February 16, 2006 6:55 PM PST

Attack code out for latest Microsoft flaw

Two examples of computer code that exploit a flaw in Windows Media Player have become available only days after Microsoft released a patch to fix the bug.

The "proof-of-concept" exploits that take advantage of a flaw in the media player were posted on the Web over the past couple of days. The flaw, rated "critical" by Microsoft, could enable an attacker to seize control of a vulnerable computer system.

The appearance of proof-of concept code is usually a sign that actual attacks are not far off. Microsoft, when it released its patch Tuesday, urged users to upgrade their systems as soon as possible.

Microsoft recently issued patch MS06-005 as part of its monthly security update. The vulnerability in Windows Media Player can compromise a system through malicious images embedded in the player.

Versions of Windows Media Player affected by the bug include 7.1 through 10. The vulnerability was also tagged as "critical" by the French Security Incident Response Team, or FrSIRT, a research outfit that published one of the two exploits.

Microsoft announced the release of seven fixes on Tuesday, including a "critical" patch for a Windows Meta File vulnerability in Internet Explorer. It exists only in IE 5.01 with Service Pack 4 on Windows 2000 and IE 5.5 with Service Pack 2 on Windows ME, Microsoft said in the security advisory.

See more CNET content tagged:
flaw, media player, Microsoft Windows Media Player, Windows Media, patch

20 comments

Join the conversation!
Add your comment
hmm thats funny
my computer has never been infected with one of these "high priority" windows flaws since I got it in 2002. however, it's best to be careful, especially if you do a lot of work on your computer.
Posted by xtuser (18 comments )
Reply Link Flag
mine was
Mine ws infected by a virus mear minutes after getting the damn thing. Damn worm attcked though a flaw in Windows that only required me to be online (which I was doing to register windows, and ironically download the patch to cure the vunerabillity the worm got in through)

Windows should be secure out of the box, you shouldn't need to spend hours downloading fixes to it.
Posted by booboo1243 (328 comments )
Link Flag
mine's secure too
Windows XP "can" be secure...
Mine's been running for almost 2 years, never was i infected by a virus or spyware. I can't even remember if i ever experience BSOD. You just need to configure file/folder AND REGISTRY permissions, policies and firewall. My XP doesn't have an Anti-virus and Anti-spyware installed, AV software adds strain to HDD so it will last longer. Just make sure you do these first before connecting to the internet, and just be very careful of what sites you visit and files you download.
Posted by stoicnluv (22 comments )
Link Flag
Same here
I've had Windows machines since 3.1 and have had 1 virus. Keep the machine updated and you're reasonably secure...
Posted by robertcampbell2 (103 comments )
Link Flag
DeJa Vu? I do believe I've read this story before...
This story was posted minutes ago. Yet, I feel as though I have read it in the past week...and month, and the month before that...

CNet Editor's: Do you copy paste the "Critical Flaw Found In Microsoft Products" story weekly, only changing the name of the flaw and worm used this week?
Posted by booboo1243 (328 comments )
Reply Link Flag
Microsoft Flawed Again.
I bet you thought I was going to complain about Microsoft and it's bugs didn't you. Well, I'm not.

In the past few weeks I have read about flaws in Linux and Microsoft. I've even read about a virus for the MacOSX (couldn't tell you if it's true or not).

I thought about it a bit and the real problem starts with the foundation of computers. First you have the hardware that is mass produced to be sold at the lowest possible price while generating the best bottom line. Then you have old languages that allow for bad programming. Then add legacy code which creates the potential for old flaws to still exist. Top that off with many over worked programmers and deadlines. Then you through in the average user or the user who thinks they know enough to be safe.

What I think we have here is an accident waiting to happen. The more I think about it the more I realize that the problem is really big and way beyond just Microsoft or Linux. Standards are seldom fully followed and cheap hardware is just that Cheap.

I think we need hardware that knows how to monitor itself for bad data and a programming language that makes it much harder for programmers to let bad code slip in. I think we need more openness in the technology world without becoming completly open source. I think we need to work harder at creating and following standards. I think users need to work harder at understanding the systems they are working on. We also need to slow down. Are we all really in that big a hurry to get it all done. When you die it's not going to make a bit of difference to you anyway.

