Image Causes Exploitable Overflow in Microsoft Products

Em Adespoton writes "Core Security researchers discovered that by electing a specially-crafted graphic as the user's display picture in MSN Messenger, an attacker could trigger a buffer overflow vulnerability on the chat partner's computer. Through this, it is possible to covertly take over machines running instant messaging software. Windows Messenger and Windows Media Player are also affected by this vulnerability. The story is also available at Newsfactor.com and SearchSecurity.com."

That's genius...

[Assmasher]

Use the old security notification for image library overflows and do nothing new with it except use the image code running in messenger. WOW, that's news...

Re:That's genius...

[robslimo]

Is this one at all related to the previous image library flaws (the vulnerability for which the GDI detection tool was released to identify any Windows apps that were affected)?

Oh, wait, I think I found it [microsoft.com]! A patch was released for PNG processing flaws on Tuesday this week; among the affected software: Microsoft MSN Messenger.

Re:That's genius...

[dsginter]

A friend of mine used the goatse image for his MSN person icon and I had a buffer overflow of my own.

When did I ever eat corn?

Re:That's genius...

[halivar]

A friend of mine used the goatse image for his MSN person icon and I had a buffer overflow of my own.

This begs the question... is he really your friend, after all?

Re:That's genius...

[Hognoxious]

And risk getting sued for copyright infringement?

MS loss...

[LazyPhoenix]

Microsofts loss is my GAIM.

ha.

Re:MS loss...

[superpulpsicle]

But I use Trillion, which opens a simultaneous tunnel to aol, msn, yahoo, ICQ etc. Does that mean I am absolutely screwed thru the ass?!

Re:MS loss...

[XMyth]

No, it means you didn't get the joke. :)

Re:MS loss...

[BorgCopyeditor]

Are you the Electrician?

Re:MS loss...

[beelsebob]

You can take a windows user to Mac OS and Adium, but you can't make them use it.

Where are the Cherubs?

[Speare]

I think I heard of this method of attack in a security book I read once. Where the image of an avatar's identification turned out to be a computer-infecting virus. Oh, wait, it was a novel. "Snow Crash" by Neal Stephenson.

Re:Where are the Cherubs?

[jgoemat]

The images wouldn't only affect your computer, but your brain as well. I hope virus writers never figure that one out!

Re:Where are the Cherubs?

[ultranova]

The images wouldn't only affect your computer, but your brain as well. I hope virus writers never figure that one out!

Don't worry; after a lifetime of constant exposure to ads, it would take one hell of a picture virus to even make you sneeze :).

Seriously: the purpose of ads is to reprogram our behaviour, either permanently or temporarily. They do this by exploiting various psychological weaknesses of human minds - such as the need to associate with (imitate) what is perceived as succesfull people, th

Re:Where are the Cherubs?

[k96822]

However, if we ever develop artificial intelligence, I truly feel sorry for any robots produced by Microsoft ;).

Oh, that's just peachy. An army of Microsoft Robots (TM), all with their security holes, easily programmed to destroy humanity. Good thing they won't work long enough before a reboot to do too much damage!

Re:Where are the Cherubs?

[Dr Caleb]

The images wouldn't only affect your computer, but your brain as well.

So instead of Cherubs, they have Tub Girl.

Did I really just write that? :P

Re:Where are the Cherubs?

[br0ck]

??SPOILER?? Cheers for trying to make this exploit fit the story, but unless I'm forgetting something, it wasn't the avatar doing the infecting. It was an assassin killing key hackers within the metaverse. The attacker showed a screen to intended victims which displayed 'snow'--like a TV tuned with no signal--which contained a message that crashed the victims brain turning them into a useless vegetable. More Info [deoxy.org]

Re: Where are the Cherubs?

[Black Parrot]

> Never read Snow Crash, but the proper pluralization of cherub is cherubim. (::seraph:seraphim::nephil:nephilim, etc.)

::virus:viriim:: ?

Article left out significant information...

[bigtallmofo]

Animated pictures of shiny pocketwatches moving back and forth were found to be the most effective at taking control of other people's computers.

Still think

[Threni]

it's safer using an OS which has less security updates per year than Linux?

Re:Still think

[Anonymous Coward]

Don't worry, I've sent everyone the patch via a .png file.

Re:Still think

[ultranova]

it's safer using an OS which has less security updates per year than Linux?

Yeah, but MS-DOS v1.0 is even safer; no security updates ever! That's right folks, DOS 1.0 has never had a single security related patch released!

