.ANI Vulnerability Patch Breaks Applications

Jud writes "Microsoft's fix for the .ANI vulnerability was part of Patch Tuesday yesterday. However, all is not well with the update. Reportedly, installing the patch will break applications such as Realtek HD Audio Control Panel and CD-Tag, which mentions they are affected by the problem on their main page. A hotfix is currently available from Microsoft, however their current position is this is an isolated problem and the fix is not planned to be pushed out through Microsoft Update. "

Hehe

[Mateo_LeFou]

"their current position is this is an isolated problem"

Weird, 'cause I hear about one of these stories almost every week. Isolated in what sense?

Re:

[ady1]

All the effected cursors are in sandtank with sand all over them. So year, they are isolated.

Re:

[krakelohm]

What?

Re:

[default luser]

Cursors are! What a flagellant parade.

I recommend you ground your human decency in salt domes. One cannot expect the animated cursors to fly in a vaccuum.

In an entirely unrelated note, "sand" is German for "sand." I sand acquitted!

Re:Hehe

[mwvdlee]

They released a patch yesterday, discovered problems with it since yesterday then fixed it today. Yet you've been hearing about these problems for weeks?

Re:

[Mateo_LeFou]

"Microsoft Lost the Backwards Compatibility Religion

Inside Microsoft, the MSDN Magazine Camp has won the battle...."

From one of the best articles [joelonsoftware.com] a guy can read

Re:Hehe

[Anonymous Conrad]

They released a patch yesterday, discovered problems with it since yesterday then fixed it today. Yet you've been hearing about these problems for weeks?

Actually, no, they did know about this ahead of time. From the MSRC blog [technet.com]:

The result of our comprehensive testing is that at the time of release, only one minor quality issue was known and guidance as well as a hotfix was ready for customers at the same time of release.

I'd guess they haven't had time to put the hotfix through the full test cycle yet but still needed to release the general fix.

Was the DLL base address ALL they changed!?

[Anonymous Coward]

What bothers me is that it makes me feel like this "fix" may not even patch the real problem.

You see, moving where a DLL is stored in memory might break the proof of concept, but it might not actually fix the vulnerability. Sure, the code it hooked into before in order to hack the machine won't be in the same place, but it might well be possible to fix the exploit to point to the code's new location.

In short, I wonder if they're playing tricks to make it more difficult to exploit without actually fixing th

Re:

[bradkittenbrink]

So where's the little star next to his name?

Re:Hehe

[t0tAl_mElTd0wN]

You know, it's really starting to get to me, everyone beating on MS all the time. I mean, when you're the biggest, a lot of times your flaws stand out easier. Really, so what if a bunch of geeks on their spare time can write a 3D interface which performs better, and existed much earlier than the product of ten times as many full-time professionals? So what if you can do awesome things like formatting an empty file with its own filesystem? I mean, a huge security vulnerability in animated mouse cursors, and then releasing a patch that breaks more than it fixes... that's a mistake anyone can make, right? Well... apparently except for Linux, Apple, Amgia, Palm, BSD, or... well, pretty much anyone else.

Sarcasm aside, how exactly did it come to pass that the guy who wrote the code for animated mouse cursors managed to open an "extremely critical" security vulnerability in the process... and then how did it become so important that fixing it breaks applications which relied on said bug?

I'm sorry, I'm not entirely 100% anti-MS (XBox Live owns, Visual Studio .NET is one of the best IDEs that I've ever used, etc.) but really, these are some mighty clumsy mistakes to be making considering the magnitude of some of their more powerful clients [slashdot.org]...

Re:

[BlueTrin]

Wow you got modded positively while defending MS, you might try to bash alit bit Linux the next time to check if we are assisting in a shift in /. base.

Re:Hehe

[adisakp]

"their current position is this is an isolated problem"

I have a fairly new Dell XPS600 (1 year old) and the update borked my machine due to the realtek program. I got some obscure message about how rtdcpl.exe was performing an illegal access trying to move some OCX DLL.

I was able to solve the problem by Google Searching and installing the MS hotfix. The only problem now is that "hotfix" makes it so I have to wait about 1 minute longer after I log in before I can access the internet. I used to be able to pop-up IE right away and surf but now if I do that, I get the error page for site not found for about 1 minute before things start working normally.

I don't know how isolated it can be since Dell alone has sold millions of PC's with realtek audio chipsets.

