Microsoft denies the severity of a Media Player exploit
By Scott M. Fulton, III | Published December 30, 2008, 11:45 AM
The proof of concept for a Windows Media Player exploit does exist, and it has been shared. But it's not a vulnerability, Microsoft said, because it would need to trigger remote code execution...and this one doesn't.
Coder Laurent Jaffié recently posted to some "security" sites (at least one of which clearly deserves the prefix "in-") a Perl script that literally does nothing more than create a malformed .WAV file. If you play that WAV file in Windows Media Player, well, it evidently crashes. And Jaffié's description of the file in his comments actually does not claim to do more than that -- specifically, he calls it a "remote integrer [sic] overflow."
Somehow, the word was spread in recent days that Jaffié had discovered an overflow that triggers the possibility of remote code execution. Yet a check of the Perl script shows no such proof of any concept of exploitability -- literally, all it does is make a WAV file that crashes WMP.
Still, that didn't stop alarm bells from sounding anyway. British IT news site Heise Online tested Jaffié's code and confirmed that it did indeed crash WMP. But rather than take the test further, Heise then took the word of another Web site which claimed the crash was exploitable, prior to that site issuing a retraction yesterday. Heise has not corrected its version.
"Security Tracker say that the vulnerability can allow code to pass through the hole," reads the Heise story. "If this is true it won't be long before real exploits appear. This was demonstrated with the recent zero day vulnerability of Internet Explorer."
But the world at large was introduced to the issue yesterday when Microsoft squashed Heise's report like...well, like a bug, providing technical details to back itself up.
"The security researcher making the initial report didn't contact us or work with us directly but instead posted the report along with proof of concept code to a public mailing list," reads the Security Response Team's statement yesterday. "After that report, other organizations picked the report up and claimed that the issue was a code execution vulnerability in Windows Media Player. Those claims are false. We've found no possibility for code execution in this issue. Yes, the proof of concept code does trigger a crash of Windows Media player, but the application can be restarted right away and doesn't affect the rest of the system."
As the new Microsoft vulnerability team's Jonathan Ness blogged in a separate post, the crash takes place when an intentionally malformed WAV file supplies data that would normally set the rate at which the media plays back, but which instead yields a quotient that doesn't fit in a 32-bit register. That should trigger a CPU exception, but in this case, WMP doesn't handle that exception.
Ness wrote, "There is no memory corruption here and the value does not appear to be used for any memory allocation. Rather, the operation is calculating a value related to the rate at which the media is to be played."
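The condition Ness describes can be shown in a few lines of C. This is an added example, not code from Microsoft, Jaffié or Windows Media Player. It models the x86 unsigned 64-by-32-bit divide, which raises a divide error both for a zero divisor and for a quotient too large for a 32-bit register, and reports either case as a status the caller can handle. The field names and sample values are constructed assumptions, since the article does not say which WAV fields feed the calculation.

```c
#include <stdint.h>
#include <stdio.h>

enum div_status { DIV_OK, DIV_BY_ZERO, DIV_QUOTIENT_OVERFLOW };

/* Software model of x86 unsigned DIV r/m32: a 64-bit dividend (EDX:EAX)
 * divided by a 32-bit divisor, with the quotient required to fit in EAX.
 * The CPU raises a divide error (#DE) for a zero divisor and also for a
 * quotient above 0xFFFFFFFF; here both cases come back as status codes. */
static enum div_status checked_div_64_by_32(uint64_t dividend, uint32_t divisor,
                                            uint32_t *quotient)
{
    if (divisor == 0)
        return DIV_BY_ZERO;
    uint64_t q = dividend / divisor;      /* 64-bit unsigned divide cannot trap here */
    if (q > UINT32_MAX)
        return DIV_QUOTIENT_OVERFLOW;     /* the case described in the article */
    *quotient = (uint32_t)q;
    return DIV_OK;
}

/* Hypothetical rate calculation (units * scale / per). The three inputs stand
 * for untrusted header fields; their names are assumptions, not WMP's. */
static enum div_status playback_rate(uint32_t units, uint32_t scale,
                                     uint32_t per, uint32_t *rate)
{
    uint64_t product = (uint64_t)units * scale;   /* cannot overflow 64 bits */
    return checked_div_64_by_32(product, per, rate);
}

int main(void)
{
    /* Constructed sample inputs: one sane, two malformed. */
    uint32_t samples[3][3] = {
        { 44100u, 4u, 1u },
        { 0xFFFFFFFFu, 0xFFFFFFFFu, 1u },
        { 44100u, 4u, 0u },
    };
    static const char *names[] = { "ok", "divide by zero", "quotient overflow" };
    for (int i = 0; i < 3; i++) {
        uint32_t rate = 0;
        enum div_status s = playback_rate(samples[i][0], samples[i][1],
                                          samples[i][2], &rate);
        printf("input %d: %s (rate=%u)\n", i, names[s], (unsigned)rate);
    }
    return 0;
}
```

A parser that gets anything other than `DIV_OK` back can reject the file as malformed, which turns the unhandled exception into an ordinary error path.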
Microsoft currently considers the problem a reliability issue with Windows Media Player, and is promising to fix it. That fix would most likely come with a future WMP patch, rather than a Patch Tuesday feature.
It's so much fun to watch so many collectively whine when their over-priced hi-tech low-fi version of Hot Wheels goes on the fritz.
The moral: don't mess with big kids' toys.
LOL!
Score: 0
|C'mon BetaNews, go copy and paste the Zune freeze story from somewhere else so we can all have a good laugh.
For a news site that doesn't actually write its own news, you guys sure are slow.
You realize any of us could make a better tech news website than this one.
Score: 0
|Well, isn't this a "troll-fodder" site? I don't think I've _ever_ mistaken it for a tech news site...
That's what Ars Technica is for.
Score: 0
|All tech news sites are filled with fanboys and trolls defending their foolish purchases and venting their buyer's remorse by bashing the competition, which is clearly superior.
Some people can objectively give opinions of products because they don't have to take sides. I own a PS3, 360, and a Wii and can clearly figure out which console is better and for what reasons.
Fanboys just want the whole world to buy what they own regardless of how bad it really is to feel better about their purchase. They figure if more people own it, it can't be as bad as everyone says.
You are either a lemming / zombie / troll without the ability to think for yourself or a free thinker who can admit you made a mistake and move on. I have bought all kinds of expensive items that I have either given away to family members, friends etc...
It's a shame that most of the population has some fixation with having to belong to some type of group or emulate celebrities to feel special.
Score: 0
|On ars right now I get:
Server Error in '/' Application.
Runtime Error
Description: An application error occurred on the server. The current custom error settings for this application prevent the details of the application error from being viewed remotely (for security reasons). It could, however, be viewed by browsers running on the local server machine.
Details: To enable the details of this specific error message to be viewable on remote machines, please create a tag within a "web.config" configuration file located in the root directory of the current web application. This tag should then have its "mode" attribute set to "Off".
Notes: The current error page you are seeing can be replaced by a custom error page by modifying the "defaultRedirect" attribute of the application's configuration tag to point to a custom error page URL.
Score: 0
|"You realize any of us could make a better tech news website than this one."
Go for it. Let us know when it's up. ;)
Score: 1
|So what? The content is still a damned sight better than anything that is _ever_ going on over here.
But you can point out one time where it's not functioning perfectly and believe that proves what?
Score: 0
|"It's a shame that most of the population has some fixation with having to belong to some type of group or emulate celebrities to feel special."
Including those who feel compelled to buy ALL of them! LOL!
Some "free thinkers" also have the self control to not buy many of the products all the lemmings feel they "must" possess. But then they are deprived of that masochistic delight of buyer's remorse entirely.
Score: 0
|A bug that makes Windows Media Player crash. That's all.
Score: 0
|Of course Microsoft denies any culpability. That's one of their better social skills.
Score: 0
|They aren't denying it's a bug.
They are denying that it can be exploited to cause remote code execution.
Big difference, and one I wouldn't expect a troll to comprehend (or at least admit to).
Score: 0
|How is a "bug" different from a "remote execution exploit"?
Score: 0
|What's even funnier is that some care.
Score: 0
|FFS...
You can't be serious..
How is causing a program to crash different than allowing remote users to execute code on your machine?
Really?
You need an answer to that?
Score: 0
|To be fair, /many/ buffer overflows do allow remote code execution, but it is wrong to say it's feasible in all cases.
Score: 1