Trustworthy Computing

Anonymous Coward writes "This is a first: the Internet Storm Center is recommending trustworthy computing. They want you to trust that the unofficial patch for the Windows Metafile Volunerability that is currently being exploited by an IM worm. No patch from Microsoft at this time, and the exploit is arranged in such a manner that it cannot be detected by most intrusion detection systems (the snort rule will peg the CPU on your router) nor filtered by packet-inspecting firewalls (it spans two or more ethernet frames). Not really a whole lot of choice about this one."

Some won't

[SavoWood]

As it says in the article, some people in the corporate world won't do it if the patch didn't come from MS. It's sad, really. If I had an exploitable machine around, I would trust their patch.

Re:Some won't

[Professor_UNIX]

As it says in the article, some people in the corporate world won't do it if the patch didn't come from MS. It's sad, really. If I had an exploitable machine around, I would trust their patch.

But you're probably coming at it from a different mindset. If you're used to open source software you probably regularly trust patches from people who you otherwise wouldn't know simply because they released the patch as open source. You probably figure SOMEONE out there must know how to read the thing to determine if it's malicious and would throw up a red flag if they found something.

With Windows users they're not used to that level of trust, even when it involves a patch that includes source code. How many Windows desktops do you know of that have Visual Studio on them to compile this patch from scratch to verify the binary version isn't malicious? Coming from a UNIX world, not having a compiler on your system just seems weird, but Windows users are trained to trust in their binary patches and cross their fingers.

Over/Under

[chrisgeleven]

What is the over/under for Microsoft getting a patch out for this?

If there is a time to deviate from their monthly patch cycle, this is it. The patch should have been out days ago, yet we are still waiting.

And Microsoft wonders why no one takes their security promises seriously.

Re:Over/Under

[mwvdlee]

In theory they could have the render-failure code run in a sandbox environment.

Re:Over/Under

[Malor]

Dude, how old are you? I was *there* at the time. Nobody thought about security in networks back then. Hardly anyone thought about security, period. Regular Windows barely even DID networking... they added that later in Windows for Workgroups. (heh, and it still barely did networking :)) Networks were weird and unusual. They were isolated, not tied together, and everyone just assumed you could trust anyone you could run a LAN cable to.

Modems existed, sure, but a FAST modem at the time was 19200 baud. People didn't use that to network. Before the Internet arrived, people used modems to call BBSes. When the Internet arrived in my town, it didn't offer SLIP or PPP... you dialed in and ran programs at the Unix shell prompt. There WAS NO LONG DISTANCE NETWORKING, except on the part of a few eggheads in academia. The concept of a worldwide network was something out of science fiction. In 1990, people would have given the ideas of a global network just ten years later and an invasion from Mars about equal credence.... ie, nearly none.

I assume you're too young to remember, but Microsoft had a huge revelation awhile after Netscape had that first monster IPO. "Wow! This internet thing.... it matters!" And THEN they started revamping all their single-user stuff to go on the Net.

In hindsight, it's very easy to see that they should have started really thinking about this in 1993 or 94, when the Net was first really making headway.... people liked it. A lot. Not figuring it out until 95 was pretty darn boneheaded on their part. And then in their rush to get on the Net and take it over, they made a lot of really, really stupid mistakes. And we're still paying for them.

But fer chrissake, the design of WMF... Microsoft is supposed to magically realize that the long-distance network between about five thousand academics is going to *take over the entire world*? When they were designing WMF, they had probably never even *heard of* ARPANET.

So yes, they DO get a pass on this. Their really serious errors were in trying to push '95 and '98 onto the Net, and writing all that functionality into Office that didn't need to be there. They didn't feel they had time to do it right, so they did it quick to grab the market. From 95 on.... the blame is entirely theirs. It was obvious what would happen.

But in 1991? You're high if you think security was much of an issue back then. DOS had *NO* security. None whatsoever. Neither did 3.1, 95 or 98. (well, 95 and 98 had a tiny bit of security, but it was a thin veneer). And everyone got along just fine, at the time. The only time security was needed was when you were in a corporate environment. Nobody talked from one computer to another, it was all from the workstations to the servers.

The only people that needed security at the time, in other words, were big businesses, and they ran Netware. Other than that, if you wanted to secure your data, you locked your computer up.

