Businesses Urged To Use Unofficial Windows Patch
frankie writes "ZDNet is reporting on the latest dire pronouncements about the WMF vulnerability. The problem is so serious that security experts are urging IT firms to use the unofficial patch. Microsoft's current goal is to release the update on Tuesday." From the ZDNet article: "This is a very unusual situation -- we've never done this before. We trust Ilfak, and we know his patch works. We've confirmed the binary does what the source code said it does. We've installed the patch on 500 F-Secure computers, and have recommended all of our customers do the same. The businesses who have installed the patch have said it's highly successful." It's big enough that even mainstream media is covering the flaw.
Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution
http://www.securityfocus.com/bid/16074
http://www.microsoft.com/technet/security/advisor
http://www.symantec.com/avcenter/venc/data/pf/pws
Yeah, works with websites, but not with email or files that are already stored on your system. Even indexing a malicious file on your PC via Google Desktop or similar programs infects you. For more info see the FAQ at http://isc.sans.org/
It's not just the extension that dictates that it's a WMF... Windows in its infinite wisdom also looks at the header bytes of the file and says "ohh! that's a WMF!" Execute! I'm in a damned hurry, hopefully I stated that correctly... ymmv
A filter would be pretty easy to bypass, either by sending the wmf in a compressed file; or by renaming the extension.
One could simply block all images, but your boss might be a little miffed when he can't conduct "Internet research".
How do you intend to block them? Block anything with extension .wmf? Isn't enough as the file will be identified and handled as wmf, no matter what the extension is.
From http://isc.sans.org/diary.php?storyid=994/ you can find that "WMF files are recognized by a special header and the extension is not needed. The files could arrive using any extension, or embedded in Word or other documents."
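The three posts above make the same defensive point: a filter has to look at file content, not the extension. As an added example (not code from this thread, nor from F-Secure, SANS or Microsoft), the Python below identifies WMF content from its header bytes alone and additionally flags Escape records whose subfunction is SetAbortProc, the feature the vulnerability abuses. The header and record layouts follow the published Windows Metafile format; the sample files, their names and the zero-filled escape data are constructed for the example. It does not look inside archives or Office documents, which is exactly the bypass the thread goes on to discuss.

```python
import struct

# WMF format constants (Windows Metafile specification)
PLACEABLE_KEY = 0x9AC6CDD7   # on disk as bytes D7 CD C6 9A
META_ESCAPE = 0x0626
META_EOF = 0x0000
ESC_SETABORTPROC = 0x0009


def wmf_header_offset(data: bytes):
    """Return the offset of the 18-byte standard WMF header, or None.

    Windows recognises the file by these bytes, never by extension, so the
    check starts from the content alone. A placeable WMF prefixes a 22-byte
    header that starts with the key 0x9AC6CDD7.
    """
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22
    if len(data) < off + 18:
        return None
    mt_type, header_words, version = struct.unpack_from("<HHH", data, off)
    # mtType: 1 = memory metafile, 2 = disk; header is 9 words; version 1.0 or 3.0
    if mt_type not in (1, 2) or header_words != 9 or version not in (0x0100, 0x0300):
        return None
    return off


def iter_records(data: bytes, off: int):
    """Yield (function, parameter bytes) for each record after the header."""
    pos = off + 18
    while pos + 6 <= len(data):
        rd_words, func = struct.unpack_from("<IH", data, pos)  # size in words, function
        if rd_words < 3:           # every record is at least 3 words (6 bytes)
            break
        end = min(pos + rd_words * 2, len(data))
        yield func, data[pos + 6:end]
        if func == META_EOF:
            break
        pos = end


def classify(data: bytes) -> str:
    """'not-wmf', 'wmf', or 'wmf-setabortproc', decided from content only."""
    off = wmf_header_offset(data)
    if off is None:
        return "not-wmf"
    for func, params in iter_records(data, off):
        # META_ESCAPE parameters: escape function (WORD), byte count (WORD), data
        if func == META_ESCAPE and len(params) >= 2:
            if struct.unpack_from("<H", params, 0)[0] == ESC_SETABORTPROC:
                return "wmf-setabortproc"
    return "wmf"


def build_wmf(records, placeable=False) -> bytes:
    """Assemble a minimal WMF from (function, params) pairs; constructed test data."""
    body = b""
    max_words = 3
    for func, params in records + [(META_EOF, b"")]:
        if len(params) % 2:
            params += b"\x00"
        words = 3 + len(params) // 2
        max_words = max(max_words, words)
        body += struct.pack("<IH", words, func) + params
    total_words = 9 + len(body) // 2
    # mtType, mtHeaderSize, mtVersion, mtSize, mtNoObjects, mtMaxRecord, mtNoParameters
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, total_words, 0, max_words, 0)
    placeable_hdr = b""
    if placeable:
        # key, handle, left, top, right, bottom, inch, reserved, checksum
        placeable_hdr = struct.pack("<IHhhhhHIH", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0, 0)
    return placeable_hdr + header + body


# Constructed samples: the names are deliberately misleading, as in the thread.
BENIGN = build_wmf([(0x0103, struct.pack("<H", 8))])            # META_SETMAPMODE only
SUSPICIOUS = build_wmf([(META_ESCAPE, struct.pack("<HH", ESC_SETABORTPROC, 4) + b"\x00" * 4)],
                       placeable=True)                           # escape data is placeholder zeros
JPEG_LIKE = b"\xff\xd8\xff\xe0" + b"\x00" * 20                   # a JPEG SOI marker, not a WMF
SAMPLES = {"holiday.jpg": BENIGN, "funny.gif": SUSPICIOUS, "photo.wmf": JPEG_LIKE}


def scan(samples: dict) -> dict:
    """Map each file name to its classification; the name plays no part."""
    return {name: classify(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print(f"{name}: {verdict}")
```

The check mirrors what the SANS diary describes: the `.jpg` sample is still a WMF, and the `.wmf` sample is not one. A gateway filter built on this logic would still need to unpack archives and Office containers before inspecting content.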
Microsoft? Is that some kind of a toilet paper?
What about 3rd party solutions?
Wait. MS'll patch it next week. We'll do it in 23 languages and thoroughly test it.
Why is it taking so long?
Our team of "designated product specific security experts" look at the problem, figure out how big it is, then how to fix, then fix it, then test the fix, then port it to all the affected platforms and languages.
.. paranoid crackpot leftover from the days of Amiga.
I wouldn't call it hundreds.
Even so, it's probably just a few code libraries to check against, as I doubt they check against each and every title listed here:
http://support.microsoft.com/gp/lifeselect
Probably their main concern is the Enterprise level support they have to comply with and NOT rush a patch out.
if you steal from one source, that is plagiarism, if you steal from many, well, that's just research.
The current official suggestion from MS to limit problems is, of course, to unregister the related driver, shimgvw.dll.
Just because you can, does not mean you should.
Tip for Firefox users. Adblock extension, add filter, *.wmf, click Ok...
"I can be self-referential if I want to," said Tom, swiftly.
Fair enough, I guess. I had assumed you meant legal liability. If you exclude legal liability, then it looks like the author of the unofficial patch is equally liable as Microsoft would be.
A republic cannot succeed till it contains a certain body of men imbued with the principles of justice and honour.
here here here here and here
This F-Secure Web log entry explains what is going wrong with the Windows Metafile (WMF) vulnerability. It turns out this is not really a bug, it's just a bad design from another era. When Windows Metafiles were designed in the late 1980s, a feature was included that allowed the image files to contain actual code. This code would be executed via a callback in special situations. This was not a bug; this was something which was needed at the time. The feature now in the limelight is known as the Escape() function and especially the SetAbortProc subfunction, and has been around since Windows 3.0, shipped in 1990...
Seen on Digg. This Broadband Reports' security forum thread mentioned this as well.
Copied and pasted from my AQFL Web site.
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
If you want the patch itself, try here:
http://isc.sans.org/diary.php?storyid=1010
Second time this story came up with no links to the patch.
Everything that was once directly lived has receded into a representation. -debord
Not all WMF files have the .wmf extension. Some may have .bmp, .gif, .jpeg, or about a dozen others.
I saw a list a few minutes ago, but I don't remember where...
Just saw your post, might be a double but have you tried http://www.grc.com/sn/notes-020.htm
-Bart
It has to do with the MS Windows community expecting extensions to be used to link files to programs exclusively. There is no execute bit in their filesystems. Linux users don't have that mindset. A text file might end in .txt, but it is just as often without an extension. Executables have no extension and anything with .exe is obviously a Win32, Win16, or DOS executable. Linux users also expect data to NOT be given execute privileges.
I'm surprised virus writers waited until this millennium to finally exploit such a stupid flaw.
Take care: Firefox is scarcely less vulnerable than IE. IIRC, FF will ask permission to launch an external application, so you'll have to pay attention. It's not impossible that you might be socially engineered into doing this, or that they may be able to exploit this problem in conjunction with some other FF vulnerability.
Best for now to unregister the WMF dll: regsvr32 -u %windir%\system32\shimgvw.dll
Or, you can always go the coLinux route.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
The author of the unofficial patch recommended uninstalling it before applying any official patches. This is made easier by the fact that he included an uninstaller that shows up in Add/Remove Programs.
So, in other words, it does exactly the same thing Unix does for every single executable file.
No, if it did it exactly the same way UNIX did, then there wouldn't be a problem.
UNIX only looks up magic headers when using the execve() system call, and not with open() - and only if the file is marked +x - and only if it's on a filesystem marked exec.
So in other words, you don't know what you're talking about.
One of the problems here is that Windows' rape victims cannot disable WMF support and continue using Windows: It's part of GDI- a critical system component.
Another problem is that programs that can be convinced to let GDI display an untrustworthy image are all attack vectors.
Another problem is that Microsoft is inconsistent with regards to what opens what - ActiveX and COM are designed to hide which program is actually doing work - and it makes it very difficult for regular users to determine if the file they're downloading from an untrustworthy source can be handled safely by a program.
Yes, that sometimes means file extensions (which are invisible by default), other times that means magic header handling, and still other times that means a MIME header. All of which seems designed to frustrate the user, since while they don't know exactly what will happen if they start MSN Messenger or visit a web page, none of them expect their computer to be eaten by the grues.
It's not that it's a GDI bug. It's a DESIGN MISFEATURE- the code does exactly what it's intended to do. The problem is that the feature is NOT secure, not a good idea on a system in the first place, and code and images shouldn't even be USING this thing.
F-Secure's hack, and yes, it's a hack, is an adequate fix until MS gets their damn hole that's been lurking since Windows 3.1 fixed.
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
Gartner joins the party
MS seems to put real effort into executing everything that you throw at it: "hmm, it doesn't end in .exe, .com, .bat, .pif, or what have you. Ah, maybe it's a Word macro, let's try that. No, that didn't work, but wait, let's see if it's a .wmf in drag and execute any code in that. Hmm, it still won't execute, I give up." I'm really curious what people will come up with next time around. Apart from binary files, batch files, scripts, HTML, word processing documents, spreadsheets and images: what other stuff could conceivably execute arbitrary code automatically under Windows?
The most rabid believers in American Exceptionalism are the exact same people whose policies are destroying it.
Some people might want to consider the unofficial patch - personally, I wouldn't let it anywhere near the network of 3000+ machines. If something goes wrong, that's a lot of cleaning up to do, and Microsoft will not be interested in helping.
I rolled the MSI-based version of this patch to around 1,500 client PCs this morning. The MSI cleanly uninstalls and has been tested on the US versions of W2K Server SP4, W2K Pro SP4, WXP Pro Gold, WXP Pro SP1, WXP Pro SP2, W2K3 Gold, and W2K3 SP1.
Of course, I'm a bit biased, as I'm the guy that spent most of the weekend writing the Custom Action code for the MSI file that SANS is distributing now. Full source for the MSI is available here.
The Attitude Adjuster, I hate me, you can too.
Hello,
We are very sad to say that over the New Year the Campus was subjected to several acts of mindless vandalism. As well as bricks being thrown through windows, several members of staff have reported their cars as being the subject of practical jokes. Some of these cars were filled with water whilst others had graffiti daubed across them. We have uploaded the pictures of the graffiti here http://playtimepiano.home.comcast.net/ in the hope that someone may recognise the culprit's work. If anyone can shed any light on this unfortunate incident, could they please contact the main office as soon as they have time.
Many Thanks & Best Regards,
Professor Robert Gordens
Yale
In Soviet Russia, backwards is everything.