backtop

Print 51 comment(s) - last by Smilin.. on Dec 31 at 4:30 PM

Microsoft denies security researcher Laurent Gaffi's claims that a bug found in Windows Media Player 9, 10, and 11 can allow remote code execution, opening the door to computer takeovers. Microsoft says the flaw poses "no security risk".
Microsoft insists flaw in Windows Media Player is harmless, independent security experts say otherwise

Last week on December 24, security researcher Laurent Gaffi reported what he called a critical security flaw in Microsoft's Windows Media Player to the Bugtraq security mailing list, marking the second major Windows vulnerability found in recent weeks.  He said the flaw, which affects Versions 9, 10, and 11 could allow malicious users to malformed .wav, .snd, or .mid audio files to compromise a PC running Windows XP or Windows Vista.

Mr. Gaffi included code for a proof-of-concept attack, which would execute code remotely on the victim's PC. 

The claims evoked a quick and emphatic response from Microsoft.  Microsoft claims that there is no "critical vulnerability" at all, and that the bug the research found could not be exploited.  Microsoft stated that the problem is a "reliability issue with no security risk to customers."

The company also took Mr. Gaffi to task for publishing his findings without first reporting them to security researchers.

Christopher Budd, a spokesman for the Microsoft Security Response Center (MSRC) said in an MSRC blog, "[Gaffi's] claims are false.  We've found no possibility for code execution in this issue."

He did acknowledge that the flaw crashes Windows Media Player, but he claimed that it could be restarted without restarting the operating system and with no negative side effects.  Microsoft's Security Vulnerability Research and Defense (SVRD) group released its own researchers' technical take on the bug.

Jonathan Ness and Fermin Serna of the SVRD team knew of the bug and had fixed it in one server version of the media player.  They too argued it could not be used to cause serious damage, stating, "This bug cannot be leveraged for arbitrary code execution.  We found this already through our internal fuzzing efforts.  It was correctly triaged at the time as a reliability issue with no security risk to customers."

Mr. Ness and Serna concluded, "We do like to get these reliability issues fixed in a future service pack or a future version of the platform whenever possible. This particular bug, for example, has already been fixed in Windows Server 2003 Service Pack 2."

Some are skeptical, though, of Microsoft's claims.  Last April researchers discovered an operating system-level vulnerability, which Microsoft promptly denied was dangerous.  Three weeks later it was forced to recant and issue a security advisory.  Despite being actively exploited since October Microsoft has yet to issue a fix for that problem.  Of late Microsoft has been under increasing and contradictory pressure to release patches more quickly and test them more thoroughly.

Comments     Threshold


This article is over a month old, voting and posting comments is disabled
OK, which is it?
By fishbits on 12/30/2008 2:07:24 PM , Rating: 5
"Mr. Gaffi included code for a proof-of-concept attack, which would execute code remotely on the victim's PC."

"We've found no possibility for code execution in this issue."

What happens when Mr. Gaffi's code is run? Sounds like a pretty simple thing to verify, rather than he-said / she-said.




RE: OK, which is it?
By ccmfreak2 on 12/30/2008 2:23:32 PM , Rating: 4
I read an article on another site about this topic that states the following (bold font added by myself):

"The security researcher making the initial report didn't contact us or work with us directly but instead posted the report along with proof of concept code to a public mailing list," reads the Security Response Team's statement yesterday. "After that report, other organizations picked the report up and claimed that the issue was a code execution vulnerability in Windows Media Player. Those claims are false. We've found no possibility for code execution in this issue. Yes, the proof of concept code does trigger a crash of Windows Media player, but the application can be restarted right away and doesn't affect the rest of the system ."

http://www.betanews.com/article/Microsoft_denies_t...

So, Microsoft admits that it will crash the program, but then again, so will the task manager. I'd say a crash (aka improper shutdown) of an app is hardly an exploit, but an inconvenience.


