Trustworthy Computing
Anonymous Coward writes "This is a first: the Internet Storm Center is recommending trustworthy computing. They want you to trust the unofficial patch for the Windows Metafile Vulnerability that is currently being exploited by an IM worm. No patch from Microsoft at this time, and the exploit is arranged in such a manner that it cannot be detected by most intrusion detection systems (the snort rule will peg the CPU on your router) nor filtered by packet-inspecting firewalls (it spans two or more ethernet frames). Not really a whole lot of choice about this one."
FTA:
You cannot wait for the official MS patch, you cannot block this one at the border, and you cannot leave your systems unprotected.
This has always been the case with Windows, if I'm not mistaken.
You are absolutely correct, sir. This article has absolutely nothing to do with "trustworthy computing" (aside from the use of the word "trust"). It is perhaps interesting that the headline was enough to persuade me to read the summary, and click the link to the story. Maybe, in some strange way, they're demonstrating how the exploit works.
Everything I've ever learned the hard way was based on a statistically invalid sample.
From http://www.viruslist.com/en/weblog?discuss=176892530&return=1:
"... Going back to the wmf vulnerability itself, we see a number of sites mention that shimgvw.dll is the vulnerable file. This doesn't seem correct as it's possible to exploit a system on which shimgvw.dll has been unregistered and deleted. The vulnerability seems to be in gdi32.dll... "
Sure, people need lives (e.g., vacation, time off, etc.).
And so do those who work as network administrators etc.
I can tell you that many a company that takes internal security seriously has had people working on this over the last weekend to make sure they are as safe as can be when everyone starts working today.
MS could have had a few employees working on this during the holidays, get it properly fixed, and have an update installed with Windows Update. As it is, they got a few thousand people working on implementing workarounds and unofficial fixes instead. Lots of extra work that has to be undone when the official fix is there.
It's probably a hard problem to patch. From what I've gathered, this is a feature of WMFs, not a bug. They were designed before people even knew what the Internet was. WMFs, apparently, have the ability to specify code to be run on a failure to render. So the bad guys give you a bad WMF file, cleverly renamed as JPG, and stick it in an ad banner. You browse a site (with any browser), Windows fails to render the WMF (which it will recognize even if the filename says JPG), runs the specified failure code, and you're hacked. That fast.
Changing code that's this deeply buried in Windows is risky. The interpreter for WMF is one of the remnants of code left over from single-user computers, and they'll have to test changes very thoroughly. They're GOING to break things with this patch, because they're removing a designed-in feature. They're probably working feverishly to figure out how to minimize the damage, but some damage is inevitable. And the problem could be far worse than it appears; that DLL could be riddled with problems. It may not have been audited in many years.
This is yet another example of how you can't retrofit security; the first Windows versions were designed when security wasn't even an issue, when the Internet was barely a twinkle in Al Gore's eye. There's a mountain of code that was written just to work, not to worry about being handed malicious data. If a user passed bad values to a system call and it crashed, oh well. It was their fault for doing it. It's not like they had anything to gain from it, after all. They owned the computer. Why on earth would the computer need to protect itself from its owner?
With the advent of the Net, Microsoft decided to both stay backward-compatible and extend what they had onto the Internet. And their focus for many years was on new features, not security. Essentially every security person at the time warned them -- stridently -- against the choices they were making. It was obviously going to be a trainwreck. This is just the latest in that ongoing collision between a single-user operating system and exposure to every computer in the world.
This particular exploit is BY FAR the worst one yet...even very competent administrators, doing everything exactly as they should, can get nailed by this one. As bad as this is, though, it's not like they're going to stop here.
Trying to retrofit security onto the Win3.1/Win95 model is like trying to use scotch tape to make cheesecloth waterproof. No matter how much tape you use, even if it's a lot more tape than cloth, it will ALWAYS leak. It might hold water for a bit, but leaks will constantly spring up. They've added tremendous functionality in the NT/2k/XP kernels which can limit what users can do and limit the possible scope of compromises, but many many programs (especially games) require administrator privs just to run. So most people run as Administrator even though they shouldn't. And that makes hacks like this one very easy and *extremely* damaging.
Hopefully Microsoft will get a patch out fast.... they certainly must understand how overwhelmingly bad this problem is. The fact that they're reacting slowly is likely an indication that it's hard to fix.
If this *were* a stack overflow, you'd have a good point.
However, the WMF format allows you to embed a code in it that basically says "when you've finished drawing this, call the function at this address to execute it". The reason that this exists is that WMF was not originally intended to be a file format. It was intended to allow Windows applications to record the steps necessary to draw an object, so they could do it again later (presumably using less processing at that point because everything's precalculated).
according to Microsoft
That sounds like they must have some kind of patch out there, or are they hoping to get more users "hooked" on OneCare? Otherwise, this statement doesn't make sense:
Maybe I'm being picky, but I think all their customers have a quite urgent need, right now! Written from the sublime security of Fedora Core, thanks.
With stuff like this in their closet, one surely can understand at least to some extent why they advocate closed source. The feature in question is likely well documented, and thus reasonably "open", but the idea of what might happen if crackers get access to all the non-safe zombie code that dates from their pre-history truly must horrify them.
Linux user since early January 1992.
Some wikis probably don't check file content.
Wikipedia tries to block stuff like this, but I don't think it is all that reliable. They just use the UNIX file command to see if a file matches the file extension.
WMF files start with 0x01 0x00, and are unrecognized by the file command.
JPEG starts with 0xff, so that won't do. Well, there are other formats to try.
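The upload check discussed above, as an added example that is not code from the thread or from any wiki software: it decides what a file is from its leading bytes rather than from its extension, so a metafile renamed to .jpg is caught, and it never accepts metafile content at all. The signatures for WMF (0x01 0x00) and JPEG (0xFF) are the ones the thread gives; the disk-metafile type word 0x02 0x00, the header-size word 0x09 0x00, and the placeable-metafile magic 0xD7 0xCD 0xC6 0x9A go beyond the thread but are the documented WMF header values. The byte strings, filenames and the allowed-type policy are constructed for the example.

```python
import os

# Leading bytes that identify each format.  Standard WMF headers begin with
# the metafile type (1 = memory, 2 = disk) followed by the header size in
# words (9); placeable WMFs begin with the magic 0x9AC6CDD7 in little-endian.
SIGNATURES = {
    "wmf": [b"\x01\x00\x09\x00", b"\x02\x00\x09\x00", b"\xd7\xcd\xc6\x9a"],
    "jpg": [b"\xff\xd8\xff"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "gif": [b"GIF87a", b"GIF89a"],
}

# Policy (constructed for the example): only raster images are accepted.
# Metafile content is rejected even when the extension honestly says .wmf.
ALLOWED_TYPES = {"jpg", "png", "gif"}
EXT_ALIASES = {"jpeg": "jpg"}


def sniff(data: bytes):
    """Return the format implied by the leading bytes, or None if unknown."""
    for fmt, magics in SIGNATURES.items():
        if any(data.startswith(m) for m in magics):
            return fmt
    return None


def declared_type(filename: str) -> str:
    """Normalise the extension the uploader chose (.JPEG -> jpg)."""
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    return EXT_ALIASES.get(ext, ext)


def check_upload(filename: str, data: bytes) -> dict:
    """Accept only when the content is a known, allowed type that matches
    the declared extension; otherwise list every reason for rejection."""
    declared = declared_type(filename)
    detected = sniff(data)
    reasons = []
    if detected is None:
        reasons.append("content does not match any known signature")
    elif detected not in ALLOWED_TYPES:
        reasons.append(f"{detected} content is not an allowed image type")
    if detected is not None and detected != declared:
        reasons.append(f"extension says {declared} but content is {detected}")
    return {
        "declared": declared,
        "detected": detected,
        "accept": not reasons,
        "reasons": reasons,
    }


# Constructed sample inputs: a metafile header renamed to .jpg, a genuine
# JPEG/JFIF header, and a placeable-metafile header with its own extension.
WMF_AS_JPG = b"\x01\x00\x09\x00\x00\x03" + b"\x00" * 16
JPEG_SAMPLE = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16
PLACEABLE_WMF = b"\xd7\xcd\xc6\x9a" + b"\x00" * 20

if __name__ == "__main__":
    for name, blob in [("banner.jpg", WMF_AS_JPG),
                       ("photo.JPEG", JPEG_SAMPLE),
                       ("drawing.wmf", PLACEABLE_WMF)]:
        print(name, check_upload(name, blob))
```

The check compares the sniffed type against both the extension and an allowlist, because the two tests catch different things: the mismatch test catches renamed files, while the allowlist is what keeps a correctly labelled metafile out.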
> Geeze, here it is 2006 and people still think that the return address in unsigned
> email means ANYTHING.
Well, yeah. I had to explain to two coworkers just last week that the scary messages they were getting weren't really from eBay, and they were quite surprised. (So I told them that if they were concerned that they might need to check their eBay accounts, to use the bookmarks they usually use to go there, because they would know that those really go to eBay. The link in this message only says it goes to eBay, and really it goes someplace else, to another site. Such gasps of outrage and astonishment as I then heard, you'd have thought I was telling them that their husbands lied about the business trip and were really in Las Vegas with girlfriends.)
This is at least partly because of the way mailreaders present the data. Instead of showing the headers as part of the message (which is, essentially, how they're transmitted), most mail readers parse the headers and present certain pieces of data from them (the From address, for instance) separately from the message, as metadata. Well, yeah, it *is* metadata in a sense, but the way it's presented makes it appear, to the casual user, as if it's something the mailreader knows about the message, rather than something the message claims about itself. Other critical headers, such as Received:, are not shown at all (unless the user specifically goes looking for them in a "Show All Headers" or "View Message Source" option or somesuch).
There are, of course, good solid usability reasons why these things are the way they are, but it doesn't take a doctor of psychology to tell you what people are going to think as a result.
Personally I'd like to see the information parsed out of the headers, especially the sender information, labelled just a little differently, e.g., "Claims to be From:". I'm not sure that would entirely solve the problem, but it might help a little. I'm also deeply annoyed that our ISP's mail server accepts HTML messages for delivery (if we had our own mail server in house it sure wouldn't), and that all the decent, deployable, user-friendly mail clients I can find happily render and display HTML mail. Even recent versions of Pegasus cannot, as near as I can determine, be configured to show the source or treat the HTML as an attachment.
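The presentation this post asks for, as an added example that is not code from the thread or from any mail client: it parses a raw message with Python's standard email module, labels the sender as "Claims to be From:", lists the Received: hops oldest first while marking only the hop stamped by your own server as trusted (every earlier hop is text the sender could have written), and reports whether the message carries HTML rather than rendering it. The sample message, the host name mail.example.test and the Return-Path comparison are constructed for the example.

```python
import email
from email.utils import parseaddr

# Constructed sample: a message whose From: claims ebay.com, whose bounce
# address belongs to someone else, and whose body is HTML.  Continuation
# lines of folded headers start with a tab, as in real transport.
SAMPLE_MESSAGE = """\
Received: from mx1.example-isp.test (mx1.example-isp.test [192.0.2.10])
\tby mail.example.test with ESMTP id AB12; Mon, 2 Jan 2006 09:12:11 +0000
Received: from unknown (HELO ebay.com) (203.0.113.77)
\tby mx1.example-isp.test with SMTP; Mon, 2 Jan 2006 09:12:09 +0000
From: "eBay Security" <security@ebay.com>
Return-Path: <bounce@example-bulkmail.test>
To: user@example.test
Subject: Account verification required
Content-Type: text/html; charset="us-ascii"

<html><body><p>Please <a href="http://203.0.113.77/login">sign in</a></p></body></html>
"""


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def summarize_headers(raw: str, our_host: str) -> dict:
    """Extract the sender-related headers as claims, not facts.

    our_host is the name of the receiving server we operate; only the
    Received: line that server added is treated as trusted."""
    msg = email.message_from_string(raw)
    claimed_name, claimed_addr = parseaddr(msg.get("From", ""))
    return_path = parseaddr(msg.get("Return-Path", ""))[1]

    # Received: headers are prepended by each hop, so the header order is
    # newest first; reverse it to show the path the message claims it took.
    hops = []
    for line in reversed(msg.get_all("Received") or []):
        text = " ".join(line.split())          # unfold the header
        hops.append({"text": text, "trusted": f"by {our_host}" in text})

    return {
        "claims_to_be_from": claimed_addr,
        "claimed_display_name": claimed_name,
        "return_path": return_path,
        "return_path_domain": domain_of(return_path),
        "from_return_path_mismatch": domain_of(claimed_addr) != domain_of(return_path),
        "hops": hops,
        "contains_html": any(p.get_content_type() == "text/html" for p in msg.walk()),
    }


def render_for_user(summary: dict) -> str:
    """Produce the header display the post suggests, with the claim labelled."""
    lines = [
        f"Claims to be From: {summary['claimed_display_name']} <{summary['claims_to_be_from']}>",
        f"Bounces would go to: {summary['return_path']}",
    ]
    if summary["from_return_path_mismatch"]:
        lines.append("Note: the From: domain and the bounce domain differ")
    lines.append("Claimed path (oldest hop first):")
    for hop in summary["hops"]:
        tag = "added by our server" if hop["trusted"] else "unverified, written by an earlier hop"
        lines.append(f"  [{tag}] {hop['text']}")
    if summary["contains_html"]:
        lines.append("Body is HTML; shown as an attachment, not rendered")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_for_user(summarize_headers(SAMPLE_MESSAGE, our_host="mail.example.test")))
```

The mismatch between From: and Return-Path: is only a hint, since legitimate bulk mail often bounces elsewhere; the point of the labelling is that the reader sees which lines are the message's own assertions and which were stamped by a server they control.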
Cut that out, or I will ship you to Norilsk in a box.