Slashdot Mirror
New IM Worm Exploiting WMF Vulnerability
An anonymous reader writes "After less than a four days after original mailing list posting there are reports about a new Instant Messaging worm exploiting unpatched Windows Metafile vulnerability. This worm is using MSN to spread, reports Viruslist.com."
These would be good things to know...
http://www.TheGamerNation.com/Forums
Well that didn't take long.
There is information available on temporary fixes from the following sites
http://isc.sans.org/diary.php?rss&storyid=996
http://www.f-secure.com/weblog/#00000760
http://www.grc.com/sn/notes-020.htm
be aware the runnable patch is completely unofficial, the only action microsoft suggest is unregistering a vulnerable dll which only mitigates the most common method of exploitation while not fixing the underlying problem.
NFI how long it will take microsoft to have an official patch out, but from the sans site, it doesnt look promising that it will appear soon.
From MS' site: 4: Block pop-up windows in your browser
My credit union requires that I allow pop-ups! I don't know how many times I've gone to legitimate websites and scratched my head for a while trying to figure out why I wasn't seeing anything - all because I'm blocking pop-ups! Firefox tells you with that little message on top of the window, but you know how it is, after a while, you don't notice it anymore.
You MUST mean MSN Messenger.
Netherlands being the place where it first appeared, and being from Belgium myself, I can say that everybody here simply says 'MSN' when they mean 'MSN Messenger'.
It's more common in europe anyway to use MSN instead of other popular IM networks used thoughout the USA and other countries. IM was never popular with non-geek computer users here and when broadband internet (with a fixed price/month) arrived most teenagers (the primary group of users in europe) all started using MSN Messenger.
Dependency hell? =>
...a dedicated, well-written, well-publicized effort to educate the general public about this sort of thing. We need to establish a meme among the Joe Sixpacks, Moms and Dads, and Grandma Sues of this country that they're foolish if they don't read stories on [whatever].com each week. And on that site, we need to explain, in plain English, [A] what the flaw could do to their computer, [B] what they can do to temporarily/permanently fix the flaw, and [C] what the flaw is due to (99% of the time, this will be 'due to Microsoft software').
Microsoft obviously isn't interested in having an educated user base, or they'd make such a site themselves and advertise it extensively.
Who's with me?
With spending like this, exactly what are "conservatives" conserving?
Beware of this IM-Worm which spreads via MSN using a link to "http://[snip]/xmas-2006 FUNNY.jpg".
Though it's spread mainly in Netherlands as the link sais.
an up to date antivirus should keep you safe.
IM is just a person private email system, period. Try using email, you can even use filters to pick your freinds messages out of the background noise, like inter-departmental mail.
To fix the security risk of IM, either the you give up point to point email that it is to force it though filtering servers (sound like email there again). The Anti-Virus programs on every machine will have to start filtering all that traffic too (wait they are doing this for wmail today also!!)
--
When will people learn that NEW is not always GOOD.
Talk about trolling flamebait. Apple makes money on hardware, not operating systems, so it behooves them to make their operating system work on their hardware. The nice thing about this is that they make some damn nice harware (I'm typing this on a PowerBook), and that they have very little incentive to 'feature-pack' their OS like Microsoft does -- so you get less in the way of quirky 'features', and a hell of a lot of functionality.
Plus, OS X is a Unix, which means it plays nicely with other Unices, and it behaves like a Unix on the command line -- so I get all the power of pipes, vi, Bash, the BSD ports collection (a la Darwinports), gcc, and so on. On the GUI side, it behaves like a Mac -- and I think you'd be hard-pressed to fault Apple for their GUI design.
Best of both worlds; you just have to shell out a slight premium for the hardware, and given that you get a REAL OS with it, I'd say that Mac offers a better bargain for the desktop user than any Dell or Gateway.
--
I Hit the Karma Cap, and All I Got Was This Lousy
Since the first exploit came to light, H.D.Moore of the Metasploit project has reworked the original package they did. The new exploit spits out exploit WMF files that come:
- with a random size;
- no
.wmf extension, (.jpg), but could be any other image extension actually;
- a random piece of junk in front of the bad call; carefully crafted to be larger than the MTU on an ethernet network;
- a number of possible calls to run the exploit are listed in the source;
- a random trailer
This makes it rather hard for antivirus and IDS sigs to detect it, though Snort and the A/V people are working late over their holidays to improve detection.SANS/ISC have provided excellent continued summaries of events around this. Here's their FAQ on the issue.
