Slashdot Mirror
Trustworthy Computing
Anonymous Coward writes "This is a first: the Internet Storm Center is recommending trustworthy computing. They want you to trust that the unofficial patch for the Windows Metafile Volunerability that is currently being exploited by an IM worm. No patch from Microsoft at this time, and the exploit is arranged in such a manner that it cannot be detected by most intrusion detection systems (the snort rule will peg the CPU on your router) nor filtered by packet-inspecting firewalls (it spans two or more ethernet frames). Not really a whole lot of choice about this one."
As it says in the article, some people in the corporate world won't do it if the patch didn't come from MS. It's sad, really. If I had an exploitable machine around, I would trust their patch.
Plant a tree in a developing country.
What is the over/under for Microsoft getting a patch out for this?
If there is a time to deviate from their monthly patch cycle, this is it. The patch should have been out days ago, yet we are still waiting.
And Microsoft wonders why no one takes their security promises seriously.
It'd be nice to have a computer that I can use the patch on.. Maybe I can Wine it?
Any grammatical or spelling errors above are for comic effect, and do not signify imperfection in the writer.
Sometimes, I really start to think that security is so poor in commercial operating systems, because they want to use protection from all these exploits as the bait to get us into the "trusted computing" cage.
Trusted computing is a farce, because the one thing that *isn't* trusted, is the user.
The theory of relativity doesn't work right in Arkansas.
Yeah because 98% of PC users know how to disable the offending DLL. Heck, 98% of PC users don't even know what a DLL is.
I imagine that I could push out the deregistering fix, and associating WMF with Notepad, but that seems a little extreme because our attack vector has become limited, and our anti-virus is now updated with the newest signatures that detect this exploit.
FTA:
You cannot wait for the official MS patch, you cannot block this one at the border, and you cannot leave your systems unprotected.
This has always been the case with Windows, if I'm not mistaken.
How many late nights, allnighters, and missed holidays have you experienced, thanks to things like ILOVEYOU and Slammer? How many times have you had to clean up the mess created by Microsoft's shitty, unsecure software?
Clearly Microsoft wasn't interested in calling people in over the holidays to whip up a patch for this critical vulnerability-- something that you could go in a couple hours early tomorrow and roll out to the PCs in your organization. They're going to let you suffer. And why should they care? They've already got the money of the company you work for. People are going to return from their holiday vacations tomorrow, load the wrong web page in IE, and get pwned. And you'll be left to clean up the mess. Again. Better pack an extra sandwich with your lunch tomorrow, because you probably won't be getting out at 5.
Windows have produced a datatype that allows people to place executable code into image files? How can they call themselves programmers. Seriously whoever engineered the WMF format should be ashamed.
99 bottles of beer in 175 characte
Today was supposed to be my fifth vacation day this christmas.
I've had two; and decided to come in to the office today to make sure we were patched up against the exploit.
Yes, I took the plunge.
The patch is now deployed in our small office (30 windows PCs atm); and so far so good.
Would I have felt safer if the sourcecode was released? Perhaps.
That said, I'd rather take the ISC's word on the fix than have a guaranteed hell within a couple of days.
The dedication of the people involved with ISC, as well as that of Mr. Guilfanov brightened my start of the new year.
Kudos, people.
Saturday's word was "transferbangle." Today's word is "volunerability." I wonder what tomorrow's word will be!
or Is the original healline post for this thread written in gibberish enhanced by misappropriation of terms and conflation of concepts? How is trusting the unofficial patch conceptually related to "trustworthy computing" and why should packet spanning make it invulenrable to filtering?
Some drink at the fountain of knowledge. Others just gargle.
Reading the article, the ISC (and a few others) say that you *should* disable the DLL. There are two ways, with caveats, listed:
*Unregister the DLL : some apps may actually reregister the DLL.
*Rename/Delete: make sure XP File Protection is off, otherwise it will be replaced. Also, some apps may behave badly.
So, disabling the DLL is a *good* idea -- but may not be a complete solution by itself.
10b||~10b -- aah, what a question!
No flamebait intended, but that's a typical sensationalist misleading Slashdot headline. Noone's advocating "trusted computing" or similar initiatives here; all they do is saying "here's an unofficial fix, and we'd like to recommend even though it *is* unofficial, considering the seriousness of the vulnerability and also considering it was written by a reputable windows expert, namely Ilfak Guilfanov (author of IDA Pro)".
