Domain: technet.com
Stories and comments across the archive that link to technet.com.
Comments · 534
-
Actual Link
Since the summary did not provideth, here's a link to the actual site: http://port25.technet.com/
-
See also this post on the MSRC blog
There's an update on the MS Security Response Center blog:
http://blogs.technet.com/msrc/archive/2006/03/29/423560.aspx -
Safe Browsing
Did anyone notice this line in the blog that was attached to the original posting?
We're going to continue to look into this but remind you also that safe browsing practices can help here, like only visiting trusted websites, etc.
-- Technet
So, I guess we should all avoid search engines and just stick to our bookmarks for a while, huh.
When I say we, I mean those of you still using IE...fools. -
Re:Pretty optimistic, isn't he?
I'd be a little more worried if I was Brad. That feature your boss wants to know who's responsible for..what if it's 'Clippy'???
Worse...Brad cops to being responsible for the component in SQL Server exploited by the Slammer worm. It's not clear if he actually wrote the buffer code vulnerable to overrun, or he just owns fixing it now. -
Blog link
The blog talked about in the article is here: http://blogs.technet.com/bluehat
-
Just The Facts Here!
Did Microsoft Know this BUG was present?
Answer from Microsoft's own statement:
"The potential danger of this type of metafile record was recognized and some applications (Internet Explorer, notably) will not process any metafile record of type META_ESCAPE, the overall type of the SetAbortProc record."
Entire Statement Located here:
http://blogs.technet.com/msrc/archive/2006/01/13/417431.aspx
What does this mean?
It means that at some point in the past Microsoft had full knowledge that Meta-Files were capable of executing custom code when they were being rendered and displayed for "Non-Printer Errors". It took a programming effort to modify Internet Explorer to be "Sand Boxed" from Meta-Files to restrict it from executing the custom code contained in them.
So, Microsoft also knew that just the act of rendering and displaying a Meta-File, would/could execute custom code, and that the same would/could be done while displaying such Meta-Files via Explorer for example when it encountered one of these in a folder ("With or Without") thumbnail view being on.
Now, they also knew that these files could be embedded in Microsoft Office documents, in Microsoft Word, in other 3rd party applications, viewers and WINE for example.
As They "Sand Boxed" IE from this threat ("Which they left in place") did they warn corporations, users that this BUG still was being allowed to execute custom code and could be delivered using many methods, contained in documents, via email, via downloads, via floppy, CD, DVD?
It is no longer a question that this BUG became a supported FEATURE, the question is why was it allowed to remain?
When your House is flooding, do you build a LEVEE ("Sand Box IE") around your house, when you can see very clearly that the water main ("The GDI Libraries") in your front yard is spewing water?
Worse, you already know that you have made a programming effort to "Sand Box" your Browser IE, from this threat ("You Leave in Place") you also PORT it to your new Operating system Vista?
WHY? That answer we may never know.
One suggestion is they did this to support current clients using this, the questions would be, who were they? Why were they allowed to use unsupported and undocumented features in Meta-Files, and was it worth the exposure of Millions of computers World Wide if this was the case? -
Re:What about EMF files
Actually since I was one of the really early people up that morning
... EMF is the way the exploit gets out of its box after all ... check the aforementioned http://blogs.technet.com/msrc/archive/2006/01/13/417431.aspx for further reading
On a sidenote: Yikes, by the way ... some nutty memory keeps popping up that, way back in Windows' really early versions, there was this virus which did a nasty show with the GDI before zapping your Windows inoperable, could it be, still, after all these years? Vague, unreliable I figure, stressed ...
My point being? Well, it did get passed around by WMF, later 'secured' by EMF and the new DLL model or something like that it was, I figure it was a magazine article documenting this. -
Re:I thought we covered this
And already had a link refuting the claim that an invalid record size is necessary: http://blogs.technet.com/msrc/archive/2006/01/13/417431.aspx -
So where does Microsoft refute Gibson??
Read more closely. Where does Microsoft actually say that Gibson is wrong? Gibson claimed that Windows XP would read a .wmf file and begin executing a portion of the data file contents as executable code if a metafile record was encountered with a length of one byte. Since the minimum length of a valid metafile record is 6 bytes, Gibson suggests that the behavior was intentional rather than an accident. Microsoft doesn't actually SAY in their response that any of what Gibson claims is wrong:
Gibson: Except that, when I was pursuing this and finally got it to work, what Windows did when it encountered this Escape function, followed by the SETABORTPROC metafile record, was it jumped immediately to the next byte of code and began to execute it. That is, it was no longer interpreting my metafile records record by record, which is the way metafiles are supposed to be processed.
Microsoft: If you are seeing that you can only trigger it with an incorrect value, it's probably because your SetAbortProc record is the last record in the metafile.
Gibson: It turns out that the only way to get Windows to misbehave in this bizarre fashion is to set the length to one, which is an impossible value. I tried setting it to zero. It didn't trigger the exploit. I tried setting it to two, no effect. Three, no effect. Nothing, not even the correct length. Only one.
Microsoft: The vulnerability can be triggered with correct or incorrect size values.
Even though the Microsoft guy claims he is going to "get rather technical here" he never specifies what he considers an 'incorrect' or 'correct' size value to be. More importantly, he never refutes the claim that a record with a length of one byte would always cause Windows to spawn a new thread and begin executing 'data' as code. -
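The two comments above ("Just The Facts Here!" and the one on record sizes) turn on a few concrete details of the WMF record format: every record starts with a 32-bit size in 16-bit words followed by a 16-bit function code, so a valid record is at least 3 words (6 bytes); the dangerous record is a META_ESCAPE (function 0x0626) whose escape code is SETABORTPROC (9); and the MSRC post says IE simply refuses to process any META_ESCAPE record. The scanner below is an added example, not code from the original page, from Microsoft or from any commenter. It walks a WMF record list and reports META_ESCAPE records (flagging the SETABORTPROC case specifically) and records with an impossible size, which is the check a mail gateway or file-upload handler would have wanted in January 2006. It does not emulate GDI's behaviour on a bad size; it just stops, because there is no sane cursor advance for a 1-word record. The sample files are constructed inline with placeholder payload bytes and are not real exploits.

```python
"""Scan a WMF byte stream for the record class behind the SetAbortProc issue.

Added example; format constants are from the public WMF record layout,
sample files are constructed here and contain only placeholder bytes.
"""
import struct

META_ESCAPE = 0x0626        # record function code: Escape
SETABORTPROC = 0x0009       # escape sub-function that installs a callback
META_EOF = 0x0000           # record function code: end of metafile
MIN_RECORD_WORDS = 3        # 4-byte size + 2-byte function = the 6-byte minimum
PLACEABLE_KEY = 0x9AC6CDD7  # magic of the optional 22-byte placeable header


def scan_wmf(data: bytes) -> list:
    """Return a list of (offset, reason) findings for a WMF byte string.

    Policy follows what the MSRC post says IE does: reject every META_ESCAPE
    record regardless of escape code. A record shorter than 3 words is
    reported and parsing stops there.
    """
    findings = []
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22                                    # skip the placeable header
    if len(data) < off + 18:
        return [(0, "truncated WMF header")]
    _mt_type, hdr_words, _version = struct.unpack_from("<HHH", data, off)
    if hdr_words != 9:
        return [(off, "unexpected header size %d words" % hdr_words)]
    off += 18                                       # standard header is 9 words
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if size_words < MIN_RECORD_WORDS:
            findings.append((off, "record size %d words is below the 6-byte minimum" % size_words))
            break
        end = off + size_words * 2
        if end > len(data):
            findings.append((off, "record runs past end of file"))
            break
        if func == META_ESCAPE:
            reason = "META_ESCAPE record"
            if size_words >= 4:                     # escape code is the first parameter word
                esc = struct.unpack_from("<H", data, off + 6)[0]
                if esc == SETABORTPROC:
                    reason += " with SETABORTPROC escape code"
            findings.append((off, reason))
        if func == META_EOF:
            break
        off = end
    return findings


# --- constructed sample data (not real files, not exploit code) -------------

def escape_record(escape_code: int, payload: bytes, size_words=None) -> bytes:
    """Build a META_ESCAPE record; size_words lets a test lie about the length."""
    if len(payload) % 2:
        payload += b"\x00"
    params = struct.pack("<HH", escape_code, len(payload)) + payload
    words = 3 + len(params) // 2 if size_words is None else size_words
    return struct.pack("<IH", words, META_ESCAPE) + params


def build_wmf(records: list) -> bytes:
    """Wrap records in a standard 18-byte WMF header (type 1 = in-memory)."""
    body = b"".join(records)
    max_words = max((len(r) // 2 for r in records), default=0)
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, 9 + len(body) // 2, 0, max_words, 0)
    return header + body


EOF_RECORD = struct.pack("<IH", 3, META_EOF)
SETMAPMODE = struct.pack("<IHH", 4, 0x0103, 8)      # harmless 4-word record
PLACEABLE_HDR = struct.pack("<IHhhhhHIH", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0, 0)

GOOD_FILE = build_wmf([SETMAPMODE, EOF_RECORD])
ABORTPROC_CORRECT = build_wmf([escape_record(SETABORTPROC, b"\xcc" * 8), EOF_RECORD])
ABORTPROC_SHORT = build_wmf([escape_record(SETABORTPROC, b"\xcc" * 8, size_words=1), EOF_RECORD])
PLACEABLE_FILE = PLACEABLE_HDR + ABORTPROC_CORRECT

if __name__ == "__main__":
    for name, blob in [("good", GOOD_FILE), ("abortproc", ABORTPROC_CORRECT),
                       ("short", ABORTPROC_SHORT), ("placeable", PLACEABLE_FILE)]:
        print(name, scan_wmf(blob))
```

The scanner treats a correctly sized SETABORTPROC record and a 1-word one as two different findings, which is the point the comment above is arguing about: a gateway filter keyed only on "impossible" record sizes would pass the first file.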
Re:Every version since 3.0?
Wrong!! RTFA! It was 'WMF Support' that was introduced in Windows 3.0. The 'vulnerability' didn't come (according to Microsoft) until "...all that GDI functionality was allowed to be called from metafiles." There is nothing inherently insecure about a .wmf file, it is the *way* that the records in it are processed in Windows XP that creates the vulnerability.
You can rest easy with your Windows 3.0 as it is secure against the .wmf security access. -
Oh, So That's where the GDI Bug Is..NOT!
Quote From Microsoft:
Entire Statement Here:
http://blogs.technet.com/msrc/archive/2006/01/13/417431.aspx
"potential danger of this type of metafile record was recognized and some applications (Internet Explorer, notably) will not process any metafile record of type META_ESCAPE, the overall type of the SetAbortProc record. That restriction is the reason it's not possible to exploit this vulnerability by simply referencing an image directly in HTML. IE just won't process it"
So we KNEW that wmf files COULD execute code during rendering and BUFF-UP IE and leave the "BUG/Back-Door" as is in the GDI Library?
Everyone KNEW, WINE would be ported Bug-for-Bug ("Puts his sun glasses on, suddenly seeing a Bright LIGHT in the distance from afar ;-)")
**COUGH** Hey, this is around the same time "Magic Lantern" FBI lingo got started, NICE FIX Microsoft ;-) -
The real deal
From the Microsoft Security Center Blog, facts about "the recent WMF issue" and SetAbortProc.
Now that the monthly release has passed and people are deploying the updates I wanted to take a moment to discuss some things related to questions we've been receiving on the recent WMF issue. (Which was addressed in MS06-001).
http://blogs.technet.com/msrc/archive/2006/01/13/417431.aspx -
Gibson wrong yet again.
His conclusions once again are completely incorrect.
See the following post for why this occurred.
http://blogs.technet.com/msrc/archive/2006/01/13/417431.aspx -
Re:I'm asking "Why?"
I swear to god I hate the slashdot rating system that allows anyone not related to a posting to get moderated +5 but the people most related to a posting have to just sit there unmoderated.
"I'd just like Microsoft to explain themselves this one time. Completely, thoroughly, honestly. Then they can tell us what they will do to ensure it won't happen again"
We did. Dunno why no one points this out, but:
http://blogs.technet.com/msrc/archive/2006/01/13/417431.aspx
Not sure how you can ask for much more of an explanation than that.
S. -
MSRC responds: Intentional Back door? um no.
We've blogged about this already providing the background of the bug:
http://blogs.technet.com/msrc/archive/2006/01/13/417431.aspx
I emailed Zonk about it but I don't think he's had a chance to update the posting.
Long story short the idea that this is intentional rests on the premise that only an incorrect value produces the vuln. That is totally wrong, both correct and incorrect values trip the vulnerability. Besides doesn't it seem odd to create a backdoor that would require the user to first visit a website? What, were we going to take out a superbowl ad suggesting people visit www.microsoft.com so we could...uh...what exactly?
S. -
Microsoft Security Resource Center (MSRC) Blog
More info in this Microsoft Security Resource Center (MSRC) blog post.
-
That's not the best part...
The best part is the response from Lennart Wistrand yesterday on the MS Security Response blog. "As it turns out, these crashes are not exploitable but are instead Windows performance issues that could cause some WMF applications to unexpectedly exit." -- Lennart Wistrand http://blogs.technet.com/msrc/archive/2006/01/09/417198.aspx -
Re:One Gets the Feeling...
One gets the feeling that the MS programmer didn't want to come in over the New Year's holiday to work on some piece of legacy code...
From reading the MSRC blog, I personally get the impression they've been working as hard as possible on a patch. While coding can be quick work, testing is a slow and painful process.
Having said that, the statement from Microsoft trying to minimize the impact of the vuln actually did them more harm than good, imo:
"Customers who follow safe browsing best practices are not likely to be compromised by any exploitation of the WMF vulnerability. Users should take care not to visit unfamiliar or un-trusted Web sites that could potentially host the malicious code."
Almost any graphics file hosted on any server or embedded in any email could host exploit code. Furthermore, kits are out there that allow the kiddiez to put together their own WMF files that will get around AV and IDS signatures.
Bottom line - this is a serious vulnerability, and Microsoft should own up and admit that it is. -
Re:It works on all the major platforms...
Tom -- go back and read the history of AJAX in, say, Wikipedia. You'll find that Microsoft invented AJAX, incorporating it into IE 5.5 to support OWA. There's a cool article in the Exchange Blog by Jim van Eaton which talks about the history, too. (Yes, the people in the story he tells are real. I've met all of them at one time or another.) Then, go look at Microsoft's financials for last quarter. You'll find that of the seven product units, only three are not wildly profitable. (And MED, while not wildly profitable, is basically break even.) Of the four profitable units, Server and Tools breaks out into several large groups, including Exchange (which is profitable), SQL Server (which is profitable), Windows Server (which is a version of Windows, and so is covered by your "windows and office" meme), and Developer Division (which is profitable). MSN is profitable. So, what was that about "only two profitable products"?
-
Actually, it gets better
Microsoft should now have released a patch to Microsoft Antispyware and also have their monthly Malicious Software Removal Tool (which customers running XP Automatic Updates will have automatically run) detect and delete the Sony rootkit. IMHO, very cool (if they did it, can someone confirm?)
I submitted an article about this a few weeks ago, it was rejected for some reason. Probably too many Sony stories already. ;^) -
Re:Good but will it be adopted
AC due to mod. But yes, sadly few people realise that Microsoft *invented* AJAX, they just didn't call it that.
Read this. Notice how Outlook Web Access is what got XMLHTTPRequest into Internet Explorer?
I quote: "The OWA prototype was demo'd to Billg and he loved it. This gave us enough momentum to get a component that we needed to be installed by IE5 that we called XMLHTTP. XMLHTTP was born and implemented by the OWA dev effort of Shawn Bracewell. Exchange funded the effort by having OWA development build XMLHTTP in partnership with the Webdata team in SQL server."
In fact, if you've ever got your head around the ill-fated InterDev (few people did, certainly the majority of book authors had no idea at all!), you'd realise that MS have been looking at async calls from client to server for a long time. They were designing a model so client javascript could just do someobject.method(); and "someobject" existed on the server, not the client! -
Re:Sony
Computer Associates does. As does Microsoft Defender. I couldn't find anything about Lavasoft. Also I didn't see anything on Symantec, other than that Sony is an OEM partner
-
Re:Something's not right
Yeah, it's utter bollocks.
It was news to Eileen Brown and the Exchange team who have been busily building and testing Exchange on 32 / 64 bits.
I'm not sure why Microsoft announced this - but I'm quite sure that they're going to be building and testing 32 and 64 bit versions of all their major products right until far closer to release date, then they will decide what to release based on what their customers are asking for.
Offtopic: Can anyone think of a good update to this: Windows is a 32-bit shell for a 16-bit extension to an 8-bit operating system designed for a 4-bit microprocessor by a 2-bit company that can't stand one bit of competition.
-
Microsoft, Sony, Slashdot
I submitted an article a few days ago about how Microsoft is going to remove the Sony XCP rootkit from Windows computers using AntiSpyware and automatic updates through the Malicious Software Removal Tool. Story was rejected. I fully expected to see someone mentioning it in a Slashback but apparently not.
Now, I can understand them rejecting articles, I've had my fair share in the past. But does Slashdot dislike Microsoft that much that they wouldn't post something that will effectively close the rootkit story next month, and instead keep posting about how bad it is? -
Here's what next
Microsoft(!) declared Sony's XCP software to be malware, and said they'd remove it in the forthcoming December update of the Malicious Software Removal Tool, as it violated "objective criteria". Check out the MS Anti-Malware team's blog for more fun.
<obligatory> And I submitted this yesterday, but apparently the editors didn't think it was worth mentioning, instead going for a dubious LGPL angle that was debunked in at least two previous discussions. <sigh/> </obligatory>
-
Microsoft Anti-Spyware to remove rootkit
On a related note, it looks like Microsoft have decided to add detection/removal of the Sony rootkit to Anti-Spyware (details here - though it sounds like the non-rootkit DRM part won't be touched).
-
Re:So what?
AJAX was invented by Microsoft in 1998 so they could write a decent Outlook web client.
So technically, it's only 7 years old.
(shhh... don't tell taco... his head will explode if he learned that Google didn't invent it) -
Re:A shell is nice but...
Longhorn server might get the GUI'less option that we've wanted for sometime. Somewhat limited but it's a start.
... "The first is to allow the server to be installed in a mode where it doesn't have a GUI or any of the other stuff required to run the GUI. This reduces the server footprint quite dramatically, but only a handful of server roles can run on the box in this mode and there's definitely a tradeoff from an administration POV..." http://blogs.technet.com/windowsserver/archive/2005/10/14/412534.aspx -
Re:Clueless Analyst Syndrome
With a view to that 802.1x has been broken (http://blogs.technet.com/steriley/archive/2005/08/11/409021.aspx) and requires a cryptography layer to prevent rogue hosts from connecting to the network, I'd consider NAC breakable for now. -
Re:Poster Wrong.
And in fact we have some evidence that this wasn't the reason...
http://blogs.technet.com/msrc/archive/2005/08/06/408741.aspx -
Re:Slide more and more...
I HATE those ignorant posters.
Check: http://blogs.technet.com/msrc/archive/2005/08/06/408741.aspx
It's totally wrong. F**k. -
Re:FP
Stephen Toulouse has confirmed that Monad was never intended to be part of Longhorn: http://blogs.technet.com/msrc/archive/2005/8/6.aspx
"An article on Slashdot is saying that Monad was pulled from Windows Vista due to the virus story. This is 100% incorrect. One had nothing to do with the other. Monad is probably going to be a longer term project than Windows."
-
The summary couldn't have been more inaccurate!
A clue should've been the title of the article linked to: "A virus for Windows Vista? Wrong."
From TFA:
"First of all, in examining the details of the reports, there is no Windows Vista virus described in them. ...The viruses do not attempt to exploit a software vulnerability and do not encompass a new method of attack."
If one had read either of the two articles linked, one would realize that the so-called "viruses" are nothing more than malicious scripts. No software hole is exploited; the viruses are no more dangerous than any arbitrary piece of code running on your system.
They are not viruses; they only have the privileges that a user gives them. They're the same as any other executable file.
If a stranger sends you an executable, be it a script or a compiled program, and you run it, you're already in trouble. These scripts are nothing special.
Did the article author even read what he was submitting? The author states, "because of the possible virus threat that targets Monad the shell will not be included in Windows Vista", which could not be more deliberately misleading, and is contradicted by both articles he links to! -
Another "IT Pro Advisor"
"Helping Microsoft understand open Source..." is what Barnaby claims as his job description, too. Prior to drinking the MS Cruel-Aid, Barnaby worked for Red Hat. Now he is a model Microsoft shill, he toes the company line without fail.