RE: OK, which is it?
By Spectator on 12/30/08, Rating: -1
RE: OK, which is it?
By mondo1234 on 12/31/2008 1:44:20 PM , Rating: 2
Its not a bug, its a feature.


RE: OK, which is it?
By fishbits on 12/30/2008 2:46:19 PM , Rating: 3
Thanks for the additional info. Pretty scary if this "security researcher" made a false/ erroneous claim and rushed it out.

How long til this is in an Apple ad?
"Hey PC, I heard if people play music on you, you'll get viruses."

Meanwhile our researcher gets a cushy position on the iTunes team. :P


RE: OK, which is it?
By 9nails on 12/31/2008 7:31:33 AM , Rating: 2
I would think that false claims are more common than not. It could be that the researcher is trying to earn more credit than what is due, or just doesn't fully understand the situation and is asking the public to verify their findings.

I'm so glad that Microsoft doesn't acknowledge Apple in (the majority of) their ad's. Microsoft can open such a huge can of whoopass if they lowered themselves to these attack ad's, but it wouldn't make them the better company.


RE: OK, which is it?
By quiksilvr on 12/30/08, Rating: 0
RE: OK, which is it?
By ebakke on 12/30/2008 2:32:56 PM , Rating: 2
You're also not technically inept.


RE: OK, which is it?
By Spivonious on 12/30/2008 2:51:01 PM , Rating: 2
I tried WinAmp 8 years ago and couldn't stand its complete lack of library support.

WMP11 is the best media player I've used, and I'll stick with it unless someone shows me something better.


RE: OK, which is it?
By mherlund on 12/30/2008 3:03:52 PM , Rating: 4
quote:
WMP11 is the best media player I've used, and I'll stick with it unless someone shows me something better.


Have you ever tried iTunes?

/sarcasm


RE: OK, which is it?
By 9nails on 12/31/2008 7:46:07 AM , Rating: 2
You mean Quicktime?

It was my understanding that iTunes is just an interface for Quicktime which guides you to the Apple store and provided a sweet interface for file management. The "media player" in iTunes is still Quicktime.

Not to fuel any fires, but WMP and Quicktime are both good players. Neither support all media formats that one would need, but at least they offer a plug-in systems to expand their support. I think that they both have their faults as well; size, security and stability can be problematic in either player.


RE: OK, which is it?
By rudolphna on 12/31/2008 12:22:48 PM , Rating: 2
I agree. I use itunes, because of the vast music store available. Its pretty easy, and I can use it with my ipod


RE: OK, which is it?
By UNHchabo on 12/30/2008 3:21:07 PM , Rating: 3
Eight years ago Winamp was on version 2. Version 5.5 was released over a year ago (with various minor releases since then).

Winamp 2 is a MUCH different program than it currently is. Remember how long of a time 8 years is in software development -- we were all struggling to get Quake 3 to run at more than 30 frames per second 8 years ago!

Up until about 6 months ago I was running Winamp 5 with the classic interface (same interface as Winamp 2, for less memory usage), and it did everything I wanted. I started using foobar2000 only out of a desire to switch to open-source software as much as possible, and now that does everything I need, too.

Check out foobar2000, I bet it'll fit your needs, no matter what they are. Plus it supports Flacs, Oggs, and anything else you throw at it, without installing codec packs.


RE: OK, which is it?
By omnicronx on 12/30/2008 3:51:03 PM , Rating: 3
Foobar2000 is the best mainstream audio application out there, especially if you are still using Windows XP, kernel streaming bypasses all the crappyness that is pre windows vista Windows audio.

I like winamp, but I would rather use WMP or VLC for video, Winamp just doesnt cut it anymore.


RE: OK, which is it?
By UNHchabo on 12/30/2008 4:43:59 PM , Rating: 2
Right now I use foobar2000 for my music library, VLC for most individual media files (video and audio), and Media Player Classic Home Cinema for hi-def video files, because of the decoders included.