And for that matter, there's no mention of "the Snort rules will hog your router's CPU", either - that's total rubbish, probably made up by the article submitter. And it slipped, too, since the Slashdot "editors" never care to actually edit stories before they publish them.
Shame on you, Hemos!
quidquid latine dictum sit altum videtur.
Of course they don't know what a DLL is. Windows has been marketed as a consumer OS, it was designed to be used by people without a clue. By default you can't even see the DLLs. People shouldn't need to have IT qualifications to use a computer, it should be secure enough for them to use it. What you are suggesting (to use a car metaphor and probably get flamed for it) is that people should need to strip and reassemble an engine to get a drivers liscence.
99 bottles of beer in 175 characte
I love the way the story starts 'Anonymous Coward writes', with an email address link to the author.
I wouldn't call what they are offering as trusted computing. They are not
the manufacturers of the OS, so whatever they are offering is NOT trusted computing.
Since it's a typical binary patch you have to trust them that this
patch won't hose your system or make you pwned by these or other folks.
As a long time Linux user, I find this situation appalling. If I were stuck
using a Windows box I would be pissed off by this. Look, when I want to upgrade
my box, I just do a apt-get update; followed by either apt-get dist-upgrade
or use synaptic. I know my sources (I select them myself), I know that the reality
checks exist (gpg keys, outside sources verifying the software, etc.). I know
I'm not getting hosed when I install software from my usual Debian repositories.
Do any of you windows folks know these security folks? Do you have any
reality checks that you can apply against this binary patch? What control do
you think you have of your operating system?
I guess if you haven't been a Linux user for a long time you might not understand
the depth of how bad your security model is when you're stuck with windows.
--Johnny
I believe this is because _any_ image is vulnerable to infection. Because Microsoft checks the header for every image file and treats it as WMF if the header matches, all jpegs, gifs, and pngs are potential vectors for the disease. A router that has to inspect _every_ image that is surfed by users behind it will immediately turn into a bottleneck.
A couple of the other comments here seem to miss this very important point:
It's not just files with ".wmf" at the end. Any image file will get unwrapped by Microsoft code and the callback will get executed. Woof.
They want you to trust that the unofficial patch for the Windows Metafile Volunerability that is currently being exploited by an IM worm.
:|.
OK, tell me how that sentence is supposed to make sense. Come on
Arrrrrrr
..that if we all were running "trustworthy" computers, this problem would be much, much worse than it is now. Imagine that now instead of having a patch that's already been made by someone else while we sit and wait for Microsoft to get off their asses, we now have to wait on Microsoft, who still hasn't shown up.
Instead of having *some* machines patched, we'd have none. This late after the exploit has been released, and a zero-day attack has happened, we'd see no respite.
If you try to argue that Trustworthy computers wouldn't allow this to be exploited, what if the trustworthy compontent itself was exploited? As the Xbox and soon the Xbox 360 have shown, the more complex the hardware, the more complicated the bugs are. Microsoft's betting that the hardware complexity can outgrow the programmer's abilities to crack it, but if there's any truth in the world, it's that if it can be engineered, it can be destroyed. So imagine if this virus was actually signed by Microsoft through the exploit. How would this look for their company? How can you save face from a disaster like that?
No, trusted computers aren't the answer, just more secure computers, with better code. And the fact of the matter is, the more eyes that are on the code, the better it is, and that's why Open Source will always succeed. No amount of cryptography will help you if there's a hole in your crypto system.
"Victory means exit strategy, and it's important for the President to explain to us what the exit strategy is." G.W.Bush
So we have to explain the joke again:
The title comes from the original note in the Handler's Diary. You see, it creates a mental tension between "Trustworth Computing", the lack of an official patch and ISC's "Please, trust us". It makes some readers smile.
Think users are bad in the corporate sector? Wait until everyone gets back to the college dorms after winter break with their completely unpatched computers. And all the people who have new computers that they got over the holidays. It wouldn't matter if Microsoft had patched it last week, I guarantee that the student users who need it won't have it.
