Slashdot: News for Nerds

WinXP and WinAmp Vulnerable to Malicious MP3s

michael posted more than 11 years ago | from the cruddy-music dept.

Bug 505

mypenwry writes "Foundstone, a Mission Viejo, CA security services company, is reporting several vulnerabilities that would allow malicious code embedded in MP3 and WMA files to be executed via WinXP and WinAmp. WinAmp versions 2.81 and 3.0 are vulnerable to buffer overflows via certain long ID3v2 tags when MP3 files are loaded. More troubling is the WinXP vulnerability: A buffer overflow exists in Explorer's automatic reading of MP3 or WMA (Windows Media Audio) file attributes in Windows XP. An attacker could create a malicious MP3 or WMA file that, if placed in an accessed folder on a Windows XP system, would compromise the system and allow for remote code execution. The MP3 does not need to be played; it simply needs to be stored in a folder that is browsed to, such as an MP3 download folder, the desktop, or a NetBIOS share. This vulnerability is also exploitable via Internet Explorer by loading a malicious web site. Explorer automatically reads file attributes regardless of whether or not the user actually highlights, clicks on, reads, or opens the file. Windows XP's Explorer will overflow if corrupted attributes exist within the MP3 or WMA file. Microsoft has issued a fix for this vulnerability. Nullsoft has posted fixed versions of WinAmp 2.81 and 3.0 on their web site."


505 comments

FP?? (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#4922494)

Probably not.

FP !!!! (-1, Offtopic)

kcar5150 (55850) | more than 11 years ago | (#4922496)

w00t !

My first FP !!!!

Re:FP !!!! (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#4922518)

Watch it so you don't cum all over us... :-P

Re:FP !!!! (-1, Offtopic)

kcar5150 (55850) | more than 11 years ago | (#4922534)

Or not. Damn.

IN SOVIET RUSSIA (-1, Troll)

Anonymous Coward | more than 11 years ago | (#4922503)

Malicious mp3s are vulnerable to YOU

i got the first post (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#4922504)

Yo Yo BZATCHES,

First post mofo

Uh Oh (5, Insightful)

Jaysyn (203771) | more than 11 years ago | (#4922505)

I hope no one tells the RIAA about this. They will be putting landmines in P2P soon.

Jaysyn

Re:Uh Oh (1)

Nasheer (179086) | more than 11 years ago | (#4922565)

I hope no one tells the RIAA about this.


Theory of Conspiracy: they do already know, and somehow they have something to do about that.

Re:Uh Oh (5, Funny)

Jugalator (259273) | more than 11 years ago | (#4922606)

Uh oh. I think they already infected my computer when I d/l:ed some christmas mu*?DZMV*Z@@@@+++ KNEEL BEFORE HILLARY ROSEN +++""!##""!1!!1.

NO CARRIER

Re:Uh Oh (0, Troll)

TheMidget (512188) | more than 11 years ago | (#4922631)

I hope no one tells the RIAA about this. They will be putting landmines in P2P soon.

I hope someone does tell them. What better ally than the RIAA to fight that Redmond scum. Let the bad guys turn their guns on each other!

Re:Uh Oh (1)

tomstdenis (446163) | more than 11 years ago | (#4922702)

What redmond scum?

Besides I figure this is a way for ISPs to save bandwidth cost... if all the users are rooted and can't go on P2P networks and such all the better.

Tom

Re:Uh Oh (-1, Flamebait)

Anonymous Coward | more than 11 years ago | (#4922707)

you're an idiot

Not a problem... (2, Funny)

D-Cypell (446534) | more than 11 years ago | (#4922751)

If the RIAA use these tactics the solution is simple...

Wait a few months until the RIAA's trojanized files are well and truly spread throughout the P2P networks...

then use the thousands of trojanized nodes to DDOS the RIAA

*chuckle*

SLASHCODE VULNERABILITY DISCLOSURE (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#4922507)

Hitting "Reply" causes a Denial of Service in SlashCode!!!

404 File Not Found
The requested URL (articles/02/12/19/1329243.shtml?tid=128) was not found.

If you feel like it, mail the url, and where ya came from to pater@slashdot.org.


Get your l33t 0-dayz h3r3!!

In Soviet Russia... (-1, Troll)

Anonymous Coward | more than 11 years ago | (#4922510)

In Soviet Russia, data hacks you.

The RIAA was right... (0, Troll)

Hasie (316698) | more than 11 years ago | (#4922512)

...MP3s are harmful to business!

It's a sad day when... (2, Interesting)

Anonymous Coward | more than 11 years ago | (#4922564)

...a machine can be hacked through the mp3 player. This is all not so Windows centric either, many software developers need to get a clue.

Re:It's a sad day when... (2, Insightful)

xsbellx (94649) | more than 11 years ago | (#4922656)

Definitely one of the more insightful comments in a while. Exploits like this really speak volumes about the current state of software development, both at the application and O/S levels.

XMMS too. (0, Troll)

Anonymous Coward | more than 11 years ago | (#4922515)

I just found a buffer with unchecked bounds in XMMS. This ain't no good. I should have a patch posted in a few minutes.

Re:XMMS too. (1, Insightful)

Jaysyn (203771) | more than 11 years ago | (#4922701)

Now that is the true difference between open source & the other guys.

Jaysyn

Re:XMMS too. (2)

damiangerous (218679) | more than 11 years ago | (#4922714)

Well, Microsoft and Nullsoft have already posted fixes, so I wouldn't draw attention to that difference too much. :)

Don't worry (4, Funny)

Psmylie (169236) | more than 11 years ago | (#4922520)

This is all part of the Berman Bill [digitalspeech.org] .

Subject : Name : AC (3, Funny)

Anonymous Coward | more than 11 years ago | (#4922526)

So, now when the users are afraid because of having virii in their mp3s, they are not stupid anymore?

Re:Subject : Name : AC (-1)

Anonymous Coward | more than 11 years ago | (#4922557)

A buffer overflow is quite different from a virus.

Re:Subject : Name : AC (1)

binner1 (516856) | more than 11 years ago | (#4922623)

I think that even though they've been worried about viruses disguised as mp3s (read: the .vbs files that plague file swapping networks) your point still stands.

-Ben

Re:Subject : Name : AC (2)

Jucius Maximus (229128) | more than 11 years ago | (#4922637)

"So, now when the users are afraid because of having virii in their mp3s, they are not stupid anymore?"

It's a good argument to get your friends to finally switch to ogg vorbis. I haven't encoded an mp3 since vorbis beta 3 (which was well before RC3) anyway.

Re:Subject : Name : AC (4, Insightful)

doofusclam (528746) | more than 11 years ago | (#4922757)

That's a feeble excuse for switching to Vorbis regardless of the merits of this format. It's like saying "They found vulnerabilities in Apache so I'm gonna change my webserver to something else"

I'm sure there are exploitable buffer overflows in Vorbis too but as the format is so little used (relatively), hackers ain't looking for them. The day Vorbis is more popular than mp3 is the day the hackers change what they're targeting.

seany

"hack me baby one more time" (4, Funny)

sweeney37 (325921) | more than 11 years ago | (#4922531)

looks like listening to the newest Britney Spears album will result in more than just bad taste.

Mike

Re:"hack me baby one more time" (1)

Nodatadj (28279) | more than 11 years ago | (#4922641)

is listening to britney spears something that results because you have bad taste, or do you have bad taste after you listen to britney spears?

Obvious reply (1)

triptolemeus (538604) | more than 11 years ago | (#4922532)

Makes me slowly wonder: is there a list of file formats around there that are actually safe on Windows, or are they all corrupt nowadays...

Obvious Answer (0)

Anonymous Coward | more than 11 years ago | (#4922559)

"Makes me slowly wonder: is there a list of file formats around there that are actually safe on Windows, or are they all corrupt nowadays..."

Uhhh ... .txt files?

Re:Obvious Answer (0)

Anonymous Coward | more than 11 years ago | (#4922647)

readme.txt

after reading this file run

format c:

Re:Obvious reply (4, Insightful)

archen (447353) | more than 11 years ago | (#4922610)

All file formats are safe, it's just the programs that read them.

In other news (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#4922537)

GNU HURD STILL doesn't support PS/2 mice, and serial mouse support is still alpha!

No problems here. (0)

Anonymous Coward | more than 11 years ago | (#4922539)

In Soviet Russia (-1)

Anonymous Coward | more than 11 years ago | (#4922542)

MP3s listen to you!

Buffer overflow yet again (5, Interesting)

graikor (127470) | more than 11 years ago | (#4922546)

Why hasn't Microsoft just changed the way it handles buffers to eliminate the weekly discovery of yet another buffer overflow exploit that compromises security? It's obvious to just about everyone else that any buffer that doesn't ignore excessive input will be a problem in the future - why does Microsoft insist on treating each one of these issues as though it was a totally new problem instead of making a global change to secure the OS from this kind of hack?

Re:Buffer overflow yet again (2, Funny)

Anonymous Coward | more than 11 years ago | (#4922587)

because it's a feature !

Re:Buffer overflow yet again (2, Insightful)

FortKnox (169099) | more than 11 years ago | (#4922603)

I'm guessing that it requires a retest of the entire OS (which isn't a half-bad idea).
Changing something THAT global could result in more harm than good.

Mind you, I think you are right, and that's what should be done; I'm just telling you what is (probably) on the architects'/lead developers' minds.

Re:Buffer overflow yet again (5, Funny)

Frosty Inc. (571723) | more than 11 years ago | (#4922617)

Because it would cost a lot of money to design and implement, something Microsoft doesn't hav...

Oh, wait a minute...

Re:Buffer overflow yet again (0)

Anonymous Coward | more than 11 years ago | (#4922620)

... why does Microsoft insist on treating each one of these issues as though it was a totally new problem instead of making a global change to secure the OS from this kind of hack?

They are... one patch at a time.

Re:Buffer overflow yet again (5, Informative)

Beryllium Sphere(tm) (193358) | more than 11 years ago | (#4922625)

This isn't exactly what you're asking about, but to Microsoft's credit they have added a flag to the compiler which adds a "canary" to the stack to detect stack-smashing. Better, the flag is on by default.

Changing "the way it handles buffers" is harder than it sounds. There's a huge amount of legacy code in shared DLLs, older operating systems and so on.

If Microsoft asked me to recommend a global change, I'd tell them to go through the agony of implementing least-privilege throughout their entire system architecture. That would be sheer hell, but at least it would contain the damage from whatever next week's security hole turns out to be.

Re:Buffer overflow yet again (0)

Anonymous Coward | more than 11 years ago | (#4922660)

If Microsoft asked me to recommend a global change, I'd tell them to go through the agony of implementing least-privilege throughout their entire system architecture

Least-privilege? Why not just go the whole way and do something like Palladium?

Re:Buffer overflow yet again (5, Informative)

NineNine (235196) | more than 11 years ago | (#4922648)

I dunno. Why doesn't Linux handle buffer overflows, also? There are always buffer overflow bugs in various apps, like Apache, the PHP mod, etc. Maybe there's no good way of doing it?

Re:Buffer overflow yet again (2, Interesting)

stratjakt (596332) | more than 11 years ago | (#4922705)

>> why does Microsoft insist on treating each one of these issues as though it was a totally new problem instead of making a global change to secure the OS

Palladium

Oh wait, you don't want that.

So what do you want?

won't affect most people (2, Interesting)

tps12 (105590) | more than 11 years ago | (#4922548)

This is more of a curiosity than any sort of danger. Most of us, when we get a new mp3 file, give it a listen to make sure it's not mislabeled, doesn't cut off in the middle of the song, and sounds okay. We throw out or fix the ones that aren't up to our standards. So the number of people who would let one of these dangerous mp3s just sit there and be scanned is probably pretty small. And as is usually the case when something like this is discovered, they probably deserve what they get for being such idiots.

Re:won't affect most people (1)

graikor (127470) | more than 11 years ago | (#4922577)

If you were a malicious hacker, you might put a corrupt ID3 tag in an otherwise valid mp3.

It's a moot point anyway - the very act of listening to the file in the first place to verify the quality of the mp3 would cause the corrupt ID3 tag to be loaded, and that's all the file needs to do the damage.

Affects more than you realize (2)

nurb432 (527695) | more than 11 years ago | (#4922582)

From what it says, by then it's too late.. As the act of verifying will let the malicious code take effect..

Unless i TOTALLY misunderstood....

Re:Affects more than you realize (ID3v1 vs. ID3v2) (5, Informative)

GreenHell (209242) | more than 11 years ago | (#4922706)

You're exactly right.

I think what the previous poster is thinking of is ID3v1 tags, which are located at the end of the MP3, so you don't get them until the MP3 finishes downloading (and what's more, they have a fixed size so they're easy to check, but that's beside the point).

Now, this bug involves ID3v2 tags. ID3v2 tags are located at the start of the MP3, which is why when you add one to an MP3 playing in Winamp you get a brief pause: it has to add it to the start of the file. Therefore, any MP3 with an ID3v2 tag will already have the potential of compromising you by the time it's downloaded enough to play part of the song if you preview them using Winamp.

I don't know how Explorer checks file attributes on MP3s, but I'm assuming that you're already in danger by this time too.
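The tag layout described above is why a player that trusts the declared length of an ID3v2 frame can be overflowed before the audio even starts. As an added example (not code from the story, Nullsoft or Microsoft), here is a bounds-checked ID3v2.3 title reader in C, with a constructed tag builder so the checks can be exercised offline; TITLE_MAX, the function names and the sample tags are assumptions made for this illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TITLE_MAX 64  /* assumed fixed-size destination, like a player's title display field */

enum id3_result { ID3_OK = 0, ID3_NO_TAG, ID3_BAD_HEADER, ID3_TRUNCATED, ID3_OVERSIZE };

/* Decode the 4-byte "synchsafe" tag size (7 data bits per byte, top bit must be clear). */
static int synchsafe_to_u32(const uint8_t *p, uint32_t *out) {
    uint32_t v = 0;
    for (int i = 0; i < 4; i++) {
        if (p[i] & 0x80) return -1;          /* not a valid synchsafe byte */
        v = (v << 7) | (p[i] & 0x7f);
    }
    *out = v;
    return 0;
}

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Walk an ID3v2.3 tag at the start of buf and copy the TIT2 (title) text into a fixed
 * buffer. Every length taken from the file is checked against the bytes actually present
 * and against the destination size before it is used; copying the declared length into
 * a fixed buffer without that last check is the class of bug the story describes. */
enum id3_result id3v2_extract_title(const uint8_t *buf, size_t len,
                                    char *title, size_t title_cap) {
    uint32_t tag_size;
    size_t pos, end;

    title[0] = '\0';
    if (len < 10 || memcmp(buf, "ID3", 3) != 0) return ID3_NO_TAG;
    if (buf[3] != 3) return ID3_BAD_HEADER;              /* only ID3v2.3 handled here */
    if (synchsafe_to_u32(buf + 6, &tag_size) != 0) return ID3_BAD_HEADER;
    if (tag_size > len - 10) return ID3_TRUNCATED;       /* header claims more than we hold */

    pos = 10;
    end = 10 + tag_size;
    while (pos + 10 <= end) {                            /* room for a frame header? */
        uint32_t frame_size;
        if (buf[pos] == 0) break;                        /* padding: no more frames */
        frame_size = be32(buf + pos + 4);                /* v2.3 frame sizes are plain big-endian */
        if (frame_size > end - (pos + 10)) return ID3_TRUNCATED;  /* frame runs past the tag */
        if (memcmp(buf + pos, "TIT2", 4) == 0) {
            size_t text_len;
            if (frame_size < 1) return ID3_BAD_HEADER;   /* must at least hold the encoding byte */
            text_len = frame_size - 1;
            if (text_len >= title_cap) return ID3_OVERSIZE;  /* refuse instead of overflowing */
            memcpy(title, buf + pos + 11, text_len);
            title[text_len] = '\0';
            return ID3_OK;
        }
        pos += 10 + frame_size;
    }
    return ID3_OK;                                       /* tag present, no title frame */
}

/* Constructed sample input (not a real file): an ID3v2.3 tag with one TIT2 frame whose
 * header declares `declared` bytes while `text_len` bytes of 'A' actually follow. */
size_t build_sample_tag(uint8_t *out, size_t cap, uint32_t declared, size_t text_len) {
    size_t tag_size = 10 + 1 + text_len;                 /* frame header + encoding byte + text */
    if (10 + tag_size > cap || tag_size > 0x0fffffffu) return 0;
    memcpy(out, "ID3", 3);
    out[3] = 3; out[4] = 0; out[5] = 0;                  /* v2.3.0, no flags */
    for (int i = 0; i < 4; i++)                          /* synchsafe tag size */
        out[6 + i] = (uint8_t)((tag_size >> (7 * (3 - i))) & 0x7f);
    memcpy(out + 10, "TIT2", 4);
    out[14] = (uint8_t)(declared >> 24); out[15] = (uint8_t)(declared >> 16);
    out[16] = (uint8_t)(declared >> 8);  out[17] = (uint8_t)declared;
    out[18] = 0; out[19] = 0;                            /* frame flags */
    out[20] = 0;                                         /* ISO-8859-1 text encoding */
    memset(out + 21, 'A', text_len);
    return 10 + tag_size;
}

/* Build one constructed sample and run the parser over it; returns the parser's verdict. */
enum id3_result demo_case(uint32_t declared, size_t text_len, char *title) {
    uint8_t buf[4096];
    size_t n = build_sample_tag(buf, sizeof buf, declared, text_len);
    return id3v2_extract_title(buf, n, title, TITLE_MAX);
}

int main(void) {
    char title[TITLE_MAX];
    printf("honest 5-byte title   -> %d (%s)\n", demo_case(6, 5, title), title);
    printf("300-byte title        -> %d\n", demo_case(301, 300, title));
    printf("frame claims 2 GB     -> %d\n", demo_case(0x7fffffffu, 5, title));
    return 0;
}
```

The second and third cases are the two shapes a hostile tag takes: real text longer than the destination, and a declared length far beyond the bytes present; both are rejected with a result code rather than copied.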

Re:won't affect most people (1)

Jaysyn (203771) | more than 11 years ago | (#4922584)

I'm sure there are 1000's of people who do the exact opposite of what you said.

I'm sure lots of people will just download something to have it, never check it, never listen to it.

Of course this is just my experience from the 100's of mislabeled files I've downloaded over P2P.

Jaysyn

Re:won't affect most people (5, Insightful)

Jucius Maximus (229128) | more than 11 years ago | (#4922599)

"This is more of a curiosity than any sort of danger. Most of us, when we get a new mp3 file, give it a listen to make sure it's not mislabeled, doesn't cut off in the middle of the song, and sounds okay. We throw out or fix the ones that aren't up to our standards. So the number of people who would let one of these dangerous mp3s just sit there and be scanned is probably pretty small."

The average person does not notice when a backdoor app is covertly installed on their machine. As long as the mp3 is actually what they wanted, chances are they will keep sharing it.

The even more dangerous part is that someone could be downloading mp3s and LOOKING for these trojans. And as soon as they find one, they can just go back to the IP of the machine they got the file from and have an instant DDOS zombie!

Or even better, if I am an RIAA employed disturber-of-the-peace, I could create a bunch of these trojaned mp3s, share them, and then whenever someone downloads one from my machine I could instantly use the backdoor to destroy their music collection. (But I'm sure the RIAA has already thought of that.)

WILL affect most people (5, Interesting)

gosand (234100) | more than 11 years ago | (#4922650)

This is more of a curiosity than any sort of danger. Most of us, when we get a new mp3 file, give it a listen to make sure it's not mislabeled, doesn't cut off in the middle of the song, and sounds okay. We throw out or fix the ones that aren't up to our standards. So the number of people who would let one of these dangerous mp3s just sit there and be scanned is probably pretty small. And as is usually the case when something like this is discovered, they probably deserve what they get for being such idiots.

I don't think so. I know people who download a lot of stuff, and if you have it set up to download 100 MP3s overnight, your system could be compromised by morning. Are you going to listen to those 100 MP3s first thing in the morning?

The kicker is that the odds you get compromised go up greatly if someone seeds Kazaa, or even a web page, with an infected MP3 file. They can see who is downloading it so they know the IP to attack. On a web page, they could get your IP out of the logs. I never thought an MP3 file would leave a system vulnerable, but I guess that is why this is a pretty scary vulnerability - nobody else would either.

blame the victim? (0)

Anonymous Coward | more than 11 years ago | (#4922662)

And as is usually the case when something like this is discovered, they probably deserve what they get for being such idiots.

One never deserves to be the victim of a crime.

Maybe the victim failed to be careful. Maybe the victim deserved to suffer. But it is the criminal who made the truly blameworthy decisions.

The only reason to blame the victim is laziness in identifying or punishing the culprit, or in some cases a tacit sympathy for same.

Re:won't affect most people (3, Informative)

illtud (115152) | more than 11 years ago | (#4922728)

So the number of people who would let one of these dangerous mp3s just sit there and be scanned is probably pretty small.

Read the Microsoft Bulletin [microsoft.com] (which I got yesterday). Opening a shared directory with one of these MP3s in will trigger the attack, or even previewing an email with one of these attached will execute it.


Here's MS's own words:

An attacker could seek to exploit this vulnerability by creating an .MP3 or .WMA file that contained a corrupt custom attribute and then host it on a website, on a network share, or send it via an HTML email. If a user were to hover his or her mouse pointer over the icon for the file (either on a web page or on the local disk), or open the shared folder where the file was stored, the vulnerable code would be invoked. An HTML email could cause the vulnerable code to be invoked when a user opened or previewed the email.

That is why it's ogg vorbis for me (-1)

Anonymous Coward | more than 11 years ago | (#4922554)

This is the reason I only burn to ogg now.

Why Does tracert Time Out At Exodus? +1 (-1, Troll)

Anonymous Coward | more than 11 years ago | (#4922560)

Before declaring U.S. in violation of U.N. Security Council resolutions

CANADIANS TO LEAD WEAPONS INSPECTION TEAM INTO USA

November 21, 2002

(Toronto) - A coalition of Canadian peace groups today
announced their intention to send an international team of
volunteer weapons inspectors into the United States later
this winter. The coalition, Rooting Out Evil, are recruiting
inspectors through their newly launched website,
Routing Out Evil [rootingoutevil.org].
"Our action has been inspired by none other than George W.
Bush," said Christy Ferguson, a spokesperson for the group.
"The Bush administration has repeatedly declared that the
most dangerous rogue nations are those that:
1) have massive stockpiles of chemical, biological, and nuclear weapons;
2) ignore due process at the United Nations;
3) refuse to sign and honour international treaties; and
4) have come to power through illegitimate means.
"On the basis of President Bush's guidelines, it is clear
that the current U.S. administration poses a great threat to
global security," said Ferguson. "We're following Bush's
lead and demanding that the U.S. grant our inspectors
immediate and unfettered access to any site in the country -
including all presidential compounds - so that we can
identify the weapons of mass destruction in this rogue
state," added David Langille.
Visitors to Rooting Out Evil's website are invited to sign
on as honorary members of the weapons inspection team.
Honorary inspectors can participate in the action, or they
can simply lend the support of their name as they would on a
petition. The actual inspection team that crosses the
border will be comprised of prominent individuals from
Canada and other countries.
The Rooting Out Evil coalition includes Greenpeace Canada,
the Centre for Social Justice, and the Toronto Committee
Against War and Sanctions on Iraq, and is supported by
American groups such as the National Network to End the War
Against Iraq, Global Exchange and the US section of the
Women's International League for Peace and Freedom. They
oppose the development, storage, and use of weapons of mass
destruction by any state.

--For information: David Langille or Christy Ferguson
info@rootingoutevil.org

David Langille, Director of Public Affairs
CENTRE FOR SOCIAL JUSTICE
489 College Street, Suite 303
Toronto, Ontario
M6G 1A5
Tel: 416-927-0777 x225
Fax: 416-927-7771
Toll free: 1-888-803-8881
Email: langille@socialjustice.org
Website: http://www.socialjustice.org
Not interested in a war against Iraq?

Become a Weapons Inspector [rootingoutevil.org]

Cheers,
Woot

Beware the Metadata (1)

pr0ntab (632466) | more than 11 years ago | (#4922566)

For it shall be your undoing.

Nothing really more needs to be said about this. I mean, 5 minutes on Kazaa will convince you of this. The metadata only serves those who create it, and it WILL be abused. We can consider malformed metadata as another form of said abuse. You would think the WinAMP devs would have recognized this.

So click the update button (4, Interesting)

AKnightCowboy (608632) | more than 11 years ago | (#4922568)

Click the Windows Update button and reboot and you're fixed. Or if you're like many people, the fix has already installed during an automatic update check last night. This isn't really news unless Slashdot is merging with Bugtraq (Slashtraq? Bugdot?). Are we just posting this to bash Microsoft once again? Automatic updates were one of the best new features they added to Windows and they make life much easier. Oh and no, I don't wrap tinfoil around my head worrying whether Microsoft is going to invade my PC and lock me out of it.

Re:So click the update button (2, Insightful)

Anonymous Coward | more than 11 years ago | (#4922652)

"Are we just posting this to bash Microsoft once again?"


Yes.

Sincerely,
Linus

Re:So click the update button (5, Insightful)

div_2n (525075) | more than 11 years ago | (#4922658)

So if NT SP4 had been automatically updating servers and workstations everywhere, that would have been a good thing?

You couldn't pay me to have my system automatically update itself with patches tested quite possibly only from the company that created it.

I would rather my system be vulnerable for a day or two than have the contents of my hard drive obliterated.

What if some patch disabled a computer's networking? What are Ma and Pa gonna do when that is the only computer they have? Download a fix using broken networking?

IMHO, automatic updating is a monumental disaster waiting to happen.

Re:So click the update button (0)

Anonymous Coward | more than 11 years ago | (#4922692)

/me checks his Enlightenment menus for a "Windows Update" button..

Nope, not there. Guess I have to worry then. Oh, damn, I use oggs not mp3s as well, so I guess that's not a problem either! :)

Re:So click the update button (5, Insightful)

MacAndrew (463832) | more than 11 years ago | (#4922704)

Like another poster I am very wary of updates to anything. Not needing a security patch in the first place is a heckuva lot better than beta testing a hastily written patch for free. Then there are the people who get nailed in the interim.

Also, on my [platform] I have seen only a few security updates a year on a young OS, some addressing obscure services I don't even use. What's the deal with MS? Why sweep this under the rug?

I don't buy that automatic bandaids are the answer to hemorrhaging code.

Hrm... virus scanning my MP3 collection (2, Funny)

rickthewizkid (536429) | more than 11 years ago | (#4922570)

Something tells me that my daily virus scan is gonna take a lot longer now...

Oh wait... it's a Windows problem... never mind...
RickTheWizKid
My purpose: to inject random comments...

Virus Scanning won't do jack (1)

kurokaze (221063) | more than 11 years ago | (#4922764)

unless the malicious tag itself has a virus signature.

Your only real protection is backups in case of data loss and something like ZoneAlarm to tell you if your machine has just become a zombie.

How long before... (3, Interesting)

bryhhh (317224) | more than 11 years ago | (#4922571)

we see a worm exploiting this, remember the last worm [symantec.com] that was executed without even opening a file.

Re:How long before... (2)

PetiePooo (606423) | more than 11 years ago | (#4922765)

This cannot be a self-propagating worm ala Nimda or Code Red. Simply put, it requires user interaction. A user must browse to an infected folder in order for the shellcode to be executed.

Since a properly administered server is not also a client, it should not be affected, even if a rogue client dumps an infected MP3 onto one of its shares. That is until the admin logs in via TermServ and starts poking around.. but that's still user interaction.

Hmm.. I wonder. If a person does a search of MP3's, does viewing it in the search window run the exploit? I bet it does..

Why does this matter to /.-ers? (5, Funny)

toupsie (88295) | more than 11 years ago | (#4922572)

You guys are all supposed to be using Ogg [vorbis.com] anyways! That way you can act like you are a snooty audiophile anytime a MP3 story is posted...

Re:Why does this matter to /.-ers? (4, Insightful)

13Echo (209846) | more than 11 years ago | (#4922621)

Most people don't use Ogg Vorbis for the quality. They use it for the license.

In high bitrate modes, there is little difference between properly encoded MP3s and OGG files. And high bitrate is what really matters, unless you are streaming over a low bandwidth connection (in which OGG is the clear winner due to size).

Maybe your comment would make sense if you were referring to something like FLAC from http://flac.sourceforge.net/ . MP3 and OGG are both lossy, so you really can't be a snooty audiophile if you use them. ;)

Why...... (1)

RyoSaeba (627522) | more than 11 years ago | (#4922576)

...do we need all this flash & bell things in Explorer / whatever in the first place ? Sure it's nice to see tags of a file without opening, but is it really necessary ? Couldn't people live without it ?
As for the buffer overflows, that isn't exactly a new thing, you'd like people to take better attention on those sort of things...
Oh, and that's a trouble also because Explorer runs with high-level privileges, too (just can't help smacking ms, sorry), that this kind of exploits can be annoying...

Re:Why...... (1)

bryhhh (317224) | more than 11 years ago | (#4922683)

do we need all this flash & bell things in Explorer / whatever in the first place ?

Unfortunately we are stuck with it in the latest versions of Windows. Personally I'd rather do without it and have a much more responsive system.

Explorer runs with high-level privileges

On any Windows system I've used, it runs with the same privileges as the user who is logged on. I guess the paranoid amongst us could run with an account with user rights, and then use runas to do everything that an account with user rights can't do.

Don't even need to have the file local? (4, Informative)

Jugalator (259273) | more than 11 years ago | (#4922579)

From Microsoft:

An attacker might attempt to exploit this in one of three ways:

* Host the file on a website. In this case, if a user were browsing the page containing the file and hovered over it with his or her mouse, the vulnerability could be exploited.

Eep!

* Host the file on a network share. In this case, if a user browsed to the network share and simply opened the folder which contained the file, it could cause the vulnerability to be exploited.

Gaah!

Also, it seems you can send an e-mail with the mp3 object in a frame (this is the third way of exploiting it) so you don't even need to click a link in Outlook / OE for it to be run. This shouldn't be possible on XP SP1 or a recently patched IE though.

Obligatory: (2)

Mr Guy (547690) | more than 11 years ago | (#4922624)

This shouldn't be possible on XP SP1 or a recently patched IE though.

Or, of course, Mozilla, Eudora, or Opera.

Disturbing that it's in WinAmp too. Guess that llama's ass only holds so much.

Freedom to innovate (3, Insightful)

c0y (169660) | more than 11 years ago | (#4922633)

It can't be denied any longer. Back in the day the poor virus writer had to rely on his victims to carry the payload through meatspace on floppies.

M$ has been continually improving virus transmission methods, and now you might be infected just by moving your mouse.

But do we really need to worry? After all, how many kiddies are out there bragging that they '@dm1n1str@t0r3d' someone's XP box. No, it's just not as sexy as r00t3d.

completely off topic (-1, Offtopic)

OpCode42 (253084) | more than 11 years ago | (#4922581)

In [www.soviet.russia] websites [links.to] you!

Re:completely off topic (-1)

Anonymous Coward | more than 11 years ago | (#4922667)

Yes. It's off-topic, and really stupid.

Don't be a homo.

The only thing funnier (2)

I Am The Owl (531076) | more than 11 years ago | (#4922591)

would be if they embedded these in Jon Bon Jovi MP3s.

Why are there still buffer overruns? (1)

boatboy (549643) | more than 11 years ago | (#4922605)

We all know what buffer overruns are [techtarget.com], but why do they seem to be so common? It would seem like this is something that could be easily prevented in the compiler or at most with very basic programming procedures. As many of us are programmers, any advice how to prevent these in our code? Is it possible to accidentally allow buffer overruns in other languages besides C (Java, C#, etc.)?

Re:Why are there still buffer overruns? (1, Informative)

Anonymous Coward | more than 11 years ago | (#4922696)

Umm...in the old days compilers wouldn't let you overrun your buffers. You can just turn on "range checking" in the compiler. While this does add overhead, if we programmers had enabled this feature, we'd have 90% fewer of these problems.

In defense of Microsoft... (5, Insightful)

MacAndrew (463832) | more than 11 years ago | (#4922615)

Oh, just kidding. :)

I would like to ask for factually-based opinions whether these innumerable highly dangerous security holes in MS software are more the result of the ingenuity of the hackers or the incompetence of the Microsoft design and testing process, or about 50:50. I am inclined to be prejudiced against Microsoft, so I would be REALLY interested in hearing reasoned defenses of their predicament, if such exist.

So, please, no MICROSOFT RULZ!!! or MICROSOFT SUX!!! I'm not asking for a vote.

Microsoft provides the #1 small-system OS, for better or worse, which means Windows will immediately be the hot target for black-hat types intent on spreading misery or demonstrating their hatred for the leviathan.

I know, too, that half the problem has been MS's arguably foolhardy decisions in adding dubious extensions to their software, like default enabling scripting in Outlook and macros in Word. But I'm kind of curious about the mistakes in doing their core work, like handling MP3's.

Last, I have trouble understanding how so many of these bugs come from a company with many of the brightest programmers. Is it largely a problem of scale and bureaucracy?

Share your concise insightful informative nonprofane fact-based reactions from experience? :)

Re:In defense of Microsoft... (1)

Jucius Maximus (229128) | more than 11 years ago | (#4922725)

"Last, I have trouble understanding how so many of these bugs come from a company with many of the brightest programmers. Is it largely a problem of scale and bureaucracy?"

Keep in mind that the guiding purpose of Microsoft is to increase shareholder value. If they can sell millions of copies of a product, even if it happens to be a bug-ridden piece of garbage, then that is good for them. They have probably found that devoting resources to fix those bugs before release would not be as good for profits as just releasing the dang thing and fixing the high-profile bugs later. Remember, it's about shareholder value. They must find the best medium between a competent product and a product that actually gets released on schedule and under budget.

From the point of view of increasing shareholder value, releasing a secure, bug free OS is bad for business. They have proven time and time again that people will buy their product for whatever reason, even if it is not at all secure. Now that they have a monopoly, user satisfaction is not part of the equation at all.

Of course when there is no shareholder value to increase, priorities change. For examples of how this system works, please observe GNU/Linux.

Re:In defense of Microsoft... (1)

TitleSeventeen (610091) | more than 11 years ago | (#4922730)

Microsoft may have very bright programmers, but the Linux community has thousands of very bright programmers across the world; you do the math.

Re:In defense of Microsoft... (1)

Fear the Clam (230933) | more than 11 years ago | (#4922743)

Microsoft provides the #1 small-system OS

But their security is for #2.

fixed version of WinAmp 2.81 and 3.0 (2)

Gregg M (2076) | more than 11 years ago | (#4922628)

You mean they patched both versions and gave them the same number?

Thanks for nothing Nullsoft.

Versions?? (5, Interesting)

bconway (63464) | more than 11 years ago | (#4922632)

Nullsoft has posted fixed version of WinAmp 2.81 and 3.0 on their web site."

Is there a reason they haven't released a new version with the bugfix instead of just uploading a new copy with the _same release number and date_? Both versions are listed as released in early or middle August, and there are no bugfixes listed anywhere on the site in regards to this. Site [winamp.com]. Are they trying to hide that it's been fixed, or just don't want anyone to figure it out?

Re:Versions?? (1)

()ils (633637) | more than 11 years ago | (#4922731)

Downloaded, installed and compared the "new" 2.81 with an older copy of 2.81. The file winamp.exe is exactly the same.

Re:Versions?? (5, Informative)

Edgewize (262271) | more than 11 years ago | (#4922754)

The file winamp.exe is exactly the same.

As it should be. ID3 tags are handled by the in_mp3.dll plugin.

Re:Versions?? (1)

Gtz (18854) | more than 11 years ago | (#4922735)

At least the 3.0 version has a different, higher build number than the vulnerable version. But you're right, silent updates really suck.

Re:Versions?? (2)

Night Goat (18437) | more than 11 years ago | (#4922759)

The new Winamp version is 2.81c. I don't know about version 3, that bastard crashes too much on my computers.

I have to hand it to Bill on this (5, Informative)

TerryAtWork (598364) | more than 11 years ago | (#4922675)

I was sent and installed the fix before I read about the vulnerability.

Re:I have to hand it to Bill on this (2)

MacAndrew (463832) | more than 11 years ago | (#4922742)

By Bill [Gates] Himself?

Wow. Most of us aren't that important.

Now, I wonder what was "sent and installed" with bugs in it? ;-)

Explorer workaround (4, Informative)

stratjakt (596332) | more than 11 years ago | (#4922677)

Tools->Folder Options

set Web View to "Use Windows Classic Folders"

I've always done this, having never trusted 'web content' in any folder I browse to (nor needing the extra overhead it causes drawing thumbnails of bitmaps and whatnot)

I believe any Windows that's upgraded to Media Player 7.1 and/or IE6 would be vulnerable, not just XP?

Re:Explorer workaround (2, Interesting)

MrP- (45616) | more than 11 years ago | (#4922699)

That would work, except for the fact that XP likes to randomly enable web content on random folders. Stupid bug.

Microsoft Security (0, Interesting)

jellomizer (103300) | more than 11 years ago | (#4922687)

This type of stuff blows my mind. What the heck is MS doing underneath their code? They are music files. When played, if altered, you should get static at the worst. You take the MP3, get the label information if it has it, decode the rest of the information, convert it for your sound card and you hear music. I see no good reason for the OS to really get involved except for opening and reading the file and allowing it to the sound card. I think MS should stop putting in these backdoors that hackers find and use.

Re:Microsoft Security (1)

ergo98 (9391) | more than 11 years ago | (#4922766)

I see no good reason for the OS to really get involved except for opening and reading the file and allowing it to the sound card.

The application is running in the OS, and as it's operating as your little slave, it has the privileges that you have on your PC (and from that, malicious code that spawns off when an MP3 ID, for instance, is longer than it expects and overwrites too small of a stack-based buffer also has the rights that you have on your PC). Hence if you're a user you can wipe all your user files, and if you're an admin you can wipe the machine.

This is no different than Linux, and buffer overflow exploits can be found equally on both; it just tends to be that the firms that make tonnes of publicity finding exploits (i.e. eEye) spend all their time scanning Windows applications because that gets press, whereas saying that you found a fault in some obscure Linux app gets ignored.
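Picking up boatboy's question about preventing overruns and ergo98's description of an ID tag longer than its stack buffer, here is an added C example (not code from Nullsoft, Foundstone or Microsoft) that puts the unbounded copy beside a length-checked ID3v2.3 title reader; the tag layout, the function names and the 64-byte buffer are assumptions for illustration.

```c
/* Added example (not Nullsoft's, Foundstone's or Microsoft's code): minimal ID3v2.3
 * title-frame reader, unbounded copy beside bounded.  Assumed layout: 10-byte "ID3"
 * header with 28-bit syncsafe size, then frames of 4-byte id + 4-byte size + 2 flags. */
#include <stdint.h>
#include <string.h>

/* Vulnerable pattern: n comes from the file, the 64-byte title buffer does not. */
void copy_title_unchecked(char *title, const uint8_t *p, size_t n)
{ memcpy(title, p, n); title[n] = '\0'; }   /* n >= 64 overruns the stack */

/* Bounded reader: every length checked against bytes present and destination; 1 = ok, 0 = rejected. */
int read_tit2(const uint8_t *buf, size_t len, char *title, size_t cap)
{
    if (len < 10 || memcmp(buf, "ID3", 3) != 0 || buf[3] != 3) return 0;
    if ((buf[6] | buf[7] | buf[8] | buf[9]) & 0x80) return 0;   /* not syncsafe */
    size_t tag = ((size_t)buf[6] << 21) | (buf[7] << 14) | (buf[8] << 7) | buf[9];
    if (tag > len - 10) return 0;                /* header claims more than present */
    size_t off = 10, end = 10 + tag;
    while (off + 10 <= end) {
        const uint8_t *f = buf + off;
        size_t fsz = ((size_t)f[4] << 24) | (f[5] << 16) | (f[6] << 8) | f[7];
        if (fsz > end - off - 10) return 0;      /* frame runs past the tag */
        if (memcmp(f, "TIT2", 4) == 0) {
            if (fsz < 1 || fsz - 1 >= cap) return 0;  /* byte 0 is the text encoding */
            memcpy(title, f + 11, fsz - 1);
            title[fsz - 1] = '\0';
            return 1;
        }
        off += 10 + fsz;
    }
    return 0;
}

/* Constructed sample: an ID3v2.3 tag holding one TIT2 frame of n 'A's, optionally
 * shortened by `cut` bytes so the header lies about how much tag data follows.
 * Returns read_tit2's verdict so accept/reject decisions can be tested. */
int check_title_frame(size_t n, size_t cut)
{
    uint8_t buf[4096]; char title[64];
    size_t fsz = n + 1, tag = 10 + fsz;
    if (10 + tag > sizeof buf || cut > 10 + tag) return -1;
    memcpy(buf, "ID3", 3); buf[3] = 3; buf[4] = buf[5] = 0;
    buf[6] = (tag >> 21) & 0x7f; buf[7] = (tag >> 14) & 0x7f;
    buf[8] = (tag >> 7) & 0x7f;  buf[9] = tag & 0x7f;
    memcpy(buf + 10, "TIT2", 4);
    buf[14] = fsz >> 24; buf[15] = fsz >> 16; buf[16] = fsz >> 8; buf[17] = fsz;
    buf[18] = buf[19] = buf[20] = 0;             /* flags, then ISO-8859-1 marker */
    memset(buf + 21, 'A', n);
    return read_tit2(buf, 10 + tag - cut, title, sizeof title);
}
```

The bounded reader rejects a title that would not fit (the unchecked copy would instead write past the 64-byte buffer) and rejects a tag whose header promises more bytes than the file holds.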

File associations in WinXP (2, Insightful)

PetiePooo (606423) | more than 11 years ago | (#4922693)

Long ago, I decided that Windows 2000 was going to be my last mainline MS operating system. Since Linux is making great strides towards usability on the desktop, it looks like I'll never have to rely on having XP on my PC. Now, I just have to make sure I keep Winamp current along with all my other applications.

However, this brings up an interesting question. Short of modifying the registry entries in HKEY_CLASSES_ROOT, is there any way to avoid all the cutesy stuff MS has been doing with file associations? I seem to remember a Win95/NT/2k shell extension that did something similar to the MS code that's being exploited. It popped up an additional property sheet with all the ID3 tag info. Could someone use that instead of the Windows shell without severely hacking the registry?

It also reopens an old sore. If the Windows Media Player were installed as an "application," not as "part of the operating system," this shell code would not be needed until WMP is installed. Those smart enough to search for better media-playback solutions would not be subjected to this vulnerability. Thanks, Microsoft! DOJ, are you paying attention?

And one more observation: now that MP3 files can carry shellcode, the virus scanners will have to start scanning them too. More processor overhead, longer scan times, moan, gripe, ...

Dupe Poll! (0, Funny)

Anonymous Coward | more than 11 years ago | (#4922709)

How long until the story gets duped:

A) 15 minutes
B) 1 hour
C) 2 hours
D) 6 hours
E) 1 day

Nullsoft: What's this thing called version numbers? (0)

ArGeRuS (222391) | more than 11 years ago | (#4922710)

[john@cobetoar][/usr/storage/public/w32/winamp] ls -l winamp3*
-rwxr-xr-x 1 john storage 3269351 Dec 16 18:48 winamp3_0-full.exe
-rwxr-xr-x 1 john storage 3510536 Aug 28 12:15 winamp3_0-full_org.exe

New slogan for Microsoft... (1, Funny)

Anonymous Coward | more than 11 years ago | (#4922738)

"Where do you want to buffer overflow today?"

How does a buffer overflow allow code execution? (2, Interesting)

og_sh0x (520297) | more than 11 years ago | (#4922747)

Thanks to Boatboy for the explanation of buffer overflows [techtarget.com], but what I've never understood about buffer overflows is how they allow you to execute arbitrary code? Can anyone explain?

danger for gnutella networks..? (2)

kipple (244681) | more than 11 years ago | (#4922756)

Will the MPAA and RIAA now have a new weapon against pirates?
And if they do, will executing remote code using a vulnerability be legal? :)

[just provoking]