Re:Hehe

[140Mandak262Jamuna]

I used to be able to pop-up IE right away

That is your root cause of the problem. Stop using IE, all your problems will go away.

Re:

[adisakp]

FWIW, ping in a CMD window won't work until after a minute passes. Something in the hotfix for the hotfix ends up delaying the availability of internet-accessing services.

Re:

[HermMunster]

It isn't so isolated that I haven't encountered the problem 2 times already in one day in my shop--I fix computers for a living.

Other affected programs: Tugzip...

[semifamous]

My archiving application of choice, Tugzip [tugzip.com] is also affected by this update and the mentioned fix took care of the problem.

Anyone's surprised?

[keisar]

Microsoft breaks something when patching something else? I'm surprised. Really. I am. No, really. I am.

Re:

[Yetihehe]

Oh really? Thats unposiible!

Re:

[TheNetAvenger]

Do you think that it is possible that maybe Microsoft has to compensate for every bad developer in the world using unsupported or corrupt format cursors?

Re:Anyone's surprised?

[cheater512]

Uh...Ever heard of not playing a corrupt ANI file? Theres no need to have exploits there nor is there a reason to break existing functionality.

If you read the hotfix page you'd see this:

The Hhctrl.ocx file that is included in security update 928843 and the User32.dll file that is included in security update 925902 have conflicting base addresses. This problem occurs if the program loads the Hhctrl.ocx file before it loads the User32.dll file.

So yes it is Microsoft's fault that they screwed up.

Re:

[Uksi]

The software this is affecting is loading key DLLs in the wrong order.

Whoa, since when is loading DLLs in wrong order been a problem? Any DLL that needs another DLL as a dependency will load that other DLL. So the order of loading doesn't matter, as it works out in the end.

Except that in this case, Microsoft screwed up and released the file with a conflicting base address! Hell, I don't even know why this problem even exists anymore! It's a shame that in 2007, such a problem occurs. Why would Microsoft have

Re:

[NormalVisual]

a few apps bite it on an emergency hotfix, and people act like this is a big deal.

In my case, it was a bit more serious than "a few apps bite it". On my work machine, Windows was stuck in a boot-bluescreen-reboot loop and was totally unable to start, even into safe mode. It wasn't until I booted ERD Commander and rolled off the 925902 hotfix that the machine would cooperate. Interestingly, the Windows event log was unable to even give me the hotfix number - I had to get that from ERD.

Windows shoul

Re:

[TheNetAvenger]

Oh shit, wait... You're serious aren't you?

Actually, ya. And this is just in reference to Win32/Win16/DOS applications that are the MS bread and butter. You have any idea how many of these freaking applications are out there?

PS Windows also has a full BSD Interface UNIX subsystem (even ships on the Vista DVD), and most all *nix applications compile and run just fine in the UNIX subsystem sitting on the NT kernel running alongside Win32/Win64 applications.

So, ya, Windows does support more applications than a

Re:

[Anonymous Coward]

Do you think that it is possible that maybe Microsoft has to compensate for every bad developer in the world using unsupported or corrupt format cursors?

It's not only possible. It's mandatory. It's called input validation, and everybody else is doing it. The only reason I can see why Microsoft is an exception is that they have convinced people like you that it's not their fault if *their* software breaks. Get a clue.

Re:

[TheNetAvenger]

since any monkey can be a "developer" (or a virus author) without knowing what they're doing with those development environments they put out they should expect to have a lot of bad software as a result of that.


Wow, brilliant.

So... since I can write a really bad script that deletes a user's files or a bad application for any OS, it is the OS's fault or the company that designed the scripting language?

Cool, I will write tons of applets to wipe hard drives to give to my friends and then tell them that you sai

Re:Anyone's surprised?

[pilgrim23]

Cursor's Foiled AGAIN!

This was not patch Tuesday

[Anonymous Coward]

Patch Tuesday is the second Tuesday of each month. This was an out of cycle patch released.

Re:

[Rik Sweeney]

Patch Tuesday is the second Tuesday of each month. This was an out of cycle patch released.

So what you're saying is that they've got 6 days left to patch the patch?

Re:This was not patch Tuesday

[Opportunist]

So this was "break Tuesday" then?

Except for down under

[MadMidnightBomber]

...unless you're in NZ or Australia, when Patch Tuesday is on Wednesday.

Before all the lame bashing..

