WinXP and WinAmp Vulnerable to Malicious MP3s 505
mypenwry writes "Foundstone, a Mission Viejo, CA security
services company, is reporting several vulnerabilities that would allow malicious
code embedded in MP3 and WMA files to be executed via WinXP and WinAmp. WinAmp
versions 2.81 and 3.0 are vulnerable
to buffer overflows via certain long ID3v2 tags when MP3 files are loaded.
More troubling is the WinXP
vulnerability: A buffer overflow exists in Explorer's automatic reading
of MP3 or WMA (Windows Media Audio) file attributes in Windows XP. An attacker
could create a malicious MP3 or WMA file, that if placed in an accessed folder
on a Windows XP system, would compromise the system and allow for remote code
execution. The MP3 does not need to be played, it simply needs to be stored in
a folder that is browsed to, such as an MP3 download folder, the desktop, or a
NetBIOS share. This vulnerability is also exploitable via Internet Explorer by
loading a malicious web site. Explorer automatically reads file attributes regardless
of whether or not the user actually highlights, clicks on, reads, or opens the
file. Windows XP's Explorer will overflow if corrupted attributes exist within
the MP3 or WMA file. Microsoft
has issued a fix for this vulnerability. Nullsoft has posted fixed version of WinAmp 2.81 and 3.0 on their web site."
Uh Oh (Score:5, Insightful)
Jaysyn
Re:Uh Oh (Score:5, Funny)
NO CARRIER
Maybe my mind's in the gutter... (Score:4, Funny)
Not a problem... (Score:2, Funny)
Wait a few months until the RIAA's trojanized files are well and truely spread throughout the P2P networks...
then use the thousands of trojanized nodes to DDOS the RIAA
*chuckle*
What if this IS the plan? (Score:3, Interesting)
I wonder if the EULA on the MS patch for this will be overreaching and invasive?
Re:What if this IS the plan? (Score:5, Insightful)
I mean, it would seem to me that Microsoft's DRM -- or DRM in general -- is based somewhat on "human" trust. Once that trust is abrogated -- just once -- the whole thing spirals into a "well, it's still pretty secure" type of situation -- and then sprials into "wait'll next generation's DRM. It'll be secure as hell."
I know no cryto scheme is 100% -- at least in theory -- but because the consumer/DRM stuff is being built up and hyped so much lately, it seems that its potential -- potential for complete security, potential for complete failure -- far outstrips the more practical, usability/crackability aspects.
And then I wonder: once this sort of consumer/DRM is launched mainstream, it'll become -- eventually -- embedded into the economic model for distribution. But once this DRM stuff is cracked or broken or whatever happens, the DRM itself will fall apart, as well the economic model. And companies who go balls-out to invest in this stuff -- and work hard to secure the "human" trust aspect of it -- will be in dire, dire straits -- economically, technologically, you name it.
DRM is like a massive WMD waiting to be let loose. It's failure -- assuming it fails at least once a generation -- will sink more companies than I think anyone realizes.
Just some thoughts.
Re:Pathetic (Score:5, Informative)
Any buffer lacking good bounds checking is subject to this.
Re:Pathetic (Score:3, Insightful)
So, if you do bounds checking, is that a 100% fix? If so, it strikes me as simple good procedure that there's no excuse for omitting.
Re:Pathetic (Score:3, Interesting)
Seems to me the solution is to whack budding programmers' knuckles with a ruler until they get in the habit of using bounds checking with each and every buffer their program requires, written on the spot and not tacked on as an afterthought. But considering that probably half the coders out there are self-taught and still have whatever good or bad habits they started with.. *sigh*
Re:Pathetic (Score:3, Insightful)
Ignorant programmers are not the fault of the language. C makes it simple to avoid buffer overflows almost everywhere (exception being the absence of snprintf() - remedied in C99).
If a programmer is too weak to avoid buffer overflows in C, how will they cope with, say, C++ exception safety?
Re:Except that C... (Score:3, Insightful)
In Java:
int a[] = new int[10];
for (int i = 0; i < a.length; i++) a[i] = i++;
Each access a[i] is needlessly bounds-checked.
