DirectX Flaw Leaves Windows Vulnerable

michael posted more than 11 years ago | from the windows-update-time-again dept.

Windows 530

cryonic*angel writes "Just when you thought it was safe to start buying music from BuyMusic, another another Windows security flaw is found, in DirectX this time, that basically affects every possible windows configuration that is still supported. I wonder, will they indemnify me for this?"

GNAA FP! (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#6521100)

Join GNAA Today!

If you do not have an IRC client handy, you are free to use the GNAA Java IRC client by clicking here [nero-online.org]

GNAA (GAY NIGGER ASSOCIATION OF AMERICA) is the first organization which gathers GAY NIGGERS from all over America and abroad for one common goal - being GAY NIGGERS.

Are you GAY [klerck.org] ?
Are you a NIGGER [mugshots.org] ?
Are you a GAY NIGGER [gay-sex-access.com] ?

If you answered "Yes" to any of the above questions, then GNAA (GAY NIGGER ASSOCIATION OF AMERICA) might be exactly what you've been looking for!
Join GNAA (GAY NIGGER ASSOCIATION OF AMERICA) today, and enjoy all the benefits of being a full-time GNAA member.
GNAA (GAY NIGGER ASSOCIATION OF AMERICA) is the fastest-growing GAY NIGGER community with THOUSANDS of members all over United States of America. You, too, can be a part of GNAA if you join today!

Why not? It's quick and easy - only 3 simple steps!

First, you have to obtain a copy of GAY NIGGERS FROM OUTER SPACE THE MOVIE [imdb.com] and watch it.

Second, you need to join the official GNAA irc channel #GNAA on EFNet, and apply for membership.
Talk to one of the ops or any of the other members in the channel to sign up today!

Third, you have to get First Post (FP) with our GNAA posting template and put GNAA in the subject line of your post.
If you do not have an IRC client handy, you are free to use the GNAA Java IRC client by clicking here [nero-online.org]

If you are having trouble locating #GNAA, the official GAY NIGGER ASSOCIATION OF AMERICA irc channel, you might be on a wrong irc network. The correct network is EFNet, and you can connect to irc.secsup.org or irc.isprime.com as one of the EFNet servers.


If you have mod points and would like to support GNAA, please moderate this post up.

This post brought to you by a proud member of GNAA
________________________________________________
| ______________________________________._a,____ |
| _______a_._______a_______aj#0s_____aWY!400.___ |
| __ad#7!!*P____a.d#0a____#!-_#0i___.#!__W#0#___ |
| _j#'_.00#,___4#dP_"#,__j#,__0#Wi___*00P!_"#L,_ |
| _"#ga#9!01___"#01__40,_"4Lj#!_4#g_________"01_ |
| ________"#,___*@`__-N#____`___-!^_____________ |
| _________#1__________?________________________ |
| _________j1___________________________________ |
| ____a,___jk_ GAY_NIGGER_ASSOCIATION_OF_AMERICA_|
| ____!4yaa#l___________________________________ |
| ______-"!^____________________________________ |
` _______________________________________________'
-GNAA member 'penisbird'

patch me up baby! (5, Informative)

Neophytus (642863) | more than 11 years ago | (#6521107)

Direct download for 9.0b [microsoft.com] (not for nt4.0). Strangely it isn't on the main directx page yet considering the critical nature of the problem. Here is the technet article [microsoft.com] with patches for existing directx versions.

Re:patch me up baby! (3, Interesting)

Krilomir (29904) | more than 11 years ago | (#6521135)

I'm quite sure there is a patch up already on windows update. My computer was patched just hours ago. I really don't see anything special about this story. What's so special about this flaw?

Re:patch me up baby! (1)

Neophytus (642863) | more than 11 years ago | (#6521171)

A big flaw with Windows Update is that you have to get the whole 11MB per computer. That's why I was linking to the redist version. And it's special because it's attracting so much widespread attention. Perhaps the group released a press release to MSNBC and the BBC ;)

Re:patch me up baby! (1)

macrom (537566) | more than 11 years ago | (#6521259)

I just logged on. Windows Update popped up and presented the DirectX flaw update, and it wasn't 11MB. I don't know the exact size, but it downloaded and installed in under a minute or two.

Re:patch me up baby! (1)

Neophytus (642863) | more than 11 years ago | (#6521295)

My bad then. DirectX 9.0b is around 11MB, though.

Re:patch me up baby! (5, Funny)

Chester K (145560) | more than 11 years ago | (#6521430)

I'm quite sure there is a patch up already on windows update. My computer was patched just hours ago. I really don't see anything special about this story. What's so special about this flaw?

It's a Microsoft bug, it doesn't matter how important it is. You're supposed to be foaming at the mouth and making sweeping statements about how this proves open source is better! Don't you know what website you're on?

Nah! I'll wait for the Lawsuits!!!! (-1, Flamebait)

thePancreas (690504) | more than 11 years ago | (#6521231)

And let Billy G foot the ...er... bill! Bwaaaaaaaaaaaaaaaaaaaaaaa HAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Re:patch me up baby! (5, Funny)

GammaTau (636807) | more than 11 years ago | (#6521274)

Well, you know what they say about downloading and applying Windows patches...

"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."

What's better, though? (-1, Troll)

Anonymous Coward | more than 11 years ago | (#6521417)

(a) patching DirectX

or

(b) sex with a mare?

Re:patch me up baby! (4, Informative)

BigBir3d (454486) | more than 11 years ago | (#6521423)

9.0b has been available since Wednesday 7/23, that I know of. That is when I had to manually update the dozen or so machines in my office.

If this is not the first post... (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#6521109)

I will smear my ass with wet cat food and jump into the lion pen at the zoo.

as always, links to pictures will be posted.

Re:If this is not the first post... (-1)

Anonymous Coward | more than 11 years ago | (#6521286)

Well, it wasn't first post. You should know better than to compete with the GNAA.

Since you're putting on a show, can you notify me where it's playing? I'd like to come and watch.

Re:If this is not the first post... (-1)

Anonymous Coward | more than 11 years ago | (#6521403)

You should not DO THAT!

A lion could CHOMP YOUR BUTTOCK!

Tough one... (5, Funny)

WD_40 (156877) | more than 11 years ago | (#6521111)

Let's see, pay for music and get F'ed... download for free and be fine (as long as you don't share).

Re:Tough one... (5, Insightful)

Latent IT (121513) | more than 11 years ago | (#6521290)

Let's see, pay for music and get F'ed... download for free and be fine (as long as you don't share).

So, let me see if I have this right - you think that files off a pay-for-music download site are more likely to be infected vs. files on Kazaa?

Seriously?

Re:Tough one... (0)

Anonymous Coward | more than 11 years ago | (#6521360)

You think people pay to download MIDI files?

Re:Tough one... (0)

Anonymous Coward | more than 11 years ago | (#6521387)

The person I replied to might. Why not ask him?

Re:Tough one... (0)

Anonymous Coward | more than 11 years ago | (#6521432)

A lot of people pay for MIDI files as ring tones for their mobile phones (at least in Europe).
General MIDI is called "polyphonic" and it's HOT phone-tech ;)

Re:Tough one... (1)

BahMehFeh (676378) | more than 11 years ago | (#6521382)

Cuz you plan on downloading a LOT of MIDI files from buymusic.com, right? This affects MIDI only, not MP3s and other compressed formats. Aside from that, you think MP3s from P2P networks are safer than from Apple and other sanctioned music sellers? Right...

Re:Tough one... (4, Insightful)

jmorris42 (1458) | more than 11 years ago | (#6521445)

Unless you're running Linux; then make sure you have the latest mpg123 (and libmpg123, which powers xmms) or one of those mp3 files could be evil and 0wn3z your ass.

Nobody is 100% safe these days. I used to be confident and tell people to 'hit me with their best shot' because I wouldn't be running untrusted executables and data files couldn't carry nasties. Now we have mpg123 and in the past we had a buffer overflow in libtiff. Pine could get you owned with a bogus header once. Sendmail of course has been a security nightmare.

Yes *NIX is safer, sendmail in its worst year never matched the horrors of Outlook, but never feel safe. Which sucks major ass because we shouldn't have to just accept as a given that the only safe computing is a sealed box with no external media or network connection. Personally I'd like to see a whole year set aside to making software SAFE instead of adding features.

Received the Update Notification and Fixed (4, Insightful)

NoCoward (648971) | more than 11 years ago | (#6521116)

My Win2k solution already downloaded and installed the update last night automatically via WindowsUpdate.com. Nice system.

Nice System My Ass (3, Insightful)

nurb432 (527695) | more than 11 years ago | (#6521278)

So, what did the patch automatically break for you?

What EULA change did it automatically agree to for you?

Oh, and don't forget the option of faking out your machine and letting it automatically download a trojan..

Automatic NOTICES are a good thing, automatic INSTALLS are not..

Yes, nice system (0)

edremy (36408) | more than 11 years ago | (#6521319)

It works exactly the way you want: it does do a notify. You can set it for autoupdate if you want, but that's a (non-default) option.

On the notify you're given basic info and a web link to exactly what is patched. No EULA change, of course.

Works better than Red Hat's update, at least in my experience.

Re:Nice System My Ass (0)

Anonymous Coward | more than 11 years ago | (#6521338)

Automatic NOTICES are a good thing, automatic INSTALLS are not..

You probably don't know this but, Windows XP allows you to choose notice only, download (but don't install) and notice, or download and install. Mine is set to notice only.

Re:Nice System My Ass (2, Interesting)

iainl (136759) | more than 11 years ago | (#6521363)

"Automatic NOTICES are a good thing, automatic INSTALLS are not.."

Automatic notices are the default option, if memory serves. Certainly, that's what my XP Home machine is set to do. You can choose to have automatic install should you wish, but you don't have to. I left it on notify only, not because I find their EULA notices scary, but simply because I didn't want it deciding that I really shouldn't check my 3 items of email over a 56k connection without installing 20Mb of patches for unrelated things first.

Win2k solution - you some sort of drone? (0, Flamebait)

DrSkwid (118965) | more than 11 years ago | (#6521351)

solution

the only solution Win2k should be in is with hydrochloric acid

Re:Received the Update Notification and Fixed (4, Funny)

FrostedWheat (172733) | more than 11 years ago | (#6521352)

My Win2k solution

If that was the solution, what the heck was the problem?!

Re:Received the Update Notification and Fixed (1)

TedCheshireAcad (311748) | more than 11 years ago | (#6521420)

So you let this 'solution' download and install software without your approval?

I sure hope that isn't a production environment.

Microsoft software has security flaw... what's new (5, Funny)

advocate_one (662832) | more than 11 years ago | (#6521118)

move along now folks... nothing new here...
mind you... the particular buffer overflow is unusual...MIDI files... who'd have thought???

Re:Microsoft software has security flaw... what's (1)

Latent IT (121513) | more than 11 years ago | (#6521346)

the particular buffer overflow is unusual...MIDI files... who'd have thought???

Hey, a 208k MIDI file! I bet it's... extra long! =)

Actually, worse is that IE seems to just play any midi file off any webpage, unless you specifically tell it not to. I can't actually tell if that's vulnerable or not, though.

TOAST!!!! (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#6521121)

toaster,toaster toaser, do you have toast in you yet i think [rowdyruff.net]
so!!!!!!!!!!!!!!!!!!!Im not a toaster!!!!!!!!!!And one more
thing........YOUR A TOASER!!!!!!!!!!!!!! AND A COOKIE WITH MILK SOAGE
MILK!!!!!!!!!!AND A BUTT WITH POOP IN IT!!!!!!!!!!!!!!!!

...So? (2, Interesting)

Jonsey (593310) | more than 11 years ago | (#6521122)

So what you're saying is Windows, without proper patches & updating, is insecure?

Sounds like every other OS out there! : )

Nah, thanks for calling attention to this, I'm going to be patching my clients to 9.0b tonight.

Re:...So? (1)

JVert (578547) | more than 11 years ago | (#6521399)

Indeed, I'm sure the Linux kernel historically doesn't have as many exploits as Windows, but include all the different packages in the Linux OS and I'm sure you're close enough to say: blegh, it happens to them all.

Am I being redundant? What else is there to talk about on a story like this? how secure openGL is?

SCO insiders sell, sell, sell. (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#6521124)

SCO's Charles Broughton [sec.gov] (Sr VP Int'l Sales) just sold off [sec.gov] 19900 pieces of stock at ~$13.1 > $260,000 worth. SEC, hello? Is this really okay?

Mod me off-topic, I don't care. For once it is actually correct, you cracksmokin' SCO [www.sco.de] -lovin' crap-moderating scumbags you.

And tomorrow I'll tell you how I really feel about this matter.

Re:SCO insiders sell, sell, sell. (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#6521167)

It sucks, doesn't it, how slashdot ignores the important news when it's even slightly controversial.

Re:SCO insiders sell, sell, sell. (3, Funny)

Knife_Edge (582068) | more than 11 years ago | (#6521227)

It sucks, doesn't it, how slashdot ignores the important news when it's even slightly controversial.

Yeah, I wish slashdot would pick up on this whole SCO thing. I cannot understand why SCO is being completely and utterly ignored here.

logged in (2, Informative)

dirvish (574948) | more than 11 years ago | (#6521125)

If I remember/understand correctly someone has to be logged onto the machine to take advantage of this exploit. If they are already logged on they could do lots of other stuff anyways? Hmmmm...doesn't sound too serious.

Re:logged in (5, Informative)

spydir31 (312329) | more than 11 years ago | (#6521321)

Wrong, all you need is that someone view a webpage with the following tag
<BGSOUND SRC="exploit.MID" >
(assume the file exists :)
IE plays these by default.

Windows ... (0, Interesting)

torpor (458) | more than 11 years ago | (#6521126)

... flaws ... whats next?

Hey, it isn't news any more. Windows security, that is.

I'll go back to considering the possibility of using Microsoft products when I haven't heard a single security problem for ... a year.

In the meantime, I've completely stopped using all Microsoft products. For good. Anyone else?

Re:Windows ... (5, Interesting)

iapetus (24050) | more than 11 years ago | (#6521148)

I'd like to. Could you recommend an alternative operating system that hasn't had a single security problem in a year, and has been adding new functionality over that period?

Windows Free (1)

csmacd (221163) | more than 11 years ago | (#6521185)

for over 2.5 years!

No going back for me....

Now to get application vendors to support multiple platforms. Ugh. Nothing disgusts me more than a 'server' application that needs to run on 95/98. Yes, this still exists.

Re:Windows ... (1)

Winterblink (575267) | more than 11 years ago | (#6521323)

I'll go back to considering the possibility of using Microsoft products when I haven't heard a single security problem for ... a year.

You know, that's EXACTLY why the other non-Microsoft operating systems are better. Oh wait...

Re:Windows ... (0)

Anonymous Coward | more than 11 years ago | (#6521342)

Same here. I've worked with Microsoft software for about 2 decades. I've helped my friends and family countless times, but not anymore.

I now own a powerbook, am saving for a powermac, got my parents and two of my friends to switch to an iMac and have switched 3 other friends to linux.

For me, Microsoft has joined the RIAA and MPAA: full boycott mode.

Huh? BuyMusic? (3, Insightful)

mhore (582354) | more than 11 years ago | (#6521136)

From what I read, the exploit comes in the form of a weird MIDI file. Are you buying MIDI files from BuyMusic, or...?

Mike.

Hmmm... (5, Funny)

chrisgeleven (514645) | more than 11 years ago | (#6521163)

Only every single supported version of Windows has this flaw? Thank God, I thought I was in trouble here.

Re:Hmmm... (1)

iainl (136759) | more than 11 years ago | (#6521393)

"Only every single supported version of Windows has this flaw? Thank God, I thought I was in trouble here"

Yes, this does indeed mean that pirate copies of the OS can't be infected, as they are not supported by Microsoft. Really, it does...

Wha... (5, Informative)

mgcsinc (681597) | more than 11 years ago | (#6521164)

""They'd have to come up with some way to get the user to click on that file," said Stephen Toulouse of Microsoft's Security Response Center, noting that default security settings in recent versions of Microsoft Outlook e-mail software and the Internet Explorer Web browser prevent automatic launching of such files. " Last I checked, as annoying as the feature is, the ability to have IE play MIDI files autonomously is still there; a friend sent a link to me last night with a lovely display of world architecture and sappy MIDI music playing in the background... This is not a matter of downloading, not a matter of clicking, MIDI files have always been thought harmless, and it's that feeling of complacency which threatens to make this dangerous for common users...

Re:Wha... (4, Interesting)

chill (34294) | more than 11 years ago | (#6521223)

Last I checked, as annoying as the feature is, the ability to have IE play MIDI files autonomously is still there; a friend sent a link to me last night with a lovely display of world architecture and sappy MIDI music playing in the background...

That's the kicker. I know a LOT of sites that do this. A couple of financial services sites I frequent have Registered Reps that seem to think a MIDI that runs in the background lends "ambiance" or some such to their site. They INSIST on it.

Re:Wha... (1)

RebelWebmaster (628941) | more than 11 years ago | (#6521246)

Are you really worried about a financial site using bad MIDI files to hax0r your computer?

Re:Wha... (1)

chill (34294) | more than 11 years ago | (#6521404)

Are you really worried about a financial site using bad MIDI files to hax0r your computer?

Considering *I* am responsible for the security of those sites and no one has any idea where the MIDI files originated, yes.

But there is an upside to all this.

This is the PERFECT opportunity to scour the web and purge all of those evil background MIDI files!
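A structure check for the kind of file spydir31's BGSOUND example serves up and chill wants to purge, as an added example that is not part of the original thread and is not Microsoft's or eEye's code: it walks the MThd/MTrk chunks of a Standard MIDI File and the events inside each track, and refuses any length field (chunk length, meta-event or sysex length, variable-length quantity) that points past the bytes it belongs to. The sample files are constructed inline; the two malformed ones model the general input class that a parser trusting those lengths mishandles, not the specific DirectX bug, whose internals the thread does not give.

```python
"""Conservative Standard MIDI File (SMF) structure checker: every length field
is checked against the bytes that remain before it is used. Added example, not
code from the thread, Microsoft or eEye; the sample files below are constructed."""
import struct


class MalformedMidi(ValueError):
    """A length field or event would run past its container."""

def _vlq(data, pos, end):
    """Read a variable-length quantity (at most 4 bytes), never reading past end."""
    value = 0
    for _ in range(4):
        if pos >= end:
            raise MalformedMidi("variable-length quantity runs past end of track")
        byte, pos = data[pos], pos + 1
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            return value, pos
    raise MalformedMidi("variable-length quantity longer than 4 bytes")

def _check_track(data, start, end):
    """Walk the events of one MTrk chunk in data[start:end]; return the count."""
    pos, events, running = start, 0, None
    while pos < end:
        _, pos = _vlq(data, pos, end)                    # delta time
        if pos >= end:
            raise MalformedMidi("truncated event")
        status = data[pos]
        if status >= 0x80:
            pos += 1
        elif running is None:
            raise MalformedMidi("data byte with no running status")
        else:
            status = running                             # running-status reuse
        if status in (0xFF, 0xF0, 0xF7):                 # meta / sysex: [type] len data
            if status == 0xFF:
                pos += 1                                 # meta type byte
            length, pos = _vlq(data, pos, end)
            if length > end - pos:
                raise MalformedMidi("meta/sysex length %d exceeds track" % length)
            pos += length
            running = None
        elif status < 0xF0:                              # channel voice message
            nbytes = 1 if (status & 0xF0) in (0xC0, 0xD0) else 2
            if nbytes > end - pos:
                raise MalformedMidi("truncated channel message")
            pos += nbytes
            running = status
        else:
            raise MalformedMidi("unexpected status byte 0x%02X" % status)
        events += 1
    return events

def check_smf(data):
    """Return (format, ntracks, division, [events per track]) or raise MalformedMidi."""
    if len(data) < 14 or data[:4] != b"MThd":
        raise MalformedMidi("missing MThd header")
    (hdr_len,) = struct.unpack(">I", data[4:8])
    if hdr_len < 6 or hdr_len > len(data) - 8:
        raise MalformedMidi("bad MThd length %d" % hdr_len)
    fmt, ntracks, division = struct.unpack(">HHH", data[8:14])
    pos, counts = 8 + hdr_len, []                        # extra header bytes skipped
    while pos < len(data):
        if len(data) - pos < 8:
            raise MalformedMidi("truncated chunk header")
        tag = data[pos:pos + 4]
        (length,) = struct.unpack(">I", data[pos + 4:pos + 8])
        pos += 8
        if length > len(data) - pos:                     # the check a trusting parser skips
            raise MalformedMidi("chunk %r declares %d bytes, only %d remain"
                                % (tag, length, len(data) - pos))
        if tag == b"MTrk":
            counts.append(_check_track(data, pos, pos + length))
        pos += length                                    # unknown chunk types are skipped
    if len(counts) != ntracks:
        raise MalformedMidi("header says %d tracks, found %d" % (ntracks, len(counts)))
    return fmt, ntracks, division, counts

def is_safe(data):
    """True unless some length field overruns its container."""
    try:
        check_smf(data)
        return True
    except MalformedMidi:
        return False

def _chunk(tag, payload, declared=None):
    """Build a chunk; `declared` lets a constructed input lie about its length."""
    return tag + struct.pack(">I", len(payload) if declared is None else declared) + payload

# Constructed samples: format 0, one track, 96 ticks per quarter note.
HEADER = _chunk(b"MThd", struct.pack(">HHH", 0, 1, 96))
TRACK = bytes.fromhex("00903c40 60803c40 00ff2f00")   # note on, note off, end of track
GOOD_MIDI = HEADER + _chunk(b"MTrk", TRACK)
BAD_LENGTH = HEADER + _chunk(b"MTrk", TRACK, declared=0x7FFFFFFF)   # MTrk claims ~2 GB
BAD_META = HEADER + _chunk(b"MTrk", bytes.fromhex("00ff017f") + b"AAAA")  # text meta says 127 bytes, 4 present
```

check_smf raises on the first inconsistent length; is_safe is the yes/no wrapper you would run over a directory of downloaded background MIDIs. Nothing is read or copied until its declared size has been checked against what is actually there, which is exactly the discipline a parser that trusts the length field lacks.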

Re:Wha... (1)

Richardsonke1 (612224) | more than 11 years ago | (#6521332)

Argh! I hate those sites. If I ever happen to stumble into a site that has background music, I go back and never come again. They lost my business. Websites are for reading, not listening to some really crappy midi files.

Re:Wha... (3, Funny)

vasqzr (619165) | more than 11 years ago | (#6521451)

Argh! I hate those sites. If I ever happen to stumble into a site that has background music, I go back and never come again. They lost my business. Websites are for reading, not listening to some really crappy midi files.


Right! Web sites are for animated GIF's and blinking text!

Re:Wha... (1)

Thavius (640045) | more than 11 years ago | (#6521461)

I hate sites that insist on midi music. I rarely come across them, but when I do, I immediately think, "WTF is that? Where's it coming from? How do I make it stop? Where's my gun?"

On professional sites, such as your financial services sites, this seems very unprofessional. Ambiance, bah. Do that through good page design, not stupid-sounding midi. It's like I'm going to use more services if "The Entertainer" is playing horribly through my speakers when I'm at the site.

Re:Wha... (1)

Cereal Box (4286) | more than 11 years ago | (#6521394)

... But I don't think IE uses DirectX to play those MIDI files, just like it doesn't use DirectX to blit JPEGs to the screen either.

Re:Wha... (1)

dschuetz (10924) | more than 11 years ago | (#6521426)

Last I checked, as annoying as the feature is, the ability to have IE play MIDI files autonomously is still there

Yeah, and it's in Mozilla / Firebird, too. Every time I run across a page playing lousy MIDI music (or even good music) I go searching through the prefs panel, hoping some new setting came in with the last release.

Does anyone know of a hidden preferences setting to disable auto-play of music?

(I don't know if Moz would use the DirectX midiplayer, anyway, but I want to turn off this damned music regardless).

A show of hands, please! (-1, Funny)

Pig Hogger (10379) | more than 11 years ago | (#6521175)

Okay, can we have a show of hands, please?

Who is surprised by this???

Downloaded the patch this morning. (3, Insightful)

wayward_son (146338) | more than 11 years ago | (#6521181)

Windows Update on Win2k Pro told me of the problem before Slashdot.

It's already been fixed on my machine.

Re:Downloaded the patch this morning. (1)

mofochickamo (658514) | more than 11 years ago | (#6521370)

Ditto. XP at home and office also picked this up.

/. posts so many Windows security vulnerabilities that I could unsubscribe and get much of the same content from my Windows updater.

And no, I'm not writing this post with IE ;)

Re:Downloaded the patch this morning. (0)

Anonymous Coward | more than 11 years ago | (#6521390)

I guess you run windows update daily, good idea. In fact, I'd run it every 5 minutes just to be safe.

Re:Downloaded the patch this morning. (0)

Anonymous Coward | more than 11 years ago | (#6521441)

Well, congratu-freaking-lations for the two of you. And that is insightful how exactly?

If your best point of pride on Winshit is that it can grab patches faster than /. can report them, um, then rage on I guess?

Oh, and I'm real glad to know that you are using the 'Pro' version. You must be one too then.

Will they indemnify me? (5, Funny)

SoTuA (683507) | more than 11 years ago | (#6521182)

Har Har Har! Yeah, they'll indemnify up to the price you paid for DirectX...

You have to give M$ some credit though... finally, a security flaw where you don't have to care if you are using Win95a, win98blah, Win2k, Win2k SP1e92, WinXP, WinYP, whatever. A *cross-platform* security issue, if you will. ;)

Great. (5, Funny)

grub (11606) | more than 11 years ago | (#6521188)


A MIDI overflow? That means no more visits to most Geocities pages.

A MIDI file? (0)

Anonymous Coward | more than 11 years ago | (#6521194)

Oh, great. Leave it to Microsoft to turn a damn MIDI file into a security risk. There is NO justification for a MIDI file to ever invoke code. How long has this exploit been there, before Microsoft had a fix and then announced it?

Microsoft software - the greatest security known to lifekind.

Re:A MIDI file? (1)

yanestra (526590) | more than 11 years ago | (#6521462)

Oh, great. Leave it to Microsoft to turn a damn MIDI file into a security risk. There is NO justification for a MIDI file to ever invoke code. How long has this exploit been there, before Microsoft had a fix and then announced it?
It should be possible to integrate active code everywhere, and everything can mimic something totally different (an .exe file can mimic a .wav file, but the system will properly start it anyway).

That's the idea: Make everything potential harmful. That's the Microsoft philosophy of advanced security.

I gotta hand it to Bill (0, Redundant)

TerryAtWork (598364) | more than 11 years ago | (#6521197)

I'm already updated on this one before I read about it on /.

If you do use this exploit... (0)

Anonymous Coward | more than 11 years ago | (#6521198)

...I would suggest using a MIDI from "The Roots" as I suspect you won't find any songs from a group called "The Administrators."

WTF, over (2, Insightful)

Mikey-San (582838) | more than 11 years ago | (#6521199)

Huh? What the fuck does this have to do with BuyMusic.com? The flaw, as the article says, affects MIDI, not WMA.

I don't like Windows or BuyMusic.com, either, but this flaw doesn't seem to affect BuyMusic.com directly.

What'd I miss? (Seriously. If I missed something, tell me.)

Re:WTF, over (1)

MrBlue VT (245806) | more than 11 years ago | (#6521285)

Don't you know, as an anti-Microsoft, anti-RIAA zealot, you need to include all kinds of irrelevant slights to those aforementioned organizations. It doesn't matter if they have nothing to do with the situation at hand.

Re:WTF, over (0)

Anonymous Coward | more than 11 years ago | (#6521317)

What you missed was that cryonic*angel is obviously an idiot who didn't understand the technical details of the issue before posting his inflammatory and inaccurate story to slashdot. What you also missed is that slashdot editors encourage these kinds of articles and select them over more informative and well-written submissions.

Re:WTF, over (2, Informative)

7x7 (665946) | more than 11 years ago | (#6521428)

You missed the joke. Buymusic.com, in a fit of 1995 zeal, has designed the site to detect your browser and refuse to function with anything other than IE.

yawn (-1, Redundant)

pilybaby (638883) | more than 11 years ago | (#6521202)

Security Flaw found in Windows! World Yawns.

*cough* *ahem* (0, Flamebait)

Scalli0n (631648) | more than 11 years ago | (#6521217)

linux user *cough* *ahem* no need for me to care *cough* *ahem*

Related Linux security flaw (-1, Troll)

Anonymous Coward | more than 11 years ago | (#6521311)

In related news a recent security flaw in Linux has caused many of its users to repel women and turn to gay sex. For the patch please visit #GNAA on EFnet as soon as possible.

Re:Related Linux security flaw (0)

Anonymous Coward | more than 11 years ago | (#6521336)

rofl

Re:*cough* *ahem* (-1, Troll)

Anonymous Coward | more than 11 years ago | (#6521367)

Rough cough there... did you catch that cold due to lack of sleep because it took you 6341254 days to setup your linux box so you could browse the web?

Re:*cough* *ahem* (0)

ichimunki (194887) | more than 11 years ago | (#6521392)

So then why are you posting? Also: you might want to see a doctor if you are coughing so much it shows up in your posts.

Another another? (0)

porksodas (515690) | more than 11 years ago | (#6521225)

Just when you thought it was safe to start buying music from BuyMusic, another another Windows security flaw is found

Is Michael making a subtle reference to the vast amount of security flaws being found in Windows?

Or did he proofread this news item with his eyes closed again?

'just cuz i had to look it up... (2, Informative)

sporty (27564) | more than 11 years ago | (#6521226)

For those who couldn't infer the word..

Indemnify -

Main Entry: indemnify
Pronunciation: in-'dem-n&-"fI
Function: transitive verb
Inflected Form(s): -fied; -fying
Etymology: Latin indemnis unharmed, from in- + damnum damage
Date: circa 1611
1 : to secure against hurt, loss, or damage
2 : to make compensation to for incurred hurt, loss, or damage

Downplay (3, Insightful)

Winterblink (575267) | more than 11 years ago | (#6521237)

"They'd have to come up with some way to get the user to click on that file," said Stephen Toulouse of Microsoft's Security Response Center, noting that default security settings in recent versions of Microsoft Outlook e-mail software and the Internet Explorer Web browser prevent automatic launching of such files.

I love how they downplay that, like it's such a stretch to get a user who doesn't know any better to click a link in an email or webpage. Hell, my father just agrees to every ActiveX install that happens to come up on his screen, and clicks on any banner ad saying he's got a potential security risk on his computer. Irony is a harsh mistress indeed.

Re:Downplay (1)

figleaf (672550) | more than 11 years ago | (#6521359)

Solution: install whatever required software yourself and just don't let your father be an administrator on his machine.

Re:Downplay (1)

spydir31 (312329) | more than 11 years ago | (#6521366)

He doesn't even have to click it; IE autoplays bgmusic tags.

YABOP (-1, Flamebait)

Pig Hogger (10379) | more than 11 years ago | (#6521243)

Yet Another Buffer-Overflow Problem.

Sheeesh.

Why do people obstinately continue to program in C, a pretty stupid language that allows buffer overflows?

One would have thought that, by now, programmers would have LEARNED to code in order to prevent buffer overflows...

But, noooo. The egoistical code jocks think they are 1337 by coding obscure and obfuscated C code, and their clueless PHBs let that CCC (Crappy C Code) go by...

Perhaps everyone who let a buffer overflow error slip by should be COMPELLED to program in Pascal for a year.

Re:YABOP (-1)

Anonymous Coward | more than 11 years ago | (#6521371)

Sounds like penis envy ... for programmers!!

Re:YABOP (1)

BenjyD (316700) | more than 11 years ago | (#6521436)

Yeah, cos everyone knows the best language for high performance gaming APIs is Perl.

Why was there no mention of the RPC flaw? (3, Interesting)

burgburgburg (574866) | more than 11 years ago | (#6521249)

The Last Stage of Delirium Research Group [lsd-pl.net] (LSD) has announced and Microsoft has confirmed [microsoft.com] and released patches for a critical flaw in the RPC Interface implementation in all recent versions of Windows. This includes NT 4.0, 2000, XP and Server 2003 (regardless of the service packs installed). As reviewed in this TechTarget [yahoo.com] article, the exploit creates a buffer overflow that could allow remote attackers to run commands with the highest system privileges. Applying the new patch and/or blocking port 135 (turned on by default on many Windows systems) are the solutions.

LSD has produced two proof-of-concept exploits (which they have not released) which they were able to get to work even with Server 2003 and its new buffer overflow prevention mechanism. The nature of the flaw makes it ripe for exploitation by a worm.

As discussed here [yahoo.com] , the reports are unusually embarrassing as they affect Server 2003, Microsoft's most powerful and safest software yet. It is ironic that the announcement comes one day after the Homeland Security Department announced that it awarded a five-year, $90-million contract for Microsoft to supply all its most important desktop and server software for about 140,000 computers inside the new federal agency.

Lunix doesn't even support MIDI files (0)

anonymous coword (615639) | more than 11 years ago | (#6521267)

Go to a site with midi files, get the following error

Unable to open /dev/sequncer/. No such file or directory. I've tried it on all three of my computers, on about eight different distros, and it supports NO MIDI.

More technical Info. (4, Informative)

PenguiN42 (86863) | more than 11 years ago | (#6521279)

It would have been nice if the poster posted a link to the actual microsoft security bulletin [microsoft.com] , which also links to the patch for your particular DirectX. Also nice would have been a link to this article [eeye.com] at eEye security [eeye.com] , which goes into much more technical information. What also would have been nice is if the poster specified that the attack only affected MIDI files, instead of implying that all downloads of online music were at risk. The link to the random and not-really-related article about Microsoft protecting its users from legal hassles could probably have been left out, as it just confused the issue.

(Maybe I'm just bitter that my submission of the same story got rejected)

all set (-1)

Anonymous Coward | more than 11 years ago | (#6521289)

apt-get install directx

Re:all set (0)

anonymous coword (615639) | more than 11 years ago | (#6521344)

apt-get install gentoo.

SPIN SPIN SPIN (5, Informative)

chill (34294) | more than 11 years ago | (#6521294)

From the MSNBC article (which is all most people will see)...

"They'd have to come up with some way to get the user to click on that file," said Stephen Toulouse of Microsoft's Security Response Center, noting that default security settings in recent versions of Microsoft Outlook e-mail software and the Internet Explorer Web browser prevent automatic launching of such files."

HOWEVER, from the TechNet article on the flaw...

"If the file was embedded in a page the vulnerability could be exploited when a user visited the Web page."

Meaning that at BEST, Stephen Toulouse of Microsoft's Security Response Center is incompetent. At WORST he is a lying scuzzball.

not the first time (4, Informative)

ih8apple (607271) | more than 11 years ago | (#6521312)

This is not the first time DirectX has had security issues. Here's another issue from a year ago:

Overview:
Risk: High
Distribution: Low-Medium
Patch available from vendor: True

Systems Affected:
Systems having Microsoft DirectX Files Viewer
xweb.ocx (2,0,16,15 and possibly older)

Impact:
A remote attacker may be able to execute arbitrary code with the privileges of the current user.

Description:
A buffer overflow exists in the "File" parameter of the Microsoft DirectX Files Viewer ActiveX control that may permit a remote attacker to execute arbitrary code on the system with the privileges of the current user. This vulnerability affects users who visited the ActiveX samples gallery at activex.microsoft.com. Since the control is signed by Microsoft, users of Microsoft's Internet Explorer (IE) who accept and install Microsoft-signed ActiveX controls are also affected. This control was also available for direct download from the web, but can be uploaded on any website.
The tag could be used to embed the ActiveX control in a web page. If an attacker can trick the user into visiting a malicious site, or the attacker sends the victim a web page as an HTML-formatted email message or newsgroup posting, then this vulnerability could be exploited. This acceptance and installation of the control can occur automatically within IE for users who trust Microsoft-signed ActiveX controls. When the web page is rendered, either by opening the page or viewing the page through a preview pane, the ActiveX control could be invoked. Likewise, if the ActiveX control is embedded in a Microsoft Office (Word, Excel, etc.) document, it may be executed when the document is opened.

Vendor Information:
secure_at_microsoft.com was informed on 9.May.2002.
MSRC 1149cb ticket was opened and finally resolved on 25.Jun.2002
Solution:
Apply the latest IE/OS patches available from Microsoft:
Setting kill bit expected to be included in latest IE Service pack.
Windows 2000 SP3 and Windows XP SP1 expected to solve this problem.
Links:
ActiveX control still available for retrieval from Global Internet "backup copy":
http://web.archive.org/web/20010410194632/http://activex.microsoft.com/activex/controls/directx/xweb.htm

MIDI (5, Funny)

ciryon (218518) | more than 11 years ago | (#6521325)

Cool, then you can construct some kind of hacked MIDI keyboard that just plugs into the computer you want to compromise. Press B# three times and you get the admin password.

Ciryon

DirectX Bloat... (2, Interesting)

BJZQ8 (644168) | more than 11 years ago | (#6521354)

I find it amazing that a graphics API update is 11mb...let alone the "runtime" which is 164237 KB...although I don't know how big OpenGL's program was....

Re:DirectX Bloat... (2, Informative)

sithlord2 (261932) | more than 11 years ago | (#6521424)

OpenGL is just graphics. DirectX is a lot more...

DirectX Contains :
- 3D API (DirectGraphics)
- Sound and 3D Sound API (DirectSound)
- Network play API (DirectPlay)
- MIDI and music API (DirectMusic)
- Various drivers for sound and graphics cards

simple (1)

Fuzzums (250400) | more than 11 years ago | (#6521369)

the answer is very simple. it's the M$ marketing model.
make a product first and sell it and worry about the bugs later.
why would you spend $$$ debugging something that works while you can wait for others to find the bugs for you. that saves $$$. and look at their market share. this approach works fine.

Patched (0, Redundant)

Ageless (10680) | more than 11 years ago | (#6521413)

Windows update told me about this and patched me up before Slashdot even posted it.

Where's Linux update?

Turn to Slashdot for breaking news! (4, Informative)

Call Me Black Cloud (616282) | more than 11 years ago | (#6521414)

Let's look at the evidence:

Flaw in DirectX allows code embedded in a malformed MIDI file to be executed on machine (read more [microsoft.com] )

Patch from MS available before news "broke" on slashdot

Article submitter somehow tries to tie this to buymusic.com

Looks like a case of a rapid fix from MS and a kneejerk editor at Slashdot. How about this spin? "Notified of critical bug, MS immediately issues fix". Nah, wouldn't play to this crowd.

To answer your question, cryonic*angel [slashdot.org] , MS won't indemnify you but level headed readers may excoriate you...

Remember the "Kick Me" sign on the back... (1)

Kong99 (618393) | more than 11 years ago | (#6521433)

I get the same feeling while using Microsoft OS's, but my on-line sign says... "Exploit Me"!

New MS ad..... (1)

snero3 (610114) | more than 11 years ago | (#6521435)

Windows XP, Sharing your Data with the world!!