This is looking truly horrible. On Tuesday morning zillions of Windows desktops will be fired up for the first time in a week or two. This thing's already in widespread use by a number of malware distribution networks for the usual reasons. As such it's a nightmare for network and system admins with Windows machines to look after (and us security people trying to provide advice & assistance for them...) But the stealth nightmare is that this is an absolute jackpot for the less visible targetted attacks, such as those emanating from China for the past couple of years (google around, Slashdot and Schneier have covered this as well as many other places.) There are also the opportunistic types who see an easy opportunity to pwn some key machines where they work, say. I will stick my neck out here and make a prediction. Virtually all organisations with Windows machines are effectively wide open to total compromise by a reasonably informed person. That means much of the IT dept as well as significant numbers of the 'interested poweruser' types, developers with a casual interest in security,.. anyone who's heard of this and is capable of running the findingm, running and using the new exploit, basically. Of course we're all tweaking our IDSes and antivirus, locking things down as tight as possible in the 48 hours remaining, but... *shudder*
For ten years I've been waiting for Microsoft's luck to run out. This is about #3 on my list of catastrophic MS incidents. There aren't many ways things could be worse.
It will be a good time to be running Linux on work machine, though :)
Microsoft recommends, for the time being to just
regsvr32 -u %windir%\system32\shimgvw.dll
BUT according to this analysis, the real fault lies with gdi32.dll ! How the hell do you get rid of that? It's about as deeply embedded in windows as, say, glibc is in Linux distributions..
SCO employee? Check out the bounty
First of all your comment is largely off-topic, causing mine to be as well, but I am only responding to this because I could not bear to read what you wrote and not answer (Mods, please be compassionate!)
You are addressing to largely unrelated issues as one, Freedom of software, and usefulness of the company. Allow me to address them seperately.
The former (Freedom) is a much bigger problem with Windows than Macs, at least with Mac OSX. Sure, they both use proprietary code, but at least Mac OSX uses some Free software.
The latter (usefulness) is very subjective. No doubt Microsoft would think they are useful, while Apple thinks they are. As much as I do not like Microsoft, I am going to have to say that it *and* Apple were both useful, if not so much now. They did start a revolution of computing at home. Unfortunately, it has taken a bad path over the years, but it is the same sort of idea.
As a final note I would like to ask, why did you think you would get +5 funny? I find nothing funny about what you wrote.
... when Hulkamania runs wild on you? Oh, wait, WMF. Never mind.
the link they give for it doesn't work --_--. anyone care to post it?
It's unofficial, but it works.
http://www.hexblog.com/2005/12/wmf_vuln.html
I'm impressed at the timing on this one -- it hits during the slowest time of the year.
I figure the exploiters, even if they aren't the fastest in the bunch, will have massive penetration by the time people start modifying their systems to protect themselves.
So I'm wondering if the bad guys knew about this one for a while and just waited until now to spring it, or did the Microsoft customers just get profoundly unlucky.
Steve Jobs is probably laughing away over this one.
http://www.thebricktestament.com/the_law/when_to_
Ah, Slashdot... where the first post is modded "redundant".
What we need now is for someone to find a remote exploit in a popular webserver and combine both exploits into a worm, 'cause then we're all really fucked.
Belief is the currency of delusion.
That's right, Timmy. Your purely subjective opinion is the ONE TRUE WAY. You let those dirty conservatives know it, Timmy. I'm proud of ya.
Slashdot - where whining about luck is the new way to make the world you want.
I've noticed numerous TGP porn sites have been trying to get me to open a WMF file (Not that I uh.... would know about this first hand or anything ;p). Didn't think there was anything to it until seeing this article- my guess is it's being used to install crapware of some kind.
lucky I'm using Linux.
but somebody can finish this joke... it has to do with a hacked Windows PC... I am teh lose today.
"and on the 7th day 'after' Christmas my true-love gave to me"
Doesn't this virus still require the user to click a link? It's not fully automated?
Why are so many people making it sound like the end of the world?
you just have to shell out a slight premium for the hardware, and given that you get a REAL OS with it
A real OS that won't run a large proportion of the software people want to run. It doesn't matter how good it is it's how practical it is that counts. I'd quite like an Apple myself but it can't do everything that I want my Windows box to do. Same reason that I have a Linux partition rather than a solely Linux box.
