Windows XP Home Edition, XP Pro, XP Tablet users: READ NOW!

[GoldbergWWE]

Thanks to a newly found flaw in Windows XP, two of the most popular audio file formats can be used by crackers to take control of remote PCs. Users only need to hover their mouse pointers over the icons for malicious MP3 or Windows Media files to execute the attacker's code, Microsoft Corp. said in a bulletin published Wednesday.
The vulnerability lies in the Windows Shell, which is the portion of the operating system responsible for defining the user's desktop as well as organizing files and folders and enabling the OS to start applications. An unchecked buffer in a function used by the shell to extract custom attribute data from audio files enables an attacker to create a malicious MP3 or Windows Media file and use it to run code on a remote user's machine.

MP3 files are traded and shared by the millions on sites and peer-to-peer networks all over the Internet. Users commonly download and play files posted by people they've never met, and there is essentially no practical way of verifying the content of these files to ensure that they're not corrupted. The Windows Media format is somewhat less popular than the MP3 format, but is still quite prevalent online.

To exploit the vulnerability, an attacker can do one of three things: host the malicious file on a Web site or on a network share or send it to a user in an HTML mail message. If a user hovered the mouse pointer over the file or the folder containing the file--on a Web page or on the local disk--the code would execute. A user would need to open or preview a mail message containing the code to execute it in the e-mail attack scenario.

Users Peeved at Microsoft Security Effort

A successful attack would either cause the Windows Shell to fail or would run the attacker's code on the user's machine.

The vulnerability is found in Windows XP Home Edition, XP Pro, XP Tablet PC Edition and XP Media Center Edition. The patch for the vulnerability is located here.

-G

[Veggita2099]

I run the patch and got a file not found error during installation. How nice.

[EverStoned]

Okay, first off, those MP3's only exist in lab conditions (for now).

2nd off, how retarted do you have to be to have you netbios settings in such a weak shape security wise that they can be toppled by Mp3's goddamit!

[kaze]

i wonder why it doesnt affect pro

[az_bont]

i wonder why it doesnt affect pro

The vulnerability is found in Windows XP Home Edition, XP Pro, XP Tablet PC Edition and XP Media Center Edition

[kaze]

i wonder why it doesnt affect pro

The vulnerability is found in Windows XP Home Edition, XP Pro, XP Tablet PC Edition and XP Media Center Edition

ok so im blind.....

[BlackAura]

How is that even possible? The guys who coded the shell must have been blind drunk, or something. Still, the shell is certainly the worst part of Windows XP. The OS itself is quite good, but the UI is really, really bad.

[|darc|]

Already patched it like a week ago

[AmadeusZull]

hey kaze whos that cute girl in your avatar?

[Mugworm_Griblick]

hey kaze whos that cute girl in your avatar?

its me

[Wagh]

Already patched it like a week ago

yeah this bug was found AGES ago. If you updated your xp you would know this...

[AmadeusZull]

hey kaze whos that cute girl in your avatar?

its me

suck my c.ock Griblick.

[toastman]

Okay, first off, those MP3's only exist in lab conditions (for now).

2nd off, how retarted do you have to be to have you netbios settings in such a weak shape security wise that they can be toppled by Mp3's goddamit!

NetBios settings are by default weak.