The "proof-of-concept" exploits that take advantage of a flaw in the media player were posted on the Web over the past couple of days. The flaw, rated "critical" by Microsoft, could enable an attacker to seize control of a vulnerable computer system.
The appearance of proof-of-concept code is usually a sign that actual attacks are not far off. Microsoft, when it released its patch Tuesday, urged users to upgrade their systems as soon as possible.
Microsoft recently issued patch MS06-005 as part of its monthly security update. The vulnerability in Windows Media Player can compromise a system through malicious images embedded in the player.
Versions of Windows Media Player affected by the bug include 7.1 through 10. The vulnerability was also tagged as "critical" by the French Security Incident Response Team, or FrSIRT, a research outfit that published one of the two exploits.
Microsoft announced the release of seven fixes on Tuesday, including a "critical" patch for a Windows Meta File vulnerability in Internet Explorer. It exists only in IE 5.01 with Service Pack 4 on Windows 2000 and IE 5.5 with Service Pack 2 on Windows ME, Microsoft said in the security advisory.

Windows should be secure out of the box, you shouldn't need to spend hours downloading fixes to it.
Mine's been running for almost 2 years, never was I infected by a virus or spyware. I can't even remember if I ever experienced BSOD. You just need to configure file/folder AND REGISTRY permissions, policies and firewall. My XP doesn't have an Anti-virus and Anti-spyware installed, AV software adds strain to HDD so it will last longer. Just make sure you do these first before connecting to the internet, and just be very careful of what sites you visit and files you download.
CNet Editors: Do you copy paste the "Critical Flaw Found In Microsoft Products" story weekly, only changing the name of the flaw and worm used this week?
In the past few weeks I have read about flaws in Linux and Microsoft. I've even read about a virus for the MacOSX (couldn't tell you if it's true or not).
I thought about it a bit and the real problem starts with the foundation of computers. First you have the hardware that is mass produced to be sold at the lowest possible price while generating the best bottom line. Then you have old languages that allow for bad programming. Then add legacy code which creates the potential for old flaws to still exist. Top that off with many overworked programmers and deadlines. Then you throw in the average user or the user who thinks they know enough to be safe.
What I think we have here is an accident waiting to happen. The more I think about it the more I realize that the problem is really big and way beyond just Microsoft or Linux. Standards are seldom fully followed and cheap hardware is just that: cheap.
I think we need hardware that knows how to monitor itself for bad data and a programming language that makes it much harder for programmers to let bad code slip in. I think we need more openness in the technology world without becoming completely open source. I think we need to work harder at creating and following standards. I think users need to work harder at understanding the systems they are working on. We also need to slow down. Are we all really in that big a hurry to get it all done? When you die it's not going to make a bit of difference to you anyway.
The reality is that programmers can make software more secure and stable and hardware makers can make smarter hardware. However, it's not going to happen until we all realize that the problem with the world is the people living in it. People are the greatest computer this world has ever known and look how flawed we all are. :)
I think you are getting into the realm of "trustworthy computing" where all apps need to be digitally signed before the hardware will run them. But then you still have many of the flaws that allow a remote attacker to use a legitimate program to do its bidding. Remember the WMF flaw, an image could make Windows execute the code for it.
There are things like hardware DEP which can protect things in memory to try and prevent tampering.
I agree about insecure languages, C allows you to exceed the memory you have reserved and keep going through memory till you run out of the memory belonging to your program, though this is sometimes considered a "feature" which makes it versatile. Simple things like checking user input tend to be skipped; it's not taught thoroughly enough. When I was taught to program, security of apps was not seen as important. Unfortunately it is. When apps could only be provided with data from the user it was safer, but now apps such as your web browser are given data by remote users there can be problems. And even non-networked apps can be targeted for privilege escalation: if I have an app with higher permissions running then another app could exploit its vulnerabilities to bypass OS execution permissions.
Programmers CAN program better code and Engineers CAN make smarter hardware but so long as we care more about how much something costs and not how well it performs, we will always have cheap hardware and buggy software.
Ok, now we all know that's never going to happen.
Unfortunately there is no real perfect solution. If the day comes we build hardware and software smart enough to fix itself or learn and build a better version then you get the Terminator or the Matrix.
I'm not sure that in the big picture computers or advancing technology will ever be safe and secure. Someone will always have a way to convert a 1 into a 0 when it should have stayed a 1. This doesn't mean that we should work for better hardware and software, but it's just never going to be perfect or unbreakable (at least not in my lifetime).
You could have a programming language that gave you all the power of assembly or C/C++, but by default had that power turned off. In other words in your code you might specify a piece of code that says it's turning on a potentially unsafe bit of code. This way you get all the power you want and you can have a safe (relatively speaking) language. I suppose you could say a language that's VB and C++.
Ah, well. It's never going to happen so I'm done talking about it.
Carry on...
People who auto-update are protected. People who manually update can only blame themselves for not installing the patch.
At least Microsoft didn't solve the problem by telling people to install the latest kernel.... or uninstall their Database engine and reinstall the latest version.... "Just upgrade to the latest version" is a strategy that seems far too common with many open-source projects.
It is far easier for a business to test and integrate a patch than it is to evaluate and implement an entire new version of a relied-upon application.
- Microsoft
- by mess487 February 20, 2006 5:33 AM PST
- I think that Microsoft flaw is too strong to be really attacked.