http://www.msnbc.com/news/849418.asp?0cv=CB10&cp1=1
Yep...if you are a Windows XP user and download MP3s, this is very important.
"A newly-discovered flaw in Windows XP puts digital music users at risk, Microsoft Corp. announced Wednesday. A bug in Microsoft's flagship operating system software allows computer attackers to craft MP3 or WMA music files that give them control of listeners' computers. Simply browsing to a Web page or folder where such an MP3 file is stored would be enough to invoke the malicious code, and allow an attacker to create, modify, or delete data on the victim's computer. The flaw was discovered in a research lab by security firm Foundstone Inc. CEO George Kurtz said he believes it's the first such vulnerability impacting sound file formats.
Digital music files come with attached information, or attributes, which describe the name of the song, the sample rate and other basic file information. An attacker can insert malicious code in that data which causes a “buffer overrun,” causing the computer to surrender control to the attack.
Victims need not be induced to play the infected music file to cause an attack. Because of the way Windows file Explorer reads the attribute information, simply hovering over an infected music file's icon is enough to cause the buffer overrun. Accessing a folder where the file lives would also invoke the malicious program, as would visiting a Web site where the file is stored.
Only Windows XP users are vulnerable, but users of other operating systems can act as “carriers,” because infected MP3 files will play like normal music files to them. They could unwittingly pass an infected file along to a Windows XP user, who could then be attacked, Kurtz said."
So, considering that most users don't even check Windows Update on their "Start Menu," this is one of those instances where you should. There is a patch for this vulnerability available.
Melon