Feeds

back to article Critical Windows vulnerability under attack, Microsoft warns

Microsoft has warned of a critical security bug in older versions of its Windows operating system that is already being exploited in the wild to remotely execute malware on vulnerable machines. The vulnerability in a Windows component known as DirectX is being targeted using booby-trapped QuickTime files, which when parsed can …

COMMENTS

This topic is closed for new posts.

Page:

E

No title

Or... just don't use Windows?

0
0
Linux

Typical MS...

1) They've only just noticed a security vulnerability that's presumably been around for years...

2) "(We got an error when using Firefox, but it worked fine with Internet Explorer.)"

Why am I not surprised? :)

Here's the best fix:

1) Turn your computer off

2) Buy a Linux magazine

3) Turn computer on

4) Insert CD into computer

5) Kiss goodbye to Windoze

Why Tux? Do I have to explain?!

0
0
Gates Halo

Marketing Ploy ??

MS want us to adopt Vista crap.

0
0
Gates Horns

@AC

Re advice for Windows users - transpose items 3 & 4.

Apart from that, makes a lot of sense.

0
0

This Fix It

Is being fixed...

http://yfrog.com/63screenshotlryp

I was just checking if it would work in Firefox under Ubuntu just in case the authors problem was trying to use Firefox under Windows. I'll let you know, if I can be bothered, if they get around to fixing the fix it but, for the moment, everyone else will have to use the fix it to fix Internet Explorer under Windows when they manage to fix it.... the fix it that is...

Perhaps someone else can check, when it is fixed, whether it fixes the problem using Safari, or whatever browser folks use, on a Mac.

Can't be too careful about this Critical security stuff you know!

0
0
DT

damned if they do, damned if they don't = asper (yawn)

@a/c you missed out the other vital steps

6) Migrate all your old data.

7) Take a course on learning how to use linux

8) Spend a month attempting to find/learn programs which did the same as your previous windows programs.

9) Spend another week learning/re-configuring your machine to dual boot as you realise that half your business/engineering/accounting software and none of your games will run on linux

10) Another half day to give up, uninstall linux and reinstall all the apps you were used to.

11) five seconds to click on the link provided

Or you could just skip to stage 11.

Linux might be fine for surfing tinternet, hosting websites and doing all manner of techy things that get you guys wet, but frankly it's niche. Computers are for running software and last time I checked gloating isn't a "killer app" , but an effective way of putting people off your little club.

0
0
Dead Vulture

i don't use linux because...

...I can't turn up to work at 11am in a black teeshirt and jeans my mum bought for me

surely "this is why you should use Linux" type comments must now be regarded as trolling?

saying this mind, I can't get the fix working either

0
0

@AC @Kwac

Sigh..... Although I may be wrong as well...

1) Turn off Computer.

2) Turn on Computer.

3) Tap DEL (or as appropriate) during boot.

4) Find appropriate settings, Under Advanced Cmos settings ?, and select Boot From CD as first option.

5) Select boot from HDD0 as second option.

6) Insert Live CD

7) Save settings and exit, F10 Y, ?

Oh...... silly me. It's Windows. Autorun/Autoplay will sort things for you.

1) Insert LiveCD.

2) Follow On Screen Instructions.

That's the trouble with you Linux people. It's always got to be so 'bloody' complicated. Even Windows makes migration to Linux simpler than your sort would have things.

0
0

This Fix It...

Which was being fixed......

Has now gone AWOL

http://yfrog.com/89screenshot1crep

0
0

Work around on MS website returns 404

Thank you for the notice of the vulnerability, wanted to share that as of 7:26pm San Francisco time, the referenced Microsoft article's workaround link returns a 404 error in IE 8.

0
0

@Slappy Frog

"wanted to share that as of 7:26pm San Francisco time"

OH CRAP!!!!!!

"This Fix It By Camilla Smythe Posted Friday 29th May 2009 00:27 GMT

Is being fixed..."

