A newly-discovered flaw in Windows XP puts digital music users at risk, Microsoft Corp. announced Wednesday. A bug in Microsoft’s flagship operating system software allows computer attackers to craft MP3 or WMA music files that give them control of listeners’ computers. Simply browsing to a Web page or folder where such an MP3 file is stored would be enough to invoke the malicious code, and allow an attacker to create, modify, or delete data on the victim’s computer.
The flaw was discovered in a research lab by security firm Foundstone Inc.
CEO George Kurtz said he believes it’s the first such vulnerability impacting sound file formats.
Digital music files come with attached information, or attributes, which describe the name of the song, the sample rate and other basic file information. An attacker can insert malicious code in that data, triggering a “buffer overrun” that causes the computer to surrender control to the attacker.
Victims need not be induced to play the infected music file to cause an attack. Because of the way Windows file Explorer reads the attribute information, simply hovering over an infected music file’s icon is enough to cause the buffer overrun. Accessing a folder where the file lives would also invoke the malicious program, as would visiting a Web site where the file is stored.
Only Windows XP users are vulnerable, but users of other operating systems can act as “carriers,” because infected MP3 files will play like normal music files to them. They could unwittingly pass an infected file along to a Windows XP user, who could then be attacked, Kurtz said.
“That makes the odds of it circulating even better,” he said.
Microsoft released a patch to protect users from the flaw on Wednesday, declaring the flaw “critical,” its most severe rating. The patch can be downloaded for free from Microsoft’s Web site.
(MSNBC is a Microsoft-NBC joint venture.)
Kurtz said users of music-swapping services like KaZaa should be wary of the discovery, and should install Microsoft’s patch before downloading new music files.
“Certainly, services like Kazaa are the perfect attack vector for infected MP3 files,” he said. “Because of the ubiquity of MP3 files and the popularity of XP it’s serious. People need to take it seriously and apply the patch.”
The flaw is certain to add to the already complicated conversations surrounding the downloading of digital music on the Internet. Popular file-swapping services like KaZaa are the menace of the recording industry, which claims the sites hurt real-world album sales. The industry also points out that anonymous file-swapping services can be dangerous, since users don’t really know what they are downloading from the other side of an Internet connection. The Foundstone discovery bolsters that argument.
Foundstone also announced Wednesday a similar flaw with digital music jukebox software Winamp. The software can also be attacked by malicious code placed in music files, giving control of the victim’s computer to the attacker. Patches for Winamp are to be made available at that company’s Web site.