Speaking as a poor sap who has to fix these computers, I have one thing to say: "Thanks for the easy money". And a heads up to all you dorm technicians, get ready to start burning virus CDs.
They don't have to.
.bat file that does the deed for the cluefully challenged.
1. Write a 1 line
2. Package and publish as a Hotfix and push to Windows Update.
3. ???
4. Profit!
"98%" of PC Users don't know how a patch works any more than they know how to disable a DLL. I'm sure they don't even know how scheduling works. Shockingly, the inner workings of a computer are as mysterious to the average user as a woman's body is to a slashdot reader. We should all just give up on them, because we don't need Joe Sixpack to drive the tech economy so we can actually afford to have computers and affordable bandwidth. Just tell them to put it back in the box, return it to BestBuy, and tell the clerk they're too fucking stupid to own a computer. The GP post suggested a method that apparently works for disabling the vulnerability. This information is useful to the slashgeeks who will end up servicing the computers of friends, family, and co-workers one way or another. A quick heads-up now on this saves a few hours later when after some porn surfing (it just popped up and it wouldn't let me close it) or email attachment (I didn't open it) you end up removing the worm and all the damage it did anyway.
Waiting for ad.doubleclick.net...
It's not just files with ".wmf" at the end. Any image file will get unwrapped by Microsoft code and the callback will get executed.
Yes. You see, when the HTTP 1.1 protocol was being developed, they made it a solid rule - you MUST NOT GUESS the content-type when it's supplied.
Anybody want to hazard a guess as to what Internet Explorer and everything that uses its rendering engine does? Yep, that's right, it ignores the standard and guesses.
That means that instead of having to check <1% of images going through your firewall/proxy (WMFs and unlabelled content), you have to check 100% of them. Heck of a job, Billy-boy!
From http://www.viruslist.com/en/weblog?discuss=1768925 30&return=1:
"... Going back to the wmf vulnerability itself, we see number of sites mention that shimgvw.dll is the vulnerable file. This doesn't seem correct as it's possible to exploit a system on which shimgvw.dll has been unregistered and deleted. The vulnerability seems to be in gdi32.dll... "
I don't know who's more of an idiot -- the submitter or the "editor" who accepted this turd of an article summary.
Fun with Anagarams! LADS HOST, SHALT DOS. HAS DOLTS. AD SLOTHS, HATS SOLD. ASS HO, LTD.
Sure, people needs lives (e.g., vacation, time off, etc.).
And so do those who work as network administrator etc..
I can tell you that many a company that takes internal security seriously has had people working on this over the last weekend to make sure they are as safe as can be when everyone starts working today.
MS could have had a few employees working on this during the hollidays, get it properly fixed, and have an update installed with windows update.. as it is, they got a few thousand people working on implementing workarounds and unofficial fixes instead. Lots of extra work that has to be undone when the official fix is there.
Don't open e-mail from senders you don't recognize.
What would this accompolish? Since around 1999 or 2000, the vast majority of viruses and trojans have grabbed all the email addresses in someone inbox, address book, etc. and sent themselves out using a random return address from this list. There is a good bet that any virus/trojan you get will have a known return address in it, however it is just as good a bet that it will not be the address of the person infected.
Geeze, here it is 2006 and people still think that the return address in unsigned email means ANYTHING.
And if you are in a coporate setting and the Network Admin hasn't blocked IM, you've already got bigger problems to worry about.
It really seems sad that the norm is to block reasonable communication tools (I use IM almost exclusively for work related communication) simply because corporate America is infatuated with Microsoft despite the massive security headaches they cause.
Off topic, I'm really getting annoyed with Microsoft admins where I work constantly complaining about IE problems. I'm starting to ask these people how many times they had to put their hand on a hot stove when they were children before they decided it was a bad idea. Is pattern recognition a skill that we as a society just no longer have?
Finkployd
according to Microsoft
That sounds like they must have some kind of patch out there, or are they hoping to get more users "hooked" on OneCare ?Otherwise, this statement doesn't make sense :
Maybe I'm being picky, but I think all their customers have a quite urgent need, right now !Written from the sublime security of Fedora Core, thanks.
How?
The patch came as an EXE (InnoSetup), and to get at the source you need to install it... At which point an executable has already been run, *and* a DLL has been dropped to %systemroot%\system32 and schedule to load for any subsequent apps that load user32.dll (according to the description anyway).