Sorry about that peeps. Looks like trying to use the fix in Firefox under Ubuntu ended up breaking Miscrosofts website. :-(

0
0
JC
Gates Horns

Linux Isn't The Answer

If enough people start running 'nix, crackers will just start targeting it too. Enjoy your exclusive club boys, the worst thing for you is to get every lame user out there on the boat. Pretty soon they'd have to dumb down the interface and sprinkle large rainbox colored boxes and wizards into it, push self-destructing updates and start charging more through OEMs to support all these less savvy users.

OEMs then have to pay more for people that know more than clicking a mouse in windows which raises the OEM cost to nearly what it is with windows since MS nearly gives it away to OEMs.

Things are the way they are for a reason, there is balance in the world it's just not an OS market share balance.

0
0
Anonymous Coward

Me too

@Slappy Frog - same here - 8:17 PDT "Internet Explorer cannot download enableadvisory971778.msi" Goes on to say, not able to open the site...

And Swedish Chef says "Bork, Bork!!" :)

0
0
Thumb Up

If Windows is the answer

...it was a bloody stupid question.

0
0
Anonymous Coward

DirectX is a Security Hole

Don't blame Microsoft because the whiny developers keep writing stuff that needs DirectX.

0
0
Linux

@ Linux Isn't The Answer

You have a point.

Of course, targeting 'nix would STILL require more work than targeting Windows boxes.

Since most "crackers" are looking for little more these days than :

1) Your credit/bank info, so they don't have to go work for a living.

2) Your online game username/pass, so they don't have to work for a living

3) Some pron, 'cos they're unemployed w*nkers..

Then they are infinitely less likely to go to the trouble of trying to crack linux, and instead will stick with their tried-and-tru methods of using the latest pre-built 'pwning' tool.

Tux, cos he's a flippin' penguin!

0
0
Linux

Oh gee!

Another hole the size of a bus in Windwoes. How surprising. And the fix broken? Gee.

Beats my why anyone continues to buy this crap.

0
0

(puts on sh*t proof coat)

With some trepidation ... Isn't one of the advantages of 'nix that open source means not just the authors can look at a fix? I run windoze and unix derived op syss here. The revisions and updates seem to come faster on the open source software on both op syss, the difference being that more of the software on the unix derived machines is open source. There may well be an argument that there is more to be fixed on the open source software... but in use , there seems little difference in the failure rate (crash vulnerability or non functionality) . If I could run dragon dictate and my winodze games under a 'nix variant , I'd happily drop the last b*stard calf of the Microsoft cash cow in an instant. My in-house rule is all new apps must be open source and run on both opsyss.

0
0
Anonymous Coward

Am I wrong but...

isn't quicktime apple, and the article says that the quicktime filter was removed in vista, wouldn't apple have made the quicktime filter? I mean if you don't install quicktime but have direct x are you still vunerable?

0
0
Thumb Up

Hey

Maybe MS should add two more buttons to that page:

1. Uninstall Windows

2. Install Linux

0
0

re:Typical MS...

6) get the s*%t licked out of you by your it department cos now all your companys programs will not work

most of the windows computers in the world are in a corprate inviroment and most companys use windows and windows programs for very good reasions

0
0
Linux

polarity

It increases.

Every new story of yet another Microsoft fuck-up brings out those who are now at peace and can laugh at this because they've moved on to Linux/Mac.

Then there's those who clearly tried Linux but gave up after a couple of days and think themselves most clever and witty as they go about flinging mud. (Whereas really they just look silly. What a brave decision - I'll keep this OS that I know is badly written, that I know is over priced, by a company oft convicted of dodgy behaviour, that is just waiting for someone to discover the hole that will bring Windows down globally, that I have to add extra software to in order to make it halfway safe to use online and all this SO I CAN PLAY GAMES!)

And then there's the last hopeless few - still defending the indefensible (Microsoft). Still flinging words of hate and bitterness at those who have escaped. Stockholm Syndrome doesn't even come close to describing these folks.

Point being that each and everytime a story like comes out the contrast seems a little more pronounced.

OS's are tools. Microsoft make demonstrably poor quality tools. Apple make reasonably high quality tools.

Linux is just awesome - can be frustrating but that is almost always down to lack of user knowledge rather than lacking functionality.

The biggest attacks on Windows (in my own experience) come from animated icons in MSN and game key-generators and cracks.