Already fixed

[dreamt]

After RTFMing, this was part of this week's Microsoft patches.

Re:Already fixed

[stinky wizzleteats]

After RTFMing, this problem has been known since August of last year

I RTFMed, too. Seems like vulnerability [slashdot.org] was fixed in August of last year by Gentoo [gentoo.org], Red Hat [redhat.com], andMandrake. [linuxsecurity.com]

Nothing compares MS security to that of the rest of the world better than seeing how they fix the same damn vulnerability. Let this be a lesson to you. Never astroturf with facts. A quality 'turf would have been to say: "Yes, but Linux has a history of at least three times as many security problems with PNG as Microsoft"

MS Security Chief Says Windows is Safer Than Linux

[hoggoth]

Hello? Didn't you get the memo?

MS Security Chief Says Windows is Safer Than Linux [slashdot.org]

Now stop trying to spread FUD.

Re:MS Security Chief Says Windows is Safer Than Li

[Leknor]

Anyone ever done a study to determine the mean time between when MS claims their products are secure and when the next exploit is announced?

Re:MS Security Chief Says Windows is Safer Than Li

[BrynM]

Anyone ever done a study to determine the mean time between when MS claims their products are secure and when the next exploit is announced?

Measuring negative time is moot.

Re:MS Security Chief Says Windows is Safer Than Li

[NanoGator]

"Now stop trying to spread FUD."

So, if a single security problem turns up in Linux, can I cry FUD when it's claimed that Linux is more secure?

Re:MS Security Chief Says Windows is Safer Than Li

[XMyth]

I don't think you understand.

1. Claim Linux is more secure than windows.
2. Someone finds exploit in Linux
3. Cry FUD
4. Profit

Re:Hmmmm

[Rosco P. Coltrane]

there should be a RTFRPFYM (Read the F* Redundant posts first, you moron) acronym.

What do you think, guys?

IMHO, WADR, STFU.

What???

[Jeffery]

I can't belive that.. but i love all my microsoft products.. they must be wrong, microsoft doesn't have security flaws!! and my MSN messanger is totally safe, and all my WMA and WMV files are so totally secure! /sarcasm

Re:What???

[hoggoth]

Phwew. I was about to go BALLISTIC on your post... but then thank goodness I saw the '/sarcasm' at the end. I mean, I was stoked up to spew some hellfire on you for your outrageous statements. They seemed... almost... too extreme to believe. Now that I see you clearly labelled it as 'sarcasm' I took a step back, and I'm cooling off. Shaking my arms, letting the anger go.

Good thing you clearly labelled it as sarcasm.

'cause otherwise I wouldn't have known.

Really good sarcasm, too.

Got me, there.

Phwew.

Bill Gates

[kai.chan]

If only I had Bill Gate's MSN . . .

In other news...

[Dutchmaan]

IT: MS Security Chief Says Windows is Safer Than Linux....

Re:In other news...

[Stephen Samuel]

IT: MS Security Chief Says Windows is Safer Than Linux....

I think that's because it's generally so full of worms, that you can't fit any more exploits into your average box. In that respect this actually makes Windows more secure because it makes it more likely that you box will be too infected for any given virus to be able to do anything.

Am I the only one

[mr.newt]

who finds it funny that the Google ads for the article show an advert for MSN Messenger?

Question

[Spy der Mann]

Is this why today my MSN asked me to upgrade to a new version? Or is the new version still vulnerable to this? I'm using version 6.2.0205

This is the picture...

[Anonymous Coward]

http://blog.monkeymethods.org/images/billgates01.j pg [monkeymethods.org] Enough to make any buffer quit really...

Re:This is the picture...

[quanticle]

This pic caused a buffer overflow in my mind...

Buffer overflow errors/vulnerabilities

[KiltedKnight]

Anyone notice how they seem to be all over Windows?

I'll bet the guy who used gets() is long gone, so they're still searching for each of his hidden calls to it. It's either that, or he won't admit to ever having used it.

Stupid question:

[JayJay.br]

Looks like the problem is with PNG handling. Could it be then exploited through web pages? Or is it only the use those applications make of the format?

Re:Stupid question:

[pavon]

Yes, the flaw is actually in the open source library libpng. It was discovered and fixed back in August. Any application that uses an old version of this library is affected. This included mozilla and firefox, which both released fixed versions within a day of the libpng patch. Internet Explorer is not affected by this exploit as it doesn not use libpng.

