Slashdot Mirror
Trustworthy Computing
Anonymous Coward writes "This is a first: the Internet Storm Center is recommending trustworthy computing. They want you to trust that the unofficial patch for the Windows Metafile Volunerability that is currently being exploited by an IM worm. No patch from Microsoft at this time, and the exploit is arranged in such a manner that it cannot be detected by most intrusion detection systems (the snort rule will peg the CPU on your router) nor filtered by packet-inspecting firewalls (it spans two or more ethernet frames). Not really a whole lot of choice about this one."
As it says in the article, some people in the corporate world won't do it if the patch didn't come from MS. It's sad, really. If I had an exploitable machine around, I would trust their patch.
Plant a tree in a developing country.
What is the over/under for Microsoft getting a patch out for this?
If there is a time to deviate from their monthly patch cycle, this is it. The patch should have been out days ago, yet we are still waiting.
And Microsoft wonders why no one takes their security promises seriously.
It'd be nice to have a computer that I can use the patch on.. Maybe I can Wine it?
Any grammatical or spelling errors above are for comic effect, and do not signify imperfection in the writer.
Sometimes, I really start to think that security is so poor in commercial operating systems, because they want to use protection from all these exploits as the bait to get us into the "trusted computing" cage.
Trusted computing is a farce, because the one thing that *isn't* trusted, is the user.
The theory of relativity doesn't work right in Arkansas.
FTA:
You cannot wait for the official MS patch, you cannot block this one at the border, and you cannot leave your systems unprotected.
This has always been the case with Windows, if I'm not mistaken.
How many late nights, allnighters, and missed holidays have you experienced, thanks to things like ILOVEYOU and Slammer? How many times have you had to clean up the mess created by Microsoft's shitty, unsecure software?
Clearly Microsoft wasn't interested in calling people in over the holidays to whip up a patch for this critical vulnerability-- something that you could go in a couple hours early tomorrow and roll out to the PCs in your organization. They're going to let you suffer. And why should they care? They've already got the money of the company you work for. People are going to return from their holiday vacations tomorrow, load the wrong web page in IE, and get pwned. And you'll be left to clean up the mess. Again. Better pack an extra sandwich with your lunch tomorrow, because you probably won't be getting out at 5.
Windows have produced a datatype that allows people to place executable code into image files? How can they call themselves programmers. Seriously whoever engineered the WMF format should be ashamed.
99 bottles of beer in 175 characte
Today was supposed to be my fifth vacation day this christmas.
I've had two; and decided to come in to the office today to make sure we were patched up against the exploit.
Yes, I took the plunge.
The patch is now deployed in our small office (30 windows PCs atm); and so far so good.
Would I have felt safer if the sourcecode was released? Perhaps.
That said, I'd rather take the ISC's word on the fix than have a guaranteed hell within a couple of days.
The dedication of the people involved with ISC, as well as that of Mr. Guilfanov brightened my start of the new year.
Kudos, people.
Saturday's word was "transferbangle." Today's word is "volunerability." I wonder what tomorrow's word will be!
Reading the article, the ISC (and a few others) say that you *should* disable the DLL. There are two ways, with caveats, listed:
*Unregister the DLL : some apps may actually reregister the DLL.
*Rename/Delete: make sure XP File Protection is off, otherwise it will be replaced. Also, some apps may behave badly.
So, disabling the DLL is a *good* idea -- but may not be a complete solution by itself.
10b||~10b -- aah, what a question!
No flamebait intended, but that's a typical sensationalist misleading Slashdot headline. Noone's advocating "trusted computing" or similar initiatives here; all they do is saying "here's an unofficial fix, and we'd like to recommend even though it *is* unofficial, considering the seriousness of the vulnerability and also considering it was written by a reputable windows expert, namely Ilfak Guilfanov (author of IDA Pro)".
And for that matter, there's no mention of "the Snort rules will hog your router's CPU", either - that's total rubbish, probably made up by the article submitter. And it slipped, too, since the Slashdot "editors" never care to actually edit stories before they publish them.
Shame on you, Hemos!
quidquid latine dictum sit altum videtur.
