MS06-049 Causing Silent Data Corruption

Uncle Mike writes "It looks like there is a problem with the recently released MS06-049 / KB920958 patch. If you have compression activated on any folder, then the compressed data is at risk from corruption. New files that are close to a multiple of 4K in size will have their last 4,000 bytes or so overwritten with 0xDF. Although this problem has been reported to Microsoft, as yet there appears to have been no official announcement. "

interesting

its interesting how when they make a patch that corrupts your data you dont hear anything from them.. but when someone makes a program to allow fair use by opening DRM on their movies they come up with a CRITICAL patch within ours to prevent it. i think that speaks to their priorities, protecting their drm IMPORTANT protecting your data hmm.. not so important

When you have a monopoly

What're your customers going to do?

 

Re:When you have a monopoly

> When you have a monopoly
>
> What're your customers going to do?

The guy at the keyboard of a Windows Vista box, using Microsoft Office at work, and Windows Media Player at home is not the customer, he is the product. The customers are Dell, AOL, media licensing conglomerates, and so on.

Re:When you have a monopoly

That may be accurate for televion broadcasts, but it isn't so for Microsoft. Customers are people who pay for services. AOL and the media companies aren't paying MS anything, other than licensing fees for the services they use from Microsoft (i.e., their Windows PCs). Microsoft is paid by the guy at the keyboard of the Windows box (or his employer).

Microsoft may be able to leverage all those customers into a product for another customer (such as advertising or licensing DRM solutions), just like the movie theater leverages their movie watching customers into a product for advertising. Until Windows is free (as in beer), the guy using Windows is a still a customer.

Re:interesting

"...Have you read the EULA? Well, neither have I actually..."

Are you this person [amazon.com] by chance?

Re:interesting

Well, if you look closely you find that this patch is for Windows 2000 SP4 only, and all other versions of windows are not affected.

That does make a big difference, win2k is not MS' top priority.

Not that I condone their delay or lack of forsight, however.

How does something like this happen

What type of programmer puts such possibilities or leaks in a program? I have been programming for a long time and I never had stuff like this happening. Data integrity is one of the primary things you want to maintain and you should be extra careful when handling and altering files not your own.

Re:How does something like this happen

If you really have been programming for a long time, you must only be writing very simple programs if you've never had something like this happen, and you think that being "extra careful" is all you need to do to avoid it. What type of programmer does this? Every type of programmer - it's unavoidable.

The programmer is not to blame here. The real question you should be asking is "What type of QA department fails to catch a bug like this?"

Re:How does something like this happen

Plus, why would you pad with 0xDF instead of null? (There might be a reason, but I don't know of it.)

So this is how Microsoft claims support for ODF. Clever.

Re:How does something like this happen

Made me think of Grannies Perls of Wisdom [javaranch.com] I read on Java Ranch (I first found it about 6 or 7 years ago...): "Testing can show the presence of bugs, but not their absence."

Re:How does something like this happen

What type of programmer puts such possibilities or leaks in a program?

Every programmer that's ever worked on something longer than 6 or 7 lines of code? Except you, of course. I've been in the bathroom after you and am always impressed by the way it smells just like roses.

Re:You can stop now

I hate to burst your bubble, but you did not check the return code from printf. What if stdout is closed, as in "./a.out >&-"?

Original troll never writes any bugs, so his hello world is more like this:

int main(int czArgCount, LPSZ *lpszArgv[]) {
    if (-1 == printf("Hello world!\n")) {
        if (errno == EBADF) {
            if (-1 == fprintf(stderr, "Error stdout closed!\n")) {
                int fdTty = open("/dev/tty", O_WRONLY, 0666);
                if (fdTty != -1)
                    write(fdTty, "Hey dumbass dont close my streams\n", 34);
            }
        }
        exit(1);
    }
    exit(0);
}

Re:How does something like this happen

Maybe you should ask Linus... I seem to remember a released stable kernel that neglected to sync file systems before shutting down.....

I love Linux, hate Windows, but point it, sh!t happens.

A Paradox...

If data is being silently corrupted, is there a problem if no one can hear it? That could explain Microsoft's silence.

How to avoid

assuming you're using Windows

It has been confirmed that either turning off the compression attribute (disk space permitting) OR uninstalling KB920958 will prevent further loss of data.

Re:How to avoid

"assuming you're using Windows " ...if you're using Linux, the process is far more complex. Got a Mac? You're screwed.

Re:How to avoid

I wish I had one of those cute ASCII graphics of a circle going over a tiny guy's head handy. I'll try to make my own, but I'm probably gonna screw this up.

0
----
| <-You
/\

o <-Joke

... Crap.

If the RIAA et al subpoena you

be sure to place your music files in compressed folders and let the 'evidence' self destruct at the hands of thine OS...

RAID

As is often pointed out on slashdot, this is why it's so important to have a good backup plan. Like most slashdotters, I recommend RAID.

Close?

"close to a multiple of 4K in size"

How close is close? Is 162k close to 164k? Sounds like it is to me. From the examples in the discussion cited, it seems that anything over 4k is at risk, not just things 'near' a 4k boundary.

