mers2
Premium,MVM
join:2004-03-20
USA
clubs:
 ·AT&T U-Verse
| Heads Up - Flaw for Viewpoint Media Player Posted.
»blogs.zdnet.com/security/?p=636
» Exploit posted for Viewpoint Media Player flaw
Exploit posted for Viewpoint Media Player flaw
08:33AM Thursday Nov 08 2007 by lilhurricane
Tipped by TheJoker See Profile
Ryan Naraine
Exploit code for an unpatched vulnerability in the widely distributed Viewpoint Media Player has been posted on the Internet, putting millions of Internet Explorer users at risk of code execution attacks.
The exploit, available at Milw0rm.com, takes advantage of a stack-based buffer overflow in the Viewpoint browser plug-in that sits on millions of computers thanks to bundling deals with AOL, AIM, Netscape and Adobe.
--
Team Discovery
|
|
lilhurricane
Crunchin' For Cures
Premium,Mod
join:2003-01-11
Purple Zone
clubs:
 ·Comcast
Host:
TV over IP
Software
RCN
Inside Insight
Team Discovery
1 edit | Thanks Mary, and thanks to TheJoker  for submitting to SCU news  |
|
KachiWachi
join:2004-02-12
PA, USA
| reply to mers2
There used to be a way to find out what version of Viewpoint you had installed (some fancy keystrokes when you got to their webpage).
I forget what they are. 
Does this "command" still exist?
Thanks. |
|
lilhurricane
Crunchin' For Cures
Premium,Mod
join:2003-01-11
Purple Zone
clubs:
·Comcast
Host:
TV over IP
Software
RCN
Inside Insight
Team Discovery
|
Software Update
The Viewpoint Media Player is designed to check for the availability of software updates to ensure that you have the latest product improvements.
When the Viewpoint Media Player checks for the availability of an update, basic information about the product version and installed components are sent anonymously to Viewpoint. This step determines whether new, free software is available for download.
Not sure about fancy keystrokes
--
~Safe Hex~ Team Discovery ~ Project Hope ~ Like A Hurricane~ |
|
planet
join:2001-11-05
Olmsted Falls, OH | Thanks. Got Viewpoint on 2 of my computers. Never use it. Uninstalled it. |
|
KachiWachi
join:2004-02-12
PA, USA
| I found the command string.
"Viewpoint Support sez -
Cntl + Alt + Shift + Left Click on the content that requires the VMP. A window should appear that tells you all of the components you have, and what version they are."
Test page - »www.viewpoint.com/technologies/v···eo.shtml
Click on one of the "balls" below the text that says - "Viewpoint Media Player Features - Click to View Features Below"
Thanks. |
|
sivran
Long Live The Suite
Premium
join:2003-09-15
Arlington, TX
clubs:
·RoadRunner Cable
| reply to mers2
I always thought of Viewpoint as kinda shady anyway. I seem to recall it being installed alongside such lovely applications as Kazaa, and some web games
--
Think outside the fox...Seamonkey |
|
KachiWachi
join:2004-02-12
PA, USA
| I think there might be a typo here -
AxMetaStream.dll v3.3.2.26 should be v3.2.2.26
Source: »developer.viewpoint.com/dc/relea···ve.shtml
Thanks. |
|
planet
join:2001-11-05
Olmsted Falls, OH
·Cox HSI
| reply to sivran
quote:
I always thought of Viewpoint as kinda shady anyway. I seem to recall it being installed alongside such lovely applications as Kazaa, and some web games
Yeah, I know, on my one Gateway pc, it came installed along with the Wild Tangent Games. I uninstalled the Games and their associated Web Driver when I first got the pc. I'm not sure how it got on my Dell pc but likely came with it. Gone on both now!  |
|
redwolfe_98
join:2001-06-11 | reply to mers2
viewpoint has always been bundled with AOL, at least up until the recent new version of AOL.. i don't know if viewpoint is bundled with the new version of AOL, or not.. |
|
KachiWachi
join:2004-02-12
PA, USA | @redwolfe_98 -
It is...as far as AIM is concerned (check the developer link I posted above). |
|
mers2
Premium,MVM
join:2004-03-20
USA
clubs:
·AT&T U-Verse
| said by KachiWachi :@redwolfe_98 - It is...as far as AIM is concerned (check the developer link I posted above). It looks like it's also installed with AIM, which will affect a lot of people. I wonder if AOL also packaged it with their new release of Netscape? I don't see it on the list and don't use it, but it used to be packaged in the older versions.
--
Team Discovery
|
|
Libra
Premium
join:2003-08-06
USA
| reply to mers2
I have viewpoint media on both computers, and the XP has
AxMetaStream.dll v3.2.2.26  . AOL is on the computer. Does anyone know what will be broken if I remove viewpoint media?
(I'm not aware of using it, but I guess it just loads?)
Also, I went to Kachi's test page with the Seamonkey browser on both computers and it said I needed Viewpoint to view the page, so it's not in Seamonkey.
Thanks.
Sincerely, Libra |
|
KachiWachi
join:2004-02-12
PA, USA | IIRC, if you uninstall the VMP, it will re-install itself when AOL/AIM is launched...but don't quote me on this.
Thanks. |
|
Libra
Premium
join:2003-08-06
USA
| Hi Kachi,
In a search I found that with AOL, AIM etc. you have to shut them down first. As far as AOL is concerned, it said to remove VMP from add/remove, then go into AOL Program files and in the jiti folder delete the VMP.exe. I haven't tried this. I don't know what it will break in AOL and I don't want to mess up my daughter's AOL.
Is there a way to tell when this VMP is being used?
At the VMP site they mention a VMP Control Panel in Control Panel - but I don't have that either.
Thanks.
Sincerely, Libra |
|
planet
join:2001-11-05
Olmsted Falls, OH
·Cox HSI
| quote:
if you uninstall the VMP, it will re-install itself when AOL/AIM is launched...but don't quote me on this.
I checked my daughter's laptop after uninstalling VMP. She uses AIM and VMP hasn't reinstalled itself; she is using a limited account. I uninstalled VMP with the admin account. Not sure if that would effect things or not. |
|
Libra
Premium
join:2003-08-06
USA | Thanks planet. I found out that VMP has to do with superbuddies and IM wallpaper, etc. in the AOL client. I'll leave it be. Hopefully since it's run in a limited account it won't cause problems.
Sincerely, Libra |
|
KachiWachi
join:2004-02-12
PA, USA
|  I just found out something rather disturbing while speaking with Viewpoint Support.
Even though you have your VMP preferences set not to update, they have something called "just-in-time"...which will auto-update your VMP without asking (if an update is required by the material you are viewing).
The problem is that NO WARNING is given to the user when this update is required.
Just another example of "drive-by" downloading.
Sigh. |
|
mers2
Premium,MVM
join:2004-03-20
USA
clubs: | If I had this program - and I don't - this information would have it gone within 2 minutes. This is typical of AOL, which is why I don't use any of their products.
--
Team Discovery
|
|