Re:Except that C... (Score:3, Informative)
Don't worry (Score:4, Funny)
Subject : Name : AC (Score:3, Funny)
Re:Subject : Name : AC (Score:2)
It's a good argument to get your friends to finally switch to ogg vorbis. I haven't encoded an mp3 since vorbis beta 3 (which was well before RC3) anyway.
Re:Subject : Name : AC (Score:4, Insightful)
I'm sure there are exploitable buffer overflows in Vorbis too but as the format is so little used (relatively), hackers ain't looking for them. The day Vorbis is more popular than mp3 is the day the hackers change what they're targeting.
seany
Re:Subject : Name : AC (Score:3, Interesting)
Much like people used to claim in days of old that certain message base formats (BBS / FTN message 'echoes') were faster than others, this is also a bit of rubbish. The format doesn't contain vulnerabilities; the players that implement the format have vulnerabilities. It is, in point of fact, perfectly feasable to assume that the same, if only slightly different vulnerability could possibly be exploited with the Ogg Vorbis format.
Unchecked buffers (read: lazy/braindead programming and poor code audits) are at fault here. MP3 is merely the current carrier.
But you're right; it is a feeble excuse to switch formats. It would be more apt to suggest that people switch to a different [musicmatch.com] player [xmms.org], or use a different [apple.com] operating [linux.org] system [freebsd.org], but I'm not going to do that.
Re:Subject : Name : AC (Score:3, Interesting)
"hack me baby one more time" (Score:4, Funny)
Mike
Buffer overflow yet again (Score:5, Interesting)
Re:Buffer overflow yet again (Score:2, Funny)
Re:Buffer overflow yet again (Score:2, Insightful)
Changing something THAT global could result in more harm than good.
Mind you, I think you are right, and that's what should be done; I'm just telling you what is (probably) on the architects/lead developers minds.
Re:Buffer overflow yet again (Score:5, Funny)
Oh, wait a minute...
Re:Buffer overflow yet again (Score:5, Informative)
Changing "the way it handles buffers" is harder than it sounds, There's a huge amount of legacy code in shared DLLs, older operating systems and so on.
If Microsoft asked me to recommend a global change, I'd tell them to go through the agony of implementing least-privilege throughout their entire system architecture. That would be sheer hell, but at least it would contain the damage from whatever next week's security hole turns out to be.
Re:Buffer overflow yet again (Score:5, Informative)
Re:Buffer overflow yet again (Score:5, Interesting)
a project that tries to catch buffer
overflows under linux.
freshmeat entry [freshmeat.net]
homepage [avayalabs.com]
Re:Buffer overflow yet again (Score:3, Informative)
It is not a sufficient solution to prevent programmers making mistakes.
Linux Security - Re:Buffer overflow yet again (Score:3, Interesting)
There is a kernel level patch so that nothing can be executed in the stack, but a lot of people don't seem to want it. Actually, I think there are two competing patches. One of them is called Openwall [openwall.com].
There are also libraries to combat this sort of problem as well. Such as the one another poster listed...
Re:Buffer overflow yet again (Score:3, Funny)
Re:Buffer overflow yet again (Score:2, Interesting)
Palladium
Oh wait, you don't want that.
So what do you want?
Automatic source code analysis (Score:4, Insightful)
Buying or installing one of these tools and running all their source code through it as part of development would cost Microsoft less than they spend on caffeinated liquids, and would pay for itself with the first potential exploit caught before shipment.
I can only ascribe people's refusal to try these tools to programmer hubris - "MY code can't be understood by a mere code analyzer".
I am rashly assuming here that Microsoft doesn't use tools like this. If anyone out there knows differently, please reply.
won't affect most people (Score:2, Interesting)
Effects more then you realize (Score:2)
Unless i TOTALLY misunderstood....