[madsheep]

I just wanted to make a quick post before I see all the standard lame M$ bashing gets out of hands from a ton of idiots that are most likely using Windows while posting.

This is exactly why it takes Microsoft so long to put out patches sometimes. Unlikely all these free and open source packages, Microsoft Windows is actually used by tons of users at home and in the business world. People need their machines to do their daily activities and jobs. This is why so much testing is needed before something can just be shoved out there. This is why you tend to see this sort of thing from patches released out of cycle. It obviously has not and could not have been tested as much (and yes sometimes problems occur with patch Tuesday patches).

You might not see as many issues with *nix based systems. Why? Well, there just are as many users. This might sound like a cliche but it is a fact. Look at when official Redhat patches and other updated packages actually come out. They come out days, weeks, and months later. Sure there is some patch that some random guy hatched together -- the power of open source!! However, if you were to apply that untested P.O.S. across the world in tons of real environments, you'd probably have a shitton of problems.

This does not excuse problems with patches, but at least it came quicker. Remember, M$ has to release stuff that fortune 1000, government, home users, and everyone else can live with. Pushing some patch 30 minutes later for an OSS package that 2000 rag tag home users use.. just isn't the same.

Re:

[backbyter]

>Remember, M$ has to release stuff that fortune 1000, government, home users, and everyone else can live with. Most large shops do not allow patching via MS update. Most large shops review the patch, send off the ones they are contemplating to apply to the in house testers, then wait until standard installed systems and critical in house application have tested. Then the patches will be applied.

Re:Before all the lame bashing..

[camcorder]

It's not time taking releasing the patch, it's the design decition done by a software company with its flagship product used by millions. You put a useless feature like handling .ani in HTML with your renderer, you also embed this renderer everywhere throughout your "OS", then for sure it would take lots of time to test for problems for such a single fix in .ani file handler. We saw same scenerio in past dozens of times.

Having millions of users might be an excuse, but having a bad design can't, if you claim to be developing best software.

I really find it just plain spreading FUD to compare open source software equivalent microsoft software with those metrics. Blah, blah, but it's used by millions, see what happens when open source is used by millions. Just wondering how many in those millions compare design decisions taken during software development of product they use. What's lame is not seeing how broken design of some parts of the software, not bashing due to these flaws.

Re:

[PinkPanther]

I'm not justifying the .ANI feature, but recognize that IE is far more than a simple "web browser". With features such as HTML Application [wikipedia.org], IE can be used for developing extremely rich enterprise applications...which is where most of the "bloat" comes in.

Yes, you mightn't need a full development environment inside of your word processor or web browser, but they didn't spend time and energy putting those features in there for nothing. Someone determined that the bloat would make them more money...based o

Re:

[0123456]

"I'm not justifying the .ANI feature, but recognize that IE is far more than a simple "web browser"."

But that's the whole problem.

Re:

[PinkPanther]

From your point of view, maybe. But, again, MS put in the features you aren't using because someone wanted to pay for them.

Re:

[t0rkm3]

I think the problem would be more accurately stated as; Microsoft saw a revenue opportunity and chased it using Time-To-Market as the indicator of success.

They could have created a similar product with a similar feature-set and performed better as a software company if they had learned the lessons of the past (UNIX) and learned them early. Modularity rules all other design concepts. I hear they are picking up the banner of modularity but I certainly am not banking on it.

That is why the Unix mentality produc

Re:

[ralphdaugherty]

From your point of view, maybe. But, again, MS put in the features you aren't using because someone wanted to pay for them.

      I would term it embrace and extend to proprietary features that only work where Microsoft allows it to work. It's called lockin, and it comes free.

  rd

Re:Before all the lame bashing..

[afidel]

Useless feature??!?

Uh, several of our enterprise webapps used animated cursors to let the user know that something is being processed. Maybe to a clueless geek user feedback is a useless feature, but to anyone who knows about UI design it is a requirement. The real sin with this patch is that this bug was already patched TWO years ago, but they meerly patched the codepath for the known vulnerability and left it at that, they did not look at the actual cause of the problem and so we have the same vulnerability with a twist come out two years later.

Re:Before all the lame bashing..

[phasm42]

How about an hourglass? The animation is merely for looks, the animation is not necessary for feedback. It's not like the animation is actually tied to the progress anyways. It's like those sites that use animated GIFs as a "progress bar" -- there is nothing tying progress of the task to progress of the animation.