Moral of the story is - if you hang about in disreputable places inserting your unprotected tool into places you're not sure of - you get infected.

Just like sex really.

But Linux still pisses all over the competition.

0
0
Anonymous Coward

Ah as normal...

a possibly useful post about a ms vunerability (which is actual fact looks more like a apple vun as far as i can, as i'm sure quicktime filters are not installed as default so if its not installed, no issue ,but there you go ) causes rants about using linux.

there are different O.S's for different people, as half the users in the world can barly handle windows way of installing drivers how the hell do you think they are going to manage to recompile a kernal to install a driver!!

Different od for different people, understand that, and kindly sod off from hijacking a comment thread to spew anti ms crap. If you don;t like it actually do something proper about it, rather than wasting your time ranting on the internet!

0
0
Stop

RE: damned if they do, damned if they don't = asper (yawn)

DT wrote: "Linux might be fine for surfing tinternet, hosting websites and doing all manner of techy things that get you guys wet, but frankly it's niche. Computers are for running software and last time I checked gloating isn't a "killer app" , but an effective way of putting people off your little club."

...and what do the majority of users do with their computers. Oh, wait. It's number one on your list "surfing tinternet". They might also need a copy of Open Office, just in case. Apart from that, they're good to go. It no longer takes a PhD in Computer Science to understand Linux, my friend installed in instead of WIndows on his PC and he's a computer amatuer. So far he has asked me for advice a total of zero times...

0
0
Anonymous Coward

hum just read...

.. that the parser in error is apparently not quicktimes own one, but is MS's one (didn;t think apple woudl allow ms to code that but hey ho :p)

my rant about anti ms people is still valid tho!

0
0
Joke

boobytrapped quicktime files?

If you're going to target windows, you might as well use a common windows format file to do it. Seriously, how many windows users routinely use* quicktime files?

*if iTunes didn't secretly install every other apple program ever written along with itself, most people wouldn't even be able to play them.

0
0
Anonymous Coward

This is where the title should go.

@DT - Incredibly well said.

Where's the evil Tux icon?

0
0

Nice to See AV firms business plan in action

I think that Anti-virus firms are the only working example of perpetual motion machine!

If these so called 'anti-virus' businesses where actually interested in security they would most likely start to issues advice about changing to a secure operating system.

While they have to put bread on their tables there is no doubt they could other ways to make money, and from what I know they list they have of options is very long...

Does anyone else notice that when they comment here they get some interesting firewall logs, or is it just me?

0
0
DS

Make the change NOW.

For years, you've been told not to run as admin.

Take note, make the change, or pay the penalty.

There are no excuses for running as admin on your day to day account. End of discussion.

0
0
Jobs Horns

The simplest answer is

Do what I do, and don't let that dirty abomination of a file format anywhere near your computer.

It's just as bad, if not worse than wmv for DRM infections. At least WMV has some redeeming features, like compression that doesn't come straight from the stone age.

I've been seeing the qt format replacing wmv files as the malware speading choice on p2p networks for quite some time now.

And remember, kiddies. This isn't a vulnerability in the OS. This isn't a vulnerability in the in the DirectX API. This is a vulnerability in the Quicktime implementation, which was supplied by....

Apple! The purveyors of the worst 3rd party software in the world, by a full length.

Their media player is so shonky that it belongs in the dustbin alongside Realplayer. This is the reason we have open source codecs called Real Alternative and Quicktime Alternative.

ITunes is one of the biggest piles of gated community excrement ever to have insulted our collective intelligence. Never mind open source, it's not even open functionality, and it breaks most 3rd party disc writing software when you install it as it tries to DRM your system up to the hilt.

Don't believe me? Google "itunes upper filters" to discover a torrent of tear soaked forums filled with people desperately trying to get their CD drives back.

Quicktime is a creaky old format, and as with all old standards it was inevitable that gaping security holes were to be discovered. The only reason it still exsists at all is because appletards are still forced to use it.

0
0

would this work

on quicktime alternative codec ???

and why is nobody blaming apple for this ??

their bloody codec and player are as bad a malware once installed on ur computer ...

Although i would agree in thinking that M$ have waited till win7 was almost ready for release before admiting to this !

