Businesses Urged To Use Unofficial Windows Patch
frankie writes "ZDNet is reporting on the latest dire pronouncements about the WMF vulnerability. The problem is so serious that security experts are urging IT firms to use the unofficial patch. Microsoft's current goal is to release the update on Tuesday." From the ZDNet article: "This is a very unusual situation -- we've never done this before. We trust Ilfak, and we know his patch works. We've confirmed the binary does what the source code said it does. We've installed the patch on 500 F-Secure computers, and have recommended all of our customers do the same. The businesses who have installed the patch have said it's highly successful." It's big enough that even mainstream media is covering the flaw.
It brings interesting schemes into my mind. Oh don't mind me, I'm just going to grab my tin foil hat.
do.what.promptcmds
Why not just block wmf files at your corporate site? That would be easier than applying an unofficial patch on all the systems, and then having to roll it back when the official MS patch comes out.
Why not have other people make the patches for you? For one, it works, and second, they didn't pay anyone to get it done. Hmm, this sounds familiar...
Han shot first.
Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution
http://www.securityfocus.com/bid/16074
http://www.microsoft.com/technet/security/advisory/912840.mspx
http://www.symantec.com/avcenter/venc/data/pf/pwsteal.bankash.g.html
If you're curious as to what all they do, you can take a look here. A sample quote from the article:
In some cases, particularly when the Internet Explorer browser is involved, the testing process "becomes a significant undertaking," Toulouse said. "It's not easy to test an IE update. There are six or seven supported versions and then we're dealing with all the different languages. Our commitment is to protect all customers in all languages on all supported products at the same time, so it becomes a huge undertaking."
We don't see 3rd parties doing patches for MS problems much :-) Are they joining the Open Source bandwagon yet?
Ha, so much for such "features" - times have changed...
--LWM
Not to trivialize the severity of this current problem, but ever notice that regardless of the severity or type of problem/virus/etc... there's always a press release from F-Secure?
Also, the quote in the headline is from F-Secure recommending installation of the 3rd party patch, not from ZDNet as the headline may lead you to believe.
"I'd rather be a lightning rod than a seismometer." -Ken Kesey
It may not have been anything like this at all, but this is the feeling one gets.
One also wonders about the job security of the MS programmer who didn't get this fix out in a timely manner.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
It's ok, I found th...!&^!")NO CARRIER
liqbase
Businesses are only going to respond to a problem by calling on the person/entity that is supposed to cover it, i.e. the one they're paying, Microsoft, in this case. They're not going to go around installing an independent patch willy-nilly on dozens of computers if it takes another day to get it from Microsoft. Many of these are small businesses without IT departments to advise them one way or the other. The important point here is that by waiting the extra day, a few of them are going to get burned badly and Microsoft will lose much of their trust.
The current official suggestion from MS to limit problems is, of course, to unregister the related driver, shimgvw.dll.
Just because you can, does not mean you should.
This article isn't anything like the one that I submitted.
Mine looked more like this (body content from memory):
Oh sorry, what I meant was Vista will have ever more voracious hardware requirements, 3-D widgets, DRM up the yin yang, 12 different versions so it runs on everything from the computer to the home theater to the microwave oven, bugs crawling out of everywhere from day one and the same broken piece of shit security model wrapped up in corporate hype and buzztalk for only 30% more retail cost than the version of Windows you're running today.
Yeah that's what I meant to say. Sorry.
The actual root of the problem is in the GDI, which is what handles all basic interface display for Windows. The unofficial patch just disables the call that the exploit uses. Ok, fair enough, but that's a hack, not a fix. That means that anything that legitimately uses that call won't work, and the underlying problem is still there.
Well, testing a fix for a system component like that takes time, especially since it affects a ton of versions.
Now you might ask, why not release a hack fix, and then do a proper patch later? Well as it stands, it's hard enough to get people to update their systems. We fight with it all the time with people here at work. They turn auto updates off since they run simulations at night and don't want it rebooting (even though patch day is known ahead of time) and then never manually patch since they "can't be bothered".
Well, if MS released a patch that broke things, that just makes that many more people stop patching. Remember all the whining and bitching about SP2. There were very few systems that had problems with it, and most that did were spywared to hell, but still there are tons of people that refuse to install it for fear that "it'll break my computer".
Thus the official patch takes time, as they have to test and make sure that the problem really is fixed, and no new problems were created with the fix. Regression testing isn't quick.
Delaying the patch till the 10th doesn't exactly help them in the goodwill dept...
will be to compare the Microsoft released patch to the unofficial one.
It would be deliciously muddying for Microsoft if someone discovered significant parts of the unofficial patch in the official one.
Fair enough, I guess. I had assumed you meant legal liability. If you exclude legal liability, then it looks like the author of the unofficial patch is equally as liable as Microsoft would be.
A republic cannot succeed till it contains a certain body of men imbued with the principles of justice and honour.
here here here here and here
One site (maybe one of ebaumsworld's ads, I believe--I won't link there) tried to do something with it. avast! alerted me with its usual "Caution. A virus has been detected" sound and "abort connection" dialog and all of that. Don't know if it succeeded (nothing unusual now, though my browser did show a naughtier site instead that time; I visited a few times again and it showed my intended site as usual, with much less naughtiness)
You can hold down the "B" button for continuous firing.
Kirk: Fix the WMF hole!
...
Let me guess: Tuesday?
Microsoft (Research) said in a security bulletin on its Web site, "we are working closely with our antivirus partners and aiding law enforcement in its investigation."
Cool - law enforcement is investigating Microsoft? About time!
get a rope!
There is much cruelty in the universe, John.
Yeah, we seem to have the tour map.
Worse, in fact. There are SEVERAL ways, all well known, which could leverage this exploit to compromise millions of hosts in a matter of hours.
The unofficial patch is 100% necessary. This is BAD folks.
And if the evil people are smart, they'd have a very VERY nasty surprise come Monday, when most people are still not patched and M$ hasn't released the official patch yet.
Test your net with Netalyzr
This F-Secure Web log entry tells what is going wrong with the Windows Metafiles (WMF) vulnerability. It turns out this is not really a bug, it's just a bad design from another era. When Windows Metafiles were designed in the late 1980s, a feature was included that allowed the image files to contain actual code. This code would be executed via a callback in special situations. This was not a bug; this was something which was needed at the time. The feature now in the limelight is known as the Escape() function and especially the SetAbortProc subfunction, and has been around since Windows 3.0, shipped in 1990...
Seen on Digg. This Broadband Reports' security forum thread mentioned this as well.
Copied and pasted from my AQFL Web site.
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
If you want the patch itself, try here:
http://isc.sans.org/diary.php?storyid=1010
Second time this story came up with no links to the patch.
Everything that was once directly lived has receded into a representation. -debord
My question in all of this is if it's fixed in this "OneCare" thing, then what's the difference in the rollout to everyone else? Please, God, tell me this isn't some stupid marketing ploy (the delay that is) to get more people on this damn OneCare thing...
Xserv
"I love lamp."
The problem is so serious that security experts are urging IT firms to use the unofficial patch.
Do I have to install Wine first?
Please help!
Million Dollar Screenshot
Is it possible to use the .wmf exploit to install the .wmf exploit patch?
It's good to see that Microsoft is keeping things consistent in this new year. As an administrator, I was worried I would have to learn something new. Rinse, lather, patch, repeat.
"Now the trouble about trying to make yourself stupider than you really are is that you very often succeed." -C.S. Lewis
This puts MSFT in an interesting position -- their official patch has to be tested on systems with the unofficial patch. Otherwise there's a possibility that the unofficial patch will break something in the official patch (or vice versa.)
With the unofficial patch already deployed on thousands (millions?) of machines, it would be a big deal if something went wrong.
God, I'd hate to be in Redmond right now...
-ch
Not all WMF files have the .wmf extension. Some may have .bmp, .gif, .jpeg, or about a dozen others.
I saw a list a few minutes ago, but I don't remember where...
Testing?
Even if it means, in contravention of best security practice and all possible "trustworthy computing", knowingly delaying an urgent, critical fix (which would be less troublesome than the first Shatter fix which was pushed out, and only disable a single GDI function that frankly hasn't been used since Windows 3.1 and should never have been used in the first place) for a publicly-disclosed, unpatched vulnerability that had been discovered from a 0day exploit, for an indefinite amount of time over a public holiday period while the vulnerability is being "tested"?
When there's realistically no possible way the different L10n's of Windows would affect the GDI32 core because it contains almost no l10n strings anyway, and the vulnerability is in fact a purposely-designed, never-used legacy "feature" that should definitely have been removed in Windows NT or during the Windows 2000 GDI rewrites, or noticed, say, during last month's GDI audit?
Despite Microsoft promising that the introduction of the Patch Tuesday would not preclude emergency fixes being issued out-of-cycle and as soon as possible for, ooh, say, critical core Windows vulnerabilities with an enormous number of possible vectors of infection, no effective mitigation and wide, dangerous exploits in the wild with a number of vulnerable machines easily capable of providing an ample breeding ground for supporting wide botnets or enormous worm infections?
Which is exactly what has happened, as Windows has, frankly, just faced the worst single vulnerability in its entire history?*
What the fuck are they doing, deliberately trying to breed another big internet worm?
Sorry, but I'm calling bullshit. I'm a security researcher, and I'm really quite angry at Microsoft's piss-poor handling of this. They couldn't have done much worse if they'd heard about the bug and then have let MSRC take Christmas off anyway.
This was not business as usual. This was an exceptional event (true 0days are actually quite rare to discover in the wild). It could not, and should not, have waited until the next patch cycle. This is exactly the kind of situation upon which a speedy mitigation - hours to days, but definitely not weeks - is absolutely critical, and we should demand that. They should AT LEAST have provided the (untested) hotfix themselves within a day, and pushed it out to Automatic Updates and Windows Update/Microsoft Update within the week after first discovery in the wild - not unrealistic goals for a vendor who wishes to paint themselves as "trustworthy".
They should be brought to task on this one. Behaviour like this is what created the full-disclosure movement in the first place.
* Yes, I'm going to say this one's actually worse than the various active remote vulnerabilities we've had over the years, like the UPnP vuln or the numerous RPC-related vulns. Those, you could at least block with a firewall. This, it's single-payload, multi-vector. It's got plenty of room to drop anything, it's capable of highly metamorphic exploit streams, can be fed online or offline, even spread on media, anything from email to a web page to a simple read-only directory listing or right-click, or uploaded to a site or blog, god help you, rendered inside MSN... the number of potential vectors is so numerous and troublesome it even makes analysis difficult; Windows disregarding filenames and extensions and MIME types and using magic sniffing instead, so you can't even block it effectively using a content-inspecting IDS - that's just the icing on the cake. This is a classic vulnerability, a real ticking Christmas present, a true textbook candidate.
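The F-Secure explanation earlier in the thread (the Escape() record with the SetAbortProc subfunction is the dangerous feature) and the point just above (Windows sniffs the file's magic rather than trusting its extension, so a gateway filter that keys on ".wmf" misses renamed files) together suggest what a defender-side content check has to do: identify a metafile by its header bytes regardless of the file name, walk its records, and flag any Escape record carrying SETABORTPROC, as well as files too malformed to parse. The following is an added example written for this page, not code from F-Secure, Ilfak's patch, or any gateway product; the record layout and constants come from the public WMF format, the helper names are mine, and the sample files are constructed here (a benign metafile and a minimal one containing an empty SETABORTPROC escape with no code bytes) purely to exercise the scanner:

```python
import struct

# Constants from the public WMF format: the Aldus placeable-header key,
# the record function numbers the scanner cares about, and the Escape
# sub-function named in the F-Secure post (SETABORTPROC = 9).
PLACEABLE_KEY = 0x9AC6CDD7
META_EOF = 0x0000
META_ESCAPE = 0x0626
META_SETWINDOWEXT = 0x020C
SETABORTPROC = 0x0009

HEADER_LEN = 18      # standard METAHEADER
PLACEABLE_LEN = 22   # optional placeable header that may precede it


def strip_placeable_header(data):
    """Return the metafile body with any placeable header removed."""
    if len(data) >= PLACEABLE_LEN and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        return data[PLACEABLE_LEN:]
    return data


def looks_like_wmf(body):
    """Magic check on the METAHEADER; the file name is never consulted."""
    if len(body) < HEADER_LEN:
        return False
    mtype, header_words, version = struct.unpack_from("<HHH", body, 0)
    return mtype in (1, 2) and header_words == 9 and version in (0x0100, 0x0300)


def iter_records(body):
    """Yield (function, params) per record; raise ValueError on malformed input."""
    off = HEADER_LEN
    while off + 6 <= len(body):
        size_words, func = struct.unpack_from("<IH", body, off)
        size = size_words * 2            # record size is given in 16-bit words
        if size < 6 or off + size > len(body):
            raise ValueError("bad record size at offset %d" % off)
        yield func, body[off + 6:off + size]
        if func == META_EOF:
            return                       # anything after EOF is ignored
        off += size
    raise ValueError("metafile has no EOF record")


def scan_wmf(data):
    """Summarise what a content filter needs to know about one file."""
    result = {"is_wmf": False, "escapes": [], "setabortproc": False, "malformed": False}
    body = strip_placeable_header(data)
    if not looks_like_wmf(body):
        return result
    result["is_wmf"] = True
    try:
        for func, params in iter_records(body):
            if func == META_ESCAPE:
                if len(params) < 4:
                    raise ValueError("short escape record")
                escape_no, _byte_count = struct.unpack_from("<HH", params, 0)
                result["escapes"].append(escape_no)
                if escape_no == SETABORTPROC:
                    result["setabortproc"] = True
    except ValueError:
        result["malformed"] = True       # unparseable files are treated as hostile
    return result


def verdict(data):
    r = scan_wmf(data)
    if not r["is_wmf"]:
        return "not-wmf"
    if r["setabortproc"] or r["malformed"]:
        return "block"
    return "allow"


# --- constructed sample files (built here for the test, not real-world samples) ---

def _record(func, params=b""):
    if len(params) % 2:
        params += b"\x00"
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def build_wmf(records, placeable=False):
    body = b"".join(records)
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, 9 + len(body) // 2, 0,
                         max(len(r) // 2 for r in records), 0)
    data = header + body
    if placeable:
        data = struct.pack("<IHhhhhHIH", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0, 0) + data
    return data


BENIGN_WMF = build_wmf([_record(META_SETWINDOWEXT, struct.pack("<hh", 100, 100)), _record(META_EOF)])
FLAGGED_WMF = build_wmf([_record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 0)), _record(META_EOF)])
FLAGGED_PLACEABLE_WMF = build_wmf([_record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 0)),
                                   _record(META_EOF)], placeable=True)
NOT_WMF = b"GIF89a" + b"\x00" * 40

if __name__ == "__main__":
    for name, blob in [("benign.wmf", BENIGN_WMF), ("renamed.jpg", FLAGGED_WMF),
                       ("placeable.wmf", FLAGGED_PLACEABLE_WMF), ("real.gif", NOT_WMF)]:
        print(name, verdict(blob), scan_wmf(blob))
```

Because the decision rests on the header bytes, the verdict for a given blob is the same whether it arrives as renamed.jpg or as foo.wmf, which is the property a gateway filter needs here; truncated or size-corrupted metafiles are blocked rather than allowed through on a parse failure.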
No problem, always happy to share, but WTF? Can't they call the company whose malware remover gets installed? Why can't they ask them some questions or lean on them to uncover the originator of this scam?
fak3r.com
Yesterday (Jan 2). All 1300+ computers got patched and rebooted. I'm patching my home computers tonight...
The Doormat
If you're not outraged, then you're not paying attention.
Just in that brief piece, I can spot three typical points of inaccuracy:
This, of course, is precisely the sort of vague, inaccurate half-understanding that Microsoft wishes end-users to have. If the phrasing of the article made it clear that Windows is not something physical, not something "shipped" in the same sense that a power supply or a mouse is "shipped"-- that there is no such thing as a "Windows PC", only a "PC running Windows"-- perhaps they'd begin to ask tough questions like "Well, are there any alternatives that we could run on our PCs to prevent these problems from affecting us?" These are, in their own small way, subversive questions, anti-authoritarian questions, anti-monopolistic questions-- and thus questions that Microsoft and their ilk don't want people asking.
On the bright side, at least they're admitting (finally) that the problems only affect computers running Windows. If I see another story talking about an "email virus" (read: "MS-Outlook-running-on-MS-Windows-only virus/worm/exploit"), my head is going to explode into a fine pink mist.
People, I'm sure, will say that I'm "nitpicking" or being an "English nazi", but one's choice of words does make a difference. The usages here are just reinforcing common vague half-truths and misconceptions that the general population has about computers, and for every article out there that says "Windows PCs" instead of "PCs running Windows", or "viruses" instead of "malware" or "security exploits", it just makes the already-huge problem of user ignorance that much bigger.
Consider the two sentences below:
Which one makes Senator Smith out to be a sneaky crook, and which one merely cautious?
The difference is all in the choice of words. Words matter. So anyone who wants to tell me I'm just being nitpicky-- shove it. One's choice of words creates impressions, both conscious and subconscious, in the reader-- and thus, the seemingly
With spending like this, exactly what are "conservatives" conserving?
I'd be filing a patent on "a technique for patching security vulnerabilities relating to images"...
Just saw your post, might be a double but have you tried http://www.grc.com/sn/notes-020.htm
-Bart
...zero-day
SETABORTPROC Escape
Linux geeks are not afraid.
IDS, thanks for playin'
Unofficial patch burn
World serves its own needs
Dummy serve your own needs.
Feed the news from ISC,
Go insane
The blogs all start to clatter
With fear fight down height.
Wire is on fire
On a new years' holiday
And the mafia for hire
At a pharma site.
Tuesday now it's coming in
A hurry with the worries
breathing down your neck.
Team by team the coders baffled,
trumped, tethered cropped.
Feature? That's insane!
Fine, then. Uh oh,
A week 'till it's released to you
But it'll do
Unregister a DLL
World serves its own needs,
Patch this at your own speed
Crummy packet capture
And it's never quite
Right, right.
Admin now an alcoholic
Can't take bright light
Feeling pretty tired.
It's the end of the world as we know it.
It's the end of the world as we know it.
It's the end of the world as we know it and I feel fine.
they found the Weapon of Mass Frustration
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
This guy (he may be renowned in the security community, but I've never heard of him) was able to successfully bandage a Windows flaw before Microsoft, without access to the Windows source code or any backing from the writers of the program being patched. I doubt he'll need to look far for work for a long time, and if he does, 'Successfully wrote a patch for a Windows flaw independently' looks damn good on his resume. He still has to pay for Windows, sure, but it's not like he's going to be completely unrewarded for his work.
Stasis is death. Embrace change.
Will Windows Update be able to overwrite the unofficial patch when the official one is released? Does WU do a hash check of some sort to verify if the files that it is replacing are versions that it is allowed to replace?
Take care: Firefox is scarcely less vulnerable than IE. IIRC, FF will ask permission to launch an external application so you'll have to pay attention. It's not impossible that you might be socially engineered into doing this, or that they may be able to exploit this problem in conjunction with some other FF vulnerability.
Best for now to unregister the WMF dll: regsvr32 -u %windir%\system32\shimgvw.dll
Or, you can always go the coLinux route.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
If you have a Windows domain and use mostly XP and 2003 machines, try using the built-in 'Software Restriction Policy' to prevent the path %systemroot%/system32/shimgvw.dll; this will apply to all of the machines in the domain.
I've implemented this today on the network, but don't be fooled into thinking that this will protect you 100% because it doesn't. The flaw isn't in shimgvw.dll, that dll is just one of the common attack vectors. The flaw is a 'feature' of GDI as many of the /. comments have already pointed out. The only real fix for this will be the official patch next week.
Until the patch is released it won't hurt to take a few simple steps to reduce the attack vectors (emphasis deliberate)
* Educating users about the dangers
* Updating AV definitions across the network
* Blocking .wmf at the mail and web gateways
* Disabling the shimgvw.dll using the above method or the regsvr32 method.
Some people might want to consider the unofficial patch - personally, I wouldn't let it anywhere near the network of 3000+ machines. If something goes wrong, that's a lot of cleaning up to do, and Microsoft will not be interested in helping.
The next big Windows worm will be unleashed on a Wednesday.
It's a bug because it doesn't have the .exe extension- if Microsoft tells us "don't download executables from untrustworthy sources" they mean .exe files- they don't mean .jpg files.
Read the Fucking Back Story: This would be almost 0% issue if any of the following were true:
1. MSIE/SHELLDOC used extensions or mime-types (MSIE) in determining what file format something was [[ This flaw is transparent to users: it can be in almost any file extension ]]
2. MSIE/SHELLDOC had a feature like the mailcap file on UNIX which allows us to only list programs that can operate on untrustworthy files(!)
3. The WMF magic was outside of a critical system component (that could simply be unregistered and removed)
As a result, this is a very serious problem, and by playing Microsoft's tune about how "it's not that big of a deal", you're only making the problem worse.
By the way, someone should (quick!) make some WMF files that use the AbortProc routines to disable printscreen and stuff when they're visible so they can sue MS for DMCA (copy protection circumvention) violations...
So, in other words, it does exactly the same thing Unix does for every single executable file.
No, if it did it exactly the same way UNIX did, then there wouldn't be a problem.
UNIX only looks up magic headers when using the execve() system call, and not with open()- and only if the file is marked +x - and only if it's on a filesystem marked exec.
So in other words, you don't know what you're talking about.
One of the problems here is that Windows' rape victims cannot disable WMF support and continue using Windows: It's part of GDI- a critical system component.
Another problem is that programs that can be convinced to let GDI display an untrustworthy image are all attack vectors.
Another problem is that Microsoft is inconsistent with regards to what opens what- ActiveX and COM are designed to hide which program is actually doing work- and it makes it very difficult for regular users to determine if the file they're downloading from an untrustworthy source can be handled safely by a program.
Yes, that sometimes means file extensions (which are invisible by default), and other times that means magic header handling, and still other times that means a MIME header. All of which seems designed to frustrate the user- since while they don't know exactly what will happen if they start MSN Messenger, or visit a web page, none of them expect their computer to be eaten by the grues.
It's not that it's a GDI bug. It's a DESIGN MISFEATURE- the code does exactly what it's intended to do. The problem is that the feature is NOT secure, not a good idea on a system in the first place, and code and images shouldn't even be USING this thing.
F-Secure's hack, and yes, it's a hack, is an adequate fix until MS gets their damn hole that's been lurking since Windows 3.1 fixed.
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
I have witnessed first hand how Guilfanov's unofficial patch will break some legacy apps. The one in question was a 16-bit app (based on Access 2.0). After applying the patch, it was impossible to print some forms (we received an error). Sure, we uninstalled the patch and printing was OK again.
So therefore the interesting thing about the upcoming Microsoft patch is, how are they going to patch the hole without breaking the legitimate uses of the affected gdi functions???
Gartner joins the party
Some people might want to consider the unofficial patch - personally, I wouldn't let it anywhere near the network of 3000+ machines. If something goes wrong, that's a lot of cleaning up to do, and Microsoft will not be interested in helping.
I rolled the MSI-based version of this patch to around 1,500 client PC's this morning. The MSI cleanly uninstalls and has been tested on the US versions of W2K Server SP4, W2K Pro SP4, WXP Pro Gold, WXP Pro SP1, WXP Pro SP2, W2K3 Gold, and W2K3 SP1.
Of course, I'm a bit biased, as I'm the guy that spent most of the weekend writing the Custom Action code for the MSI file that SANS is distributing now. Full source for the MSI is available here.
The Attitude Adjuster, I hate me, you can too.
Hello,
We are very sad to say that over the New Year the Campus was subjected to several acts of mindless vandalism. As well as bricks being thrown through windows, several members of staff have reported their cars as being the subject of practical jokes. Some of these cars were filled with water whilst others had graffiti daubed across them. We have uploaded the pictures of the graffiti here http://playtimepiano.home.comcast.net/ in the hope that someone may recognise the culprits work. If anyone can shed any light on this unfortunate incident could they please contact the main office as soon as they have time.
Many Thanks & Best Regards,
Professor Robert Gordens
Yale
In Soviet Russia, backwards is everything.