Does a Christian soccer team even need a goalkeeper?
An exploit of "gdi32.dll" using a WMF file for the attack was documented back in November. Does this new exploit use the same attack approach?
Comment removed based on user account deletion
Right, sorry for the typo.
No one said that using something other than Windows would solve all security problems, only this one. The grandparent was entirely correct in its observation.
Get a patch here: http://www.hexblog.com/2005/12/wmf_vuln.html
All the necessary information and explanation (plus q/a) is here. This is the only hope at present. Good luck to everyone on Jan 2 when this thing takes over the world.
Why in the world would a WMF file need to be able to execute a script? And aren't most of Microsoft's vulnerabilities related to the wanton running of scripts without a user being aware that it's happening?
if everybody bought their grandma an iMac, there would be a lot more exploits on them then there are now. As many as wintel boxes? Probably not. But more than there are now.
Have you been touched by his noodly appendage?
If you're an IT pro and you're running Windows at home, you should have your boxes imaged so you can just unhook from the net, image, apply the fix, take a new image and hook back up to the net. Seven boxen shouldn't take you more than a couple hours -- less if you use a standard image.
If you're setting this up for the first time, don't forget to redirect "My Documents" to a different partition, or better yet a server with a backup regime. Oh, yeah, and choose the "Activate Windows over the phone" option before you make your first image so you don't have to re-activate each time.
If you're an IT pro and you're not using Windows at home, take the extra hours and spend some holiday time with your friends and family. Life is short.
Help stamp out iliturcy.
Twelve IRC bots spying,
Eleven worms-a-wriggling,
Ten Paypal phishes,
Nine ActiveX holes,
Eight Blaster variants,
Seven Sony rootkits,
Six keystroke loggers,
Five porn diallers!
Four Exploit.WMFs,
Three Mytobs,
Two Bifrose-Ds,
And a homepage stuck on goatse.
(You, ettlz, rock.)
You can hold down the "B" button for continuous firing.
i would guess its like a situation of choosing to be haunted by
1 a sixth circle poltergeist that sometimes does nice stuff for you
and
2 a ninth circle deamon that not only gets hostile with you but always has hordes of Imps trashing your place
aka "the lesser of two evils"
Any person using FTFY or editing my postings agrees to a US$50.00 charge
Microsoft Word? Microsoft Excel? Powerpoint? Outlook (Entourage)? Photoshop? Quicken? Dreamweaver? Firefox? Illustrator? InDesign? GoLive? Flash, Freehand, Fireworks? Or most anything not native that will run under Virtual PC?
I just bought a Powerbook recently, and have everything covered that I had running on my Dell. So I guess I'm not sure what major software is missing that most people want to run...
Oh. You must mean GAMES. Okay, but personally, I'd get a "real" computer, and then buy a PS2 or XBox to pound on...
Any sect, cult, or religion will legislate its creed into law if it acquires the political power to do so.
I can understand spreading the fact that the exploit exists. I could maybe argue whether or not you should spread info on the exploit. I can barely see why one would make an example exploit.
But why would someone make a program specifically designed to make an undetectable/untraceable version of the exploit?
I can only see harm coming from this.
And I'm sorry, but "because it's there" doesn't work when you know there's only negative outcomes of what you do.
http://lkml.org/lkml/2005/8/20/95
Oddly enough, tools like Skype seem to do it right from the ground up,
well apart from the fact they rely on abusing thier users bandwidth to support users behind firewalls yes.
note: i'm known as plugwash most places but i screwd up registering that here somehow in the past and now can't register
Oh. You must mean GAMES. Okay, but personally, I'd get a "real" computer, and then buy a PS2 or XBox to pound on...
some people like consoles and i must admit there are a few console games that i quite like but no console even comes close to the back catalogue of PC games (though admittedly a lot of those can be hard to make work on the non-dos versions of windows) and even if they did very few console games support mods or even custom maps and internet play is a pretty new feature for consoles (yet its something the PC has been doing for years).
note: i'm known as plugwash most places but i screwd up registering that here somehow in the past and now can't register
lol no im not a wmf worm!
In Soviet Russia, backwards is everything.
It doesn't have to be major software though does it? It just has to be a device with Windows-only drivers that you need to use or an app that will never be ported to anything but the latest version of Windows. You forget that people use PCs for all sorts of things and that a lot of things will only work with a Windows box. Otherwise I'd be typing this in Linux right now instead of being in Windows about to log on to my favourite MMORPG which only runs on Windows.
