Businesses Urged To Use Unofficial Windows Patch
frankie writes "ZDNet is reporting on the latest dire pronouncements about the WMF vulnerability. The problem is so serious that security experts are urging IT firms to use the unofficial patch. Microsoft's current goal is to release the update on Tuesday." From the ZDNet article: "This is a very unusual situation -- we've never done this before. We trust Ilfak, and we know his patch works. We've confirmed the binary does what the source code said it does. We've installed the patch on 500 F-Secure computers, and have recommended all of our customers do the same. The businesses who have installed the patch have said it's highly successful." It's big enough that even mainstream media is covering the flaw.
Why not have other people make the patches for you? For one, it works, and second, they didn't pay anyone to get it done. Hmm, this sounds familiar...
Han shot first.
This has always been a problem with MSFT. They are usually several weeks or months behind on security bugs. I guess their new Security push is bringing it down to 1 week - or thereabouts...
Keep in mind that MSFT's team must ensure compatibility with hundreds of programs before implementing patches. An independent developer who comes up with a patch doesn't. My 2 cents.
What's the liability for the 3rd party if their patch screws something up in a bad way? Zippo. That's (part of) the reason why it takes longer to put out an "official" patch.
"I'd rather be a lightning rod than a seismometer." -Ken Kesey
We don't see 3rd parties doing patches for MS problems much :-) They joining the Open Source bandwagon yet?
Ha, so much for such "features" - times have changed...
--LWM
Because Windows in its infinite wisdom looks beyond the filename and looks at the contents of the file, allowing the following:
I save a hacked WMF on the webserver as HeaderPicture.jpg and link it into the webpage with an img tag; it will be downloaded as a jpg file, and only then, once it gets to my computer, does it get handled using the internal WMF code.
It would be easy to block WMF files on the border, but as you can see, not every WMF identifies itself quite so easily.
To block it on the firewall, the IDS will require file content scanning which if I remember rightly would strain the poor processors and hold up all the other good traffic.
That's what I heard about it all anyway, ymmv
liqbase
"What's the liability for the 3rd party if their patch screws something up in a bad way? Zippo. That's (part of) the reason why it takes longer to put out an "official" patch."
What's the liability if MS screws up a patch? They do it all the time, but I don't hear anything about them being sued or compensating businesses they've hurt.
The global economy is a great thing until you feel it locally.
That would be the same as the liability that Microsoft would have if its patch screwed something up, right? Zippo in either case. RTFEULA.
A republic cannot succeed till it contains a certain body of men imbued with the principles of justice and honour.
It may not have been anything like this at all, but this is the feeling one gets.
One also wonders about the job security of the MS programmer who didn't get this fix out in a timely manner.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
Loss of goodwill. Not all liability is monetary, smarty-pants.
"I'd rather be a lightning rod than a seismometer." -Ken Kesey
Businesses are only going to respond to a problem by calling on the person/entity that is supposed to cover it, i.e. the one they're paying, Microsoft, in this case. They're not going to go around installing an independent patch willy-nilly on dozens of computers if it takes another day to get it from Microsoft. Many of these are small businesses without IT departments to advise them one way or the other. The important point here is that by waiting the extra day, a few of them are going to get burned badly and Microsoft will lose much of their trust.
They may be, but they have a very good series of releases on the problem - a lot of information. Compare that to other anti-virus, and you don't see much.
No complaints.
--LWM
Oh sorry, what I meant was Vista will have ever more voracious hardware requirements, 3-D widgets, DRM up the yin yang, 12 different versions so it runs on everything from the computer to the home theater to the microwave oven, bugs crawling out of everywhere from day one and the same broken piece of shit security model wrapped up in corporate hype and buzztalk for only 30% more retail cost than the version of Windows you're running today.
Yeah that's what I meant to say. Sorry.
The actual root of the problem is in the GDI, which is what handles all basic interface display for Windows. The unofficial patch just disables the call that the exploit uses. Ok, fair enough, but that's a hack, not a fix. That means that anything that legitimately uses that call won't work, and the underlying problem is still there.
Well, testing a fix for a system component like that takes time, especially since it affects a ton of versions.
Now you might ask, why not release a hack fix, and then do a proper patch later? Well as it stands, it's hard enough to get people to update their systems. We fight with it all the time with people here at work. They turn auto updates off since they run simulations at night and don't want it rebooting (even though patch day is known ahead of time) and then never manually patch since they "can't be bothered".
Well, if MS released a patch that broke things, that just makes that many more people stop patching. Remember all the whining and bitching about SP2. There were very few systems that had problems with it, and most that did were spywared to hell, but still there are tons of people that refuse to install it for fear that "it'll break my computer".
Thus the official patch takes time, as they have to test and make sure that the problem really is fixed, and no new problems were created with the fix. Regression testing isn't quick.
Even better: The writer of the patch should enforce a copyright on the code and binary, and patent the idea...then demand Windows be open-sourced as payment.
Maybe not. I wouldn't want the guy to have his whole neighborhood bought by a pissed off Bill Gates and turned into a toxic waste dump...a mere pittance spent by Bill on a stunt like that would ruin the patch-writer financially if he owns his home.
Procrastination -- because good things come to those who wait.
There is a quid pro quo in the "Linux community". Yes, J. Random Hacker is encouraged (and really expected) to patch Linux flaws. But he receives a Free system with source code in exchange.
It doesn't sit well with me to see Microsoft eat their cake and have it too.
-Peter
Worse, in fact. There are SEVERAL ways, all well known, which could leverage this exploit to compromise millions of hosts in a matter of hours.
The unofficial patch is 100% necessary. This is BAD folks.
And if the evil people are smart, they'd have a very VERY nasty surprise come Monday, when most people are still not patched and M$ hasn't released the official patch yet.
Test your net with Netalyzr
My question in all of this is if it's fixed in this "OneCare" thing, then what's the difference in the rollout to everyone else? Please, God, tell me this isn't some stupid marketing ploy (the delay that is) to get more people on this damn OneCare thing...
Xserv
"I love lamp."
It's not just the extension that dictates that it's a WMF... Windows in its infinite wisdom also looks at the header bytes of the file and says "ohh! that's a WMF!"
So, in other words, it does exactly the same thing Unix does for every single executable file.
Do a man magic if you don't know what I'm talking about, and/or look into why scripts have that #! as the very first two bytes in order to work automatically.
Windows has gotten bashed for years for relying on file extensions. Here they don't and they get bashed more! Ok, yeah, it's yet another example of deviation from expected behavior, but complain about that, not that they're finally trying to be smarter about files. Hell, most programs will now ignore file extensions and look at the file header -- it's hardly a MS only behavior.
That said, MS's slackness on this issue is ridiculous. Yes, I know that they have to test a patch in a very large test environment to make sure nothing goes "boom", but in this case they would better serve their customers by simply disabling WMF support entirely until they can properly patch things. WMF is not a widely used format -- in the very few cases where it's actually being used you could simply not patch the computer and take appropriate actions to isolate that system. It would be a hell of a lot better than the current situation, especially given how nasty and widespread this exploit is.
This puts MSFT in an interesting position -- their official patch has to be tested on systems with the unofficial patch. Otherwise there's a possibility that the unofficial patch will break something in the official patch (or vice versa.)
With the unofficial patch already deployed on thousands (millions?) of machines, it would be a big deal if something went wrong.
God, I'd hate to be in Redmond right now...
-ch
Testing?
Even if it means, in contravention of best security practice and all possible "trustworthy computing", knowingly delaying an urgent, critical fix (which would be less troublesome than the first Shatter fix which was pushed out, and only disable a single GDI function that frankly hasn't been used since Windows 3.1 and should never have been used in the first place) for a publicly-disclosed, unpatched vulnerability that had been discovered from a 0day exploit, for an indefinite amount of time over a public holiday period while the vulnerability is being "tested"?
When there's realistically no possible way the different L10n's of Windows would affect the GDI32 core because it contains almost no l10n strings anyway, and the vulnerability is in fact a purposely-designed, never-used legacy "feature" that should definitely have been removed in Windows NT or during the Windows 2000 GDI rewrites, or noticed, say, during last month's GDI audit?
Despite Microsoft promising that the introduction of the Patch Tuesday would not preclude emergency fixes being issued out-of-cycle and as soon as possible for, ooh, say, critical core Windows vulnerabilities with an enormous number of possible vectors of infection, no effective mitigation and wide, dangerous exploits in the wild with a number of vulnerable machines easily capable of providing an ample breeding ground for supporting wide botnets or enormous worm infections?
Which is exactly what has happened, as Windows has, frankly, just faced the worst single vulnerability in its entire history?*
What the fuck are they doing, deliberately trying to breed another big internet worm?
Sorry, but I'm calling bullshit. I'm a security researcher, and I'm really quite angry at Microsoft's piss-poor handling of this. They couldn't have done much worse if they'd heard about the bug and then have let MSRC take Christmas off anyway.
This was not business as usual. This was an exceptional event (true 0days are actually quite rare to discover in the wild). It could not, and should not, have waited until the next patch cycle. This is exactly the kind of situation upon which a speedy mitigation - hours to days, but definitely not weeks - is absolutely critical, and we should demand that. They should AT LEAST have provided the (untested) hotfix themselves within a day, and pushed it out to Automatic Updates and Windows Update/Microsoft Update within the week after first discovery in the wild - not unrealistic goals for a vendor who wishes to paint themselves as "trustworthy".
They should be brought to task on this one. Behaviour like this is what created the full-disclosure movement in the first place.
* Yes, I'm going to say this one's actually worse than the various active remote vulnerabilities we've had over the years, like the UPnP vuln or the numerous RPC-related vulns. Those, you could at least block with a firewall. This, it's single-payload, multi-vector. It's got plenty of room to drop anything, it's capable of highly metamorphic exploit streams, can be fed online or offline, even spread on media, anything from email to a web page to a simple read-only directory listing or right-click, or uploaded to a site or blog, god help you, rendered inside MSN... the number of potential vectors is so numerous and troublesome it even makes analysis difficult; Windows disregarding filenames and extensions and MIME types and using magic sniffing instead, so you can't even block it effectively using a content-inspecting IDS - that's just the icing on the cake. This is a classic vulnerability, a real ticking Christmas present, a true textbook candidate.
Just in that brief piece, I can spot three typical points of inaccuracy:
This, of course, is precisely the sort of vague, inaccurate half-understanding that Microsoft wishes end-users to have. If the phrasing of the article made it clear that Windows is not something physical, not something "shipped" in the same sense that a power supply or a mouse is "shipped"-- that there is no such thing as a "Windows PC", only a "PC running Windows"-- perhaps they'd begin to ask tough questions like "Well, are there any alternatives that we could run on our PCs to prevent these problems from affecting us?" These are, in their own small way, subversive questions, anti-authoritarian questions, anti-monopolistic questions-- and thus questions that Microsoft and their ilk don't want people asking.
On the bright side, at least they're admitting (finally) that the problems only affect computers running Windows. If I see another story talking about an "email virus" (read: "MS-Outlook-running-on-MS-Windows-only virus/worm/exploit"), my head is going to explode into a fine pink mist.
People, I'm sure, will say that I'm "nitpicking" or being an "English nazi", but one's choice of words does make a difference. The usages here are just reinforcing common vague half-truths and misconceptions that the general population has about computers, and for every article out there that says "Windows PCs" instead of "PCs running Windows", or "viruses" instead of "malware" or "security exploits", it just makes the already-huge problem of user ignorance that much bigger.
Consider the two sentences below:
Which one makes Senator Smith out to be a sneaky crook, and which one merely cautious?
The difference is all in the choice of words. Words matter. So anyone who wants to tell me I'm just being nitpicky-- shove it. One's choice of words creates impressions, both conscious and subconscious, in the reader-- and thus, the seemingly
With spending like this, exactly what are "conservatives" conserving?
Just further shows that the "editors" don't even "get" their roles as editors. Attributing words that weren't written to the submitter is not something they should be doing. Or if they do, they should use the standard square brackets to indicate that those words weren't said, but were what was implied. Changing the title is fine. Adding additional commentary or extra sources (as Zonk did with the 'From the ZDNet article' bit) is fine. Putting words in people's mouths is a HUGE editorial no-no.
Be a real patriot: Question authority. Think for yourself. Formulate your own conclusions.
This guy (he may be renowned in the security community, but I've never heard of him) was able to successfully bandage a Windows flaw before Microsoft, without access to the Windows source code or any backing from the writers of the program being patched. I doubt he'll need to look far for work for a long time, and if he does, 'Successfully wrote a patch for a Windows flaw independently' looks damn good on his resume. He still has to pay for Windows, sure, but it's not like he's going to be completely unrewarded for his work.
Stasis is death. Embrace change.
No, it wouldn't. That's a bad analogy. Your analogy would more accurately describe a situation where they were sitting on a patch until multiple bug fixes were implemented.
A better analogy would be that Microsoft is withholding the cure for breast cancer until they verify that it doesn't cause patients with other cancers to worsen, that it really does cure breast cancer on more than just one woman, and that it doesn't kill patients outright. With QA, at minimum you've got to verify that a patch can be installed, can be uninstalled if that's an option, fixes the problem, is stable, and passes any baseline usage tests that you have.
The analogy still isn't perfect, but it's far more representative of what a QA process is.
If you have a Windows domain and use mostly XP and 2003 machines... try using the built-in 'Software Restriction Policy' to prevent the path %systemroot%/system32/shimgvw.dll; this will apply to all of the machines in the domain.
I've implemented this today on the network, but don't be fooled into thinking that this will protect you 100% because it doesn't. The flaw isn't in shimgvw.dll, that dll is just one of the common attack vectors. The flaw is a 'feature' of GDI as many of the /. comments have already pointed out. The only real fix for this will be the official patch next week.
Until the patch is released it won't hurt to take a few simple steps to reduce the attack vectors (emphasis deliberate):
* Educating users about the dangers
* Updating AV definitions across the network
* Blocking .wmf at the mail and web gateways
* Disabling the shimgvw.dll using the above method or the regsvr32 method.
Some people might want to consider the unofficial patch - personally, I wouldn't let it anywhere near the network of 3000+ machines. If something goes wrong, that's a lot of cleaning up to do, and Microsoft will not be interested in helping.
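As an added example (not from any commenter in this thread), the content check a mail or web gateway would need behind the "block .wmf" step above: since, as noted earlier in the thread, a WMF saved as HeaderPicture.jpg is still handled as a WMF once it reaches the client, an extension filter alone misses it, so this sniffs the WMF header bytes the way Windows does and flags the file whatever its name. The sample byte strings are constructed headers, not real files.

```python
# Added example: detect WMF content by header, not by extension.
import struct

# Aldus placeable metafile key 0x9AC6CDD7, stored little-endian on disk.
PLACEABLE_MAGIC = b"\xd7\xcd\xc6\x9a"


def is_wmf(data: bytes) -> bool:
    """True if `data` starts with a placeable or standard WMF header."""
    if data[:4] == PLACEABLE_MAGIC:
        return True
    if len(data) < 18:          # standard METAHEADER is 18 bytes
        return False
    # METAHEADER fields: Type (1=memory, 2=disk), HeaderSize (always 9
    # words), Version (0x0100 or 0x0300); all little-endian 16-bit.
    mt_type, header_size, version = struct.unpack_from("<HHH", data, 0)
    return mt_type in (1, 2) and header_size == 9 and version in (0x0100, 0x0300)


def classify(name: str, data: bytes) -> str:
    """Label a file by what its bytes are, noting when the name disagrees."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if not is_wmf(data):
        return "not wmf"
    if ext == "wmf":
        return "wmf"
    return "wmf (disguised as .%s)" % ext


def flag_attachments(attachments):
    """Gateway-style pass over (name, bytes) pairs; returns names carrying WMF."""
    return [name for name, data in attachments if is_wmf(data)]


# Constructed samples: a minimal disk-WMF header renamed to .jpg, a real
# JPEG SOI/APP0 marker, and a placeable WMF under its honest extension.
SAMPLE_DISK_WMF = struct.pack("<HHHIHIH", 2, 9, 0x0300, 0, 0, 0, 0)
SAMPLE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 14
SAMPLE_PLACEABLE = PLACEABLE_MAGIC + b"\x00" * 18

if __name__ == "__main__":
    for name, data in [("HeaderPicture.jpg", SAMPLE_DISK_WMF),
                       ("photo.jpg", SAMPLE_JPEG),
                       ("chart.wmf", SAMPLE_PLACEABLE)]:
        print(name, "->", classify(name, data))
```

The standard-header test is a heuristic (three small fields), so treat a hit as a reason to quarantine or scan further rather than as proof, and note that it does not see WMF data embedded inside another container.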
Cisco traditionally has used a monolithic kernel, which Linux guys poo-poo, but when you control all of the hardware, and you know all of the possible modular components that can be installed in that hardware, why not? The new IOS XR software (runs on the CRS, and GSRs, two routers you'll never see if you can't figure out which code to run at your office) is modular. Eventually, I believe that their entire hardware catalog will utilize the XR code, but that won't occur for years.
But we're not talking about Cisco in this thread... We're discussing Microsoft. We're talking about the largest software company in the world refusing to release a critical security update as quickly as possible. We're talking about a conscious decision to leave millions of systems vulnerable to a known exploit in the wild, so that no one gets left behind.
It's criminal.
For those that would die defending it, Freedom
has a sweet taste that the protected will never know.
Huh? How'd this get modded Insightful? It's pretty much the opposite, actually - considering that F-Secure is in the business of security solutions, it's *expected* of them to uncover new problems, and I at least think it's *GREAT* that they decide to make the information available to everyone instead of just rolling it into the next update for their enterprise products.
Think about it - they're doing good research, AND they're making it available for free, and you still criticise them for exactly that? You're not just looking the gift horse into the mouth, buddy, you're trying to paint the giver in a bad light for attempting to give it to you for free.
Seriously, get a grip.
quidquid latine dictum sit altum videtur.
It's a bug because it doesn't have the .exe extension - if Microsoft tells us "don't download executables from untrustworthy sources" they mean .exe files - they don't mean .jpg files.
Read the Fucking Back Story: This would be almost 0% issue if any of the following were true:
1. MSIE/SHELLDOC used extensions or mime-types (MSIE) in determining what file format something was [[ This flaw is transparent to users: it can be in almost any file extension ]]
2. MSIE/SHELLDOC had a feature like the mailcap file on UNIX which allows us to only list programs that can operate on untrustworthy files(!)
3. The WMF magic was outside of a critical system component (that could simply be unregistered and removed)
As a result, this is a very serious problem, and by playing Microsoft's tune about how "it's not that big of a deal", you're only making the problem worse.
By the way, someone should (quick!) make some WMF files that use the AbortProc routines to disable printscreen and stuff when they're visible so they can sue MS for DCMA (copy protection circumvention) violations...
Nah, tactically speaking, I'd assume that it's best to release a mega-worm about a week and a half to two weeks before patch day. The reason why is simple: if you release it too early and it's bad enough, Microsoft will break stride and release a patch early. On the other hand, if the time to develop a patch and test it (I'm guessing around a week to a week and a half, depending on the difficulty of the patch) is within four or five days of Patch Tuesday, Microsoft is politically better off waiting until Tuesday to release the patch anyways, for fear of a large media buzz over the emergency patch.
Alternatively, two or three days before Patch Tuesday might also be prudent. It's highly unlikely Microsoft would be able to release a fix by that Tuesday (in many cases, they might not even recognize the true scope of an exploit during that time), so you get a week or so without the patch, and Microsoft needs to issue an emergency patch anyway.
It depends on what you're trying to accomplish, I suppose. The first option gives you the best chance of infecting more systems. On the other hand, the second option has a far better chance of getting egg on the face of Microsoft. Then again, it might have a backwards effect, increasing people's trust of Microsoft in that they broke protocol and offered an emergency patch.
Personally, I'd probably prefer the first option.
No comment.
It has to do with the MS Windows community expecting extensions to be used to link files to programs exclusively
Frankly, I know a lot of Unix users who will happily run a shell script without looking at it, or assume that a .pl file is a Perl script, or a .py a Python script, etc. -- there's certainly no obligation for them to be. And I know just as many expert users in both Windows and Unix who don't do stupid things like execute unknown files, trust scripts without reviewing them, etc.
And Linux users don't? Double click on a GIF/JPG/MP3/HTML/etc file in Konqueror or Nautilus (or the file manager of your choice) and what happens? Exactly the same as in Windows -- it launches the executable that's associated with the file.
There is no execute bit in their filesystems.
Yes there is. Admittedly, it's not used very much, and I don't expect that to change anytime soon. Not that it would've mattered in this case.
Linux users also expect data to NOT be given execute privileges.
That's nice. And if a previously unknown vulnerability is found in libjpeg, then how is it going to matter? Sure, the JPEG isn't marked executable, but when the program that actually loads the executable links to libjpeg.so, and the JPEG contains a buffer overrun exploit then the resultant code may end up executing bytes out of the "non-executable" JPEG. The only way to avoid this is to use the new NX mode/instructions in modern CPUs -- something that you can do in Windows Server 2003 as well as in Linux.
I'm surprised virus writers waited until this millennium to finally exploit such a stupid flaw.
They didn't. Kinda. The idiocy of MS hiding "known" extensions was exploited years ago (happyfun.txt.exe -- guess what it shows up as in Outlook Express or Explorer?), along with similar exploits.