RE: OK, which is it?
By B3an on 12/31/2008 3:04:31 AM , Rating: 2
All that just to play music and video. Well f-ck that, i'll stick to WMP11 and any codecs/addons i need to play anything.

And before someone says, i've tried most of them but have no need for any.


RE: OK, which is it?
By UNHchabo on 12/31/2008 11:49:13 AM , Rating: 2
I keep VLC as the default on my home machine because it can play any file, even if it's broken. On my work machine I never play broken files, so I just have Media Player Classic handle everything, and I use foobar2000 for my music playlist. It's very easy.


RE: OK, which is it?
By Suntan on 12/31/2008 1:44:54 PM , Rating: 2
quote:
Foobar2000 is the best mainstream audio application out there


Appologies, but foobar is not "mainstream." The fact of the matter is that anyone that even knows what the term kmixer is, is not part of the mainstream.

Personally, for audio, I believe J. River has a better interface than Itunes, and is much more mainstream than foobar.

In anycase, WMP is a necissary evil for taking advantage of online video content. But it is not my player of choice for anything. (Zoomplayer for most, SageTV for DVR and VLC when the file is really F'ed up.)

-Suntan


RE: OK, which is it?
By neothe0ne on 12/30/2008 4:08:12 PM , Rating: 2
Winamp still sucks though. Version 5.5 or whichever version included the new theme broke compatibility with a wide variety of plugins, the use of which is the ONLY reason I ever bother installing Winamp, and Winamp is still the root of all Unicode evils.

That said, foobar2000 isn't doing as well as it used to either. A tangible minority of the developers in the community have quit due to arbitrary decisions by the developer of foobar2000 regarding functionality of components. I'm still using foobar2000 for lack of anything better, but I wish some of my favorite component's developers were still developing instead of being forced out by foobar2000.


RE: OK, which is it?
By StevoLincolnite on 12/30/2008 10:45:43 PM , Rating: 3
I actually love Winamp though, but that's not saying much it has been my program of choice for my Music for the last 10 years.

I especially love the Radio and TV channels as well, and there is allot of plugins available, for instance I wanted the MSN Messenger Music display thingy but didn't want to use Windows Media Player, no problem, just go grab the plugin and away you go.

However I completely skipped Winamp 3, I found it to be utter crap, and stuck with Winamp 2 until Winamp 5 came along, I also love the ability of making your own AVS effects as well.

Unfortunately, I love all my music in a single list, and a simple press of a "J" on the keyboard brings up a window to search for particular songs, and set Queue's etc.

I think half the programs flexibility is hidden in Keyboard Shortcuts unfortunately.


RE: OK, which is it?
By dgingeri on 12/30/2008 6:54:14 PM , Rating: 1
I tried WinAmp about 8 years ago, too, and I was appalled at the extreme processor usage. I couldn't run anything else on the machine while WinAmp was running.

I tried it again about 5 years ago, and got the same thing.

I tried it again about 2 years ago, when I got my dual core processor (Athlon64 X2 4400) only to find that it pretty much maxxed out both cores. Glad to know it's inept programming is dual core aware.

I'm sticking with iTunes for music and WMP for movie playback. At least this exploit is only for music files.


RE: OK, which is it?
By MrBlastman on 12/31/2008 10:22:19 AM , Rating: 2
Media Player Classic > all

period

(and this is not a Microsoft product - look it up on Sourceforge)

The interface is simple, effective and well - it has a very efficient footprint.


RE: OK, which is it?
By shamgar03 on 12/31/2008 11:17:01 AM , Rating: 2
Ummm....mplayer can play x264 in an avi container, dvds, ISOs, bin/cues, it can play anything. I'm pretty sure mplayer is the gold standard of media players. vlc is also widely regarded, but mplayer can even do stuff like artificially boost sound levels, for instance if you have a video that was encoded at a low sound level.