I've managed to read the source after installing it... but if it was bad, I'd've already been hosed by that point.
You are mistaken. If you look at the 8086 (and 8088) design you'll see the segment registers which could be used to separate data from code memory. I believe the current x86 processors still retain these registers. Of course, using memory segments was a pain and the OS designers (probably pressured by application developers) stopped using them in preference to the flat memory model.
To say the Intel designers didn't know about HW protection is incorrect.
Personally, I don't see the problem with temporarily unregistering the affected DLL...
Because the flaw isn't in the image previewer used by the shell, it's in GDI32 which is a core OS component and can't be unregistered. Unregestering the image previewer will prevent a lot of attack vectors, sure, but there are probably others.
What's evil about this one is not that someone couldlure you to a rigged speical website but that they can reach out and get you. For example, they can just take out a banner add from double click and have this rigged jpeg displayed on tens of millions of computers. Or they could post it as a picture on FLikkr and hope it gets into the rotation for a picture of the day. get it into google images. Post it on a bulliten board that allows thumbnail jpegs. Lots of ways to get the code onto trusted web sites.
Some drink at the fountain of knowledge. Others just gargle.
I wonder if anyone is going to be able to patch Win98 against this? There are still a lot of machines and this vulnerability could make them essentially useless and force an upgrade. While we would all love for them to upgrade to Linux or OS X it is more likely that they will shell out for WinXP and MS will benefit from a windfall of sales as a result of their inept programming. If someone produced a workable patch this would at least allow people to keep using their computers without pouring more money down the MS bottomless pit.
"I have the attention span of a strobe lit goldfish, please get to the point quickly!"
In some DRM scenarios, the TPM chip is also used to prove to your software that the OS has not been modified. Unless you have the skills to hack that software, your bought and paid for TPM programs may refuse to work any longer.
;)
A much tougher case would be the "rely on others" programs where you have to prove to an external instance that your system has not been hacked. Take the "death to game cheaters" implementations as an example:
Want to fix your vulnerable Windows with a non-official patch?
World Of Warcraft II won't let you play anymore
I also don't believe this is temporary. Except in the sense that TPM might be (hopefully!) a colossal failure in the market. And considering the current vulnerability, this looks like more than a slight theoretical risk to me.
C - the footgun of programming languages
The fix can be applied in the automatic mode using the following command line:
/VERYSILENT /SUPPRESSMSGBOXES
/LOG="file" switch can be added to the command line to create a log file.
wmffix_hexblog13.exe
These switches do not suppress dialog boxes about installation errors.
The
[from http://www.hexblog.com/2005/12/wmf_vuln.html ]
There's a MSI version in the works as well.
>I think I know English pretty well, and...
fixed.
I work for a very small company, probably typical of thousands of other very small companies. Our company is too small to afford a full-time IT staff; I'm the entire IT department, and it's a very small part of my job. I'm the IT guru because I'm the only one there who knows a DLL from a dungheap.
I have formal training in computers, but so long ago that the field was still called EDP and time-sharing was a big deal. I've spent years learning what I know about Windows and Windows networks, in my spare time. It would take me years more to reach a similar level of expertise with a brand-new OS. And until I reached that level, we'd be more vulnerable than with Windows.
My company has about a dozen computers, including a single domain server with no backup server. We have about $60,000 invested in software (other than OS's) that will only run under Windows. We have no hardware to set up a test server, no money (or time) to spend on unsuccessful experiments.
The only person in our company who has ever used Linux is our 21-year-old secretary. We have one Unix machine, which I despise, because its desktop GUI is primitive and its command interface makes MS-DOS look well-designed and intuitive.
I rarely get to spend more than two or three hours a week on network maintenance, security monitoring, and research combined. If I hadn't automated them I wouldn't have time to do file backups some weeks. I have no time to spend trying to research the seventeen hundred different distros of Linux available, or whether Wine will support our COM+-dependent network applications--or whether the WMF exploit still applies if we run Windows applications on Linux.
We can't afford to have a regular support contract with a local computer-specialist firm. That's assuming we could even find someone in town we can trust--the overpriced morons who did our last batch of installations gave us a two-NIC server with only one NIC enabled (so no firewall), and set up user workstations with the Administrator password left blank!
