Security researchers are warning that popular media players offered by Microsoft and AOL are vulnerable to attacks that can completely compromise a user's PC. Attack code has already been released for the bug, which has been confirmed in a codec used by older versions of Windows Media Player, made by Microsoft, and in AOL's …
Perhaps it should read "more vulns"?
Aside from that, Media Player Classic isn't made by M$. It's made by Gabest.
Back to Java then
If people can't trust their media player, they can always run a Java one. Safe, reliable, upgradeable.
One man's mead...
"Taking care not to click on suspicious links in browsers and email programs should suffice"
If we could trust the general population to do this then we wouldn't have viruses, exploits and other malware running around the world like wildfire. WE (as reg readers) are neither the kind to get exploited by this and nor are we the kind to whom the advice is directed. But you have to remember, a lot of people are stupid and, even more importantly, a lot of seemingly intelligent people become stupid in the face of technology. They elevate someone to the role of 'knows computers' just because they know where the on switch is and if they can manage to order something from Amazon or find the lyrics to an old song on Google then they become revered as IT Gods.
SYS 49152 eh? Ahhh.. the good old days of the Commodore 64....
I suspect anything short of disabling the codec would leave you vulnerable to webpages with embeded media at least via Internet exploder, so their advice is probably more correct than the advice presented in this article.
Re: Back to Java then
I think you missed out Slow, Inefficient, Resource hogging?
Re: Re: Back to Java then
> think you missed out Slow, Inefficient, Resource hogging?
So no different from WMP then?
Winamp version 3.5?
I assume you mean 5.3 - there is no such thing as 3.5, Winamp 3 died before it got that far.
Winamp not vulnerable
The exploit linked to appears to be an older exploit for 5.32, the comment at the bottom of the exploit actually states that it was patched by the vendor in at least 5.5, released back in October. And from a quick glance, seemed to be a completely different issue. Secunia also reports no unpatched vulnerabilities in Winamp:
However, if the problem is with the 3ivx product, which is a directshow filter. And is installed on the machine, and Winamp is configured to use 3ivx instead of its built in MP4 decoder, then I'd assume you could still cause an exploit via 3ivx. The same is true of ANY directshow enabled media player. Which counts pretty much any media player on windows utilising the windows media/directx api, including embedded media in IE and Firefox and Opera.
However, 3ivx is not a part of any of the reported applications, so would only be installed should a user have done so, either knowingly, or unknowingly via one of those "codec packs".
WMP 6.4 = Win 95?
Win 95 on the web?
That must be fun
RE: WMP 6.4 = Win 95?
Actually, if you don't want all your resources eaten by the various functions and eye candy included in the newer versions, 6.4 is a good little player.
It's also included as part of XP, under Program Files\Windows Media Player\mplayer2.exe
If you know and trust the source of all your videos, and don't run IE or have it plugged in to firefox, it's even safe :-P
Presumably, using it with ffdshow to display divx/xvid, it wouldn't matter about IE or playing untrusted videos, as ffdshow uses it's own libs instead of seperate codecs. I could be wrong though.
mplayerhq.hu - open source, Windows version, own codecs...
I guess there'll be 100's of 'skiddies out there now downloading "maliciously crafted" Paris Hilton videos. But then again, anything with her in it is malicious... I always feel like I've been infected with something after seeing The Simple Life.
Sounds like it's been specifically crafted for those dodgy people that download dodgy vids off the net. The Media Players concerned are all packaged in the ACE Mega Codecs Pack which contains pretty much every popular codec going.
"We are not in the business of scaring people." -- Symantec
Since El Reg's moderators won't take a standardized form for critiquing their standardized security articles, I'll just have to go all out on the biggest flaw in this article:
It quotes a computer security firm with a financial interest in publicizing this problem.
This still rates a 6 out of 10 on the BS Meter: "We're here to protect you." But any rating from 4 ("We're not in the business of scaring people") and up may apply.
@One man's mead...
> If we could trust the general population to do this [not clicking on "suspicious" links] then we wouldn't have viruses, exploits and other malware running around the world like wildfire.
Surely the point is that if the software was properly written - even just *slightly better* written - then it wouldn't matter WHAT people clicked on. Even "suspicious" links. (whatever *they* are - do you have some way of spotting them in advance?)
Back to Java then (again)
Once you get to full frame rate video with plenty of CPU power to spare, it doesn't matter much how much resources a media player takes.
A Ferrari on a motorway goes pretty much the same speed as a mini. What matters is that it arrives without breaking down - or perhaps a better analogy in the case of a virus is to arrive without the road ahead being destroyed. Reliability and security come with Java.
re: Back to Java then (again)
Lemme see: the issue is that there's some sort of unchecked input vulnerability in the 3ivx codec; since it leads to a stack-smashing attack it's almost certainly a buffer overflow. Care to explain again how writing the media player in [insert fashionable language du jour] here is going to make a blind bit of difference. Or are you positing that the world's codecs should all be re-written in Java - a language which, let's not forget, is oh so suited to bit-twiddling, coming second only to COBOL in that particular race.
Here's 5 pence; feel free to go buy yourself a clue then once you're done you can come back and join the conversation.
Java strikes back
I admit writing codecs in ARM machine code was quite fun, particularly when it came to bit twiddling, but codecs these days don't need that much bit twiddling. With a modern JIT, Java isn't that different in performance to C++ - with similar bitwise operators too.
I'd be very intrigued by a Cobol media player - though it wouldn't be much use as my browser can't run Cobol! But it can run my Java media player, as can almost every browser on the planet. And without buffer overflows.