Re:Effects more then you realize (ID3v1 vs. ID3v2) (Score:5, Informative)
I think what the previous poster is thinking of is ID3v1 tags, which are located at the end of the MP3, so you don't get them until the MP3s finish downloading (and what's more, they have a fixed size so they're easy to check, but that's besides the point)
Now, this bug involves ID3v2 tags. ID3v2 tags are located at that start of the MP3, which is why when you add one to a MP3 playing in Winamp you get a brief pause, it has to add it to the start of the file. Therefore, any MP3 with an ID3v2 tag will already have the potential of compromising you by the time it's downloaded enough to play part of the song if you preview them using Winamp.
I don't know how Explorer checks file attributes on MP3s, but I'm assuming that you're already in danger by this time too.
Re:won't affect most people (Score:5, Insightful)
That average person does not notice when a backdoor app is covertly installed on their machine. As long as the mp3 is actually what they wanted, chances are they will keep sharing it.
The even more dangerous part is that someone could be downloading mp3s and LOOKING for these trojans. And as soon as they find one, they can just go back to the IP of the machine they got the file from and have an instant DDOS zombie!
Or even better, if I am an RIAA employed disturber-of-the-peace, I could create a bunch of these trojaned mp3s share them, and then whenever someone downloads it from my machine I could instantly use the backdoor to destroy their music collection. (But I'm sure the RIAA has already thought of that.)
WILL affect most people (Score:5, Interesting)
I don't think so. I know people who download a lot of stuff, and if you have it set up to download 100 MP3s overnight, your system could be compromised by morning. Are you going to listen to those 100 MP3s first thing in the morning?
The kicker is that the odds you get compromised go up greatly if someone seeds Kazaa, or even a web page, with an infected MP3 file. They can see who is downloading it so they know the IP to attack. On a web page, they could get your IP out of the logs. I never thought an MP3 file would leave a system vulnerable, but I guess that is why this is a pretty scary vulnerability - nobody else would either.
Re:won't affect most people (Score:3, Informative)
Read the Microsoft Bulletin [microsoft.com] (which I got yesterday). Opening a shared directory with one of these MP3s in will trigger the attack, or even previewing an email with one of these attached will execute it.
Here's MS own words:
So click the update button (Score:4, Interesting)
Re:So click the update button (Score:2, Insightful)
Yes.
Sincerely,
Linus
Re:So click the update button (Score:5, Insightful)
You couldn't pay me to have my system automatically update itself with patches tested quite possibly only from the company that created it.
I would rather my system be vulnerable for a day or two than have the contents of my hard drive obliterated.
What if some patch disabled a computer's networking? What is Ma an Pa gonna do when that is the only computer they have? Download a fix using broken networking?
IMHO, automatic updating is a monumental disaster waiting to happen.
Re:So click the update button (Score:4, Funny)
What gives you the idea that they would reject a story for any of those reasons? That sounds like a description of the front page to me.
Re:So click the update button (Score:5, Insightful)
Also, on my [platform] I have seen only a few security updates a year on a young OS, some addressing obscure services I don't even use. What's the deal with MS? Why sweep this under the rug?
I don't buy that automatic bandaids are the answer to hemmoraging code.
Conspiracy theorist? (Score:3, Interesting)
I'm not sure which is worse:
a) Those that imagine everything MS does is attempt to rule the world
b) Those that imagine every posting mentioning a bug in MS is a covert attack.
Considering the amount of geeks here that are into Mp3's, or those that maintain networks (with users who play downloaded Mp3's, permitted or not), this warning sounds like it fits well on slashdot.
Automatic updates are spooky (Score:3, Insightful)
I don't wear the tinfoil hats either, but I find it a little unnerving that people let their system be updated automatically. There's just so many things wrong with that concept. Some updates I don't want, others I defintiely do. All of them I want to see before they get installed so I know what is going to be done. Although I suppose figuring out what an MS update will do can be pretty hard, since they tend to bundle lots of fixes into sinlge packages.
On the other hand, we're not talking about a dedicated SQL Server machine or anything, so maybe auto updates for desktops isn't a bad idea after all...
-B
Hrm... virus scanning my MP3 collection (Score:2, Funny)
Oh wait... it's a Windows problem... never mind...
RickTheWizKid
My purpose: to inject random comments...