Of course they don't know what a DLL is. Windows has been marketed as a consumer OS, it was designed to be used by people without a clue. By default you can't even see the DLLs. People shouldn't need to have IT qualifications to use a computer, it should be secure enough for them to use it. What you are suggesting (to use a car metaphor and probably get flamed for it) is that people should need to strip and reassemble an engine to get a drivers liscence.
99 bottles of beer in 175 characte
FTFA
.WMF images?
* Should I just block all
This may help, but it is not sufficient. WMF files are recognized by a special header and the extension is not needed. The files could arrive using any extension, or embeded in Word or other documents.
I love the way the story starts 'Anonymous Coward writes', with an email address link to the author.
I believe this is because _any_ image is vulnerable to infection. Because Microsoft checks the header for every image file and treats it as WMF if the header matches, all jpegs, gifs, and pngs are potential vectors for the disease. A router that has to inspect _every_ image that is surfed by users behind it will immediately turn into a bottleneck.
A couple of the other comments here seem to miss this very important point:
It's not just files with ".wmf" at the end. Any image file will get unwrapped by Microsoft code and the callback will get executed. Woof.
They want you to trust that the unofficial patch for the Windows Metafile Volunerability that is currently being exploited by an IM worm.
:|.
OK, tell me how that sentence is supposed to make sense. Come on
Arrrrrrr
It's a thing called sarcasm. MS are the ones pushing "trustworthy computing" but are showing that at a time like this, they can't be trusted to do the right thing.
Be a real patriot: Question authority. Think for yourself. Formulate your own conclusions.
You are absolutely correct, sir. This aricle has absolutely nothing to do with "trustworthy computing," (aside from the use of the word "trust"). It is perhaps interesting that the headline was enough to persuade me to read the summary, and click the link to the story. Maybe, in some strange way, they're demonstrating how the exploit works.
Everything I've ever learned the hard way was based on a statistically invalid sample.
..that if we all were running "trustworthy" computers, this problem would be much, much worse than it is now. Imagine that now instead of having a patch that's already been made by someone else while we sit and wait for Microsoft to get off their asses, we now have to wait on Microsoft, who still hasn't shown up.
Instead of having *some* machines patched, we'd have none. This late after the exploit has been released, and a zero-day attack has happened, we'd see no respite.
If you try to argue that Trustworthy computers wouldn't allow this to be exploited, what if the trustworthy compontent itself was exploited? As the Xbox and soon the Xbox 360 have shown, the more complex the hardware, the more complicated the bugs are. Microsoft's betting that the hardware complexity can outgrow the programmer's abilities to crack it, but if there's any truth in the world, it's that if it can be engineered, it can be destroyed. So imagine if this virus was actually signed by Microsoft through the exploit. How would this look for their company? How can you save face from a disaster like that?
No, trusted computers aren't the answer, just more secure computers, with better code. And the fact of the matter is, the more eyes that are on the code, the better it is, and that's why Open Source will always succeed. No amount of cryptography will help you if there's a hole in your crypto system.
"Victory means exit strategy, and it's important for the President to explain to us what the exit strategy is." G.W.Bush
So we have to explain the joke again:
The title comes from the original note in the Handler's Diary. You see, it creates a mental tension between "Trustworth Computing", the lack of an official patch and ISC's "Please, trust us". It makes some readers smile.
Think users are bad in the corporate sector? Wait until everyone gets back to the college dorms after winter break with their completely unpatched computers. And all the people who have new computers that they got over the holidays. It wouldn't matter if Microsoft had patched it last week, I guarantee that the student users who need it won't have it.
Speaking as a poor sap who has to fix these computers, I have one thing to say: "Thanks for the easy money". And a heads up to all you dorm technicians, get ready to start burning virus CDs.
From http://www.viruslist.com/en/weblog?discuss=1768925 30&return=1:
"... Going back to the wmf vulnerability itself, we see number of sites mention that shimgvw.dll is the vulnerable file. This doesn't seem correct as it's possible to exploit a system on which shimgvw.dll has been unregistered and deleted. The vulnerability seems to be in gdi32.dll... "
I don't know who's more of an idiot -- the submitter or the "editor" who accepted this turd of an article summary.