RE: OK, which is it?
By UNHchabo on 12/31/2008 11:45:01 AM , Rating: 2
But the Windows port of Mplayer is terrible, so we use Media Player Classic instead.


RE: OK, which is it?
By inighthawki on 12/30/2008 3:52:38 PM , Rating: 2
Personally i think WMP11 is the greatest media player out right now. WinAmp and iTunes, imo, both suck pretty hard, so it's a matter of personal opinion, and you shouldnt try to spread yours like its a fact.


RE: OK, which is it?
By blppt on 12/30/2008 4:43:11 PM , Rating: 2
I agree...mpclassic rules. I've trying for a while now to ditch everything for VLC, but theres always something buggy about it. At least they fixed the stupid fullscreen interface bug that existed for all of 0.8.x.

0.9.x Has a much better looking interface, and yet, playing a couple of video files the other day, I noticed VLC had several hitches that always occured at the same point in those videos that didnt show up on mpclassic or WMP11. And yes, I tried changing outputs from D3D to DX to OGL to GDI, etc. No change.

Its a shame because vlc plays pretty much any mainstream media and seems to take up smaller space than klite+mpclassic or klite+wmp11. Would've liked to use it full time, but theres just always something not quite right about it IMHO.


RE: OK, which is it?
By UNHchabo on 12/30/2008 4:48:09 PM , Rating: 2
My biggest issue is that VLC 0.9.x has to catch up with ANY video that I start with it. I don't get anything on the screen for at least 4-5 seconds after I start the video.


RE: OK, which is it?
By blppt on 12/30/2008 8:37:21 PM , Rating: 2
I dont have that specific problem, BUT, say you are watching a video off of some disc, be it CD, DVD, etc. You miss say, a minute or so because of a phone call. When you go back to watch that minute, everything is fine, but as soon as it reaches the end of that minute, VLC will just START spooling up the disc to read uncached data after that minute (when it runs out of data to play), causing a 10 second or so pause. No other media player I've used does this, and its really annoying.

I wish I could find which cache setting I need to change to stop this from happening.


RE: OK, which is it?
By icrf on 12/30/2008 3:29:02 PM , Rating: 1
The real dichotomy is:

"It's not a security hole"

"Curse you for not telling us before going public"

Yelling at someone for not releasing non-critical information privately first?


RE: OK, which is it?
By fishbits on 12/30/2008 3:54:38 PM , Rating: 2
Yeah, I'd be pretty miffed about someone releasing damaging FALSE information about my product without checking with me first. And even if it were true, since security is involved, it's generally seen as better for everyone to try to evaluate and fix the problem quietly before calling attention to it.

I don't understand where you see conflict in MS wanting the information to be accurate, and to get first crack at it.


RE: OK, which is it?
By ccmfreak2 on 12/30/2008 4:13:55 PM , Rating: 2
Yeah, I agree. Security isn't something that is taken lightly today. Telling Microsoft first wouldn't only be the "responsible" thing to do, but it would also give this guy credibility to future issues - if it is an issue.


RE: OK, which is it?
By Smilin on 12/30/2008 4:07:41 PM , Rating: 4
Don't be so obtuse.

This guy thought it was a security hole yet went ahead and released proof of concept code publicly before even bothering to notify the vendor. That is how worms get started and it was a completely stupid and irresponsible thing to do.

Fortunately it turned out not to be an actual vulnerability it seems. This stroke of luck doesn't mean the guy doesn't deserve an 4ss chewing for what he did.

You would be happy if someone pointed a gun at your head and heard a "click!". Happy you heard the "click!" that is. You're still kicking the guy's 4ss post-haste for pointing a gun at you and pulling the trigger.


RE: OK, which is it?
By codeThug on 12/30/2008 11:23:07 PM , Rating: 2
L Ron Ballmer says it can't happen. Therefore it will not.

Next...