How long before... (Score:3, Interesting)
Re:How long before... (Score:2)
Since a properly administered server is not also a client, it should not be affected, even if a rogue client dumps an infected MP3 onto one of its shares. That is until the admin logs in via TermServ and starts poking around.. but that's still user interaction.
Hmm.. I wonder. If a person does a search of MP3's, does viewing it in the search window run the exploit? I bet it does..
Why does this matter to /.-ers? (Score:5, Funny)
Re:Why does this matter to /.-ers? (Score:4, Insightful)
In high bitrate modes, there is little difference between properly encoded MP3s and OGG files. And high bitrate is what really matters, unless you are streaming over a low bandwidth connection (in which OGG is the clear winner due to size).
Maybe your comment would make sense if you were referring to something like FLAC from http://flac.sourceforge.net/ . MP3 and OGG are both lossy, so you really can't be a snooty audiophile if you use them.
Snooty audiophiles (Score:4, Funny)
A snooty audiophile sneers at any form of digitization - "You aren't getting all of the music - Yes, I know you are sampling a 1GHz, 64 bits per sample, but you aren't getting all the music! Only analog gets all the music! I don't care that what you are missing wouldn't amount to the width of a hydrogen atom on my beloved LP - YOU AREN'T GETTING ALL THE MUSIC"
That's what a snooty audiophile would say.
Re:Snooty audiophiles (Score:5, Funny)
Hence why audiophiles hate modern sound systems - it is far too easy to get great sound reproduction nowadays, and how are you to demonstrate how large you are when a $19 CD player sounds as good as your $3000 turntable?
That is why audiophiles use "oxygen-free copper wires with authentic virgin yak wool insulation, cryogenicly treated to release signal-distorting sub-micron strain! A steal at $300/ft! Act now, and we will throw in our patented Feng Shui turntable stones - five of these will disgronificate your turntable! Normally $150 each, but a steal at $800 for a set!"
True Audiophile cables! (Score:4, Funny)
That is why audiophiles use "oxygen-free copper wires with authentic virgin yak wool insulation, cryogenicly treated to release signal-distorting sub-micron strain! A steal at $300/ft! Act now, and we will throw in our patented Feng Shui turntable stones - five of these will disgronificate your turntable! Normally $150 each, but a steal at $800 for a set!"
Bah, $300/ft? Are you kidding?
From Purist Audio Design [puristaudiodesign.com]:
-------
Dominus Speaker Cables (1.5 Meter)
Stereo pair of Speaker cables with fluid jacket. For more information on product, see the Product Page. Item weight per pair is 14.0 lbs.
Price each: $10,460.00
-------
So, that's about $2500/ft.
Bwhaahaahahahaha!! /me wipes eyes.
And for the record, I am not an "audiophile". I'm an audio and broadcasting engineer.
-T
Don't even need to have the file local? (Score:4, Informative)
An attacker might attempt to exploit this in one of three ways:
* Host the file on a website. In this case, if a user were browsing the page containing the file and hovered over it with his or her mouse, the vulnerability could be exploited.
Eep!
* Host the file on a network share. In this case, if a user browsed to the network share and simply opened the folder which contained the file, it could cause the vulnerability to be exploited.
Gaah!
Also, it seems you can send an e-mail with the mp3 object in a frame (this is the third way of exploiting it) so you don't even need to click a link in Outlook / OE for it to be run. This shouldn't be possible on XP SP1 or a recently patched IE though.
Obligatory: (Score:2)
Or, of course, Mozilla, Eudora, or Opera.
Disturbing that it's in WinAmp too. Guess that llama's ass only holds so much.
Freedom to innovate (Score:3, Insightful)
M$ has been continually improving virus transmission methods, and now you might be infected just by moving your mouse.
But do we really need to worry? After all, how many kiddies are out there bragging that they '@dm1n1str@t0r3d' someone's XP box. No, it's just not as sexy as r00t3d.
The only thing funnier (Score:2)
In defense of Microsoft... (Score:5, Insightful)
I would like to ask for factually-based opinions whether these innumerable highly dangerous security holes in MS software are more the result of the ingenuity of the hackers or the incompetence of the Microsoft design and testing process, or about 50:50. I am inclined to be prejudiced against Microsoft, so I would be REALLY interested in hearing reasoned defenses of their predicament, if such exist.