All those apps above either exist natively or can run with Crossover. That isn't the case with everything though, the above-mentioned MMORPG refuses to run under WINE, Cedega or Crossover.
Does a Christian soccer team even need a goalkeeper?
e.g. is there a way for a remote user to make it display a wmf without the recipiants consent?
note: i'm known as plugwash most places but i screwd up registering that here somehow in the past and now can't register
I've got a big box of old PC games but as you said, w/o a DOS-based Win95-class system (which I no longer own) I can't play most of them anyway. And it will be interesting to see what "Virtual PC" options become available on the x86-based Macs. It could well be that one could have the best of both worlds...
Any sect, cult, or religion will legislate its creed into law if it acquires the political power to do so.
at least back to +3 so anyone who reads it will see the clarification. as it stands this is very uninformitive.
note: i'm known as plugwash most places but i screwd up registering that here somehow in the past and now can't register
...to block AIM & MSN chat, and all their clones, at the corporate firewall. Before it was simply a time wastage issue...now it's a big security risk.
Most people's favorite MMORPG already runs under OSX. ;)
GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
I think switching OSs is a less difficult proposition for someone who has time to read slashdot than picking up your family and moving is for someone who can barely feed his or her own kids.
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
I'm willing to bet that if you took a survey of 100 random mac users, the majority would say that the OS is the reason they got it, not the hardware.
Apple seems to agree with me: They're changing over to the same hardware that Windows PCs run on.
GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
NOD32 (www.nod32.com) catches it. Supposedly McAfee can catch it as well, but Norton doesn't.
Hunt your preferred prey at Aliens vs Predator MUD. Join the war at avpmud.com port 4000
From http://isc.sans.org/diary.php?rss&storyid=994 :
. exe Our own Tom Liston reviewed the patch and we tested it. The reviewed and tested version is available here (now at v1.3, MD5: 14d8c937d97572deb9cb07297a87e62a). THANKS to Ilfak Guilfanov for providing the patch!!
1. Microsoft has not yet released a patch. An unofficial patch was made available by Ilfak Guilfanov. http://handlers.sans.org/tliston/wmffix_hexblog13
2. You can unregister the related DLL.
3. Virus checkers provide some protection.
To unregister the DLL:
* Click Start, click Run, type "regsvr32 -u %windir%\system32\shimgvw.dll" (without the quotation marks), and then click OK.
* A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.
Horns are really just a broken halo.
I know next to nothing about Instant Messaging clients, but is it possible that an employee could have left his computer powered on, and logged into windows, and with an IM client running on his desktop, and could that IM client then download this worm automatically [without any manual user input, such as clicking on a link]?
I.e. might it be the case that when Admins return from New Years' vacation [Monday, or Tuesday, or whenever], there could be [quite literally] MILLIONS of infected desktops?
And I trust downloading a DLL that injects into gdi32...why? I'll just do what I always do to avoid viewing pictures that I don't need (goatse, web beacons, etc.).
Who is this guy and why should I trust him? Or better yet, is the code open-source, or is the exact method publicly available so I can write my own hook?
Mind you, the only ones who know enough of the Windows internals to pull such a stunt are Microsoft employees, and I seriously doubt they'd risk a stunt like that. Especially as they'd likely be on said chair when Microsoft's CEO lobbed it off the roof.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Ok, ignore my other message, I trust him.
The SANS guys have reverse engineered it and given it the thumbs up if that's any help to you : http://isc.sans.org/diary.php?storyid=999
So, you're saying they lose money on the OS? I don't think so. They release more upgrades, which you must pay for, than Microsoft. That's for sure.
You may have been only talking about yourself, but it made it sound like there were no options for anyone... like the Mac.
How ironic you actually used the word "switch".
Unless you NEED to run Autocad or something along those lines, there are very few people anymore who really cannot switch to a Mac.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
There's an old joke that goes, "I've got a bridge for sale. Great deal on dis bridge!"
Point being that Microsoft has always promised very high and delivered extremely low. You're more fortunate than most since you know about and use alternatives. In userland, most of them are just recently realizing that they been sold "da bridge."
Sure wish I had bought that Apple stock a few years ago, doh!
Everything in the Universe sucks: It's the law!
You confuse the definition of hardware.
