Security Microsoft IT

.ANI Vulnerability Patch Breaks Applications 164

Jud writes "Microsoft's fix for the .ANI vulnerability was part of Patch Tuesday yesterday. However, all is not well with the update. Reportedly, installing the patch will break applications such as Realtek HD Audio Control Panel and CD-Tag, which mentions they are affected by the problem on their main page. A hotfix is currently available from Microsoft, however their current position is this is an isolated problem and the fix is not planned to be pushed out through Microsoft Update."
This discussion has been archived. No new comments can be posted.

  • Re:Hehe (Score:5, Interesting)

    by mwvdlee ( 775178 ) on Wednesday April 04, 2007 @10:38AM (#18604857) Homepage
    They released a patch yesterday, discovered problems with it since yesterday then fixed it today. Yet you've been hearing about these problems for weeks?
  • Re:he (Score:3, Interesting)

    by cnettel ( 836611 ) on Wednesday April 04, 2007 @11:00AM (#18605315)
    If it does affect calc.exe, it rather seems like you have some DLL injection (keylogger/spyware, or something legit) that then causes this. If they messed up the base address, or just increased the size over a previously valid boundary, all kinds of DLLs with preferred addresses in the same region could start causing interference.

    You simply have to be careful with the address space if you are a library that will be dynamically loaded in plenty of images, especially if you are loaded very early on.

    (Heh, last summer, I got the genius idea that the base addresses were probably not optimal after all hotfixes and 3rd party software, so I started a gigantic rebase on the complete system32. That's a baaaad idea. I should at least have had enough sense to exclude NTOSKRNL, but I obviously didn't. Repair was fun...)
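
The collision cnettel describes, where a DLL grows past the start of a neighbour's preferred range, can be checked from the PE headers alone. An added example, not part of the thread: it reads ImageBase and SizeOfImage from each image and reports overlapping preferred ranges; the DLL names, addresses and the `build_pe_header` helper are constructed for illustration.

```python
import struct

def build_pe_header(image_base, size_of_image):
    """Constructed sample: minimal PE32 headers only, not a loadable DLL."""
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 64)      # e_lfanew at 0x3C
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                   # PE32 magic
    struct.pack_into("<I", opt, 28, image_base)             # ImageBase
    struct.pack_into("<I", opt, 56, size_of_image)          # SizeOfImage
    return dos + b"PE\x00\x00" + coff + bytes(opt)

def preferred_range(data):
    """Return (start, end) of the address range the image asks to load at."""
    if len(data) < 64 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)
    if data[pe_off:pe_off + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    opt = pe_off + 24                                       # skip signature + COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:                                      # PE32
        (base,) = struct.unpack_from("<I", data, opt + 28)
    elif magic == 0x20B:                                    # PE32+
        (base,) = struct.unpack_from("<Q", data, opt + 24)
    else:
        raise ValueError("unknown optional header magic")
    (size,) = struct.unpack_from("<I", data, opt + 56)
    return base, base + size

def find_collisions(images):
    """Return name pairs whose preferred load ranges overlap."""
    ranges = sorted(preferred_range(d) + (n,) for n, d in images.items())
    hits = []
    for i, (_, end1, name1) in enumerate(ranges):
        for start2, _, name2 in ranges[i + 1:]:
            if start2 >= end1:                              # sorted by start: no later overlap
                break
            hits.append((name1, name2))
    return hits

# Hypothetical DLL names and addresses: the update grows system.dll by 0x10000.
BEFORE = {"system.dll": build_pe_header(0x10000000, 0x90000),
          "vendor_hook.dll": build_pe_header(0x10090000, 0x20000)}
AFTER = {**BEFORE, "system.dll": build_pe_header(0x10000000, 0xA0000)}

if __name__ == "__main__":
    print("before:", find_collisions(BEFORE))
    print("after: ", find_collisions(AFTER))
```

Run over the real images in a process before and after an update, the same comparison shows which modules no longer get their preferred base.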
  • by 8127972 ( 73495 ) on Wednesday April 04, 2007 @11:17AM (#18605715)
    ... and all I had to do to solve it was go to Realtek's site [realtek.com.tw] and download the latest version of their driver. Problem solved (knock on wood).

    So.. If the fix is that simple, is this issue really an issue or is this issue blown out of proportion?

  • by PinkPanther ( 42194 ) on Wednesday April 04, 2007 @11:18AM (#18605731)
    I'm not justifying the .ANI feature, but recognize that IE is far more than a simple "web browser". With features such as HTML Application [wikipedia.org], IE can be used for developing extremely rich enterprise applications...which is where most of the "bloat" comes in.

    Yes, you mightn't need a full development environment inside of your word processor or web browser, but they didn't spend time and energy putting those features in there for nothing. Someone determined that the bloat would make them more money...based on their revenue stream, I'm going to say that they were right.

  • by afidel ( 530433 ) on Wednesday April 04, 2007 @11:25AM (#18605895)
    Useless feature??!?

    Uh, several of our enterprise webapps used animated cursors to let the user know that something is being processed. Maybe to a clueless geek user feedback is a useless feature, but to anyone who knows about UI design it is a requirement. The real sin with this patch is that this bug was already patched TWO years ago, but they merely patched the codepath for the known vulnerability and left it at that, they did not look at the actual cause of the problem and so we have the same vulnerability with a twist come out two years later.
  • Re:Hehe (Score:4, Interesting)

    by adisakp ( 705706 ) on Wednesday April 04, 2007 @12:07PM (#18606755) Journal
    "their current position is this is an isolated problem"

    I have a fairly new Dell XPS600 (1 year old) and the update borked my machine due to the realtek program. I got some obscure message about how rtdcpl.exe was performing an illegal access trying to move some OCX DLL.

    I was able to solve the problem by Google Searching and installing the MS hotfix. The only problem now is that "hotfix" makes it so I have to wait about 1 minute longer after I log in before I can access the internet. I used to be able to pop-up IE right away and surf but now if I do that, I get the error page for site not found for about 1 minute before things start working normally.

    I don't know how isolated it can be since Dell alone has sold millions of PC's with realtek audio chipsets.
  • big program breaking (Score:2, Interesting)

    by Anonymous Coward on Wednesday April 04, 2007 @12:36PM (#18607265)
    I'm a developer for a software package that lots of automotive engineers use to do bus analysis. The patch broke our software, and we've gotten calls from lots of people at our smaller companies wondering what was going on. The bigger (think Big 3) customers have huge turn around times on Windows Update patches, but as of now we have lots of angry people wondering why our software won't work. Nothing like MS giving us bad rep for essentially us doing nothing.
  • by PetiePooo ( 606423 ) on Wednesday April 04, 2007 @04:39PM (#18611367)
    A big HA-HA! goes out to the vendors who insist on using every imaginable gimmick and gee-whiz animation / transparency effect / irregular shaped window trick to try to make their product appeal to their target audience of 8 year olds. Stick with the basics, please! There's no reason for an audio control panel to require an animated cursor, for christsakes!!!

    Reminds me of when I bought a little FM radio controlled by a serial link. The crapplet they sent on the CD-ROM was so annoying, the first thing I did was sniff the serial protocol and write my own little non-obtrusive applet. I asked the manufacturer for the proto specs first, but they declined, even after I pointed out how easy it was going to be to reverse engineer them... idiots!

    Never thought I'd write something like this, but kudos to MS for saying we're not going to work around your crappy little app.

    </rant>
  • by Anonymous Coward on Wednesday April 04, 2007 @04:52PM (#18611623)
    What bothers me is that it makes me feel like this "fix" may not even patch the real problem.

    You see, moving where a DLL is stored in memory might break the proof of concept, but it might not actually fix the vulnerability. Sure, the code it hooked into before in order to hack the machine won't be in the same place, but it might well be possible to fix the exploit to point to the code's new location.

    In short, I wonder if they're playing tricks to make it more difficult to exploit without actually fixing the underlying problem?
  • by Anonymous Coward on Thursday April 05, 2007 @12:05AM (#18616281)
    I had MMC crash after reboot, login when this patch on two 2003 servers (patched 6 servers on Wednesday). Thought it was weird til I read this thread.

    m10
