back to article Media player users beware: more vulns ahead

Security researchers are warning that popular media players offered by Microsoft and AOL are vulnerable to attacks that can completely compromise a user's PC. Attack code has already been released for the bug, which has been confirmed in a codec used by older versions of Windows Media Player, made by Microsoft, and in AOL's …


This topic is closed for new posts.
  1. system

    Move vulnerabilities?

    Perhaps it should read "more vulns"?

    Aside from that, Media Player Classic isn't made by M$. It's made by Gabest.

  2. Stephen B Streater

    Back to Java then

    If people can't trust their media player, they can always run a Java one. Safe, reliable, upgradeable.

  3. Andy

    One man's mead...

    "Taking care not to click on suspicious links in browsers and email programs should suffice"

    If we could trust the general population to do this then we wouldn't have viruses, exploits and other malware running around the world like wildfire. WE (as reg readers) are neither the kind to get exploited by this and nor are we the kind to whom the advice is directed. But you have to remember, a lot of people are stupid and, even more importantly, a lot of seemingly intelligent people become stupid in the face of technology. They elevate someone to the role of 'knows computers' just because they know where the on switch is and if they can manage to order something from Amazon or find the lyrics to an old song on Google then they become revered as IT Gods.

  4. Jamie Peterson

    sys 49152?

    SYS 49152 eh? Ahhh.. the good old days of the Commodore 64....

  5. Antony Riley
    Thumb Down

    Pwned Again

    I suspect anything short of disabling the codec would leave you vulnerable to webpages with embeded media at least via Internet exploder, so their advice is probably more correct than the advice presented in this article.

  6. Anonymous Coward

    Re: Back to Java then

    I think you missed out Slow, Inefficient, Resource hogging?

  7. Not That Andrew

    Re: Re: Back to Java then

    > think you missed out Slow, Inefficient, Resource hogging?

    So no different from WMP then?

  8. Duncan

    Winamp version 3.5?

    I assume you mean 5.3 - there is no such thing as 3.5, Winamp 3 died before it got that far.

  9. Anonymous Coward

    Winamp not vulnerable

    The exploit linked to appears to be an older exploit for 5.32, the comment at the bottom of the exploit actually states that it was patched by the vendor in at least 5.5, released back in October. And from a quick glance, seemed to be a completely different issue. Secunia also reports no unpatched vulnerabilities in Winamp:

    However, if the problem is with the 3ivx product, which is a directshow filter. And is installed on the machine, and Winamp is configured to use 3ivx instead of its built in MP4 decoder, then I'd assume you could still cause an exploit via 3ivx. The same is true of ANY directshow enabled media player. Which counts pretty much any media player on windows utilising the windows media/directx api, including embedded media in IE and Firefox and Opera.

    However, 3ivx is not a part of any of the reported applications, so would only be installed should a user have done so, either knowingly, or unknowingly via one of those "codec packs".

  10. Colin Millar
    Thumb Up

    WMP 6.4 = Win 95?

    Win 95 on the web?

    That must be fun

  11. system

    RE: WMP 6.4 = Win 95?

    Actually, if you don't want all your resources eaten by the various functions and eye candy included in the newer versions, 6.4 is a good little player.

    It's also included as part of XP, under Program Files\Windows Media Player\mplayer2.exe

    If you know and trust the source of all your videos, and don't run IE or have it plugged in to firefox, it's even safe :-P

    Presumably, using it with ffdshow to display divx/xvid, it wouldn't matter about IE or playing untrusted videos, as ffdshow uses it's own libs instead of seperate codecs. I could be wrong though.

  12. Phil Rigby
    Paris Hilton

    Try mplayer - open source, Windows version, own codecs...

    I guess there'll be 100's of 'skiddies out there now downloading "maliciously crafted" Paris Hilton videos. But then again, anything with her in it is malicious... I always feel like I've been infected with something after seeing The Simple Life.

  13. Rob

    Crafted for....

    Sounds like it's been specifically crafted for those dodgy people that download dodgy vids off the net. The Media Players concerned are all packaged in the ACE Mega Codecs Pack which contains pretty much every popular codec going.

  14. Gordon Fecyk

    "We are not in the business of scaring people." -- Symantec

    Since El Reg's moderators won't take a standardized form for critiquing their standardized security articles, I'll just have to go all out on the biggest flaw in this article:

    It quotes a computer security firm with a financial interest in publicizing this problem.

    This still rates a 6 out of 10 on the BS Meter: "We're here to protect you." But any rating from 4 ("We're not in the business of scaring people") and up may apply.

  15. BitTwister

    @One man's mead...

    > If we could trust the general population to do this [not clicking on "suspicious" links] then we wouldn't have viruses, exploits and other malware running around the world like wildfire.

    Surely the point is that if the software was properly written - even just *slightly better* written - then it wouldn't matter WHAT people clicked on. Even "suspicious" links. (whatever *they* are - do you have some way of spotting them in advance?)

  16. Stephen B Streater

    Back to Java then (again)

    Once you get to full frame rate video with plenty of CPU power to spare, it doesn't matter much how much resources a media player takes.

    A Ferrari on a motorway goes pretty much the same speed as a mini. What matters is that it arrives without breaking down - or perhaps a better analogy in the case of a virus is to arrive without the road ahead being destroyed. Reliability and security come with Java.

  17. Anonymous Coward

    re: Back to Java then (again)

    Lemme see: the issue is that there's some sort of unchecked input vulnerability in the 3ivx codec; since it leads to a stack-smashing attack it's almost certainly a buffer overflow. Care to explain again how writing the media player in [insert fashionable language du jour] here is going to make a blind bit of difference. Or are you positing that the world's codecs should all be re-written in Java - a language which, let's not forget, is oh so suited to bit-twiddling, coming second only to COBOL in that particular race.

    Here's 5 pence; feel free to go buy yourself a clue then once you're done you can come back and join the conversation.

  18. Stephen B Streater

    Java strikes back

    I admit writing codecs in ARM machine code was quite fun, particularly when it came to bit twiddling, but codecs these days don't need that much bit twiddling. With a modern JIT, Java isn't that different in performance to C++ - with similar bitwise operators too.

    I'd be very intrigued by a Cobol media player - though it wouldn't be much use as my browser can't run Cobol! But it can run my Java media player, as can almost every browser on the planet. And without buffer overflows.

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2019