M$ Media Player open to attack! How???

[Xeen]

I found this article on M$'s site that says that Windows Media Player is open up to attack from intruders unless patched because of the code it uses in changing skins!!!!

How the fuck is this possible?? How could a MEDIA PLAYER be written in such a way that it allows hackers to get into your pc???

http://www.microsoft.com/downloads/details.aspx?FamilyID=012f143a-77d1-4f6f-9338-5a6332614532&DisplayLang=en

[Stilly]

its possible when you integrate that shit in your OS

[Laukev7]

Perhaps the same way that allows script kiddies to use a word processor to execute macro viruses or hackers to exploit the DirectX game API.

[Seth]

quote: How the fuck is this possible?? How could a MEDIA PLAYER be written in such a way that it allows hackers to get into your pc???

Maybe when they outsourced their projects to places like India, etc., programmers there put in backdoors into the OS.
If memory serves me right, didn't the first infamous virus come from Pakistan in the 80s, and was called, appropriately, the Pakistani virus ? Two brothers selling pirated softwares from their shop would sell infected softwares to Westerners because, and their reasons were,  these foreigners were deliberately breaking their countries' laws by buying these pirated softwares and should be punished, whereas the locals were sold virus free softwares because they were not breaking any Pakistani laws (as there were none)!! IIRC, they even had the audacity to leave their address in the inner most sector of the pirated softwares' floppies.

[ September 08, 2003: Message edited by: Seth ]

[Refalm]

http://www.openopen.org/ie/

[Zombie9920]

Umm ok? I'm using Windows and Internet Explorer and that page didn't do shit. Really, that page looks retarded because it is telling me that I wouldn't be viewing it if I were using IE and Windows. You know, people who sit on thier ass all day and try to exploit *any* software..I don't care what it is....have way too much time on thier hands. Maybe they should get some friends, get a woman or hell even get an imaginary friend. People like exploiters are who give the internet a bad name. As far as I'm concerned they are nothing more than a waste of skin&bones and a waste of the electricity they use in the process of creating exploits.



FYI - The old cd-rom eject trick didn't work on my system either. Software is only as good as the person administrating the computer.

[Zombie9920]

Lets not forget to mention a few exploits found in Mplayer.

http://www.security-corporation.com/articles-20030902-002.html

http://www.security-corporation.com/exploits-20030906-000.html

Myth - Ohhh, MPlayer is open source!! Surely it doesn't have any flaws(*riiight*)!

Fact - All software has flaws. You will never find a perfectly coded piece of software(app/os/game, etc.). Get over it.

(Edit)I decided to add a little way of crashing Mozilla.

http://lists.insecure.org/lists/bugtraq/2003/Sep/0082.html

Some Mozilla advisories

http://www.secunia.com/product/1481/

A KDE/Konqueror problem that doesn't even have to be exploited to cause harm.

http://www.securityfocus.com/bid/7520/exploit/

I think this is related to the above listed KDE issue. It is called the KDE Referrer Authentication Leak

http://www.derkeiler.com/Mailing-Lists/Full-Disclosure/2003-07/1178.html

If Open Source security issues were made public like MS ones are you would see at least 1 new exploit a day being mentioned. You would easily see 10x more security warnings for Linux than you do for Windows(on average...the 10x figure is actually a little low). Why don't people like to mention all of the bugs in Open source stuff? The bugs exist and the security vulnerabilities are real(just like security vulnerabilities for MS products).

[ September 09, 2003: Message edited by: Viper ]

[Faust]

quote: Umm ok? I'm using Windows and Internet Explorer and that page didn't do shit. Really, that page looks retarded because it is telling me that I wouldn't be viewing it if I were using IE and Windows. You know, people who sit on thier ass all day and try to exploit *any* software..I don't care what it is....have way too much time on thier hands. Maybe they should get some friends, get a woman or hell even get an imaginary friend. People like exploiters are who give the internet a bad name. As far as I'm concerned they are nothing more than a waste of skin&bones and a waste of the electricity they use in the process of creating exploits.