Extrapolating from that mindset to 'talking to every computer in the world', in advance, would be nearly impossible. Even having BEEN there, it's hard to wrap my head around how different things were back then.

Re:Over/Under

[angulion]

There's a mountain of code that was written just to work, not to worry about being handed malicious data. If a user passed bad values to a system call and it crashed, oh well. It was their fault for doing it. It's not like they had anything to gain from it, after all. They owned the computer. Why on earth would the computer need to protect itself from its owner?

It is new, it is called DRM.

Re:Over/Under

[mce]

That of someone with a 3-digit /. UID obviously... :-)

More to the point: I was there too (I got on the net - the real one, that is, not just BBs-es - in 1988). IMHO, both grandparent posters were right.

The net was very real back then, and multi-user machines were in common use in engineering (I used graphical DomainOS Apollo workstations for my master's thesis, while we mostly still had an experimental and barely usable X11R2 floating about on some of the non-Apollo workstations). But security was indeed very lax in those days. We pulled some amazing pranks on each other back then and didn't really see the true potential impact of what we could do. It was just "having fun amongst the good guys at each other's expense". The bad guys were the ones that wrote viruses for MS-DOS. But since everyone knew that MS-DOS was a toy for kids, it really didn't matter. Once the kid's clever enough to write viruses would grow up a bit and go to college, they'd surely repent. And since they were that clever around computers, they'd be eagerly welcomed "on the job" as soon as they had a CS degree of their own.

Hell, the only security X had was xhost. Get past that, something horribly trivial (especially if open remote access to X is the default as it used to be), and you can do anything you want with people's machines and easily captured passwords. We didn't even need buffer overflows or callback-based image formats to get anything nasty done back then... :-)

My first real understanding of what was about to happen came "only" in 1991 when I spent a year in the Belgian Navy (conscripted) and when one day I had to pull the plug on the network of an entire Navy school due to some stupid but harmless virus that was spreading through the network. Up to that point' I'd never seen standard PC's and any sort of network in ome combination. So that day I really did "see some of the light".

But even so I didn't really get it yet. Back then I thought I'd done a very good job: stopped the spread, got the network cleaned, and defined some rules about not bringing "aboard" untrusted floppies that weren't needed for the job. Now I know what a fool I was: I'd been on the real Internet for several years; I'd just seen "live" what a network could do when combined with MicroSoft toyware; but since that particular school was not on the Internet (after all, they were not using UNIX :-), I imagined that things would be and remain under control if only people would implement a few rules about bringing in floppy disks form home. Real computer users didn't use PCs anyway... Silly me!

Re:Over/Under

[cpu_fusion]

I completely agree. Anyone with a basic understanding of computer security would be able to see this was a wide open gaping hole. And according to the news sites I've seen, it's been in Windows for 15 years.

ANY DECENT AUDIT of such an "important" piece of code should have seen this with big flashing red signs. Registering a callback in a DATA DOCUMENT is patently stupid.

I agree with you that the real question is: who has known about this and for how long?

Because of how easy it is to get someone to view one of these files, how silent and universally easy the callback is (doesn't even need a stack or heap overflow!!!), how easily it can evade intrusion detection signatures, how rediculously easy it would be for an expoloiter to erase their tracks after breaking in -- it is downright scandalous.

Microsoft, organized crime, the NSA, North Korea, the zit-faced kid across the street could have used this bug to: spy on competitors, spy on the government, spy on YOU. And you'd never know. And only now after 15 years is it getting fixed, because HACKERS revealed it.

This should be the pearl harbor for data security. This should be on every tech blog. There should be congressional hearings. People should be talking under oath about this.

Re:Over/Under

[0WaitState]

Ah, the fun with "melt"--I think every first-time Apollo user got hit with that one.

Just to make my points more briefly, by MS-Dos 3.0 it was well known that one needed a virus scanner/disk cleaner. And the internet worm of 1988 was devastating. I still assert that by the end of the 80s O/S vendors had no excuse for ignoring security concerns. Unixes slowly got better (took Sun until about 1995 to clean up the easy SunOS hacks), but the Microsoft platforms didn't. VMS could be locked down, though often wasn't.

Sometimes I think they do it on purpose

[User+956]

Sometimes, I really start to think that security is so poor in commercial operating systems, because they want to use protection from all these exploits as the bait to get us into the "trusted computing" cage.