Re:

[danpsmith]

How about an hourglass? The animation is merely for looks, the animation is not necessary for feedback. It's not like the animation is actually tied to the progress anyways. It's like those sites that use animated GIFs as a "progress bar" -- there is nothing tying progress of the task to progress of the animation.

Really? And all this time I thought that animated blue box filling up dialog really meant that it was working hard.

Re:

[Some_Llama]

"they did not look at the actual cause of the problem and so we have the same vulnerability with a twist come out two years later."

Cue M. Night Shyamalan, sounds like a new movie opportunity...

Re:

[irc.goatse.cx troll]

Whats the better solution, every app having its own incomputable html renderer each needing to be updated separately? From a security standpoint, yeah, that would lead to not having one vulnerability effect all apps, but it also means a lot more codebases each with their own bugs, especially considering the number of developers that use IE's renderer vs the number that are capable of writing their own non-fail html renderer.

Re:

[Twillerror]

Mozzila has no design flaws?Apache, Linux, all the open source file systems, all the various packages all have flawless designs? Kde and Gnome and X itself all designed flawlessly? Of course not...humans write most lines of code after all.

Re-use of code like allowing an .ANI file to be played in a browser and everywhere else is a good design. It might cause secrutity issues, but having a consistent standard is great for many reasons. Even if in this case animated cursors which would seem to have no purpose

Re:

[cheater512]

Context is important here.

A security exploit in animated cursors and then they stuff up a number of other applications trying to patch the exploit.
This isnt Internet Explorer. Its a simple animated cursor.

And yeah I am using Linux and have been for years. Happy?

Re:

[kosmosik]

> This is exactly why it takes Microsoft so long to put out patches sometimes.

Yeah like allowing websites to load animated cursors is great idea of bloat. WTF you would event want to do that? When using operating system shell I have my OWN set of cursors and it is totally stupid to even add such feature...

So take it like this (it is quite obvious). Windows is bloated. Bloat means that in every stupid feature that nobody uses can be a but. Bloat means that patching is hell because it is so bloated that th

Re:

[wwahammy]

I always like when people say anything they don't like is "bloat". Lots of my non-computer geek friends think those animated cursors are neat. I find them moronic but that's my opinion. Quit calling things you don't like "bloat".

Re:

[kosmosik]

> I always like when people say anything they don't like is "bloat".

I was refering to particular function that ALLOWS WEBSTIES TO LOAD CURSOR INTO YOUR COMPUTER. Not animated cursors per se (every decent shell uses them).

Re:

[wwahammy]

That was what I was referring to as well

Re:

[kosmosik]

OK so maybe some user likes cursors.

But it was still BAD DESIGN decision to allow websites (untrusted) to load cursors into shell. It is like asking for trouble. The problem is that they introduced something like this. Nobody really used it and they let it alone to rot in few Windows versions. And than *boom* it comes back.

Don't you see a pattern here? Some of Windows flaws come from such legacy stuff (that nobody really used).

Re:Before all the lame bashing..

[CowTipperGore]

However, if you were to apply that untested P.O.S. across the world in tons of real environments, you'd probably have a shitton of problems.

At least we know [techtarget.com] this [netscape.com] doesn't [techspot.com] happen [com.com] with [com.com] Microsoft [microsoft.com] patches [microsoft.com].

Re:

[chavo valdez]

How long have you been saving that one up?

Re:

[CowTipperGore]

How long have you been saving that one up?

It took me about 90 seconds with Google...

Re:

[spellraiser]

Unlikely [sic] all these free and open source packages, Microsoft Windows is actually used by tons of users at home and in the business world.

Yeah, it's not like MySQL or Apache are used by anyone. Or PHP, Perl, Java, Firefox ...

Re:Before all the lame bashing..

[lenski]

Pushing some patch 30 minutes later for an OSS package that 2000 rag tag home users use.. just isn't the same.

2000 ragtag home users? You are smarter than that, I can tell by the quality of your writing and sentence structure alone. While some OSS packages serve small communities, there are lots of packages that serve large and diverse communities. (PostgreSQL, Apache, the Linux kernel, Firefox, the list goes on). Those packages have, on occasion introduced vulnerabilities due to the natural vicissitudes of software development. And when their vulnerabilities are discovered, they get fixed quickly. (And this one hit me this morning: I don't need Linux Genuine Advantage for permission to receive updates to my damn software!!!)

