Slashdot Mirror

← Back to Stories (view on slashdot.org)

Businesses Urged To Use Unofficial Windows Patch

Posted by Zonk on from the quick-quick dept.

frankie writes "ZDNet is reporting on the latest dire pronouncements about the WMF vulnerability. The problem is so serious that security experts are urging IT firms to use the unofficial patch. Microsoft's current goal is to release the update on Tuesday." From the ZDNet article: "This is a very unusual situation -- we've never done this before. We trust Ilfak, and we know his patch works. We've confirmed the binary does what the source code said it does. We've installed the patch on 500 F-Secure computers, and have recommended all of our customers do the same. The businesses who have installed the patch have said it's highly successful" It's big enough that even mainstream media is covering the flaw.

19 of 374 comments (clear)

  1. More details by anandpur · · Score: 5, Informative

    Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution

    http://www.securityfocus.com/bid/16074
    http://www.microsoft.com/technet/security/advisory /912840.mspx
    http://www.symantec.com/avcenter/venc/data/pf/pwst eal.bankash.g.html

  2. MS has to test very extensively by PIPBoy3000 · · Score: 5, Interesting

    If you're curious as to what all they do, you can take a look here. A sample quote from the article:

    In some cases, particularly when the Internet Explorer browser is involved, the testing process "becomes a significant undertaking," Toulouse said. "It's not easy to test an IE update. There are six or seven supported versions and then we're dealing with all the different languages. Our commitment is to protect all customers in all languages on all supported products at the same time, so it becomes a huge undertaking."

    1. Re:MS has to test very extensively by Anonymous Coward · · Score: 5, Insightful

      No, it wouldn't. That's a bad analogy. Your analogy would more accurately describe a situation where they were sitting on a patch until multiple bug fixes were implemented.

      A better analogy would be that Microsoft is withholding the cure for breast cancer until they verify that it doesn't cause patients with other cancers to worsen, that it really does cure breast cancer on more than just one woman, and that it doesn't kill patients outright. with QA, at minimum you've got to verify that a patch can be installed, can be uninstalled if that's an option, fixes the problem, is stable, and passes any baseline usage tests that you have.

      The analogy still isn't perfect, but it's far more representative of what a QA process is.

  3. Re:Does MS view this as important? by chrish · · Score: 5, Funny

    Presumably they do some sort of testing with their patches before they release...

    --
    - chrish
  4. Re:block wmf by NinePenny · · Score: 5, Informative

    Its not just the extension that dictates that it's a WMF... Windows in its infinate wisdom also looks at the header bytes of the file and says "ohh! thats a WMF!" Execute! im in a damned hurry, hopfully I stated that correctly...ymmv

  5. Re:Does MS view this as important? by digidave · · Score: 5, Insightful

    "What's the liability for the 3rd party if their patch screws something up in a bad way? Zippo. That's (part of) the reason why it takes longer to put out an "official" patch."

    What's the liability if MS screws up a patch? They do it all the time, but I don't hear anything about them being sued or compensating businesses they've hurt.

    --
    The global economy is a great thing until you feel it locally.
  6. Re:Does MS view this as important? by aquabat · · Score: 5, Insightful

    That would be the same as the liability that Microsoft would have if its patch screwed something up, right? Zippo in either case. RTFEULA.

    --
    A republic cannot succeed till it contains a certain body of men imbued with the principles of justice and honour.
  7. This is slashdot, wheres the pictures? by LiquidCoooled · · Score: 5, Funny

    Its ok, I found th...!&^!")NO CARRIER

    --
    liqbase :: faster than paper
    1. Re:This is slashdot, wheres the pictures? by TheHawke · · Score: 5, Funny

      No Spot! Don't Chew on the power*ZAP!* %^@!NO TERRIER.

      Sorry, had to do that. ^.^

      --
      First rule of holes; When in one, stop digging.
  8. Whoa, that's really bizarre by frankie · · Score: 5, Interesting

    This article isn't anything like the one that I submitted.

    • 2006-01-03 17:15:05 No Microsoft WMF update until next week (Index,Windows) (accepted)

    Mine looked more like this (body content from memory):

    " The usual suspects are reporting Microsoft's latest announcement about the WMF vulnerability (link to previous /. article). To quote (link to MS technet article): "Microsoft's goal is to release the update on Tuesday, January 10, 2006, as part of its monthly release of security bulletins." So do you install the unofficial patch (link to previous /. article), or cross your fingers for a week?"
    1. Re:Whoa, that's really bizarre by BushCheney08 · · Score: 5, Insightful

      Just further shows that the "editors" don't even "get" their roles as editors. Attributing words that weren't written to the submitter is not something they should be doing. Or if they do, they should use the standard square brackets to indicate that those words weren't said, but were what was implied. Changing the title is fine. Adding additional commentary or extra sources (as Zonk did with the 'From the ZDNet article' bit) is fine. Putting words in people's mouths is a HUGE editorial no-no.