So, please, no MICROSOFT RULZ!!! or MICROSOFT SUX!!! I'm not asking for a vote.
Microsoft provides the #1 small-system OS, for better or worse, which means Windows will immediately be the hot target for black-hat types intent on spreading misery or demonstrating their hatred for the leviathan.
I know, too, that half the problem has been MS's arguably foolhardy decisions in adding dubious extensions to their software, like default enabling scripting in Outlook and macros in Word. But I'm kind of curious about the mistakes in doing their core work, like handling MP3's.
Last, I have trouble understanding how so many of these bugs come from a company with many of the brightest programmers. Is it a largely problem of scale and bureaucracy?
Share your concise insightful informative nonprofane fact-based reactions from experience?
Re:In defense of Microsoft... (Score:4, Insightful)
If Microsoft is still shipping them, it has to either be because they think it's just not important enough to worry about, or because they don't have the resources to hire decent programmers. The rumors going around indicate that Microsoft has abundant resources.
For some reason, this has never happened, even though the the opportunity has been there for many years. My guess is that the kind of people who write Worms For Windows, enjoy the fun of it, and know that if they ever write a truly nasty one (massively destructive payload with a time-delay so that it can spread before detonating), there will be a crackdown (either legal or technical) and then the fun will be over. Perhaps that is why Microsoft considers security unimportant: so far there haven't been any serious incidents.Re:In defense of Microsoft... (Score:3, Insightful)
Re:In defense of Microsoft... (Score:3, Insightful)
Much as I love the idea of OSS (and indeed I contribute myself) there are a lot of OSS coders who just want to write new, funky stuff - bug fixing and other stuff that could be termed 'patrolling the perimeter of the code' just isn't funky enough so it gets forgotten about.
MS coders used to be the same, because obviously they're driven by the dollar, dollars which would only be spent on their software if it had the wizziest new features. Now after a few years of being mercilessly slagged off for bad code they're doing something about it because Chairman Bill realises that it's gonna affect the bottom line if they don't. They are paying a lot of dollars to fix their own bugs - which you may laugh at but - hey - at least it's being done. Big-name OSS projects, such as the Apaches of this world are similar to MS in that they have a lot of people working on them and, more importantly, *willing* to work on them so project admins can crack the whip and get the juniors to do the same code security audits that MS are now doing.
There are however a lot of less well known OSS projects with worse code than anything Microsoft come up with. They neither have the dollars of MS or the cachet of a big OSS project so people just code whatever bits they want. Hence, their code is likely to be worse without sufficient peer review etc.
The point of all this being that inferring that OSS is better that MS because linux has 'thousands of very bright programers (sic) accross the world' is not only incorrect it's harmful to the acceptance of OSS when the most vocal advocates turn out to be dumb-asses who don't think before they type.
seany
Re:In defense of Microsoft... (Score:3, Interesting)
Of course when there is no shareholder value to increase, priorities change. For examples of how this system works, please observe GNU/Linux.
Or, more accurately, please observe GNU/Hurd which is a project several years old that is still nowhere near to a 1.0 release.
Microsoft releases buggy software. So does Redhat. So does Debian. In fact, anyone who releases any reasonably complex code (and an entire operating system with loads of supporting packages is pretty damn complex) and claims that their code is entirely bug-free is lying. As has been pointed out elsewhere in this thread, Redhat 6 had a remote root exploit in its default install. Even OpenBSD, that bastion of religious security auditing, discovered recently that it was distributing a package with a hole in it.
The simple reason is that you have to put up with releasing buggy software because otherwise you will never release. No QA system will be able to get rid of all the bugs. The best you can do is prioritise the bugs you have and try and get the most significant ones fixed in time for a reasonable shipping date.
In terms of how good/buggy MS's code is, I think it's fantastic in some areas and terrible in others. I think that they are relatively weak and often irresponsible when it comes to security but they are learning. They share the same problems as any massive software development organisation, which is that as you grow it gets harder to enforce regimented coding practices. God knows they really have no excuse for bounds-checking errors (given the number of implementations of safe arrays they have lying around) other than policing this stuff is very hard, especially when it comes to legacy code.
