Businesses Urged To Use Unofficial Windows Patch
frankie writes "ZDNet is reporting on the latest dire pronouncements about the WMF vulnerability. The problem is so serious that security experts are urging IT firms to use the unofficial patch. Microsoft's current goal is to release the update on Tuesday." From the ZDNet article: "This is a very unusual situation -- we've never done this before. We trust Ilfak, and we know his patch works. We've confirmed the binary does what the source code said it does. We've installed the patch on 500 F-Secure computers, and have recommended all of our customers do the same. The businesses who have installed the patch have said it's highly successful" It's big enough that even mainstream media is covering the flaw.
It brings interesting schemes into my mind. Oh don't mind me, I'm just going to grab my tin foil hat.
do.what.promptcmds
Right here :D
No need to thank me
Why not just block wmf files at your corporate site? That would be easier than applying an unofficial patch on all the systems, and then having to roll it back when the official MS patch comes out.
Why not have other people make the patches for you? For one, it works, and second, they didn't pay anyone to get it done. Hmm, this sounds familiar...
Han shot first.
Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution
http://www.securityfocus.com/bid/16074
http://www.microsoft.com/technet/security/advisory/912840.mspx
http://www.symantec.com/avcenter/venc/data/pf/pwsteal.bankash.g.html
If you're curious as to what all they do, you can take a look here. A sample quote from the article:
In some cases, particularly when the Internet Explorer browser is involved, the testing process "becomes a significant undertaking," Toulouse said. "It's not easy to test an IE update. There are six or seven supported versions and then we're dealing with all the different languages. Our commitment is to protect all customers in all languages on all supported products at the same time, so it becomes a huge undertaking."
Where do we apply this patch if we're in a hurry to stop the filthy Windows habit?
We don't see 3rd parties doing patches for MS problems much :-) They joining the Open Source bandwagon yet?
Ha, so much for such "features" - times have changed...
--LWM
Not to trivialize the severity of this current problem, but ever notice that regardless of the severity or type of problem/virus/etc... there's always a press release from F-Secure?
Also, the quote in the headline is from F-Secure recommending installation of the 3rd party patch, not from ZDNet as the headline may lead you to believe.
"I'd rather be a lightning rod than a seismometer." -Ken Kesey
I went to a site yesterday, and when the page loaded, Windows Image Viewer popped up for a split second, and then the windows logon program (winlogon.exe) keeps trying to access the net...
It's Firefox only until a patch for this comes out.
It may not have been anything like this at all, but this is the feeling one gets.
One also wonders about the job security of the MS programmer who didn't get this fix out in a timely manner.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
Loss of goodwill. Not all liability is monetary, smarty-pants.
"I'd rather be a lightning rod than a seismometer." -Ken Kesey
Its ok, I found th...!&^!")NO CARRIER
liqbase
The answer to your question should be fairly obvious to anyone who has worked for a software development company: quality assurance. Windows is an extremely large and complicated piece of software. Any changes must go through a rigorous testing process, probably using dozens if not hundreds of configurations. Otherwise, Microsoft risks releasing a patch which breaks a few thousand servers/desktops and brings their customers' businesses to a grinding halt.
"Oops, sorry about that. We forgot to test the patch with that configuration."
Microsoft's primary responsibility here is to make sure that they don't inadvertently break something. Fixing the security vulnerability is a distant second.
Third parties, on the other hand, don't have to do any testing at all. If you really need a patch NOW then you are welcome to use their stuff, but you can be sure that it has not been put through anything close to the testing that Microsoft would perform. There's no guarantee that it'll work for you.
Businesses are only going to respond to a problem by calling on the person/entity that is supposed to cover it, i.e. the one they're paying, Microsoft, in this case. They're not going to go around installing an independent patch willy-nilly on dozens of computers if it takes another day to get it from Microsoft. Many of these are small businesses without IT departments to advise them one way or the other. The important point here is that by waiting the extra day, a few of them are going to get burned badly and Microsoft will lose much of their trust.
The current official suggestion from MS to limit problems is of course to unregister the related driver, shimgvw.dll.
Just because you can, does not mean you should.
This article isn't anything like the one that I submitted.
Mine looked more like this (body content from memory):
Oh sorry, what I meant was Vista will have ever more voracious hardware requirements, 3-D widgets, DRM up the yin yang, 12 different versions so it runs on everything from the computer to the home theater to the microwave oven, bugs crawling out of everywhere from day one and the same broken piece of shit security model wrapped up in corporate hype and buzztalk for only 30% more retail cost than the version of Windows you're running today.
Yeah that's what I meant to say. Sorry.
The actual root of the problem is in the GDI, which is what handles all basic interface display for Windows. The unofficial patch just disables the call that the exploit uses. Ok, fair enough, but that's a hack, not a fix. That means that anything that legitimately uses that call won't work, and the underlying problem is still there.
Well, testing a fix for a system component like that takes time, especially since it affects a ton of versions.
Now you might ask, why not release a hack fix, and then do a proper patch later? Well as it stands, it's hard enough to get people to update their systems. We fight with it all the time with people here at work. They turn auto updates off since they run simulations at night and don't want it rebooting (even though patch day is known ahead of time) and then never manually patch since they "can't be bothered".
Well, if MS released a patch that broke things, that just makes that many more people stop patching. Remember all the whining and bitching about SP2. There were very few systems that had problems with it, and most that did were spywared to hell, but still there are tons of people that refuse to install it for fear that "it'll break my computer".
Thus the official patch takes time, as they have to test and make sure that the problem really is fixed, and no new problems were created with the fix. Regression testing isn't quick.
will be to compare the Microsoft released patch to the unofficial one.
It would be deliciously muddying for Microsoft if someone discovered significant parts of the unofficial patch in the official one.
Tip for Firefox users. Adblock extension, add filter, *.wmf, click Ok...
"I can be self-referential if I want to," said Tom, swiftly.
here here here here and here
One site (maybe one of ebaumsworld's ads, I believe--I won't link there) tried to do something with it. avast! alerted me with its usual "Caution. A virus has been detected" sound and "abort connection" dialog and all of that. Don't know if it succeeded (nothing unusual now, though my browser did show a naughtier site instead that time; I visited a few times again and it showed my intended site as usual, with much less naughtiness)
You can hold down the "B" button for continuous firing.
Kirk: Fix the WMF hole!
...
Let me guess: Tuesday?
Microsoft (Research) said in a security bulletin on its Web site, "we are working closely with our antivirus partners and aiding law enforcement in its investigation."
Cool - law enforcement is investigating Microsoft? About time!
get a rope!
There is much cruelty in the universe, John.
Yeah, we seem to have the tour map.
You can't buy publicity like this!
Worse, in fact. There are SEVERAL ways, all well known, which could leverage this exploit to compromise millions of hosts in a matter of hours.
The unofficial patch is 100% necessary. This is BAD folks.
And if the evil people are smart, they'd have a very VERY nasty surprise come Monday, when most people are still not patched and M$ hasn't released the official patch yet.
Test your net with Netalyzr
Funny, I talked about this yesterday; how could a graphic cause something so severe? This is a picture So now an email, IM, webclick or maybe even a popup could kick off a payload from a graphic? I thought only new things would attack windows rep, as if all the old stuff had been discovered, but now, there's more and more daily!
fak3r.com
According to this F-Secure's Web log, it tells what is going wrong with the Windows Metafiles (WMF) vulnerability. It turns out this is not really a bug, it's just a bad design from another era. When Windows Metafiles were designed in late 1980s, a feature was included that allowed the image files to contain actual code. This code would be executed via a callback in special situations. This was not a bug; this was something which was needed at the time. The feature now in the limelight is known as the Escape() function and especially the SetAbortProc subfunction, and has been around since Windows 3.0, shipped in 1990...
Seen on Digg. This Broadband Reports' security forum thread mentioned this as well.
Copied and pasted from my AQFL Web site.
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
If you want the patch itself, try here:
http://isc.sans.org/diary.php?storyid=1010
Second time this story came up with no links to the patch.
Everything that was once directly lived has receded into a representation. -debord
Don't forget to watch the video, I have a link to it at the end of this article: This is a picture click on "watch it in action"
fak3r.com
My question in all of this is if it's fixed in this "OneCare" thing, then what's the difference in the rollout to everyone else? Please, God, tell me this isn't some stupid marketing ploy (the delay that is) to get more people on this damn OneCare thing...
Xserv
"I love lamp."
The problem is so serious that security experts are urging IT firms to use the unofficial patch.
Do I have to install Wine first?
Please help!
Million Dollar Screenshot
A very interesting post indeed.
So it installs itself, then an anti-malware app - tells you the original crap is installed but won't uninstall it with the 'trial version' so it sends you to a website and makes you pony up 39.95$ to have it clean your machine! Only in america! Thanks for the video Fak3r.
Does anyone really care what ZDNet has to say about this? ZDNet had to release a wmf article...Computerworld already did. But, the only relevance of either article is to demonstrate that the mainstream media is reporting on this. If anyone in IT relies on ZDNet for technical advice related to security...yikes.
Is it possible to use the .wmf exploit to install the .wfm exploit patch?
It's good to see that Microsoft is keeping things consistent in this new year. As an administrator, I was worried I would have to learn something new. Rinse, lather, patch, repeat.
"Now the trouble about trying to make yourself stupider than you really are is that you very often succeed." -C.S. Lewis
This puts MSFT in an interesting position -- their official patch has to be tested on systems with the unofficial patch. Otherwise there's a possibility that the unofficial patch will break something in the official patch (or vice versa.)
With the unofficial patch already deployed on thousands (millions?) of machines, it would be a big deal if something went wrong.
God, I'd hate to be in Redmond right now...
-ch
The best patch by far is located here
Not all WMF files have the .wmf extension. Some may have .bmp, .gif, .jpeg, or about a dozen others.
I saw a list a few minutes ago, but I don't remember where...
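The two points raised in the comments above (the Escape()/SetAbortProc callback, and WMF content carried under other file extensions) can both be checked by content instead of by name. The following is an added example, not part of the original thread or of any vendor's tooling: a Python scanner that recognises a WMF by its header and flags any Escape record selecting SETABORTPROC. The record constants come from the published WMF format; the helper names and the sample files are constructed for illustration, with zero-filled escape data.

```python
import struct

# Constants from the published Windows Metafile format.
PLACEABLE_KEY = 0x9AC6CDD7   # optional 22-byte "placeable" header magic
META_ESCAPE = 0x0626         # record function that carries an Escape() call
META_EOF = 0x0000            # terminating record
SETABORTPROC = 0x0009        # Escape subfunction that registers a callback
FLAG = "META_ESCAPE/SETABORTPROC"


def first_record_offset(data):
    """Return the offset of the first record if data parses as WMF, else None."""
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22
    if len(data) < off + 18:
        return None
    ftype, header_words, version = struct.unpack_from("<HHH", data, off)
    if ftype not in (1, 2) or header_words != 9 or version not in (0x0100, 0x0300):
        return None
    return off + 18


def scan_wmf(data):
    """Walk the record list; report SETABORTPROC escapes and malformed records."""
    off = first_record_offset(data)
    if off is None:
        return {"is_wmf": False, "findings": []}
    findings = []
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if func == META_EOF:
            break
        if func == META_ESCAPE and off + 8 <= len(data):
            (escape,) = struct.unpack_from("<H", data, off + 6)
            if escape == SETABORTPROC:
                findings.append((off, FLAG))
        # Sizes count 16-bit words and include the 6-byte record header.
        if size_words < 3 or off + size_words * 2 > len(data):
            findings.append((off, "malformed record size"))
            break
        off += size_words * 2
    return {"is_wmf": True, "findings": findings}


def triage(files):
    """files maps name -> bytes. Return names to quarantine; extensions are ignored."""
    return sorted(name for name, data in files.items()
                  if any(kind == FLAG for _, kind in scan_wmf(data)["findings"]))


# --- Constructed sample data (no real file, escape data is all zeros) ---
EOF_RECORD = struct.pack("<IH", 3, META_EOF)


def _header(body_len, placeable):
    prefix = b""
    if placeable:
        # Key, handle, bounding box, units per inch, reserved, checksum (not validated here).
        prefix = struct.pack("<IHhhhhHIH", PLACEABLE_KEY, 0, 0, 0, 100, 100, 1440, 0, 0)
    words = (18 + body_len) // 2
    return prefix + struct.pack("<HHHIHIH", 1, 9, 0x0300, words, 0, 9, 0)


def constructed_flagged(placeable=False):
    record = struct.pack("<IHHH", 9, META_ESCAPE, SETABORTPROC, 8) + b"\x00" * 8
    body = record + EOF_RECORD
    return _header(len(body), placeable) + body


def constructed_benign():
    record = struct.pack("<IHH", 4, 0x0103, 8)  # META_SETMAPMODE, MM_ANISOTROPIC
    body = record + EOF_RECORD
    return _header(len(body), False) + body


if __name__ == "__main__":
    files = {
        "holiday.jpg": constructed_flagged(),           # WMF content, misleading name
        "chart.wmf": constructed_benign(),              # ordinary metafile
        "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,  # not a WMF at all
    }
    for name, data in files.items():
        print(name, scan_wmf(data))
    print("quarantine:", triage(files))
```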
Testing?
Even if it means, in contravention of best security practice and all possible "trustworthy computing", knowingly delaying an urgent, critical fix (which would be less troublesome than the first Shatter fix which was pushed out, and only disable a single GDI function that frankly hasn't been used since Windows 3.1 and should never have been used in the first place) for a publicly-disclosed, unpatched vulnerability that had been discovered from a 0day exploit, for an indefinite amount of time over a public holiday period while the vulnerability is being "tested"?
When there's realistically no possible way the different L10n's of Windows would affect the GDI32 core because it contains almost no l10n strings anyway, and the vulnerability is in fact a purposely-designed, never-used legacy "feature" that should definitely have been removed in Windows NT or during the Windows 2000 GDI rewrites, or noticed, say, during last month's GDI audit?
Despite Microsoft promising that the introduction of the Patch Tuesday would not preclude emergency fixes being issued out-of-cycle and as soon as possible for, ooh, say, critical core Windows vulnerabilities with an enormous number of possible vectors of infection, no effective mitigation and wide, dangerous exploits in the wild with a number of vulnerable machines easily capable of providing an ample breeding ground for supporting wide botnets or enormous worm infections?
Which is exactly what has happened, as Windows has, frankly, just faced the worst single vulnerability in its entire history?*
What the fuck are they doing, deliberately trying to breed another big internet worm?
Sorry, but I'm calling bullshit. I'm a security researcher, and I'm really quite angry at Microsoft's piss-poor handling of this. They couldn't have done much worse if they'd heard about the bug and then have let MSRC take Christmas off anyway.
This was not business as usual. This was an exceptional event (true 0days are actually quite rare to discover in the wild). It could not, and should not, have waited until the next patch cycle. This is exactly the kind of situation upon which a speedy mitigation - hours to days, but definitely not weeks - is absolutely critical, and we should demand that. They should AT LEAST have provided the (untested) hotfix themselves within a day, and pushed it out to Automatic Updates and Windows Update/Microsoft Update within the week after first discovery in the wild - not unrealistic goals for a vendor who wishes to paint themselves as "trustworthy".
They should be brought to task on this one. Behaviour like this is what created the full-disclosure movement in the first place.
* Yes, I'm going to say this one's actually worse than the various active remote vulnerabilities we've had over the years, like the UPnP vuln or the numerous RPC-related vulns. Those, you could at least block with a firewall. This, it's single-payload, multi-vector. It's got plenty of room to drop anything, it's capable of highly metamorphic exploit streams, can be fed online or offline, even spread on media, anything from email to a web page to a simple read-only directory listing or right-click, or uploaded to a site or blog, god help you, rendered inside MSN... the number of potential vectors is so numerous and troublesome it even makes analysis difficult; Windows disregarding filenames and extensions and MIME types and using magic sniffing instead, so you can't even block it effectively using a content-inspecting IDS - that's just the icing on the cake. This is a classic vulnerability, a real ticking Christmas present, a true textbook candidate.
OK, why does every link to the patch link to the same Handler's Diary page?
Where can one download the patch?
Thx.
If you don't know what AltaVista is (was), get off my lawn.
No problem, always happy to share, but WTF? Can't they call the company whose malware remover gets installed? Why can't they ask them some questions or lean on them to uncover the originator of this scam?
fak3r.com
Yesterday (Jan 2). All 1300+ computers got patched and rebooted. I'm patching my home computers tonight...
The Doormat
If you're not outraged, then you're not paying attention.
Vista is designed to plug as many of the existing security holes in Windows XP as possible, and then open as many new vulnerabilities as it possibly can.
At this rate, with all the DRM they want to add to Windows, the only ones who will be able to use your computer will be the hackers, and not you.
Makes you feel warm and fuzzy all over, don't it?
"My country, right or wrong; if right, to be kept right; and if wrong, to be set right." --Senator Carl Schurz (1872)
Just in that brief piece, I can spot three typical points of inaccuracy:
This, of course, is precisely the sort of vague, inaccurate half-understanding that Microsoft wishes end-users to have. If the phrasing of the article made it clear that Windows is not something physical, not something "shipped" in the same sense that a power supply or a mouse is "shipped"-- that there is no such thing as a "Windows PC", only a "PC running Windows"-- perhaps they'd begin to ask tough questions like "Well, are there any alternatives that we could run on our PCs to prevent these problems from affecting us?" These are, in their own small way, subversive questions, anti-authoritarian questions, anti-monopolistic questions-- and thus questions that Microsoft and their ilk don't want people asking.
On the bright side, at least they're admitting (finally) that the problems only affect computers running Windows. If I see another story talking about an "email virus" (read: "MS-Outlook-running-on-MS-Windows-only virus/worm/exploit"), my head is going to explode into a fine pink mist.
People, I'm sure, will say that I'm "nitpicking" or being an "English nazi", but one's choice of words does make a difference. The usages here are just reinforcing common vague half-truths and misconceptions that the general population has about computers, and for every article out there that says "Windows PCs" instead of "PCs running Windows", or "viruses" instead of "malware" or "security exploits", it just makes the already-huge problem of user ignorance that much bigger.
Consider the two sentences below:
Which one makes Senator Smith out to be a sneaky crook, and which one merely cautious?
The difference is all in the choice of words. Words matter. So anyone who wants to tell me I'm just being nitpicky-- shove it. One's choice of words creates impressions, both conscious and subconscious, in the reader-- and thus, the seemingly
With spending like this, exactly what are "conservatives" conserving?
Here's a preview of what Microsoft's fix will look like:
"You are about to download a WMF file. Would you like to continue?
[Yes] [No] [Help]"
Help: "WMF files are images. For more information visit the Microsoft Support Center"
Microsoft Support Center: "Welcome to the Microsoft Support Center. There is no information available on this topic. Suggestions: Try searching for a topic using the search form..."
Shares in Microsoft (up $0.78 to $26.93, Research) rose nearly 3 percent in mid-day trade on Nasdaq.
Um, yeah. I guess even bad press is good press these days.
Jesper Johanssen, a Senior Security Strategist in the Security Technology Unit at Microsoft, has offered "non-official" observations on his blog. It includes a workaround I hadn't seen mentioned elsewhere, which involves changing the "Run As" setting in Internet Explorer to a non-admin user.
RichM
Data Center Knowledge
I'd be filing a patent on "a technique for patching security vulnerabilities relating to images"...
I'm using a WinXP machine here at my work, and I use FC4 at home. I'm actually hesitant to click on any images from the comments section, cause I'm sort of expecting someone maliciously/jokingly to post a link to a site that would install this. Anyone else on Windows getting that same feeling?
I think that would be one of the greatest threats of spreading this. Message forums and blogs are so popular now, 1 malicious person could post the offending multimedia file for other to view on a website that they would typically trust.
It's days like this I'm glad I use Linux now at home.
How about releasing a beta patch... on an issue this serious, perhaps they could just release the test... but for download only for specific configurations, until they can complete their full ANALysis for complete compatibility~
I work in the automotive field for a Chrysler Dealer (and have worked for all three of the 'Big Three' over the last ten years) and often see aftermarket fixes come out months or years ahead of an OEM fix. Why is it such a surprise especially when the OEM supplier is Microsoft?
Grisoft AVG finds it as a virus and quarantines / removes it.
...zero-day
SETABORTPROC Escape
Linux geeks are not afraid.
IDS, thanks for playin'
Unofficial patch burn
World serves its own needs
Dummy serve your own needs.
Feed the news from ISC,
Go insane
The blogs all start to clatter
With fear fight down height.
Wire is on fire
On a new years' holiday
And the mafia for hire
At a pharma site.
Tuesday now it's coming in
A hurry with the worries
breathing down your neck.
Team by team the coders baffled,
trumped, tethered cropped.
Feature? That's insane!
Fine, then. Uh oh,
A week 'till it's released to you
But it'll do
Unregister a DLL
World serves its own needs,
Patch this at your own speed
Crummy packet capture
And it's never quite
Right, right.
Admin now an alcoholic
Can't take bright light
Feeling pretty tired.
It's the end of the world as we know it.
It's the end of the world as we know it.
It's the end of the world as we know it and I feel fine.
they found the Weapon of Mass Frustration
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
This guy (he may be renowned in the security community, but I've never heard of him) was able to successfully bandage a Windows flaw before Microsoft, without access to the Windows source code or any backing from the writers of the program being patched. I doubt he'll need to look far for work for a long time, and if he does, 'Successfully wrote a patch for a Windows flaw independently' looks damn good on his resume. He still has to pay for Windows, sure, but it's not like he's going to be completely unrewarded for his work.
Stasis is death. Embrace change.
This is obviously an anticipated dupe. Don't worry, your article will be on the front page in hours.
--
Superb hosting 2400MB Storage, 120GB bandwidth, ssh, $7.95
If everyone is freaking out about how bad this thing is, why is AVERT still considering this as a low risk?
MISSING - Sig file. 2 years old black and white and very funny. If found please email me.
this exploit to compromise millions of hosts in a matter of hours.
Maybe months, but hours? bullshit. This exploit requires someone to load a web page or click a file. This requires that there are 100 million idiots out there. Now I am sure there are that many idiots, but the scope of this is limited to porn sites that don't abide by the rules already, randomly opened free web accounts that host the exploit, and IM spam. Yes I agree it is bad, but nowhere near the scope of slapper or dcom etc..
If you have a Windows domain and use mostly XP and 2003 machines... try using the built-in 'Software Restriction Policy' to prevent the path %systemroot%/system32/shimgvw.dll; this will apply to all of the machines in the domain.
Looks like I'm going to be spending more time booted into Ubuntu this week! Ugh, I've gotten used to Windows vulnerabilities, but this is the first I've heard of a 3rd party beating MS to the patch like this. Microsoft! U Got Served!
Actually, it'll be interesting if this leads to a new wave of third party Windows patching. Not that this would necessarily be a good thing, but it most certainly would be interesting. At the very least, MS should hire that guy, or pay him a bounty.
To the making of books there is no end, so let's get started
Will Windows Update be able to overwrite the unofficial patch when the official one is released? Does WU do a hash check of some sort to verify if the files that it is replacing are versions that it is allowed to replace?
There's even a Wikipedia article:
http://en.wikipedia.org/wiki/Windows_Metafile_vulnerability
They can't STAND to have a piece of data that won't execute code. Eg, your .wma audio files are Microsoft's bizarre code/data mix, presumably for DRM. It's trivial to use MS's .wma DRM to send people trojans. Presumably the RIAA labels are doing it already.
Worse, all the media players on the windows platform (including Winamp) will run the DRM trojan. Note you can make this code do ANYTHING.
If you rename a .wma file to .mp3, WiMP (Windows Media Player) will still execute the trojan, although other players choke.
Always have extensions turned on, never ever listen to .wma files, and never ever under any circumstances trust Microsoft or any other big company with your data.
You can bet your ass (even your 'orse or arse) I have no important data whatever on my Windows PC.
Why an in memory/runtime patch? Personally i would have probably gone for hexediting gdi32.dll and would have dumped a backup to gdi32.old. Microsoft will most likely replace this file when a hotfix arrives.
The user32.dll invoked hook this hotfix DLL uses doesn't affect the core operating system (only applications), thus not fucking with the core OS, correct? If so doesn't this _still_ leave the hole open for some windows components or apps that are deliberately designed not to link with user32.dll?
It's supposed to be released in January 10th...! :-p
A bit puzzling to me why the world's largest software developer has to do extensive regression testing (or whatever it's taking them all this time, testing sounds like the most excusable reason anyway) to simply cover a buffer overrun exploit. It's not exactly a bug in IE security zones or some logical flaw like that.
Beware: In C++, your friends can see your privates!
I agree 100 percent. The way facts are stated can totally distort the facts themselves.
It picks my ass that the city newspapers where I live (Vancouver, Canada) always say that the latest hit-and-run victim or shooting victim "was in the wrong place at the wrong time".
Walking home after school? Wrong place, wrong time. Crossing the street at an intersection? Wrong place, wrong time. At work in a convenience store? Wrong place, wrong time. Etc. etc.
The subtle message imparted by this lazy, incompetent style of reporting is that the victims are somehow responsible for what happened to them.
Blah - I'm done venting. Thanks for listening!
The next big Windows worm will be unleashed on a Wednesday.
Well if you look at ntfs filesystems, they have an execute permission as well. NTFS ACL is a superset of the typical unix ACLs, however the problem is that all files are marked executable in the filesystem by default unless you change it. Hence in some of the security conscious areas, they disable execute access by default on the Document and Settings directory, and only allow users to logon as unprivileged accounts.
Clippy's doing a heckuva job!
-- I have a private email server in my basement.
Has anybody seen the WMF exploit in the wild yet? I haven't received a single spam e-mail containing this exploit, and none of my co-workers seem to be affected or anybody else I know. I wonder why that is - this vulnerability sounds very bad since it is so easy to get infected. Or am I just in a calm pocket of the U.S.? I remember that other Windows vulnerabilities in the past caused much more trouble than this one. Also, while it turns up in mainstream news occasionally, it doesn't seem to have hit the headlines yet.
One of the articles said that "other Windows versions may also be affected" So, how about those who have Win98 machines sitting around?
http://www.pcworld.com/news/article/0,aid,124149,
Keep in mind that MSfts team must ensure compatibility with hundreds of programs before implementing patches. An independent developer who comes up with a patch doesn't. My 2 cents.
Um, shouldn't they (MS) be offering a patch similar to this unofficial patch with the caveat that some programs might be broken? Sure, they could take their sweet time doing multiple regression tests on multiple versions of their operating systems and offer a 100% safe patch in three months.
I am in Iraq and I have no way of protecting my kids' computers. I have to rely on Windows Update and there is no patch available. I suspect my son's computer is already "0wn3d". It will continue to be owned for 2 and half more months until I can fix it while I am on vacation.
It pleases me to know that the patch that comes out in a few months will work with lots of software that I do not even use. In the meantime...
strike
"Someone needs to talk to the tree of liberty about its ghoulish drinking problem." by ohnocitizen
It's a bug because it doesn't have the .exe extension- if Microsoft tells us "don't download executables from untrustworthy sources" they mean .exe files- they don't mean .jpg files.
Read the Fucking Back Story: This would be almost 0% issue if any of the following were true:
1. MSIE/SHELLDOC used extensions or mime-types (MSIE) in determining what file format something was [[ This flaw is transparent to users: it can be in almost any file extension ]]
2. MSIE/SHELLDOC had a feature like the mailcap file on UNIX which allows us to only list programs that can operate on untrustworthy files(!)
3. The WMF magic was outside of a critical system component (that could simply be unregistered and removed)
As a result, this is a very serious problem, and by playing Microsoft's tune about how "it's not that big of a deal", you're only making the problem worse.
By the way, someone should (quick!) make some WMF files that use the AbortProc routines to disable printscreen and stuff when they're visible so they can sue MS for DMCA (copy protection circumvention) violations...
But I'll believe that when I see it. MS has a long bloody history of protecting you from your own applications, except the MS applications that run a little differently.
From the http://handlers.dshield.org/jullrich/wmffaq.html article, I noticed this comment:
"Will unregistering the DLL (without using the unofficial patch) protect me?
It might help. But it is not foolproof. We want to be very clear on this: we have some very strong indications that simply unregistering the shimgvw.dll isn't always successful. The .dll can be re-registered by malicious processes or other installations, and there may be issues where re-registering the .dll on a running system that has had an exploit run against it allowing the exploit to succeed. In addition it might be possible for there to be other avenues of attack against the Escape() function in gdi32.dll. Until there is a patch available from MS, we recommend using the unofficial patch in addition to un-registering shimgvw.dll."
So, in other words, it does exactly the same thing Unix does for every single executable file.
No, if it did it exactly the same way UNIX did, then there wouldn't be a problem.
UNIX only looks up magic headers when using the execve() system call, and not with open()- and only if the file is marked +x - and only if it's on a filesystem marked exec.
So in other words, you don't know what you're talking about.
One of the problems here is that Windows' rape victims cannot disable WMF support and continue using Windows: It's part of GDI- a critical system component.
Another problem is that programs that can be convinced to let GDI display an untrustworthy image are all attack vectors.
Another problem is that Microsoft is inconsistent with regards to what opens what- ActiveX and COM are designed to hide which program is actually doing work- and it makes it very difficult for regular users to determine if the file they're downloading from an untrustworthy source can be handled safely by a program.
Yes, that sometimes means file extensions (which are invisible by default), and other times that means magic header handling, and still other times that means a MIME header. All of which seems designed to frustrate the user- since while they don't know exactly what will happen if they start MSN Messenger, or visit a web page, none of them expect their computer to be eaten by the grues.
Is it me, or maybe I'm just lucky? I'm not one to brag, but I do have a little IT experience (10 years personal use, 6 years in the field and some college CCNA/MCSE training), blah blah blah. I'm running Windows XP SP1, have since SP1 came out; went from 2K to XP, been almost 3 years now... I have never once updated!!! My system is beyond stable, words can't describe. I get no viruses, no spy/malware, no pop-ups, no BS, period. People come by and are totally amazed. My friends complain how their PCs suck, this crash, that, and yet my system is beyond beautiful (Athlon 64 3000, 1.5 gig DDR 333, 1TB HD space, ATI Radeon X700 Pro 256 DDR), not just in specs but the fact that it never crashes, freezes, and runs forever. The only time I reinstall Windows is when I get a ton of new hardware, which isn't often. I do repair work on the side, 50 bucks; I set up Windows like on my machine, configured, services disabled, the works. People's machines run great till the user gets it back ;( The problem isn't MS or 3rd party patches, it's just douche bags with PCs. You need a license to drive, don'tcha? You should have to have one to operate a PC!! God damn these people, I love ID-10-T errors!! So don't update; if you do then you belong in the list of license applicants :) C'mon people, it's common sense: you don't cross the street on a red light, do ya? So why would you click on a pop-up? Not read what you install? Are you really that stupid? If so, I have a bridge in San Francisco to sell ya.
Visit my Forums?
MS is free to develop whatever on god's grey earth they like. But after years of us telling them what our problems are, they should at some point start listening to those comments.
It's not bashing it's disgust and frustration at being told to talk to that brick wall over there. Yeah that one.
Some people here do NOT have a sense of critical logical and humour. I actually liked your post. Mine may have been a tad too critical for the thin skins.
the third party security patch is a kludge.
there are countless programs that might barf on it.
It's not that it's a GDI bug. It's a DESIGN MISFEATURE- the code does exactly what it's intended to do. The problem is that the feature is NOT secure, not a good idea on a system in the first place, and code and images shouldn't even be USING this thing.
F-Secure's hack, and yes, it's a hack, is an adequate fix until MS gets their damn hole that's been lurking since Windows 3.1 fixed.
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
It's the interim format for the PRINTING engine unless you print to RAW print queues- they use WMF or EMF (same engine with extensions...) for spooling on Windows machines by default. Turning it off makes for a mess to say the least- it's not as easy as you'd think.
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
I have witnessed first hand how Guilfanov's unofficial patch will break some legacy apps. The one in question was a 16-bit app (based on Access 2.0). After applying the patch, it was impossible to print some forms (we received an error). Sure, we uninstalled the patch and printing was OK again.
So therefore the interesting thing about the upcoming Microsoft patch is, how are they going to patch the hole without breaking the legitimate uses of the affected gdi functions???
I have a feeling the official patch will be similar to the unofficial patch, with the only exception being that gates will be built in to allow software supported by MS (esp. own) to still use the callback functionality that the exploit uses. Not that this is a bad thing, I suppose they would need to sign all apps that use callbacks though, which might be slow.
I'm still trying to figure out what people mean by 'social skills' here.
I installed windows sp2 on a couple of semi-important computers. I used http://opensourcerules.info/cdkey.html to get a serial and I got the SP2 installation CD from usenet so I didn't ever pay for xp.
Is it safe to use auto-upfaith on this crap? I don't want to reinstall these machines and they really wouldn't work under wine, and I never want to pay for it either.
Gartner joins the party
From the article:
"The potential [security threat] is huge," Mikko Hypponen, chief research officer at F-Secure, an antivirus company, told the Times. "It's probably bigger than for any other vulnerability we've seen.
"Any version of Windows is vulnerable right now," said Mr. Hypponen, including every Windows system shipped since 1990.
Microsoft said a security patch would be available for the problem on Tuesday, January 10 after it has passed rigorous testing procedures.
Because of the severity of the threat, the SANS Institute, a computer security group, has released a patch for the vulnerability until Microsoft's fix is available next week. It is available here.
Shares in Microsoft (up $0.78 to $26.93, Research) rose nearly 3 percent in mid-day trade on Nasdaq.
Out of curiosity, I checked for this dll on PCs with Windows 3.1, Windows 95, Windows 98, and Windows NT 4.0. There is no trace of its existence anywhere. I also checked File Manager on all these OSes by clicking File - Associate and then checked to see if .wmf was registered. It was not in any of those cases.
Naturally, the dll and the file association exist on Windows XP. (I copied NT 4's File Manager over to verify that it opens with rundll32.)
Does anyone know if older versions of Windows are impacted in any way? Is there a Proof Of Concept out there that I can use to verify?
So why has a third-party lone programmer beat a multi-billion software company to patch their own software?
From http://www.microsoft.com/technet/security/advisory/912840.mspx:
Microsoft has completed development of the security update for the vulnerability. The security update is now being localized and tested to ensure quality and application compatibility. Microsoft's goal is to release the update on Tuesday, January 10, 2006, as part of its monthly release of security bulletins. This release is predicated on successful completion of quality testing.
I think I'm going to be sick.
Horns are really just a broken halo.
Well, I don't use MS Windows so I don't know much about it, but I seem to remember reading something strange about an exploitable *colour* on MS Windows systems: http://secunia.com/advisories/16004, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1219
To be, or not to be: isn't that quite logical, Slashdot Beta?
That's great, but it's all irrelevant. The HTTP 1.1 protocol says that a browser shouldn't try to guess the MIME type of a document if it's specified by the server. IE ignores this and tries to guess the MIME type anyway.
Among all the responses to the GP, this one is correct. How an operating system determines the type of a file isn't relevant. The HTTP specification defines how the browser is supposed to determine the type of an object, and IE ignores that. The way it's supposed to work is that the web server determines the file type and it sends a Content-Type header that contains something like "image/jpeg", or "text/html". The browser is then supposed to act appropriately based on the type specified by the server.
IE ignores the server-specified type and tries to figure out the filetype itself. This causes other problems as well. A few years ago I needed to serve up PDF files from a web server, but it was important for the usage that the user save the PDF to a file, rather than display it in the browser. The solution was simple and obvious: configure the web server to report a Content-Type of "application/octet-stream" or somesuch opaque type so that the browser would not be able to interpret it and would offer to save it. It worked perfectly on several browsers but IE steadfastly refused to accept what the web server told it. If the user had Acrobat Reader installed, IE would use it to display the PDF. Of course, users could right-click and select "Save link target as", but that required that they be trained to do that.
The final solution was to zip the PDF. That way the browser wouldn't try to display it unless the user had one of a couple zip tools, and in that case it would display a list of the contents of the zip file, so the user could drag it where he or she wanted it.
What a hack, though. IE should follow web standards and obey the type as specified by the web server.
Oh, plus Windows shouldn't have huge, gaping security holes, but one thing at a time, right?
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
If you think imaginary property and real property are the same, when does your house become public domain?
http://isc.sans.org/diary.php?storyid=1010
When I read Snow Crash, I had a hard time thinking a bitmap could cause such havoc in the world, real or metaverse. Well, Neal Stephenson was right. Now, viewing an image can wipe you out...
STOOOPID!
Who the F installs an 'unofficial' patch for this level of a problem?
Also, what's up with MS rolling this out a week from yesterday like it's casual?
--pete
This whole M$ Windows paradigm of depending upon the lusers as a basis for security is just plain stupid. No matter how many or how much you educate, someone will always do something stupid. Security must be designed into the system so that regular users cannot compromise it.
Hello,
We are very sad to say that over the New Year the Campus was subjected to several acts of mindless vandalism. As well as bricks being thrown through windows, several members of staff have reported their cars as being the subject of practical jokes. Some of these cars were filled with water whilst others had graffiti daubed across them. We have uploaded the pictures of the graffiti here http://playtimepiano.home.comcast.net/ in the hope that someone may recognise the culprits work. If anyone can shed any light on this unfortunate incident could they please contact the main office as soon as they have time.
Many Thanks & Best Regards,
Professor Robert Gordens
Yale
In Soviet Russia, backwards is everything.
Except this isolated incident for Microsoft is played out constantly in the open source world. An engineer sees an irritating problem, he fixes it. You can fix Microsoft's screw-ups (there is a whole host of flaky $15 shareware programs that exist based on this premise), but it's never going to be the clean, seamless fix that you'll see in the open source world. It'll be "that independent hack that might patch things over" versus "the real, Microsoft-blessed thing".
Any program relying on (nontrivial) preemptive multithreading will be buggy.
File formats are the new security frontier. No matter how much you audit servers and fling firewall rules about, there is a vast mass of software on your computer that writes and reads data to and from files. Do these programs treat data as if it is as untrusted and potentially malicious as they do (well, should) if they are accepting data from the network? Of course not -- hell, most of the software authors out there probably don't have a clue what kind of security issues there are to be concerned about.
There is no easy fix (NX is about as close as you're going to get). "Move to XML" takes care of a tiny bit of easy code, the low-level parsing code. How does all the data interrelate? Does your program have defined behavior for *all* possible input files? It's almost certainly exposing a *huge* chunk of its internals in its files, usually far more than is exposed to the network by a typical program. How robust is all that? Are there buffer overflows anywhere in your code? Two pieces of redundant data that might disagree? Can corrupt data structures be produced? Basically, is there *any* way that a corrupt data file can crash your program? If so, there's a pretty solid risk that you represent a vulnerability to the computer that your program is running on.
MP3 file-reading code has had exploitable bugs. JPEGs have had exploitable bugs. Do you want to bet that the file I/O code of Microsoft's ubiquitous Office package really is completely robust, and that a single malicious file opened on one computer on your network can't infect all the others reachable from that computer?
Any program relying on (nontrivial) preemptive multithreading will be buggy.
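An added example, not part of any comment in this thread: a gateway-style check that treats a file as untrusted input, identifies WMF by its header rather than its extension, walks the record list with strict bounds checks, and blocks any metafile that is malformed or contains an Escape() record selecting the abort-procedure function. The function names (`header_offset`, `scan`, `record`, `metafile`) are hypothetical, and the sample files are constructed and carry no payload.

```python
import struct

PLACEABLE_KEY = 0x9AC6CDD7   # optional 22-byte "placeable" preamble
META_EOF = 0x0000            # record function that terminates a metafile
META_ESCAPE = 0x0626         # record that calls GDI Escape()
SETABORTPROC = 0x0009        # Escape() function number that installs an abort callback


def header_offset(data):
    """Return the offset of the 18-byte metafile header, or None if not WMF."""
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22
    if len(data) < off + 18:
        return None
    ftype, header_words, version = struct.unpack_from("<HHH", data, off)
    if ftype in (1, 2) and header_words == 9 and version in (0x0100, 0x0300):
        return off
    return None


def scan(data):
    """Classify raw bytes; returns (verdict, findings).

    The verdict is 'not-wmf', 'allow' or 'block'. The file name is never
    consulted, so a metafile renamed to .jpg is still recognised.
    """
    off = header_offset(data)
    if off is None:
        return "not-wmf", []
    findings, pos, saw_eof = [], off + 18, False
    while pos < len(data):
        if pos + 6 > len(data):
            findings.append(f"truncated record header at offset {pos}")
            break
        size_words, func = struct.unpack_from("<IH", data, pos)
        size = size_words * 2          # record sizes are counted in 16-bit words
        if size_words < 3 or pos + size > len(data):
            findings.append(f"record at offset {pos} has impossible size {size_words}")
            break
        if func == META_EOF:
            saw_eof = True
            break
        if func == META_ESCAPE:
            if size < 8:
                findings.append(f"META_ESCAPE at offset {pos} has no function number")
            elif struct.unpack_from("<H", data, pos + 6)[0] == SETABORTPROC:
                findings.append(f"META_ESCAPE/SETABORTPROC at offset {pos}")
        pos += size
    if not saw_eof and not findings:
        findings.append("no META_EOF record")
    # Fail closed: anything malformed or flagged is blocked.
    return ("block" if findings else "allow"), findings


def record(func, params=b""):
    """Constructed-sample helper: one WMF record with the given parameters."""
    assert len(params) % 2 == 0
    return struct.pack("<IH", 3 + len(params) // 2, func) + params


def metafile(records, placeable=False):
    """Constructed-sample helper: header + records + META_EOF."""
    eof = record(META_EOF)
    body = b"".join(records) + eof
    largest = max(len(r) for r in records + [eof]) // 2
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, 9 + len(body) // 2, 0, largest, 0)
    preamble = b""
    if placeable:
        # Checksum left as 0; the scanner does not depend on it.
        preamble = struct.pack("<IH4hHIH", PLACEABLE_KEY, 0, 0, 0, 100, 100, 1440, 0, 0)
    return preamble + header + body


# Constructed samples (no payload in any of them).
BENIGN = metafile([record(0x0102, struct.pack("<H", 1))])            # META_SETBKMODE
COMMENT = metafile([record(META_ESCAPE, struct.pack("<HH", 0x000F, 0))])  # MFCOMMENT escape
FLAGGED = metafile([record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 0))])
RENAMED = metafile([record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 0))],
                   placeable=True)   # what a ".jpg" upload might really contain
TRUNCATED = BENIGN[:-4]
JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 32

if __name__ == "__main__":
    for name in ("BENIGN", "COMMENT", "FLAGGED", "RENAMED", "TRUNCATED", "JPEG"):
        print(name, *scan(globals()[name]))
```

A check like this belongs at a mail or web gateway as a stopgap; it does not replace patching gdi32.dll, because it only recognises the one record pattern it was written for.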
Comment removed based on user account deletion
From Microsoft Security Advisory (912840):
"Users should take care not to visit unfamiliar or un-trusted Web sites that could potentially host the malicious code."
Now there's some good advice. Don't go to any website you don't trust. So, how do you tell if a site is trustworthy without going to it? What if MSN search links to a dodgy site? Does their search engine check the sites it crawls for known exploits? How are you supposed to surf the web if you don't visit unfamiliar sites? Does that mean I should just stick to the sites I already trust?
This sig is covered under the GPL.
http://news.yahoo.com/s/ap/20060103/ap_on_hi_te/microsoft_security
It's just not that bad you silly techies.
Life is a gift. And my Karma couldn't possibly be 'Positive'
As I was writing a summary of this situation to send to my friends and family who don't read the tech sites, I had an uneasy feeling, as if it wasn't quite right to send out this alarm. It nagged at me for several hours.
Finally, I got it -- this summary I sent had an uncanny resemblance to the old Virus Hoax Emails that we had to repeatedly debunk in the late 90s. You know, those alarming emails warning everyone to not open any .JPG or .GIF files because they contained viruses that would do all sorts of evil things to your computer, and to pass on the warning. We reassured everyone that this was just a hoax, and that data files don't contain code, etc...
Yet, all along, behind the scenes, was lurking this .WMF vulnerability...
Ironic, that this sorta makes liars of us all.
I just shake my head, and wonder why those dolts at Microsoft don't understand the basic concept of separating code, user data, system config data and user settings.
"Sorry, but I'm calling bullshit..."
You can call bullshit all you want, but Microsoft could not care less. The reason Microsoft can get away with things like this (taking its own sweet time fixing a major security issue) is because people just keep right on using Windows anyway. It doesn't matter how bad Microsoft screws over the 90% of computer users running their products, because these people are gluttons for punishment. They don't care if their computers are continuously being repeatedly overrun with viruses and spyware, or that they are being led around by the nose with what they can and can not do with their computer, or that they are basically logging into an advertising system when they turn on their PCs... they just keep coming back for more of the same. So why WOULD Microsoft hurry to fix ANYTHING in Windows? If joe six pack were to pull his head out of his rear-end and spend the limited effort required to learn to use a different operating system and applications such as Mac, Linux, OpenOffice.org, etc... only then will Microsoft feel they are losing control of his balls and start to give their customers more credit than a bunch of sheep.
..the vulnerability is a purposely-'designed', never-used legacy "feature" that is inexcusably promoted into Windows NT and crassly planted in XP despite the alleged Win2000 GDI rewrites, and last month's assiduously assinine GDI audit? Hello, your tyrant 'leaders' and their DELIBERATE 'incompetence' allowed another 9-11 ? [Besides HOAXED WMD, and NOLA and the intentional FEMA Farce for forced DEM dilution] doh, that's a way to enslave peons willingly "for their own protection" So the masses all sign-up for the MS-Police state, assisted by their bugged phones... all to the glee of the RIAA, RR, and similar corporatists, proponents of the RIGGED 'voting' machines, the [By the Rich, FOR the Rich] OWNED and paid-for 'media' and 'Congress'. And for dessert: Guess what, the military would have been called-out "if" the election-rigging had somehow failed! Spoken like a true conspiracy-theorist!... AMEN ==>More-On IT http://wtchoax.blogspot.com/ J
Microsoft Security Advisory (912840): Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution.
"How could an attacker exploit the vulnerability?
An attacker could host a malicious Web site that is designed to exploit this vulnerability through Internet Explorer and then persuade a user to view the Web site."
http://www.microsoft.com/technet/security/advisory/912840.mspx
Hmmm, it would appear there is more than one way to apply a patch: install Firefox and Thunderbird.
..the vulnerability is a purposely-'designed', never-used legacy "feature" that is inexcusably promoted into Windows NT and crassly planted in XP despite the alleged Win2000 GDI rewrites, and last month's assiduously assinine GDI audit? Hello, your fancy tyrant misleaders and their DELIBERATE 'incompetence' allowed another 9-11 all over 'your' (theirs) peecee! doh, that's a way to enslave peons willingly "for their own protection" It is already two years behind schedule for the masses to sign-up for the MS "subscription" aka internet concentration camp! the Borg is uber-master of the manchurian chimp, notice how simple the manipulation is.
if Microsoft tells us "don't download executables from untrustworthy sources" is referring to a statement that is more recent than this feature. Like the parent mentions, it was something that was needed back then. Things like this are just a result of an evolving world.
The Parent is not stating it's not a problem now, but it does explain the origin of this problem that in fact is a real feature and not a bug. You can state whatever reason why it "in fact is a bug", but the fact is that the thing just works as designed, but it was designed in a time when the side effects were not as important.
If you really want to blame MS for something, blame them for not keeping track of their old features in an evolving world.
UNIX only looks up magic headers with using the execve() system call, and not with open()- and only if the file is marked +x - and only if it's on a filesystem marked exec.
Completely correct (and yes, I did know this), but you're still missing the point. Windows does not execute the WMF file directly. It calls a graphics handler which determines that it's a WMF (from the header) and then passes it off to the DLL that handles WMFs. How is this different from a user in Konqueror or Nautilus or any other file manager double clicking on a data file and the file manager attempting to figure out what it is?
One of the problems here is that Windows' rape victims cannot disable WMF support and continue using Windows: It's part of GDI- a critical system component.
And yet unregistering the DLL is one of the widely recommended steps that's completely successful as long as you don't have some other vulnerability that re-enables it. It's not as integral as you seem to think.
Another problem is that Microsoft is inconsistent with regards to what opens what
Now here I completely and totally agree with you. And I indicated as much in my prior post. It's bloody difficult to diagnose problems, secure your system, or change how things work when there are a dozen different ways to get things done, they're poorly documented, and in many cases nearly impossible to alter anyway. Unix is considerably better in this regard (at least once you find the right documentation), but MS just keeps adding APIs and interface layers.
The real issue here was that MS, in its infinite stupidity, designed a data file format that inherently contained executable code! That's fucking insane. You load a graphics file and in it it sets a callback function in case of error? How was that not screaming "exploit me now!", even back in the Win 3.x days?
Of course, for some reason I doubt that MS was the only one to ever do something this inane. I wonder if any widely spread file formats have something similar -- the search will certainly be on now.
How is this different from a user in Konqueror or Nautilus or any other file manager double clicking on a data file and the file manager attempting to figure out what it is?
How about that's not UNIX?
KDE and GNOME may be desktop environments that run on UNIX, but they are not UNIX.
Moreover: You have to actually double-click on something. Not just get sent an email or a URL (remote!) or a MSN Messenger message.
It might be better to say: It's the same as Lynx or Mutt launching a viewer for any other file- except that they honor the MIME type (even if discovered through mime.magic) and /etc/mailcap.
The helper-launchers on UNIX should be using /etc/mailcap in that situation that explicitly lists handlers that are (well, supposed to be) safe for "looking at" files coming from an untrustworthy source.
And yet unregistering the DLL is one of the widely recommended steps that's completely successful as long as you don't have some other vulnerability that re-enables it.
As long as you don't have any programs that load images using the GDI interface directly.
That's just one program- one attack vector. There are plenty of others- yes that includes reenabling that DLL, but the execution behavior doesn't exist in that DLL, it exists in GDI32.DLL - something you cannot so easily disable.
This is scary stuff. Really scary.
The real issue here was that MS, in its infinite stupidity, designed a data file format that inherently contained executable code! That's fucking insane. You load a graphics file and in it it sets a callback function in case of error? How was that not screaming "exploit me now!", even back in the Win 3.x days?
Office documents can have executable macros. Microsoft makes this mistake a lot.
However, getting something into office is a lot harder than getting something into the GDI system: First of all, people can uninstall Office, but having to uninstall a critical system component in order to be safe,
well... maybe that's the point...
I've done a fair amount of testing of variations of the exploit with a Windows 98 virtual machine and cannot seem to get the exploit to work either for a default install, or an install with Office 97 + Photo Editor, or with IrfanView to view WMF files. I've tried renaming the WMF with other extensions: jpg, gif, doc, htm. I had a site visitor suggest putting it as an image in a web document. Nothing seemed to give traction.
The proof of concepts that I've seen run something like calc to prove you're vulnerable. The path information for calc.exe is a bit different in Win98 and that might not be a good test. I've been using the metasploit framework on a local machine to test from.
Details on all the variations of my testing are at my website.
An important point though is that this bug exists in all windows operating systems going back to Windows 3.0. The fact that THIS exploit doesn't seem to work isn't very comforting. The next one could, or it simply could be more difficult to make happen on older Windows. I wouldn't by any stretch of the imagination take my testing to declare Windows 98 "safe".
Avery
http://www.averyjparker.com/
How about that's not UNIX?
Point taken. And none of the shells that I'm familiar with do anything silly like that either -- if the file isn't marked executable, they won't execute it or attempt to figure out how to.
Office documents can have executable macros. Microsoft makes this mistake a lot.
Yes, but they're generally sandboxed to some degree or another. Well, at least they are nowadays. And there are very legitimate reasons for macros in office documents (although not so much for ones that auto-execute on open). This isn't sandboxed, and it's absurdly dangerous because of it. Defenders could claim that WMF was invented before the widespread use of networking (which is questionable), but even back then trojans and virii were commonplace. I'm utterly amazed that it took someone so long to find out this vulnerability.
As I said in my first post, it's utterly unacceptable that MS hasn't released a patch that simply disables the functionality in question. Even if it breaks some things. Equally unacceptable is their decision to make this part of the monthly patch cycle instead of releasing it immediately upon final approval from QA. I suspect their decision to do that was an attempt to downplay the significance of the vulnerability. It hasn't worked.
What fucks me off, is how Microsoft says "this exploit should not affect users practising safe internet behaviour"!!
The absolute cunts!
They mean never clicking on a website you've never been to?
They mean preemptively blocking all banner-exchanges in case someone has uploaded a WMF as a jpg?
What about going to any blog. They all allow off-site images to be loaded.
What about getting an email from someone you don't know! (Or someone you do know who has been infected with a worm)
All it takes to be infected is a lousy view of a malicious WMF. Could be in IE, could be in Outlook. It's impossible to avoid, even for the best of us using Windows.
They are assholes. Smarmy fucks. And they're telling people not to use the patch, which OBVIOUSLY WORKS!! It's just a DLL injector, not that hard to work out for Microsoft (I'm sure they must know something about their internals)
Anyway
Rant over,
I wish I used Linux.
PS (Rant again) That scuba diving guy from MS with the blog is a fuckwit.
You just repeat your previous statements, still ignoring the fact that when this feature was designed the design was a valid design choice given the requirements at the time.
The fact that it is a problem now is caused by something different than the original design choice (actually since the requirements changed).
Comparing UN*X and Windows (especially at the time the choices were made) in this case is actually silly, they're built with completely different approaches. Comparing things this way will allow anyone to call anything "bad engineering" (like American cars for example).
Yes, but they're generally sandboxed to some degree or another. Well, at least they are nowadays.
But they weren't designed that way, and when MS made the change to do that, macros broke. If you have to break legitimate use in order to "fix your problem" then your problem was that you didn't design it well in the first place.
And there are very legitimate reasons for macros in office documents
I completely agree- Files I edit in VIM frequently have lines at the end that invoke some vim commands, but these commands are only able to set presentation options for the file I'm currently working on. Auto-execute or not, there's no vim option that runs an "arbitrary program" for some crazy "extensibility" goal to be met.
Microsoft Office macros on the other hand, can actually gain access to ActiveX controls- and in some cases, can even "install them" (although these days it seems like they have to be signed)- the goal may have been to make it possible to extend the macro system in ways they didn't anticipate, but that's not what happened! What happened was Microsoft introduced a generic mechanism for discovering attack vectors.
Defenders could claim that WMF was invented before the widespread use of networking
And they do (see the other parts of this thread)!
They miss the point. WMF isn't a good design at any point because it's another file format that people are encouraged to TRUST as being content and not code- just like DOC and XLS files are supposed to be documents-- content- and not a program.
It's like someone sending you a JPG file- you don't think for a moment whether you have to trust the sender.
As a result, Microsoft thought of WMF as a JPG as well- and MSIE and MSN Messenger load it immediately and transparently.
So apparently, Microsoft was SO CLEVER to make WMF the ultimate extensible graphic format that they FORGOT that it's not a graphic format at all- it's not even a document/content file, but instead a code/program file.
If Microsoft isn't smart enough to know which files are code/program and which ones are document/content how can regular users be expected to know the difference?
True story: My mother in-law used Windows at one point and kept getting virus'd. The advice from everyone was always the same "don't open executable attachments" and she swore she didn't.
One day, I happened to watch her open an executable attachment from her email client and I said "I thought you never opened executable attachments" and she said "It's not! It's a HTML file"
It didn't end in .EXE or .COM or .LNK or .PIF anything like that- and she knew those file extensions were dangerous. But what other ones? What about this ".HTA" file? How was she to know?
Okay, so now she knows about ".HTA" for next time.. What else?
See, the problem here is that she doesn't know. Not only does she not know, but Microsoft doesn't know either. Everyone's screwed because at one point Microsoft thought that the distinction was unimportant.
So these people that say that WMF's were a feature or designed correctly or etc, are missing the point. WMF was and is something that people didn't understand.
Do we stop using .HTA files? No. They're still here, only now they're considered an executable format. What makes WMF so different?
WMF is different because Microsoft made ANOTHER bad choice: and that was that Server Administrators didn't know what they were doing with their MIME types. Of course, they did, but once Microsoft stopped looking at the MIME type and started using the EXTENSION and magic typing, they didn't have to, and so they didn't.
This was introduced also, to solve a problem that didn't exist (do you know of any WMF files that needed some magic extensions?), but once they in