Trusted computing is a farce, because the one thing that *isn't* trusted, is the user.

Shows how much MS cares for its customers.

How many late nights, allnighters, and missed holidays have you experienced, thanks to things like ILOVEYOU and Slammer? How many times have you had to clean up the mess created by Microsoft's shitty, unsecure software?

Clearly Microsoft wasn't interested in calling people in over the holidays to whip up a patch for this critical vulnerability-- something that you could go in a couple hours early tomorrow and roll out to the PCs in your organization. They're going to let you suffer. And why should they care? They've already got the money of the company you work for. People are going to return from their holiday vacations tomorrow, load the wrong web page in IE, and get pwned. And you'll be left to clean up the mess. Again. Better pack an extra sandwich with your lunch tomorrow, because you probably won't be getting out at 5.

Programmers?

[Claire-plus-plus]

Windows have produced a datatype that allows people to place executable code into image files? How can they call themselves programmers. Seriously whoever engineered the WMF format should be ashamed.

Re:Programmers?

[iBod]

Obviously you know nothing about CPU architecture. Like the designers of the x86 series, you think you have to invent the wheel from scratch, when so many better wheel-designers have already done the job for you.

An 'arbitrary jump' is fine inside your own address-space, so long as you jump to storage you own, AND you have requested, AND have the 'key' to, AND is marked 'executable' in your current key/ring.

Jeeze! The mainframe guys had this figured out decades ago.

Don't trust the coder first - trust the computer architect first!

Re:Programmers?

[clem.dickey]

But IIRC, IBM's S/360 key-controlled storage did not distinguish "read" from "execute." The storage keys were originally used to separate users in a single address space, since S/360 had only one address space.

I don't think you could guard against execution (separately from read, on a S/360 successor) until IBM introduced data spaces. Execution is limited to data space 0, and if you don't let a program write to that space you are OK. But even now, though the architecture *can* separate read/write space from execution space, do mainframe OSes take advantage of that?

Is it just me

[goombah99]

or Is the original healline post for this thread written in gibberish enhanced by misappropriation of terms and conflation of concepts? How is trusting the unofficial patch conceptually related to "trustworthy computing" and why should packet spanning make it invulenrable to filtering?

Re:Is it just me

[BushCheney08]

It's a thing called sarcasm. MS are the ones pushing "trustworthy computing" but are showing that at a time like this, they can't be trusted to do the right thing.

Re:Is it just me

[Tim+C]

And what's the right thing? Rushing out an untested patch as fast as possible that either doesn't fix things or even makes them worse? Or is it taking your time to make sure that you get it right and don't end up making an even bigger mess of things?

Re:Is it just me

[darkonc]

The point about "trustworthy computing" is that you are giving over control of your computer to some other semi-random person who can then force your computer to do, or not do, whatever they want it to.

It all comes down to the question: Who do you trust? A company like Microsoft that has made billions of dollars with sometimes shady and even outright illegal business practices, or a bunch of diehard security enthusiasts who just hate to see their (and other people's) computers hacked?

No matter how you answer the question, it's likely to be an obvious answer.
For you.

Shame on Hemos

[slavemowgli]

No flamebait intended, but that's a typical sensationalist misleading Slashdot headline. Noone's advocating "trusted computing" or similar initiatives here; all they do is saying "here's an unofficial fix, and we'd like to recommend even though it *is* unofficial, considering the seriousness of the vulnerability and also considering it was written by a reputable windows expert, namely Ilfak Guilfanov (author of IDA Pro)".

And for that matter, there's no mention of "the Snort rules will hog your router's CPU", either - that's total rubbish, probably made up by the article submitter. And it slipped, too, since the Slashdot "editors" never care to actually edit stories before they publish them.

Shame on you, Hemos!

Re:What's wrong with...

[Claire-plus-plus]

Of course they don't know what a DLL is. Windows has been marketed as a consumer OS, it was designed to be used by people without a clue. By default you can't even see the DLLs. People shouldn't need to have IT qualifications to use a computer, it should be secure enough for them to use it. What you are suggesting (to use a car metaphor and probably get flamed for it) is that people should need to strip and reassemble an engine to get a drivers liscence.

Why do folks still use Windows?

[putko]

What is the calculation that Windows users -- esp. businesses -- make that allows them to keep on using Windows?

When I had to pick an OS, I did research and picked one that I felt was secure enough for my needs. Windows didn't make my cut.