Fun with Anagarams! LADS HOST, SHALT DOS. HAS DOLTS. AD SLOTHS, HATS SOLD. ASS HO, LTD.
Sure, people needs lives (e.g., vacation, time off, etc.).
And so do those who work as network administrator etc..
I can tell you that many a company that takes internal security seriously has had people working on this over the last weekend to make sure they are as safe as can be when everyone starts working today.
MS could have had a few employees working on this during the hollidays, get it properly fixed, and have an update installed with windows update.. as it is, they got a few thousand people working on implementing workarounds and unofficial fixes instead. Lots of extra work that has to be undone when the official fix is there.
Don't open e-mail from senders you don't recognize.
What would this accompolish? Since around 1999 or 2000, the vast majority of viruses and trojans have grabbed all the email addresses in someone inbox, address book, etc. and sent themselves out using a random return address from this list. There is a good bet that any virus/trojan you get will have a known return address in it, however it is just as good a bet that it will not be the address of the person infected.
Geeze, here it is 2006 and people still think that the return address in unsigned email means ANYTHING.
And if you are in a coporate setting and the Network Admin hasn't blocked IM, you've already got bigger problems to worry about.
It really seems sad that the norm is to block reasonable communication tools (I use IM almost exclusively for work related communication) simply because corporate America is infatuated with Microsoft despite the massive security headaches they cause.
Off topic, I'm really getting annoyed with Microsoft admins where I work constantly complaining about IE problems. I'm starting to ask these people how many times they had to put their hand on a hot stove when they were children before they decided it was a bad idea. Is pattern recognition a skill that we as a society just no longer have?
Finkployd
according to Microsoft
That sounds like they must have some kind of patch out there, or are they hoping to get more users "hooked" on OneCare ?Otherwise, this statement doesn't make sense :
Maybe I'm being picky, but I think all their customers have a quite urgent need, right now !Written from the sublime security of Fedora Core, thanks.
I wonder if anyone is going to be able to patch Win98 against this? There are still a lot of machines and this vulnerability could make them essentially useless and force an upgrade. While we would all love for them to upgrade to Linux or OS X it is more likely that they will shell out for WinXP and MS will benefit from a windfall of sales as a result of their inept programming. If someone produced a workable patch this would at least allow people to keep using their computers without pouring more money down the MS bottomless pit.
"I have the attention span of a strobe lit goldfish, please get to the point quickly!"
In some DRM scenarios, the TPM chip is also used to prove to your software that the OS has not been modified. Unless you have the skills to hack that software, your bought and paid for TPM programs may refuse to work any longer.
;)
A much tougher case would be the "rely on others" programs where you have to prove to an external instance that your system has not been hacked. Take the "death to game cheaters" implementations as an example:
Want to fix your vulnerable Windows with a non-official patch?
World Of Warcraft II won't let you play anymore
I also don't believe this is temporary. Except in the sense that TPM might be (hopefully!) a colossal failure in the market. And considering the current vulnerability, this looks like more than a slight theoretical risk to me.
C - the footgun of programming languages
The fix can be applied in the automatic mode using the following command line:
/VERYSILENT /SUPPRESSMSGBOXES
/LOG="file" switch can be added to the command line to create a log file.
wmffix_hexblog13.exe
These switches do not suppress dialog boxes about installation errors.
The
[from http://www.hexblog.com/2005/12/wmf_vuln.html ]
There's a MSI version in the works as well.
I work for a very small company, probably typical of thousands of other very small companies. Our company is too small to afford a full-time IT staff; I'm the entire IT department, and it's a very small part of my job. I'm the IT guru because I'm the only one there who knows a DLL from a dungheap.
I have formal training in computers, but so long ago that the field was still called EDP and time-sharing was a big deal. I've spent years learning what I know about Windows and Windows networks, in my spare time. It would take me years more to reach a similar level of expertise with a brand-new OS. And until I reached that level, we'd be more vulnerable than with Windows.