Yes they are lame and need to get lives.  But THEY WILL ALWAYS BE THERE.  People who say break into banks are lamers as well, but they wont stop just because you think they need to get a life, so what you do?  YOU GO TO A SECURE BANK.  When my bank gets broken into I'm not going to blame only the robbers, I'm going to blame the bank and the bank admins as well.

 

quote:If Open Source security issues were made public like MS ones are you would see at least 1 new exploit a day being mentioned. You would easily see 10x more security warnings for Linux than you do for Windows(on average...the 10x figure is actually a little low). Why don't people like to mention all of the bugs in Open source stuff? The bugs exist and the security vulnerabilities are real(just like security vulnerabilities for MS products).

I use Debian and the Debian philosophy is that all bugs are made fully public.  In fact any Tom Dick or Harry is allowed full read access to the bug database as theyre submitted.  Thats not "after the bug has been looked at by an admin, thats as theyre submitted.  Oh and would you like to offer any proof or is this just anecdotal?  Yes software will always have exploitable flaws, but I prefer software where those flaws can be fixed quickly.

edit:
 

quote:Fact - All software has flaws. You will never find a perfectly coded piece of software(app/os/game, etc.). Get over it.

Not all software is perfect, but that doesnt mean all software is as exploitable as the rest.  If whitehouse.gov and other top level US sites choose to use an Open Source codebase (OpenBSD) then Open Source and Free Software is good enough for me.

[ September 09, 2003: Message edited by: Faust ]

[Xeen]

quote:If whitehouse.gov and other top level US sites choose to use an Open Source codebase (OpenBSD) then Open Source and Free Software is good enough for me.

Bad example - someone could use the same argument for using Windows. Homeland Security is now stuck using the buggy Window Server 2003 and XP and Office because the dick Tom Ridge or someone who works for him was stupid enough to sign a $90 million contract with M$.

[Faust]

Good point, but even Zombie has admitted in the past that OpenBSD is a good server...  BTW Seth that sig is massive, could you shrink it a bit please?  (with a cherry?)

[Seth]

quote:Originally posted by Faust:
Good point, but even Zombie has admitted in the past that OpenBSD is a good server...  BTW Seth that sig is massive, could you shrink it a bit please?  (with a cherry?)

Done!  

[emh]

quote:Originally posted by Viper:

Myth - Ohhh, MPlayer is open source!! Surely it doesn't have any flaws(*riiight*)!

Fact - All software has flaws. You will never find a perfectly coded piece of software(app/os/game, etc.). Get over it.

No one ever said MPlayer didn't have flaws.  The difference with open source software versus non-open source software is that the flaws are indeed posted for everyone to see so that someone can fix it.

 

quote:
If Open Source security issues were made public like MS ones are you would see at least 1 new exploit a day being mentioned.

Um, the security issues are being made public.  They're available for everyone to see on the sites where the software originates, as well as the fix, not to mention most Linux sites post security advisories on software when they are discovered.  Just because they're not announced on CNN or MSNBC doesn't mean they're not public.
 

quote:
You would easily see 10x more security warnings for Linux than you do for Windows(on average...the 10x figure is actually a little low).

This is possible, but it's because it's always undergoing rigorous testing and even the smallest security flaw is posted for everyone to see so that it can be fixed ASAP.  The mere number of security flaws doesn't tell the whole story of security of software.  Whereas, we have Microsoft, who doesn't acknowledge flaws unless someone tells the media.  (At least that's how I see it.  Whether it's accurate or not, I couldn't say.)
 

quote:
 Why don't people like to mention all of the bugs in Open source stuff? The bugs exist and the security vulnerabilities are real(just like security vulnerabilities for MS products).

See above.  Bugs are mentioned all over the place, and in 99.9% of the cases, the fix is mentioned along with the mention of the bug.

[ September 09, 2003: Message edited by: emh ]