Besides, as I said earlier, OSS projects have security holes all the time. They just tend to be patched faster and have a smaller impact (due to smaller, more savvy audiences)
-- Yoz
Re:In defense of Microsoft... (Score:3, Interesting)
Note that I said tend to. I recall that Mozilla had a couple of nasty exploits that were known about for months before being properly fixed.
There's also the fact that "issuing a patch" can be an entirely different process for two different projects. OSS patches are usually:
whereas, in MS's case, it probably looks more like:
So yes, OSS is often faster, but you can see why. OSS is better able to handle a patch breaking something for some users, because it'll probably only be installed by power users who'll put up with it and know how to roll back, and the patch can be followed by a better patch. If a WU patch breaks something, even for only 10% of users, it's potentially disastrous because it's going out to everyone and 10% is still several million.
fixed version of WinAmp 2.81 and 3.0 (Score:2)
Thanks for nothing Nullsoft.
Versions?? (Score:5, Interesting)
Is there a reason they haven't released a new version with the bugfix instead of just uploading a new copy with the _same release number and date_? Both versions are listed as released in early or middle August, and there's no bugfixes listed anywhere on the site in regards to this. Site [winamp.com]. Are they trying to hide that it's been fixed, or just don't want anyone to figure it out?
Re:Versions?? (Score:2)
Re:Versions?? (Score:4, Informative)
Re:Versions?? (Score:5, Informative)
As it should be. ID3 tags are handled by the in_mp3.dll plugin.
I have to hand it to Bill on this (Score:5, Informative)
Re:I have to hand it to Bill on this (Score:2)
Wow. Most of us aren't that important.
Now, I'm wonder what was "sent and installed" with bugs in it?
Explorer workaround (Score:4, Informative)
set Web View to "Use Windows Classic Folders"
I've always done this, having never trusted 'web content' in any folder I browse to (nor needing the extra overhead it causes drawing thumbnails of bitmaps and whatnot)
I believe any Windows that's upgraded to Media Player 7.1 and/or IE6 would be vulnerable, not just XP?
Re: (Score:2, Interesting)
File associations in WinXP (Score:2, Insightful)
However, this brings up an interesting question. Short of modifying the registry entries in HKEY_CLASSES_ROOT, is there any way to avoid all the cutsie stuff MS has been doing with file associations? I seem to remember a Win95/NT/2k shell extension that did something similar to the MS code that's being exploited. It popped up an additional property sheet with all the ID3 tag info. Could someone use that instead of the Windows shell without severely hacking the registry?
It also reopens an old sore. If the Windows Media Player were installed as an "application," not as "part of the operating system," this shell code would not be needed until WMP is installed. Those smart enough to search for better media-playback solutions would not be subjected to this vulnerability. Thanks, Microsoft! DOJ, are you paying attention?
And one more observation: now that MP3 files can carry shellcode, the virus scanners will have to start scanning them too. More processor overhead, longer scantimes, moan, gripe,
How does a buffer overflow allow code execution? (Score:2, Interesting)
Re:How does a buffer overflow allow code execution (Score:3, Informative)
All you ever wanted to know, and then some...
Re:How does a buffer overflow allow code execution (Score:4, Informative)
By overflowing a buffer on the stack, it's possible to maliciously change a particular piece of information (the function call return address) to cause the program to jump to a new piece of code: the code you just overflowed the buffer with!
Stack overflow exploits are very common because programmers often declare fixed-length buffers as stack variables and are too lazy to perform proper checking to make sure data never overflows the buffer. This problem in WinAmp is no different than any other buffer overflow, it's just much more severe due to its widespread use.
danger for gnutella networks..? (Score:2)
And if they do, executing remote code using a vulnerability will be legal?
[just provoking]
The Next Nimda. (Score:4, Interesting)
When all of the college students here on campus had read/write shares on the network, Nimda Spread at an alarming rate, Especially since WinXP Home decided that you SHOULD have your Shared Documents folder open for read/write access after running one of those networking wizards.