I would even hazzard to guess that the size matters not at all, but rather the contents of the files. If the contents match a certain pattern, the compression goes awry and adds the garbage to the end. (Accidentally overwriting the real data.)

Who wants 'encryption'??

Tagline's wrong, compression and encryption are two very different things!

And BTW, I got this same story rejected last week. Fuckers.

what i think

Well, it's interesting that 0xDF0xDF0xDF0xDF0xDF0xDF0xDF0xDF0xDF0xDF0xDF0xDF0x DF0xDF0xDF0xDF0xDF0xDF0xDF

MS06-049 ...

nicknamed (0x)DF aka Data F**ker

0xDF

0xDF :)

this reminds me of a virus for the Amiga computer that replaced all the files content with the word LAMMER :)

Jorge

http://www.retroreview.com

Strange

I've never heard Windows called MS06-049 before...

More background please...

The summary blurb is rather cryptic. MS06-049 is a patch to... what? Just Windows 2000 or XP too? And this was a patch for some vulnerability, assumedly? Which?

After a bit of research, here's what should have been included: MS06-049 [microsoft.com] was an elevation of privledge issue discovered in the kernel of Windows 2000 SP4 only. The patch for the issue, KB920958 [microsoft.com], appears to have a bug resulting in corruption of compressed folder.

The title is misleading as well. MS06-649 is the issue and KB920958 is the patch; the patch is what's causing the corruption, not the original issue.

Why even bother with compression anymore?

In the modern age where hard disk space can be had for so cheap, why would you even want to bother with disk based data compression?

Those files were important.

Those files were important! Sheißßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß

Quick!

Someone figure out how to apply this problem to Windows Media DRM and we'll get a fix in no time!

Still no response from Microsoft

As of two minutes ago a search on http://search.microsoft.com/results.aspx?q=KB92095 8&l=2&mkt=en-US&FORM=QBME2 [microsoft.com] showed no reference to data corruption. Any tech journalists reading this?

scandisk

Because Windows was not properly written, one or more of your disks may have errors on it.

To avoid seeing this message again, get a Mac.

Forget it, it's a bug

As a matter of policy, Microsoft generally doesn't fix bugs in already released software, with the exceptions of publicly known security flaws (and then only once a monthg), service packs (notice WinME has had zero service packs), and $50 hotfixes. Since Microsoft now depends on returning customers more than new customers, and their customers have little chance of switching vendors, they have every motivation to make older versions as unpalatable as possible.

I personally haven't seen any files corrupted though. We'd see much more than a few newsgroup postings if this was a widespread problem.

Compressed files, are you kidding me?!

This is a bit of a tangent, but a somewhat relevant one none the less. But first of all, bad Microsoft! You freaking imbilices (probably misspelled to show how dumb I am too.)

Is anyone out there seriously using disk compression in a production environment? Didn't anyone teach you guys that disk compression is a crutch and not a solution? For as long as I've been working with servers, all of my mentors have led me to believe that it is pretty much generally accepted practice not to use disk compression due to the potential for data corruption and the performance hit your servers take. If you need to compress files to save space, throw them onto some LTO or DLT media and pull them completely offline.

If you're working for a company that can't come up with more money for disk space, maybe you need to click on the Dice.com adds that are all over /. here.

Good for Microsoft

With 300G drives costing less then $100, what type of cheap bastard uses file compression? //in my day we had 10M hard drives - and we LIKED IT!

MS06-049 = Lotto649 ?

Just did a re-read of this and it seems the significant digits are the same as one of the prominent Canadian Lotteries. Is this coincidence or does it say something of the likelihood of you getting your data back. .-.-. -.- .--- ...-.-

The LAMER Exterminator !!!

This is completely unacceptaLAMER!LAMER!LAMER!LAMER!...

What kind of idiot ...

... makes such massive changes to the VM of a stable kernel that allows this sort of thing to happen in the first place?

Oh wait...

classic excuse

Windows ate my homework.

Re:And this is NEWS?

MS products have been corrupting data esp. with respect to compression for a LONG TIME.

I've never heard of this, how about some proof?

You made a potentially libelous allegation, please back it up with some facts.

2000 only.

It seems like the problem is only for 2000 according to this reply [slashdot.org].

Re:Has anyone seen this problem?

I use compression on folders in XP Pro. and Home SP2. I have not seen this problem on my systems at home and work. I always get the newest patches on their first release dates. I even defragged (PerfectDisk v6.0 with its patches) over the weekend. I haven't seen anything odd. I am usiDFDFDFDFDFDFDFDFDFDFDFDFDFDFDFDFDFDFDFDFDFDFDFD FDFDFDFDFDFDFDFDFDFDFDFDFDFDFDFDFDFDFDFDFDFDFDFDF

You might want to double check. ;)

Re:Has anyone seen this problem?

The patch only applies to Windows 2000 SP4. Also, it happens when you create files -- it does not proactively seek out and corrupt existing files.