I loathe Microsoft, and have since I first saw Windows 3.11. But what possible reason do I have for trusting the claims of Red Hat or Debian more? What research I can do is hardly reassuring. Remember Saturday's story here: researchers found 812 flaws in the Windows operating system, 2,328 problems in various versions of the Unix/Linux operating systems (Mac included)?
I didn't choose Windows; I inherited it and have no resources to replace it. My company didn't really choose Windows; it was forced on us by the marketplace. Be realistic! My wife just bought an Apple, and the first thing she installed on it was the OS-X version of MS Office, necessary for compatibility with her company.
Maybe in another ten years Linux will be enough of a force that applications will be written for cross-compatibility, but little companies like mine can't wait that long. We have to use what we can, right now.
I figure by 2030 or so my 6-digit UID will be something to brag about.
...to do what they do best. Which is why I use a different OS and suggest others do so as well.
What does Microsoft do best? Why, get the money out of the pockets of suckers, of course.
Suckers.
Cheers!
Everything in the Universe sucks: It's the law!
There seems to be a lot of confusion in this thread regarding these two terms. It isn't that surprising, since they are both purposely misleading, but still.
// oskar
"Trustworthy computing" is Microsoft's bullshit name for their so-called initiative to start taking security seriously. It was under this banner that Bill sent all his coders to secure coding seminars so they could learn what a buffer overflow is. The article is ironic in its title: that Microsoft have failed to find such a glaring issue as a native image format that purposely allows images to execute arbitrary code, and that they have not offered a patch even now when exploits are in the wild since almost a week, shows how trustworthy they really are.
"Trusted computing", on the other hand, is the bullshit name for a nefarious scheme involving hardware and software whereby control over PCs should be taken out of the hands of their owners, and given to the software and hardware vendors. This is sometimes claimed to be about security, but is actually motivated by DRM and DRM only (the name is short for "Trusted Client Computing" and comes from the ability of DRM vendors to trust that your computer, the client, will obey their directions).
The people pushing "trusted computing" are actually not so much Microsoft as Intel and IBM: Microsoft completely support the concept of trying to put the freely programmable computer back in the bottle, but they have had their own ideas about implementation (their version was first called "Palladium", but when they realized that it is bad to have a recognizable name for something customers actually don't want it was renamed "Next Generation Secure Computing Base" and after that it was renamed to nothing at all so they can be snuck into the coming versions of Windows without people noticing.)
The WMF file is really a list of Windows drawing functions to call, along with their parameters.
Guess what else uses this.
There are in-memory and on-disk WMF files. Some are used by apps for repainting the screen. Some are used by apps for printing; Windows printing is based on the WMF. You want error handling with printing, right?
Now, I'm not saying how to fix this unless Microsoft shares some cold hard cash with me, but there are reasonable solutions. It's just not as simple as patching out the feature.
Some wikis probably don't check file content.
Wikipedia tries to block stuff like this, but I don't think it is all that reliable. They just use the UNIX file command to see if a file matches the file extension.
WMF files start with 0x01 0x00, are are unrecognized by the file command.
JPEG starts with 0xff, so that won't do. Well, there are other formats to try.
F-Secure has more on it: http://www.f-secure.com/weblog/#00000761
Windows Metafiles are a file representation of drawing commands. They are more flexible than bitmaps and get used quite a lot in things like for caching images of every OLE object embedded inside a MS word or powerpoint document. There just happens to be one operation to set a callback when a printing aborts which can be saved to a WMF file, which, when followed by something to abort the rendering, lets you jump to the nominated location.
This back door is built into windows from version 3.0 onwards. Any app that displays WMF images from untrusted sources (lotus notes, maybe msword, even google desktop search) is vulnerable. This is potentially code red for the desktop.
I have the patch on all my systems, the author works for IDA, the debugger tool, and is well respected. I dont care whether IT central will push it out or not; I think they ought to before the back to work/school event causes major worm attacks using it. It will be pretty embarrassing for microsoft though -a third-party emergency fix for windows, in the same year that Vista, "Windows Secured" is due to ship.
> Geeze, here it is 2006 and people still think that the return address in unsigned
> email means ANYTHING.
