stoid said:Ouch. I really hope that they get their act together with Vista. I just don't even understand how a computer loading an image can think it reasonable to execute code therein. I mean under what circumstances would such a capability be used in normal use? It's like unpacking a new set of multimedia speakers and being thrilled that they threw in a 'pack of salt'.
Here's your sign.
Les Kern said:* What is DEP (Data Execution Protection) and how does it help me?
With Windows XP SP2, Microsoft introduced DEP. It protects against a wide range of exploits, by preventing the execution of 'data segments'. However, to work well, it requires hardware support. Some CPUs, like AMD's 64 Bit CPUs, will provide full DEP protection and will prevent the exploit.
MongoTheGeek said:The thing is that the Mac OS has had at least 3 different holes like this patched in the past... jpeg's, png's, and tiff's all had buffer over run vulnerabilities that could cause arbitrary code execution.
http://docs.info.apple.com/article.html?artnum=301528
http://docs.info.apple.com/article.html?artnum=300667
There are others as well.
mkrishnan said:
ewinemiller said:You can tell if you have it on an XP sp2 machine by looking at the Data Execution Protection tab of the Performance Options dialog available from System Properties. There's a note at the bottom of the dialog that says whether or not it's hardware supported.
The difference is that those are bugs, not "nice features". These WMFs are actually designed to be able to run arbitrary code.
MongoTheGeek said:The thing is that the Mac OS has had at least 3 different holes like this patched in the past... jpeg's, png's, and tiff's all had buffer over run vulnerabilities that could cause arbitrary code execution.
http://docs.info.apple.com/article.html?artnum=301528
http://docs.info.apple.com/article.html?artnum=300667
There are others as well.
I've said it here and I'll say it again - wow, an exploit. No one cares
ewinemiller said:Here's one from a couple of weeks ago announced in iTunes and Quicktime
http://www.securitytracker.com/alerts/2005/Dec/1015396.html
It is Apple's code, impacts both OSX and Windows, and I believe it is still unpatched.
Buffer overflows are everyone's problem.
It will be nice when all the hardware and OSs you can buy support Data Execution Protection.
mkrishnan said:Ahhhhh, thanks. I use neither a recent top-of-the-line Windows computer nor XP/SP2.... But I was wondering...because it was the P4 architecture that was mentioned, and the Pentium-M is based on the PIII architecture....
But this means that almost no currently active Windows laptops support DEP, right?
So, on New Year's Day, my wife and I drove down to her uncle's house to have dinner with her aunt and uncle, her parents, and some other family members. We're sitting around chatting before the meal, and my father-in-law asks me: "So, Lyle, what's with this news about that new Windows security problem where in can get in there and attack your computer?" (Like many of you, I am my extended family's designated computer guy.)
FoxyKaye said:<sarcasm>Wow, Windows has major security flaws, who knew?</sarcasm>
pknz said:Need I remind you that Windows itself is a virus.
Les Kern said:A time-sucking, money-grabbing, productivity-reducing ABOMINATION of a virus.
"Right now, the situation is bad, but it could be much worse. The potential for problems is bigger than we have ever seen," Hypponen said. "We estimate 99 percent of computers worldwide are vulnerable to this attack."
mkrishnan said:I'm pretty sure that's not *quite* accurate.
You've probably read it, but there was a study done by Kevin Mitnick and others where they put various XP boxes on the net, and the average was 4 minutes to be sploited in some way
JFreak said:seriously; every single windows pc that is connected to internet is vulnerable, and will always be. the only way to protect a windows system is to disconnect it from the network and use it behind locked doors. preferably having an armed guard watching your back while you try to work un-connected -- he should have orders to knock you down if you try to set up a network...
greatdevourer said:You've probably read it, but there was a study done by Kevin Mitnick and others where they put various XP boxes on the net, and the average was 4 minutes to be sploited in some way
mkrishnan said:I think this was the same study where they put various Macs in the hands of consumers, and the consumers were irresistibly compelled to order an iPod of some kind in an average of four minutes.