Trustworthy Computing
Anonymous Coward writes "This is a first: the Internet Storm Center is recommending trustworthy computing. They want you to trust that the unofficial patch for the Windows Metafile Volunerability that is currently being exploited by an IM worm. No patch from Microsoft at this time, and the exploit is arranged in such a manner that it cannot be detected by most intrusion detection systems (the snort rule will peg the CPU on your router) nor filtered by packet-inspecting firewalls (it spans two or more ethernet frames). Not really a whole lot of choice about this one."
As it says in the article, some people in the corporate world won't do it if the patch didn't come from MS. It's sad, really. If I had an exploitable machine around, I would trust their patch.
Plant a tree in a developing country.
What is the over/under for Microsoft getting a patch out for this?
If there is a time to deviate from their monthly patch cycle, this is it. The patch should have been out days ago, yet we are still waiting.
And Microsoft wonders why no one takes their security promises seriously.
It'd be nice to have a computer that I can use the patch on.. Maybe I can Wine it?
Any grammatical or spelling errors above are for comic effect, and do not signify imperfection in the writer.
Sometimes, I really start to think that security is so poor in commercial operating systems, because they want to use protection from all these exploits as the bait to get us into the "trusted computing" cage.
Trusted computing is a farce, because the one thing that *isn't* trusted, is the user.
The theory of relativity doesn't work right in Arkansas.
Yeah because 98% of PC users know how to disable the offending DLL. Heck, 98% of PC users don't even know what a DLL is.
I imagine that I could push out the deregistering fix, and associating WMF with Notepad, but that seems a little extreme because our attack vector has become limited, and our anti-virus is now updated with the newest signatures that detect this exploit.
FTA:
You cannot wait for the official MS patch, you cannot block this one at the border, and you cannot leave your systems unprotected.
This has always been the case with Windows, if I'm not mistaken.
How many late nights, all-nighters, and missed holidays have you experienced, thanks to things like ILOVEYOU and Slammer? How many times have you had to clean up the mess created by Microsoft's shitty, insecure software?
Clearly Microsoft wasn't interested in calling people in over the holidays to whip up a patch for this critical vulnerability-- something that you could go in a couple hours early tomorrow and roll out to the PCs in your organization. They're going to let you suffer. And why should they care? They've already got the money of the company you work for. People are going to return from their holiday vacations tomorrow, load the wrong web page in IE, and get pwned. And you'll be left to clean up the mess. Again. Better pack an extra sandwich with your lunch tomorrow, because you probably won't be getting out at 5.
Windows has produced a datatype that allows people to place executable code into image files? How can they call themselves programmers? Seriously, whoever engineered the WMF format should be ashamed.
99 bottles of beer in 175 characte
Today was supposed to be my fifth vacation day this Christmas.
I've had two; and decided to come in to the office today to make sure we were patched up against the exploit.
Yes, I took the plunge.
The patch is now deployed in our small office (30 Windows PCs atm); and so far so good.
Would I have felt safer if the sourcecode was released? Perhaps.
That said, I'd rather take the ISC's word on the fix than have a guaranteed hell within a couple of days.
The dedication of the people involved with ISC, as well as that of Mr. Guilfanov brightened my start of the new year.
Kudos, people.
Not really a whole lot of choice about this one
Sure there is. Don't use MSN to IM, for starters. Don't open e-mail from senders you don't recognize. Don't click on hyperlinks in e-mail without verifying that the URL is really what the text states it is. And if you are in a corporate setting and the Network Admin hasn't blocked IM, you've already got bigger problems to worry about.
Saturday's word was "transferbangle." Today's word is "volunerability." I wonder what tomorrow's word will be!
I'm still not sure myself whether or not I will install this unofficial patch.
Reasons for not installing it:
-I'm behind a router and use a firewall, virus scanner and several anti-spyware programs.
-I don't visit any suspicious websites (though this is probably not limited to 'suspicious' websites).
-I use Firefox for browsing, which (if I remember correctly) is not directly affected, unless you accept to run the .wmf-file.
My possible reasons for installing this patch beforehand:
-I don't know if the virus scanner and anti-spyware programs will pick this up in time.
-I have exams in two weeks from now. I don't have the time to spend hours on end to remove crap like this (and yes, I do have time to type this message :-P ).
Oh, and patch tuesday, is that tomorrow or next week?
Join the anonymous, help develop the network: http://www.i2p2.de
or Is the original headline post for this thread written in gibberish enhanced by misappropriation of terms and conflation of concepts? How is trusting the unofficial patch conceptually related to "trustworthy computing" and why should packet spanning make it invulnerable to filtering?
Some drink at the fountain of knowledge. Others just gargle.
Reading the article, the ISC (and a few others) say that you *should* disable the DLL. There are two ways, with caveats, listed:
*Unregister the DLL: some apps may actually re-register the DLL.
*Rename/Delete: make sure XP File Protection is off, otherwise it will be replaced. Also, some apps may behave badly.
So, disabling the DLL is a *good* idea -- but may not be a complete solution by itself.
10b||~10b -- aah, what a question!
No flamebait intended, but that's a typical sensationalist misleading Slashdot headline. No one's advocating "trusted computing" or similar initiatives here; all they are saying is "here's an unofficial fix, and we'd like to recommend it even though it *is* unofficial, considering the seriousness of the vulnerability and also considering it was written by a reputable Windows expert, namely Ilfak Guilfanov (author of IDA Pro)".
And for that matter, there's no mention of "the Snort rules will hog your router's CPU", either - that's total rubbish, probably made up by the article submitter. And it slipped, too, since the Slashdot "editors" never care to actually edit stories before they publish them.
Shame on you, Hemos!
quidquid latine dictum sit altum videtur.
Not really a whole lot of choice about this one.
OK, that just makes it too easy.
*awaits avalanche of "Linux is the cure"-style replies*
Which, of course, is correct, as it's not affected by this, but not suitable more than as a worn joke, as many organizations can't make the switch easily either for lack of own competence, will to hire those who have, lacking software compatibility and/or counterparts, etc.
Beware: In C++, your friends can see your privates!
They want you to trust that the unofficial patch for the Windows Metafile Volunerability that is currently being exploited by an IM worm.
The problem there (aside from the FP's atrocious grammar) comes from how the "unofficial" patch will interact with MS's eventual real fix.
I certainly don't consider myself a Microsoft apologist, but I KNOW that anyone who installs this patch, then discovers some bizarre (potentially very serious) problem from Microsoft's solution, will bitch loudly that Microsoft should have taken the interim fix into consideration. These same people currently bitch that Microsoft should throw caution to the wind and issue a fix ASAP, out of their normal patch cycle and without adequate testing.
Personally, I don't see the problem with temporarily unregistering the affected DLL... I NEVER view thumbnails through explorer (slows it down beyond belief), and MS's built-in image viewing/printing software lacks even the basic editing capabilities necessary to print "grandma" rather than "a grandma-like dark smear, 27 unknown people, and 90% sky".
Of course they don't know what a DLL is. Windows has been marketed as a consumer OS; it was designed to be used by people without a clue. By default you can't even see the DLLs. People shouldn't need to have IT qualifications to use a computer, it should be secure enough for them to use it. What you are suggesting (to use a car metaphor and probably get flamed for it) is that people should need to strip and reassemble an engine to get a driver's licence.
I love the way the story starts 'Anonymous Coward writes', with an email address link to the author.
I wouldn't call what they are offering trusted computing. They are not the manufacturers of the OS, so whatever they are offering is NOT trusted computing. Since it's a typical binary patch you have to trust them that this patch won't hose your system or make you pwned by these or other folks.
As a long time Linux user, I find this situation appalling. If I were stuck using a Windows box I would be pissed off by this. Look, when I want to upgrade my box, I just do an apt-get update; followed by either apt-get dist-upgrade or use synaptic. I know my sources (I select them myself), I know that the reality checks exist (gpg keys, outside sources verifying the software, etc.). I know I'm not getting hosed when I install software from my usual Debian repositories.
Do any of you Windows folks know these security folks? Do you have any reality checks that you can apply against this binary patch? What control do you think you have of your operating system?
I guess if you haven't been a Linux user for a long time you might not understand the depth of how bad your security model is when you're stuck with Windows.
--Johnny
I believe this is because _any_ image is vulnerable to infection. Because Microsoft checks the header for every image file and treats it as WMF if the header matches, all jpegs, gifs, and pngs are potential vectors for the disease. A router that has to inspect _every_ image that is surfed by users behind it will immediately turn into a bottleneck.
A couple of the other comments here seem to miss this very important point:
It's not just files with ".wmf" at the end. Any image file will get unwrapped by Microsoft code and the callback will get executed. Woof.
Sounds like an nth complexity binary loop sort of problem to me.
They want you to trust that the unofficial patch for the Windows Metafile Volunerability that is currently being exploited by an IM worm.
:|.
OK, tell me how that sentence is supposed to make sense. Come on
Arrrrrrr
So perhaps instead of using this as another opportunity to post your sig with the stupid referral link, you could explain to them how it's done.
BeauHD. Worst editor since kdawson.
*faints*
The title comes directly from the ISC's Handler's Diary post that uses it as a joke, to reflect the fact that they will ask people to trust them on this one. Quote: "I find myself in the very peculiar position of having to say something that I don't believe has ever been said here in the Handler's diary before: "Please, trust us.""
They loved it so much you posted anonymously, in your room, with the lights out, under a blanket?
If it is, I can live without it.
What is the calculation that Windows users -- esp. businesses -- make that allows them to keep on using Windows?
When I had to pick an OS, I did research and picked one that I felt was secure enough for my needs. Windows didn't make my cut.
Somehow the Windows folks keep on choosing to use Windows, even though after the WMF exploit is history, they'll just be waiting for yet another "shoe to drop".
I understand that legacy apps/data formats get you locked-in to Windows, but doesn't "remote exploit" concern you enough to make you think "must switch!"?
http://www.thebricktestament.com/the_law/when_to_
..that if we all were running "trustworthy" computers, this problem would be much, much worse than it is now. Imagine that now instead of having a patch that's already been made by someone else while we sit and wait for Microsoft to get off their asses, we now have to wait on Microsoft, who still hasn't shown up.
Instead of having *some* machines patched, we'd have none. This late after the exploit has been released, and a zero-day attack has happened, we'd see no respite.
If you try to argue that Trustworthy computers wouldn't allow this to be exploited, what if the trustworthy component itself was exploited? As the Xbox and soon the Xbox 360 have shown, the more complex the hardware, the more complicated the bugs are. Microsoft's betting that the hardware complexity can outgrow the programmer's abilities to crack it, but if there's any truth in the world, it's that if it can be engineered, it can be destroyed. So imagine if this virus was actually signed by Microsoft through the exploit. How would this look for their company? How can you save face from a disaster like that?
No, trusted computers aren't the answer, just more secure computers, with better code. And the fact of the matter is, the more eyes that are on the code, the better it is, and that's why Open Source will always succeed. No amount of cryptography will help you if there's a hole in your crypto system.
"Victory means exit strategy, and it's important for the President to explain to us what the exit strategy is." G.W.Bush
So we have to explain the joke again:
The title comes from the original note in the Handler's Diary. You see, it creates a mental tension between "Trustworthy Computing", the lack of an official patch and ISC's "Please, trust us". It makes some readers smile.
because the os you pick will have no exploits ever
did you forget to take your meds?
...because the IM side of things had a limited spread in the Netherlands. The main jump off for this thing was rotating banner ads (along with about six billion pics on Myspace by this stage of the game)..
I have read the source and compiled it before installing, of course I trust it ;-)
Think users are bad in the corporate sector? Wait until everyone gets back to the college dorms after winter break with their completely unpatched computers. And all the people who have new computers that they got over the holidays. It wouldn't matter if Microsoft had patched it last week, I guarantee that the student users who need it won't have it.
Speaking as a poor sap who has to fix these computers, I have one thing to say: "Thanks for the easy money". And a heads up to all you dorm technicians, get ready to start burning virus CDs.
OK, start->run->cmd.exe
In the console window, type 'regsvr32 /u shimgvw.dll' without the quotes and press enter. You will see a notice telling you that the DLL has been unregistered.
That's adding something to the conversation BTW. Do us a favour and quit trying to use slashdot for your own profitable gain.
They don't have to.
1. Write a 1 line .bat file that does the deed for the cluefully challenged.
2. Package and publish as a Hotfix and push to Windows Update.
3. ???
4. Profit!
"98%" of PC Users don't know how a patch works any more than they know how to disable a DLL. I'm sure they don't even know how scheduling works. Shockingly, the inner workings of a computer are as mysterious to the average user as a woman's body is to a slashdot reader. We should all just give up on them, because we don't need Joe Sixpack to drive the tech economy so we can actually afford to have computers and affordable bandwidth. Just tell them to put it back in the box, return it to BestBuy, and tell the clerk they're too fucking stupid to own a computer. The GP post suggested a method that apparently works for disabling the vulnerability. This information is useful to the slashgeeks who will end up servicing the computers of friends, family, and co-workers one way or another. A quick heads-up now on this saves a few hours later when after some porn surfing (it just popped up and it wouldn't let me close it) or email attachment (I didn't open it) you end up removing the worm and all the damage it did anyway.
Waiting for ad.doubleclick.net...
It's not just files with ".wmf" at the end. Any image file will get unwrapped by Microsoft code and the callback will get executed.
Yes. You see, when the HTTP 1.1 protocol was being developed, they made it a solid rule - you MUST NOT GUESS the content-type when it's supplied.
Anybody want to hazard a guess as to what Internet Explorer and everything that uses its rendering engine does? Yep, that's right, it ignores the standard and guesses.
That means that instead of having to check <1% of images going through your firewall/proxy (WMFs and unlabelled content), you have to check 100% of them. Heck of a job, Billy-boy!
From http://www.viruslist.com/en/weblog?discuss=176892530&return=1:
"... Going back to the wmf vulnerability itself, we see number of sites mention that shimgvw.dll is the vulnerable file. This doesn't seem correct as it's possible to exploit a system on which shimgvw.dll has been unregistered and deleted. The vulnerability seems to be in gdi32.dll... "
People shouldn't need to have IT qualifications to use a computer, it should be secure enough for them to use it.
Yeah, I wonder when we'll see such an OS though. Usually it involves tradeoffs for security at the cost of features; something big businesses often aren't very interested in. I feel all popular *nix OSes are out of the picture still, but they may be getting there, perhaps in the generation of distributions to follow Ubuntu. Ubuntu still means considerable digging on forums if you want to do something "advanced", such as connecting a special peripheral. Not at the fault of the distro or OS per se, but at the support. Still, that doesn't make it less of a problem. Is OS X perhaps closer to this vision? Or is it that just because it's less common, and not something we can merit the OS itself for being?
WTF are you trying to say:
"They want you to trust that the unofficial patch for the Windows Metafile Volunerability that is currently being exploited by an IM worm."
Possibly the worst story ever.
I think the problem is the timing: Holidays. However, I do agree that MS people should be called in to work on this serious patch. I can't wait to see the messy outcomes tomorrow (back to work, school, etc).
:(
Sure, people needs lives (e.g., vacation, time off, etc.). Just reimburse those later on (if not, then the employer isn't good). They really need to get this fixed, tested, and released ASAP. So far, MS is not doing a good job as usual.
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
Don't be deceived by the headline! To see how ugly this beast really is, take a look at Ross Anderson's excellent TC FAQ http://www.cl.cam.ac.uk/~rja14/tcpa-faq.html. It's the best investment you can make (20 minutes) to get informed on computer ethics, and now is the time to be informed.
I don't know who's more of an idiot -- the submitter or the "editor" who accepted this turd of an article summary.
Fun with Anagrams! LADS HOST, SHALT DOS. HAS DOLTS. AD SLOTHS, HATS SOLD. ASS HO, LTD.
Erg. in the post above, "pr0n" should read "pr0n^H^H^H^H" ... why the hell does /. disable strikethrough??
I know the title was meant partially as a joke. However this is exactly the kind of thing you _COULD_NOT_ do if a computer was enabled with trustworthy computing. You could never apply a patch from an "untrusted/third party" source.
Why should people be allowed to operate a dangerous machine in public without a good understanding of how it works? If your engine seizes on the interstate in front of me I COULD DIE. If people knew how an engine worked they'd have a much better understanding of when it needs critical attention. I think people SHOULD be required to know basic engine mechanics to drive a car. You are expected to know that stuff to get a pilot's license, for instance.
Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
Because Microsoft checks the header for every image file and treats it as WMF if the header matches, all jpegs, gifs, and pngs are potential vectors for the disease.
Deja vu... wasn't this the basis behind the vulnerability a couple of years back, caused by the integration of the browser into the OS?
Something like sending EXEs with text headers, so that the browser saw the text part and regarded it as safe, blindly passing it to the file handling engine (whatever it's called) which looked at the EXE extension and executed it. After all, the browser would have flagged it if it were dangerous, right? :-/
Can't find examples of evolution? No matter, neither could Dawkins
OK, start->run->cmd.exe
In the console window, type 'regsvr32 /u shimgvw.dll' without the quotes and press enter. You will see a notice telling you that the DLL has been unregistered.
One step too much, and possibly incorrect.
start->run
in the dialogbox type 'regsvr32 /u %windir%\system32\shimgvw.dll' without the quotes.
You will get a popup confirming that the dll has been deregistered.
according to Microsoft
That sounds like they must have some kind of patch out there, or are they hoping to get more users "hooked" on OneCare? Otherwise, this statement doesn't make sense:
Maybe I'm being picky, but I think all their customers have a quite urgent need, right now! Written from the sublime security of Fedora Core, thanks.
I think I know English pretty good. And my brain filters out even the worst spelling errors such that I know what they mean when they say 'Volunerability'. But I really can't make heads or tails of this 'sentence', if you can call it that. WTF does this mean?
So far so good, and isn't this what the RESTORE function of Windows is about. Better safe than sorry, IMO. Bruce
I don't understand the elevated fear that this unofficial patch may cause some problem in the future, compared to the certainty that doing nothing will, and the certainty that some official MS fixes cause problems of their own.
Yes there is a likelihood this could break something down the road, just as de-registering shimgvw.dll might cause some other problem - probably with in-house apps later on too. That's pretty much the nature of security though, isn't it?
You are mistaken. If you look at the 8086 (and 8088) design you'll see the segment registers which could be used to separate data from code memory. I believe the current x86 processors still retain these registers. Of course, using memory segments was a pain and the OS designers (probably pressured by application developers) stopped using them in preference to the flat memory model.
To say the Intel designers didn't know about HW protection is incorrect.
The assertion that packet filtering firewalls cannot block this attack is just plain wrong. For instance, Check Point, and probably other firewall manufacturers, had a block for this attack back in April of 04. Firewalls aren't just the freeware open source flavor of the month gang. Some corporations actually buy more advanced tools that have features beyond blocking a given port.
Reference: http://www.checkpoint.com/defense/advisories/public/2005/cpai-28-Dec.html
"They want you to trust that the unofficial patch for the Windows Metafile Volunerability that is currently being exploited by an IM worm."
They want us to trust that the patch does what? eat my pc?
80 CC D8 AF AE D3 AB 54 B7 2E CE 67 C7
Granted you could do it in the run dialog, but the rest works just fine. Did you bother to test it before chiming in?
but the rest works just fine. Did you bother to test it before chiming in?
Yes, and in most cases it works. That said, I doubt it works in all cases, and I am pretty sure that both Microsoft and ISC (and others) explicitly include the path for a reason...
What's evil about this one is not that someone could lure you to a rigged special website but that they can reach out and get you. For example, they can just take out a banner ad from DoubleClick and have this rigged jpeg displayed on tens of millions of computers. Or they could post it as a picture on Flickr and hope it gets into the rotation for a picture of the day. Get it into Google Images. Post it on a bulletin board that allows thumbnail jpegs. Lots of ways to get the code onto trusted web sites.
I have patched all my clients by hand; the patch requires user interaction via two or three manual mouse clicks. [It also requires a reboot, BTW.]
Has anyone automated the thing so that it can be pushed to hundreds [or thousands] of clients via something like Novell Zenworks, Microsoft SMS Server, or IBM Tivoli?
I know that e.g. Zenworks has a "diff" mechanism that will isolate a "before/after" differential, but that's a lot of work, and frankly it's a little bit of a kludge [no offense to Novell].
I wonder if anyone is going to be able to patch Win98 against this? There are still a lot of machines and this vulnerability could make them essentially useless and force an upgrade. While we would all love for them to upgrade to Linux or OS X it is more likely that they will shell out for WinXP and MS will benefit from a windfall of sales as a result of their inept programming. If someone produced a workable patch this would at least allow people to keep using their computers without pouring more money down the MS bottomless pit.
"I have the attention span of a strobe lit goldfish, please get to the point quickly!"
Which is?
THAT DOES NOT WORK.
Read the ISC posts re the DLL re-registering. Opening the WMFs in certain apps will cause them to re-register the DLL, open the file, and infect you. See the Lotus Notes updates for an example of such an app.
In some DRM scenarios, the TPM chip is also used to prove to your software that the OS has not been modified. Unless you have the skills to hack that software, your bought and paid for TPM programs may refuse to work any longer.
;)
A much tougher case would be the "rely on others" programs where you have to prove to an external instance that your system has not been hacked. Take the "death to game cheaters" implementations as an example:
Want to fix your vulnerable Windows with a non-official patch?
World Of Warcraft II won't let you play anymore
I also don't believe this is temporary. Except in the sense that TPM might be (hopefully!) a colossal failure in the market. And considering the current vulnerability, this looks like more than a slight theoretical risk to me.
C - the footgun of programming languages
I'm trying to figure out why the people who designed this architecture didn't realize that putting this level of functionality down at the OS was NOT a good idea. This shouldn't be used as a justification for "Trusted Computing," it should be used as a prime example of what happens when one vendor decides to tightly couple all manner of functionality with its OS. I realize they might not have seen this when the WMF format was implemented, but the reason for implementing it this way most likely had something to do with Microsoft's monopolistic mindset.
It seems to me that the client should be responsible for ALL failures of this nature- what would have been so difficult about simply returning a result code?
They want you to trust that the unofficial patch for the Windows Metafile Volunerability that is currently being exploited by an IM worm.
Hey, what is that supposed to mean? I suppose the above should be
They want you to trust their unofficial patch for the Windows Metafile Volunerability that is currently being exploited by an IM worm.
Since my first language is Italian (which comes from Latin, and is quite picky about sentence construction), it took me quite some time to understand; I suppose that the above was not a problem for Anglo-Saxon people, since nobody seemed to notice....
OK, since I'm certain we're not actually going to GET an answer, here it is: When no path is specified, the system32 directory is used. Ergo, it's not required to enter a path unless the file you're trying to unregister exists somewhere other than the system32 directory.
Perhaps you could enlighten us about which cases (following your statement 'in most cases it works') this fails.
This is what I love about slashdot - you'll get a thousand people attempting to add their pearls of wisdom, and very, very few who actually have any idea what it is they're talking about. Doubly so when it comes to Windows.
...to do what they do best. Which is why I use a different OS and suggest others do so as well.
What does Microsoft do best? Why, get the money out of the pockets of suckers, of course.
Suckers.
Cheers!
Everything in the Universe sucks: It's the law!
The best description I've found of the WMF format is here. Based on this information, it looks as if a filter can look at the first four bytes of a file and identify it as a WMF document with very few false positives.
Doing this with discrete files might not be too bad. Applying this check to every part of a MIME document, or to various compressed file formats, could get very painful.
There seems to be a lot of confusion in this thread regarding these two terms. It isn't that surprising, since they are both purposely misleading, but still.
// oskar
"Trustworthy computing" is Microsoft's bullshit name for their so-called initiative to start taking security seriously. It was under this banner that Bill sent all his coders to secure coding seminars so they could learn what a buffer overflow is. The article is ironic in its title: that Microsoft have failed to find such a glaring issue as a native image format that purposely allows images to execute arbitrary code, and that they have not offered a patch even now when exploits have been in the wild for almost a week, shows how trustworthy they really are.
"Trusted computing", on the other hand, is the bullshit name for a nefarious scheme involving hardware and software whereby control over PCs should be taken out of the hands of their owners, and given to the software and hardware vendors. This is sometimes claimed to be about security, but is actually motivated by DRM and DRM only (the name is short for "Trusted Client Computing" and comes from the ability of DRM vendors to trust that your computer, the client, will obey their directions).
The people pushing "trusted computing" are actually not so much Microsoft as Intel and IBM: Microsoft completely support the concept of trying to put the freely programmable computer back in the bottle, but they have had their own ideas about implementation (their version was first called "Palladium", but when they realized that it is bad to have a recognizable name for something customers actually don't want it was renamed "Next Generation Secure Computing Base" and after that it was renamed to nothing at all so it can be snuck into the coming versions of Windows without people noticing.)
The WMF file is really a list of Windows drawing functions to call, along with their parameters.
Guess what else uses this.
There are in-memory and on-disk WMF files. Some are used by apps for repainting the screen. Some are used by apps for printing; Windows printing is based on the WMF. You want error handling with printing, right?
Now, I'm not saying how to fix this unless Microsoft shares some cold hard cash with me, but there are reasonable solutions. It's just not as simple as patching out the feature.
It was, though not by MS. The Hexblog hotfix is 200 lines of code (he includes the source), including comments.
But did you (or the OP) check whether the sourcecode matches the binary patch?
Did you audit the sourcecode for security leaks which might have been maliciously inserted?
I'm still trying to figure out what people mean by 'social skills' here.
Some wikis probably don't check file content.
Wikipedia tries to block stuff like this, but I don't think it is all that reliable. They just use the UNIX file command to see if a file matches the file extension.
WMF files start with 0x01 0x00, and are unrecognized by the file command.
JPEG starts with 0xff, so that won't do. Well, there are other formats to try.
In Opera, I can toggle "show images". If I set that to show no images, can I assume that is an effective workaround? Drawbacks are, it won't help with images embedded in files, and it breaks a lot of websites (some label their buttons, others just say 'image'). I wonder if Lynx runs under XP?
F-Secure has more on it: http://www.f-secure.com/weblog/#00000761
Windows Metafiles are a file representation of drawing commands. They are more flexible than bitmaps and get used quite a lot in things like for caching images of every OLE object embedded inside a MS word or powerpoint document. There just happens to be one operation to set a callback when a printing aborts which can be saved to a WMF file, which, when followed by something to abort the rendering, lets you jump to the nominated location.
This back door is built into windows from version 3.0 onwards. Any app that displays WMF images from untrusted sources (lotus notes, maybe msword, even google desktop search) is vulnerable. This is potentially code red for the desktop.
I have the patch on all my systems, the author works for IDA, the debugger tool, and is well respected. I don't care whether IT central will push it out or not; I think they ought to before the back to work/school event causes major worm attacks using it. It will be pretty embarrassing for microsoft though - a third-party emergency fix for windows, in the same year that Vista, "Windows Secured" is due to ship.
>>And you are tested on all of these things before you are granted a driver's license.
I liken it more to riding a bike than to driving a car. Yes there are laws governing a bike on the road but they're largely ignored both by riders, drivers and law enforcement (ymmv). Likewise, there are 'rules of the road' for computer use. Likewise they are largely ignored by users, suppliers and administrators ***. Training consists mostly of learn-by-doing. Skills improvement mostly static after initial success. Maintenance often relegated to 'I turn up the headphone volume so I don't hear that noise', until something breaks. Knowledge of design detail relegated to 'that gear doesn't work right so I just skip it'.
It seems to me reasonable to have cut Microsoft some slack with '95, but as of Windows ME they should have nailed down the training and design to produce reliable and safe 'appliances' as they marketed them. Win2k is a joke perpetrated on both home users and business users alike in that installations required writing to system areas that required admin account. Even with XP Microsoft did not get it right.
Yes, there would have been monetary cost to Microsoft and 'pain' to novice users, but to not have driven a conversion to safe computing is nothing less than willful neglect of the most serious kind.
Too much elitism exists in the debate. Don't you think that Joe User would *agree* to run as user-mode if given the basic facts that it prevents most exploits (and an OS that allows Application installation of -not software, which is mostly trojan, but Applications- the software the user has decided s/he wants) and that it protects private data in their own protected home?
Do we need a licensing bureaucracy to enforce that? I don't think so. And I don't think an IT degree is needed on the part of users. User mode, out/inbound firewalling, more careful system lib programming... that would swat 90% of the issues. Possibly even achieve the computer-as-appliance goal that we all share (admitted or not).
-rsh
*** - users; when was the last time you sent an attachment to a group of people who might not know you, say an internal corporate email alias. suppliers; Windows. administrators; users allowed to run as god
I have the december beta on vmware; I need a safe version of the exploit to test it. I bet all vista does is stop the third party hotfix from working
Why not just use an ACL on it?
As a long-time Linux advocate, I must admit to a little Schadenfreude in the latest WMF exploit, however as a responsible member of the security community, I think we have to take this problem very seriously.
Whilst Microsoft may indeed publish an official patch in the next few days, they have no way to push it out to all the vulnerable systems. Savvy admins may have already applied the unofficial patch, and kudos to them.
However, the biggest problem is the great masses of unpatched systems that will never receive an official or unofficial patch. For them, I am afraid the only solution is a fix which exploits the vulnerability to patch the system automatically. If this is not done, it will exacerbate the problem of DDOS botnets and Spam relays, making life even worse for the rest of us.
Experienced security people will recall this has been done before. I suspect this may be the only way to patch enough of the vulnerable systems that won't be protected either by Microsoft's efforts or those of a competent admin. Any takers?
Paul Gillingwater
MBA, CISSP, CISM
Win31, still 16 bit, used the intel segments to manage memory. you had to alloc separate code and data segments, and use an API call, PrestoChangoSelector to flip it. The segments were only 64K and special 'huge' pointers were needed to do the proper arithmetic on a set of sequentially allocated segments.
That went away in 32 bit mode, because 32 bits was all we needed, and because 'flat' is simpler to work with. And because security in winnt was about untrusted users on trusted 'enterprise' systems, not trusted users with untrusted data.
I built my own release.
The code is only 200 lines, and is primarily patching logic with a switch in there. The biggest risk is that it patches the wrong place and doesn't provide protection, the next that it doesn't uninstall. Those are hard to test.
I'm curious. Did the option of using one of the workarounds posted in the Microsoft Security Advisory (912840) article come up?
Running "regsvr32 -u %windir%\system32\shimgvw.dll" or even removing the DLL from the system seems like a reasonable workaround while the official patch is being tested by Microsoft.
it cannot be detected by most intrusion detection systems (the snort rule will peg the CPU on your router) nor filtered by packet-inspecting firewalls (it spans two or more ethernet frames).
You *can* run 2 instances of snort in-line to get around this CPU-pegging issue.
Not really a whole lot of choice about this one.
There is always choice - have you considered a defense-in-depth multi-layered approach? I'm taking the following steps
1. unregister the ms pic and fax viewer dll
2. make WMF file extension default to an erroneous app like notepad
3. turn DEP up a notch
4. turn off downloads in IE if you must use it (set default security settings to HIGH)
5. block all WMF files at the perimeter
6. keep antivirus up to date and consider frequent manual updates and scans of key machines
These things in combo with being vigilant over the next few days should keep you and your corporate networks safe. There are even MSI versions of the patch for mass distribution.
Horns are really just a broken halo.
I'm the author of the hotfix and one could expect me to say 'yes, please go ahead and install it on your corporate network with thousands of machines'.
But I won't say that.
First of all deploying any software on a large network is a serious task. It should be carefully planned and performed with the correct (read: responsible) approach.
The hotfix must be tested on as many machines as possible. Possible negative consequences must be determined and decided upon if they are acceptable or not.
In short, more rigorous testing is required.
-------
Ilfak Guilfanov, the author of the hotfix
I've removed:
:) |scroll lock||scroll lock| (KVM)
ActiveX for streaming video
AOL ART Image Format Support
Intel Indeo codecs
Media Center
MIDI audio support
Movie Maker
Old CDPlayer and Sound Recorder
Speech Support
Windows Media Player
Windows Media Player 6.4
Client for Netware Networks
FrontPage Extensions
Internet Connection Wizard
Internet Explorer
Internet Explorer Core
IP Conferencing
MSN Explorer
Netmeeting
Outlook Express
Vector Graphics Rendering (VML)
Windows Messenger
Desktop Cleanup Wizard
Framework
Help
Out of Box Experience (OOBE)
Shell Media Handler
Tour
Web View
Zip Folders
Fax Services
Imapi
Indexing Service
System Restore
(nliteos.com)
AND I AM STILL VULNERABLE!???
Perhaps I should switch to linux
The AC is correct, Internet Explorer will look at up to 256 bytes of each data stream returned (images, html, etc) and attempt to "guess" the MIME type.
An interesting fix for this problem- Rather than having your hardware router/firewall sniff all the packets, you could write a pluggable MIME filter registered to ALL image types on your PC (Google it for more info- I've done a lot of research on MIME filters and Asynchronous Pluggable Protocols for IE, but I'm too lazy to dig it all up right now). If the MIME filter examines the returned image data stream and sees evidence of the WMF exploit, trash the stream and substitute your own image (maybe a jpeg of a skull and crossbones). If registered as a permanent MIME filter it would have the benefit of blocking the exploit in anything that uses IE as a rendering engine- which includes many e-mail applications (Outlook!), and some IM apps.
I looked at doing this myself, but dropped it assuming MS would have created a fix by now. Maybe I should start working on it again....
Urge to post... fading... fading... RISING!... fading... fading... gone.
I was wondering how many people are out there who have their compilers set up and ready to compile it, seems there are quite a few.
I'm still trying to figure out what people mean by 'social skills' here.
TFReadMe text on the patch states that it is suitable for 2000/XP/2003, but it says nothing about Windows 98 or prior. The vulnerability affects prior versions of Windows, including those outside of active product support by Microsoft. Has anyone tested the patch on Windows 98 or 95 for NT4? If so, what have been your results? I maintain a rather large number of legacy systems here (for regular people, not for a company) still running 98SE, and I'd like to be able to protect them without forcing them to switch to 2000 (XP has a heck of a time on a P233 with 64MB, which is often the best these people can afford). Even the workaround doesn't seem to work right in 98.....is there even a regsvr32 command in that?
Stasis is death. Embrace change.
...several thousand times already: Thanks for the patch!
In an interview with an anonymous MiroScoft employee, it has been reported that MS has found a working fix!
"We've all turned off our computers, and are sitting on our hands. This has effectively blocked all intrusion attempts."
When asked when the fix would be distributed, he replied:
"Once the threat has passed, it will be safe for us to turn our computers back on and email everyone with instructions for turning their computers off and sitting on their hands. Until that time comes, we're asking everyone to be patient."
The checkpoint page you point to just lists this as a vulnerability and gives a password protected link to "FULL ADVISORY and SOLUTION" (caps theirs). Since I don't have a checkpoint login, I have no clue as to what they are saying. I therefore have no reason whatever to believe that they have anything to offer.
Read it carefully - "you are protected from KNOWN MALWARE" that uses the vulnerability. Ie: standard AV response. They haven't fixed the flaw, but they are rolling out signatures to protect against known malware as and when it pops up.
I do not want a patch that is untested, and could cause even more hell. You really think they could have created a patch, and tested it well to be deployed on 200+ million machines connected to Windows update, and not have any bad effects on other apps? /NoExecute=OptOut to the options, and kick in a restart. At least that is a better thing to do than trust a random untested patch.
If you look at the patches released by others, they also say it might break applications, and you might have problems with it etc. I do not think MS has that option while creating a patch.
Microsoft accepted there was a flaw, posted information about it, told you about workarounds. If you want to be protected just turn on DEP on all applications. Want to do it on multiple machines, use scripts to edit boot.ini and add
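The boot.ini step the post above describes, as an added example that is not code from the thread or from Microsoft: it reads a Windows XP SP2 / Server 2003 boot.ini, reports the current /NoExecute mode of each entry under [operating systems], and rewrites every entry to /NoExecute=OptOut (DEP on for all programs except an exclusion list). The boot.ini text and the function names are constructed for this example.

```python
"""
Added example (not from the thread): inspect and set the DEP (/NoExecute)
switch on every entry in the [operating systems] section of a boot.ini.
SAMPLE_BOOT_INI is constructed for this example.
"""
import re

NOEXEC_RE = re.compile(r"/NoExecute=\w+", re.IGNORECASE)
VALID_MODES = ("AlwaysOn", "AlwaysOff", "OptIn", "OptOut")


def dep_modes(boot_ini):
    """Return {entry_path: mode-or-None} for each [operating systems] entry."""
    modes, in_os = {}, False
    for line in boot_ini.splitlines():
        s = line.strip()
        if s.startswith("["):
            in_os = s.lower() == "[operating systems]"   # only this section holds OS entries
            continue
        if in_os and "=" in s:
            path, opts = s.split("=", 1)
            m = NOEXEC_RE.search(opts)
            modes[path.strip()] = m.group(0).split("=", 1)[1] if m else None
    return modes


def set_dep_mode(boot_ini, mode="OptOut"):
    """Return boot.ini text with /NoExecute=<mode> on every OS entry.

    An existing /NoExecute=... switch is replaced, otherwise the switch is
    appended, so running this twice gives the same result (idempotent).
    """
    if mode not in VALID_MODES:
        raise ValueError("unknown DEP mode %r" % mode)
    out, in_os = [], False
    for line in boot_ini.splitlines():
        s = line.strip()
        if s.startswith("["):
            in_os = s.lower() == "[operating systems]"
        elif in_os and "=" in s:
            if NOEXEC_RE.search(line):
                line = NOEXEC_RE.sub("/NoExecute=" + mode, line)
            else:
                line = line.rstrip() + " /NoExecute=" + mode
        out.append(line)
    return "\n".join(out) + "\n"


# Constructed sample: one entry already in OptIn mode, one with no switch at all.
SAMPLE_BOOT_INI = """[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\\WINDOWS="Microsoft Windows Server 2003" /fastdetect
"""

if __name__ == "__main__":
    print("before:", dep_modes(SAMPLE_BOOT_INI))
    fixed = set_dep_mode(SAMPLE_BOOT_INI)
    print("after: ", dep_modes(fixed))
    print(fixed)
```

The switch is only honoured by Windows XP SP2 and Server 2003 SP1 or later on a processor with hardware NX support; on older releases it is ignored, so the same script can be run across a mixed fleet without harm. boot.ini is normally read-only and hidden, so a deployment script has to clear those attributes before writing the result back.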
.....I think people SHOULD be required to know basic engine mechanics to drive a car. .....
/. geeks would still be paying many times the price of the mass produced hardware we enjoy today.
/. look down their noses on the clueless, unwashed mass of computer users out there because even basic knowledge about the workings of computers is absent. The fact is that OSX is much safer, easier to network and a lot nicer to look at than malware infested Windows. Such a user could install OSX 10.4 on a two year old Mac without a hitch and be connected to the net without help from an "expert". Doing that with a Windows box does require such an expert. Finding and installing a driver for the video was a hassle also. I hope that with VISTA, MS will finally come up with an OS that is at least as good and secure as OSX is today.
People learning how to drive a car USED to have to know more about the inner workings and people who use early computer USED to need to know about the arcane aspects of computers. Nowadays, both cars and computers are commodity technologies, the inner workings of which have become too complex for most users to have to or want to understand. That aside from the cost issue, this is why small airplanes are not as numerous as they could be. People will use a technology if some aspect makes it easier to do something than it was before. E-mail is simpler, faster and more convenient than post office mail. If it were not, then it would not be used. If, in order to get on the Information Highway, an expensive course and a stiff exam were required, the disadvantages of that would keep most using the post office or phone. All
It seems that most reader here on
All theory is gray
Users of PivX PreEmpt have been protected from all vectors of WMF exploits (and others) since December 7th. You can buy a 3-pack for $60 at pivx.com
The reason for this is that there is an http module in snort which only captures the first 300 bytes of the request for (what I assume to be) speed reasons.
In order to detect this exploit, you have to disable this module. Not too bad unless your IDS is watching thousands upon thousands of requests in which case in order to check the full requests, it can easily take a lot of CPU power.
Last I heard the recommended action was to run one instance of snort with all our normal rules and this module enabled, and one with only the wmf rule and the module disabled.
ND
This statement is forty-five characters long.
I unregistered and renamed the shimgvw DLL and turned Windoze Restore off, so it can't be re-registered. However, the real culprit gdi32 DLL is too important to be deregistered and some applications call that one directly.
Oh well, what the hell...
An ACL to block all WMF files? That is a start, but a WMF file need not use a .wmf extension. It is identified the UNIX way, with a magic number, so it could just as well be called .jpg or .wtf...
Oh well, what the hell...
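The two points made above, that a WMF is a list of drawing records in which an ESCAPE record can nominate an abort-procedure, and that a WMF is identified by its header and not by its extension, as an added example. This is not code from the thread, from the hotfix author or from Microsoft: it is a small inspector that recognises WMF data by its placeable or standard header, walks the record list, and reports any ESCAPE record whose escape code is SETABORTPROC, so a perimeter or mail filter can flag such files whatever they are named. The sample files are constructed inside the script from harmless records and are not exploit files; the record numbers and header layout are those of the public WMF format, and the function names are this example's own.

```python
"""
Added example (not from the thread): inspect WMF data by header and records,
independent of file extension, and flag ESCAPE/SETABORTPROC records.
The sample data built by build_sample() is constructed for this example.
"""
import struct

PLACEABLE_MAGIC = 0x9AC6CDD7   # key of the 22-byte Aldus placeable header
META_SETBKCOLOR = 0x0201       # harmless record used as filler in the samples
META_ESCAPE = 0x0626           # record function number for GDI escapes
META_EOF = 0x0000              # end-of-file record
SETABORTPROC = 9               # GDI escape code for SetAbortProc


def parse_wmf(data):
    """Return (is_wmf, records, findings).

    records  : list of (function_number, parameter_bytes)
    findings : strings describing records a defender would want flagged
    """
    off = 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        off = 22                                   # skip the placeable header
    if len(data) < off + 18:
        return False, [], []
    # Standard header: Type (1 memory, 2 disk), HeaderSize (9 words), Version,
    # Size (words), NumberOfObjects, MaxRecord (words), NumberOfMembers
    ftype, hsize, version, _size, _nobj, _maxrec, _nmemb = struct.unpack_from("<HHHIHIH", data, off)
    if ftype not in (1, 2) or hsize != 9 or version not in (0x0100, 0x0300):
        return False, [], []
    off += 18
    records, findings = [], []
    while off + 6 <= len(data):
        rec_words, func = struct.unpack_from("<IH", data, off)   # size in 16-bit words, function
        if rec_words < 3 or off + rec_words * 2 > len(data):
            findings.append("malformed record size at offset %d" % off)
            break
        params = data[off + 6: off + rec_words * 2]
        records.append((func, params))
        if func == META_ESCAPE and len(params) >= 2:
            # escape record parameters: EscapeFunction, ByteCount, escape data
            if struct.unpack_from("<H", params, 0)[0] == SETABORTPROC:
                findings.append("ESCAPE/SETABORTPROC record at offset %d" % off)
        if func == META_EOF:
            break
        off += rec_words * 2
    return True, records, findings


def _record(func, params=b""):
    """Encode one record: size in words (header included), function, params."""
    if len(params) % 2:
        params += b"\0"
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def build_sample(with_abortproc=False, placeable=False):
    """Constructed sample WMF for this example (not a file from the wild)."""
    body = _record(META_SETBKCOLOR, struct.pack("<I", 0x00FFFFFF))
    if with_abortproc:
        body += _record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 0))
    body += _record(META_EOF)
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, 5, 0)
    data = header + body
    if placeable:
        # Key, HWmf, BoundingBox (left, top, right, bottom), Inch, Reserved, Checksum
        data = struct.pack("<IHhhhhHIH", PLACEABLE_MAGIC, 0, 0, 0, 100, 100, 96, 0, 0) + data
    return data


if __name__ == "__main__":
    for name, blob in (("clean", build_sample()), ("abortproc", build_sample(True, True))):
        ok, recs, found = parse_wmf(blob)
        print(name, "wmf=%s records=%d" % (ok, len(recs)), found)
```

Because the check starts from the bytes rather than the name, a JPEG-named file that is really a metafile is caught, and a real JPEG (which starts with 0xFF 0xD8, as noted further up the thread) is rejected at the header test. The same function can sit behind the kind of MIME filter another commenter proposes for IE, since that filter sees the returned bytes, not the extension.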
I will grant that this will stop "many" types of cheats. It will still be useless because the cheaters will adopt the remainder. proxy aimbots and the like.
You seem to be ignoring - willfully or not - that the fundamental model of trusting MS is broken. Making that model more severe by forcing trust compounds the brokenness. It Has Been Shown that MS will be late with patches. It Has Been Shown that they are not proficient at security and will remain so until the market penalties are severe. What is the point of requiring official binaries when the binaries are going to be broken for weeks at a time? The net WILL be flooded with spam by those who RELIED on the official binaries. You have it so amazingly backward I wonder if you previewed the post.
MS blew it. They have added to their terrible reputation and I'm just not interested anymore.
There's also an outlook to your position I find frankly weird: that there is an official source of goodness. The "right" and correct version of the dll to run at this time is clearly the unofficial patch. The right version of a file to run in the future is going to be the one that reduces your chances of being 0wn3d, not the one with the pedigree. This is "duh" territory.
Microsoft says Windows 98 is vulnerable. They say nothing about older releases, which are unsupported now.
The WMF feature was part of Windows 3.0 back in 1990. What do you think?
Fortunately for such users, a 720 kB floppy or Netware network is probably required for infection. Modern exploits are going to rely on modern OS features too. Windows 3.0 isn't about to run a Windows XP rootkit that probably expects TCP/IP and the existence of an Administrator account.
This is probably the biggest vulnerability ever in terms of the sheer number of vulnerable machines.
If you read back, I stated that I assume MS and ISC explicitly included the path. This made me doubt that it always defaults to the system32 directory. If there is a guarantee that it always defaults to that then there is no problem obviously, but that I don't know.
Trusted computing, Trustworthy computing, yada yada, back to the headline here, Unless you can recall the last three times the Internet Storm Center explicitly asked for your trust and then abused it?! you might want to grab this temporary patch and thank Ilfak Guilfanov for writing it and SANS for vetting and distributing quickly and efficiently. "We have very carefully scrutinized this patch. It does only what is advertised, it is reversible, and, in our opinion, it is both safe and effective." ...yeah, we've ALL heard that from the ISC a lot, NOT.
I'm calling bullshit. You can't have set up your windows systems securely and still be able to use them. It's one of those easy proofs. If the user can load a .wmf, the user's computer is not secure. If you haven't spent the holiday working on it, it's because you've made the decision not to care.
No, an ACL to block usage of that DLL.
Removing the DLL works poorly, because Windows will helpfully restore it for you.
Unregistering the DLL works poorly, because Lotus Notes and other programs will reregister it for you.
Setting an ACL on the DLL to mark it "everybody - no access" should work great.
This could be a struggling real estate business. The poster could be a realtor. If a real IT professional is hired, the place goes bankrupt.
Got it now?
Alternately, this could be: the vet's office, a small independent hotel, an eye doctor's office, a mom-and-pop restaurant, a car dealer, a large hair salon, a childcare center, a christmas tree farm...
Whatever it is, hiring somebody extra might break the budget.
Except SYSTEM may bypass Everyone-Deny ...
10b||~10b -- aah, what a question!
wehntrust is free for home use: http://wehntrust.com/ (be sure to read the faq under "support")
Also demonstrated at blackhat: Ozone HIPS: Unbreakable Windows
Here's the faq: http://www.securityarchitects.com/faqs.html
If you want to see to believe, grab some archived malware at http://www.offensivecomputing.net/ (free login to use the archives), make some windows VMs and take snapshots/archive them, attack them with the threat du jour with and without a hips installed. Note results.
Enjoy.
The question then becomes: will Windows auto-restore notice the permissions?
(or do you suggest people are logging in as a SYSTEM account?)
"Little does he know, but there is no 'I' in 'Idiot'!"
Actually, I'm concerned that services (like MS Fax, an AV product, a filesystem indexer) running as SYSTEM may reregister the DLL, and then either the same service or another use it. Once the DLL is registered and loaded, I don't think the Filesystem ACL will do any good. Too bad there are no "in-memory" execution ACLs!
Out of curiosity, as I can't tell from the Linux box I type this at: does Everyone-Deny block "Administrator" ?
10b||~10b -- aah, what a question!
Lucky, then, you can 'format' the 'C drive' in under a second.
Any grammatical or spelling errors above are for comic effect, and do not signify imperfection in the writer.
Sure, Everyone-Deny blocks the Administrator.
An in-memory ACL shouldn't be needed. The filesystem one should be checked whenever an app, uh, connects to the DLL. If this were not true then users could view each other's DLLs.
http://www.lafkon.net/tc/trusted-computing.torrent
"Persistence is annoying success." - ghee22 11:28:1999 - 10:53:PM
Someone releases a wmf exploit which is designed to install the hexblog wmf fix? It seems logical enough.
turn off downloads in IE if you must use it (set default security settings to HIGH)
I tried this using the straightforward, widely recommended procedure, but when I try it again it is still on MEDIUM, even after reboot. This is a year-old XP laptop.
I've done a bit of searching but can't find any mention of this problem.
I suppose I should just tell my wife not to use her machine until further notice.
Last night I spent four hours trying to clean a friend's computer after he had opened an e-mail carelessly. One hour was for bitching at him and making him feel very sorry.
:)
The last three hours were spent trying to fix the problem, using free antivirus scanners, online free antivirus checks, free spyware removal, patches and fixes given away for free on the internet.
See a pattern here? No commercial antivirus was able to detect the problem. I had to install (and then remove, anyway) software that was built and given away for free to fix it.
Windows XP was "genuine", but this won't help solve the problem. I'm still asking myself why pay for an operating system with such problems, but more than that why should we give money to a corporation that is bashing GNU/Linux and free software as a cancer and still depends on it to fix its own troubles.
Oh, yes, I suggested a Mac to him. At least he will pay for something more usable. Otherwise, he'd have to pay me to install and set up a linux box. Unfortunately, there's no free lunch any more
-- There are two kind of sysadmins: Paranoids and Losers. (adapted from D. Bach)
Hmm. But how much of the time are you actually using IE? I think if you happened to see a site saying 'viewed best with IE,' and it was not trusted, with the current situation, you would not do so. Or at least do it in a separate user account.
Any grammatical or spelling errors above are for comic effect, and do not signify imperfection in the writer.
I'm more worried about a service reregistering the DLL on startup, then other services or user-space apps using the (now vulnerable) service.
10b||~10b -- aah, what a question!
which was hooked up to a 300 baud BellNorthern modem (that puppy CO$T big time but the university could afford it.)
It wasn't being used as much more than a glass teletype and emails were the only distribution method (this was way before the web) but it was still possible to trash someone's computer with a virus.
Microsoft definitely does not get a pass on this.
The problems and the solutions existed before Microsoft ever ripped off Dartmouth for their BASIC interpreter.
Microsoft has always been just bad. Bad for everything. Bad for every body.
Wake up!
Bill Gates took $100,000,000,000 out of YOUR pockets with illegal, anti-trust double dealing. Flat out theft of YOUR money.
And you're wondering why you're stuck with crap? God! How naive.
MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.
Basically, it exposed the entire system (because it had no idea of root and user accounts) to any two part malware.
One part delivered the .exe from somewhere somehow (any method could do since the 'payload' would be made to lie dormant) and the other part could be something which could pass undetected through the filters since it was purposefully flawed but not malformed.
Making ActiveX components from VB ensured that the payload would run correctly when activated. It might be self destructive or it might be spyware. Either way, you're screwed.
MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.
On Tuesday, December 27, 2005, Microsoft became aware of public reports of malicious attacks on some customers involving a previously unknown security vulnerability in the Windows Meta File (WMF) code area in the Windows platform. http://www.microsoft.com/technet/security/advisor
all Microsoft's security updates must pass a series of quality tests, including testing by third parties, to assure customers that they can be deployed effectively in all languages and for all versions of the Windows platform with minimum down time
Microsoft encourages users to exercise caution when they open e-mail and links in e-mail from untrusted sources.
An attacker who successfully exploited this vulnerability could only gain the same user rights as the local user
Advisory Status: Issue Confirmed, Security Update Planned
If common sense were common everyone would have it.
There is no version of MS anything that will read the disk upon insertion. You have to click the drive in modern windows versions, or poll the drive with 'dir' or some other function in older versions. Mac on the other hand reads the disk immediately (usually to check for the file system type) which does represent a bigger hole with floppies than with windows based machines.
You are completely mistaken, unless you are defining "disk" as "only floppy disks, specifically excluding CD, DVD, removable USB media, Zip drives, LS-120, etc." Why you would do that baffles me, since floppy disks are as dead as Betamax these days.
Mac OS 9 and X DO mount all drives when they are connected or when a removable disk is inserted. MOUNT.
Mac OS 9 and X DO NOT execute anything from any disk upon insertion, EVER. They mount the disk.
Windows 95 and up have a "feature," on by default unless you edit the registry or use TweakUI or a similar utility, or hunt through various obscure Windows dialogs, which upon connecting of hard drives, or insertion of removable discs besides floppies:
A: Mount the filesystem.
B: Check for the existence of autorun.inf in the drive root;
C: Assign any icon given in autorun.inf to the drive in Explorer;
D: Execute any programs, from the disc or elsewhere, requested by autorun.inf.
Google for "autorun.inf" if you want more details on how to use this.
This is probably what the behavior the grandparent was referring to.
Floppies are probably only excluded from autorun.inf because the cheap bargain-basement 3.5" floppy drives in all Windows PCs since the beginning of time are incapable of notifying the OS when a disk has been inserted. The OS would have to poll constantly to automatically mount the disk. These drives also do not have a motor to eject the disc when the OS is finished with it. Contrast this with the floppy drives in every floppy-bearing Mac since the beginning--they had both software eject AND OS notification of disk insertion.
A less likely explanation for why MS didn't enable this behavior for floppies might have (surprisingly) been security--in 1995, a CD was something you bought from a large company, which wouldn't let a virus get onto it, while a floppy was what you constantly used to transport all your data. A smart virus, any fool can see, would have exploited the autorun.inf to infect any floppies you used, and the first time the drive was accessed they would execute. Obviously now things are different, but it is still much harder for a virus to infect Write-once media, especially since most burned CDs are burned by a user's choice of burning software. USB keys, however, would be a good attack vector, especially for a deliberate malware-spreader. I use autorun.inf on my USB key to apply a custom icon (a photo of my USB key). Makes for easy recognition in "My Computer" when on someone else's machine with 5 other drives on it.
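The autorun steps B to D listed above, as an added example that is not code from the thread: an inspector that parses autorun.inf text and reports which icon Explorer would assign and which programs it would launch, without running anything, so an admin can see what a removable disk would do before it is mounted on a Windows box. The autorun.inf content and the function names are constructed for this example.

```python
"""
Added example (not from the thread): read autorun.inf text and report the
icon and launch commands Explorer's autorun step would act on.
SAMPLE_AUTORUN is constructed for this example.
"""
import re

SECTION_RE = re.compile(r"^\[(.+)\]$")


def parse_autorun(text):
    """Parse INI-style autorun.inf into {section: [(key, value), ...]}.

    Section and key names are lower-cased; duplicate keys are kept in order
    so nothing a later line overrides is silently lost.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):          # blank line or comment
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, [])
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current].append((key.strip().lower(), value.strip()))
    return sections


def autorun_actions(text):
    """Return (launch_commands, icon) for the [autorun] section.

    launch_commands lists (key, command) for open=, shellexecute= and
    shell\\<verb>\\command= entries, i.e. every key that names a program.
    """
    launches, icon = [], None
    for key, value in parse_autorun(text).get("autorun", []):
        if key in ("open", "shellexecute") or (key.startswith("shell\\") and key.endswith("\\command")):
            launches.append((key, value))
        elif key == "icon":
            icon = value
    return launches, icon


# Constructed sample: sets an icon (the benign use the post mentions) and also
# names two programs to run.
SAMPLE_AUTORUN = """[autorun]
; constructed sample for this example
icon=mykey.ico
open=setup.exe /quiet
shell\\install\\command=tools\\install.cmd
"""

if __name__ == "__main__":
    launches, icon = autorun_actions(SAMPLE_AUTORUN)
    print("icon:", icon)
    for key, cmd in launches:
        print("would launch via %s: %s" % (key, cmd))
```

A file that only sets icon= is the harmless case described in the post; any open=, shellexecute= or shell\\...\\command= entry is what the autorun "feature" would execute, and is the thing to look for when deciding whether a disk or USB key is safe to insert on a machine that still has autorun enabled.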