Well, yeah. I had to explain to two coworkers just last week that the scary messages they were getting weren't really from eBay, and they were quite surprised. (So I told them that if they were concerned that they might need to check their eBay accounts, to use the bookmarks they usually use to go there, because they would know that those really go to eBay. The link in this message only says it goes to eBay, and really it goes someplace else, to another site. Such gasps of outrage and astonishment as I then heard, you'd have thought I was telling them that their husbands lied about the business trip and were really with in Las Vegas with girlfriends.)
This is at least partly because of the way mailreaders present the data. Instead of showing the headers as part of the message (which is, essentially, how they're transmitted), most mail readers parse the headers and present certain pieces of data from them (the From address, for instance) separately from the message, as metadata. Well, yeah, it *is* metadata in a sense, but the way it's presented makes it appear, to the casual user, as if it's something the mailreader knows about the message, rather than something the message claims about itself. Other critical headers, such as Receives:, are not shown at all (unless the user specifically goes looking for them in a "Show All Headers" or "View Message Source" option or somesuch.
There are, of course, good solid usability reasons why these things are the way they are, but it doesn't take a doctor of psychology to tell you what people are going to think as a result.
Personally I'd like to see the information parsed out of the headers, especially the sender information, labelled just a little differently, e.g., "Claims to be From:". I'm not sure that would entirely solve the problem, but it might help a little. I'm also deeply annoyed that our ISP's mail server accepts HTML messages for delivery (if we had our own mail server in house it sure wouldn't), and that all the decent, deployable, user-friendly mail clients I can find happily render and display HTML mail. Even recent versions of Pegasus cannot, as near as I can determine, be configured to show the source or treat the HTML as an attachment.
Cut that out, or I will ship you to Norilsk in a box.
I built my own release.
The code is only 200 lines, and is primarily patching logic with a switch in there. The biggest risk is that it patches the wrong place and doesnt provide protection, the next that it doesnt uninstall. Those are hard to test.
it cannot be detected by most intrusion detection systems (the snort rule will peg the CPU on your router) nor filtered by packet-inspecting firewalls (it spans two or more ethernet frames).
You *can* run 2 instances of snort in-line to get around this CPU-pegging issue.
Not really a whole lot of choice about this one.
There is always choice - have you considered a defense-in-depth multi-layered approach? I'm taking the following steps
1. unregister the ms pic and fax viewer dll
2. make WMF file extension default to an erroneous app like notepad
3. turn DEP up a notch
4. turn off downloads in IE if you must use it (set default security settings to HIGH)
5. block all WMF files at the perimiter
6. keep antivirus up to date and consider frequent manual updates and scans of key machines
These things in combo with being vigilant over the next few days should keep you and your corporate networks safe. There are even MSI versions of the patch for mass distribution.
Horns are really just a broken halo.
I'm the author of the hotfix and one could expect me to say 'yes, please go ahead and install it on your corporate network with thousands of machines'.
But I won't say that.
First of all deploying any software on a large network is a serious task. It should be carefully planned and performed with the correct (read: responsible) approach.
The hotfix must be tested on as many machines as possible. Possible negative consequences must be determined and decided upon if they are acceptable or not.
In short, more rigorous testing is required.
-------
Ilfak Guilfanov, the author of the hotfix
I rarely get to spend more than two or three hours a week on network maintenance, security monitoring, and research combined.
OK, so you're not a full-time IT guy. That's cool. But if you can't manage 12 machines and only $60K worth of vendor lock-in, then you absolutely, positively need some outside help. It's not an issue of whether you can afford it; at this point, I'd say you have to.
But what possible reason do I have for trusting the claims of Red Hat or Debian more? What research I can do is hardly reassuring. Remember Saturday's story [...]?
I did, but I don't think you did, because it was thoroughly debunked within the first 10 replies.
Let me put that another way. The article you're reading right now is full of stories about people going in on the holidays to patch their Windows systems. How many stories did you hear about Unix admins rushing in this weekend? All of last month? All of last year? So far this millennium? The latest unpatch{ed,able} Windows exploit is set to cause more work for the people who have to manage affected systems than the rest of us have had in the last five years.
But you can choose to believe whomever you want. As for me, I'm enjoying my four-day weekend and relaxing by reading about stuff that doesn't affect me. Hope your new year goes this well!