I bought a Mac for the OS. So I agree with such a statement, but as for the hardware, people want to buy hardware that 'just works'.
I spent several hours today getting a video card working on a Windows XP machine. The entire process was stupid. The error messages were useless (and wrong). The FAQs I read hinted at the issues, but didn't address them. In the end, to get the video drivers to do anything I needed to install new drivers for everything else on the system. (Which, without good cause I am reluctant to do as they could conceivably break something that is working just fine.). [and even this didn't solve the problem till I put the old video card in, cleaned out all the attempted install of drivers, re-installed the new video card and re-ran the entire process.]
The process to get hardware working on a Mac, in my experience, is far easier and less troublesome. It smees to be far better controlled and thought out. Less ad-hoc.
That is something I am entirely willing to pay for. (And also why I don't run Linux, which suffers the same issues...)
completely agreed. it also shows something of a lack of effort on microsoft's part. i believe that the problem has still not been fixed with an official patch (others have to do the dirty work) and i think the vulnerability was known about four days ago! That is unheard of on open source systems because their creators aren't busy marketing the newest XBox game. I recommend gaim or naim (if you don't mind console) for the aim and everything. I hear Trillian is good but have not gotten around to trying it yet. I believe it is for windows, no? Probably has better protection against this stuff than MSN does though (that doesn't say too much...) (-hrair-)
Beware of the shining wires...
Uh, if anything, OS X comes with *more* stuff "bundled" than Windows.
On the GUI side, it behaves like a Mac -- and I think you'd be hard-pressed to fault Apple for their GUI design.
The Dock ? Generall sluggishness on anything but fire-breathing G5s ? An inability to decided what their applications should look like and why ?
Best of both worlds; you just have to shell out a slight premium for the hardware, and given that you get a REAL OS with it, I'd say that Mac offers a better bargain for the desktop user than any Dell or Gateway.
This should be pretty funny. Just why isn't Windows a "REAL OS" ?
I have seen in the past week our work increase 5 fold because of this exploit. What is normally a very slow time of the year for us has become very busy for us and it's making me nervous myself.
I know next to nothing about IM/RSS software, so I am just speculating here.
But suppose you had some IM/RSS client [MSN, AOL, Yahoo, whatever] that had an image rendering aspect to it. For example, suppose your IM/RSS client were capable of rendering the JPGs in an HTML message.
Then it seems to me that if you had such an IM/RSS client running on your desktop, and if someone knew your IM/RSS handle, then they could send you an IM/RSS message with very elementary instructions for downloading the evil file:
and you'd be hosed without ever having clicked on any link. And if the worm were really smart, it could then install "thttpd" trivial http daemons to spread itself internally on any corporate network [via each person's IM/RSS "address book"].If that's true, and if lots of employees left their computers running and logged into windows with such "automatic" IM/RSS clients running on the desktop, then Tuesday or Wednesday morning [or whenever people decide to come back from their New Year's vacation], there could be literally MILLIONS of infected machines.
So the question: Are there IM/RSS clients that can download files automatically?
I've noticed numerous TGP porn sites have been trying to get me to open a WMF file (Not that I uh.... would know about this first hand or anything
In this particular instance, I think I'd choose first hand knowledge over second hand knowledge.
You are arguing "because it's there". Why did someone do it? Because they could. Or, go to back to the mountain climbing roots of the original quote, because then others would know it can be done (and you've done it).
It doesn't take an example to show it can be done, thanks. Believe it or not, even Microsoft understands software is mutable.
A simple explanation is plenty.
As to your comment that the people we really need to worry about won't even be affected by this: history has shown this not to be true.
Apparently the attackers aren't awesome programmers because history has shown that the real danger comes after a sample exploit is made, not when the info becomes known.
Again, I just don't see why someone would need to make the most evil version of this possible and distribute the source code.
http://lkml.org/lkml/2005/8/20/95
Not sure if this is the case for anyone else, but I've found that while i can previous thumbnails, ACDSee (latest version) no longer works, giving an "internal error" message and a white screen, instead of the image. Still, better than getting pwned.
Is there an extension that will at least keep the Firefox toolbars and menus available in pop-ups even if the Javascript prohibits it?
So we're talking niche app's and/or hardware? That seems to be a bit different than the original statement regarding a OS that won't run a large proportion of the software people want to run...
Any sect, cult, or religion will legislate its creed into law if it acquires the political power to do so.
Being a security specialist, I can see how this would alarm you, but I think it's not so bad. There have been numerous 0-day IE exploits before and the world hasn't ended.
First of all, this worm requires SOME form of user interaction...they either must go to a website that uses it, or be chatting on specific IM app and get a malicious message. Second of all, due to the fact that 95% (yes, I pulled that stat out of my ass but I'm sure it's close) of Windows users run as admin, these exploits all assume admin privs and this fall flat on their face if run by a non admin user.
In a corporate setting users will normally (I HOPE) not be running as admin, which would effectively kill most if not all of the worms due to the fact that they assume admin rights, and AV apps are fully capable of deteting and blocking the actions of this exploit if they do get through.
There will be a patch soon, we will all apply it to our corporate networks and the world will continue to spin.
I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
WMF IS a script. now with root exploit goodness. :)
This ignores the fact that they're still the ultimate in proprietary lock-in.
But not in any useful way (I hate how unix has become a buzzword.)
So? You can on windows with cygwin too. That doesn't mean it's very useful. The power of unix is how all the systems are interoperable open and modular and everything is controllable from the commandline. With MacOS, it's like having a unix emulator strapped on the side of a run of the mill proprietary desktop platform.
You obviously hang around with a lot of Apple apologists and armchair UI experts.
Malike Bamiyi wanted my assistance.
I got my first taste of personal computers in 1999, I got a laptop with Windows 98se and had nothing but problems. I determined that it was broken-i.e. a poorly designed tool. The majority of the people I questioned about this said, "it's just the way it is, accept it." I am not one to keep a broken tool-as I build houses among other things (http://my.opera.com/emotional1/albulms/), so I searched around and someone suggested Linux. As I had no computer experience it seemed to me that it did not matter which way I went-Linux or Microsoft-I would have to learn. That has been over five years ago and I have many computers and just recently switched my mother to Linux-because it just works. BTW My mother is very practical-she just wants it to work-I can't blame her. Microsoft is very busy trying to hold on to it's market share which has always appeared to be more important than spending much needed resources on its basic tool-Windows OS-any version. I am grateful every day that I made the right choice- and when a friend asks me if I will fix their computer I tell them I will fix it by replacing Windows. I feel for you, it sucks when you buy something that 'sort of' works, only to find out that they are already focussing on the next version-which will follow the same tired pattern, instead of fixing what they shipped 'unfinished' in the first place. It is nice that some guy wrote a patch to fix this, that's the kind of spirit that I have found using Linux over these past years--BTW I do contribute money to the projects that I use frequently and am available to spread the word that there is an alternative to Windows.
Life is a gift. And my Karma couldn't possibly be 'Positive'
DosBox works under OS X too.
After all, I am strangely colored.
The process to get hardware working on a Mac, in my experience, is far easier and less troublesome. It smees to be far better controlled and thought out. Less ad-hoc.
Of course, on the other hand there are very few Macs out there where you could even install a new video card. You don't have to support all kinds of strange hardware when most of your computers come with everything integrated and very little expandability. I'll take the upgrade woes and inexpensive commodity hardware over a disposable computer appliance.
It's odd but I've noticed a lack of Microsoft cheerleading over the past couple of days. I'm sure as soon as a patch is made for this latest Windows exploit the cheerleading with resume with the usual vociferous putridity. Shine on!
Life is a gift. And my Karma couldn't possibly be 'Positive'
A Driver, on the other hand, is a piece of software that tells the OS how to interface with hardware. Usually they are shipped with either the OS or the product itself. They are also OS dependant.
Part of the problem with Windows is that the drivers that actually ship with Windows are considerably out of date. A number of them have not been upgraded since the initial launch in 2001. This is why each product from motherboards on down comes with a drivers disc. These discs are not there just there to file in a case and ignore.
Linux distrubutions are a different ballgame. They tend to have a hardware auto-discovery program that runs on boot. From there, it tells the kernel which drivers (kernel modules) to load. Since almost all drivers in Linux are written by the kernel team, actually hitting a conflict between drivers written by the kernel team is rare.
ATI and NVidia cards are the exception to the kernel team written driver rule. These two companies don't want anyone to know how their drivers work, so they ship them as pre-compiled binaries. However, it's not guaranteed to be shipped in a particular distribution.
Even though OSX only has a limited subset of hardware (as pointed out by toddestan) that it has to deal with, not everything Just Works.
GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
"reverse engineered"?
:( It was a single file, would have been pretty easy to read it and make sure it doesn't look like it does anything malicious, *then* compile it...
You do realize that the installer at hexblog dumps the source to the "install dir"? (The actual useful DLL goes into system32 instead...)
It would have been nice to have the option to get just the sources w/o the installer though
The 'patch' requires a reboot
Just thought I'd point that out for all you windows guys who worry about their up-time.
[Fuck Beta]
o0t!
JPG, PNG, GIF etc. all have headers that should surely be checked before displaying the picture. Do IE not do this?
In short, do i have to actively click a "Open this file" dialog on the browser?
Is this reversable? I don't see an option to re-register a dll using this command..
IMs and email are exactly the same. The only apparent differences are in the implementations and the default (and available) settings for the clients, as well as the meta-communication functions of most IM clients that simply duplicate the features of 'what are you doing right now' systems of the past such as finger. My email client can pop up a notice the second I recieve new mail, and even give me a text box to type a reply into. My IM client can store messages for me to read at my leisure. I can check my email on the web. I can check my stored IMs on the web. I can turn off my email client. I can turn off my IM client. Either way I can respond immediately or wait an hour. Either way the person on the other end has no idea what I am doing if I do not want them to.
How about the (at least) $500 you'll spend switching to the Mac? Not to mention the costs of repurchasing software like Office and Photoshop if you use those sorts of programs.
The system cost depends on if you were going to buy a new PC anyway, or if you are buying a new computer for someone else (like a business or a parent).
Furthermore most programs offer free crossgrades - Photoshop is one, and I think Office is at least reduced in price (not sure about that).
Switching to Linux means Photoshop or Office will not run at all - you can use replacements but they are not (quite yet) as compatible - I use Open Office all the time so I know how close it is but it's not quite there yet.
But really Linux is by any measure just not as easy to switch to as the Mac is right now. For some users it will be OK, for businesses with existing PC's I think it's perfect, but for lots of single users it's just not as good an idea at the moment (though it's getting there).
"There is more worth loving than we have strength to love." - Brian Jay Stanley
But then again, when it was discovered that there was a simple way to get into Hondas using a pencil, did people go out and explain what it was? This actually happened in about 1994, and Honda fixed the problem once informed of it. But were the details widely publicized? No.
/etc/passwd file on a modern UNIX machine. Do you see your crypted password in there? No? Well, perhaps there's a lesson to be learned there about whether obscurity really does have some value.
As to me offering "security through obscurity", you're trying to make a phrase fit that doesn't fit. Security through obscurity is to design a system where simply not knowing something is the security. Here I am merely speaking of not telling EVERYONE all the details of a security flaw while the company that is responsible fixes it. I didn't say you shouldn't tell Microsoft. I didn't say Microsoft shouldn't explain there is a vulnerability. I didn't even preclude details of the vulnerability being given out. I didn't even preclude someone writing an exploit to show it can be done.
What I did was condemn writing the most evil version of the exploit possible before the patch is even released, and then giving out the code so others can do it too!
You say it's to make virus scanners better. By making it bigger than an MTU, presumably to make sniffing firewalls better. Well, what about those of us who don't have sniffing firewalls? Am I well served by a metaexploit being written? And additionally, you say this will let people recognize the exploiters (worms) better. How are they supposed to do that? This program makes all the versions of its exploits look different. For that matter, how can someone even tell a legitmate user of this escape sequence from a worm? There are literally an infinite number of ways to write code that does identical things (exploit and propagate). So how can a program inspect code that is used with this escape command to tell if it propagates? Answer, it CANNOT. Even by running it you can't be sure, maybe you just didn't give it the right conditions under which to trigger.
The only thing that can be done is pattern matching, and this metaexploit defeats that.
Honestly, MS is just going to have to remove this feature and deal with the fallout. We just have to give them a little time to do it before handing weapons to those with criminal intent. It's like selling arms. It does increase fighting, even though in theory, people could already have made weapons to take out their greivances upon other.
Perhaps this flaw has been being used for years to get into machines. How does that excuse this? This metaexploit is neither going to undo that, nor is it likely to get MS to fix it faster. It just might get more people hurt before MS can write and test a fix.
In short, I do understand there are already some people who exploited this hole. But there's no reason to make the problem worse. And that's what releasing this code will do.
Additional note on "security through obscurity". The first major proponents of this were the people who decided that UNIX shouldn't hide passwords, instead just 1-way crypt them and store the results in a publically readable file (passwd). Well, guess what, they were wrong. UNIX got greatly boned by this decision. It was wrong for two reasons.
1. Because it allowed offline and parallel dictionary attacks on user passwords.
2. Because it meant that you couldn't use any "shared secret" type of authentication, because UNIX didn't know your password. It could recognize it if you sent your password to it, but it didn't actually know it. This led to a lot of difficulties with protocols like POP and FTP sending your password in the clear.
Take a look in your
http://lkml.org/lkml/2005/8/20/95
Can Microsoft Windows AntiSpyware (Beta) program protect our system from this problem?
You don't even have to download the patch! It just tried to display patch.jpg.wmf, and then my system was patched! Must have self healed or something...
Well that's nice that they are the same in your setup. But what about the 200 million other users who don't have their email integrated into their life like you do. For them IM is much more convenient and practical.
Unregistered or incorrectly registered DLLs are the cause of a quite a lot of Windows problems (so if you have random problems with image viewing in the shell after running that command, you know why).
What's stopping Microsoft from running IE in some sort of a sandbox? That keeps all those apps running but IE would be a lot safer, and IE is mostly where the viruses are getting in.
No sig today...
No we aren't. We're talking most games, lots of apps and lots of devices. Look I think that Macs are great but calling people stupid for not wanting a system that costs more and doesn't run everything they want it to is a bit much really. People buy x86 systems with Windows because they know that it will run everything they throw at it albeit with all the 'joys' of malware and random crashing at the same time. My point was never that Windows is better, it's just so entrenched that either the EU taking Win32 off MS or a complete technological shift is going to move it.
Does a Christian soccer team even need a goalkeeper?
A WMF file *is* a script, it's a vector language like postscript.
And aren't most of Microsoft's vulnerabilities related to the wanton running of scripts without a user being aware that it's happening?
Quite often, but this is just a good old programming error.
I am trolling
Do all anti MS /.folk now have these images as their IM avatar?
"you should have used linux, like i told you to"
Oh yeah? Linux too.
Browsing with classic discussion, noscript, at -1 and nested
no hidden comments and I only mod UP
Yes, the bad guys have apparently been exploiting this for a little while. That's something we can agree upon.
But why does releasing the most evil version of it possible help anything?
I can see how it hurts, it helps those with criminal intent but no brains in making versions of the exploit that can't be detected.
But how does it help? It doesn't help make scanners better, as scanners have to pattern match and this defeats pattern matching. It doesn't help pressure MS, as they surely have a fire lit under them already.
Again, I ask not why would the "good guys" write an exploit, but why would they need to write a version meant to be undetectable? They are good guys, they don't have anything to hide, so why hide? You don't need to hide to see how the exploit works.
http://lkml.org/lkml/2005/8/20/95
So they have a few different options checked. The available options are still the same, as is the range of behaviors.
Big deal. If anything, that's part of the problem.
.wmfs. It just happens that the code in some cases might be evil. How do you analyze code to tell if it is evil? Answer, you cannot. There are literally infinite combinations of instructions that are evil.
Again, what does this help?
As to being merely *hard* to detect, I would say otherwise, well, at least as a practical matter.
Perhaps you don't understand this exploit. This isn't a buffer overflow issue, it's a legitimate part of the file format. You can embed code in
So, you could just look for the use of this escape sequence (that says code follows), and flag that as problematic. You'll flag legitimate uses too, but do you have any choice? And given that this is the way you have to do it, how does making variants of code designed to be difficult to pattern match help you see this escape sequence?
Again, I just don't see how this helps anybody but the bad guys, 100% disclosure or no.
http://lkml.org/lkml/2005/8/20/95
The image could be the text Got Firefox? No? You have now.
There you go, an antibody - uses the virus' vector to immunise the recipient.Or perhaps Trojan Hearse?
I just didn't like the analogy. It was a little grandiose.
You could have made the same point by talking about getting a new car/coffee maker/whatever if they issue a recall w/free repairs on some part or something.
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
vulgarly: "don't trust the firewall filters, don't trust the antivirus vendors, don't wait for Microsoft. Install the patch immediately. If you are running a Windows operating system the patch doesn't support, time to shut it off and wait."
--
Keylogger killed my marriage, but saved my life.