daveleau
12-19-2000, 12:03 AM
This was sent to me via email. It is long and scary and I thought you guys would be interested...
> That Sound You Hear May Be Media Player Introducing a Virus Into Your
> Computer
> Livingston, Brian
> December 16, 2000
>
> JUST WHEN You thought it was safe to play music on your PC, a new virus
> threat has emerged. This one runs secretly when you play what you thought
> was an ordinary Windows Media Player file or when you visit a Web site
> that plays the file automatically.
>
> New viruses, of course, appear every day. But this one is different. The
> Media Player file that makes this threat possible - known as an ASX or
> Active Stream Redirector file - isn't an executable program. It's supposedly
> just data. What's next? Plain-text files that introduce a virus to your PC
> when you open the text in Notepad? Nothing would surprise me anymore,
> although I don't think anyone's found a way to compromise Notepad yet.
>
> But the weakness in Media Player illustrates the kinds of problems that
> arise from Microsoft's insistence on bundling more and more applications
> into Windows.
>
> I wrote in my Sept. 11 column ("Windows Me, You Jane: How do you tame the
> new 800-pound gorilla from Microsoft?" www.infoworld.com/printlinks) that
> Microsoft had bundled Media Player 7 into Windows Me in such a way that
> the player could not be easily uninstalled. Presumably, the Redmond, Wash.,
> company did this to wipe out competing players from Real Networks and
> others.
>
> I demonstrated how to remove Media Player and other flotsam from Windows
> Me and Windows 98, using Win98 Lite (see www.981ite.net/products.html). But
> most people will never perform this kind of surgery on their operating
> system. So we're left with a new security flaw to guard against.
>
> The ASX virus threat occurs because versions 6.4 and 7.0 of Media Player
> don't prevent an ASX file from running hidden executable code. This code
> can install and run any software it wishes on your machine. This software,
> in turn, can do anything you have the privileges to do, according to a
> bulletin from Watchguard Technologies (www.watchguard.com). This includes
> sending e-mail and modifying or deleting any files you can access. If you
> have privileges on a network, the virus can access those files too.
>
> Ordinarily, an ASX file doesn't contain any streaming media. Instead, it's
> used to point to a location on an intranet or Internet site from which
> media files are run.
>
> But this doesn't make things any less dangerous. An ASX file can be run
> automatically when you visit a Web page. A malicious Web site operator
> might use it to plant a Trojan horse on as many PCs as possible in order
> to gain access to confidential information.
>
> An ASX file can also run automatically in an e-mail message you receive.
> As we've seen from the Melissa virus and others, a harmful e-mail can
> easily be made to look like a message from a trusted friend.
>
> Once upon a time, a virus could infect your PC via e-mail only if you
> opened a malicious attachment. And, like any data file, an ASX file can in
> fact be sent to you as an attachment.
>
> However, as I've written before, viruses can now run without you opening
> an attachment. The default settings of Microsoft Outlook and Outlook Express
> automatically run harmful code in HTML e-mail you receive. Simply viewing
> an HTML message in these and some other e-mail applications can open a
> browser window. This, in turn, executes an ASX file on your PC.
>
> I explained in my Dec. 27, 1999, column ("'Moles' are one thing, but
> malicious e-mails are an even worse form of Web
> abuse," www.infoworld.com/printlinks) how you can disable "mobile code"
> from running in your e-mail and your browser. The procedure restricts
> programs using ActiveX and Java from executing without your knowledge.
> Fortunately, Microsoft has released patches that fix the ASX problem. (They
> also guard against, of all things, graphical overlays called "skins" that
> have been hacked to carry viruses.)
>
> The patches and a FAQ that explains the problem in more detail are
> available at www.microsoft.com/technet/security/bulletin/MS00-090.asp.
>
> Another interesting view of this problem is available from Ollie
> Whitehouse, who reported the issue to Microsoft. He provides sample code
> that illustrates the security flaw using Windows 2000 with Service Pack 1
> as an example. (Go to www.securityfocus.com/archive/l/146639.)
>
> The biggest issue, of course, is when Microsoft will require outside
> security audits before releasing new products. The ASX virus flaw is the
> 90th security weakness reported on Microsoft's Web site this year alone.
> At some point, even companies that are addicted to Microsoft products will
> say "enough."
>
> Get Livingston free by e-mail
>
> You can now receive this column every Monday, free by e-mail. Go to
> www.iwsubscribe.com/newsletters and click Window Manager.
>
> Livingston, Brian
> Copyright InfoWorld Publications, Inc. Dec 11, 2000