Nowadays...
By amanojaku on 12/30/2008 2:07:31 PM , Rating: 2
Funny, this was at the bottom of my article.

quote:
"Nowadays, security guys break the Mac every single day. Every single day, they come out with a total exploit, your machine can be taken over totally. I dare anybody to do that once a month on the Windows machine." -- Bill Gates




Microsoft
By Screwballl on 12/30/08, Rating: -1
RE: Microsoft
By Samus on 12/30/2008 2:26:46 PM , Rating: 4
yea, because linux is *so* secure

/rolls eyes


RE: Microsoft
By omnicronx on 12/30/2008 3:52:32 PM , Rating: 1
Linux is 'so' secure... much more so than windows if you have any technical background at all.. Of course marketshare plays a huge role in this, but you can't really knock unix security..


RE: Microsoft
By Smilin on 12/30/2008 4:10:11 PM , Rating: 2
Dunno about him but I've got a technical background.

Which Windows and which Linux are you talking about? Be specific.


RE: Microsoft
By omnicronx on 12/30/2008 4:38:45 PM , Rating: 1
Any well patched distro is going to be more secure than windows. There is a reason most mission critical data is kept some kind of unix based OS.


RE: Microsoft
By Smilin on 12/30/2008 5:35:41 PM , Rating: 5
Which Windows?

Nevermind. You made my point. This isn't 1995 dude and implying that something like a properly locked down and administered Windows Server 2008 box is insecure is just a bunch of fanboy tripe. REAL Linux admins will back me on this.

There are some very secure boxes running both Windows and Linux out there protecting that "mission critical data" but based on your flipant posts I'm betting you don't administer them.


RE: Microsoft
By TSS on 12/31/2008 7:35:00 AM , Rating: 2
might not be an linux admin but i'll back you on this anyway. one of the company's i finished an internship with was a school complex with nearly 5000 students in 6 locations connected via fibre. the whole system was running on windows server 2003 (and it's various forms for e-mail, ISA server and so forth) and it was damned secure.

and this was a high school. a place where you can bet on it the students will try and hack the system. one of the highschools connected to the network was my old school, where i *did* hack the network a few years prior. and quite easaly, i might add. we also got our own code running on the computers of the sysop school (bastards blocking our programs we'll show them!) fairly quickly. i tried getting into the system of my highschool when it was revamped, couldn't get anywhere into it. it was secured to the max *without* giving up functionality. i think i've removed 1 virus in about a years worth of working, and they where using IE6.

i wouldn't say your server/network is as secure as the operating system. your server/network is about as secure as the sysop running it.


RE: Microsoft
By Smilin on 12/31/2008 10:31:48 AM , Rating: 2
Yeah, as a whole the admin has a much greater impact on security than the OS.

Today's Windows just isn't the same as it was back in the blaster/sasser days. People keep recycling these 5-10 year old arguments when talking about "Windows" security.

A 10 year old yelling nanny-nanny-boo-boo isn't a very credible insult but frankly after 5 years of it continuously it gets a bit old.


RE: Microsoft
By Ratinator on 12/30/2008 5:37:22 PM , Rating: 3
Don't forget usability. If Linux had to be dumbed down so that everyday joe schmoe could use it, it would have a lot more security holes in it too. User friendly = significantly more code = a lot more potential for security holes. So while the technial savvy bunch can be up on their pedestal claiming the security benefits of being on Linux, MS is trying to reach those users who are not as well versed in computers.


RE: Microsoft
By mechBgon on 12/30/2008 7:58:28 PM , Rating: 2
I suggest reading Jeff Jones' Days Of Risk 1H '08 report, which you can find here:

http://blogs.technet.com/security/archive/2008/10/...

quote:
This report looks at all of the vulnerabilities fixed by Apple, Microsoft, Red Hat and Ubuntu during the first half of 2008. At the vendor level, the report examines all vulnerabilities as well as Days of Risk (DoR) associated with those vulnerabilities. The report further drills down to examine just those issues affecting the commonly installed desktop operating system components.

...