Dewey, what part of this looks like authorities should be involved?
I've removed:
:) |scroll lock||scroll lock| (KVM)
ActiveX for streaming video
AOL ART Image Format Support
Intel Indeo codecs
Media Center
MIDI audio support
Movie Maker
Old CDPlayer and Sound Recorder
Speech Support
Windows Media Player
Windows Media Player 6.4
Client for Netware Networks
FrontPage Extensions
Internet Connection Wizard
Internet Explorer
Internet Explorer Core
IP Conferencing
MSN Explorer
Netmeeting
Outlook Express
Vector Graphics Rendering (VML)
Windows Messenger
Desktop Cleanup Wizard
Framework
Help
Out of Box Experience (OOBE)
Shell Media Handler
Tour
Web View
Zip Folders
Fax Services
Imapi
Indexing Service
System Restore
(nliteos.com)
AND I AM STILL VULNERABLE!???
Perhaps I should switch to linux
The AC is correct, Internet Explorer will look at up to 256 bytes of each data stream returned (images, html, etc) and attempt to "guess" the MIME type.
An interesting fix for this problem- Rather than having your hardware router/firewall sniff all the packets, you could write a pluggable MIME filter registered to ALL image types on your PC (Google it for more info- I've done a lot of research on MIME filters and Asynchronous Pluggable Protocols for IE, but I'm too lazy to dig it all up right now). If the MIME filter examines the returned image data stream and sees evidence of the WMF exploit, trash the stream and substitute your own image (maybe a jpeg of a skull and crossbones). If registered as a permanent MIME filter it would have the benefit of blocking the exploit in anything that uses IE as a rendering engine- which includes many e-mail applications (Outlook!), and some IM apps.
I looked at doing this myself, but dropped it assuming MS would have created a fix by now. Maybe I should start working on it again....
Urge to post... fading... fading... RISING!... fading... fading... gone.
...several thousand times already: Thanks for the patch!
In an interview with an anonymous MiroScoft employee, it has been reported that MS has found a working fix!
"We've all turned off our computers, and are sitting on our hands. This has effectively blocked all intrusion attempts."
When asked when the fix would be distributed, he replied:
"Once the threat has passed, it will be safe for us to turn our computers back on and email everyone with instructions for turning their computers off and sitting on their hands. Until that time comes, we're asking everyone to be patient."
The checkpoint page you point to just lists this as a vulnerability and gives a password protected link to "FULL ADVISORY and SOLUTION" (caps theirs). Since I don't have a checkpoint login, I have no clue as to what they are saying. I therefore have no reason whatever to believe that they have anything to offer.
I do not want a patch that is untested, and could cause even more hell. You really think, they could have created a patch, and tested it well to be deployed on 200+ million machines connected to Windows update, and not have any bad effects on other apps. /NoExecute=OptOut to the options, and kick in a restart. Atleast that is a better thing to do than trust a random untested patch.
If you look at the patches realeased by others, they also say it might break applications, and you might have problems with it etc. I do not think MS has that option while creating a patch.
Microsoft accpeted there was a flaw, posted information about it, told you about workarounds. If you want to be protected just turn on DEP on all applications. Want to do it on multiple machines, use scripts to edit boot.ini and add
{
I think the problem is the timing: Holiays.
}
If they can force, er, "encourage" microserfs to pull 60 to 100 hour workweeks away from their families for months at a time to squeeze more features into Winbloat Vista and Microsoft Office, certainly they can ask one or two developers and QA folks to implement a security patch and roll it out quickly as at least a BETA release?
reason 8,181,842 I quit running Windows.
The Christian Right is Neither (Christian nor right). See: Matthew 23, Matthew 25, Ezekiel 16:48-50
Q: Why do folks still use Windows?
/., play games and do some serious stuff once in a while. So I run Windows XP on my desktop (instead of Linux or FreeBSD, although my other computer is an Apple Powerbook running OS X). I sit behind a hardware firewall, have autoupdates turned on, run a memory-resident virus scanner and antispyware scanner, use Firefox and Thunderbird - and I've never, ever had a security problem.
Short answer: It easily runs everything I want it to. The Linux user experience is significantly worse than Windows.