It is worth noting, however, that such vulnerabilities are nearly always limited in scope due the inherently modular nature of the OSS world. Microsoft built a highly integrated system to support its business model. They are welcome to their high integration approach. And those of use who do not appreciate the effects of that way of doing business are welcome to complain when it wacks the shit out of our families' productivity when we are trying to get some proprietary fix.

I don't need Linux Genuine Advantage...

[symbolset]

But of course it's available if you do want it [linuxgenui...antage.org].

Naturally Linux Genuine Advantage is open source, and not to be outdone by Microsoft platform hackers a hack is available to auto-certify LGA without actually contacting the LGA server.

Re:

[jamesjw]

Linux Genuine Advantage?

Wonder how long before SCO buys into this product :)

-- Jim.

In actual fact

[Toreo asesino]

You don't need WGA to receive Windows patches either. Automatic updates will work perfectly fine even if your serial is blatantly stolen; but 'upgrades' won't (IE7, WMP, and all that good fun).

Yeah, WGA sucks, but software updates will come either way.

Also, to say Linux is completely independently modular isn't entirely accurate either (although, in fairness it's not like I completely disagree). Upgrading kernels (due to 'serious' security vulns) will break more things than I'd like for instance - my (yes I

...you will make your own bashing

[drinkypoo]

Pushing some patch 30 minutes later for an OSS package that 2000 rag tag home users use.. just isn't the same.

Perhaps you have not noticed that a majority of fortune 500 companies are using Linux in some capacity.

Rag Tag home users? You don't have a job, do you?

Re:

[uvayankee1]

This is exactly why it takes Microsoft so long to put out patches sometimes.

The problem here is that MS did have a long time to put out the patch (the vulnerability was reported to them 3 months ago) and yet they did not do anything about it until it was already a zero-day exploit, and then their patch breaks applications. That doesn't look good for any group, open or closed source.

Re:

[VertigoAce]

Actually, I imagine the dev team had a patch ready within a short time of it being reported in December. The initial patch probably broke a lot more stuff than the released one does. Microsoft tests patches against a huge number of applications and configurations as part of their regression testing. As long as it's not being exploited, it's better for MS to keep working on compatibility issues. Once the exploit was public, MS pushed it out the door with one remaining compatibility issue and a hotfix for tha

Point of Order:

[Penguinisto]

Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.9) Gecko/20070209 Fedora/1.5.0.9-3.fc6 Firefox/1.5.0.9 (yeah, yeah - haven't fiddled with an upgrade yet... sue me).

Now - forget the dazzling array of hardware and software to check against. This .ani thingy is a UI issue that should --at worst-- munge the way an app's mouse cursor animation looks, but not munge the app itself, or even think of touching OS stability.

C'mon... we're not talking about patching the TCP/IP stack, or patching against ntldr here

Re:

[phasm42]

Although I find the fact that a bad animated mouse cursor can subject me to a remote code execution exploit to be adding insult to injury, this isn't something unique to Windows. Something has to parse the cursor file, and it runs as whatever the current user is, and thus has the privileges of the current user. If Linux's GUI had a shitty implementation of an animated mouse cursor file, it would subject to the same exploit (but probably with less damage because you're less likely to be running as root).

Re:

[code65536]

Well, for starters, changing the mouse cursor is a part of the official W3C CSS specs...
http://www.w3.org/TR/CSS21/ui.html#propdef-cursor [w3.org]

In other words, *something* has to be able to load and process the mouse cursor. And if the thing that loads and processes the mouse cursor falls prey to a buffer overflow, then you've got yourself a vulnerability. Since it's the OS that handles and draws the mouse (so it's not an IE thing; FF will fall prey to this too), it's the OS that handles the mouse cursor, so a b

The sad life of a Windows developer

[symbolset]

Developers, developers, developers

Many of them trying to keep afloat the bastardized zombie of a legacy project begun in DOS and ported to Win 3.1, Win32, Win64, .NET, Sun Java, MSJava, Sun Java again and Vista. None of them with Microsoft's preferred and undocumented internal APIs for any of those systems. Many of them with no clue how to write good code, managed by non-programmers who can't tell. Each of them insisting that each revision has slain their sacred cow. So many of them that any patch no m

Re:

[kripkenstein]

You might not see as many issues with *nix based systems. Why? Well, there just are as many users. This might sound like a cliche but it is a fact.