0
0
Flame

Move along

nothing to see here...

0
0

404 Error

In IE6 & 7 and it's even less happy under chrome.

As a Linux user since 94 I feel that I have to point out that I can't stand the Linux fanboi mentality (or BSD, windows, apple or even BeOS fanboi).

If everybody switched to Linux tomorrow you would switch to BSD or something as all the refugees would bring down the tone of the neighbourhood.

Now if only my house could support the power and cooling requirements to satisfy the VME machine I have just been offered

0
0
Thumb Up

@DT

LOL! well said - finally some realistic perspective on things.

0
0
Thumb Down

known as DirectX?

"The vulnerability in a Windows component known as DirectX is being targeted"

Is this a site for IT Pros? I'd be very surprised to find a reg reader that doesn't know what DirectX is, I'm not sure why of late the Reg feels the need to write as though it's articles are going to be printed in The Sun.

0
0
Thumb Up

Microsoft should fix this on newer and current operating systems

Oh wait. They did already.

It's all very well the *nix fanbois having a laugh about this but this affects operating systems that are at least 7 years old now.

0
0

Linux v Windows

Recently started playing with Linux (would have been sooner but the sometimes rather rabid fanboyism tended to put me off).

Actually got interested in OS's again, so thought I'd create a couple of partitions on my aging machine with 512MB RAM, whacked Windows 7 RC on one, tried a couple of flavours of ubuntu on the other.

Wanted something to watch tv, browse a bit of 'net, p2p - nothing too taxing.

Windows 7 ran surprisingly well with IE8 and FF3 running several tabs each and Freeview in Media Centre coming from an old Freecom USB stick (once I'd found drivers for it; Win7 didn't find them automatically) - although that was obviously it's limit as I'd get a pause or two occasionally.

Seeing comments on the good ol' Reg repeatedly telling me Linux is so much less demanding on older machines than Windows, I gave Ubuntu a go.

Tried "standard" Ubuntu - damn that default brown theme is ugly ;), tried Mythbuntu for the TV - failed to install properly; probably my fault for not being clued up enough on Linux.

Then had a look at Kubuntu - now we're talking, I thought. Really liked it with the gadgets an' all - excellent idea to have your UI gadget based I reckon. Took some time to get it to work on both my screens, mostly because of X server config file permissions not letting me save the changed settings.

Running Firefox and Opera with the same tabs as I had in Windows 7 and Kaffiene for TV seemed to work slightly less well than Windows 7, more pauses and telly quality not as good.

Now, I don't know if I could improve Kubuntu performance with the right configuration and optimisation settings, but right now I'm still leaning towards Windows, with Linux an interesting "hobby" OS for when I can afford either a new computer or at least some more RAM.

Windows just seems "to work" a little bit more than the distros of Linux I tried. Perhaps I'm more biased because I'm used to the way Windows works - but that could also apply to the majority of computer users out there, too.

0
0
Gates Horns

Fix doesn't even work in IE for me

When I try to download the file the "fix it" button links to, it gives me a file not found error. Top job Microsoft! Not only does your operating system not work, neither does your fix for it!

0
0
Gates Halo

@ polarity

Yeah, I noticed how many Linux zealots were posting from their mothers' homes / student digs today too.

Fortunately they are balanced by more sensible industry commentators who use computers to do actual work.

0
0

@AV Firms

Aren't AV firms really just software houses? So yes, why change a good thing!

"exploited in the wild" - Where else is this new nasty going to be exploited??!

0
0
Stop

Stick with Windows, all will be calm again

Stay with Windows, don't look to OS X or Linux, there is nothing to see over there.

Everything will be right, Redmond is looking into the problem and all will be fixed and calm again.

Peace!

0
0
Stop

This is not an Apple component

Before people start blaming Apple for this because the vulnerability mentions QuickTime, note that the problem is with the QuickTime Movie Parser Filter that Microsoft provides with DirectShow pre Vista. The QuickTime Movie Parser Filter is Microsoft software used for working with QuickTime 2.0 files and older.

0
0
Linux

Just how bad does Windows have to get?