Re:Stupid question:

[l3v1]

Thing is, it is a sad day when handling images (PNG or else) can be so dumbly done so as to give room for such exploits - again.

Ah HA!

[MrFreshly]

The image that triggers it is an inverted picture of Bill Gates playing cards with Sadam, Satan, and Celine Dion.

Re:Ah HA!

[TheDauthi]

Satan would never lower himself to the level of playing cards with Celine Dion.

Defeating the Borg?

[bokmann]

Isn't this the same technique Geordie LaForge came up with for introducing a virus into the Borg collective? Remember Hugh?

Maybe the image of Bill Gates-as-Borg was a little more prophetic than we all realized.

Re:Defeating the Borg?

[Swamii]

Yawn. I don't know about a virus, but you've just put me to sleep like Data did to the Borg in episode 128 where he issues a low-priority regeneration command to the Borg collective and then they revive Captain Picard who was actually named Locutus of Borg when he was merged into the Borg identity as he was captured on the Borg Cube after a mission of reconaissance in the ... zzzzzzzz

*Proprietary* Network Graphic?

[TomorrowPlusX]

What? I thought all this time they were *Portable* Network Graphics. Well, the article says "Proprietary" so they must be right.

They're wrong about PNG

[BluhDeBluh]

They've said that PNG stands for "Proprietary Network Graphics". In fact, this is very wrong - it's not proprietary at all. The idea of the format is that it _ISN'T_ proprietary - it's free as in speech, free as in beer, free as in patents.

PNG really stands for Portable Network Graphics. And I hope that people don't get confused and start blaming the PNG file format for a bug that is MS's fault.

Re:They're wrong about PNG

[Trillan]

Microsoft wrote LibPNG?

Before anyone goes off bashing MS...

[k98sven]

Perhaps one should take note that this overflow bug is not in MS code, but in the open-source LibPNG [libpng.org], which MS used.

And it's also included in most Linux distros.

If MS is to blame, it's for their lousy reaction speed. This vunerability has been known for months.

Re:Before anyone goes off bashing MS...

[Nintendork]

I just verified this and you're right. Here's some info [mitre.org] on the vulnerability.

I wonder though why Microsoft didn't update to a newer version of libPNG when the vulnerability was addressed last August.

-Lucas

HAHAHAH GRABOULOUS!

[Thud457]

So Microsoft's use of FOSS directly led to this problem? The mind boggles at the interpertations people will draw from that!!!

Re:HAHAHAH GRABOULOUS!

[Lehk228]

Microsofts use of old vulnerable versions of OSS tools led to this problem.

Isn't it worth mentioning

[apoplectic]

The Slashdot story blurb leaves out that this fix is already available. Certainly, if the fix hadn't already been made available you could count on that tidbit being mentioned....

Re:Isn't it worth mentioning

[cortana]

An apt-get upgrade fixed this (for _all_ my programs) last August. You have been vulnerable since then.

I think I understand Windows users now...

[crazyphilman]

I used to struggle with the "why do they keep using it, when there are so many (much better) alternatives" question. I see now how silly my confusion was. It's all so clear...

Windows... Is a video game!

Sure, think about it. Can you hack your friend Billy's computer before he hacks yours while you chat online? The suspense must be very exciting. Who has the better Script? Who has the better collection of vulnerabilities?

It must be almost like playing Magic: The Gathering, or one of the other card games kids are into now. "My hack trumps yours! I get all your pr0n!"

Suddenly I feel very boring. Sigh... It's okay, Slackware, I love you even IF you're secure. I'll just have to settle for being Rudolph, and not play in any Reindeer Games.

Oh! Look! My Microwave just beeped! Pea Soup!

Mmmm!

The exploit.....

[FreshlyShornBalls]

.....is already out [k-otik.com].

Already patched?

[a_nonamiss]

Am I reading this wrong, or are these exploits for vulnerabilities that are already patched? As much as I love to hate Microsoft, you can't really hold it against them once they've released a patch (even if it is only a number of days after the patch was released.)

I just need more solid ammunition if I'm going to get in arguments with my Cult-Of-Microsoft coworker zealots.

Re:Already patched?

[digidave]

the libpng patch was out in August and MS sat on their hands all that time before patching the version they shipped.

And I bet some independent report will become available claiming that MS patches quicker than OSS because they only awknowledged the libpng bug a few days before releasing the patch.

End user ease of use...