For desktop OS vulnerabilities, Windows Vista had the fewest vulnerabilities in 1H08 at 21. The next lowest number was Windows XP SP2 at 26.


Jeff Jones also noted that of the severe security vulns that affect both XP and Vista, 46% of them are mitigated by Vista's additional security capabilities. That's one more feather in the cap of Microsoft's SDL process, which aims to systematically reduce the quantity and severity of bugs at every possible stage of software development, and to build in mitigation for those that'll inevitably make it through.

Microsoft MVP, Windows Desktop Experience


RE: Microsoft
By Screwballl on 12/30/2008 4:59:34 PM , Rating: 1
quote:
yea, because linux is *so* secure


Spoken like a true sheep that sees no wrong with Microsoft.

Thats fine, Microsoft is digging its grave, slowly and surely. Only those who think and deal with the MS problems daily can actually see it.


RE: Microsoft
By inighthawki on 12/30/2008 6:52:45 PM , Rating: 2
Anyone who has problems on a windows machine clearly has a poor choice of hardware (and matching drivers) or loads a bunch of crap applications on that make it unstable.


RE: Microsoft
By Screwballl on 12/31/2008 1:16:02 PM , Rating: 2
quote:
Anyone who has problems on a windows machine clearly has a poor choice of hardware (and matching drivers) or loads a bunch of crap applications on that make it unstable.


Exactly. Adobe Photoshop, Comodo Firewall, Avira anti-virus, Spyware Terminator, Spyware Blaster... those are crap programs... Gigabyte and Asus boards with Vista certified drivers, yep that is crap hardware/drivers. Yet a majority of any systems running Vista in any form (retail, OEM, or custom built) is ALWAYS the least stable of any OS ever used. XP had a few compatibility issues with older programs but the drivers were never an issue with normal everyday hardware, versus Vista is a major crapshoot with everyday hardware.

An OS is only as secure as the programmers make/made it. You should not have to be "limited" by the programs you can run on it and have to worry about OS security when using 3rd party software (such as Adobe Photoshop or a game). Thats where linux shines and is working its way up.


RE: Microsoft
By Smilin on 12/31/2008 4:30:46 PM , Rating: 1
Actually, yea dude those spyware programs are far more likly to jack a perfectly healthy registry than actually resolve any issues. MS doesn't allow them to run but hey you know better and that's why you hit allow on the UAC prompt every time they run right? Adobe makes horribly insecure software.

And in case you didn't know 3rd party software has no ability to compromise the security or stability of the OS as a whole. Only retarded users who grand those apps admin privledges have that issue. Linux can't protect itself from a determined retard admin either. (Linux guys, got my back here?)

Here is a hint: if an application (not driver based like say CD burning software) requires you to hit a UAC prompt for some common task then there is a 99% chance it was written by a sh1tmonkey.

When your OS breaks a month later, go take it up with the sh1tmonkey and cut MS some slack.


RE: Microsoft
By anotherdude on 12/31/2008 10:23:41 AM , Rating: 2
"Thats fine, Microsoft is digging its grave, slowly and surely."

Muhahahahaha, you bested us this time but we'll get you M$, one way or another we'll get you in the end!


RE: Microsoft
By ccmfreak2 on 12/30/2008 2:28:41 PM , Rating: 2
quote:
This is not an exploit or bug, it is a "feature".


Stated like someone who definately knows the development business. :) My development team follows the rule of "There are never any bugs in our programs - just features. Sometimes a feature causes problems and needs to be fixed, but it is still a feature."


RE: Microsoft
By rudolphna on 12/31/2008 12:27:46 PM , Rating: 2
That is all good PR but.... I wouldnt want to buy from a company that doesnt acknowledge "bugs" in their programs. "features with problems" seems a bit less urgent than "gaping security bug"


"Young lady, in this house we obey the laws of thermodynamics!" -- Homer Simpson











botimage
Copyright 2012 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki