Trustworthy Computing
Anonymous Coward writes "This is a first: the Internet Storm Center is recommending trustworthy computing. They want you to trust that the unofficial patch for the Windows Metafile Volunerability that is currently being exploited by an IM worm. No patch from Microsoft at this time, and the exploit is arranged in such a manner that it cannot be detected by most intrusion detection systems (the snort rule will peg the CPU on your router) nor filtered by packet-inspecting firewalls (it spans two or more ethernet frames). Not really a whole lot of choice about this one."
As it says in the article, some people in the corporate world won't do it if the patch didn't come from MS. It's sad, really. If I had an exploitable machine around, I would trust their patch.
Plant a tree in a developing country.
What is the over/under for Microsoft getting a patch out for this?
If there is a time to deviate from their monthly patch cycle, this is it. The patch should have been out days ago, yet we are still waiting.
And Microsoft wonders why no one takes their security promises seriously.
It'd be nice to have a computer that I can use the patch on.. Maybe I can Wine it?
Any grammatical or spelling errors above are for comic effect, and do not signify imperfection in the writer.
Sometimes, I really start to think that security is so poor in commercial operating systems, because they want to use protection from all these exploits as the bait to get us into the "trusted computing" cage.
Trusted computing is a farce, because the one thing that *isn't* trusted, is the user.
The theory of relativity doesn't work right in Arkansas.
...just disabling the offending .DLL. I mean it's not like people are actively using MS image viewer. There are plenty of better products.
What?
Could someone elucidate please?
Not true.
I imagine that I could push out the deregistering fix, and associating WMF with Notepad, but that seems a little extreme because our attack vector has become limited, and our anti-virus is now updated with the newest signatures that detect this exploit.
FTA:
You cannot wait for the official MS patch, you cannot block this one at the border, and you cannot leave your systems unprotected.
This has always been the case with Windows, if I'm not mistaken.
How many late nights, all-nighters, and missed holidays have you experienced, thanks to things like ILOVEYOU and Slammer? How many times have you had to clean up the mess created by Microsoft's shitty, unsecure software?
Clearly Microsoft wasn't interested in calling people in over the holidays to whip up a patch for this critical vulnerability-- something that you could go in a couple hours early tomorrow and roll out to the PCs in your organization. They're going to let you suffer. And why should they care? They've already got the money of the company you work for. People are going to return from their holiday vacations tomorrow, load the wrong web page in IE, and get pwned. And you'll be left to clean up the mess. Again. Better pack an extra sandwich with your lunch tomorrow, because you probably won't be getting out at 5.
Windows has produced a datatype that allows people to place executable code into image files? How can they call themselves programmers? Seriously, whoever engineered the WMF format should be ashamed.
99 bottles of beer in 175 characte
Today was supposed to be my fifth vacation day this christmas.
I've had two; and decided to come in to the office today to make sure we were patched up against the exploit.
Yes, I took the plunge.
The patch is now deployed in our small office (30 windows PCs atm); and so far so good.
Would I have felt safer if the sourcecode was released? Perhaps.
That said, I'd rather take the ISC's word on the fix than have a guaranteed hell within a couple of days.
The dedication of the people involved with ISC, as well as that of Mr. Guilfanov brightened my start of the new year.
Kudos, people.
Not really a whole lot of choice about this one
Sure there is. Don't use MSN to IM, for starters. Don't open e-mail from senders you don't recognize. Don't click on hyperlinks in e-mail without verifying that the URL is really what the text states it is. And if you are in a corporate setting and the Network Admin hasn't blocked IM, you've already got bigger problems to worry about.
Since the only link to the patch appears on the SANS front page (and not on the blog page for some reason), here's a copy of it.
MD5: 14d8c937d97572deb9cb07297a87e62a
Saturday's word was "transferbangle." Today's word is "volunerability." I wonder what tomorrow's word will be!
I'm still not sure myself whether or not I will install this unofficial patch.
Reasons for not installing it:
- I'm behind a router and use a firewall, virus scanner and several anti-spyware programs.
- I don't visit any suspicious websites (though this is probably not limited to 'suspicious' websites).
- I use Firefox for browsing, which (if I remember correctly) is not directly affected, unless you accept to run the .wmf-file.
My possible reasons for installing this patch beforehand:
- I don't know if the virus scanner and anti-spyware programs will pick this up in time.
- I have exams two weeks from now. I don't have the time to spend hours on end removing crap like this (and yes, I do have time to type this message :-P ).
Oh, and patch tuesday, is that tomorrow or next week?
Join the anonymous, help develop the network: http://www.i2p2.de
Or is the original headline post for this thread written in gibberish enhanced by misappropriation of terms and conflation of concepts? How is trusting the unofficial patch conceptually related to "trustworthy computing", and why should packet spanning make it invulnerable to filtering?
Some drink at the fountain of knowledge. Others just gargle.
No flamebait intended, but that's a typical sensationalist misleading Slashdot headline. No one's advocating "trusted computing" or similar initiatives here; all they do is say "here's an unofficial fix, and we'd like to recommend it even though it *is* unofficial, considering the seriousness of the vulnerability and also considering it was written by a reputable Windows expert, namely Ilfak Guilfanov (author of IDA Pro)".
And for that matter, there's no mention of "the Snort rules will hog your router's CPU", either - that's total rubbish, probably made up by the article submitter. And it slipped through, too, since the Slashdot "editors" never care to actually edit stories before they publish them.
Shame on you, Hemos!
quidquid latine dictum sit altum videtur.
Not really a whole lot of choice about this one.
OK, that just makes it too easy.
*awaits avalanche of "Linux is the cure"-style replies*
Which, of course, is correct, as it's not affected by this, but not suitable more than as a worn joke, as many organizations can't make the switch easily either for lack of own competence, will to hire those who have, lacking software compatibility and/or counterparts, etc.
Beware: In C++, your friends can see your privates!
They want you to trust that the unofficial patch for the Windows Metafile Volunerability that is currently being exploited by an IM worm.
The problem there (aside from the FP's atrocious grammar) comes from how the "unofficial" patch will interact with MS's eventual real fix.
I certainly don't consider myself a Microsoft apologist, but I KNOW that anyone who installs this patch, then discovers some bizarre (potentially very serious) problem from Microsoft's solution, will bitch loudly that Microsoft should have taken the interim fix into consideration. These same people currently bitch that Microsoft should throw caution to the wind and issue a fix ASAP, out of their normal patch cycle and without adequate testing.
Personally, I don't see the problem with temporarily unregistering the affected DLL... I NEVER view thumbnails through explorer (slows it down beyond belief), and MS's built-in image viewing/printing software lacks even the basic editing capabilities necessary to print "grandma" rather than "a grandma-like dark smear, 27 unknown people, and 90% sky".
I love the way the story starts 'Anonymous Coward writes', with an email address link to the author.
I wouldn't call what they are offering trusted computing. They are not the manufacturers of the OS, so whatever they are offering is NOT trusted computing. Since it's a typical binary patch you have to trust them that this patch won't hose your system or make you pwned by these or other folks.
As a long time Linux user, I find this situation appalling. If I were stuck using a Windows box I would be pissed off by this. Look, when I want to upgrade my box, I just do an apt-get update, followed by either apt-get dist-upgrade or use synaptic. I know my sources (I select them myself), I know that the reality checks exist (gpg keys, outside sources verifying the software, etc.). I know I'm not getting hosed when I install software from my usual Debian repositories.
Do any of you Windows folks know these security folks? Do you have any reality checks that you can apply against this binary patch? What control do you think you have of your operating system?
I guess if you haven't been a Linux user for a long time you might not understand the depth of how bad your security model is when you're stuck with Windows.
--Johnny
The very best response that our collective wisdom can create is contained in this advice - unregister shimgvw.dll and use the unofficial patch. You need to trust us.
Trust you? You can't even put the "unofficial" patch there on the page, or write the one-liner needed to unregister the dll (I know it, but the corporate types you want to try and convince of this don't). Where can you get the unofficial patch?
I believe this is because _any_ image is vulnerable to infection. Because Microsoft checks the header for every image file and treats it as WMF if the header matches, all jpegs, gifs, and pngs are potential vectors for the disease. A router that has to inspect _every_ image that is surfed by users behind it will immediately turn into a bottleneck.
A couple of the other comments here seem to miss this very important point:
It's not just files with ".wmf" at the end. Any image file will get unwrapped by Microsoft code and the callback will get executed. Woof.
Sounds like an nth complexity binary loop sort of problem to me.
They want you to trust that the unofficial patch for the Windows Metafile Volunerability that is currently being exploited by an IM worm.
:|.
OK, tell me how that sentence is supposed to make sense. Come on
Arrrrrrr
Migrate to Linux.
Our company did last year, city of Vienna did as well as many other companies and organizations, it should work out very nicely for you too. Our former XP users love KDE.
No need to put yourself through pains when you can improve security, save money and achieve some level of vendor independence all at the same time.
The title comes directly from the ISC's Handler's Diary post, which uses it as a joke to reflect the fact that they will ask people to trust them on this one. Quote: "I find myself in the very peculiar position of having to say something that I don't believe has ever been said here in the Handler's diary before: "Please, trust us."."
They loved it so much you posted anonymously, in your room, with the lights out, under a blanket?
BeauHD. Worst editor since kdawson.
If it is, I can live without it.
What is the calculation that Windows users -- esp. businesses -- make that allows them to keep on using Windows?
When I had to pick an OS, I did research and picked one that I felt was secure enough for my needs. Windows didn't make my cut.
Somehow the Windows folks keep on choosing to use Windows, even though after the WMF exploit is history, they'll just be waiting for yet another "shoe to drop".
I understand that legacy apps/data formats get you locked-in to Windows, but doesn't "remote exploit" concern you enough to make you think "must switch!"?
http://www.thebricktestament.com/the_law/when_to_
ISC is advocating the "trust us!" model of computing by posting a patch that we basically have no option but to apply, without posting the source code.
Let me know if there are any other half-assed jokes that you can't understand, I'll try and work them out for you too.
vvj
..that if we all were running "trustworthy" computers, this problem would be much, much worse than it is now. Imagine that now instead of having a patch that's already been made by someone else while we sit and wait for Microsoft to get off their asses, we now have to wait on Microsoft, who still hasn't shown up.
Instead of having *some* machines patched, we'd have none. This late after the exploit has been released, and a zero-day attack has happened, we'd see no respite.
If you try to argue that Trustworthy computers wouldn't allow this to be exploited, what if the trustworthy component itself was exploited? As the Xbox and soon the Xbox 360 have shown, the more complex the hardware, the more complicated the bugs are. Microsoft's betting that the hardware complexity can outgrow the programmer's abilities to crack it, but if there's any truth in the world, it's that if it can be engineered, it can be destroyed. So imagine if this virus was actually signed by Microsoft through the exploit. How would this look for their company? How can you save face from a disaster like that?
No, trusted computers aren't the answer, just more secure computers, with better code. And the fact of the matter is, the more eyes that are on the code, the better it is, and that's why Open Source will always succeed. No amount of cryptography will help you if there's a hole in your crypto system.
"Victory means exit strategy, and it's important for the President to explain to us what the exit strategy is." G.W.Bush
So we have to explain the joke again:
The title comes from the original note in the Handler's Diary. You see, it creates a mental tension between "Trustworthy Computing", the lack of an official patch and ISC's "Please, trust us". It makes some readers smile.
Here.
because the os you pick will have no exploits ever
did you forget to take your meds?
...because the IM side of things had a limited spread in the Netherlands. The main jump off for this thing was rotating banner ads (along with about six billion pics on Myspace by this stage of the game)..
I have read the source and compiled it before installing, of course I trust it ;-)
Think users are bad in the corporate sector? Wait until everyone gets back to the college dorms after winter break with their completely unpatched computers. And all the people who have new computers that they got over the holidays. It wouldn't matter if Microsoft had patched it last week, I guarantee that the student users who need it won't have it.
Speaking as a poor sap who has to fix these computers, I have one thing to say: "Thanks for the easy money". And a heads up to all you dorm technicians, get ready to start burning virus CDs.
It's not just files with ".wmf" at the end. Any image file will get unwrapped by Microsoft code and the callback will get executed.
Yes. You see, when the HTTP 1.1 protocol was being developed, they made it a solid rule - you MUST NOT GUESS the content-type when it's supplied.
Anybody want to hazard a guess as to what Internet Explorer and everything that uses its rendering engine does? Yep, that's right, it ignores the standard and guesses.
That means that instead of having to check <1% of images going through your firewall/proxy (WMFs and unlabelled content), you have to check 100% of them. Heck of a job, Billy-boy!
WTF are you trying to say:
"They want you to trust that the unofficial patch for the Windows Metafile Volunerability that is currently being exploited by an IM worm."
Possibly the worst story ever.
I think the problem is the timing: Holidays. However, I do agree that MS people should be called in to work on this serious patch. I can't wait to see the messy outcomes tomorrow (back to work, school, etc).
:(
Sure, people need lives (e.g., vacation, time off, etc.). Just reimburse those later on (if not, then the employer isn't good). They really need to get this fixed, tested, and released ASAP. So far, MS is not doing a good job, as usual.
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
Don't be deceived by the headline! To see how ugly this beast really is, take a look at Ross Anderson's excellent TC FAQ http://www.cl.cam.ac.uk/~rja14/tcpa-faq.html. It's the best investment you can make (20 minutes) to get informed on computer ethics, and now is the time to be informed.
I just wanted to point out that I hate Slashdot.
:P
Why?
Because we have our first real new oxymoron of this century, and I can't help but laugh every time I see it. In fact I nearly snorted milk through my nose this morning.
Trustworthy Computing. Pfft.
Karma: Chameleon (mostly due to the fact that you come and go).
I don't know who's more of an idiot -- the submitter or the "editor" who accepted this turd of an article summary.
Fun with Anagarams! LADS HOST, SHALT DOS. HAS DOLTS. AD SLOTHS, HATS SOLD. ASS HO, LTD.
Erg. in the post above, "pr0n" should read "pr0n^H^H^H^H" ... why the hell does /. disable strikethrough??
I know the title was meant partially as a joke. However this is exactly the kind of thing you _COULD_NOT_ do if a computer was enabled with trustworthy computing. You could never apply a patch from an "untrusted/third party" source.
Because Microsoft checks the header for every image file and treats it as WMF if the header matches, all jpegs, gifs, and pngs are potential vectors for the disease.
Deja vu... wasn't this the basis behind the vulnerability a couple of years back, caused by the integration of the browser into the OS?
Something like sending EXEs with text headers, so that the browser saw the text part and regarded it as safe, blindly passing it to the file handling engine (whatever it's called) which looked at the EXE extension and executed it. After all, the browser would have flagged it if it were dangerous, right? :-/
Can't find examples of evolution? No matter, neither could Dawkins
Anyone who "trusts" the likes of Microsoft running their computer deserves all they get, quite frankly.
according to Microsoft
That sounds like they must have some kind of patch out there, or are they hoping to get more users "hooked" on OneCare? Otherwise, this statement doesn't make sense:
Maybe I'm being picky, but I think all their customers have a quite urgent need, right now! Written from the sublime security of Fedora Core, thanks.
I think I know English pretty good. And my brain filters out even the worst spelling errors such that I know what they mean when they say 'Volunerability'. But I really can't make heads or tails of this 'sentence', if you can call it that. WTF does this mean?
why the hell does /. disable strikethrough??
Imagine fifty posts per story, completely in strikethrough. That's why it's disabled.
So far so good, and isn't this what the RESTORE function of Windows is about. Better safe than sorry, IMO. Bruce
I don't understand the elevated fear that this unofficial patch may cause some problem in the future, compared to the certainty that doing nothing will, or to the certainty that some MS official fixes cause problems of their own.
Yes, there is a likelihood this could break something down the road, just as de-registering shimgvw.dll might cause some other problem - probably with in-house apps later on too. That's pretty much the nature of security though, isn't it?
You are mistaken. If you look at the 8086 (and 8088) design you'll see the segment registers which could be used to separate data from code memory. I believe the current x86 processors still retain these registers. Of course, using memory segments was a pain and the OS designers (probably pressured by application developers) stopped using them in preference to the flat memory model.
To say the Intel designers didn't know about HW protection is incorrect.
The assertion that packet filtering firewalls cannot block this attack is just plain wrong. For instance, Check Point, and probably other firewall manufacturers, had a block for this attack back in April of 04. Firewalls aren't just the freeware open source flavor of the month gang. Some corporations actually buy more advanced tools that have features beyond blocking a given port.
Reference: http://www.checkpoint.com/defense/advisories/public/2005/cpai-28-Dec.html
news for nerds, stuff that matters? this 'trusted computing' article was posted in the late afternoon yesterday. THEN it was news. now it's too late. there are thousands of compromised systems per hour now. I've already logged a dozen infected machines on our intranet.
Windows is to blame yet again for a ridiculous infection vector. Microsoft have a fix for this - their nice new shiny OneCare system. lets not blame THEM for the crap code in the first place, eh? Sure, many of you will go on about the cost of moving several hundred machines to Linux... but you'll bear the brunt of this cost incident...and again and again. learn now folks! just make that damn move. you'll be moving to Vista otherwise. and that will come with new waves of pain.
as for AV. the payload and structure can change. AV isn't effective for this. the unofficial patch is reasonable (thanks for the sourcecode) but it's a situation that shouldn't have occurred in the first place. did they not do a full code audit on the whole GDI and WMF stuff after the summer fun and games? no. they were coding OneCare bits and pieces and planning the Vista subscription model.
And quit yanking chains.
"They want you to trust that the unofficial patch for the Windows Metafile Volunerability that is currently being exploited by an IM worm."
They want us to trust that the patch does what? eat my pc?
80 CC D8 AF AE D3 AB 54 B7 2E CE 67 C7
What's evil about this one is not that someone could lure you to a rigged special website but that they can reach out and get you. For example, they can just take out a banner ad from DoubleClick and have this rigged jpeg displayed on tens of millions of computers. Or they could post it as a picture on Flickr and hope it gets into the rotation for a picture of the day. Get it into Google Images. Post it on a bulletin board that allows thumbnail jpegs. Lots of ways to get the code onto trusted web sites.
I have patched all my clients by hand; the patch requires user interaction via two or three manual mouse clicks. [It also requires a reboot, BTW.]
Has anyone automated the thing so that it can be pushed to hundreds [or thousands] of clients via something like Novell Zenworks, Microsoft SMS Server, or IBM Tivoli?
I know that e.g. Zenworks has a "diff" mechanism that will isolate a "before/after" differential, but that's a lot of work, and frankly it's a little bit of a kludge [no offense to Novell].
I wonder if anyone is going to be able to patch Win98 against this? There are still a lot of machines and this vulnerability could make them essentially useless and force an upgrade. While we would all love for them to upgrade to Linux or OS X it is more likely that they will shell out for WinXP and MS will benefit from a windfall of sales as a result of their inept programming. If someone produced a workable patch this would at least allow people to keep using their computers without pouring more money down the MS bottomless pit.
"I have the attention span of a strobe lit goldfish, please get to the point quickly!"
I suppose everyone is thinking that "Volunerability" is a misspelled word. In actuality, it is a portmanteau word, as those used in the Jabberwocky. I am going to use this from now on to describe bugs and holes in Windows.
Volume + Vulnerability = Volunerability
lovely! Snicker Snack!
THAT DOES NOT WORK.
Read the ISC posts re the DLL re-registering. Opening the WMFs in certain apps will cause them to re-register the DLL, open the file, and infect you. See the Lotus Notes updates for an example of such an app.
In some DRM scenarios, the TPM chip is also used to prove to your software that the OS has not been modified. Unless you have the skills to hack that software, your bought and paid for TPM programs may refuse to work any longer.
;)
A much tougher case would be the "rely on others" programs where you have to prove to an external instance that your system has not been hacked. Take the "death to game cheaters" implementations as an example:
Want to fix your vulnerable Windows with a non-official patch?
World Of Warcraft II won't let you play anymore
I also don't believe this is temporary. Except in the sense that TPM might be (hopefully!) a colossal failure in the market. And considering the current vulnerability, this looks like more than a slight theoretical risk to me.
C - the footgun of programming languages
I'm trying to figure out why the people who designed this architecture didn't realize that putting this level of functionality down at the OS was NOT a good idea. This shouldn't be used as a justification for "Trusted Computing," it should be used as a prime example of what happens when one vendor decides to tightly couple all manner of functionality with its OS. I realize they might not have seen this when the WMF format was implemented, but the reason for implementing it this way most likely had something to do with Microsoft's monopolistic mindset.
It seems to me that the client should be responsible for ALL failures of this nature- what would have been so difficult about simply returning a result code?
Use border firewalls to rewrite the first few bytes of all files matching the magic number for WMF. That number is 9AC6CDD7h, according to MS http://www.fileformat.info/format/wmf/egff.htm. If the WMF recognition is based entirely on magic, then damaging the file and changing the extension should block recognition and therefore processing. Don't have control of a firewall to test it myself, sorry. -JD
They want you to trust that the unofficial patch for the Windows Metafile Volunerability that is currently being exploited by an IM worm.
Hey, what is that supposed to mean? I suppose the above should be
They want you to trust their unofficial patch for the Windows Metafile Volunerability that is currently being exploited by an IM worm.
Since my first language is Italian (which comes from Latin, and is quite picky about sentence construction), it took me quite some time to understand; I suppose that the above was not a problem for Anglo-Saxon people, since nobody seemed to notice....
...to do what they do best. Which is why I use a different OS and suggest others do so as well.
What does Microsoft do best? Why, get the money out of the pockets of suckers, of course.
Suckers.
Cheers!
Everything in the Universe sucks: It's the law!
Just don't use MS products on the internet, that includes MSN, IE and Outlook.
Who logs in to gdm? Not I, said the duck.
The best description I've found of the WMF format is here. Based on this information, it looks as if a filter can look at the first four bytes of a file and identify it as a WMF document with very few false positives.
Doing this with discrete files might not be too bad. Applying this check to every part of a MIME document, or to various compressed file formats, could get very painful.
From my PoV, this is ignoring the damage that will be done by those infected machines whilst they are infected, *and* the risk that some local (or remote) Dr Evil types will use stealth custom exploits to own vital bits of our infrastructure, install backdoors, then clean up after themselves. When the a/v detects come on-stream, the backdoored machines will turn up clean (not that we'd do anything to them if it reported infections, on all but the absolutely most sensitive machines... in fact, even those wouldn't be touched, as the "asset owners" (it's that kind of corp) will say that they can't afford the downtime, and are paranoid about something breaking during a rebuild...
Sometimes I wonder why I bother. Sometimes... in the long dark 3am of my soul... the thought crosses my mind that a really evil exploit that visibly damages a company would be a good thing, "pour encourager les autres". Sometimes... when it gets really bad... I think that they might be right - that the cost of fixing this outweighs the cost of any damage - any visible damage, anyway.
There seems to be a lot of confusion in this thread regarding these two terms. It isn't that surprising, since they are both purposely misleading, but still.
// oskar
"Trustworthy computing" is Microsoft's bullshit name for their so-called initiative to start taking security seriously. It was under this banner that Bill sent all his coders to secure coding seminars so they could learn what a buffer overflow is. The article is ironic in its title: that Microsoft have failed to find such a glaring issue as a native image format that purposely allows images to execute arbitrary code, and that they have not offered a patch even now when exploits have been in the wild for almost a week, shows how trustworthy they really are.
"Trusted computing", on the other hand, is the bullshit name for a nefarious scheme involving hardware and software whereby control over PCs should be taken out of the hands of their owners, and given to the software and hardware vendors. This is sometimes claimed to be about security, but is actually motivated by DRM and DRM only (the name is short for "Trusted Client Computing" and comes from the ability of DRM vendors to trust that your computer, the client, will obey their directions).
The people pushing "trusted computing" are actually not so much Microsoft as Intel and IBM: Microsoft completely support the concept of trying to put the freely programmable computer back in the bottle, but they have had their own ideas about implementation (their version was first called "Palladium", but when they realized that it is bad to have a recognizable name for something customers actually don't want it was renamed "Next Generation Secure Computing Base" and after that it was renamed to nothing at all so they can be snuck into the coming versions of Windows without people noticing.)
I still wait for someone to make a Frist Psot with a Beowulf cluster of exploit img tags. That ought to change those browser statistics.
Subject says it all.
The WMF file is really a list of Windows drawing functions to call, along with their parameters.
Guess what else uses this.
There are in-memory and on-disk WMF files. Some are used by apps for repainting the screen. Some are used by apps for printing; Windows printing is based on the WMF. You want error handling with printing, right?
Now, I'm not saying how to fix this unless Microsoft shares some cold hard cash with me, but there are reasonable solutions. It's just not as simple as patching out the feature.
It was, though not by MS. The Hexblog hotfix is 200 lines of code (he includes the source), including comments.
But did you (or the OP) check whether the sourcecode matches the binary patch?
Did you audit the sourcecode for security leaks which might have been maliciously inserted?
I'm still trying to figure out what people mean by 'social skills' here.
Some wikis probably don't check file content.
Wikipedia tries to block stuff like this, but I don't think it is all that reliable. They just use the UNIX file command to see if a file matches the file extension.
WMF files start with 0x01 0x00, and are unrecognized by the file command.
JPEG starts with 0xff, so that won't do. Well, there are other formats to try.
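The posts above about checking file content rather than the extension (the wiki/file-command post just above), about a border filter keying on the WMF magic number 9AC6CDD7h, and about IE sniffing content instead of honouring the declared type all come down to the same check: look at the leading bytes and compare them with what the name claims. The following is an added example, not code from the thread, ISC or any of the posters. It assumes the placeable WMF key 0x9AC6CDD7 is stored little-endian on disk (bytes D7 CD C6 9A) and that a standard WMF starts with the META_HEADER type field (1 or 2) followed by a header size of 9 words, which is why the thread says such files "start with 0x01 0x00"; the sample blobs are constructed here, and the function names are mine.

```python
"""Flag image uploads whose content is a Windows Metafile regardless of the
name or declared type they arrive under. Added example; the samples below are
constructed, not captured from the worm or the thread."""
from typing import Dict, Tuple

# Placeable (Aldus) WMF key 0x9AC6CDD7, little-endian on disk (assumption: MS-WMF spec).
PLACEABLE_WMF_KEY = bytes.fromhex("d7cdc69a")
# Standard META_HEADER: Type (0x0001 memory, 0x0002 disk) then HeaderSize 0x0009.
STANDARD_WMF_PREFIXES = (b"\x01\x00\x09\x00", b"\x02\x00\x09\x00")

# Magic numbers of the raster formats the thread worries about.
RASTER_MAGIC = {
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
EXT_TO_TYPE = {".wmf": "wmf", ".emf": "emf", ".jpg": "jpeg", ".jpeg": "jpeg",
               ".png": "png", ".gif": "gif"}


def looks_like_wmf(data: bytes) -> bool:
    """True if the first four bytes match either WMF header form."""
    head = data[:4]
    return head == PLACEABLE_WMF_KEY or head in STANDARD_WMF_PREFIXES


def sniff_type(data: bytes) -> str:
    """Classify a blob by its leading bytes: 'wmf', 'jpeg', 'png', 'gif' or 'unknown'."""
    if looks_like_wmf(data):
        return "wmf"
    for name, magics in RASTER_MAGIC.items():
        if any(data.startswith(m) for m in magics):
            return name
    return "unknown"


def declared_type(filename: str) -> str:
    """What the file extension claims the content is ('unknown' if unmapped)."""
    dot = filename.rfind(".")
    return EXT_TO_TYPE.get(filename[dot:].lower(), "unknown") if dot >= 0 else "unknown"


def check_file(filename: str, data: bytes) -> Tuple[bool, str]:
    """Accept only when the sniffed content is a known raster format that agrees
    with the extension; any WMF content is refused no matter what it is called,
    because a sniffing viewer will render it as WMF anyway."""
    sniffed = sniff_type(data)
    claimed = declared_type(filename)
    if sniffed == "wmf":
        return False, f"{filename}: content is WMF (named as {claimed})"
    if sniffed == "unknown":
        return False, f"{filename}: unrecognised content, refusing to guess"
    if sniffed != claimed:
        return False, f"{filename}: extension says {claimed}, content is {sniffed}"
    return True, f"{filename}: {sniffed} ok"


def scan(files: Dict[str, bytes]) -> Dict[str, bool]:
    """Run check_file over a batch and return filename -> accepted."""
    return {name: check_file(name, blob)[0] for name, blob in files.items()}


# Constructed sample uploads (headers only; no drawing records follow).
SAMPLES = {
    "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 12,          # genuine JPEG header
    "banner.jpg": PLACEABLE_WMF_KEY + b"\x00" * 18,             # WMF wearing a .jpg name
    "chart.wmf": b"\x01\x00\x09\x00\x00\x03" + b"\x00" * 10,    # standard WMF, honest name
    "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,             # genuine PNG header
    "notes.gif": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,            # PNG content, .gif name
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(check_file(name, blob)[1])
```

The point of refusing "unknown" rather than passing it through is the one the HTTP 1.1 post makes: if the consumer is known to sniff, a filter that only inspects files it already recognises as WMF leaves the unlabelled remainder for the viewer to guess at. Checking the extension against the content also catches the cheap disguise (WMF bytes under a .jpg name) that an extension-only wiki check would miss.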
What the fuck are you on pal?
Can I have some????
i mean, did you actually compile the firmware for them?
who knows what could have happened between the factory development machine and best buy
NOT!
In Opera, I can toggle "show images". If I set that to show no images, can I assume that is an effective workaround? Drawbacks are, it won't help with images embedded in files, and it breaks a lot of websites (some label their buttons, others just say 'image'). I wonder if Lynx runs under XP?
F-Secure has more on it: http://www.f-secure.com/weblog/#00000761
Windows Metafiles are a file representation of drawing commands. They are more flexible than bitmaps and get used quite a lot in things like caching images of every OLE object embedded inside an MS Word or PowerPoint document. There just happens to be one operation to set a callback when printing aborts which can be saved to a WMF file, which, when followed by something to abort the rendering, lets you jump to the nominated location.
This back door is built into Windows from version 3.0 onwards. Any app that displays WMF images from untrusted sources (Lotus Notes, maybe MS Word, even Google Desktop Search) is vulnerable. This is potentially code red for the desktop.
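As an added detection example (not code from the thread, the hotfix, or any vendor mentioned here), a small Python scanner that walks the record list of a WMF file and flags the escape record that registers the abort callback described above; the two WMF blobs are constructed fixtures with no payload, and the record and escape codes are the ones defined for the format.

```python
import struct

# Record-function and escape codes as defined for the WMF format
META_EOF = 0x0000
META_ESCAPE = 0x0626
META_SETMAPMODE = 0x0103
SETABORTPROC = 0x0009          # escape sub-function that registers a callback
PLACEABLE_KEY = 0x9AC6CDD7     # magic of the optional 22-byte placeable header


def parse_wmf_records(data):
    """Yield (offset, function, params) for each record of a WMF byte string.

    Raises ValueError on anything that is not a structurally sane metafile,
    which for a scanner is itself a reason to reject the file.
    """
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22  # skip the placeable (Aldus) header
    if len(data) < off + 18:
        raise ValueError("too short for a metafile header")
    mf_type, hdr_words = struct.unpack_from("<HH", data, off)
    if mf_type not in (1, 2) or hdr_words != 9:
        raise ValueError("not a WMF header")
    off += 18
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        size = size_words * 2  # record size is stored in 16-bit words
        if size < 6 or off + size > len(data):
            raise ValueError("bad record size at offset %d" % off)
        yield off, func, data[off + 6:off + size]
        if func == META_EOF:
            return
        off += size
    raise ValueError("no META_EOF record")


def find_abortproc_escapes(data):
    """Return [(offset, escape_byte_count)] for every SETABORTPROC escape."""
    hits = []
    for off, func, params in parse_wmf_records(data):
        if func == META_ESCAPE and len(params) >= 4:
            esc_func, byte_count = struct.unpack_from("<HH", params, 0)
            if esc_func == SETABORTPROC:
                hits.append((off, byte_count))
    return hits


# --- constructed samples (test fixtures, not files from the wild) ---
def _record(func, params=b""):
    body = struct.pack("<H", func) + params
    return struct.pack("<I", (4 + len(body)) // 2) + body


def _wmf(records):
    total = 18 + sum(len(r) for r in records)
    largest = max(len(r) for r in records)
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, total // 2, 0, largest // 2, 0)
    return header + b"".join(records)


BENIGN = _wmf([_record(META_SETMAPMODE, struct.pack("<H", 8)), _record(META_EOF)])
SUSPECT = _wmf([_record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + bytes(4)),
                _record(META_EOF)])
SUSPECT_PLACEABLE = struct.pack("<I", PLACEABLE_KEY) + bytes(18) + SUSPECT

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, find_abortproc_escapes(blob))
```

Because the escape can sit anywhere in the record list, a scanner has to see the whole file, which is the same reason the thread's Snort rule needs the request body beyond the first 300 bytes.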
I have the patch on all my systems; the author works for IDA, the debugger tool, and is well respected. I don't care whether IT central will push it out or not; I think they ought to before the back to work/school event causes major worm attacks using it. It will be pretty embarrassing for Microsoft though - a third-party emergency fix for Windows, in the same year that Vista, "Windows Secured", is due to ship.
I have the December beta on VMware; I need a safe version of the exploit to test it. I bet all Vista does is stop the third-party hotfix from working.
Listen up "ciroKnight" you hopeless, mother-fucking retard.
You clearly know N O T H I N G about large-scale, enterprise computing, so please fuck off and die (painfully, slowly and quietly, if possible) please.
Get ye gone!
As a long-time Linux advocate, I must admit to a little Schadenfreude in the latest WMF exploit, however as a responsible member of the security community, I think we have to take this problem very seriously.
Whilst Microsoft may indeed publish an official patch in the next few days, they have no way to push it out to all the vulnerable systems. Savvy admins may have already applied the unofficial patch, and kudos to them.
However, the biggest problem is the great masses of unpatched systems that will never receive an official or unofficial patch. For them, I am afraid the only solution is a fix which exploits the vulnerability to patch the system automatically. If this is not done, it will exacerbate the problem of DDOS botnets and Spam relays, making life even worse for the rest of us.
Experienced security people will recall this has been done before. I suspect this may be the only way to patch enough of the vulnerable systems that won't be protected either by Microsoft's efforts or those of a competent admin. Any takers?
Paul Gillingwater
MBA, CISSP, CISM
Win31, still 16 bit, used the Intel segments to manage memory. You had to alloc separate code and data segments, and use an API call, PrestoChangoSelector, to flip it. The segments were only 64K and special 'huge' pointers were needed to do the proper arithmetic on a set of sequentially allocated segments.
That went away in 32 bit mode, because 32 bits was all we needed, and because 'flat' is simpler to work with. And because security in winnt was about untrusted users on trusted 'enterprise' systems, not trusted users with untrusted data.
I built my own release.
The code is only 200 lines, and is primarily patching logic with a switch in there. The biggest risk is that it patches the wrong place and doesn't provide protection, the next that it doesn't uninstall. Those are hard to test.
it cannot be detected by most intrusion detection systems (the snort rule will peg the CPU on your router) nor filtered by packet-inspecting firewalls (it spans two or more ethernet frames).
You *can* run 2 instances of snort in-line to get around this CPU-pegging issue.
Not really a whole lot of choice about this one.
There is always choice - have you considered a defense-in-depth multi-layered approach? I'm taking the following steps:
1. unregister the ms pic and fax viewer dll
2. make WMF file extension default to an erroneous app like notepad
3. turn DEP up a notch
4. turn off downloads in IE if you must use it (set default security settings to HIGH)
5. block all WMF files at the perimeter
6. keep antivirus up to date and consider frequent manual updates and scans of key machines
These things in combo with being vigilant over the next few days should keep you and your corporate networks safe. There are even MSI versions of the patch for mass distribution.
Horns are really just a broken halo.
I'm the author of the hotfix and one could expect me to say 'yes, please go ahead and install it on your corporate network with thousands of machines'.
But I won't say that.
First of all deploying any software on a large network is a serious task. It should be carefully planned and performed with the correct (read: responsible) approach.
The hotfix must be tested on as many machines as possible. Possible negative consequences must be determined and decided upon if they are acceptable or not.
In short, more rigorous testing is required.
-------
Ilfak Guilfanov, the author of the hotfix
I've removed:
:) |scroll lock||scroll lock| (KVM)
ActiveX for streaming video
AOL ART Image Format Support
Intel Indeo codecs
Media Center
MIDI audio support
Movie Maker
Old CDPlayer and Sound Recorder
Speech Support
Windows Media Player
Windows Media Player 6.4
Client for Netware Networks
FrontPage Extensions
Internet Connection Wizard
Internet Explorer
Internet Explorer Core
IP Conferencing
MSN Explorer
Netmeeting
Outlook Express
Vector Graphics Rendering (VML)
Windows Messenger
Desktop Cleanup Wizard
Framework
Help
Out of Box Experience (OOBE)
Shell Media Handler
Tour
Web View
Zip Folders
Fax Services
Imapi
Indexing Service
System Restore
(nliteos.com)
AND I AM STILL VULNERABLE!???
Perhaps I should switch to Linux.
We noticed. It's just that comments about grammar get modded down. Apparently, grammar is of little concern here. Unfortunate for us all.
The AC is correct: Internet Explorer will look at up to 256 bytes of each data stream returned (images, html, etc.) and attempt to "guess" the MIME type.
An interesting fix for this problem: rather than having your hardware router/firewall sniff all the packets, you could write a pluggable MIME filter registered to ALL image types on your PC (Google it for more info; I've done a lot of research on MIME filters and Asynchronous Pluggable Protocols for IE, but I'm too lazy to dig it all up right now). If the MIME filter examines the returned image data stream and sees evidence of the WMF exploit, trash the stream and substitute your own image (maybe a JPEG of a skull and crossbones). If registered as a permanent MIME filter it would have the benefit of blocking the exploit in anything that uses IE as a rendering engine, which includes many e-mail applications (Outlook!) and some IM apps.
I looked at doing this myself, but dropped it assuming MS would have created a fix by now. Maybe I should start working on it again....
Urge to post... fading... fading... RISING!... fading... fading... gone.
I was wondering how many people are out there who have their compilers set up and ready to compile it, seems there are quite a few.
TFReadMe text on the patch states that it is suitable for 2000/XP/2003, but it says nothing about Windows 98 or prior. The vulnerability affects prior versions of Windows, including those outside of active product support by Microsoft. Has anyone tested the patch on Windows 98 or 95 for NT4? If so, what have been your results? I maintain a rather large number of legacy systems here (for regular people, not for a company) still running 98SE, and I'd like to be able to protect them without forcing them to switch to 2000 (XP has a heck of a time on a P233 with 64MB, which is often the best these people can afford). Even the workaround doesn't seem to work right in 98... is there even a regsvr32 command in that?
Stasis is death. Embrace change.
...several thousand times already: Thanks for the patch!
Since when is Snort installed on routers?
In an interview with an anonymous MiroScoft employee, it has been reported that MS has found a working fix!
"We've all turned off our computers, and are sitting on our hands. This has effectively blocked all intrusion attempts."
When asked when the fix would be distributed, he replied:
"Once the threat has passed, it will be safe for us to turn our computers back on and email everyone with instructions for turning their computers off and sitting on their hands. Until that time comes, we're asking everyone to be patient."
The checkpoint page you point to just lists this as a vulnerability and gives a password protected link to "FULL ADVISORY and SOLUTION" (caps theirs). Since I don't have a checkpoint login, I have no clue as to what they are saying. I therefore have no reason whatever to believe that they have anything to offer.
Read it carefully - "you are protected from KNOWN MALWARE" that uses the vulnerability. Ie: standard AV response. They haven't fixed the flaw, but they are rolling out signatures to protect against known malware as and when it pops up.
As someone said previously, this only shows the biggest mistake ever made by Microsoft on their product: to make everything, abso-fucking-tely everything executable.
I do not want a patch that is untested and could cause even more hell. You really think they could have created a patch and tested it well enough to be deployed on 200+ million machines connected to Windows Update, and not have any bad effects on other apps?
If you look at the patches released by others, they also say it might break applications, and you might have problems with it, etc. I do not think MS has that option while creating a patch.
Microsoft accepted there was a flaw, posted information about it, told you about workarounds. If you want to be protected, just turn on DEP on all applications. Want to do it on multiple machines? Use scripts to edit boot.ini and add /NoExecute=OptOut to the options, and kick in a restart. At least that is a better thing to do than trust a random untested patch.
Users of PivX PreEmpt have been protected from all vectors of WMF exploits (and others) since December 7th. You can buy a 3-pack for $60 at pivx.com
The reason for this is that there is an HTTP module in Snort which only captures the first 300 bytes of the request for (what I assume to be) speed reasons.
In order to detect this exploit, you have to disable this module. Not too bad, unless your IDS is watching thousands upon thousands of requests, in which case checking the full requests can easily take a lot of CPU power.
Last I heard the recommended action was to run one instance of Snort with all our normal rules and this module enabled, and one with only the WMF rule and the module disabled.
ND
This statement is forty-five characters long.
I unregistered and renamed the shimgvw DLL and turned Windoze Restore off, so it can't be re-registered. However, the real culprit gdi32 DLL is too important to be deregistered and some applications call that one directly.
Oh well, what the hell...
Yes, Wine appears to be vulnerable. I don't know of any web page with an example WMF file where you can easily test it, but in principle, the necessary WMF support is present in Wine.
I will grant that this will stop "many" types of cheats. It will still be useless because the cheaters will adopt the remainder: proxy aimbots and the like.
You seem to be ignoring - willfully or not - that the fundamental model of trusting MS is broken. Making that model more severe by forcing trust compounds the brokenness. It Has Been Shown that MS will be late with patches. It Has Been Shown that they are not proficient at security and will remain so until the market penalties are severe. What is the point of requiring official binaries when the binaries are going to be broken for weeks at a time? The net WILL be flooded with spam by those who RELIED on the official binaries. You have it so amazingly backward I wonder if you previewed the post.
MS blew it. They have added to their terrible reputation and I'm just not interested anymore.
There's also an outlook to your position I find frankly weird: that there is an official source of goodness. The "right" and correct version of the DLL to run at this time is clearly the unofficial patch. The right version of a file to run in the future is going to be the one that reduces your chances of being 0wn3d, not the one with the pedigree. This is "duh" territory.
Microsoft says Windows 98 is vulnerable. They say nothing about older releases, which are unsupported now.
The WMF feature was part of Windows 3.0 back in 1990. What do you think?
Fortunately for such users, a 720 kB floppy or Netware network is probably required for infection. Modern exploits are going to rely on modern OS features too. Windows 3.0 isn't about to run a Windows XP rootkit that probably expects TCP/IP and the existence of an Administrator account.
This is probably the biggest vulnerability ever in terms of the sheer number of vulnerable machines.
Trusted computing, Trustworthy computing, yada yada, back to the headline here. Unless you can recall the last three times the Internet Storm Center explicitly asked for your trust and then abused it?! You might want to grab this temporary patch and thank Ilfak Guilfanov for writing it and SANS for vetting and distributing it quickly and efficiently. "We have very carefully scrutinized this patch. It does only what is advertised, it is reversible, and, in our opinion, it is both safe and effective." ...yeah, we've ALL heard that from the ISC a lot, NOT.
I'm calling bullshit. You can't have set up your windows systems securely and still be able to use them. It's one of those easy proofs. If the user can load a .wmf, the user's computer is not secure. If you haven't spent the holiday working on it, it's because you've made the decision not to care.
This could be a struggling real estate business. The poster could be a realtor. If a real IT professional is hired, the place goes bankrupt.
Got it now?
Alternately, this could be: the vet's office, a small independent hotel, an eye doctor's office, a mom-and-pop restaurant, a car dealer, a large hair salon, a childcare center, a Christmas tree farm...
Whatever it is, hiring somebody extra might break the budget.
wehntrust is free for home use: http://wehntrust.com/ (be sure to read the faq under "support")
Also demonstrated at blackhat: Ozone HIPS: Unbreakable Windows
Here's the faq: http://www.securityarchitects.com/faqs.html
If you want to see to believe, grab some archived malware at http://www.offensivecomputing.net/ (free login to use the archives), make some windows VMs and take snapshots/archive them, attack them with the threat du jour with and without a hips installed. Note results.
Enjoy.
http://www.lafkon.net/tc/trusted-computing.torrent
"Persistence is annoying success." - ghee22 11:28:1999 - 10:53:PM
Someone releases a wmf exploit which is designed to install the hexblog wmf fix? It seems logical enough.
Since this latest Microsoft hole exists way back to 1990 on all versions of Windows and that MS helped build OS/2 way back when, does this problem affect OS/2 at all???
turn off downloads in IE if you must use it (set default security settings to HIGH)
I tried this using the straightforward, widely recommended procedure, but when I try it again it is still on MEDIUM, even after reboot. This is a year-old XP laptop.
I've done a bit of searching but can't find any mention of this problem.
I suppose I should just tell my wife not to use her machine until further notice.
Last night I spent four hours trying to clean a friend's computer; he had opened an e-mail carelessly. One hour was for bitching at him and making him feel very sorry.
:)
The last three hours were spent trying to fix the problem, using free antivirus scanners, online free antivirus checks, free spyware removal, patches and fixes given away for free on the internet.
See a pattern here? No commercial antivirus was able to detect the problem. I had to install (and then remove, anyway) software that was built and given away for free to fix it.
Windows XP was "genuine", but this won't help solve the problem. I'm still asking myself why pay for an operating system with such problems, but more than that why should we give money to a corporation that is bashing GNU/Linux and free software as a cancer and still depends on it to fix its own troubles.
Oh, yes, I suggested a Mac to him. At least he will pay for something more usable. Otherwise, he'd have to pay me to install and set up a Linux box. Unfortunately, there's no free lunch any more.
-- There are two kind of sysadmins: Paranoids and Losers. (adapted from D. Bach)
which was hooked up to a 300 baud BellNorthern modem (that puppy CO$T big time but the university could afford it.)
It wasn't being used as much more than a glass teletype and emails were the only distribution method (this was way before the web) but it was still possible to trash someone's computer with a virus.
Microsoft definitely does not get a pass on this.
The problems and the solutions existed before Microsoft ever ripped off Dartmouth for their BASIC interpreter.
Microsoft has always been just bad. Bad for everything. Bad for every body.
Wake up!
Bill Gates took $100,000,000,000 out of YOUR pockets with illegal, anti-trust double dealing. Flat out theft of YOUR money.
And you're wondering why you're stuck with crap? God! How naive.
MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.
Basically, it exposed the entire system (because it had no idea of root and user accounts) to any two-part malware.
One part delivered the .exe from somewhere somehow (any method could do since the 'payload' would be made to lie dormant) and the other part could be something which could pass undetected through the filters since it was purposefully flawed but not malformed.
Making ActiveX components from VB ensured that the payload would run correctly when activated. It might be self destructive or it might be spyware. Either way, you're screwed.
On Tuesday, December 27, 2005, Microsoft became aware of public reports of malicious attacks on some customers involving a previously unknown security vulnerability in the Windows Meta File (WMF) code area in the Windows platform. http://www.microsoft.com/technet/security/advisor
all Microsoft's security updates must pass a series of quality tests, including testing by third parties, to assure customers that they can be deployed effectively in all languages and for all versions of the Windows platform with minimum down time
Microsoft encourages users to exercise caution when they open e-mail and links in e-mail from untrusted sources.
An attacker who successfully exploited this vulnerability could only gain the same user rights as the local user
Advisory Status: Issue Confirmed, Security Update Planned
If common sense were common everyone would have it.
There is no version of MS anything that will read the disk upon insertion. You have to click the drive in modern Windows versions, or poll the drive with 'dir' or some other function in older versions. The Mac, on the other hand, reads the disk immediately (usually to check for the file system type), which does represent a bigger hole with floppies than with Windows-based machines.
You are completely mistaken, unless you are defining "disk" as "only floppy disks, specifically excluding CD, DVD, removable USB media, Zip drives, LS-120, etc." Why you would do that baffles me, since floppy disks are as dead as Betamax these days.
Mac OS 9 and X DO mount all drives when they are connected or when a removable disk is inserted. MOUNT.
Mac OS 9 and X DO NOT execute anything from any disk upon insertion, EVER. They mount the disk.
Windows 95 and up have a "feature," on by default unless you edit the registry or use TweakUI or a similar utility, or hunt through various obscure Windows dialogs, which upon connecting of hard drives, or insertion of removable discs besides floppies:
A: Mount the filesystem.
B: Check for the existence of autorun.inf in the drive root;
C: Assign any icon given in autorun.inf to the drive in Explorer;
D: Execute any programs, from the disc or elsewhere, requested by autorun.inf.
Google for "autorun.inf" if you want more details on how to use this.
This is probably the behavior the grandparent was referring to.
Floppies are probably only excluded from autorun.inf because the cheap bargain-basement 3.5" floppy drives in all Windows PCs since the beginning of time are incapable of notifying the OS when a disk has been inserted. The OS would have to poll constantly to automatically mount the disk. These drives also do not have a motor to eject the disc when the OS is finished with it. Contrast this with the floppy drives in every floppy-bearing Mac since the beginning--they had both software eject AND OS notification of disk insertion.
A less likely explanation for why MS didn't enable this behavior for floppies might have (surprisingly) been security--in 1995, a CD was something you bought from a large company, which wouldn't let a virus get onto it, while a floppy was what you constantly used to transport all your data. A smart virus, any fool can see, would have exploited the autorun.inf to infect any floppies you used, and the first time the drive was accessed they would execute. Obviously now things are different, but it is still much harder for a virus to infect Write-once media, especially since most burned CDs are burned by a user's choice of burning software. USB keys, however, would be a good attack vector, especially for a deliberate malware-spreader. I use autorun.inf on my USB key to apply a custom icon (a photo of my USB key). Makes for easy recognition in "My Computer" when on someone else's machine with 5 other drives on it.
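An added example, not from the thread: a small Python audit of an autorun.inf that separates the keys Explorer only displays (icon, label, steps A to C above) from the ones that launch a program on insertion (open, shellexecute, shell\verb\command, step D); both .inf texts are constructed samples.

```python
# Standard AutoRun keys: cosmetic ones are displayed, exec ones are launched.
COSMETIC_KEYS = {"icon", "label"}
EXEC_KEYS = {"open", "shellexecute"}


def parse_autorun(text):
    """Return {section: {key: value}} for an autorun.inf, names lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
            continue
        if "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def audit_autorun(text):
    """Report what Explorer would run on insertion and what it only displays."""
    auto = parse_autorun(text).get("autorun", {})
    report = {"executes": [], "cosmetic": {}, "default_verb": auto.get("shell")}
    for key, value in auto.items():
        if key in EXEC_KEYS:
            report["executes"].append((key, value))
        elif key.startswith("shell\\") and key.endswith("\\command"):
            report["executes"].append((key, value))  # custom context-menu verb
        elif key in COSMETIC_KEYS:
            report["cosmetic"][key] = value
    return report


# Constructed sample: the icon-only use described in the comment above.
ICON_ONLY = """\
[autorun]
icon=photo.ico
label=My USB Key
"""

# Constructed sample: a disc that launches a program on insertion.
RUNS_PROGRAM = """\
[AutoRun]
; launches an installer and adds a context-menu verb
open=setup.exe /s
shell\\install\\command=tools\\helper.exe
shell=install
icon=disc.ico
"""

if __name__ == "__main__":
    for name, inf in (("icon-only", ICON_ONLY), ("runs-program", RUNS_PROGRAM)):
        print(name, audit_autorun(inf))
```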