[BrynM]

<sarcasm> Use Microsoft's [microsoft.com] simple instructions to remove messenger. Glad they made it so point-and-click for those end users!</sarcasm>They obfuscated it because Messenger is such an important part of the lock-i... er operating system. Never mind that editing your registry may void your tech support, destroy your install, burn your clothes, hit your dog. I guess I'll be getting more calls from my family if disabling Messenger gets recommended in the press. Whenever they see that "Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk." they ask me to fix it. I guess I should put together a .reg and a.vbs file for them now.

Re:End user ease of use...

[spectecjr]

Use Microsoft's simple instructions to remove messenger. Glad they made it so point-and-click for those end users!They obfuscated it because Messenger is such an important part of the lock-i... er operating system. Never mind that editing your registry may void your tech support, destroy your install, burn your clothes, hit your dog. I guess I'll be getting more calls from my family if disabling Messenger gets recommended in the press. Whenever they see that "Warning If you use Registry Editor incorrectly,

From TFA: Proprietary Network Graphics (PNG)!?!

[denis-The-menace]

God damned stupid people!
It's Portable Network Graphics
http://en.wikipedia.org/wiki/Png [wikipedia.org]

Re:From TFA: Proprietary Network Graphics (PNG)!?!

[iggymanz]

no, it's Pornographic Network Graphics, your definition is just a smoke screen so the religious right doesn't get all fired up

Basilisks, etc.

[Black Parrot]

Ah, see and die. Check out the Wikipedia article on harmful sensation [wikipedia.org] motif.

erm...

[7-Vodka]

Are other programs vulnerable? I would assume messenger uses shared library to deal with immages.

hmm. What picture could possibly cause a program to crash and burn and the computer to be PWNT?
Does goatse strike again? *grin*

6 months to patch a known vulnerability

[hweimer]

The vulnerability is described in MS05-009 [microsoft.com] which refers to CAN-2004-0597 [mitre.org]. This is a buffer overflow in libpng which was fixed in early August last year. So Microsoft needed six months to fix a publicly known vulnerability.

Re:6 months to patch a known vulnerability

[jpostel]

Wasn't there a similar vulnerability in AIM last year? I think it was with JPEG though.

Re:6 months to patch a known vulnerability

[hikerhat]

That's an astoundingly good bit of logic there. So all logic on slashdot is astoundingly good. I wish I could bump it up to "+6, kneel before my powerful logic."

Re:6 months to patch a known vulnerability

[wolf31o2]

That's because Microsoft software is more secure than Linux. They were just waiting for the right time to release the patch, that's all. Yeah...

Bad Image Causes Exploitable Overflow

[Anonymous Coward]

Exploitable Overflows Cause Bad Image

(A day like every day in Redmond)

Re:Bad Image Causes Exploitable Overflow

[WhatAmIDoingHere]

In Monopolist Redmond?

Boring!

[ChiralSoftware]

When oh when are we going to learn, you cannot handle untrusted data (data from unknown hosts on the net) using software written with tools that allow dangerous memory access? These exploits have happened once a month for the past twenty years... let's see, in Sendmail, in BIND, in a bunch of browsers, in image processing libraries, in chat programs, in Outlook, on and on. Once a month for TWENTY YEARS! What these vulnerabilities all have in common is that they work on programs written in C. What C has is the ability to overflow buffers because buffers don't know their own size. What the solution is is to only use tools that have safe buffers, where buffer size constraints are enforced at the compiler or execution level. There's no performance penalty inherent in such tools and they make the programmer's job easier. The other component that is needed is a tool-level enforcement that prevents the programmer from directly altering the stack. Finally, all programs should run under the constraints of a capabilities system [coyotos.org], so that even if the program is 100% malicious, it can only take actions which are pre-defined by a user. For example a chat program should not have the capability to write sectors on a disk, access network ports beyond its allocated port, execute other code, or write or delete files outside of its directory.

Until things start getting fixed at the tool and OS level we're going to continue having these types of exploits once a month for the NEXT twenty years. If we don't switch from using C this is going to be the Slashdot headline in 2025: "Vulnerability on Microsoft HoloChat allows attackers to take over your nervous system."

Re:Boring!

[jonastullus]

What the solution is is to only use tools that have safe buffers, where buffer size constraints are enforced at the compiler or execution level. There's no performance penalty inherent in such tools and they make the programmer's job easier.

well, depending on the implementation bounds checking can actually incur quite a noticeable performance penalty for huge arrays! the question is whether you'll accept your image loading .001 seconds longer for the certainty(?) of not getting buffer overflows.

bounds ch

Re:Boring!