Somehow the Windows folks keep on choosing to use Windows, even though after the WMF exploit is history, they'll just be waiting for yet another "shoe to drop".

I understand that legacy apps/data formats get you locked-in to Windows, but doesn't "remote exploit" concern you enough to make you think "must switch!"?

Re:Why do folks still use Windows?

[Fortran+IV]

What is the calculation that Windows users -- esp. businesses -- make that allows them to keep on using Windows?

I usually stay out of the Windows/Linux/Mac arguments, but I'm afraid you just don't understand my world.

I work for a very small company, probably typical of thousands of other very small companies. Our company is too small to afford a full-time IT staff; I'm the entire IT department, and it's a very small part of my job. I'm the IT guru because I'm the only one there who knows a DLL from a dungheap.

I have formal training in computers, but so long ago that the field was still called EDP and time-sharing was a big deal. I've spent years learning what I know about Windows and Windows networks, in my spare time. It would take me years more to reach a similar level of expertise with a brand-new OS. And until I reached that level, we'd be more vulnerable than with Windows.

My company has about a dozen computers, including a single domain server with no backup server. We have about $60,000 invested in software (other than OS's) that will only run under Windows. We have no hardware to set up a test server, no money (or time) to spend on unsuccessful experiments.

The only person in our company who has ever used Linux is our 21-year-old secretary. We have one Unix machine, which I despise, because its desktop GUI is primitive and its command interface makes MS-DOS look well-designed and intuitive.

I rarely get to spend more than two or three hours a week on network maintenance, security monitoring, and research combined. If I hadn't automated them I wouldn't have time to do file backups some weeks. I have no time to spend trying to research the seventeen hundred different distros of Linux available, or whether Wine will support our COM+-dependent network applications--or whether the WMF exploit still applies if we run Windows applications on Linux.

We can't afford to have a regular support contract with a local computer-specialist firm. That's assuming we could even find someone in town we can trust--the overpriced morons who did our last batch of installations gave us a two-NIC server with only one NIC enabled (so no firewall), and set up user workstations with the Administrator password left blank!

I loathe Microsoft, and have since I first saw Windows 3.11. But what possible reason do I have for trusting the claims of Red Hat or Debian more? What research I can do is hardly reassuring. Remember Saturday's story here: researchers found 812 flaws in the Windows operating system, 2,328 problems in various versions of the Unix/Linux operating systems (Mac included)?

Somehow the Windows folks keep on choosing to use Windows...

I didn't choose Windows; I inherited it and have no resources to replace it. My company didn't really choose Windows; it was forced on us by the marketplace. Be realistic! My wife just bought an Apple, and the first thing she installed on it was the OS-X version of MS Office, necessary for compatibility with her company.

Maybe in another ten years Linux will be enough of a force that applications will be written for cross-compatibility, but little companies like mine can't wait that long. We have to use what we can, right now.

Re:Why do folks still use Windows?

[Just+Some+Guy]

My company has about a dozen computers, including a single domain server with no backup server. We have about $60,000 invested in software (other than OS's) that will only run under Windows.

I rarely get to spend more than two or three hours a week on network maintenance, security monitoring, and research combined.

OK, so you're not a full-time IT guy. That's cool. But if you can't manage 12 machines and only $60K worth of vendor lock-in, then you absolutely, positively need some outside help. It's not an issue of whether you can afford it; at this point, I'd say you have to.

But what possible reason do I have for trusting the claims of Red Hat or Debian more? What research I can do is hardly reassuring. Remember Saturday's story [...]?

I did, but I don't think you did, because it was thoroughly debunked within the first 10 replies.

Let me put that another way. The article you're reading right now is full of stories about people going in on the holidays to patch their Windows systems. How many stories did you hear about Unix admins rushing in this weekend? All of last month? All of last year? So far this millennium? The latest unpatch{ed,able} Windows exploit is set to cause more work for the people who have to manage affected systems than the rest of us have had in the last five years.

But you can choose to believe whomever you want. As for me, I'm enjoying my four-day weekend and relaxing by reading about stuff that doesn't affect me. Hope your new year goes this well!

Re:Why do folks still use Windows?

Q: Why do folks still use Windows?

Short answer: It easily runs everything I want it to. The Linux user experience is significantly worse than Windows.