I could only imagine the hell a Modified Nimda would be if it can now infect mp3 files. It wouldn't even have to spread infected
It's the RIAA Dream come true
Suggestion: Operation So Happy It's Thursday (Score:5, Funny)
So, why not make it official - I propose
Operation: So Happy It's Thursday
What I recommend is that everybody who finds an exploit in Windows release it on Thursday.
NOTE: be fair - a bug in a Windows APP that is not a part of Windows doesn't count - so the bug in Winamp doesn't count, but the bug in the Windows shell does.
It's a good think I have Linux (Score:5, Funny)
Re:It's a good think I have Linux (Score:3, Insightful)
I hate postings like this, because I never know whether I should mod it +1 Funny or -1 Clueless.
foobar2000 (Score:4, Informative)
Just don't expect too much; it's a very minimalist GUI (what mean these "skinz" of which you speak?), and doesn't support Win9x/NT4.
There's also a support forum [hydrogenaudio.org] for the player.
New URL (Score:3, Informative)
Foobar2000 has a new homepage [hydrogenaudio.org]. Version 0.3 has also been released.
For those wondering what to expect, foobar2000 has a minimalist interface, but it does the job. CPU usage is very frugal and your MP3s can sound noticeably better. Why? Because clipping prevention is built-in, removing any distortion induced by overly loud signals.
I am currently running 0.3, and it's a beautiful piece of work. If you want a multi-format player that runs unobtrusively in the background while you do your other stuff, then foobar2000 is for you. At 168 KB, it's worth trying out.
Hey idiots, strcpy bad! (Score:4, Informative)
Buffer overflows are bad.
It is easy to STOP buffer overflows just by using SAFE strcpy functions that don't blindly copy past the end of a buffer.
Since we've known this for many many years, why do programmers still USE dumb functions that allow buffer overflows?!
Hey Microsoft, since you are spending so much on improving security, I have a hint for you. Print this out and make all your programmers pin it on their cubicles walls:
BAD: strcpy
GOOD: strncpy
strncpy bad, strlcpy good (Score:4, Informative)
Hint, this code is buggy:
char buf[1024];
strncpy(buf, big_ass_string, sizeof buf);
strncpy doesn't bother adding a null-terminator in the case where big_ass_string is too big. Most people don't realize that they have to do all of this to be safe with strncpy:
strncpy(buf, big_ass_string, sizeof buf - 1);
buf[sizeof buf - 1] = '\0';
The real solution is to use a function that doesn't have such crappy behavior: strlcpy
strlcpy(buf, big_ass_string, sizeof buf);
It always does null-termination. You never have to lie to it about the size of your string. Same goes for strncat (bad) and strlcat (good). Thank the OpenBSD developers for these. They are very useful in avoiding overflows when you don't have the option of using C++ and the string class.
Is iTunes vulnerable? (Score:3, Interesting)
Give me full disclosure...
Copy and Paste into your MP3s (Score:5, Funny)
20 Print "Bill Gates laughs as he rolls about with his concubines!"
30 Print "Prepare for judgement!"
40 Input "Press any key";A$
50 If A$="AnyKey" Then fucksomeshitup;
60 W00t: Poke InChest;
70 Run "BSOD.exe -Playfile BritneySpears,HitMeOneMoreTime"
80 Print "This is what it sounds like when doves cry! Bwahaha!"
90 Goto 10
You should be able to find this on SourceForge too.
Build #'s and Winamp strangeness (Score:3, Interesting)
CDDB (Score:3, Interesting)
Question for slashdot (Score:5, Interesting)
So my question is, does anyone have any idea what this "new level of abstraction" might be?
Re:Question for slashdot (Score:4, Interesting)
Lisp.
There's even been an OS built in the language. Seemed to work just fine. Problem was, that in those days, you needed special purpose hardware to run a Lisp-based OS on. You don't anymore, but the code has been lost to people who could do something useful with it in the mist of time and bankruptcy. Google for Genera and OpenGenera. Hint - once the base code is built into the system, you cannot have buffer overflows, uncaught exceptions, or uncaught arithmetic overflows. It's a good environment (as I can attest, having it running on my Symbolics Lisp Machine at home).