      --
      Be a real patriot: Question authority. Think for yourself. Formulate your own conclusions.
  9. The problem is it's a GDI exploit by Sycraft-fu · · Score: 5, Insightful

    The actual root of the problem is in the GDI, which is what handles all basic interface display for Windows. The unofficial patch just disables the call that the exploit uses. Ok, fair enough, but that's a hack, not a fix. That means that anything that legitmately uses that call won't work, and the underlying problem is still there.

    Well, testing a fix for a system component like that takes time, espically since it affects a ton of versions.

    Now you might ask, why not release a hack fix, and then do a proper patch later? Well as it stands, it's hard enough to get people to update their systems. We fight with it all the time with people here at work. They turn auto updates off since they run simulations at night and don't want it rebooting (even though patch day is known ahead of time) and then never manually patch since they "can't be bothered".

    Well, if MS released a patch that broke things, that just makes that many more people stop patching. Remember all the whining and bitching about SP2. There were very few systems that had problems with it, and most that did were spywared to hell, but still there are tons of people that refuse to install it for fear that "it'll break my computer".

    Thus the offical patch takes time, as they have to test and make sure that the problem really is fixed, and no new problems were created with the fix. REgression testing isn't quick.

  10. Re:Does MS view this as important? by pete-classic · · Score: 5, Insightful

    There is a quid pro quo in the "Linux community". Yes, J. Random Hacker is encouraged (and really expected) to patch Linux flaws. But he recieves a Free system with source code in exchange.

    It doesn't sit well with me to see Microsoft eat their cake and have it too.

    -Peter

  11. The issue was actually a feature... by antdude · · Score: 5, Informative

    According to this F-Secure's Web log, it tells what is going wrong with the Windows Metafiles (WMF) vulnerability. It turns out this is not really a bug, it's just a bad design from another era. When Windows Metafiles were designed in late 1980s, a feature was included that allowed the image files to contain actual code. This code would be executed via a callback in special situations. This was not a bug; this was something which was needed at the time. The feature now in the limelight is known as the Escape() function and especially the SetAbortProc subfunction, and has been around since Windows 3.0, shipped in 1990...

    Seen on Digg. This Broadband Reports' security forum thread mentioned this as well.

    Copied and pasted from my AQFL Web site.

    --
    Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
    1. Re:The issue was actually a feature... by wo1verin3 · · Score: 5, Funny

      When can I expect a patch for Windows for Workgroups 3.11?

  12. Download by reconn · · Score: 5, Informative

    If you want the patch itself, try here:
    http://isc.sans.org/diary.php?storyid=1010

    Second time this story came up with no links to the patch.

    --
    Everything that was once directly lived has receded into a representation. -debord
  13. Bullshit. by Anonymous Coward · · Score: 5, Insightful

    Testing?

    Even if it means, in contravention of best security practice and all possible "trustworthy computing", knowingly delaying an urgent, critical fix (which would be less troublesome than the first Shatter fix which was pushed out, and only disable a single GDI function that frankly hasn't been used since Windows 3.1 and should never have been used in the first place) for a publically-disclosed, unpatched vulnerability that had been discovered from a 0day exploit, for an indefinite amount of time over a public holiday period while the vulnerability is being "tested"?

    When there's realistically no possible way the different L10n's of Windows would affect the GDI32 core because it contains almost no l10n strings anyway, and the vulnerability is in fact a purposely-designed, never-used legacy "feature" that should definitely have been removed in Windows NT or during the Windows 2000 GDI rewrites, or noticed, say, during last months GDI audit?

    Despite Microsoft promising that the introduction of the Patch Tuesday would not preclude emergency fixes being issued out-of-cycle and as soon as possible for, ooh, say, critical core Windows vulnerabilities with an enormous number of possible vectors of infection, no effective mitigation and wide, dangerous exploits in the wild with a number of vulnerable machines easily capable of providing an ample breeding ground for supporting wide botnets or enormous worm infections?

    Which is exactly what has happened, as Windows has, frankly, just faced the worst single vulnerability in its entire history?*

    What the fuck are they doing, deliberately trying to breed another big internet worm?

    Sorry, but I'm calling bullshit. I'm a security researcher, and I'm really quite angry at Microsoft's piss-poor handling of this. They couldn't have done much worse if they'd heard about the bug and then have let MSRC take Christmas off anyway.

    This was not business as usual. This was an exceptional event (true 0days are actually quite rare to discover in the wild). It could not, and should not, have waited until the next patch cycle. This is exactly the kind of situation upon which a speedy mitigation - hours to days, but definitely not weeks - is absolutely critical, and we should demand that. They should AT LEAST have provided the (untested) hotfix themselves within a day, and pushed it out to Automatic Updates and Windows Update/Microsoft Update within the week after first discovery in the wild - not unrealistic goals for a vendor who wishes to paint themselves as "trustworthy".