No, that isn't the issue. There are several matters here. One of them: FOSS software has sources available. It is far easier, for certain types of patches at least, to check if there will be problems by checking source code. Even a simple grep can tell you what apps rely on the element you are changing. Furthermore, the patch's source is shown to the app develo

Re:

[marcosdumay]

"You might not see as many issues with *nix based systems. Why? Well, there just are as many users."

I used to think that it was because *nix doesn't execute arbitrary code embebed on images. But thanks for oppening my eyes.

Re:

[Kris_J]

I won't be bashing Microsoft regarding the production of this patch. I will, however, have a go at them for needing it (and many others) in the first place. If MS's products weren't shovelware inspired by flypaper we wouldn't have half these problems.

What I want is a first-party "XPLite [litepc.com]"

This looks like something vendors could fix.

[xxxJonBoyxxx]

From TFKB...

This problem occurs if the program loads the Hhctrl.ocx file before it loads the User32.dll file.

This looks like something vendors could fix without a "hotfix" from MS.

Re:

[Anonymous Coward]

There's an important sentence that comes right before the quoted one (emphasis added):

The Hhctrl.ocx file that is included in security update 928843 and the User32.dll file that is included in security update 925902 have conflicting base addresses.

Re:

[Alex_Ionescu]

Because Win32k.SYS (The Win32 GUI Subsystem) expects user32.dll to remain at the same base address. So while most other DLLs can be relocated, user32.dll can't, since all the pointers that win32k.sys uses would become invalid. A solution would be for user32.dll to report itself to Win32k.sys for every new GUI process, but this would considerably slow things down, and require callback tables and validation to be per-process instead of per-system.

Also, they're "hardcoded" because it's faster when the system d

Re:

[sqlrob]

Both are DLLs from MS. Therefore, it is MS' fault.

he

[godsfilth]

seems to be affecting calc.exe and avg on my computer and the patch dosnt seem to fix either but still gotta love that its affecting microsofts own stuff

Re:

[cnettel]

If it does affect calc.exe, it rather seems like you have some DLL injection (keylogger/spyware, or something legit) that then causes this. If they messed up the base address, or just increased the size over a previously valid boundary, all kinds of DLLs with preferred addresses in the same region could start causing interference.

You simply have to be careful with the address space if you are a library that will be dynamically loaded in plenty of images, especially if you are loaded very early on.

(Heh, last

Realtek HD Audio exists on a lot of PCs...

[tlhIngan]

A lot of machines have the Realtek HD Audio thing in them to provide audio - notably most of the Core/Core2 based ones (HD Audio is a standard by Intel, Realtek being one of the first to offer it).

Seems like this isn't really an "isolated" problem, but a fairly common one if you own a desktop made in the last year or a recent laptop...

Re:

[jsupreston]

I'm running into it right now with brand new HP dc7700 systems here at work. MS knowledgebase was no help, but the first hit I got using Google Groups pointed me back to the MS site and the patch. May look at getting the newer driver someone else posted. I agree that this shouldn't be considered an isolated issue. I've seen a lot of machines make use of Realtek's audio lately. Fortunately for me, I only have 3 of these systems on the network right now. I could see how it could cause a lot of grief in a lar

Re:

[jupiterssj4]

So THAT is why I am getting this illegal exception error since restarting my computer today. I have an Acer Travelmate 8210 and it has he realtek HD audio. Now, what to do to get it to work again. Grr microsoft, test things out before you force patched down our throats! I use firefox and therefore don't have to worry about .ani corrupted files anywaya!!!

Re:

[code65536]

Incorrect. The ANI vulnerability affects Firefox as well.

Re:

[poot_rootbeer]

Windows comes with a perfectly usable GUI interface to volume controls and other audio hardware settings. Why did Realtek have to create a crapware application to do the same thing?

Re:

[Grishnakh]

I have no idea; that seems to be the way everything works on Windows. Instead of just providing a device driver, every vendor has its own mega-application that provides the driver plus a lot of extra stuff for controlling it. You usually see the same thing with video drivers, wireless drivers, etc.

Anyway, if I want the audio to work in XP on my wife's new laptop, I have to use Realtek's crapware application. That's just the way it is.

I guess this is a good argument for the Linux model, where drivers are

Re:

[CodeBuster]

and you don't have to run around to different vendors' websites trying to find drivers for your hardware because it's all already included in the kernel and distro.