Oh yeah, they have a great OO database, decent graphics, and all of the web crap you'll ever need, too.
The changing nature of Windows exploits (Score:4, Insightful)
Shortly thereafter, your files were potentially at risk from files that you spent all day downloading from a BBS. Fairly soon after that, a malicious file could sneak onto your hard drive and cause mischief once FTPed from the Internet at a bit higher of a rate. In each case, you pretty much had to type the name of the file to run it.
Enter the world of Windows. Now running the file gets a hell of a lot easier, just a few points and clicks. And obtaining those lovely infected files gets a lot easier with the faster Internet connections and new "killer apps" like Usenet, e-mail, and the World Wide Web gaining in popularity. In less than a year, these files gain literally thousands of new vectors.
Then it becomes possible to pick up an infection by receiving a file via e-mail inside a program that loves to muck about with files before you run them by, er... running them. The only user interaction required is hitting the "send/recieve" button.
After that, malicious files no longer need to be files. They can be specially formatted e-mails, and all you need to do is preview them -- you don't even have to read them -- in order to get smacked by the latest nasty bug.
Don't feel e-mail is safe? Well, it wouldn't matter if you stopped using it entirely, the creeping crud will still get in if you click on a link on the Web. And as if the front door didn't put up a paper-thin defense, the back door will allow malware to slip in via Web server software, file shares, file transfer servers, and even instant messaging.
Now what do we have?
A malicious file you only have to point at for a moment to get an infection.
You've come a long way, baby.
It's a sad day when... (Score:2, Interesting)
Re:It's a sad day when... (Score:2, Insightful)
Re:Obvious reply (Score:4, Insightful)
Re:Obvious reply (Score:5, Funny)
The correct phrasing of that is: File formats don't kill programs. Programs kill programs.
Re:Obvious Answer (Score:3, Insightful)
So, no.
Re:XMMS too. (Score:5, Insightful)
Really? Where's the bug report? I don't see anything on bugs.xmms.org [xmms.org].
Sorry for sounding like an a-hole, but an AC exclaiming a bug in a product, no follow up on the product's web site, and no other info sounds very suspect to me.
-Ducky
Re:XMMS too. (Score:2)
Re:Why are there still buffer overruns? (Score:3, Insightful)
It is critical that the software industry start to adopt VM's for managing applications, especially code that runs on a server. The emergence of a user-mode kernel for Linux is a critical development in this regard, but ultimately it makes more sense to modernize your codebase to Java, C# or any of the interpretive languages that can intercept/manage memory allocation checks for you.
You'd better check (Score:3, Informative)
One buffer overflow exists in Winamp 2.81 (latest 2.x release) and two buffer overflows exist in Winamp 3.0 (latest 3.x release). The Winamp 2.81 overflow is with the handling of the Artist ID3v2 tag upon immediate loading of an MP3. The two Winamp 3.0 overflows are present in Media Library's handling of the Artist and Album ID3v2 tags.
There is often the flawed assumption in these reports that people always use the latest version of a particular app. Yes, I know that it would be hard to get and test all versions, but they could at least find out from Nullsoft and indicate what range of versions might be vulnerable.
Nullsoft (bless them - I love Winamp) has an annoying habit of removing or changing features that I like in the minor rev's, which is why I stick to certain versions. I use Winamp 2.50e and 2.78 on various machines. I also have 2.09, 2.70, 2.72 and 2.81 (and a 1.xx and probably others), but don't use them for this reason. Winamp 3 was too buggy as of the build I got a couple of months ago.
Anyway, I often wonder, when I see vulnerability warnings and a version of something that I use is not specifically excluded, is it:
a) Not vulnerable?
b) Not tested for vulnerability ?
Winamp2.5 doesn't handle ID3v2, so it's probably OK. The ID3v2 handling was added somewhere around 2.72, IIRC, so I'll have to do some checking. You might want to check yours as well.
I'd hate be forced to abandon my beloved older Winamps because there's no fix, but that may happen.