Version: 2008
  • On mySimon: Pea Coats Are Another Wardrobe Staple

February 16, 2006 6:55 PM PST

Attack code out for latest Microsoft flaw

  • 20 comments
Two examples of computer code that exploit a flaw in Windows Media Player have become available only days after Microsoft released a patch to fix the bug.

The "proof-of-concept" exploits that take advantage of a flaw in the media player were posted on the Web over the past couple of days. The flaw, rated "critical" by Microsoft, could enable an attacker to seize control of a vulnerable computer system.

The appearance of proof-of concept code is usually a sign that actual attacks are not far off. Microsoft, when it released its patch Tuesday, urged users to upgrade their systems as soon as possible.

Microsoft recently issued patch MS06-005 as part of its monthly security update. The vulnerability in Windows Media Player can compromise a system through malicious images embedded in the player.

Versions of Windows Media Player affected by the bug include 7.1 through 10. The vulnerability was also tagged as "critical" by the French Security Incident Response Team, or FrSIRT, a research outfit that published one of the two exploits.

Microsoft announced the release of seven fixes on Tuesday, including a "critical" patch for a Windows Meta File vulnerability in Internet Explorer. It exists only in IE 5.01 with Service Pack 4 on Windows 2000 and IE 5.5 with Service Pack 2 on Windows ME, Microsoft said in the security advisory.

See more CNET content tagged:
flaw, media player, Microsoft Windows Media Player, Windows Media, patch

Add a Comment (Log in or register) (20 Comments)
  • prev
  • 1
  • next
hmm thats funny
by xtuser February 16, 2006 7:31 PM PST
my computer has never been infected with one of these "high priority" windows flaws since I got it in 2002. however, it's best to be careful, especially if you do a lot of work on your computer.
Reply to this comment
mine was
by booboo1243 February 17, 2006 1:26 AM PST
Mine ws infected by a virus mear minutes after getting the damn thing. Damn worm attcked though a flaw in Windows that only required me to be online (which I was doing to register windows, and ironically download the patch to cure the vunerabillity the worm got in through)

Windows should be secure out of the box, you shouldn't need to spend hours downloading fixes to it.
View reply
mine's secure too
by stoicnluv February 17, 2006 3:02 AM PST
Windows XP "can" be secure...
Mine's been running for almost 2 years, never was i infected by a virus or spyware. I can't even remember if i ever experience BSOD. You just need to configure file/folder AND REGISTRY permissions, policies and firewall. My XP doesn't have an Anti-virus and Anti-spyware installed, AV software adds strain to HDD so it will last longer. Just make sure you do these first before connecting to the internet, and just be very careful of what sites you visit and files you download.
Same here
by robertcampbell2 February 17, 2006 3:55 AM PST
I've had Windows machines since 3.1 and have had 1 virus. Keep the machine updated and you're reasonably secure...
DeJa Vu? I do believe I've read this story before...
by booboo1243 February 16, 2006 7:32 PM PST
This story was posted minutes ago. Yet, I feel as though I have read it in the past week...and month, and the month before that...

CNet Editor's: Do you copy paste the "Critical Flaw Found In Microsoft Products" story weekly, only changing the name of the flaw and worm used this week?
Reply to this comment
Microsoft Flawed Again.
by System Tyrant February 16, 2006 8:24 PM PST
I bet you thought I was going to complain about Microsoft and it's bugs didn't you. Well, I'm not.

In the past few weeks I have read about flaws in Linux and Microsoft. I've even read about a virus for the MacOSX (couldn't tell you if it's true or not).

I thought about it a bit and the real problem starts with the foundation of computers. First you have the hardware that is mass produced to be sold at the lowest possible price while generating the best bottom line. Then you have old languages that allow for bad programming. Then add legacy code which creates the potential for old flaws to still exist. Top that off with many over worked programmers and deadlines. Then you through in the average user or the user who thinks they know enough to be safe.

What I think we have here is an accident waiting to happen. The more I think about it the more I realize that the problem is really big and way beyond just Microsoft or Linux. Standards are seldom fully followed and cheap hardware is just that Cheap.

I think we need hardware that knows how to monitor itself for bad data and a programming language that makes it much harder for programmers to let bad code slip in. I think we need more openness in the technology world without becoming completly open source. I think we need to work harder at creating and following standards. I think users need to work harder at understanding the systems they are working on. We also need to slow down. Are we all really in that big a hurry to get it all done. When you die it's not going to make a bit of difference to you anyway.