Perhaps not, but then again Windows users don't have to recompile the kernel when they want to add, update, or swap drivers. I understand that this is mitigated in Linux with Loadable Kernel Modules, but how is that really different conceptually from the approach that Microsoft takes with not putting vendor drivers in the kernel to begin with

Re:

[Grishnakh]

Um, that's apples and oranges.

1) Loadable modules completely eliminates any need for recompiling the kernel when swapping drivers.

2) All drivers you need are almost always included with the kernel, which is supplied by the distro. The only exceptions are usually bleeding-edge stuff or wireless drivers.

3) If you need to update the kernel (e.g., a security update comes out), it's really quite simple, and is usually done automatically by your distro's system update software. You just click a few times to dow

Re:

[CodeBuster]

I fail to see how this has anything to do with MS not including drivers.

They do provide certified third party drivers with the OS out of the box, especially for common hardware from name brand manufacturers, and they provide updated drivers via their Windows Update service. I am not trolling, but maybe I just do not see why the Linux driver model is substantially better.

Re:

[Grishnakh]

In my (limited) experience, MS *only* provides drivers for extremely common hardware, like USB controllers, etc. They do not provide drivers for anything fairly new or complicated, such as 3D cards, the new HD audio chipsets (not Realtek anyway), etc. Not only that, but they don't bother providing drivers for anything older. Linux provides drivers for everything possible, unless they've finally decided that no one uses that thing any more (e.g., floppy tapes). The only things missing are things which th

I had the Realtek issue.....

[8127972]

... and all I had to do to solve it was go to Realtek's site [realtek.com.tw] and download the latest version of their driver. Problem solved (knock on wood).

So.. If the fix is that simple, is this issue really an issue or is this issue blown out of proportion?

Re:

[Spad]

You can install the latest version of their driver, I can install the latest version of their driver, but most users do not even know what a driver is, let alone that downloading and installing the latest version of it will resolve the fact that their copy of [application] is now crashing randomly referencing some .ocx file.

Re:

[lostboy2]

all I had to do to solve it was go to Realtek's site and download the latest version of their driver

It occurs to me that updating the Realtek driver might not solve the root problem. The Microsoft KB article [microsoft.com] states that

The Hhctrl.ocx file that is included in security update 928843 and the User32.dll file that is included in security update 925902 have conflicting base addresses. This problem occurs if the program loads the Hhctrl.ocx file before it loads the User32.dll file.

Updating the Realtek driver proba

Re:

[element-o.p.]

Considering that I support about 100 or so users, some 500 miles away from my desk and reachable only by airplane (remote Alaska), and many of whom are using Core/Core2 Duo based laptops with Realtek hardware, I'd say that for me at least, yes it's a real fricking issue >:( It may be easy enough to download the Realtek driver on one or two home computers, but it's a real PITA when you're trying to push that update out to a number of corporate desk/lap-tops.

I really wish I could just migrate everyone

Re:

[drew]

Let me get this straight. You had to reinstall your sound card drivers because they were broken by a change to the library that handles animated cursors. Yes, I'd say that's really an issue, although more in a 'how could any company possibly be that retarded' kind of way than a 'that\'s really going to be a pain to fix' kind of way.

That statement is almost more mind-boggling than the fact that there was a remote code execution vulnerability in animated cursor handling to start out with. The only think I'

Re:

[X.25]

... and all I had to do to solve it was go to Realtek's site and download the latest version of their driver. Problem solved (knock on wood).

Yes, that makes perfect sense.

Download new audio driver in order to fix the problem introduced in auto-installed security patch for a vulnerability in a Windows feature 99% of users never heard of.

So logical.

To Quote the movie "Brazil"

[Herkum01]

"There's been a little complication with my complication"

big program breaking

[Anonymous Coward]

I'm a developer for a software package that lots of automotive engineers use to do bus analysis. The patch broke our software, and we've gotten calls from lots of people at our smaller companies wondering what was going on. The bigger (think Big 3) customers have huge turn around times on Windows Update patches, but as of now we have lots of angry people wondering why our software won't work. Nothing like MS giving us bad rep for essentially us doing nothing.

MS build/release system?

[Aardvark99]

The screw up is in Microsoft's release system allowing hhctrl.ocx and user32.dll to be shipped with the exact same "DLL Base Address". They both share address 0x7E410000. I'm sure Microsoft has a system to prevent this, but either someone didn't follow it, or the system has flaws.