No matter how bad Windows is revealed to be, or how good the alternatives are, there will always be those who are can't bear to give up on what they spent so much time learning. In the mid 90's I worked with someone who'd learnt his computing using DOS and when Windows 95 came out was simply too terrified to give up DOS (even though Windows 95 was an excellent version of DOS). His idea of teaching people to use word processing was to show them EDLIN! The excuse he used was that the new OS wouldn't run games or "business apps" properly. The real reason was that he'd invested so much emotion in learning DOS that the arrival of a new OS made his knowledge seem obsolete and threatened his psychological equilibrium.

0
0

To the people suggesting the switch is difficult ...

6) Migrate all your old data.

Like when you upgrade Windows and it feels the need to trash everything on the way in?

7) Take a course on learning how to use linux

If you need a course to switch to Ubuntu from Windows you probably shouldn't be using a computer.

8) Spend a month attempting to find/learn programs which did the same as your previous windows programs.

It doesn't take a month; most are installed by default on Ubuntu.

9) Spend another week learning/re-configuring your machine to dual boot as you realise that half your business/engineering/accounting software and none of your games will run on linux

Configuring dual boot adds less than 15 seconds to an Ubuntu install, assuming you want to tweak the configuration. A week my arse. By comparison, note that Windows cannot set up a dual boot configuration with an existing Linux installation or even resize partitions during installation (as far as I recall, but I"m prepared to stand corrected if they've fixed this with Vista / 7.

10) Another half day to give up, uninstall linux and reinstall all the apps you were used to.

Actually most users will find that Windows is harder to install and get running. No full end-to-end GUI installer, no Live CD. No office applications installed by default after you reinstall. Product activation. Etc., etc.

... and ...

3) Tap DEL (or as appropriate) during boot.

Not required; my BIOS is configured to boot from optical first if a disk is there. Not my doing, but the hardware manufacturer's. Also, please note, you'll need to do this to install Windows too.

4) Find appropriate settings, Under Advanced Cmos settings ?, and select Boot From CD as first option.

Again, you can't blame Linux for your BIOS menus. Mind you, on my PC this is under 'Boot order' which seems reasonable enough.

5) Select boot from HDD0 as second option.

Again, should be easier than that with a modern BIOS. Mine labels this option 'Internal hard drive' and also has this as the default setting anyway.

6) Insert Live CD

A Windows Live CD? Really? Where can I get one of those?

7) Save settings and exit, F10 Y, ?

Oh...... silly me. It's Windows. Autorun/Autoplay will sort things for you.

1) Insert LiveCD.

Again I say, a Windows Live CD? Or a Linux one? Are you telling me Windows Autoplay will understand how to boot a Linux Live CD? Or boot a Windows DVD so you can have a play with it without installing?

0
0
Paris Hilton

Re: @ Chris Matchett

I wouldn't say that Microsoft fixed this vulnerability in newer and current OSes (according to Microsoft, XP is still a current OS so your argument is flawed from the beginning!) - they simply didn't include the affected component in versions of DirectX released with Win2K8 and Vista. That doesn't mean however that they fixed it... capiche?

Additionally, I'd disagree with the implication you're making that this vulnerability isn't serious because it affects systems that are at least 7 years old now. That means that, as well as the operating system, the vulnerability has been around for a long time too. It hasn't been disclosed until now - possibly because any cases of it being exploited weren't public until now- but we'll never know when Microsoft were made aware of it. Maybe they only became aware of it very recently... maybe they knew flippin' ages ago but decided it wasn't in their interest to disclose it. Who knows? We never will.

The "security by obscurity" model that Microsoft continues to adhere to means that these vulnerabilities can remain hidden from the user base for potentially years. However, that's not to say that the Bad Guys aren't aware of such vulnerabilities and secretly using them.

One of the great things about open sourced software is that it opens it up to be scrutinised by a million pairs of eyes... sure some bad people may look through the code to try and find flaws, but they do that with Windows, OS X, etc... in any case. I'd rather have millions of the Good Guys actively looking for and fixing bugs rather than expecting Microsoft or Apple to pick these things up once the code is already written and out there (which they weren't able to do before it got released so what makes them more likely to do so afterwards?).

ps - anyone else getting very bored of the tedious OS flame wars that are becoming too commonplace at El Reg? This ain't Slashdot.... I thought we were all IT professionals.