[pclminion]

When oh when are we going to learn, you cannot handle untrusted data (data from unknown hosts on the net) using software written with tools that allow dangerous memory access?

Never, because it isn't true. These tools which do not allow dangerous memory accesses, what language do you think they are written in?

Take a memory-secure language like Python or Java. What are these languages implemented in? Right, C. So clearly it is possible to use C to implement secure systems. The problem is that most people

once upon a time...

[ultramk]

a friend of mine used to work for MS on a version of IE... one bug they were trying to track down involved jpg (or was it gif) images of a certain--very large--dimension that could in some circumstances cause boot-block overwrite on the boot drive as it was being cached... (this was a few years back...)

when this bug was being discussed in a meeting, the first thing that was said was something to the effect of "oh, and if you tell anybody--anybody--about this, you might as well look for a new job at the same time, and a good lawyer."

of course, this was a few years ago, and from what i understand it was fixed right away, but still...

m-

Re:once upon a time...

[t_allardyce]

He should have said 'oh, and if you pay me anything -- anything less than $300,000 for this fix, you might as well look for a new job too, and a good PR team to cover up the leak i spill.'

Remember that this "exploit" doesn't count

[Corellon Larethian]

Against Windows [slashdot.org], because Messenger isn't part of the "core" functionality of Windows.

However...

The mailman exploit [secunia.com] counts against Redhat Enterprise, because it ships with the distribution.

(just squint really hard, and you'll be able to clearly see what I'm talking about)

Removing MSN Messenger doesn't actually remove it

[EnronHaliburton2004]

So anyone else notice that if you remove MSN Messenger and Outlook Express via the Control Panel's "Add/Remove Programs", the programs aren't actually removed from "C:\Program Files\Messenger" and "C:\Program Files\Outlook Express" ?

WindowsUpdate still asks you to install patches for Messenger and OE, even though they are supposedly "uninstalled".

IE still somtimes shows a Messenger icon on one of the toolbars.

I still occasionally find the the MSN Messenger icon in the status tray, even though it is supposedly "uninstalled", and the users on my network aren't smart enough to run MSN Messenger from the commandline.

What gives?

Re:Removing MSN Messenger doesn't actually remove

[MrP-(at work)]

Yeah that never uninstalls it

You have to manually call the uninstall section of the msn messenger INF file.. ive done it so many times i type it from memory..

go to start>run, and type

rundll32 advpack.dll,LaunchINFSection %windir%\inf\msmsgs.inf,BLC.Remove

make sure msn messenger is closed first so it wont error when it unregisters the dll files

Re:Removing MSN Messenger doesn't actually remove

[ad0gg]

Really? Removing MSN messenger is simple go, to add/remove files click uninstall. Simple and easy. Maybe if you were smart enough to realize that you're actually trying to remove Windows Messenger not MSN messenger, you wouldn't have have issues. Next are you going to complain about not being able to remove Oulook Express by trying to uninstall Outlook XP?

Re:Removing MSN Messenger doesn't actually remove

[EnronHaliburton2004]

ok fine, I screwed up the names. I don't actually use the program.

The fact still remains that removing "Windows Messenger" via "Control Panel: Add/remove programs: Add/remove Windows components" doesn't remove C:\Program Files\Messenger .

At least...

[jd]

...it's not the JPEG flaw again. If they'd fixed it in one place, but left it broken in another, it would be pretty bad. Well, mind you, this is still pretty bad. MS' PNG library has been stale for some time, which is why PNGs don't always show correctly on IE. Stale code won't develop new bugs, that is true, but it isn't being checked for old bugs either.

This is not the only MS security flaw under review, at the moment. It was shown recently that MS Office documents are weakly encrypted using the password directly. It has been shown that there is a way of recovering the key in a relatively short timeframe if you have two versions of the same file. (This isn't actually too hard to achieve, as most people keep backups.)

Instead of boasting how they've "only" released a few mega-patches over the last year, Microsoft really needs to sit down and do a thorough code audit. Hell, if that would be too expensive, just run the standard libraries through "splint" or the Stanford Code Validator. Even if Microsoft were to just fix those bugs one of those code auditing tools reported, I flat-out guarantee confidence in the security of their products will increase far beyond their wildest imagination.

