so that the computer does some desired action rather than simply crashing when you start messing with the stack, but it has been done, right (worms, trojans, viruses, etc)?

    18. Re:Data vs Program by mlwmohawk · · Score: 1

      You have a pretty complex example, but let's not confuse a malicious attack with a normal practice.

      For instance:
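      #include <stdio.h>

      void myfunction(void)
      {
          printf("This is a test");
      }

      int main(void)
      {
          /* Take the address of the function's machine code. */
          void *p = (void *) myfunction;
          printf("%p\n", p);
          /* Try to overwrite the first bytes of that code; the text
             segment is mapped read-only, so this write faults. */
          int *pn = (int *) p;
          *pn = 0;
          return 0;
      }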

      This will cause a segmentation fault. The code is read-only. (On Linux) You can't jump to a static location or a stack location.

      Try it.

      There are many ways to affect the CS, DS, SS, ES and other "selector" registers and depending on operation may cause an exception.

      The tools to secure an x[n]86 type processor have been there since protected mode. The holes in the security are software.

    19. Re:Data vs Program by Anonymous Coward · · Score: 0

      It's not a bug, it's a feature. Microsoft has made this decision on purpose because it's far more important to them that everyone in the world be required to run windows to view the content (or they can't execute the random crap) than for windows to be secure.

    20. Re:Data vs Program by mlwmohawk · · Score: 1

      Someone mod parent up.

      This is a very excellent statement. I agree 100%

  9. Dont use untrusted codecs! by carp3_noct3m · · Score: 1, Insightful

    Don't enable any audio program you use to automatically download codecs. Use third-party trusted codec packs, or better yet, use VLC! As for Joe Schmo internet user, he is just fsked anyway, and probably already has more trojans on his PC than I've ever had on my... um.... usb dongle?

    --
    "It's ok, I'm completely secure as long as my iron is off"
    1. Re:Dont use untrusted codecs! by surata · · Score: 1

      The problem is the proliferation of file formats. MS tried to address this by including a simple mechanism for a user to download codecs that were unavailable when Media Player was released, but screwed up the implementation by allowing the data in the media file to point to where the codec could be obtained. MS probably should have forced MP to point to their own file server only, that way they could control what could be added into systems. Perhaps they didn't do this as a result of all the antitrust lawsuits that they endured. How does anyone know what codecs to trust anyway? Malware authors are good at confusing people into installing their programs.

    2. Re:Dont use untrusted codecs! by ConceptJunkie · · Score: 4, Insightful

      The irony is that in all these years, I don't think I've ever seen WMP successfully find and install a codec it was missing. I just end up with a message saying it couldn't find the codec that doesn't even tell me which codec it was looking for. Then it turns out this is all just another malware attack vector.

      In 2000, this problem would have been "more of the same" but the fact that this still exists in 2008 is insane. I mean Microsoft publicly admitted their security is awful in 2000, took four years to make a decent attempt to correct things, and yet here we are four years after that...

      Thanks, Microsoft. Thanks a lot. You give new meaning to the word FAIL on a daily basis.

      --
      You are in a maze of twisty little passages, all alike.
    3. Re:Dont use untrusted codecs! by benwaggoner · · Score: 1

      The irony is that in all these years, I don't think I've ever seen WMP successfully find and install a codec it was missing. I just end up with a message saying it couldn't find the codec that doesn't even tell me which codec it was looking for. Then it turns out this is all just another malware attack vector.

      This doesn't have anything to do with the actual codec update service. All it does is bring up a web page that tries to make something bad happen.

      And again, stock WMP 9 and 11 ignore the URL script commands, so the web page wouldn't even open unless the user had changed a default security setting.

    4. Re:Dont use untrusted codecs! by ConceptJunkie · · Score: 1

      So WMP 10 didn't ignore the script commands by default? Sounds like a bad decision, but at least it's been corrected.

      It's sad that Microsoft's policy of making every document a vector for code execution, which may have seemed to be a good idea in the early 90's, hasn't been thoroughly and consistently demolished. There are so many better ways to make these things happen (and the codec update service, which you pointed out that I mistakenly conflated with this problem, assuming it ever worked, is a better idea).

      I know there will always be security issues with any software, but how long will we have to wait before Microsoft stops doing _obviously stupid_ things?

      --
      You are in a maze of twisty little passages, all alike.
    5. Re:Dont use untrusted codecs! by benwaggoner · · Score: 1

      So WMP 10 didn't ignore the script commands by default? Sounds like a bad decision, but at least it's been corrected.

      Oh, I'm sure WMP 10 does the right thing as well. I just didn't have a copy handy, and only personally tested in 9 and 11.

      It's sad that Microsoft's policy of making every document a vector for code execution, which may have seemed to be a good idea in the early 90's, hasn't been thoroughly and consistently demolished. There are so many better ways to make these things happen (and the codec update service, which you pointed out that I mistakenly conflated with this problem, assuming it ever worked, is a better idea).

      Again, this is NOT an issue of any code executing inside or via WMP. All that's happening is that in a non-default state, the player will open a URL in the default browser.

      I think we're going in the correct direction here, particularly for web technologies. For example, Silverlight doesn't offer any way to call native code from the sandbox, not even with UAC or a user opt-in. .NET itself has always been sandboxed by default.

    6. Re:Dont use untrusted codecs! by ConceptJunkie · · Score: 1

      Fair enough, but I find it hard to argue this cannot be attributed to happening "via WMP". Nevertheless, it is a perversely impressive execution. I pity non-expert Windows users.

      I hope Microsoft continues to get a clue on security because that will prevent much pain, misery and expense, but it's too late for me. I've finally switched my last machine to Ubuntu, although my kids still run Windows because of all their games. My wife liked Ubuntu fine on her laptop (which came with Vista which made it literally the slowest computer I've ever used, and I've been around a while) for several months, but since her classes stupidly required so much MS-specific stuff (Office, etc), she asked to go back to Windows. Fortunately I had an XP license she could use.

      Speaking of Silverlight, I was curious to try it, and I thought it supported Firefox, but all I could ever get it to do was ask to be installed, even after it was installed. Perhaps I was wrong.

      --
      You are in a maze of twisty little passages, all alike.
    7. Re:Dont use untrusted codecs! by ConceptJunkie · · Score: 1

      Upon further reflection, I have to give you props for trying to set the record straight in such a hostile environment. I would never work for Microsoft, but since you do I have to give you credit for braving the lion's den.

      My experience with Microsoft engineers I've met is that they truly are sharp people who want to do, and can do, good stuff... it's your management which is incompetent and evil.

      --
      You are in a maze of twisty little passages, all alike.
  10. ASF? by ruiner13 · · Score: 0

    I've been using/creating websites since 1994, and I don't think I've ever even seen an ASF file for download. I assume it is a windows media format?

    --

    today is spelling optional day.

    1. Re:ASF? by BlueParrot · · Score: 2, Informative

      Being able to make an asf look like an MP3 is...weird

      Not really, name the file: mymusicfile.mp3.asf, Windows does the rest for you.

    2. Re:ASF? by Thelasko · · Score: 1

      Being able to make an asf look like an MP3 is...weird. If true then that is going to spread very quickly.

      I suspect, as a "feature" built into Windows Media Player to make things "just work", if a .asf file has the extension .mp3, WMP will detect that the file is a .asf file and play it anyway.

      --
      One of our competitors trademarked the term "hypothesis". From now on, we will call them "boneheaded ideas".
    3. Re:ASF? by Perseid · · Score: 1

      I just tested it. An ASF renamed to MP3 will play but it brings up a warning that says the format doesn't match the extension, do you really want to play this file? Quite a shock that Windows Media Player would do something cool like that.

    4. Re:ASF? by clone53421 · · Score: 1

      ASF is the container format typically used to encapsulate WMA and WMV encoded streams.

      Basically, you have an audio stream (maybe two for stereo) and a video stream. Raw data is huge, so they're encoded using common codecs (for example, WMA, MP3, A3C, MP4A; WMV, MPG1, MPG2, MP4V, DIVX). Once you have several encoded streams, they take up less space than the original data did, but you still have to combine them into a single package. That's what the container format does, and again there are multiple common container formats (AVI, MOV, a few MPEG formats, ASF).

      Basically, when you have a file named .WMV, .WMA, .MP3, or .DIVX, it's referring to the codec, not the container. Extensions of .ASF, .MPEG, .AVI, or .MOV are referring to the container, and you'd have to open it up and examine the streams to find out what codecs were used.

      To complicate issues, the extension can lie, and most media players are forgiving. So there's no guarantee that .MP3 is actually a MP3; it could be an ASF container with a WMA track inside... which is exactly the case in this exploit.

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
    5. Re:ASF? by clone53421 · · Score: 1

      It's worse than that. Just name it mymusicfile.mp3 - it'll still be an ASF, and it'll still play. (Windows Media Player might pop up a weird message about the format not matching the extension, but do people pay attention to that?)

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
    6. Re:ASF? by Thelasko · · Score: 1

      An ASF renamed to MP3 will play but it brings up a warning that says the format doesn't match the extension, do you really want to play this file?

      So, the tricky part is getting WMP to not display the warning. Anybody have any suggestions on how that is done? I suspect the worm displays the warning and relies on the user to simply click OK.

      --
      One of our competitors trademarked the term "hypothesis". From now on, we will call them "boneheaded ideas".
    7. Re:ASF? by Thelasko · · Score: 1
      I just answered my own question. From TFA:

      Users downloading from P2P networks need to exercise caution anyway, but should also be sensitive to pop-ups appearing upon playing a downloaded video or audio stream

      --
      One of our competitors trademarked the term "hypothesis". From now on, we will call them "boneheaded ideas".
    8. Re:ASF? by Anonymous Coward · · Score: 0

      WMP warns. VLC does not, but then on the other hand VLC won't honor the request "please open this web page" from the ASF file. So VLC is still more secure than WMP because it cripples the ASF functionality that allowed the exploit in the first place.
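
Added example, not part of any comment in this thread: a defender-side check for the case discussed above, a file named .mp3 whose bytes are really an ASF container, possibly carrying a URL script command. The GUIDs and the Script Command Object layout follow the published ASF specification as understood here (an assumption, not something stated on this page); `build_sample`, `audit` and the `example.invalid` URL are constructed for illustration.

```python
import struct
import sys
import uuid

# GUIDs as given in the ASF specification (assumption: not stated in the thread).
# ASF stores GUIDs on disk in the mixed-endian layout Python calls bytes_le.
ASF_HEADER = uuid.UUID("75B22630-668E-11CF-A6D9-00AA0062CE6C").bytes_le
ASF_SCRIPT_COMMAND = uuid.UUID("1EFB1A30-0B62-11D0-A39B-00A0C90348F6").bytes_le


def sniff_container(data):
    """Classify a file by its leading bytes, ignoring its name."""
    if data[:16] == ASF_HEADER:
        return "asf"
    if data[:3] == b"ID3":
        return "mp3"
    # Bare MPEG audio frame: the first 11 bits are all set (frame sync).
    if len(data) >= 2 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0:
        return "mp3"
    return "unknown"


def header_objects(data):
    """Yield (guid_bytes, payload) for each object inside the ASF Header Object."""
    if len(data) < 30 or data[:16] != ASF_HEADER:
        return
    header_size, count = struct.unpack_from("<QI", data, 16)
    end = min(header_size, len(data))
    pos = 30  # 16 GUID + 8 size + 4 object count + 2 reserved bytes
    for _ in range(count):
        if pos + 24 > end:
            return
        guid = data[pos:pos + 16]
        (size,) = struct.unpack_from("<Q", data, pos + 16)
        if size < 24 or pos + size > end:
            return  # truncated or malformed: stop rather than guess
        yield guid, data[pos + 24:pos + size]
        pos += size


def _read_wstr(buf, pos):
    """Read a WORD character count plus UTF-16LE text; return (text, new_pos)."""
    (length,) = struct.unpack_from("<H", buf, pos)
    end = pos + 2 + 2 * length
    if end > len(buf):
        raise struct.error("string runs past end of object")
    return buf[pos + 2:end].decode("utf-16-le", "replace").rstrip("\0"), end


def script_commands(payload):
    """Return [(type_name, command_text)] from a Script Command Object payload."""
    out = []
    try:
        # Skip the 16-byte reserved GUID, then read the two counters.
        n_cmds, n_types = struct.unpack_from("<HH", payload, 16)
        pos, types = 20, []
        for _ in range(n_types):
            name, pos = _read_wstr(payload, pos)
            types.append(name)
        for _ in range(n_cmds):
            _time_ms, type_idx = struct.unpack_from("<IH", payload, pos)
            text, pos = _read_wstr(payload, pos + 6)
            out.append((types[type_idx] if type_idx < len(types) else "?", text))
    except struct.error:
        pass  # malformed object: keep what parsed cleanly
    return out


def audit(name, data):
    """Return a finding dict for one file, or None if nothing is suspicious."""
    kind = sniff_container(data)
    mismatch = name.lower().endswith(".mp3") and kind == "asf"
    cmds = []
    if kind == "asf":
        for guid, payload in header_objects(data):
            if guid == ASF_SCRIPT_COMMAND:
                cmds.extend(script_commands(payload))
    urls = [text for typ, text in cmds if typ.upper() == "URL"]
    if mismatch or urls:
        return {"file": name, "actual": kind, "mismatch": mismatch, "urls": urls}
    return None


def build_sample(url):
    """Constructed input: a minimal ASF header holding one URL script command."""
    def wstr(s):
        raw = s.encode("utf-16-le")
        return struct.pack("<H", len(raw) // 2) + raw
    body = bytes(16)  # reserved GUID, zeroed in this constructed sample
    body += struct.pack("<HH", 1, 1) + wstr("URL")
    body += struct.pack("<IH", 0, 0) + wstr(url)
    obj = ASF_SCRIPT_COMMAND + struct.pack("<Q", 24 + len(body)) + body
    return ASF_HEADER + struct.pack("<QIBB", 30 + len(obj), 1, 1, 2) + obj


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            finding = audit(path, fh.read(1 << 20))  # the header sits at the start
        if finding:
            print(finding)
```

Run it over a download directory with the file paths as arguments; any finding with `mismatch` set or a non-empty `urls` list is worth a closer look before the file is opened in a player.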

  11. What player? by Blice · · Score: 5, Interesting

    TFA doesn't say what media player is vulnerable to this...

    I have a feeling this exploit doesn't work in VLC.

    A few days ago I played a movie in VLC on a Windows machine and half way through the VLC error log opened and had some interesting things in it. It was trying to place some files into some directories, and then lastly was trying to open a website.

    So it wasn't able to do those things, but I can't help shake the feeling that if I had played it in Windows Media Player it would have done some damage. Though it could have also been an exploit for a specific player like Realtime, Xvid, etc..

    Disclaimer: I'm not associated with VLC, although I do really like it.

    1. Re:What player? by X0563511 · · Score: 2, Insightful

      My question is how the hell that works? Why is it even possible to do that!?

      Data comes in, gets split into an audio stream and a video stream. You look at the magical tags and figure out which decoder to fire up. Feed compressed data into the decoder, get decompressed data out. Pass the video data to the display pipeline, and the audio data to the audio pipeline.

      There should be no way to execute anything from those pipelines.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    2. Re:What player? by Anonymous Coward · · Score: 0

      That should be how it works but a lot of the Microsoft based media files are able to launch websites through Media Player.

    3. Re:What player? by afidel · · Score: 2, Informative

      Open webpage to display cover art, link to the bands tour page, etc. The problem is that it uses IE to open the page no matter what you have your default browser set to and we all know how secure IE is. It can also have an embedded link to a download for a new codec, if you don't have the codec then it will ask you if you want to install it. In this case the codec is a trojan.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    4. Re:What player? by clone53421 · · Score: 1

      ...unless ASF has pipelines specifically designed to do that... wait, isn't that an obvious security flaw?

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
    5. Re:What player? by Anonymous Coward · · Score: 0

      overflow in the metadata reader processor?

    6. Re:What player? by DaveV1.0 · · Score: 1

      Try reading the article and the wikipedia page on ASF

      --
      There is no "-1 offended" or "-1 you don't agree with me" mod options for a reason.
    7. Re:What player? by MPAB · · Score: 1

      The way I understand it, when you feed unknown data to a very "helpful" player, it will try to locate a codec for you. That's the trojan, and it relies on the user to be installed.

      Try playing a DivX or xVid file on a fresh install of Windows XP and you'll see what I mean. (Media Player won't find the codec, anyway).

      I don't remember the name of perhaps the first mainstream adware program, back in the 90s. It prompted the user to see "kewl vidz", but a "viewer" had to be downloaded. Once installed, it would take over even your email and messenger programs attaching propaganda about itself as signatures. This uses the same principle.

    8. Re:What player? by Anonymous Coward · · Score: 0

      The format is the trojan.

    9. Re:What player? by X0563511 · · Score: 1

      I know how it happens. This was my way of saying the idea is, to say it bluntly, retarded!

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
  12. Comment removed by account_deleted · · Score: 2, Informative

    Comment removed based on user account deletion

  13. von Neuman rolls in his grave by Gothmolly · · Score: 5, Insightful

    This is why you separate the executable code from the data.

    --
    I want to delete my account but Slashdot doesn't allow it.
    1. Re:von Neuman rolls in his grave by zappepcs · · Score: 1

      I'm glad you were modded up. Running everything in a sandbox that disappears on reboot, and other methods to keep real data away from what you're doing online, is what will make it safe(r). In the case of simply separating user data and system data, such malware still has a chance to truly fsck with you. The need is to keep online malware 'away' from your user data AND system data. To do that, you need to do the equivalent of putting on rubber gloves, mask, protective goggles and going over to your neighbor's house to surf the web.

      In general principle, and probably in practice, this is one thing that virtualization can do to improve the average user's environment.

    2. Re:von Neuman rolls in his grave by Anonymous Coward · · Score: 0

      Uhm, dude..
      Von Neuman was the guy where data and code is the same thing.

    3. Re:von Neuman rolls in his grave by clone53421 · · Score: 1

      ...but since when has MS ever done this? Just about anything MS products can open can also contain macros, in the intent of making it more useful (but at the sacrifice of security).

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
    4. Re:von Neuman rolls in his grave by Anonymous Coward · · Score: 0

      Harvard rolls in his grave.

      Here fixed that for you.

    5. Re:von Neuman rolls in his grave by Wildclaw · · Score: 1

      And just as importantly, this is why you separate the executable code from other executable code.

      I should be able to install a program without having to grant it any rights. It should only have access to its own program directory and its own configuration directory, nothing else. And that should be the default.

      Any extra rights like bulk access to user data files and internet access should be granted on a per program basis. Access to single files can be handled by user verified access via file dialogs. The security risk a program poses should never go any further than any rights I grant it, and in the majority of cases that should be none or very few.

      I should be able to take number of malware applications, and install them followed by an uninstall and they should all be gone. If they aren't, that is the fault of the operating system.

      The rights for a program to make changes to other programs or parts of the system should also be heavily restricted. And it should be impossible to hide a program in the system. One program, one directory, one installation entry.

      Would this help for the dumb users that just click on anything without understanding? No, but those users are already a lost cause. The real problem is that even power users that have a good understanding can install a malware that ruins the whole system with a single misclick. That is simply not acceptable.

      Requiring a password to do some stuff is simply not enough. There simply needs to be more steps between a no access program and an all access program.

    6. Re:von Neuman rolls in his grave by 75bhp · · Score: 1

      That's not how von Neuman rolls...

    7. Re:von Neuman rolls in his grave by Kuciwalker · · Score: 1
      1) As siblings have noted, von Neumann's architecture was the one where code and data are *the same*. Idiot.

      2) At the time the Harvard (distinct code/data) and von Neumann (unified code/data) were conceived, computers were non-networked devices that occupied an entire room. The idea of computer security didn't *exist*, let alone inform their architectures.

    8. Re:von Neuman rolls in his grave by clone53421 · · Score: 1

      The idea of computer security didn't *exist*, let alone inform their architectures.

      Sure it did. In fact it had a lot to do with architecture. In fact, it consisted mostly of big strong walls, locked doors and men with guns.

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
  14. Not as bad as WMVs by Anonymous Coward · · Score: 0

    I think five years ago, my PC was infected from playing a WMV.

    Yes, it was pr0n, yes the file was very tiny and of bad quality.

    Basically turned my machine into a bot after I played a file from IRC or eDonkey in Windows Media Player. Even after I cleansed it, it had put itself into all of the WMVs and duped/renamed them funny so I could never pin it down. Basically if I tried playing any Windows Media file on my machine, I was just re-infecting it. On top of that, it hashed the names together to make it hard to pin down where my files were or what was in them ... solution? Complete wipe and reinstall. Lesson learned: never use a media player that is married to the kernel with super user rights.

  15. For lack of a name, call it the RIAA worm. by suck_burners_rice · · Score: 2, Interesting

    Hmmm, it sounds like this kind of worm really benefits the RIAA. It works like this: If all your mp3 files are encoded from your own CDs for legitimate purposes, then nothing will happen to you. But if you download a single song, or if you copy a single song from a friend, then BOOM! All of your music becomes totally jacked up. It seems a pretty sophisticated worm/virus concept and the transcoding of mp3s is kind of like an additional "fsck you" from the RIAA.

    --
    McCain/Palin '08. Now THAT's hope and change!
    1. Re:For lack of a name, call it the RIAA worm. by clone53421 · · Score: 1

      If all your mp3 files are encoded from your own CDs for legitimate purposes, then nothing will happen to you.

      Now if they figured out how to do that, I'd be really impressed.

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
  16. hmm... by Taibhsear · · Score: 4, Funny

    Good thing I only download FLAC and transcode it myself to mp3... I mean, I buy cds straight from the RIAA for $50 a pop so I can bypass those greedy artists... yeah, that's the ticket...

  17. They're ASF, Not MP3, Files by Doc+Ruby · · Score: 5, Informative

    The buggy format is not MP3. The MP3 files are perfectly safe.

    This worm transcodes them into ASF files. The ASF files are the threat. The ASF files pretend to be safe MP3s, but they include links that Windows automatically opens. MP3 files don't do that.

    Of course, it's really Windows that's buggy (duh). Windows allows the worm to enter and run. Windows lets the unsafe ASF files appear to the operator to be safe MP3. Windows opens the ASF links to the bad sites. Windows then runs whatever the bad sites deliver to the browser (which the user could have just clicked to from another page, without the MP3/ASF worm at all, and just blown their system by Web surfing).

    But of course, we can't say that Windows and ASF and IE are the security monsters. We have to blame MP3. Even though this exploit requires converting the file into something that's not MP3 before it can get started attacking you.

    --

    --
    make install -not war

    1. Re:They're ASF, Not MP3, Files by Tim+C · · Score: 1

      Windows lets the unsafe ASF files appear to the operator to be safe MP3.

      The last time I opened a file in Windows Media Player that had an incorrect extension it warned me of the fact, giving me the option of not playing it.

      But of course, we can't say that Windows and ASF and IE are the security monsters. We have to blame MP3.

      I don't see anything in the summary or article that blames mp3s, so I'm really not sure what you mean by that.

    2. Re:They're ASF, Not MP3, Files by geminidomino · · Score: 1

      I'm glad someone else mentioned this. Seriously, how braindead do you have to be to actually think that a file extension means anything as to the format of a file?

      Worse, even FOSS is going in this direction (Just tested with Gnome. It doesn't update the icon until you've already tried to click-execute it and it attempts to open a text file named foo.jpg as an image) :(

      I'd expect this kind of braindead stupidity from MS, but geez.

    3. Re:They're ASF, Not MP3, Files by Doc+Ruby · · Score: 2, Informative

      Windows lets the unsafe ASF files appear to the operator to be safe MP3.

      The last time I opened a file in Windows Media Player that had an incorrect extension it warned me of the fact, giving me the option of not playing it.

      This report says that safeguard fails.

      But of course, we can't say that Windows and ASF and IE are the security monsters. We have to blame MP3.

      I don't see anything in the summary or article that blames mp3s, so I'm really not sure what you mean by that.

      The title of this story is "Worm Transcodes MP3s To Infect PCs", not "Worm Infects PCs with ASFs". How much more clear could that be?

      --

      --
      make install -not war

    4. Re:They're ASF, Not MP3, Files by qoncept · · Score: 4, Interesting
      The original post seems to be pretty carefully worded so as to not imply that mp3s are the problem. Where is anyone blaming mp3s?

      I had to reread because after a once through it seemed there was no risk to me, as I don't download wma/asf. Then I realized it said the extension remains the same. Which makes sense -- I know Windows Media Player will open any supported media type by reading the headers, and double clicking on a file with a media extension will open WMP. So there's your problem -- WMP, not Windows.

      Then I also remembered that I'm not using Windows anymore, so I'm safe after all.

      --
      Whale
    5. Re:They're ASF, Not MP3, Files by Thelasko · · Score: 1
      To quote Wikipedia:

      Advanced Systems Format (formerly Advanced Streaming Format, Active Streaming Format) is Microsoft's proprietary digital audio/digital video container format, especially meant for streaming media. ASF is part of the Windows Media framework.

      Well there's your problem!

      --
      One of our competitors trademarked the term "hypothesis". From now on, we will call them "boneheaded ideas".
    6. Re:They're ASF, Not MP3, Files by Doc+Ruby · · Score: 0

      "Worm Transcodes MP3s To Infect PCs"

      That seems pretty clearly to say "MP3s". And not to say "ASFs".

      --

      --
      make install -not war

    7. Re:They're ASF, Not MP3, Files by Anonymous Coward · · Score: 0

      That just means that the MP3 file is the victim, not the cause. You're reading too much into this.

    8. Re:They're ASF, Not MP3, Files by Doc+Ruby · · Score: 1

      I know what it means, as I explained in detail.

      But the headline says "MP3s" and "Infect PCs", but not ASF. That's how headlines work: the effect is to associate MP3s with the infection.

      It's like a headline "Virus Infects Gays to Plague Nation". Gays are the victims, but "AIDS is the Gay Disease".

      --

      --
      make install -not war

    9. Re:They're ASF, Not MP3, Files by clone53421 · · Score: 1

      Worse, even FOSS is going in this direction (Just tested with Gnome. It doesn't update the icon until you've already tried to click-execute it and it attempts to open a text file named foo.jpg as an image) :(

      Nothing wrong with trying to open it and saying "whoops, this isn't the format I thought. I can't open it!" For that matter, there's nothing wrong with saying "whoops, this is a different format. I guess I'll open it anyway" -- IF -- and ONLY if -- the other format is secure. It's essentially the fault of the insecure format. However, if the other format is inherently insecure (which ASF is), it needs to be crippled (VLC isn't vulnerable to this exploit, because it won't execute the crud that ASF tries to deliver... it just plays the audio/video like it should). So there is a certain amount of responsibility on the head of whoever built the media player too, for allowing the security hole in the format to be exploited. In this case, the format and the player are both MS, so it goes back to them.

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
    10. Re:They're ASF, Not MP3, Files by Anonymous Coward · · Score: 1, Insightful

      Not to mention that it was Microsoft's brilliant idea to embed non-audio functionality into an audio file format to begin with. "Hey, let's make it so this audio file can automatically initiate a connection to the Internet! Yeah! That'll be cool!"

      That's probably even dumber than putting VBscript in Word documents or Javascript in PDFs.

      You would rarely find this kind of stupidity in the open source world because most open source software is driven by sensible engineering and functionality considerations, not by a marketing mentality of adding ever more flashy "features" (i.e. bloated anti-features).

      Dear Microsoft (and Adobe): Integration of extraneous functionality is at the root of a lot of your complexity and security problems. Keep separate things separate. Keep it simple.

    11. Re:They're ASF, Not MP3, Files by geminidomino · · Score: 1

      No argument that this particular bug is yet another Microsoft brainfuck. My comment was directed at the headline and article for making the same mistake. Filenames are for users, not the system.

    12. Re:They're ASF, Not MP3, Files by benwaggoner · · Score: 1

      The ASF files pretend to be safe MP3s, but they include links that Windows automatically opens.

      Actually, I just tested, and it appears Windows with the current Windows Media Player does not. See my post downthread for the details.

    13. Re:They're ASF, Not MP3, Files by clone53421 · · Score: 1

      I'm not sure I understand your point. Yes, it's true that an incorrect filename extension is often ignored and the file still works (try renaming a JPEG to GIF or vice versa, and it'll still open in Preview; same for MP3/WMA/ASF/etc. in Windows Media Player, apparently).

      From your earlier post, I thought you were saying that's bad, and I was just pointing out that it isn't necessarily bad, it's only bad if the format is insecure. It allows an insecure format to masquerade as a secure one, but if insecure formats didn't exist, that wouldn't be a problem.

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
    14. Re:They're ASF, Not MP3, Files by qoncept · · Score: 1

      No, it's not like that at all. It's like saying "Ice melts and gets stuff wet." Ice didn't do anything, water did. But now you know not to leave ice cubes sitting on your xbox. If you are downloading music, you need to look out for what appear to be mp3s.

      --
      Whale
    15. Re:They're ASF, Not MP3, Files by LilBlackDemon · · Score: 1

      The title of this story is "Worm Transcodes MP3s To Infect PCs", not "Worm Infects PCs with ASFs". How much more clear could that be?

      The worm transcodes MP3s into ASFs, and then adds some naughty bits to the ASF. The MP3 is just dummy data - something to get the user to lower their guard because everything comes ok A-OK.

      It's still the ASF that's doing the damage.

    16. Re:They're ASF, Not MP3, Files by Doc+Ruby · · Score: 1

      Well, ASF is really a structured container format for multimedia. The audio format is supposed to be WMA or something similar. The links are contained along with the separate audio in the ASF file. If an app or the OS is going to coordinate the audio with some other content pointed to (whether HTML via HTTP or otherwise), then there's going to be something that has both the way that ASF does.

      The problem is the way that ASF does the combination, and the way that Windows does the access - and just Windows' misleading truncation of filenames that are clues to whether the content could be executable. There are more secure ways of doing all of that, and Windows has bugs and design flaws in every layer. As usual.

      --

      --
      make install -not war

    17. Re:They're ASF, Not MP3, Files by Doc+Ruby · · Score: 1

      So you need to look out for what looks like ice, because it could really be water? Even though ice gets stuff wet by default? The metaphor doesn't work at all.

      No, the problem is not in the MP3. Watching out for MP3 isn't going to help. Watching out for Windows is going to help.

      --
      make install -not war

    18. Re:They're ASF, Not MP3, Files by geminidomino · · Score: 1

      My point was that there's no such thing as an "incorrect extension" as relates to filetype in a sane setup. There are plenty of ways to determine a filetype without relying on half-baked, easily-exploited methods like file names.

    19. Re:They're ASF, Not MP3, Files by Doc+Ruby · · Score: 1

      Which is why the title is misleading because it doesn't reflect the damage that ASFs do, but implies that MP3s are dangerous.

      --
      make install -not war

    20. Re:They're ASF, Not MP3, Files by INeededALogin · · Score: 1

      Which is why the title is misleading because it doesn't reflect the damage that ASFs do, but implies that MP3s are dangerous.

      If you don't have any mp3s... then the virus won't have anything to transcode and you are safe:-P

    21. Re:They're ASF, Not MP3, Files by Doc+Ruby · · Score: 1

      If you don't have Windows, you're even more safe, even if you do have MP3s.

      It's clearly the Windows that's the problem, as if that were ever in doubt.

      --
      make install -not war

  18. Wow... by hyperz69 · · Score: 1

    That has to be one of the most nasty viruses I've ever seen. Poor Windows users. Though remember, if you're ever asked to download a codec AFTER you installed a codec pack... likely it's malware. Even TV Shows are getting nasty DOWNLOAD THIS CODEC treatments. Pirating used to be such honest work too ;\

  19. User intervention by Anonymous Coward · · Score: 0

    load a page that asks the user to download a codec

    While certainly sneaky, it looks like this still requires the user to do something.

  20. Re:What do you really expect? by HolyCrapSCOsux · · Score: 1

    So copyrighted OR executables is good then?
    So, kids, it's okay to download cox}s}wivme from p2p but not epabad``dd!

    --
    0xB315AA8D852DCD3F3DCA578FD2E0BF88
  21. Re:What do you really expect? by Anonymous Coward · · Score: 0

    One should not be downloading things, especially things that are copyrighted and executables, from P2P networks.

    Unless those P2P networks are under the full control of corporations, that is. You see, if you use the full bandwidth you're paying for all the time, you're a nuisance and should be cut off. But if they can take some of your bandwidth and use it to give vapid teenagers more episodes of The Hills, it's just good business!

  22. No the ultimate evil is if... by Fallen+Andy · · Score: 5, Funny

    it *downloads* real player

    1. Re:No the ultimate evil is if... by worldcitizen · · Score: 1

      Aargh! Stop it! I cannot take it anymore!

    2. Re:No the ultimate evil is if... by Anonymous Coward · · Score: 0

      ... or else it gets the hose again?

    3. Re:No the ultimate evil is if... by saboola · · Score: 3, Funny

      No, the real evil is buffering.. buffering..

  23. "Windows XP is our most secure OS ever" by Joce640k · · Score: 2, Insightful

    ...apart from the ActiveX and the email program which auto-runs attachments and the music files which can launch the browser and the RPC daemon which can't be firewalled and the universal plug and play daemon which allows "drivers" to travel around networks and....

    Defective by design.

    --
    No sig today...
    1. Re:"Windows XP is our most secure OS ever" by Spy+der+Mann · · Score: 1

      Wrong. "Defective by design" means crippled by design (DRM). This is "Defectively Designed", which is a very different thing altogether.

    2. Re:"Windows XP is our most secure OS ever" by courteaudotbiz · · Score: 1

      So they designed Windows Vista. It allows all of that, but asks you the question before doing so... That is *WAY* better for my brother in law who's watching porn, he can now get infected being asked by his computer right before...

    3. Re:"Windows XP is our most secure OS ever" by Sockatume · · Score: 1

      Microsoft Mantra 2008 edition: it's not a security hole, it's a feature.

      --
      No kidding!!! What do you say at this point?
  24. a) ASF is patented, b) by Microsoft. by Joce640k · · Score: 4, Funny

    So ... I think we can deduce which players are vulnerable to this.

    --
    No sig today...
  25. Re:What do you really expect? by DaveV1.0 · · Score: 1

    Excuse me, I guess I should have put:

    One should not be downloading things, especially things that are copyrighted and/or executable, from P2P networks.

    Is that better?

    --
    There is no "-1 offended" or "-1 you don't agree with me" mod options for a reason.
  26. GoatWorship Channel On YouTube - ALF sodomy clowns by Anonymous Coward · · Score: 0

    Check out the goatworship channel on YouTube and youll see stuffed ALF dolls sodomized by tampon holding laughing clowns and musings about Jesus with chaos like you never imagined.. I kid you not! You dont believe me you go see for yourself! Its the craziest thing on YouTube!

  27. hidden extensions by Kenshin · · Score: 4, Insightful

    I hate how Windows has hidden file extensions in every version since XP. It's supposed to make the machine more Mac-like and friendlier, but it is a serious security concern.

    I try to turn it off on every machine that I'm asked to set up or fix, but occasionally I get someone who deletes the "unfamiliar" file extensions from their files and ends up not being able to open them.

    --

    Does it make you happy you're so strange?

    1. Re:hidden extensions by thePowerOfGrayskull · · Score: 4, Interesting

      If the file handling were based on its actual content instead of a friggin file extension, then this would be a much less serious problem. What bugs me is that after years of infections that can be directly tied to this 'feature', they still haven't changed it.

    2. Re:hidden extensions by QRDeNameland · · Score: 4, Informative

      They hid file extensions by default in Windows 2000 as well, which is one of the things I would always turn off as ritual when building out a new machine. I always felt there should be an OS install or user account setup option of "User is not an idiot".

      --
      Momentarily, the need for the construction of new light will no longer exist.
    3. Re:hidden extensions by MPAB · · Score: 1

      but occasionally I get someone who deletes the "unfamiliar" file extensions from their files and ends up not being able to open them.

      That shows they care about the "average user".

    4. Re:hidden extensions by BenoitRen · · Score: 1

      How is it since Windows XP? Do you mean it hides all extensions? Because hiding known extensions is a feature that has existed since at least Windows 95, turned on by default.

    5. Re:hidden extensions by madmac63 · · Score: 2, Interesting

      This has been a peeve of mine for years. The name of a file and the application which should open it by default are two different things. And stupid frikkin' MS filesystems and OS's can't get that through their heads . . . . why they didn't move the "extension" into a directory field (the way the Mac does) associated with the file . . . then you could name it whatever you wanted, and put periods in the filename, and not have to worry . . . madmac

    6. Re:hidden extensions by Sockatume · · Score: 1

      I think you've picked the wrong battle there. People who are going around deleting file extensions are unlikely to hold back from opening funnykittens.exe just because they can see the .exe extension.

      --
      No kidding!!! What do you say at this point?
    7. Re:hidden extensions by Anonymous Coward · · Score: 0

      Even worse is that some script file extensions are STILL hidden even when you choose to show file extensions.

    8. Re:hidden extensions by clone53421 · · Score: 2

      I don't see how that would prevent this exploit. Even if handling was based on content, the system would still say "yup, it's an ASF, I'll just go ahead and launch up Windows Media Player and play it"...

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
    9. Re:hidden extensions by sm62704 · · Score: 1

      Windows 98 had hidden file extensions. I gave up preaching about it long ago, nobody listens.

      --
      mcgrew's razor: Never attribute to stupidity that which can be explained by greedy self-interest
    10. Re:hidden extensions by TerranFury · · Score: 1

      Everybody bashes the Windows/DOS filename extension idea, but it's not bad. Personally, I think it's a heck of a lot more noticeable and transparent than some metadata (e.g., MIME type) that you never look at.

    11. Re:hidden extensions by slashgrim · · Score: 1

      I'm still looking for the option to disable hidden file extensions in the Linux command line

    12. Re:hidden extensions by assassinator42 · · Score: 1

      No, the problem (well, one of them) here is that Windows Media Player IS determining the file type from actual content rather than extension. Hence why it's playing ASF files with a MP3 extension. Read the last line of the summary.
      Of course, the real problem is people choosing to execute code from an unknown source. I'm curious, is this using the option to "Download Codecs Automatically" in WMP?

    13. Re:hidden extensions by thePowerOfGrayskull · · Score: 1

      My thought is that then the user would /see/ that it was an ASF (not mp3 content, where the user expected MP3), assuming that the operating system reported content honestly.

    14. Re:hidden extensions by thePowerOfGrayskull · · Score: 1

      Not quite - the content type is determined automatically, while /reporting something different based on file extension/ . Then again - Windows does tend to do the 'favor' of saying "Windows Media Player" file in the description, and not "MP3 file"...

    15. Re:hidden extensions by Anonymous Coward · · Score: 0

      Unless nearly every media file had the same icon and description... which they do tend to have: "Windows Media Audio/Video" and such crap. Unless you associate MP3s to some other programme, it'll be that.

      Anyway, it would be irrelevant if the ASF format didn't have the security flaw, or if Windows Media Player acknowledged how stupid it was and disabled that functionality.

    16. Re:hidden extensions by hairyfeet · · Score: 1

      Actually Windows has been doing this since Win95, maybe even earlier, but it has been so long since I worked with Win3.X I can't really tell you off the top of my head. Sadly, the only way I've found to get rid of this "bug" without having to worry about my nephews erasing the file extensions when they rename files is by bypassing Explorer completely and using Xplorer2. I have a code snippet that launches when you click on either My Computer or My Documents that launches Xplorer2 instead of Windows Explorer and Xplorer2 allows you to rename files WITHOUT changing the file extensions. Why MSFT after all these years can't seem to get something so simple right I'll never know. Oh and as always this is my 02c, YMMV

      --
      ACs don't waste your time replying, your posts are never seen by me.
    17. Re:hidden extensions by windsurfer619 · · Score: 1

      I always felt there should be an OS install or user account setup option of "User is not an idiot".

      That's called the "GNU/Linux" OS install.

    18. Re:hidden extensions by david.peace · · Score: 1

      So do all malicious hackers work for microsucks?

    19. Re:hidden extensions by clone53421 · · Score: 1

      Yes, and that would work, because your average Joe Shmoe is going to say "Uh oh, that's an ASF, I'd better not run it... the ASF format is such a security issue."

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
  28. Re:What do you really expect? by sammyF70 · · Score: 1

    The problem with your logic, is that you forget why ASF/WMV/WMA files are so vulnerable

    From wikipedia : "The ASF container provides the framework for digital rights management in Windows Media Audio and Windows Media Video."

    So, the problem is not people who download (illegally or not .. think NIN) music/video via P2P or newsgroups, it's the companies pushing for harsher copyrights and stronger DRM. I'll agree that they wouldn't have to, if nobody pirated anything, but their answer is more akin to an atom bomb to get rid of a nest of cockroaches. It will probably NOT kill the roaches, but everybody else will feel the aftermath

    --
    "DRM is like the Ford Pinto: it's a smooth ride, right up the point at which it explodes and ruins your day."-C.Doctorow
  29. Education by gx5000 · · Score: 1

    "loads a page that asks the user to download a codec"
    "While certainly sneaky, it looks like this still requires the user to do something."

    User education is the culprit....
    A computer is one of those hitech devices that you can use without almost
    any education about it...

    I mean, are we really reaching for a goof proof system where the user can
    be completely in the dark about the inner workings ? LOGO anyone ? typewriter ?

    --
    End of Line.
  30. Just use a player that won't download codecs. by base3 · · Score: 1

    Media Player Classic or VLC FTW. And as a bonus, they don't call home to the mothership about the MP3s you're playing.

    --
    One CPU cycle wasted on digital restrictions management is ONE TOO MANY.
    1. Re:Just use a player that won't download codecs. by maxume · · Score: 1

      Why would Windows software think of General Electric as home?

      --
      Nerd rage is the funniest rage.
  31. Are there stupid users in the world? by Anonymous Coward · · Score: 0

    Oh God!

  32. Media files can open webpages? by Anonymous Coward · · Score: 0

    I see Microsoft is continuing their trend for installing as many obvious security holes in their software as possible.

    Anyone try to turn off data CD auto-run in Windows XP lately? Even after all the service packs and patches, you still have to hack the registry to disable data cd auto-run.

    1. Re:Media files can open webpages? by Anonymous Coward · · Score: 0

      Or use group policy editor (XP Pro)...

  33. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  34. Re:What do you really expect? by Perseid · · Score: 1

    I envy you and the amount of free hard drive space you must have...

  35. IANAMD (I am not a malware developer)... by MattPat · · Score: 1

    ... but you've gotta' admit. That's a pretty genius method right there.

    Why don't these people all go work for Microsoft? Maybe if they had their fair share of brilliance, they could start producing products without gaping security holes.

    1. Re:IANAMD (I am not a malware developer)... by courteaudotbiz · · Score: 1

      they could start producing products without gaping security holes

      You mean they would throw Windows code down the toilet and rewrite it from scratch?

  36. Wait just a gosh darn second.. by Anonymous Coward · · Score: 0

    So what you're saying is that you can get malware off of Limewire? I feel enlightened.

  37. Re:What do you really expect? by clone53421 · · Score: 1

    Truth it may be, but it's still a major security hole, and MS should have known better.

    --
    Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
  38. Stupid by Anonymous Coward · · Score: 0

    Why the hell can an ASF file open a web link? I don't want my media player showing popups.

  39. A bit of clarification? by sootman · · Score: 2, Interesting

    It searches for MP3s, transcodes them to WMA format, wraps them in an ASF container, and adds links to further copies of the malware, all without modifying the .MP3 extension. [emphasis mine]

    So if this is correct, I figure one of two things is happening:
    1) It renames the file blah.mp3.asf, but if you have extensions hidden, it will hide the 'asf' and show the 'mp3'
    or
    2) it is an asf named blah.mp3 but when WMP opens the file, WMP says "Who cares what it's named, I can see that this is an ASF so I will go ahead and play it."

    Anyone know which it is?

    --
    Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
    1. Re:A bit of clarification? by Anonymous Coward · · Score: 0

      2)

    2. Re:A bit of clarification? by Anonymous Coward · · Score: 0

      I'm pretty sure it's like 2 no matter what conditions it's in. Programs don't tend to care what the file is named, they just read the data from the file, in the format given in the file.

  40. Re:What do you really expect? by DaveV1.0 · · Score: 1

    I disagree. If one practices safe computing, then the fact that the file formats are vulnerable is irrelevant.

    One should treat all external data as suspect regardless of supposed content.

    Just like in the old days when one treated all floppies as possibly being infected and made sure to remove them from the drive before rebooting.

    Also, this issue has nothing to do with DRM. From your own source:

    Advanced Systems Format (formerly Advanced Streaming Format, Active Streaming Format) is Microsoft's proprietary digital audio/digital video container format, especially meant for streaming media.

    ASF is based on serialized objects which are essentially byte sequences identified by a GUID marker.

    The format does not specify how (i.e. with which codec) the video or audio should be encoded; it just specifies the structure of the video/audio stream. This is similar to the function performed by the QuickTime, AVI, or Ogg container formats. One of the objectives of ASF was to support playback from digital media servers, HTTP servers, and local storage devices such as hard disk drives.

    The vulnerability of this format is due to it being a serialized object that can contain things other than the media files such as website addresses, as addressed in TFA:

    Advanced Systems Format is a Microsoft-defined container format for audio and video streams that can also hold arbitrary content such as images or links to Web resources.

    The content of the container contains instructions saying a new codec is needed and links to trojan site. This is a new twist on the standard trojan tactic, which is to get the target to download and execute a file which seems safe but is actually malicious.

    Trying to throw this on DRM is a red herring and dishonest. It also shows your lack of knowledge and experience and your bias.

    --
    There is no "-1 offended" or "-1 you don't agree with me" mod options for a reason.
  41. Keep it simple stupid. by JustNiz · · Score: 1

    This retarded philosophy that Microsoft have of bloating everything to hell like by adding embedded automation in every file format they get their hands on is one of the biggest reasons I hate Microsoft. Why the hell can an audio file even open web pages in the first place?

    Jeez why can't they keep it simple, such that an audio file only contains audio?

  42. Simple solution by Anonymous Coward · · Score: 0

    Just another thing that could be solved with Linux or as much as I hate to say it.... the Mac OS.

  43. It all starts with porn... by TJamieson · · Score: 1

    Ahem... anyone who has heavily browsed content on Usenet in the past 5 years has probably encountered this plenty of times. I haven't searched for a WMV file in years because of that!

    --
    For the last time, PIN Number and ATM Machine are redundancies!
  44. Re:What do you really expect? by DaveV1.0 · · Score: 1

    That still doesn't make the comment flamebait.

    Just because this is targeted at MS, it does not follow that this is an MS specific flaw. MS is the target of choice because of its installed base. Why work to capture 10% or less of the targets when one can work to capture 80+%?

    One may want to look into other container formats:
    The format does not specify how (i.e. with which codec) the video or audio should be encoded; it just specifies the structure of the video/audio stream. This is similar to the function performed by the QuickTime, AVI, or Ogg container formats.

    They may also be vulnerable to a similar attack.

    --
    There is no "-1 offended" or "-1 you don't agree with me" mod options for a reason.
  45. Nothing new by reikoshea · · Score: 1

    This is nothing new by any stretch of the imagination. People have been adding malware links in ASF files since at least 2002.

  46. I don't listen to music on media player... by filthpickle · · Score: 1

    ...but I do sometimes watch video on it. It will give a message along the lines of "the file you are trying to open doesn't match the extension"

    It gives you a yes/no choice asking if you still want to play it. I am positive that yes gets clicked 98% of the time...."shut up computer! Just show me them tittys!"

  47. Oops, my bad by Spy+der+Mann · · Score: 1

    theora is for video. Vorbis is for audio. In any case, to prevent this particular worm from catching me unaware, I'm going to convert all my mp3 collection to ogg/vorbis. Doesn't affect me, winamp has a vorbis codec and I use amarok at home.

    Better safe than sorry.

  48. Xvid can play DivX by tepples · · Score: 1

    For instance, if I can play raw .avi files, but don't have the DivX codec, I can't play DivX encoded .avi files at all. I need the DivX codec.

    How so? I thought all I needed to play DivX was an MPEG-4 Advanced Simple Profile video codec that answers to DivX's FourCCs, such as ffdshow or Xvid.

    1. Re:Xvid can play DivX by omeomi · · Score: 1

      How so? I thought all I needed to play DivX was an MPEG-4 Advanced Simple Profile video codec that answers to DivX's FourCCs, such as ffdshow or Xvid.

      Okay, I guess if you want to be pedantic, you need either the DivX codec, or a multi-codec that can play DivX files. Or a hardware DivX player, or a friend with the DivX codec who doesn't mind transcoding the file into something else, or a monkey that's been trained to decode DivX files with a pencil and paper.

    2. Re:Xvid can play DivX by Obfuscant · · Score: 1

      Okay, I guess if you want to be pedantic, ...

      If HE wants to be pedantic?

  49. Re:What do you really expect? by sammyF70 · · Score: 1

    Ask yourself this : WHY did Microsoft create yet-another-codec? Streaming is possible with many formats that already existed when ASF was introduced, including mp3.

    Why must a media file contain anything other than data?

    My guess is DRM, yours is probably different

    --
    "DRM is like the Ford Pinto: it's a smooth ride, right up the point at which it explodes and ruins your day."-C.Doctorow
  50. Re:What do you really expect? by DaveV1.0 · · Score: 1

    MS didn't "create yet-another-codec". They followed the herd and developed a container file type like their competitors did. There is no ASF codec. ASF is a container file type that can contain media files, usually WMA and WMV, as well as text, URLs, and images.

    There is no ASF codec

    Are you so much of a dumbass that you didn't even bother to read the wikipedia article you linked to?

    --
    There is no "-1 offended" or "-1 you don't agree with me" mod options for a reason.
  51. Originality by Anonymous Coward · · Score: 0

    This trick has been around for years and was spurned by Microsoft quite some time ago. Any moderately recent version of Windows Media Player disables these 'events' by default.

    Having tried to manipulate users through such means in recent months, I can attest to how poorly it performs. No, not because it's nasty - most people simply have a secure version of Media Player (see: quite some time ago).

    It is worth noting that antipiracy / p2p spam / botnet outfits have been doing this for all eternity over Gnutella1/2 and FastTrack (older distributed p2p networks); I believe a similar trick also exists in .mov / Quicktime media. This activity is probably what prompted Microsoft to secure Media Player in the first place.

    Ultimately, I expect this worm will only ever manifest itself as an annoyance rather than serious threat. 'Tis a bit behind the times *yawn*

  52. The ASF container is patented by tepples · · Score: 2, Interesting

    Also I don't know much about the ASF container but if you run it in another player like iTunes will it still activate?

    The ASF container is patented in the United States, home of Microsoft Corporation, Apple Inc., and Slashdot. Microsoft wants to be the only vendor of ASF tools; to this end, it has cease-and-desisted VirtualDub's author from including ASF support. And Microsoft's ASF parser is, predictably, the exploitable one.

  53. Details on actual Windows Media behavior by benwaggoner · · Score: 4, Interesting

    The original article is rather overblown by the real-world behavior here. I just whipped out a WMA file with a URL marker, renamed it to .mp3, and tried it to see what would happen.

    With Windows Media Player 11 installed (out as an optional update for two years for XP, and default in Vista):

    Trying to open up an ASF file with a .mp3 extension prompts a dialog reading:

    "The file you are attempting to play has an extension (.mp3) that does not match the file format. Playing the file may result in unexpected behavior."

    So, if a user opened one of these files, they'd have an immediate warning something was up.

    However, if they play the file, nothing will happen if the player is in the stock state. Script commands don't run unless the user has gone into Tools > Options > Security and checked the "Run script commands if present" (which is off by default).

    And if a user somehow got one of these modified files AND has ignored the first dialog AND changed the default security option, all they're going to get is a new web page opening up in the default browser, which would then be subject to other security on the machine.

    So, current Windows installs appear to be secure by default against this exploit.

    1. Re:Details on actual Windows Media behavior by T3Tech · · Score: 1

      And if a user somehow got one of these modified files AND has ignored the first dialog AND changed the default security option, all they're going to get is a new web page opening up in the default browser, which would then be subject to other security on the machine.

      So, current Windows installs appear to be secure by default against this exploit.

      I'm no malware expert and for the most part gave up keeping up to date with the myriad of windows security vulnerabilities long ago, but how difficult/easy is it to have some malware (activeX, javascript, flash, trojan, etc.?) simply change those settings?
      Can that warning dialog be turned off, say by modifying a registry value?
      Changing the script option to "on" I would think is a rather trivial thing to accomplish somehow without user knowledge.
      Of course, I could be way off base here.

      --
      Of course I didn't RTFA... why would I do that? You really are new here aren't you? Don't let my UID fool you.
    2. Re:Details on actual Windows Media behavior by benwaggoner · · Score: 1

      Well, once malicious software has unfettered access to being able to edit your registry, you've got bigger problems than opening a random URL!

    3. Re:Details on actual Windows Media behavior by T3Tech · · Score: 1

      As I understand, any software that can run has pretty much open access to the registry. The only exceptions to this are if one bothered to set up some specific policy restrictions or if one happens to use a regular user account rather than having their account == 'administrator'. And who actually does that, I mean other than the average /.er, network admin on company machines or technical user that actually knows what they are doing?
      The average joe-user either uses administrator as their primary account or has their own name just equal to it per the default OEM setup process. Otherwise they have to switch accounts just to install something or change some 'system' setting and that's just too much of a hassle for most users.

      Granted, I'm out of the loop on granularity of windows security settings and I'm stepping over the limits of my knowledge here since the latest environment I did any administration work in consisted of 98/ME/NT/2k machines when XP was just starting to trickle in, but aren't the defaults still mostly "all access until restricted" rather than a strict "least privilege" model?

      If a user can run regedit without getting the "disabled by administrator" message, there's unfettered access. I suspect this is a rather common situation amongst home users, while not so much in office environments.

      --
      Of course I didn't RTFA... why would I do that? You really are new here aren't you? Don't let my UID fool you.
  54. ouch by Anonymous Coward · · Score: 0

    I feel sorry for any Windows user trying to use software like that. But what happens if they are not running as Administrator but as a user account? What can the exploit do then?

  55. Re:GoatWorship Channel On YouTube - ALF sodomy clo by BrentH · · Score: 1

    I bet I'm going to need some special codec to see that, right? Sign me up!

  56. WMP 9 is good too by benwaggoner · · Score: 2, Informative

    I launched up a VPC session with XP and WMP 9 installed, and verified the same behavior:

    Warning that the extension doesn't match the content

    Script command execution off by default.

    Since WMP 9 is installed with XP SP 2, this suggests that SP 2-3 and Vista should be unaffected in stock state.

  57. ASF=WMA=WMV by benwaggoner · · Score: 2, Informative

    Yes, same file format. It was originally called just .asf, but changed by default in the late 90's, IIRC, to different extensions for video and audio.

    This enabled different icons for video and audio files, and easily filter between them so you didn't accidentally try to sync video to an audio-only player.

    This is pretty standard practice. .m4a, for example, is a MPEG-4 file with just audio. .f4v is a MPEG-4 file known to be compatible with Flash.

  58. Re:What do you really expect? by clone53421 · · Score: 1

    The topic of discussion is "worm transcodes MP3s to infect PCs". Responding with "well if you weren't illegally downloading MP3s you wouldn't get the worm" is, at best, not terribly helpful, and at worst, offtopic or flamebait. The mod is a bit harsh, because you did make a valid point, but the flamebait mod wasn't totally inappropriate IMO.

    It's the format's fault if it can contain an executable nugget. Other formats that can't be injected in that way aren't vulnerable, and any player that simply ignores the executable payload won't be vulnerable. So it's a combination of an insecure format (ASF) and an insecure player (WMP)... both of which come from Microsoft. They should have known better.

    --
    Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
  59. "Worm"? by Anonymous Coward · · Score: 0

    C'mon guys, get the terminology right. This is a classic trojan with some virus like properties, definitely not a worm.

    Not a proper virus either as the infected files don't contain the executable code, and it requires user action to spread to another machine.

  60. ASF? The Anti-Security Format? by RobBebop · · Score: 1

    Advanced Systems Format is a Microsoft-defined container format for audio and video streams that can also hold arbitrary content such as images or links to Web resources.

    Who in their right mind would develop a format that allows people to do malicious things like this?

    Are there any really good quality resources that enumerate the different audio formats... the advantages and disadvantages... and which ones to stay away from because of shit like this?

    Honestly, if I want "embedded content" I will use a Media Player that will search the current directory for an album cover JPEG or a text-file lyrics file. At no point should the Fileformat be permitted to establish an internet connection to download ANYTHING!

    I look forward to the day when Microsoft changes their slogan from "Where do you want to go today?" to "Do you think we care if you object to what we are trying to do to your computer today?"

    --
    Support the 30 Hour Work Week!!!
  61. No executable code by benwaggoner · · Score: 1

    There isn't any executable code involved here (or supported), unless you consider a URL executable code.

    As described, it sounds like they're using a URL Script Marker, which is just a marker in the file that associates with a particular time in the stream. And which WMP ignores entirely by default, unless a user manually changed a security option.

    1. Re:No executable code by xigxag · · Score: 1

      Mod parent up. Current versions of WMP11 don't automatically open up web pages, and if you have it configured to do so, you can turn it off easily through options.

      --
      There are two kinds of people: 1) those who start arrays with one and 1) those who start them with zero.
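
Added example, not part of any comment in this thread and not code from Kaspersky, Secure Computing or Microsoft: a defensive check that reads a file's first bytes, reports whether it is really an ASF container regardless of its extension, and lists the script commands (type and text) stored in its header. The function names are hypothetical, the object GUIDs and field layout are taken from the ASF specification as an assumption of this example, and the sample file is constructed with a placeholder URL.

```python
import struct
import uuid

# Object GUIDs from the ASF specification (stored little-endian on disk).
ASF_HEADER = uuid.UUID("75B22630-668E-11CF-A6D9-00AA0062CE6C").bytes_le
ASF_SCRIPT_COMMAND = uuid.UUID("1EFB1A30-0B62-11D0-A39B-00A0C90348F6").bytes_le

def _u(buf, off, n):  # little-endian unsigned int; short reads never raise
    return int.from_bytes(buf[off:off + n], "little")

def _wstr(buf, off):
    """Read a WORD-counted UTF-16LE string; return (text, next offset)."""
    end = off + 2 + 2 * _u(buf, off, 2)
    return buf[off + 2:end].decode("utf-16-le", "replace").rstrip("\0"), end

def _parse_script_object(body):
    # Layout: reserved GUID, command count, type count, type names, commands.
    n_cmds, off, types, out = _u(body, 16, 2), 20, [], []
    for _ in range(_u(body, 18, 2)):
        name, off = _wstr(body, off)
        types.append(name)
    for _ in range(n_cmds):
        if off + 8 > len(body):
            break  # truncated object: report what was readable
        idx = _u(body, off + 4, 2)  # type index follows the DWORD timestamp
        text, off = _wstr(body, off + 6)
        out.append((types[idx] if idx < len(types) else "?", text))
    return out

def script_commands(data):
    """Return [(type, text)] script commands, or None if data is not ASF."""
    if data[:16] != ASF_HEADER:
        return None
    off, end, found = 30, min(_u(data, 16, 8), len(data)), []
    while off + 24 <= end:
        size = _u(data, off + 16, 8)
        if size < 24 or off + size > end:
            break  # malformed object: stop rather than guess
        if data[off:off + 16] == ASF_SCRIPT_COMMAND:
            found += _parse_script_object(data[off + 24:off + size])
        off += size
    return found

def build_sample(url="http://example.invalid/codec"):
    """Constructed input: minimal ASF header with one URL script command."""
    w = lambda s: struct.pack("<H", len(s)) + s.encode("utf-16-le")
    body = bytes(16) + struct.pack("<HH", 1, 1) + w("URL")
    body += struct.pack("<IH", 5000, 0) + w(url)
    obj = ASF_SCRIPT_COMMAND + struct.pack("<Q", 24 + len(body)) + body
    return ASF_HEADER + struct.pack("<QIBB", 30 + len(obj), 1, 1, 2) + obj
```

A file named `.mp3` for which `script_commands()` returns a list rather than `None` is an ASF container under the wrong extension, and any `URL` entries in that list are the links a player could be asked to open.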
  62. Odd that it's taken so long. by argent · · Score: 2, Interesting

    This kind of thing is why I eventually included WMP among the software I banned back in the late '90s. When I realized the danger of Microsoft's HTML control I banned everything that I could find that used the HTML control on untrusted content. This wasn't really an issue for early versions, but most later versions of Windows Media Player were tied into the HTML virus distribution ecosystem. Well, Outlook and Internet Explorer soon proved me right in doing so, but up to now Windows Media seemed to have pretty much dodged the bullet.

  63. Re:What do you really expect? by DaveV1.0 · · Score: 1

    It doesn't contain an executable nugget. Maybe you should go back and read the article and then the definition of the format.

    --
    There is no "-1 offended" or "-1 you don't agree with me" mod options for a reason.
  64. Hmmm.... by Shinra · · Score: 1

    "Infected files launch IE" Well good thing I never use that! Plus, any moderate listener of .mp3s and other formats (.ogg, .flac, .ape, and so forth) will have already gotten a reputable codec pack somewhere.

  65. People still use ASF and WMx ? by tuaris · · Score: 0, Troll

    Stupid Idiots.

    --
    President/CEO Pacy World http://www.pacyworld.com
  66. Data vs. program is all in your mind by davidwr · · Score: 1

    No, hear me out. All a "program" is is "data" to something that interprets the data.

    The text in this /. post is input to your wetware. As a result of seeing this "data" I am tricking your brain into rewiring itself, creating circuits and data stores called "memories." I am also causing your eyes to move around the screen, probably in a left-to-right fashion.

    Likewise, the data-input that is loaded into a CPU is what we call executable code.

    In between, there are Word macros, Java bytecode sequences, and a host of other things that are either "code" or "data" depending entirely on how they are being used.

    Microsoft's problem isn't distinguishing code from data, it is distinguishing privilege levels based on use and trust. A music file shouldn't have the privilege of doing anything except being input to an existing codec or alerting the user that he needs XYZ-brand codec installed to play it. Anything purporting to be a codec should only have the privileges it needs, including reading input from a file or stream, writing output to a file or stream, and interacting with audio and video devices. All of this I/O should be through carefully architected, bug-free APIs.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    1. Re:Data vs. program is all in your mind by mlwmohawk · · Score: 1

      No, hear me out. All a "program" is is "data" to something that interprets the data.

      The whole problem with your point of view is that it is wrong. :-)

      The problem is trust and predictability. It is an easy line to cross, like JavaScript in an HTML page. I personally dislike the practice.

      Computer science is a science. There are "protocols" for the proper study and practice. Not that other things are impossible, but that we understand and can predict the outcome of what we do know.

      In hardware terms, this is the debate between the "Harvard Architecture" and the "Von Neumann architecture." While Von Neumann is more or less the hardware architecture because of costs, the "Harvard Architecture" is implemented in software.

      Separating "program" from "data" is an important security device. It allows you to "trust" something, the program, to safely interact with something "untrusted," the data. If there is no trusted way to interact with data, which is "untrusted," then there is no way to secure your system.

      In a very real sense, separating programs from data is like wearing a bio-hazard suit while treating Ebola victims. You are the program, the Ebola victim is data. Would you invite an Ebola victim into your house, unprotected, to meet your wife and kids? Of course not.

  67. Another good reason by Snaller · · Score: 2, Insightful

    To use mplayer to play your files.

    --
    If Google really cared they would fix Android Chrome to reflow text, instead of discriminating
  68. I think we are on the same page by davidwr · · Score: 1

    The point I'm trying to make is the distinction between "program" and "data" is one of labeling and restrictions, not one of the bits themselves. Labeling and restrictions can be changed without modifying the bits.

    The very same bits can be a program one moment and data the next. When I dump memory under a debugger, my "code" is data. When I run my Perl files through a Perl interpreter, my "ascii text file data" becomes "code."

    If your music program declares "I am a music player. When I read .mp3 files, they will have the following permissions and nothing more," including no ways to "cheat" to escape your restrictions, it is enforcing a "the music file is data" or "the music file may contain a codec and can be viewed as code, but only for the purposes of driving the following audiovisual devices and only within these limited parameters" viewpoint. If it fails to do this, then your music file "data" may turn into "code" when you don't want it to.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  69. To the non-technically savvy .... by PPH · · Score: 2, Insightful

    ... this goes like:

    (Blah, blah blah blah, blah) codec (blah blah, blah. Blah.)

    [Allow] or [Cancel]

    --
    Have gnu, will travel.
  70. I am! by Snaller · · Score: 1

    I'm renaming all I see!

    --
    If Google really cared they would fix Android Chrome to reflow text, instead of discriminating
  71. Re:What do you really expect? by clone53421 · · Score: 1

    Video or audio are data. They are passed to the decoder, the decoder generates the raw data, and they play. "Open up the browser and go to this page" is not data, it's an instruction, and it can be executed. It's not the same as being able to inject arbitrary code, but it's still executable.

    --
    Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
  72. They have by Snaller · · Score: 1

    There is no program to be run. However, if there is data in a media stream, and this data evaluates to a URL, the program will launch that URL.

    --
    If Google really cared they would fix Android Chrome to reflow text, instead of discriminating
  73. Now you know why by Intrinsic · · Score: 1

    DRM just sucks, it puts the control of your computer in someone else's hands. Who wants to do that? It doesn't even make good business sense to do it. People are going to continue to use "Free" over "Restricted" especially when they get bitten by this.

  74. Marketing - the untold story by sjames · · Score: 1

    The best fiction comes from real life. This is all part of the latest in marketing research. The telekinetic powers were, of course, fiction. The groupthink is the primary mission.

  75. Re: Stupid DRM by fondy44 · · Score: 1

    I'm not sure it's fair to casually attribute an infection from such an exploit to user stupidity. The first reason being that it sounds like the format was intentionally designed to allow this extra functionality. The second reason being that the way it's described sounds very similar to the kind of behavior that is sometimes encountered while using a subscription music service like Yahoo Unlimited or Netflix's 'Watch Now' feature. In the description it mentions that if the user plays the (infected) music file, IE launches and prompts them to download a codec. To me, this doesn't sound so much like typical malicious behavior as it does typical Windows-DRM behavior. I could see how someone who has spent much time using DRM'd WMAs might be conditioned to assume that behavior like this was just par for the course.

  76. Why have links in an audio file? by navsan · · Score: 1

    Maybe I don't completely appreciate the potential here, but can somebody please explain the rationale behind allowing links and executable code in a media file? Isn't that begging for trouble in just such a way? At the most, you could have an instruction for the media player to ask you if you want to go to a link or execute said code (with more information about what it is for, of course). Why blame the "idiot" user for playing what looked like a media file before running a virus check? Navneet

  77. Indeed! by woolio · · Score: 1

    I remember having similar thoughts when ActiveX was promoted for client-side use in webpages.

    Everything went downhill from there...

  78. So how to fix the poor mp3 collection ? by zoharo · · Score: 1

    So is there a way to fix the mp3 files and make them sound again?