The reality is that programmers can make software more secure and stable and hardware makers can make smarter hardware. However, it's not going to happen until we all realize that the problem with the world is the people living in it. People are the greatest computer this world has ever known and look how flawed we all are. :)
Reply to this comment
Well I for one...
by wazzledoozle February 16, 2006 8:30 PM PST
Welcome our new robotic code-checking overlords.
View all 2 replies
hard to ti have hardware security
by booboo1243 February 17, 2006 1:44 AM PST
The problem how is a piece of hardware ment to know what a program should be doing. There are times when programs need to do things legitimatly that a virus could also use. For instance I might want to upgrade my firewall, I would need to change the firewalls executable, that would be legitimate. However a virus might do the same thing to stop a firewll working.

I think you are getting into the realm of "trustworthy computing" where all apps need to be digitally sined before the hardware will run them. But then you still have many of the flaws that allow a remote attacker to use a legitimate program to do its bidding. Remember the WMF flaw, an image could make Windows execute the code for it.

There are things like hardware DEP which can protect things in memory to try and prevent tampering.

I agree about insecure languages, C allows you to exceed the memory you have reserved and keep going through memory till you run out of the memory belonging to your program, though this is sometimes considered a "feature" which makes it versitile. Simple things like checking user input tend to be skipped, its not taught thourelghy enough, When I was taught to program security of apps was not seen as important. Unfortunatly it is. When apps could only be provided with data from the user it was safer but now apps such as your webbrowser are given data by remote users there can be problems. And even non networked apps can be targetted for privillage escillation, if I have an app with higher permissions running then anopther app could exploit its vunerabillitys to bypass OS execution permissions.
View reply
Flaws
by thedreaming February 17, 2006 7:54 AM PST
The hardware and software we use today is made by people. People aren't perfect so neither is the hardware and software they make.

Programmers CAN program better code and Engineers CAN make smarter hardware but so long as we care more about how much something costs and not how well it performs, we will always have cheap hardware and buggy software.
The Perfect Solution.
by System Tyrant February 17, 2006 9:16 AM PST
We all work for free and for the betterment of the human race.

Ok, now we all know that's never going to happen.

Unfortunatly there is no real perfect solution. If the day comes we build hardware and software smart enough to fix itself or learn and build better version then you get the Terminator or the Matrix.

I'm not sure that in the big picture computers or advancing technology will ever be safe and secure. Someone will always have away to convert a 1 into a 0 when it should have stayed a 1. This doesn't mean that we should work for better hardware and software, but it's just never going to be perfect or unbreakable (at least not in my lifetime).

You could have a programming language that gave you all the power of assembly or C/C++, but by default had that power turned off. In other words in you code you might specify a piece of code that says it's turning on a potentially unsafe bit of code. This way you get all the power you want and you can have a safe (relatively speaking) language. I suppose you could say a language that's VB and C++.

Ah, well. It's never going to happen so I'm done talking about it.
Poof-of-concept only, thats better news.
by solarflair February 16, 2006 9:05 PM PST
Microhard-up needs to evaluate its source code for their media-player. I think with the presure of open source they are starting to ramp-up their patch criteria.

Carry on...
Reply to this comment
Patched before Exploited - even better news
by David Arbogast February 17, 2006 9:20 AM PST
A patch was available for the exploit before the proof of concept existed... and has been available on WindowsUpdate as a critical patch since then.

People who auto-update are protected. People who manually update can only blame themselves for not installing the patch.

At least Microsoft didn't solve the problem by telling people to install the latest kernel.... or uninstall their Databse engine and reinstall the latest version.... "Just upgrade to the latest version" is a strategy that seems far too common with many open-source projects.

It is far easier for a business to test and integrate a patch than it is to evaluate and implement an entire new version of a relied-upon application.
View reply
Microsoft
by mess487 February 20, 2006 5:33 AM PST
I think that Microsoft flaw is too strong to be really attacked.
http://www.referate-romana.com
Reply to this comment
(20 Comments)
  • prev
  • 1
  • next
advertisement

Latest tech news headlines

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.

More feeds available in our RSS feed index.

Markets

Market news, charts, SEC filings, and more

Related quotes

Microsoft (0.18%) 0.05 28.52
Dow Jones Industrials (0.17%) 17.46 10,023.42
S&P 500 (0.25%) 2.67 1,069.30
NASDAQ (0.34%) 7.12 2,112.44
CNET TECH (0.20%) 3.03 1,538.38
  Symbol Lookup
advertisement

Inside CNET News

Scroll Left Scroll Right