The problem is neither inevitable nor insoluble. And boasting about Windows over Linux eliminates neither the problem nor the growing awareness of it. Addressing the problem, with a firm determination, would.

If only I was smarter...

[lcde]

I remember years ago I had the idea of embedding viruses in gif and jpg's. I just couldn't figure out how I would get it to execute the code.

Thanks Microsoft.

Elbonia & Irony

[catdevnull]

Well, I think it's ironic (funny ironic and sad ironic at the same time) that this article appears the same day as this one [slashdot.org]. It's difficult to be taken seriously about security when you're getting busted like this all the time.

is it just me...

[Fuzzums]

or was this already fixed in last round of bugfixes, this tuesday?

Re:Worst internet worm ever?

[PapaBoojum]

By spreading to everyone in your buddy list, a worm based on this exploit could infect 90% of the world in a couple hours.

I'm doing my part. I don't have any friends.

Re:Worst internet worm ever?

[l3v1]

By spreading to everyone in your buddy list, a worm based on this exploit could infect 90% of the world in a couple hours.

ROTFLMAO :D So now 90% of the world uses MSN Messenger
That should be on the front page up ahead :)

Re:Worst internet worm ever?

[somethinghollow]

The someone better hurry and write a "white-hat" worm that installs an update that patches the exploit. Then we could patch "90% of the world" in a couple hours.

Re:Worst internet worm ever?

[Queer Boy]

By spreading to everyone in your buddy list, a worm based on this exploit could infect 90% of the world in a couple hours.

You mean there are people using MSN Messenger?

Re:but its more secure than linux!

[Manip]

1. This has been patched.
2. GAIM has had exploits patched.
3. Linux has had exploits patched.
4. I remember reading people defending Linux by saying that a lot of the distribution patches are not for the OS but instead for tools/apps... Yet you don't hold the same true for Microsoft?
5. People need to be a little more objective, even on /.
6. This is old news.

Re:but its more secure than linux!

[TFGeditor]

But, have you ever tried to uninstall MS Messenger? http://www.theregister.co.uk/2002/04/02/windows_me ssenger_trojan_update/ [theregister.co.uk]

Those not blessed with geekiness cannot do it, so are stuck.

Re:but its more secure than linux!

[LocoMan]

Actually, I did try a couple days ago (bought a new HD so installed windows XP again), and it was just a matter of going to control panel, add-remove programs, windows components and uncheck MSN Messenger.

Maybe that was added in SP2, though, since I remember having to execute a file (got the instructions from annoyances.org) in the command prompt to uninstall it last time I had installed XP (about a year ago, IIRC). The uninstaller was there, just that there was no shortcut to go to it.

Re:but its more secure than linux!

[jproudfo]

...which was patched on Tuesday. IMHO, that qualifies old news.

Re:but its more secure than linux!

[joeljkp]

To add some sanity to this discussion, here's some facts:

The MS bulletin and patch: http://www.microsoft.com/technet/security/Bulletin /MS05-009.mspx [microsoft.com]

It's a vulnerability in libpng that was just patched by MS Tuesday, but was fixed by everyone else when it was discovered last June.

Re:When will this stop being "news?"

[Strudelkugel]

The patch [microsoft.com] was released on Feb 8, the story comes out on Feb 11. Right, not much to see here.

Maybe the RAF has a big PowerPoint that's of interest on web server somewhere...

Re:When will this stop being "news?"

[BrookHarty]

Reminds me of the local nightly news at 6pm.

Things you need to know RIGHT NOW that will save your life! Tonight at News at 11

Re:Mac classic

[jericho4.0]

No, I think he meant emacs. Emacians know no limits, after all.

You're mostly right about MacOS. Where did you get the 'ties with openBSD' bit from, though?

Re:WHAT THE FUCK?!

[jericho4.0]

I second that. Sound is totally unacceptable. If my browser runs into sound, it plays on the X client in the other room through the stereo, which is often turned up loud. Not cool.(especially on porn sites :-)

I refreshed a few times and saw a few vonage ads, but none played sound for me...

Re:Start the clock

[jerw134]

One of those 12 security patches was for... wait for it... this problem! You can stop your clock now.

Re:Talk about Timing!

[joeljkp]

You're not making any sense. The issue was with libpng, which is used by pretty much every image-capable platform in existance. Everyone else patched it when it was discovered last summer, though.

The real question to ask is "Why did it take MS so long to remember it had used a vulnerable version in MSN Messenger?"