My company has about a dozen computers, including a single domain server with no backup server. We have about $60,000 invested in software (other than OS's) that will only run under Windows. We have no hardware to set up a test server, no money (or time) to spend on unsuccessful experiments.
The only person in our company who has ever used Linux is our 21-year-old secretary. We have one Unix machine, which I despise, because its desktop GUI is primitive and its command interface makes MS-DOS look well-designed and intuitive.
I rarely get to spend more than two or three hours a week on network maintenance, security monitoring, and research combined. If I hadn't automated them I wouldn't have time to do file backups some weeks. I have no time to spend trying to research the seventeen hundred different distros of Linux available, or whether Wine will support our COM+-dependent network applications--or whether the WMF exploit still applies if we run Windows applications on Linux.
We can't afford to have a regular support contract with a local computer-specialist firm. That's assuming we could even find someone in town we can trust--the overpriced morons who did our last batch of installations gave us a two-NIC server with only one NIC enabled (so no firewall), and set up user workstations with the Administrator password left blank!
I loathe Microsoft, and have since I first saw Windows 3.11. But what possible reason do I have for trusting the claims of Red Hat or Debian more? What research I can do is hardly reassuring. Remember Saturday's story here: researchers found 812 flaws in the Windows operating system, 2,328 problems in various versions of the Unix/Linux operating systems (Mac included)?
I didn't choose Windows; I inherited it and have no resources to replace it. My company didn't really choose Windows; it was forced on us by the marketplace. Be realistic! My wife just bought an Apple, and the first thing she installed on it was the OS-X version of MS Office, necessary for compatibility with her company.
Maybe in another ten years Linux will be enough of a force that applications will be written for cross-compatibility, but little companies like mine can't wait that long. We have to use what we can, right now.
I figure by 2030 or so my 6-digit UID will be something to brag about.
There seems to be a lot of confusion in this thread regarding these two terms. It isn't that surprising, since they are both purposely misleading, but still.
// oskar
"Trustworthy computing" is Microsoft's bullshit name for their so-called initiative to start taking security seriously. It was under this banner that Bill sent all his coders to secure coding seminars so they could learn what a buffer overflow is. The article is ironic in its title: that Microsoft have failed to find such a glaring issue as a native image format that purposely allows images to execute arbitrary code, and that they have not offered a patch even now when exploits are in the wild since almost a week, shows how trustworthy they really are.
"Trusted computing", on the other hand, is the bullshit name for a nefarious scheme involving hardware and software whereby control over PCs should be taken out of the hands of their owners, and given to the software and hardware vendors. This is sometimes claimed to be about security, but is actually motivated by DRM and DRM only (the name is short for "Trusted Client Computing" and comes from the ability of DRM vendors to trust that your computer, the client, will obey their directions).
The people pushing "trusted computing" are actually not so much Microsoft as Intel and IBM: Microsoft completely support the concept of trying to put the freely programmable computer back in the bottle, but they have had their own ideas about implementation (their version was first called "Palladium", but when they realized that it is bad to have a recognizable name for something customers actually don't want it was renamed "Next Generation Secure Computing Base" and after that it was renamed to nothing at all so they can be snuck into the coming versions of Windows without people noticing.)
The WMF file is really a list of Windows drawing functions to call, along with their parameters.
Guess what else uses this.
There are in-memory and on-disk WMF files. Some are used by apps for repainting the screen. Some are used by apps for printing; Windows printing is based on the WMF. You want error handling with printing, right?
Now, I'm not saying how to fix this unless Microsoft shares some cold hard cash with me, but there are reasonable solutions. It's just not as simple as patching out the feature.
Some wikis probably don't check file content.
Wikipedia tries to block stuff like this, but I don't think it is all that reliable. They just use the UNIX file command to see if a file matches the file extension.
WMF files start with 0x01 0x00, are are unrecognized by the file command.
JPEG starts with 0xff, so that won't do. Well, there are other formats to try.
F-Secure has more on it: http://www.f-secure.com/weblog/#00000761
Windows Metafiles are a file representation of drawing commands. They are more flexible than bitmaps and get used quite a lot in things like for caching images of every OLE object embedded inside a MS word or powerpoint document. There just happens to be one operation to set a callback when a printing aborts which can be saved to a WMF file, which, when followed by something to abort the rendering, lets you jump to the nominated location.