The reality is that programmers can make software more secure and stable and hardware makers can make smarter hardware. However, it's not going to happen until we all realize that the problem with the world is the people living in it. People are the greatest computer this world has ever known and look how flawed we all are. :)
Posted by System Tyrant (1453 comments )
Reply Link Flag
Well I for one...
Welcome our new robotic code-checking overlords.
Posted by wazzledoozle (288 comments )
Link Flag
hard to ti have hardware security
The problem how is a piece of hardware ment to know what a program should be doing. There are times when programs need to do things legitimatly that a virus could also use. For instance I might want to upgrade my firewall, I would need to change the firewalls executable, that would be legitimate. However a virus might do the same thing to stop a firewll working.

I think you are getting into the realm of "trustworthy computing" where all apps need to be digitally sined before the hardware will run them. But then you still have many of the flaws that allow a remote attacker to use a legitimate program to do its bidding. Remember the WMF flaw, an image could make Windows execute the code for it.

There are things like hardware DEP which can protect things in memory to try and prevent tampering.

I agree about insecure languages, C allows you to exceed the memory you have reserved and keep going through memory till you run out of the memory belonging to your program, though this is sometimes considered a "feature" which makes it versitile. Simple things like checking user input tend to be skipped, its not taught thourelghy enough, When I was taught to program security of apps was not seen as important. Unfortunatly it is. When apps could only be provided with data from the user it was safer but now apps such as your webbrowser are given data by remote users there can be problems. And even non networked apps can be targetted for privillage escillation, if I have an app with higher permissions running then anopther app could exploit its vunerabillitys to bypass OS execution permissions.
Posted by booboo1243 (328 comments )
Link Flag
Flaws
The hardware and software we use today is made by people. People aren't perfect so neither is the hardware and software they make.

Programmers CAN program better code and Engineers CAN make smarter hardware but so long as we care more about how much something costs and not how well it performs, we will always have cheap hardware and buggy software.
Posted by thedreaming (573 comments )
Link Flag
The Perfect Solution.
We all work for free and for the betterment of the human race.

Ok, now we all know that's never going to happen.

Unfortunatly there is no real perfect solution. If the day comes we build hardware and software smart enough to fix itself or learn and build better version then you get the Terminator or the Matrix.

I'm not sure that in the big picture computers or advancing technology will ever be safe and secure. Someone will always have away to convert a 1 into a 0 when it should have stayed a 1. This doesn't mean that we should work for better hardware and software, but it's just never going to be perfect or unbreakable (at least not in my lifetime).

You could have a programming language that gave you all the power of assembly or C/C++, but by default had that power turned off. In other words in you code you might specify a piece of code that says it's turning on a potentially unsafe bit of code. This way you get all the power you want and you can have a safe (relatively speaking) language. I suppose you could say a language that's VB and C++.

Ah, well. It's never going to happen so I'm done talking about it.
Posted by System Tyrant (1453 comments )
Link Flag
Poof-of-concept only, thats better news.
Microhard-up needs to evaluate its source code for their media-player. I think with the presure of open source they are starting to ramp-up their patch criteria.

Carry on...
Posted by solarflair (35 comments )
Reply Link Flag
Patched before Exploited - even better news
A patch was available for the exploit before the proof of concept existed... and has been available on WindowsUpdate as a critical patch since then.

People who auto-update are protected. People who manually update can only blame themselves for not installing the patch.

At least Microsoft didn't solve the problem by telling people to install the latest kernel.... or uninstall their Databse engine and reinstall the latest version.... "Just upgrade to the latest version" is a strategy that seems far too common with many open-source projects.

It is far easier for a business to test and integrate a patch than it is to evaluate and implement an entire new version of a relied-upon application.
Posted by David Arbogast (1709 comments )
Link Flag
Microsoft
I think that Microsoft flaw is too strong to be really attacked.
<a class="jive-link-external" href="http://www.referate-romana.com" target="_newWindow">http://www.referate-romana.com</a>
Posted by mess487 (5 comments )
Reply Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.