    They should be brought to task on this one. Behaviour like this is what created the full-disclosure movement in the first place.

    * Yes, I'm going to say this one's actually worse than the various active remote vulnerabilities we've had over the years, like the UPnP vuln or the numerous RPC-related vulns. Those, you could at least block with a firewall. This, it's single-payload, multi-vector. It's got plenty of room to drop anything, it's capable of highly metamorphic exploit streams, can be fed online or offline, even spread on media, anything from email to a web page to a simple read-only directory listing or right-click, or uploaded to a site or blog, god help you, rendered inside MSN... the number of potential vectors is so numerous and troublesome it even makes analysis difficult; Windows disregarding filenames and extensions and MIME types and using magic sniffing instead, so you can't even block it effectively using a content-inspecting IDS - that's just the icing on the cake. This is a classic vulnerability, a real ticking Christmas present, a true textbook candidate.

  14. Typical non-tech media distort-o-fest. by Caspian · · Score: 5, Insightful
    As is typical, the linked-to article gives people a lot of incorrect impressions (including many that the general public already seems to subscribe to, for the most part).

    Just in that brief piece, I can spot three typical points of inaccuracy:
    1. Blurring the line between hardware and software. The use of the phrase "every Windows system shipped since 1990", coupled with the phrase "Windows PCs", seems to subtly (albeit probably unintentionally) imply that Windows is either hardware itself, or irrevokably paired with hardware. (I.e.: "No, that's a Windows PC, it can't run Linux.")

      This, of course, is precisely the sort of vague, inaccurate half-understanding that Microsoft wishes end-users to have. If the phrasing of the article made it clear that Windows is not something physical, not something "shipped" in the same sense that a power supply or a mouse is "shipped"-- that there is no such thing as a "Windows PC", only a "PC running Windows"-- perhaps they'd begin to ask tough questions like "Well, are there any alternatives that we could run on our PCs to prevent these problems from affecting us?" These are, in their own small way, subversive questions, anti-authoritarian questions, anti-monopolistic questions-- and thus questions that Microsoft and their ilk don't want people asking.
    2. Use of the overly simplistic term "virus" to describe any sort of computer security breach. I am getting incredibly sick of this. Yes, the biological metaphor was useful to convey the concept of a computer having problems. But it's worked too well. Now, any time I try to explain a non-virus form of computer affliction to a non-techie, they always seem to start out by saying "so it's a virus?" Spyware? "Viruses". Computer running slow? "Viruses." Pop-ups? "Viruses." On numerous occasions with numerous people, I've mentioned the word "spyware", only to have people say "oh, that's the program that gets rid of the viruses?" or something like that. (They confuse the name "Spybot" (as in "Spybot: Search and Destroy")" with the word "spyware".)
    3. And last but not least: Demonization of those eeeeeeeeeevil "hackers". I know the "hacker vs. cracker" war of words is long since lost, but it still irks me when the term used to describe these guys (my heroes!) is now synonymous in the public mind with "malicious and destructive computer criminal".

    On the bright side, at least they're admitting (finally) that the problems only affect computers running Windows. If I see another story talking about an "email virus" (read: "MS-Outlook-running-on-MS-Windows-only virus/worm/exploit"), my head is going to explode into a fine pink mist.

    People, I'm sure, will say that I'm "nitpicking" or being an "English nazi", but one's choice of words does make a difference. The usages here are just reinforcing common vague half-truths and misconceptions that the general population has about computers, and for every article out there that says "Windows PCs" instead of "PCs running Windows", or "viruses" instead of "malware" or "security exploits", it just makes the already-huge problem of user ignorance that much bigger.

    Consider the two sentences below:

    • "Senator Smith has not yet released a statement concerning the situation."
    • "When asked about the situation, Senator Smith responded, "No comment."

    Which one makes Senator Smith out to be a sneaky crook, and which one merely cautious?

    The difference is all in the choice of words. Words matter. So anyone who wants to tell me I'm just being nitpicky-- shove it. One's choice of words creates impressions, both conscious and subconscious, in the reader-- and thus, the seemingly

    --
    With spending like this, exactly what are "conservatives" conserving?
  15. Are you kidding? by SleepyHappyDoc · · Score: 5, Insightful

    This guy (he may be reknowned in the security community, but I've never heard of him) was able to successfully bandage a Windows flaw before Microsoft, without access to the Windows source code or any backing from the writers of the program being patched. I doubt he'll need to look far for work for a long time, and if he does, 'Successfully wrote a patch for a Windows flaw independently' looks damn good on his resume. He still has to pay for Windows, sure, but it's not like he's going to be completely unrewarded for his work.

    --
    Stasis is death. Embrace change.