This back door is built into windows from version 3.0 onwards. Any app that displays WMF images from untrusted sources (lotus notes, maybe msword, even google desktop search) is vulnerable. This is potentially code red for the desktop.
I have the patch on all my systems, the author works for IDA, the debugger tool, and is well respected. I dont care whether IT central will push it out or not; I think they ought to before the back to work/school event causes major worm attacks using it. It will be pretty embarrassing for microsoft though -a third-party emergency fix for windows, in the same year that Vista, "Windows Secured" is due to ship.
> Geeze, here it is 2006 and people still think that the return address in unsigned
> email means ANYTHING.
Well, yeah. I had to explain to two coworkers just last week that the scary messages they were getting weren't really from eBay, and they were quite surprised. (So I told them that if they were concerned that they might need to check their eBay accounts, to use the bookmarks they usually use to go there, because they would know that those really go to eBay. The link in this message only says it goes to eBay, and really it goes someplace else, to another site. Such gasps of outrage and astonishment as I then heard, you'd have thought I was telling them that their husbands lied about the business trip and were really with in Las Vegas with girlfriends.)
This is at least partly because of the way mailreaders present the data. Instead of showing the headers as part of the message (which is, essentially, how they're transmitted), most mail readers parse the headers and present certain pieces of data from them (the From address, for instance) separately from the message, as metadata. Well, yeah, it *is* metadata in a sense, but the way it's presented makes it appear, to the casual user, as if it's something the mailreader knows about the message, rather than something the message claims about itself. Other critical headers, such as Receives:, are not shown at all (unless the user specifically goes looking for them in a "Show All Headers" or "View Message Source" option or somesuch.
There are, of course, good solid usability reasons why these things are the way they are, but it doesn't take a doctor of psychology to tell you what people are going to think as a result.
Personally I'd like to see the information parsed out of the headers, especially the sender information, labelled just a little differently, e.g., "Claims to be From:". I'm not sure that would entirely solve the problem, but it might help a little. I'm also deeply annoyed that our ISP's mail server accepts HTML messages for delivery (if we had our own mail server in house it sure wouldn't), and that all the decent, deployable, user-friendly mail clients I can find happily render and display HTML mail. Even recent versions of Pegasus cannot, as near as I can determine, be configured to show the source or treat the HTML as an attachment.
Cut that out, or I will ship you to Norilsk in a box.
I'm the author of the hotfix and one could expect me to say 'yes, please go ahead and install it on your corporate network with thousands of machines'.
But I won't say that.
First of all deploying any software on a large network is a serious task. It should be carefully planned and performed with the correct (read: responsible) approach.
The hotfix must be tested on as many machines as possible. Possible negative consequences must be determined and decided upon if they are acceptable or not.
In short, more rigorous testing is required.
-------
Ilfak Guilfanov, the author of the hotfix
Did you miss the fact that blocking .wmf files/extensions means nothing for XP users? Because XP took a page from the 'magic bytes' of Unix and recognizes .wmf files from the image header, it can (and will) in some circumstances render them regardless of the extension. So naming it .bbb will bypass your perimeter filters completely.
I've removed:
:) |scroll lock||scroll lock| (KVM)
ActiveX for streaming video
AOL ART Image Format Support
Intel Indeo codecs
Media Center
MIDI audio support
Movie Maker
Old CDPlayer and Sound Recorder
Speech Support
Windows Media Player
Windows Media Player 6.4
Client for Netware Networks
FrontPage Extensions
Internet Connection Wizard
Internet Explorer
Internet Explorer Core
IP Conferencing
MSN Explorer
Netmeeting
Outlook Express
Vector Graphics Rendering (VML)
Windows Messenger
Desktop Cleanup Wizard
Framework
Help
Out of Box Experience (OOBE)
Shell Media Handler
Tour
Web View
Zip Folders
Fax Services
Imapi
Indexing Service
System Restore
(nliteos.com)
AND I AM STILL VULNERABLE!???
Perhaps I should switch to linux