Zero Day Exploit Found in Windows Media Player
filenavigator writes "Another zero day flaw has been reported in Windows Media Player. It comes only one day after a serious zero day flaw was found in Word. The flaw is dangerous because it involves IE and Outlook's ability to automatically launch .asx files. No fix from Microsoft has been announced yet."
Finding holes in a MS product.... (Score:5, Insightful)
Re:Finding holes in a MS product.... (Score:5, Funny)
Re:Finding holes in a MS product.... (Score:5, Funny)
Re: (Score:1)
Mod parent redundant... (Score:2, Funny)
Re: (Score:1)
Also, disgustingly inevitable......
Just In Time For Vista Marketing (Score:2, Insightful)
Re:Finding holes in a MS product.... (Score:5, Funny)
Please stop insulting the Swiss. Swiss cheese is completely unlike MS security:
If you insist on comparing MS security with a cheese product, then compare it with foam-cheese :-)
Does Windows now come in Spray Cans? (Score:2)
If you insist on comparing MS security with a cheese product, then compare it with foam-cheese
Something vaguely cheesy, that has more holes than substance? Works for me....
And if you had left off the smiley, you probably would have gotten the +5 as "Insightful" instead of "Funny".
Re:Finding holes in a MS product.... (Score:4, Funny)
Another 0-day? (Score:5, Funny)
Re: (Score:2, Funny)
Re: (Score:1)
Re: (Score:3, Insightful)
Re:Another 0-day? (Score:4, Informative)
-jfedor
Re: (Score:2)
In the case of viruses, it means by the time they know there is a potential exploit, it's out in the wild being a real exploit.
Contrast this with the kind of exploits where someone says "this is a proof of concept vulnerability", but it's not really a dangerous thing since it only shows how someone could potentially use the exploit.
Basically, it's real, dangerous, and already happening by the time they kn
Oh, So Happy It's Thursday (Score:4, Funny)
Oh
So
Happy
It's
Thursday
moments this week so far: Tuesday's 0-day in Word (which has an exploit) and this one Friday (which currently does not have an exploit).
How is this dangerous? (Score:4, Interesting)
Re: (Score:1, Insightful)
Re:How is this dangerous? (Score:5, Informative)
I have no idea of how exploitable the various *nix or OSX heap implementations are - I'm sure that some are even more exploitable than XP's heap was (the original 4.2 BSD heap was very exploitable, IIRC), and I'm also sure that some of them are hardened as well as Vista's.
But heap hardening just makes exploitation harder (this is true of ALL defense-in-depth techniques). Even if your platform has a hardened heap and NX protection and stack canaries and ASLR, it's still possible to successfully exploit a vulnerability - it's many many orders of magnitude harder than if those features weren't present, but it's still possible to attack the system.
Re:How is this dangerous? (Score:4, Insightful)
Um, what quick and dirty shortcuts? MS uses the same protection model every other x86 OS I know of uses. Kernel runs in CPL 0, user processes in CPL 3. Drivers run mostly in CPL 0. In fact, with MS starting to try to push drivers to CPL 3, they're starting to get better than Linux AFAIK. (I think there are some userspace drivers for Linux, but very few. MS is trying to make that the standard for most types of drivers I think.)
MS's bugs come from a combination of a few things. One is what seems to be a prevalence of buffer overruns. Second is running in administrator mode by default (note that this is an entirely different animal than what privilege level code executes in), and what seems to be an abnormally large number of other misc design errors.
But the memory model is solid.
With NX protection it should be impossible
If you think NX protection makes buffer overrun attacks impossible.. you're living in a dream world. I categorize the types of buffer overrun attacks I know into three types, and NX only solves one of them.
Does Not Affect WMP 11 or Vista (Score:5, Informative)
It also does not affect Vista, both because Vista comes with WMP 11, and thanks to IE7 running in protected mode [microsoft.com]. This would likely cause the browser to crash, however.
Re:WMP11 Has Serious Exploit (Score:2, Insightful)
Any bright minds out there that willingly use these things lost control of all of their personal media.
http://www.microsoft.com/windows/windowsmedia/player/faq/drm.mspx [microsoft.com]
http://www.theinquirer.net/default.aspx?article=34523 [theinquirer.net] is in plain engrish.
I certainly hope you aren't running either Vista or WMP11.
Re: (Score:3, Funny)
Don't worry I installed Debian too.
Re: (Score:1, Interesting)
With WMP11, both your DRMed music and your clear music will play. On other platforms, only your clear music will play. Well, on the Apple platform your Apple DRMed music will play. (Speaking of Apple, it should be known that their DRM is just as bad).
If you don't like DRM, don't buy DRMed music. WMP11 will play your clear music just fine. Meanwhile, people who are buying DRMed music will be able to play it in WMP11 without affecting the experience of those who refuse to buy DRMed music.
Also, it is not
Re: (Score:2)
Yeah, WMP and DRM are really "
Re: (Score:2)
I have no idea about how DRM in cable works though. I record all my shows using a VCR because it's analog and the shows look warmer than using digital recording.
Re:WMP11 EULA Time Bomb (Score:3, Interesting)
Uncertain. Hopefully you aren't getting the content from CDs. This is verbatim from the EULA:
"If the file is a song you ripped from a CD with the Copy protect music option turned on, you might be able to restore your usage rights by playing the file. You will be prompted to connect to a Microsoft Web page that explains how to restore your rights a limited number of times."
Re: (Score:2)
I speak as a person who has been hit by it several times already. And you are affected too, if you'd be willing to open your eyes. What if you want to listen to the CD on the computer and you're told you may not do that? How is
Re: (Score:2)
DRM isn't going to stay or go away based on anything I do, and I'm not affected by it, nor will I be upgrading to Vista or WMP11 or any of the other crap being excreted by Microsoft.
DRM can't affect you if you don't invite it on to your hardware.
Re: (Score:3, Insightful)
1. Maintain their monopoly
2. Fool the government into thinking they don't have a monopoly
3. Enforce Microsoft lock-in to existing customers
4. Spreading FUD about Linux and Open Software in general
5. Band-aiding the constant stream of security flaws in their older products
6. Inventing more and more byzantine and fragile DRM schemes that are still hacked before they are even released
7. Making new software people actually want t
Re: (Score:2)
Problem is that WMP 11 contains even more DRM. DRM adds much more complexity to a media player, including the trusting of external sites.
It's not an exploit ... (Score:4, Insightful)
All it takes is a jump instruction. (Score:5, Informative)
In fact, many x86 operating systems have used such a technique to dynamically patch kernel code. They insert a couple of nop operations after a function prologue. These operations normally do nothing, but can be replaced with a jump instruction at runtime. This allows for the instructions of the existing function to be replaced with ease.
Re:All it takes is a jump instruction. (Score:5, Interesting)
At absolute worst, you could do what at least one paper calls a non-control-data attack and corrupt some other piece of data that was next to it in the heap. Except every malloc implementation I know puts a header struct at the beginning of each block, so even if two pieces of heap data ended next to each other you wouldn't be able to reach the actual data with just a 4 byte overflow, and the best you could hope for is to corrupt the header. This is very unlikely to have any exploitable effects, and is just likely to kill the process.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2, Interesting)
It's easy (in the context of attacking a computer via a media file) to load code into a data segment, sure. But not into a text (code) segment. So the jump instruction does a local jump to -- oops, access violation.
It is truly amazing, though, that six-seven years after Microsoft really started talking big about dealing with their security problems, they still haven't managed to complete a code review to deal with buffer overrun vu
Re: (Score:2)
a lot of their stuff is written in languages like C and C++ where you can pass a buffer to a method without its bounding information
And it took them until Visual Studio 2005 for them to bite that last bullet. In case you haven't used it yet, they've added a set of "safer" routines to the standard C runtime library. They are not backward compatible. Now, instead of sprintf(), you call sprintf_s(), which takes the traditional output buffer pointer plus a new parameter indicating the length of the output buffer. It also validates the format string, although if you let the users modify that you'll still have problems (and the do
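Added example (not the comment author's code, and not Microsoft's CRT): the unbounded sprintf() pattern beside a length-carrying variant in the sprintf_s() style the comment describes, using portable snprintf() as a stand-in for the MSVC-only sprintf_s(). The buffer size and the 'ref href' URI are constructed so that the overflow is exactly the four bytes discussed in this thread; the format-string validation that sprintf_s() also performs is not reproduced here.

```c
#include <stdio.h>
#include <string.h>

/* Constructed for this example: a small fixed-size destination buffer,
 * standing in for a field a playlist parser copies a 'ref href' URI into. */
#define HREF_BUF_SIZE 16

/* How many bytes (including the terminating NUL) an unbounded sprintf()
 * would write for this URI. Passing a zero-size buffer to snprintf() only
 * measures; nothing is written, so no memory is ever overrun here. */
long unbounded_write_len(const char *uri)
{
    int n = snprintf(NULL, 0, "href=%s", uri);
    return n < 0 ? -1 : (long)n + 1;
}

/* Bounded variant in the sprintf_s() style: the destination length travels
 * with the pointer. snprintf() is the portable stand-in used here.
 * Returns 0 when the whole string fit, a positive count of bytes that did
 * NOT fit (what sprintf() would have written past the end), or -1 on an
 * encoding error. dst is always left as a valid NUL-terminated string. */
long bounded_format_href(char *dst, size_t dstsz, const char *uri)
{
    if (dstsz == 0)
        return -1;
    int n = snprintf(dst, dstsz, "href=%s", uri);
    if (n < 0) {
        dst[0] = '\0';
        return -1;
    }
    long needed = (long)n + 1;
    return needed > (long)dstsz ? needed - (long)dstsz : 0;
}

int main(void)
{
    char buf[HREF_BUF_SIZE];
    /* Constructed URI: 14 characters, so "href=" + URI + NUL needs 20 bytes,
     * exceeding the 16-byte buffer by exactly the 4 bytes in this thread. */
    const char *uri = "http://x/abcde";

    printf("unbounded sprintf would write %ld bytes into a %d-byte buffer\n",
           unbounded_write_len(uri), HREF_BUF_SIZE);
    long over = bounded_format_href(buf, sizeof buf, uri);
    printf("bounded write: \"%s\", %ld byte(s) rejected\n", buf, over);
    return 0;
}
```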
Re: (Score:2)
x86's local jump is two bytes long. One byte for the prefix (74/75 for conditional, EB for unconditional) and one byte for the offset.
If it's not dangerous... (Score:3, Insightful)
zero-day exploit (Score:3, Insightful)
Re: (Score:2, Informative)
Neither the linked article nor the eEye alert says that there is an exploit available, just that it's a flaw.
And eEye somehow missed listing "upgrade to the unaffected WMP11" as a form of mitigation.
zero day potentially exploitable flaw .. (Score:2)
Happy now
was zero-day exploit (Score:4, lets not talk about the potential flaw)
4 bytes IS ENOUGH (Score:1, Insightful)
Re:4 bytes IS ENOUGH (Score:5, Interesting)
Re:4 bytes IS ENOUGH (Score:5, Interesting)
Worst case that's remotely likely would be that you corrupt the header that marks the beginning of the next heap block and wreak havoc with future malloc calls. Probably nothing controllable though.
Alter the next heap header to point to a location on the stack as the next free block, and send another chunk of data so malloc() is called and allocates from there. Then write your code/retp change and wait. (Or something equally bizarre)
A couple bytes overflow in the heap is abusable enough to screw with pointers; and in some cases it suddenly turns into a big overflow in situations we didn't predict (this happened with an old libpng CVE, and with an Apache flaw where the overflow was always exactly "k`" until someone figured out how to do better).
Re: (Score:1)
For your plan to work:
1. The following memory would likely have to be deallocated (this depends on the malloc implementation, but assuming that it keeps track of a free list, the block that you corrupt would have to be deallocated before that address was used for anything), so the following would have to be done at the first allocation following this deallocation
2. You would have to be able to determi
Hmm... (Score:4, Funny)
Re: (Score:2)
GG Misleading Post (Score:5, Insightful)
Doesn't affect my Vista machine. Nor my XP Pro machine running IE7 + WMP 11.
Seeing things like this, I can't help but wonder what it might look like if every time a flaw was discovered in *Nix, a security advisory (even if barely remotely applicable, as in this case) were released, and slashdotted. Maybe this post is flamebait too (seems to be my trend as of late), maybe not. But the title of this particular post is pretty misleading.
0 day flaw! Congratulations. It's software. I still play games that if they run for more than 2 hours I'm lucky. The real problem is the testing, and the coding that goes into these. You fix one thing, and something else inevitably breaks.
How often does a kernel update in Linux break something that you now have to update, or sometimes roll back altogether because they won't work?
This post is as overdramatic as going nuts every single time something in Linux broke or didn't work right. Sometimes MS deserves to be thumped on the head. This time though, seriously, come on. Tell you what, run your 4 byte program that is gonna hax0r my computer. I invite it, might give me something to do.
Re: (Score:2)
Slight difference (Score:5, Insightful)
The vast majority of Windows users do not run Vista, IE7, or WMP11, even though all are technically available.
So this particular flaw affects most Windows users, and is thus important to those that have to deal with these users and/or their computers.
Re: (Score:2)
http://news.com.com/MySpace+to+Apple+Fix+that+wor
Reported to slashdot 3 days ago, story accepted, never published.
You are so correct, if it is Microsoft it is critical news. If it is anyone else, it's covered up.
Re: (Score:2)
doesn't affect my Vista machine .. (Score:2)
"Doesn't affect my Vista machine. Nor my XP Pro machine running IE7 + WMP 11"
What version of WMVCORE.DLL does WMP 11 use, and is there a security advisory saying XP is not affected?
"the function at 7D7A8F27 in WMVCORE.DLL version 9.0.0.3250, and at 086E586E in WMVCORE.DLL [intelliadmin.com] version 10.0.0.3802"
"I can't help but wonder what it might look like if every time a flaw wa
No plans to fix the Word flaw (Score:5, Interesting)
It could be fixed already (Score:4, Funny)
Has this been tested? (Score:2)
Exploitability due to the corruption of the adjacent heap block's header is assumed likely but research is ongoing.
It's "likely"?
That sounds to me like something could *potentially* happen, but they haven't been able to actually prove it yet. And, the date on this discovery (according to the source article) was over two weeks ago. By now, wouldn't they have concluded something with their research?
The company does, however, sell a product to help mitigate "issues" like this.. which they link to at the bottom of their article.
Re: (Score:2)
No... not at all. They're just very liberal with their definition of "zero-day"...
Re: (Score:2)
The recent coverage of ASX Playlist issues in various security mailing lists and forums seems somewhat strange. For the uninitiated, here is a quick wrapup:
XMPlay
Tomorrow's zero day exploit (Score:1)
To quote Bizarro Gates (Score:2, Funny)
The new "thing" (Score:1)
Is it just me, or did these "zero day exploits" suddenly come out of nowhere?
We used to hear about all kinds of interesting security vulnerabilities, flaws, buffer overruns, etc. Did someone reclassify everything as a "zero day exploit"?
Zero-day exploit (Score:4, Funny)
Zero day exploit??? (Score:2)
There's More - If you read the security lists (Score:3, Informative)
XMPlay ASX buffer overflow PoC code posted to milw0rm - 21 November
This PoC demonstrated an exploitable buffer overflow condition in the handling of 'ref href' URIs. A CVE entry (CVE-2006-6063 - though this only identifies the
A good chance to try VLC (Score:2, Informative)
VideoLAN - VLC Media Player [videolan.org] is an all-in-one open source and cross platform program which does much more than WMP: it's a user-friendly player, but also a powerful and flexible transcoder for almost every audio/video format and even a stream server supporting various network protocols.
Worth a try as a better replacement, especially for power users.
Lovely.. (Score:2)
After switching to OpenOffice and VideoLAN, I guess the leap to Linux isn't that far if it wasn't for the fact that you'd have to switch a whole infrastructure and find a new support environment. Not that easy, but more and more attractive, and it appears to have an ever improving ROI...
Fix (Score:2)
Also, they should more actively spread bad press about companies that release products that require administrator rights to be used.
Those companies should be pointed out as part of the reason for security problems and hacked systems.
More problems with the programming language C! (Score:2)
And no, this is no troll, it's reality: with a language like C, problems like buffer overflows are very easy to do...
In this day and age, a buffer length check is not a serious hit on performance!
no version, no POC, selling their 'solution' (Score:2)
Re: (Score:2)
WMP11 doesn't have the issue.
Re: (Score:2)
It's called... (Score:2)
The new versions of Winamp will play any file that WMP plays. That, combined with WMP Classic, QT Alternative, Real Alternative, and the Matroska codecs, and I'm all set. Heck, my XP box is still running WMP 9! I just disassociate it with all files, and then stop using it. I never need to touch it again after that.
My Ubuntu box will also play any of the above thanks to Easy Ubuntu. I just loaded up what I wanted, and away I go. (Although I wish Amarok was available for the Gnome interface.)
Exploits in media players (Score:2)
Microsoft's Solutions? (Score:2)
That's one app down.
I suppose for the Player, they suggest...not playing anything.
Another app down.
What's left? Excel? Access? We already KNOW Outlook Express and Outlook and IE are toast on a daily basis.
And corporations still USE this crap?
Suckers.
Re: (Score:3, Interesting)
Re:Danger: Four-byte programs could be launched? (Score:4, Funny)
No, but "del
Re: (Score:2)
Re: (Score:2)
How are you going to execute it? I'm fairly certain WMP does not execute code on the heap at all, much less try to execute a character string.
And then, where are you going to jump to? You're in WMP's address space, what in WMP's address space will give you any sort of control over the system? Maybe you could jump to a function that deletes a song from their playlist?
Re: (Score:1)
F0 0F C7 C8 [x86.org]
Oh... you wanted a recent one...
Re: (Score:1)
Ever hear of the JUMP instruction? (Score:4, Interesting)
I don't know how large they are in x86 assembly, but the 68HC11 I used to write for didn't have any instructions bigger than four bytes unless I sadly misremember. Four bytes would've been plenty.
Don't laugh. Plenty of exploits have been coded that have more difficult requirements for the exploit to work.
Re: (Score:3, Informative)
A buffer overflow is a buffer overflow, but if you RTFA... you discover that the maximum overflow of the buffer is four bytes. Anybody know of any four-byte long spyware programs?
Are you a moron?
The code which is executed need not fit into the 4 bytes.
Re: (Score:2)
Re: (Score:2)
Re: (Score:1)
Any piece of software is vulnerable to these sorts of attacks; the only way to prevent them is with flagging memory as unwritable (and possibly randomizing the memory blocks). Thank you, PaX.
Re: (Score:2)
Re: (Score:2)
Re: (Score:1, Funny)
Anti-Troll Measures (Score:2, Funny)
It got removed from slashcode at the same time the "-1, Nigger" mod went.
Re: (Score:2, Informative)
Re: (Score:1)
Re: (Score:1, Offtopic)
As a Windows user experimenting with Linux, I managed to make Linux kernel panic the very first time I booted it from my hard drive.
Of course I was trying to configure grub to triple boot manually... on Slackware. Ubuntu has its own share of problems, like thinking my computer is running on GMT and "fixing" my clock for me to what it thinks is the actual local time. Then when I set it to the correct time, I can't use sudo or su for five hours because of a stupid sudo timestamp (I eventually figured out
Re: (Score:2)
cheers
Re:This must be (Score:5, Funny)
Re:This must be (Score:5, Funny)
"And God saith, I shall divide by zero.
And big black things did appear.
And God saith, I shall not do that again."
It's Been Merry Since Easter (Score:2)
Either way, it probably won't see much of a change, though it is disappointing to see
Re: (Score:2)