Paris.... cause she's not adverse to opening herself up for scrutiny by millions of pairs of IT geeks' eyes either.

0
0
Anonymous Coward

A title is required

I don't want to get all fanboi-y, but all these "but linux is hard" complaints are rather outdated. I've recently moved my notioriously computer-scaredy housemate over to linux (linuxmint, the even-friendlier, and much prettier, version of ubuntu), and she loves it. She doesn't care what the OS is, she runs her windows games under wine without knowing what she's doing - they just work, and that's all that matters. She browses the web, writes documents, manages her photos, does email, prints stuff, watches iPlayer, uses Spotify, blah blah blah - it all just works.

Every so often, I have to help her with something. But usually only ever once, because - being a human being, she's capable of learning and the logical, consistent and above all human-readable nature of linux means learning is a lot easier. I get a LOT fewer requests for support over the six months she's been using linux than I ever did when she was running windows, which she's been doing for almost ten years. What I do get is comments like "isn't this linux thingy clever" and "my computer feels so much faster". For my part, I don't have to worry about her picking up anything nasty from browsing around the internet, nor do I have to run around installing patches and fixes and so on - apt does that all for me. From my point of view, and from my housemate's point of view, using linux is a no-brainer.

Not trying to make any judgements about which OS is bestest or anything, just saying that the old preconceptions about linux being hard to use are a bit outdated now. In my experience, it's far simpler to install - and to run - than Windows is for the vast majority of cases. Yes, sometimes the less mainstream stuff can take a bit more effort, but then it's not like everything under Windows is always entirely effort-free. Whether that makes linux 'better' or not is a moot point. I'm sure other people can argue all day about that, I don't really care. It's better for me, and it's better for my housemate and that's all I can say with any certainty.

Just for the record, installing linux these days is, as Camilla would like:

1) Insert LiveCD.

2) Follow On Screen Instructions. (which include "Would you like your current bookmarks/addressbook/filez/etc migrating to your new linux install?")

Honestly that simple. You don't need to mess about booting from CD, it'll all just happen using - wait for it - Autoplay. Not hard. Easy. Also, DT, most users don't need a course to learn how to use a windowing gui. They already can. They can click a menu, drag-and-drop a file, make a folder and fill it up, open a downloaded file, etc - and that's all most people need to do. I have the same low opinion of users as anyone who's worked in IT support, yet even I don't think they're so stupid they can't manage using some slightly different-coloured windows/menus.

Oh, and Eddie - my computer does actual work, under my instruction. I'm an IT professional, and I use linux in my job because, for me, it means I can get more work done for less effort. For me. Your experience might be different. Attitudes like yours are just as bad as the freetard's default whine about "teh 3vil Micr0$0ftz".

0
0
Thumb Up

@Marketing Ploy ?

Exactly what I was thinking, have I really become that jaded by MS antics lately?

Sorry Bill and Steve, but we know you need to dump the older installs so you can move forward, but why not stop allowing backwards compatability junk in each new revison, rework a new O/S ala Apple?

Oh no of course you can't, you would lose all that loverly wonga from the businesses who need to you to maintain the backwards compatibility else they would all simply load up Ubuntu and run Wine to keep those 10-15 year old 16 bit Windows apps going!

Bill and Steve B, you made you're beds, now lie in them!

0
0
Silver badge
Thumb Up

@Charley

You or the Reg have got to put that on a T-Shirt, that is the best, neat little comment I have read all day!

Well done sir!

0
0

There is a fix!

If there is a fix for this, then which haven't MS pushed it out using Windows Update?

0
0
Anonymous Coward

@ Geoff

"If you need a course to switch to Ubuntu from Windows you probably shouldn't be using a computer."

so with that comment i will admit you hit the nail on the head, but you hit the nail into your own head.

A high perentage of windows users are NOT TECH SAVVY, they get confused by mice and double clicking let alone anything else. Comments like yours just reinforce the fact that windows is better for the average users becuase hte average user WOULD need a course/book to help them switch to anything else anyway! let alone anything that requires command line and can't be done with a double click.

0
0

Page:

This topic is closed for new posts.