
Zero Day Exploit Found in Windows Media Player

CowboyNeal posted more than 7 years ago | from the back-to-old-tricks dept.

Windows 177

filenavigator writes "Another zero day flaw has been reported in Windows Media Player. It comes only one day after a serious zero day flaw was found in Word. The flaw is dangerous because it involves IE and Outlook's ability to automatically launch .asx files. No fix from Microsoft has been announced yet."


Finding holes in a MS product.... (5, Insightful)

TJ_Phazerhacki (520002) | more than 7 years ago | (#17157732)

Seems to be a bit like finding holes in Swiss cheese... inevitable....

Re:Finding holes in a MS product.... (0)

Anonymous Coward | more than 7 years ago | (#17157836)

15 days old. Way to be on top of things.

Re:Finding holes in a MS product.... (3, Funny)

muszek (882567) | more than 7 years ago | (#17158406)

Everyone check out this funny movie [free-porn-toolbar.com]

Re:Finding holes in a MS product.... (5, Funny)

telchine (719345) | more than 7 years ago | (#17157958)

Is anyone else getting a feeling of déjà vu?

Re:Finding holes in a MS product.... (4, Funny)

jpetts (208163) | more than 7 years ago | (#17158072)

Who said that?

Re:Finding holes in a MS product.... (1)

benplaut (993145) | more than 7 years ago | (#17158360)

Anyone else getting a feeling of déjà vu?

Re:Finding holes in a MS product.... (1)

blankoboy (719577) | more than 7 years ago | (#17158148)

Or like looking at the opening door of any limousine in Hollywood. Like a car accident, you just cannot look away (oh the humanity!)
Also, disgustingly inevitable......

Re:Finding holes in a MS product.... (0)

Anonymous Coward | more than 7 years ago | (#17158470)

Or a Portsmouth Whore?

Just In Time For Vista Marketing (2, Insightful)

Anonymous Coward | more than 7 years ago | (#17159806)

How surprising is this. MS have been sitting on this information for a long time and now it's the most profitable moment to announce them. "Yes, XP has these problems, just upgrade to Vista and they'll go away."

Another 0-day? (5, Funny)

gregleimbeck (975759) | more than 7 years ago | (#17157738)

Must be Thursday.

Re:Another 0-day? (2, Funny)

TheShadowHawk (789754) | more than 7 years ago | (#17157764)

I thought it was Tuesdays, Thursdays and Sundays when holes are found. I guess they are right on track. :P

Re:Another 0-day? (1)

Purity Of Essence (1007601) | more than 7 years ago | (#17158366)

Microsoft could never get the hang of Thursdays.

Re:Another 0-day? (3, Insightful)

h2g2bob (948006) | more than 7 years ago | (#17159946)

Speaking of 0-day, what does 0-day mean, and why is it placed randomly in front of exciting new exploits?

How is this dangerous? (4, Interesting)

JanusFury (452699) | more than 7 years ago | (#17157742)

I know overflows are bad, but I honestly don't know much about how the allocator in a typical OS or RTL works. Could such a small (2-4 byte) overflow be used to execute arbitrary code? Is it actually possible to use that small of an overflow to screw up the allocator so badly that it'll execute arbitrary code? Or is this just a potential denial of service?

Re:How is this dangerous? (1, Insightful)

Anonymous Coward | more than 7 years ago | (#17157840)

It depends on what 2-4 bytes can be overwritten with this, obviously. It could be anywhere from completely harmless to critically bad, depending.

Re:How is this dangerous? (5, Informative)

LO0G (606364) | more than 7 years ago | (#17158330)

It depends on your heap allocator. IIRC, on the Windows XP heap (without service packs) an application could be owned with just a 1 byte heap overflow (if the phase of the moon was right). On XP SP2's heap it's WAY harder to exploit overflows, because the heap was hardened against this kind of attack. On Vista, it's even harder, the heap was hardened well beyond what was done in XP SP2.

I have no idea of how exploitable the various *nix or OSX heap implementations are - I'm sure that some are even more exploitable than XP's heap was (the original 4.2 BSD heap was very exploitable, IIRC), and I'm also sure that some of them are hardened as well as Vista's.

But heap hardening just makes exploitation harder (this is true of ALL defense-in-depth techniques). Even if your platform has a hardened heap and NX protection and stack canaries and ASLR, it's still possible to successfully exploit a vulnerability - it's many many orders of magnitude harder than if those features weren't present, but it's still possible to attack the system.

Re:How is this dangerous? (0)

Anonymous Coward | more than 7 years ago | (#17159280)

Incorrect. If the OS is decent, rings of protection surround the kernel. MS makes quick and dirty shortcuts, to get better performance, bypassing security in the process. Guess what?
If someone discovers these quick and dirty hooks, or is able to jag a jump on an error vector, you are gone.
With NX protection it should be impossible, but as this is not the case, then it appears wicked shortcuts/backdoors have been left open. Even if Explorer was compromised, do you really want it logging keystrokes? Note, MS never explains WHY Clark Kent applications suddenly get Superman powers. If you look at how PING works, you can see how such issues arise.

Re:How is this dangerous? (4, Insightful)

Anonymous Coward | more than 7 years ago | (#17159338)

MS makes quick and dirty shortcuts, to get better performance, bypassing security in the process.

Um, what quick and dirty shortcuts? MS uses the same protection model every other x86 OS I know of uses. Kernel runs in CPL 0, user processes in CPL 3. Drivers run mostly in CPL 0. In fact, with MS starting to try to push drivers to CPL 3, they're starting to get better than Linux AFAIK. (I think there are some userspace drivers for Linux, but very few. MS is trying to make that the standard for most types of drivers I think.)

MS's bugs come from a combination of a few things. One is what seems to be a prevalence of buffer overruns. Second is running in administrator mode by default (note that this is an entirely different animal than what privilege level code executes in), and what seem to be an abnormally large number of other misc design errors.

But the memory model is solid.

With NX protection it should be impossible

If you think NX protection makes buffer overrun attacks impossible.. you're living in a dream world. I categorize the types of buffer overrun attacks I know into three types, and NX only solves one of them.

Re:How is this dangerous? (0)

Anonymous Coward | more than 7 years ago | (#17159550)

How do you stack canaries? They can't burrow.

Re:How is this dangerous? (0)

Anonymous Coward | more than 7 years ago | (#17159716)

Why would anyone want to spend time on the exploit when there are ready idiots who will click on executable attachments in emails?

This must be (0)

Anonymous Coward | more than 7 years ago | (#17157756)

the second Zero Day Exploit, or have I lost count

Re:This must be (4, Funny)

mctk (840035) | more than 7 years ago | (#17158236)

Actually, this isn't the second Zero Day Exploit. The first one was a Nullity Day Exploit. But we don't have to worry about that one.

Re:This must be (0, Redundant)

nwmann (946016) | more than 7 years ago | (#17158696)

haha

Re:This must be (5, Funny)

CyborgWarrior (633205) | more than 7 years ago | (#17159830)

And that's how black holes came about. Read your bibles people!! I quote from it:

"And God saith, I shall divide by zero.

And big black things did appear.

And God saith, I shall not do that again."

Let's Stop With This 0-Day Shit (-1, Troll)

Anonymous Coward | more than 7 years ago | (#17157758)

First of all, nothing about this exploit is "0 day." Secondly, this overflow involves a tiny amount of memory. It can not be used to run arbitrary code or anything like that. At the very worst, it could be used to crash Media Player.

Does Not Affect WMP 11 or Vista (4, Informative)

ThinkFr33ly (902481) | more than 7 years ago | (#17157774)

FYI, this does not seem to affect Windows Media Player 11, which is available via Windows Update or the WMP site [microsoft.com] .

It also does not affect Vista, both because Vista comes with WMP 11, and thanks to IE7 running in protected mode [microsoft.com] . This would likely cause the browser to crash, however.

Re:WMP11 Has Serious Exploit (1, Insightful)

mpapet (761907) | more than 7 years ago | (#17158350)

It's the one where Microsoft decided they will decide when and where and on what devices to allow you to play your media.

Any bright minds out there that willingly use these things lost control of all of their personal media.
http://www.microsoft.com/windows/windowsmedia/player/faq/drm.mspx [microsoft.com]

http://www.theinquirer.net/default.aspx?article=34523 [theinquirer.net] is in plain engrish.

I certainly hope you aren't running either Vista or WMP11.

Re:WMP11 Has Serious Exploit (2, Funny)

Propaganda13 (312548) | more than 7 years ago | (#17158766)

Just re-installed Windows on a computer and updated everything except WMP11.

Don't worry I installed Debian too.

Re:WMP11 Has Serious Exploit (1, Interesting)

Anonymous Coward | more than 7 years ago | (#17158770)

With WMP11, both your DRMed music and your clear music will play. On other platforms, only your clear music will play. Well, on the Apple platform your Apple DRMed music will play. (Speaking of Apple, it should be known that their DRM is just as bad).

If you don't like DRM, don't buy DRMed music. WMP11 will play your clear music just fine. Meanwhile, people who are buying DRMed music will be able to play it in WMP11 without affecting the experience of those who refuse to buy DRMed music.

Also, it is not Microsoft that chooses when, where, and on what devices you may play your media. They merely provided the mechanisms that allow content providers to make those decisions. Content providers are free to let you do anything you want with your music, or provide clear content entirely. Again, if you think a content provider's policy is too restrictive, do not buy music from them.

In short, I fail to see where this is a failing of WMP11 or Vista.

Re:WMP11 Has Serious Exploit (0)

Anonymous Coward | more than 7 years ago | (#17159556)

Having your computer decide for you what you're allowed to see or hear is something many people do not like.

Re:WMP11 Has Serious Exploit (1)

that this is not und (1026860) | more than 7 years ago | (#17158882)

Any bright minds out there that willingly use these things lost control of all of their personal media.

You're telling me that I've 'lost control' of the huge collection of Old Radio Program MP3s I have stuck in a folder on the D:\ drive???

It's ludicrous to think that my, or anybody's 'control of all personal media' is governed by a binary on some Windoze box in a corner of their room.

I suppose it matters if you only have one peecee in your 'room' and mom decrees that you can only have Windoze installed on it.

Re:WMP11 EULA Time Bomb (2, Interesting)

mpapet (761907) | more than 7 years ago | (#17159238)

You're telling me that I've 'lost control' of the huge collection of Old Radio Program MP3s I have stuck in folder on the D:\ drive???

Uncertain. Hopefully you aren't getting the content from CD's. This is verbatim from the EULA:

"If the file is a song you ripped from a CD with the Copy protect music option turned on, you might be able to restore your usage rights by playing the file. You will be prompted to connect to a Microsoft Web page that explains how to restore your rights a limited number of times."

So, the CD you paid for unlimited rights to play where you want has been revoked. Permanently.
And you agreed to it. Can you go back to WMP10?

Re:WMP11 EULA Time Bomb (1)

that this is not und (1026860) | more than 7 years ago | (#17159266)

What is this 'copy protection music option' and what bit does it set in my Old Radio Show .mp3 files??

I paid for unlimited rights to play the CD. So I stick it in a CD player (i.e. in the dashboard of my car) and it plays.

Dunno what any of this has to do with Windows. I've certainly not 'lost control' of anything.

Re:WMP11 EULA Time Bomb (0)

Anonymous Coward | more than 7 years ago | (#17159954)

"If the file is a song you ripped from a CD with the Copy protect music option turned on, you might be able to restore your usage rights by playing the file. You will be prompted to connect to a Microsoft Web page that explains how to restore your rights a limited number of times."

Key part bolded. It's optional. Plus it's only available if you choose to rip to WMA, which is also optional. What's with the FUD?

It's not an exploit ... (4, Insightful)

jfclavette (961511) | more than 7 years ago | (#17157790)

..., it's a flaw. I'll be impressed if someone can do anything with a 4-byte heap overflow that happens at a single spot in the program they don't control. Under ideal circumstances, they'll be able to tamper with an integer in WMP.

All it takes is a jump instruction. (5, Informative)

Anonymous Coward | more than 7 years ago | (#17157962)

x86 processors have a local jump instruction that is 4 bytes long. If the exploiter is able to get his code loaded within range of that jump instruction, you're fucked. And really, getting code loaded like that is not a difficult thing to do.

In fact, many x86 operating systems have used such a technique to dynamically patch kernel code. They insert a couple of nop operations after a function prologue. These operations normally do nothing, but can be replaced with a jump instruction at runtime. This allows for the instructions of the existing function to be replaced with ease.

Re:All it takes is a jump instruction. (4, Interesting)

EvanED (569694) | more than 7 years ago | (#17158062)

This is a heap buffer, assuming TFA's right. What programs execute instructions from the heap and so have the potential to be overwritten by a jump?

At absolute worst, you could do what at least one paper calls a non-control-data attack and corrupt some other piece of data that was next to it in the heap. Except every malloc implementation I know puts a header struct at the beginning of each block, so even if two pieces of heap data ended next to each other you wouldn't be able to reach the actual data with just a 4 byte overflow, and the best you could hope for is to corrupt the header. This is very unlikely to have any exploitable effects, and is just likely to kill the process.

Re:All it takes is a jump instruction. (1)

QuantumG (50515) | more than 7 years ago | (#17158228)

x86 processors have a local jump instruction that is 4 bytes long.
Wow, news to me. Is this just a regular 2 byte branch instruction with two prefixes on it? Or maybe you're thinking of a 5 byte jump instruction.

Re:All it takes is a jump instruction. (2, Interesting)

tjcrowder (899845) | more than 7 years ago | (#17159692)

And really, getting code loaded like that is not a difficult thing to do.

It's easy (in the context of attacking a computer via a media file) to load code into a data segment, sure. But not into a text (code) segment. So the jump instruction does a local jump to -- oops, access violation.

It is truly amazing, though, that six-seven years after Microsoft really started talking big about dealing with their security problems, they still haven't managed to complete a code review to deal with buffer overrun vulnerabilities. I'm sympathetic to their massive codebase, but in many cases finding buffer overrun vulnerabilities is trained monkey work -- and Microsoft has the money to contract a large number of monkeys, train them, and sic 'em on the code. Sure, there's also a lot of work there for skilled programmers and even engineers -- a lot of their stuff is written in languages like C and C++ where you can pass a buffer to a method without its bounding information -- but surely they could have the monkeys at least flag up what the more skilled people need to look at. It's been a long time, guys. Lots of code, sure, but lots of years, too.

For more information (-1, Troll)

Anonymous Coward | more than 7 years ago | (#17157792)

Watch this informative video [microsofl.com] .

Danger: Four-byte programs could be launched? (0)

LostCluster (625375) | more than 7 years ago | (#17157794)

A buffer overflow is a buffer overflow, but if you RTFA... you discover that the maximum overflow of the buffer is four bytes. Anybody know of any four-byte long spyware programs?

Didn't think so.

Nothing to see here. Move Along.

Re:Danger: Four-byte programs could be launched? (3, Interesting)

EvanED (569694) | more than 7 years ago | (#17157858)

Um, depending on what's in the data you overflow into, there's still *potentially* plenty you can do. (They're all very unlikely, but the potential is there.) There's other security-sensitive data besides the return address, and other buffer overflow exploits than overwriting that to jump into malicious code.

Re:Danger: Four-byte programs could be launched? (3, Funny)

russ1337 (938915) | more than 7 years ago | (#17157952)

>>>>Anybody know of any four-byte long spyware programs?

No, but "del /F /S /Q " might fit if you squeeze it.

Re:Danger: Four-byte programs could be launched? (1)

sholden (12227) | more than 7 years ago | (#17157980)

Because there's no such thing as a jump instruction.

Re:Danger: Four-byte programs could be launched? (1)

AArmadillo (660847) | more than 7 years ago | (#17158832)

How are you going to execute it? I'm fairly certain WMP does not execute code on the heap at all, much less try to execute a character string.

And then, where are you going to jump to? You're in WMP's address space, what in WMP's address space will give you any sort of control over the system? Maybe you could jump to a function that deletes a song from their playlist?

Re:Danger: Four-byte programs could be launched? (1)

dextromulous (627459) | more than 7 years ago | (#17158088)

F0 0F C7 C8 [x86.org]

Oh... you wanted a recent one...

Re:Danger: Four-byte programs could be launched? (1)

dextromulous (627459) | more than 7 years ago | (#17158106)

Whoops, and by 'recent one' I mean to say 'spyware loading app.' Still, 4 bytes has done damage in the past, and will most likely do so in the future.

Re:Danger: Four-byte programs could be launched? (1)

empaler (130732) | more than 7 years ago | (#17159278)

The server is now slashdotted (or otherwise FUBAR). Use a mirroring service when posting to Slashdot, nyud.net or archive.org [archive.org] (linked to above article). TY. Interesting article, though.

Ever hear of the JUMP instruction? (4, Interesting)

Anonymous Coward | more than 7 years ago | (#17158108)

Umm, do you know what you're talking about? All you do is jump over to your NOOP slide or whatever embedded in the data that slides all the way down to the program disguised as some part of the ASX file.

I don't know how large they are in x86 assembly, but the 68HC11 I used to write for didn't have any instructions bigger than four bytes unless I sadly misremember. Four bytes would've been plenty.

Don't laugh. Plenty of exploits have been coded that have more difficult requirements for the exploit to work.

Re:Ever hear of the JUMP instruction? (0)

Anonymous Coward | more than 7 years ago | (#17159142)

The shortest control-flow instruction in x86 is 5 bytes. Even if that weren't true, writing a jump instruction at some point in the heap won't help you. You need a FAR more nuanced (and *extraordinarily* unlikely) attack.

Re:Danger: Four-byte programs could be launched? (2, Informative)

Frankie70 (803801) | more than 7 years ago | (#17158150)

A buffer overflow is a buffer overflow, but if you RTFA... you discover that the maximum overflow of the buffer is four bytes. Anybody know of any four-byte long spyware programs?

Are you a moron?
The code which is executed need not fit into the 4 bytes.

Re:Danger: Four-byte programs could be launched? (1)

Rix (54095) | more than 7 years ago | (#17158610)

This is a pretty stupid comment, but that someone upmodded it is even more amusing.

Re:Danger: Four-byte programs could be launched? (1)

that this is not und (1026860) | more than 7 years ago | (#17159294)

No kidding. I have an 86 byte program running right now in the lab at work.

It sometimes seems like a bunch of non-nerds have wandered onto this site.

Re:Danger: Four-byte programs could be launched? (1)

camperdave (969942) | more than 7 years ago | (#17159198)

Well, seeing as you're stuffing a buffer to get an overflow, you might as well stuff it with an exploit program.

If it's not dangerous... (3, Insightful)

bunbuntheminilop (935594) | more than 7 years ago | (#17157830)

as people have commented, then why is it zero day? Doesn't zero day mean there is an exploit already?

zero-day exploit (2, Insightful)

EvanED (569694) | more than 7 years ago | (#17157834)

Since when did a "potentially exploitable heap buffer overflow" become a zero-day exploit?

Re:zero-day exploit (2, Informative)

Bargearse (68504) | more than 7 years ago | (#17158440)

When Slashdot gets their hands on it :)
Neither the linked article nor the eEye alert says that there is an exploit available, just that it's a flaw.

And eEye somehow missed listing "upgrade to the unaffected WMP11" as a form of mitigation.

4 bytes IS ENOUGH (1, Insightful)

Anonymous Coward | more than 7 years ago | (#17157856)

for those people that don't understand security or how to exploit a buffer overflow: in many cases 1 byte can be enough, you rewrite a function return address with your own address. That does not mean this is definitely exploitable, but don't let the fact that it is only 4 bytes fool you.

Re:4 bytes IS ENOUGH (5, Interesting)

EvanED (569694) | more than 7 years ago | (#17157898)

It's a heap buffer (assuming TFA is right), which means the return address will be nowhere near it. There *could* still be neighboring security-sensitive code, but it's extremely unlikely. Worst case that's remotely likely would be that you corrupt the header that marks the beginning of the next heap block and wreak havoc with future malloc calls. Probably nothing controllable though. This *really* isn't that big of a deal, and calling it a zero-day exploit is downright libel.

Re:4 bytes IS ENOUGH (4, Interesting)

bluefoxlucid (723572) | more than 7 years ago | (#17158214)

Worst case that's remotely likely would be that you corrupt the header that marks the beginning of the next heap block and wreak havoc with future malloc calls. Probably nothing controllable though.

Alter the next heap header to point to a location on the stack as the next free block, and send another chunk of data so malloc() is called and allocates from there. Then write your code/retp change and wait. (Or something equally bizarre)

A couple bytes overflow in the heap is abusable enough to screw with pointers; and in some cases it suddenly turns into a big overflow in situations we didn't predict (this happened with an old libpng CVE, and with an Apache flaw where the overflow was always exactly "k`" until someone figured out how to do better).

Re:4 bytes IS ENOUGH (1)

EvanED (569694) | more than 7 years ago | (#17158592)

I'm not saying that something like this isn't exploitable, I'm just saying that the chance is extremely low.

For your plan to work:
1. The following memory would likely have to be deallocated (this depends on the malloc implementation, but assuming that it keeps track of a free list, the block that you corrupt would have to be deallocated before that address was used for anything), so the following would have to be done at the first allocation following this deallocation
2. You would have to be able to determine a valid stack address to make it point to
3. The buffer it allocates would have to be for unchecked/mischecked user input and not just internal storage that you don't have control over
4. You would have to know when you were able to write to it

Stranger things have happened in security, that's for sure, but the chances there are pretty out there.

(Furthermore, the MSVC malloc block header would have to be amenable to this attack, which it might not be.)

Maybe they should Pay One hexadecimal dollar? (0, Offtopic)

Elvis77 (633162) | more than 7 years ago | (#17157864)

It worked for Knuth [wikimedia.org]

You Could... (-1, Flamebait)

Anonymous Coward | more than 7 years ago | (#17157888)

Just use Linux, as it's not vulnerable to these things.

Re:You Could... (-1, Flamebait)

Anonymous Coward | more than 7 years ago | (#17158012)

You're a total idiot, Linux is completely vulnerable to these things. All you have to do is install Wine, then install Windows Media Player. Ta-da, Windows Media Player exploits available on Linux boxen.

Re:You Could... (1)

stonedcat (80201) | more than 7 years ago | (#17159300)

....please mod parent down to fucking retard, mod parent's parent down to master of the fucking obvious.

Have you ever tried installing Windows Media Player past version 7 in Wine? Even if you did manage to get it working and intentionally direct your media player to an exploit file, the exploit (if it worked at all) would be restrained to Wine's boundaries... so unless you're ignorant enough to mount / as the virtual C drive in Wine... there's no way this would even affect your Linux box in the least. And this is all speculation, I doubt you could even get it to do anything but crash WMP and Wine.

Re:You Could... (1)

Neil Hodges (960909) | more than 7 years ago | (#17158160)

Any piece of software is vulnerable to these sorts of attacks; the only way to prevent them is by flagging memory as unwritable (and possibly randomizing the memory blocks). Thank you, PaX.

Re:You Could... (0)

Anonymous Coward | more than 7 years ago | (#17158232)

Um, how can you flag memory as unwritable if you need to write to it?

Re:You Could... (1)

flyingfsck (986395) | more than 7 years ago | (#17159318)

Not true. It only happens if input is not range checked. It usually means that some lazy idiot used one of the zero terminated string functions in C, instead of the new ones that have an explicit length. For example, strcpy() instead of strncpy().
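As an added illustration of the strcpy-versus-bounded-copy point above (example code written here, not from the original thread or from any Microsoft product), this is a constructed parser for an ASX-style `<ref href="..."/>` element that copies the attribute value into a small fixed-size heap buffer. The unchecked version is the bug class being discussed (the copy runs past the allocation when the value is too long); the checked version rejects oversized input, and its comment notes why a bare `strncpy` is not a complete fix either. The tag contents and the 16-byte buffer size are constructed for the demo.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fixed-size value buffer, the kind of thing a tag parser might allocate
 * on the heap. Kept deliberately small so the overflow is easy to see. */
#define VALUE_MAX 16

/* Constructed samples: one href that fits, one that is longer than the
 * receiving buffer. Neither is a real payload; "example.invalid" is a
 * reserved name. */
static const char SAMPLE_TAG_SHORT[] = "<ref href=\"a.wmv\"/>";
static const char SAMPLE_TAG_LONG[]  =
    "<ref href=\"mms://example.invalid/AAAAAAAAAAAAAAAA.wmv\"/>";

/* Locate the href attribute value. On success stores its start and length
 * (without the quotes) and returns 0; returns -1 if the attribute is
 * missing or the closing quote never appears. */
static int find_href(const char *tag, const char **start, size_t *len)
{
    const char *p = strstr(tag, "href=\"");
    if (p == NULL) return -1;
    p += strlen("href=\"");
    const char *end = strchr(p, '"');
    if (end == NULL) return -1;
    *start = p;
    *len = (size_t)(end - p);
    return 0;
}

/* Vulnerable form: a strcpy-style copy with no bound. When the value is
 * VALUE_MAX bytes or longer, memcpy and the terminating NUL write past the
 * heap allocation and corrupt whatever sits after it (the next chunk's
 * header, in the case the thread is discussing). Returns a heap buffer the
 * caller must free, or NULL if no href was found. */
char *copy_href_unchecked(const char *tag)
{
    const char *start;
    size_t len;
    if (find_href(tag, &start, &len) != 0) return NULL;
    char *buf = malloc(VALUE_MAX);
    if (buf == NULL) return NULL;
    memcpy(buf, start, len);   /* len is never compared with VALUE_MAX */
    buf[len] = '\0';           /* lands outside buf when len >= VALUE_MAX */
    return buf;
}

/* Hardened form: check the length before copying and refuse input that
 * would not fit together with its terminating NUL. Note that replacing the
 * copy with strncpy(buf, start, VALUE_MAX) would stop the overflow but
 * leave buf unterminated for values of VALUE_MAX bytes or more; the explicit
 * length check avoids both problems. Returns NULL on oversized input. */
char *copy_href_checked(const char *tag)
{
    const char *start;
    size_t len;
    if (find_href(tag, &start, &len) != 0) return NULL;
    if (len >= VALUE_MAX) return NULL;   /* reject rather than truncate */
    char *buf = malloc(VALUE_MAX);
    if (buf == NULL) return NULL;
    memcpy(buf, start, len);
    buf[len] = '\0';
    return buf;
}

int main(void)
{
    char *v = copy_href_checked(SAMPLE_TAG_SHORT);
    printf("short href: %s\n", v ? v : "(rejected)");
    free(v);
    v = copy_href_checked(SAMPLE_TAG_LONG);
    printf("long href: %s\n", v ? v : "(rejected: does not fit in buffer)");
    free(v);
    /* copy_href_unchecked(SAMPLE_TAG_LONG) is intentionally not called:
     * it would write past its 16-byte allocation. */
    return 0;
}
```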

Hmm... (4, Funny)

Anonymous Coward | more than 7 years ago | (#17157942)

Nah. [imageshack.us]

Re:Hmm... (1)

MichaelSmith (789609) | more than 7 years ago | (#17158468)

It would be funnier if technocrat carried that advert.

GG Misleading Post (5, Insightful)

PixieDust (971386) | more than 7 years ago | (#17158068)

Ok, so this flaw is there. It's a bug.

Doesn't affect my Vista machine. Nor my XP Pro machine running IE7 + WMP 11.

Seeing things like this, I can't help but wonder what it might look like if every time a flaw was discovered in *Nix, a security advisory (even if barely remotely applicable, as in this case) were released and slashdotted. Maybe this post is flamebait too (seems to be my trend as of late), maybe not. But the title of this particular post is pretty misleading.

0 day flaw! Congratulations. It's software. I still play games that if they run for more than 2 hours I'm lucky. The real problem is the testing, and the coding that goes into these. You fix one thing, and something else inevitably breaks.

How often does a kernel update in Linux break something that you now have to update, or sometimes roll back altogether because they won't work?

This post is as overdramatic as going nuts every single time something in Linux broke or didn't work right. Sometimes MS deserves to be thumped on the head. This time though, seriously, come on. Tell you what, run your 4 byte program that is gonna hax0r my computer. I invite it, might give me something to do.

Re:GG Misleading Post (1)

lahvak (69490) | more than 7 years ago | (#17158294)

4 bytes are more than enough. All you need to do is load your program into that buffer, and put a jump instruction to the entry point of the program (if you are overwriting executable code) or simply the address of the entry point (if you manage to overwrite a function return address). It seems that in this case, the memory being on the heap, it's none of those two cases; on the other hand, from my old days of programming in assembly under DOS, we did all sorts of tricks with allocating memory, loading instructions into it, and executing them. Sometimes this was the only way to overcome various limitations of the architecture (combination of 8086 and DOS).

Slight difference (4, Insightful)

ZxCv (6138) | more than 7 years ago | (#17159458)

This flaw is not "barely remotely applicable".

The vast majority of Windows users do not run Vista, IE7, or WMP11, even though all are technically available.

So this particular flaw affects most Windows users, and is thus important to those that have to deal with these users and/or their computers.

Fix found for zero day flaw (-1, Redundant)

kurt555gs (309278) | more than 7 years ago | (#17158118)

Here is a permanent fix to this latest Windoze exploit.

Permanent Fix to this and all other Windoze flaws [ubuntu.com]

Really, no more issues.

Cheers

Re:Fix found for zero day flaw (1, Funny)

Gothmolly (148874) | more than 7 years ago | (#17158180)

Where's the "-1, Gay" modifier when you need it?

Anti-Troll Measures (2, Funny)

Anonymous Coward | more than 7 years ago | (#17158508)

Where's the "-1, Gay" modifier when you need it?

It got removed from slashcode at the same time the "-1, Nigger" mod went.

Re:Fix found for zero day flaw (0)

Anonymous Coward | more than 7 years ago | (#17158530)

Where's the "-1, Gay" modifier when you need it?

Here, apparently. [gaybuntu.com]

Re:Fix found for zero day flaw (1, Informative)

Valacosa (863657) | more than 7 years ago | (#17158568)

He's not gay. If he were gay, he'd be telling us to buy a Mac.

Re:Fix found for zero day flaw (1)

inode_buddha (576844) | more than 7 years ago | (#17158576)

Goatse obviated the need for it. I suppose we *could* bring it back for the MS exploit articles, though.

Re:Fix found for zero day flaw (0, Offtopic)

The MAZZTer (911996) | more than 7 years ago | (#17158510)

As a Windows user experimenting with Linux, I managed to make Linux kernel panic the very first time I booted it from my hard drive.

Of course I was trying to configure grub to triple boot manually... on Slackware. Ubuntu has its own share of problems, like thinking my computer is running on GMT and "fixing" my clock for me to what it thinks is the actual local time. Then when I set it to the correct time, I can't use sudo or su for five hours because of a stupid sudo timestamp (I eventually figured out how to clear it but Joe Average wouldn't have).

The one really neat thing Linux has going for it is packages and automatic program installation and such... of course Joe Average isn't going to care about such things, since he just dumps everything in Program Files anyways and never knows.

Re:Fix found for zero day flaw (0, Offtopic)

Anonymous Coward | more than 7 years ago | (#17158722)

First thing you you should do on a new N00buntu installation is `sudo passwd root` and set a strong password, so you don't have to deal with that sudo bullshit. If anyone gives you shit over this tell them an anonymous coward from slashdot said they are fucking idiot....and then backhand them across the face.

Good luck in your Linux adventures, and be sure to watch out for the evil binary blob monster.

Merry Christmas!!! (1)

malzraa (1012921) | more than 7 years ago | (#17158288)

to botnet creators.

No plans to fix the Word flaw (4, Interesting)

jginspace (678908) | more than 7 years ago | (#17158300)

Microsoft have just given advance notification [microsoft.com] of what their bundle of patches to be released next Tuesday will contain. There are five general Windows bulletins there - no surprise that the most severe is 'critical' - but I'm kind of surprised to see they have no intention of shipping any Office-related fixes.

It could be fixed already (4, Funny)

Anonymous Coward | more than 7 years ago | (#17158304)

But it is not a flaw in the DRM, so why should Microsoft care?

Has this been tested? (1)

DavidD_CA (750156) | more than 7 years ago | (#17158464)

From the article:

Exploitability due to the corruption of the adjacent heap block's header is assumed likely but research is ongoing.

It's "likely"?

That sounds to me like something could *potentially* happen, but they haven't been able to actually prove it yet. And, the date on this discovery (according to the source article) was over two weeks ago. By now, wouldn't they have concluded something with their research?

The company does, however, sell a product to help mitigate "issues" like this.. which they link to at the bottom of their article.

Re:Has this been tested? (1)

EvanED (569694) | more than 7 years ago | (#17158634)

That sounds to me like something could *potentially* happen, but they haven't been able to actually prove it yet. And, the date on this discovery (according to the source article) was over two weeks ago. By now, wouldn't they have concluded something with their research?

No... not at all. They're just very liberal with their definition of "zero-day"...

Re:Has this been tested? (0)

Anonymous Coward | more than 7 years ago | (#17158846)

They already have PoCs for this bug; they just haven't released them because the IDS/IPS/security industry as a whole is a good ole boy network and everyone is waiting for all of the vendors to get their products up to date before any PoCs are released. This bug was discovered by an unrelated researcher out of Russia but was reported as a DoS; eEye came out a few days ago and said no, it's an RCE-able bug (remote code exec).

Tomorrow's zero day exploit (1)

postmortem (906676) | more than 7 years ago | (#17158476)

in.... Linux

To quote Bizarro Gates (1, Funny)

WankersRevenge (452399) | more than 7 years ago | (#17158582)

4 bytes should be enough for anybody

The new "thing" (1)

SupplyMission (1005737) | more than 7 years ago | (#17158798)

Is it just me, or did these "zero day exploits" suddenly come out of nowhere?

We used to hear about all kinds of interesting security vulnerabilities, flaws, buffer overruns, etc. Did someone reclassify everything as a "zero day exploit"?

Re:The new "thing" (1)

EvanED (569694) | more than 7 years ago | (#17158992)

Apparently so.

Theoretically, a zero-day exploit is one that can be executed *right now*, before there's a chance to patch. However, the advisory saying it's "potentially exploitable" even though it was published some 16 days ago seems to be stretching the definition of "zero." The blog MS linked to was alarmist, and /. is downright defamatory.

It is a new Slashdot tag (1)

flyingfsck (986395) | more than 7 years ago | (#17159276)

It is just slightly below: "Nothing to see here, please move along".

Zero-day exploit (3, Funny)

Schraegstrichpunkt (931443) | more than 7 years ago | (#17158986)

Was a new version of Windows Media Player released today or something?

How's this a zero-day flaw? (0)

Anonymous Coward | more than 7 years ago | (#17159052)

Look the definition up.

If there's no exploit yet, it's not a zero-day flaw, it's just a hole in the software that *can* be exploited, either today or later.

Zero-day means that *right now* there are people already exploiting it, which the article does NOT state.

It really whips the Llama's ass! (1)

wizzard2k (979669) | more than 7 years ago | (#17159122)

FTA:

The best way to protect against it right now is to open windows explorer and click on the tools menu, then folder options.
Click on the file types tab, and scroll down to "ASX". Either delete it (Windows will no longer know what to do with ASX files - BE CAREFUL!), or change it to another program.

For me, winamp has always handled as many of windows media player's file types as possible.
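The post above gives the Explorer click-path for checking and changing the ASX association; an administrator would rather script the check so it can be run across machines before touching anything. The script below is an added example, not code from the Slashdot post, the quoted article, or Microsoft. It reads the registry and reports which program Windows will launch for .asx files; it changes nothing. Assumed details: the per-user override key under Explorer\FileExts (UserChoice\ProgId on Vista and later; older systems store it differently), and the executable names wmplayer.exe and mplayer2.exe as the ones identifying Windows Media Player.

```powershell
# Added example (not from the article or the Slashdot post): audit which program
# Windows will launch for .asx playlists before deciding, as the post suggests, to
# delete the association or point it at another player. Read-only; local machine.
# Assumption: per-user overrides live under Explorer\FileExts\<ext>\UserChoice
# (Vista and later); the machine-wide mapping is HKEY_CLASSES_ROOT\<ext>.

function Get-AsxHandler {
    param([string]$Extension = '.asx')

    $machineKey = "Registry::HKEY_CLASSES_ROOT\$Extension"
    $result = [ordered]@{
        Extension   = $Extension
        ProgId      = $null   # machine-wide ProgID, e.g. a WMP.AssocFile.* name
        ContentType = $null   # MIME type Explorer/IE associate with the extension
        UserProgId  = $null   # per-user override chosen via "Open with"
        OpenCommand = $null   # command line Windows will actually run
    }

    if (Test-Path $machineKey) {
        $props = Get-ItemProperty -Path $machineKey
        $result.ProgId      = $props.'(default)'
        $result.ContentType = $props.'Content Type'
    }

    # Per-user override set through Explorer's "Open with" / Default Programs.
    $userKey = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\$Extension\UserChoice"
    if (Test-Path $userKey) {
        $result.UserProgId = (Get-ItemProperty -Path $userKey).ProgId
    }

    # The effective ProgID is the per-user choice when present, else the machine one.
    $effective = if ($result.UserProgId) { $result.UserProgId } else { $result.ProgId }
    if ($effective) {
        $cmdKey = "Registry::HKEY_CLASSES_ROOT\$effective\shell\open\command"
        if (Test-Path $cmdKey) {
            $result.OpenCommand = (Get-ItemProperty -Path $cmdKey).'(default)'
        }
    }
    [pscustomobject]$result
}

$handler = Get-AsxHandler
$handler | Format-List

if (-not $handler.OpenCommand) {
    Write-Output "No open command registered for $($handler.Extension): Windows will prompt instead of auto-launching."
}
elseif ($handler.OpenCommand -match 'wmplayer|mplayer2') {
    Write-Output "Handled by Windows Media Player; consider pointing $($handler.Extension) at another player until a fix ships."
}
else {
    Write-Output "Handled by: $($handler.OpenCommand)"
}
```

Run it as the user whose browser and mail client are in question, since the per-user override takes precedence over the machine-wide mapping and is what IE and Outlook will honour when they hand off a downloaded .asx file. Keeping the check separate from the change makes it easy to record the original ProgID before you repoint or remove the association, so it can be restored once a patch is installed.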

still not zero day (1)

ILuvRamen (1026668) | more than 7 years ago | (#17159228)

"Zero day" is only used cuz it sounds scary. First of all, it sounds like one particular problem with entering zero as a value for day in a program. Second, they said the definition specifically is an exploit that was just discovered and used immediately "in the wild." How the hell would they know how long people have been exploiting it and how long they've known about it before they implemented it? It's really just a stupid media ploy. Btw I'm a programmer and I can tell you that this exploit is relatively not dangerous at all because it's so difficult to exploit compared to other wide open holes that have been discovered, like that one in IE that lets sites read your passwords for other sites without you really having to do anything or knowing it's happening. Now THAT is a security hole. I think a bigger security hole is the fact that wmv files can launch links to webpages and force you to download a file from them, and they designed it that way on purpose because of DRM!!!!!

Zero day exploit??? (1)

advocate_one (662832) | more than 7 years ago | (#17159572)

wtf, where's the exploit??? This is just an announcement of a weakness... TFA calls it a Zero-Day Flaw...

Stop the Zero Day crap! (1)

paniq (833972) | more than 7 years ago | (#17159652)

Back in the days when I was young, 0-Day was warez-slang, but now it has become some mainstream buzzword.

Not a long time until they start to replace "new" with "zero day" in advertising. Remember where you heard it first.

The Zero Day Kids On The Block. Zero Day York, Zero Day York.

A good chance to try VLC (2, Informative)

Giorgio Maone (913745) | more than 7 years ago | (#17159736)

VideoLAN - VLC Media Player [videolan.org] is an all-in-one open source and cross platform program which does much more than WMP: it's a user-friendly player, but also a powerful and flexible transcoder for almost every audio/video format and even a stream server supporting various network protocols.

Worth a try as a better replacement, especially for power users.

Lovely.. (1)

cheros (223479) | more than 7 years ago | (#17159930)

So, I can't open Word files because of an unfixed risk, and I can't open sound files because of an unfixed risk. Wonderful if you're running the average business..

After switching to OpenOffice and VideoLAN, I guess the leap to Linux wouldn't be that far if it weren't for the fact that you'd have to switch a whole infrastructure and find a new support environment. Not that easy, but more and more attractive, and it appears to have an ever improving ROI...