When I had to pick an OS, I did research and picked one that I felt was secure enough for my needs. Windows didn't make my cut.
What are you doing to make Windows insecure? Downloading unmarked executables from newsgroups and executing them? Running Outlook and double-clicking on every attachment you receive? Running without a firewall?
Let me rephrase your quote:
When I had to pick an OS, I did research and picked one that I felt was compatible enough for my needs. Linux didn't make my cut.
The last time I tried Linux (and I have, I really have), it didn't support all my hardware out of the box. Hardware support should simply work instead of having to recompile my kernel 36 times trying to figure out the correct settings (there were none, I had unsupported hardware). How ancient is that? And then I hated the distribution wars - the infighting over which was the "best way" to do something - the way that distro X does things completely differently from distro Y to the extent that they're binary and logically incompatible to the detrement of the user - and you end up hating both distros as neither of them uses a solution that makes sense for the user.
Then there's the sheer hypocracy of KDE - instead of supporting Microsoft, it's supporting Trolltech, but nobody seems to understand that ought to be just as much of an ethical problem. Trolltech are no better than Microsoft when it comes to trying to leverage a monopoly. The pond may be smaller, but if Linux ever takes off, Trolltech gets a free ride. Except that Linux will never take off while Trolltech are stunting commercial growth and charging $4000 per seat for commercial development licences - Microsoft couldn't have a more unlikely ally in supressing Linux.
And as far as a free OS, I found FreeBSD to be significantly better than Linux as it's logically organized and the maintainers are mature adults compared to the screaming teenagers of the Linux world.
Although neither Linux or FreeBSD run the games or applications that I want to play. If they reliably (and with no messing around) ran the very latest games (eg: World Of Warcraft), tax and financial software (eg: Taxcut and MS Money) - with full support for my graphics card, sound card and printer - I'd take another look. I did once manage to get Unreal Tournament 2003 running under Linux (which was the game I was into at the time) with full 3D acceleration, but the sound was delayed about 2 seconds so it was unplayable.
But given that I no longer use my computer for the sole purpose of messing with my computer, I'm sick of that shit not working. 15 years ago it would have been a fun challenge to "stick it to the man" and "rebel" against Microsoft, but I no longer care. I want as little maintainability as possible - I simply want to be able to read email, yell at people on
What you are saying is that fixing broken Windows takes up so much of your time, that you can't afford to look at an alternative. Stand still and think about it for a moment.
The fact is that you can install almost any shrink wrapped Linux distribution, do a default installation and have almost zero support issues for the next year. Honestly, I almost never patch my Linux servers and only upgrade them every 3 years.
In a small business situation, any Linux box is as reliable as a refrigerator. Just leave it alone and it will keep working for a long, long time.
Think of that ancient UNIX machine you talked about - how much effort do you invest in maintaining it? Pretty much zero huh? After all, you don't even know how it works. Now imagine if all your computers were that reliable...
Oh well, what the hell...
I will grant that this will stop "many" types of cheats. It will still be useless because the cheaters will adopt the remainder. proxy aimbots and the like.
You seem to be ignoring - willfully or not - that the fundamental model of trusting MS is broken. Making that model more severe by forcing trust compounds the brokenness. It Has Been Shown that MS will be late with patches. It Has Been Shown that they are not proficient at security and will remain so until the market penalties are severe. What is the point of requiring official binaries when the binaries are going to be broken for weeks at a time? The net WILL be flooded with spam by those who RELIED on the official binaries. You have it so amazingly backward I wonder if you previewed the post.
MS blew it. They have added to their terrible reputation and I'm just not interested anymore.
There's also an outlook to your position I find frankly weird: that there is an official source of goodness. The "right" and correct version of the dll to run at this time is clearly the unofficial patch. The right version of a file to run in the future is going to be the one that reduces your chances of being 0wn3d, not the one with the pedigree. THis is "duh" territory.
It took about 8 seconds to unregister the DLL from all systems on the network (Go active directory!) and limit applications ability to load it.
How many people can read hex if only you and dead people can read hex?
the unofficial patch fixes the vulnerability through shimgvw.dll, which us win98 users dont have. but the actual problem is in GDI32.dll which is required for windows to function. so basically we're SOL atm.
info
.
. hmmm