When I had to pick an OS, I did research and picked one that I felt was secure enough for my needs. Windows didn't make my cut.

What are you doing to make Windows insecure? Downloading unmarked executables from newsgroups and executing them? Running Outlook and double-clicking on every attachment you receive? Running without a firewall?

Let me rephrase your quote:

When I had to pick an OS, I did research and picked one that I felt was compatible enough for my needs. Linux didn't make my cut.

The last time I tried Linux (and I have, I really have), it didn't support all my hardware out of the box. Hardware support should simply work instead of having to recompile my kernel 36 times trying to figure out the correct settings (there were none, I had unsupported hardware). How ancient is that? And then I hated the distribution wars - the infighting over which was the "best way" to do something - the way that distro X does things completely differently from distro Y to the extent that they're binary and logically incompatible to the detrement of the user - and you end up hating both distros as neither of them uses a solution that makes sense for the user.

Then there's the sheer hypocracy of KDE - instead of supporting Microsoft, it's supporting Trolltech, but nobody seems to understand that ought to be just as much of an ethical problem. Trolltech are no better than Microsoft when it comes to trying to leverage a monopoly. The pond may be smaller, but if Linux ever takes off, Trolltech gets a free ride. Except that Linux will never take off while Trolltech are stunting commercial growth and charging $4000 per seat for commercial development licences - Microsoft couldn't have a more unlikely ally in supressing Linux.

And as far as a free OS, I found FreeBSD to be significantly better than Linux as it's logically organized and the maintainers are mature adults compared to the screaming teenagers of the Linux world.

Although neither Linux or FreeBSD run the games or applications that I want to play. If they reliably (and with no messing around) ran the very latest games (eg: World Of Warcraft), tax and financial software (eg: Taxcut and MS Money) - with full support for my graphics card, sound card and printer - I'd take another look. I did once manage to get Unreal Tournament 2003 running under Linux (which was the game I was into at the time) with full 3D acceleration, but the sound was delayed about 2 seconds so it was unplayable.

But given that I no longer use my computer for the sole purpose of messing with my computer, I'm sick of that shit not working. 15 years ago it would have been a fun challenge to "stick it to the man" and "rebel" against Microsoft, but I no longer care. I want as little maintainability as possible - I simply want to be able to read email, yell at people on /., play games and do some serious stuff once in a while. So I run Windows XP on my desktop (instead of Linux or FreeBSD, although my other computer is an Apple Powerbook running OS X). I sit behind a hardware firewall, have autoupdates turned on, run a memory-resident virus scanner and antispyware scanner, use Firefox and Thunderbird - and I've never, ever had a security problem.

Well the truth is....

[ciroknight]

..that if we all were running "trustworthy" computers, this problem would be much, much worse than it is now. Imagine that now instead of having a patch that's already been made by someone else while we sit and wait for Microsoft to get off their asses, we now have to wait on Microsoft, who still hasn't shown up.

Instead of having *some* machines patched, we'd have none. This late after the exploit has been released, and a zero-day attack has happened, we'd see no respite.

If you try to argue that Trustworthy computers wouldn't allow this to be exploited, what if the trustworthy compontent itself was exploited? As the Xbox and soon the Xbox 360 have shown, the more complex the hardware, the more complicated the bugs are. Microsoft's betting that the hardware complexity can outgrow the programmer's abilities to crack it, but if there's any truth in the world, it's that if it can be engineered, it can be destroyed. So imagine if this virus was actually signed by Microsoft through the exploit. How would this look for their company? How can you save face from a disaster like that?

No, trusted computers aren't the answer, just more secure computers, with better code. And the fact of the matter is, the more eyes that are on the code, the better it is, and that's why Open Source will always succeed. No amount of cryptography will help you if there's a hole in your crypto system.

Re:Well the truth is....

[frankie]

what if the trustworthy compontent itself was exploited?

There's no "if" about it. The vulnerable component is a genuine Microsoft DLL, shipped as part of Windows, intended to render an official Windows file format. If you were running a "Trusted"(tm) PC, this DLL would 0WNZ0R you with no way out.

Re:Well the truth is....

[ultranova]

There's no "if" about it. The vulnerable component is a genuine Microsoft DLL, shipped as part of Windows, intended to render an official Windows file format. If you were running a "Trusted"(tm) PC, this DLL would 0WNZ0R you with no way out.