Normally clashes of base addresses happen all the time. For most DLLs the base address is sort of a suggested location, the OS load the DLL to this area if it can, but will "relocate" DLLs to free memory area if that space is taken. User32.dll isn't allowed to be relocated for some reason (a very good reason, I'm sure). If it's space is already taken (by HHctrl) the program using it cannot load. HHCtrl.ocx has no problem being relocated, but this will only happen if it's loaded after user32.

I'm surprised that anyone could manage to make an application that would load these DLLs in this bad order - but that's not the point I guess. Usually you'd HAVE to call a function in User32.dll long before loading anything COM - esp an HTML help control (which is what hhctrl is).

A big ha-ha to vendors using animated cursors

[PetiePooo]

A big HA-HA! goes out to the vendors who insist on using every imaginable gimmick and gee-wiz animation / transparency effect / irregular shaped window trick to try to make their product appeal to their target audience of 8 year olds. Stick with the basics, please! There's no reason for an audio control panel to require an animated cursor, for christsakes!!!

Reminds me of when I bought a little FM radio controlled by a serial link. The crapplet they sent on the CD-ROM was so annoying, the first thing I did was sniff the serial protocol and write my own little non-obtrusive applet. I asked the manufacturer for the proto specs first, but they delined, even after I pointed out how easy it was going to be to reverse engineer them... idiots!

Never thought I'd write something like this, but kudos to MS for saying we're not going to work around your crappy little app.

</rant>

Re:

[jibjibjib]

The problems are being caused just by loading two DLLs, both supplied by MS. A program doesn't need to be relying on animated cursors for this patch to break it.

Critical?

[3vi1]

Windows Genuine Advantage? Critical.
Broken applications? Eh... not so much.

Luckily I happened to be at my parents house...

[mkraft]

I happened to be at my parent's house when Microsoft pushed out this update. I saw the update wanted to install so I rebooted their machine and the error popped up immediately. Since I had been doing some work on their machine I originally thought it was something I did until I read the KB associated with the patch.

Good thing I happened to be there since there's no way they'd have figured out what had happened. I might have been able to figure it out eventually, but probably wouldn't have associated it w

This isn't Microsoft's fault

[Myria]

Blame Microsoft all you want for security holes in user32 and GDI, but don't blame them for these programs breaking.

The change that broke these applications was changing the base address of user32.dll (from 77D40000 to 7ED10000 I believe). The programs that broke were using the 7ED10000 range. When user32.dll can't load at its desired address, it will fail to start the process. DLLs hard-linked by an EXE will be loaded before user32 or kernel32 if they are the first in the import table. Once loaded, user32.dll can't load at its desired address and will get relocated. user32.dll doesn't like this and aborts starting the process. This happens even if the bad DLL is relocatable, because preferred addresses are first-come, first-serve.

The entire 60000000-7FFFFFFF address range is reserved for Microsoft DLLs and special memory. Don't stick your own DLLs in there! (This address range is true of Win64 as well: just add 8 zeros to the front.)

As for why user32.dll and kernel32.dll don't relocate like other DLLs: so many badly-coded programs that do DLL injection assume that the addresses of LoadLibraryW, etc. in other processes are the same as the ones in their own processes. Almost all DLL injection code snippets assume this, and it's just wrong. The proper way is to use either EnumProcessModules or CreateToolhelp32Snapshot to list all the DLLs in the target to find the one you want. The correct address to use is then remote_function = local_function - local_dll + remote_dll. The types HMODULE, HINSTANCE, and IMAGE_DOS_HEADER * are equivalent, so just cast to a DWORD_PTR.

Microsoft: Give it up!

[Khyber]

Seriously. We just moved al of our PE burn-in discs to Vista-based ones (we used XP) and now our productivity has dropped by nearly 40% just because Vista is that buggy.

What's worse? I've got an old windows 98 burn-in disc, that did more thorough testing and caught more bugs than either our XP or Vista discs do. And people wonder why every laptop I repair never fails - KISSER (Keep It Simple, Stupid, Every Revision.)

But, hey, if my company wants to move to Vista, lose profit, and put themselves out of a job

Re:

[illegalcortex]

Yes.

http://it.slashdot.org/comments.pl?sid=228751&cid= 18543473 [slashdot.org]