Saturday, July 14, 2007

Flaws found in Windows-based media players

Microsoft Windows users need to watch out for several flaws in non-Microsoft media players, security experts said.

Apple Computer and RealNetworks have both issued fixes for their Windows software to patch serious security vulnerabilities. Apple released Quicktime 6.5.2 on Wednesday to plug two holes in its Windows media player. On Tuesday RealNetworks advised users of its RealPlayer 10, RealPlayer 10.5 and RealOne Player software to use the "Check for Updates" feature to download the latest patch.

One of the flaws in Apple's Quicktime player affects Mac OS X users as well, but the company patched the problems at the end of September.

"It was fixed for all Mac OS X users at the end of September, and this fixes it for Windows users as well," said an Apple spokesman.

The updated Quicktime program is the latest fix for Apple's computer software. The company typically releases one update a month, and in September published fixes for 15 components of the Mac OS X operating system.

The flaw in RealNetworks' software could allow an attacker to run code on the victim's computer by dressing up a malicious program as a graphics theme, or skin, for the player. The flaw--found independently by two security firms, eEye Digital Security and Next-Generation Security Software--is similar to a problem found in August in Winamp's media-playing software.

eEye previously found a flaw in RealNetworks' software for Windows and Linux that could have allowed a malicious program disguised as a movie to run on the victim's computer.


http://articles.techrepublic.com.com/5100-22_11-5432173.html

Download: Resource pack for financial management of IT

TechRepublic contributor Peter Hennigan has provided five recent articles offering advice on everything from leasing to IT investments. We’ve gathered those articles into one convenient download and included valuable resources, such as spreadsheets and checklists, to help you put Hennigan’s advice to use immediately.

Download the compilation, and you’ll have the following articles at your fingertips:

* “Portfolio management keeps IT aligned with business strategy”
Hennigan explains how to apply the principles of financial portfolio management to IT investments.
* “Weigh the benefits of leasing decisions to the enterprise and its units”
Understand all the risks that you should factor into the decision to finance IT hardware.
* “Apply this framework to establish a solid acquisition process”
Every acquisition of technology brings some degree of business risk; being organized and prepared is the best way to control it. Learn the key elements to adequately assessing the risks involved, and discover why building a framework is the first step to take.
* “When it comes to IT investment, CIOs need to take the helm”
Hennigan explains that CIOs should couple a take-charge attitude with thoroughly analyzed IT investments to accomplish their major objectives.
* “Targeted communication drives the budget process”
Use these tips from Hennigan to create a smooth budgeting process by preparing thorough financial planning tailored to communicate specifically and effectively to each business unit or stakeholder involved.
* “Follow this model for effective IT cost management”
Hennigan provides a dual view method of cost analysis to allow CIOs to frame cost structures in terms of function and category.

To help you put the advice in these articles to work immediately, we’ve also included the following resource documents:

* IT chart of accounts spreadsheet
* Leasing term checklist
* Checklist for mapping ROI values
* IT cost center budget model spreadsheet
* Template for technical acquisitions


About the author
Hennigan has spent more than 20 years in analytical, sales, financial, and IT roles. Most recently, he has been focused on helping IT organizations optimize their financial management. Prior to launching his consultancy, Technology Contract Solutions, he spent over a decade in senior management positions in the IT department at Liberty Mutual Group.

Lock IT Down: Critical flaw in Windows Media Player could compromise systems

Microsoft has released a new patch for several versions of Windows Media Player, one of the most common programs used for multimedia playback in the business world. The threat, which is rated Critical, is related to the way the software handles downloading of the decorative “skins” for the popular multimedia player.

Details
MS03-017, “Flaw in Windows Media Player Skins Downloading Could Allow Code Execution,” addresses the newly discovered vulnerability in Media Player versions 7.1 and 8. Skins are XML files used to control the graphics that alter the appearance of Media Player. They are merely decorative and the vulnerability isn’t actually related to the skins themselves, which are still considered harmless.

Skin files are normally downloaded to the Temporary Internet Files folder in part to speed loading of the often large graphics files and also because these files are allocated locations dynamically. That makes it impossible (or at least quite difficult) for an attacker to predict where on the computer they are located, reducing the possibility of an attacker remotely accessing the PC.

Applicability
Microsoft Windows Media Player 7.1 and version 8 (the one that comes with Windows XP) are affected. No versions of Media Player 9 are vulnerable to this flaw. Since earlier versions of Media Player are no longer supported, Microsoft did not test them and makes no guarantee that versions prior to 7.1 are free of this vulnerability.

Risk level--critical
Exploiting this flaw could allow an attacker to download arbitrary code to a system and load it into the Startup folder or take other actions.

Mitigating factors
If the target computer has a newer version of Outlook or Outlook Express installed or has applied the recommended security patches to older versions, it will be much more difficult to exploit this threat, because users would have to be tricked into opening a malicious e-mail or visiting a bogus Web site. See MS03-017 for more details about this. Even if successful, the attacker could run programs only in the security context of the user; therefore, the level of the threat depends on whether the user has administrator or lower-level privileges.

Fix--install the patch
It’s important to note that there’s nothing actually wrong with any skins themselves, so there is no need to ban them or attempt to locate all of them and remove them from networked or stand-alone PCs in the workplace (or home systems). The problem is in the way Media Player 7.1 and 8 actually download the files.

The patch corrects the faulty way in which Media Player validates the address used in downloading files. Without the patch, a malformed URL could trick the computer into downloading what appears to be a skin but is actually malicious code.
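The kind of validation the patch is described as correcting, shown as an added Python example that is not the article's, Microsoft's or RealNetworks' code: a downloader maps a skin URL to a file name inside its own cache directory and refuses anything that would land elsewhere (the Startup folder the article mentions, for instance), then checks that the received bytes are well-formed XML, as the article says skins are. The cache directory, the allowed extension, the sample URLs and the function names are constructed assumptions; the article does not detail the actual malformed-URL mechanism, so this illustrates the defensive check, not the real patch.

```python
from pathlib import PurePosixPath
from typing import Optional
from urllib.parse import unquote, urlparse
import xml.etree.ElementTree as ET

# Constructed values (assumptions for illustration, not Media Player's own):
# the article only says skins are cached under Temporary Internet Files.
CACHE_DIR = PurePosixPath("/cache/skins")
ALLOWED_EXT = {".xml"}  # the article describes skins as XML files


def cache_path_for(url: str) -> Optional[PurePosixPath]:
    """Map a skin download URL to a file inside CACHE_DIR, or None if unsafe.

    Only the last path segment of the URL is used as the file name. It is
    percent-decoded first so that encoded separators or ".." are seen for
    what they are, then rejected if they could leave the cache directory.
    A final containment check guards against anything the filters missed.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return None  # no file:// or other local-path schemes
    name = unquote(PurePosixPath(parsed.path).name)
    if not name or name in (".", ".."):
        return None
    if "/" in name or "\\" in name or "\x00" in name:
        return None  # separators survived decoding: traversal attempt
    if PurePosixPath(name).suffix.lower() not in ALLOWED_EXT:
        return None  # an executable renamed to look like a skin, etc.
    target = CACHE_DIR / name
    if CACHE_DIR not in target.parents:
        return None  # must still sit directly under the cache directory
    return target


def looks_like_skin(data: bytes) -> bool:
    """Reject a download that is not well-formed XML (a skin per the article).

    A real implementation would also validate against the skin schema and
    use a hardened parser; this only shows the shape of the check.
    """
    try:
        ET.fromstring(data)
    except ET.ParseError:
        return False
    return True
```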

Final word
Many companies are now sending company video clips to users rather than simple e-mails, and Media Player is the preferred tool to play back streaming video on Windows-based computers. Media Player may also be used to play back audio recordings of lectures, speeches, or pep talks from management. So even if your company isn’t making use of Media Player, you should know that many others are.

I probably don’t have to tell you that some bored end users are likely to want to spice up these presentations by downloading some different skins for the player just to personalize their work environment a bit. Therefore, you need to be aware that users could potentially be tricked into downloading malicious files disguised as Windows Media Player skins.


http://articles.techrepublic.com.com/5100-6264_11-5034959.html