You have it backwards. If you were running a DRM'd PC, this DLL would allow you to retake your own computer.

Remember, security flaws are only bad when security is protecting you. DRM protects Disney against you, so any hole in a DRM'd computers security makes it more, not less, valuable to its owner.

Maybe, in ten years time when only DRM'd computers are legal to buy, and attempt to install anything but Windows Whatever into them is a crime punishable by death, we will yet end up praising Microsofts total incompetence with anything resembling security.

Re:Well the truth is....

[ciroknight]

Huh? I am not aware of any current implementations of "trustworthy computing" that would prevent you applying this sort of patch. The TPM chip and the like simply let you prove things about the configuration of your computer to other computers (and lock data to a particular machine) - by all means, go wild, do whatever you want to your own computer. Just don't expect to then be able to lie about it to others. If you then rely on others for various things who refuse to trust you because you're loading patch DLLs into every process then you may have a problem yes, but this is only temporary and the benign applications of such a technology (death to game cheaters!) IMHO outweigh the very slight theoretical risks.

So let's say I'm JoeISP. Hi JoeISP you might say, I'd laugh and go about my business. Some nasty cruel internet underdwellers would go about writing their programs as they do today, and start delivering their payloads to people over my network. I can't really stop them from doing this; there's simply too much data that goes through my network to look at every packet and assure that the content isn't executable or worse, a virus. I can take some countermeasures, but not to many. Nope, it's the end users who have to be trusted.

So over there is Miss Jane. She loves the internet, and her newly bought Laptop from Dell with a pretty new TPM chip in it. She's a customer as JoeISP, and I love her for it, she pays me a pretty penny a month she could be getting for free if her neighbor would share his wireless access point, but sadly for Jane, her computer doesn't detect that his WAP has a TPM chip, and her operating system says to her that even if the network weren't protected by WPA2, she still wouldn't be allowed to connect to it because it isn't a Trusted connection. She shrugs it off.

So, Jane goes about checking her email when she sees a really funny picture her aunt sent her. Oh boy that's funny she said, and she saves the picture on her desktop so she can look at it later, or maybe even send it to a friend! But what's this? Her computer suddenly locks up tighter than a steel drum and a little popup tells her that "Windows Trusted Computing has detected unauthorized code in memory, and will not allow it to be executed." But she wants to save the image! She dismisses the popup, and saves it again, same message.

She is disheartened and goes to Trusted Go^W Microsoft Search to find an answer. Turns out, lots of people have been having this same exact problem, and nobody knows why. Some guy with a pocket protector and glasses tell them to reboot their computers, go into their BIOS and turn off TPM protection, and she does.

Now when she gets back on the Internet (this of course, assuming that she can, more on this in a minute), she saves the picture and poof, she's now got the exploit running on her machine. Her virus protector (assuming she has one) goes haywire! Of course, Windows File Protection make certain that she can't easily select the file and delete it, after all, it is a running executable now. (Or, even if WFP *did* allow it, most viruses these days are smart enough to break virus protectors in a way that they can't remove the virus on their own, even if their data files are up to date).

She's smarter than your average bear, however, and is able to go to another computer and get back on the internet. She finds a patch for the bug, and a clean up tool that allows her to remove the code from the image. "Goodie" she thinks.

She goes back to the other machine, fixes the DLL, turns back on TPM, and goes to get on the internet.

My ISP (remember me, JoeISP?) instantly alerts an error. Someone has connected to our network with TPM on, but has modified their files! Our policy is not to let those people on our network at all, since that's what Microsoft told us to do. So we block her MAC and continue about our day. She calls in later, furious that she can't get the Internet to work in her house anymore. Any attempts to quell her ar

Corporate? Try college.

[mendaliv]

Think users are bad in the corporate sector? Wait until everyone gets back to the college dorms after winter break with their completely unpatched computers. And all the people who have new computers that they got over the holidays. It wouldn't matter if Microsoft had patched it last week, I guarantee that the student users who need it won't have it.

Speaking as a poor sap who has to fix these computers, I have one thing to say: "Thanks for the easy money". And a heads up to all you dorm technicians, get ready to start burning virus CDs.

In English please...

[samj]

WTF are you trying to say:

"They want you to trust that the unofficial patch for the Windows Metafile Volunerability that is currently being exploited by an IM worm."

Possibly the worst story ever.

Trust Worthy

I know the title was meant partially as a joke. However this is exaclty the kind of thing you _COULD_NOT_ do if a computer was enabled with trustworthy computing. You could never apply a patch from an "untrusted/third party" source.

Re:TFA conclusion is BS

[finkployd]

Don't open e-mail from senders you don't recognize.

What would this accompolish? Since around 1999 or 2000, the vast majority of viruses and trojans have grabbed all the email addresses in someone inbox, address book, etc. and sent themselves out using a random return address from this list. There is a good bet that any virus/trojan you get will have a known return address in it, however it is just as good a bet that it will not be the address of the person infected.

Geeze, here it is 2006 and people still think that the return address in unsigned email means ANYTHING.

And if you are in a coporate setting and the Network Admin hasn't blocked IM, you've already got bigger problems to worry about.

It really seems sad that the norm is to block reasonable communication tools (I use IM almost exclusively for work related communication) simply because corporate America is infatuated with Microsoft despite the massive security headaches they cause.

Off topic, I'm really getting annoyed with Microsoft admins where I work constantly complaining about IE problems. I'm starting to ask these people how many times they had to put their hand on a hot stove when they were children before they decided it was a bad idea. Is pattern recognition a skill that we as a society just no longer have?

Finkployd

Win98 patch?

[GreatDrok]

I wonder if anyone is going to be able to patch Win98 against this? There are still a lot of machines and this vulnerability could make them essentially useless and force an upgrade. While we would all love for them to upgrade to Linux or OS X it is more likely that they will shell out for WinXP and MS will benefit from a windfall of sales as a result of their inept programming. If someone produced a workable patch this would at least allow people to keep using their computers without pouring more money down the MS bottomless pit.

Your TPM software might refuse to run

[Lonewolf666]

In some DRM scenarios, the TPM chip is also used to prove to your software that the OS has not been modified. Unless you have the skills to hack that software, your bought and paid for TPM programs may refuse to work any longer.

A much tougher case would be the "rely on others" programs where you have to prove to an external instance that your system has not been hacked. Take the "death to game cheaters" implementations as an example:
Want to fix your vulnerable Windows with a non-official patch?
World Of Warcraft II won't let you play anymore ;)

I also don't believe this is temporary. Except in the sense that TPM might be (hopefully!) a colossal failure in the market. And considering the current vulnerability, this looks like more than a slight theoretical risk to me.

there is always choice

[Heembo]

it cannot be detected by most intrusion detection systems (the snort rule will peg the CPU on your router) nor filtered by packet-inspecting firewalls (it spans two or more ethernet frames).

You *can* run 2 instances of snort in-line to get around this CPU-pegging issue.

Not really a whole lot of choice about this one.

There is always choice - have you considered a defense-in-depth multi-layered approach? I'm taking the following steps
1. unregister the ms pic and fax viewer dll
2. make WMF file extension default to an erroneous app like notepad
3. turn DEP up a notch
4. turn off downloads in IE if you must use it (set default security settings to HIGH)
5. block all WMF files at the perimiter
6. keep antivirus up to date and consider frequent manual updates and scans of key machines

These things in combo with being vigilant over the next few days should keep you and your corporate networks safe. There are even MSI versions of the patch for mass distribution.

What did they do wrong

[badriram]

I do not want a patch that is untested, and could cause even more hell. You really think, they could have created a patch, and tested it well to be deployed on 200+ million machines connected to Windows update, and not have any bad effects on other apps.
If you look at the patches realeased by others, they also say it might break applications, and you might have problems with it etc. I do not think MS has that option while creating a patch.
Microsoft accpeted there was a flaw, posted information about it, told you about workarounds. If you want to be protected just turn on DEP on all applications. Want to do it on multiple machines, use scripts to edit boot.ini and add /NoExecute=OptOut to the options, and kick in a restart. Atleast that is a better thing to do than trust a random untested patch.

Re:can't remove the callback feature

[r00t]

It doesn't look all that obsolete in Microsoft's documentation.

CERT may think the function is obsolete, but that doesn't mean
that apps no longer depend on it. Stuff breaks if you go ripping
pieces out of an ABI. Somebody's critical business app might
even depend on the function.

Re:Deploying to many machines is hard

[plopez]

What you have said should be SOP for any fix on any large network. Even vendors can get it wrong, so testing is always important.