Microsoft to Patch WMF Exploit Early
Chran writes "Microsoft has just announced that they will release a security update for the .WMF-exploit today at 2pm ET, instead of Tuesday, as originally planned.
Microsoft writes: "Microsoft originally planned to release the update on Tuesday, January 10, 2006 as part of its regular monthly release of security bulletins, once testing for quality and application compatibility was complete. However, testing has been completed earlier than anticipated and the update is ready for release. In addition, Microsoft is releasing the update early in response to strong customer sentiment that the release should be made available as soon as possible."
Patch has been released. Get it here: http://www.microsoft.com/technet/security/Bulletin/ms06-001.mspx
According to the folks at F-secure, it co-exists well with Ilfak's unofficial patch as well as the REGSVR32 workaround. Read their blog here: http://www.f-secure.com/weblog/archives/archive-012006.html#00000771
I'm only getting hits on 2000, XP, and 2003: According to the Financial Times article highlighted at Drudge, Hyppönen said the vulnerability is supposed to hit "every Windows operating system since 1990".
So is there a patch for older versions of Windows?
Funny, yes, but not true. The patch is available here:
http://www.microsoft.com/technet/security/Bulletin/MS06-001.mspx
Just downloaded it with Firefox. It's just Windows Update that requires IE.
This wouldn't have anything to do with the fact that the fix got leaked early, would it?
http://grc.com/sn/notes-020.htm
Insert Sig Here
go get the IEtab extension for Firefox and whitelist update.microsoft.com to use the IE engine instead of the gecko engine and voila...
The third party patch didn't actually (AFAIK) patch the file in the operating system. It simply blocked the calling of the Escape() function, which broke printing on several machines and programs. So while a decent workaround for this week, it really isn't a long term solution. I got this information from SANS' ISC.
Here is the FAQ from the KB
-----
Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME) were previously listed as affected, but are no longer listed. Why is that?
Although Windows 98, Windows 98 Second Edition, and Windows Millennium Edition do contain the affected component, at this point in the investigation, an exploitable attack vector has not been identified that would yield a Critical severity rating for these versions. Per the support life cycle of these versions, only vulnerabilities of Critical severity would receive security updates. For more information about the security update support policy for these versions of Windows, visit the following Web site.
-----
Although I do believe they should be patching this.
The other guy didn't fix the bug.
he did not fix it
All the 3rd party patch did was implement a workaround.
[Fuck Beta]
o0t!
Regarding the third-party patch...
I simply unregistered the dll file on both work and home XP computers, but not the others I help supervise. The folks that are concerned about hackers "re-registering" it are working with the assumption that there is either another 0-day exploit out there that allows the hackers to do that, or don't understand how the vulnerability works. Also, the need for a patch on Windows 98, NT, or 2K is non-existent.
I honestly think relying on a third-party to patch a system is ridiculous. Someone could tell me there is absolutely no ill-intent on behalf of the person releasing the particular patch, and even tell me exactly what the patch does. I still wouldn't implement it. The reason, of course, is because in five years, Microsoft will still be Microsoft, whereas Ilfak Guilfanov might disappear or ignore requests for help. Who knows if he'll even be contactable?
Also, FYI, this specific "patch" he created hides windows functionality on a kernel level. There are other pieces of software that use this same kind of methodology: rootkits. While this could be considered a white-hat rootkit, it's just not a legitimate fix for the real problem. Unregistering the dll was the best solution for security nuts.
Accountability is a very important factor. Microsoft might be taking a gamble on not releasing an insta-patch that breaks (what amounts to being) unused functionality at the cost of security, but that is their prerogative. Home consumers, and their other clients, get to be the judge on whether or not they are doing the right thing. By releasing this patch early, I think they've quelled some corporate concerns.
By your logic, Microsoft also has not patched the vulnerability. From the MS06-001 FAQ:
So, they basically used exactly the same workaround as the 3rd party patch that's been out for a week.
Causation can cause correlation
Actually, the only reason IE is vulnerable but FF & Opera are not, is because the other big name browsers associate WMF files with Media Player instead of Picture and Fax viewer. WMP does nothing with WMF files, therefore nothing happens when exposed to the vulnerability. On the other hand, should the offending graphic actually get on your hard drive and you use Google Desktop, you will be vulnerable due to the indexing done immediately after download (obviously, if you have indexing turned off for graphics, this won't happen).
I never thought back then that memory leak could mean buffer overflow which could mean security vulnerability
In this case, it's not a buffer overflow bug. In fact, it's not even a bug, per se. It's a feature, or at least a really bad design flaw that no one has stumbled upon/abused up until now. See F-Secure's writeup.
#include <signature.h>
I went here using Firefox, followed a few links, and was allowed to download and install the patch:
http://www.microsoft.com/technet/security/Bulletin/ms06-001.mspx
Microsoft's policy is that they will only release critical patches for 9X/ME systems because they have EOLed them. Their study of the vulnerability found that while those systems are vulnerable, that it is not critical because no attack vector has been identified. Whether or not you trust their assessment is another question, but that's why there's no patch for them. See questions 2, 3, and 4 in the FAQ.
http://www.microsoft.com/technet/security/Bulletin/MS06-001.mspx
I suspect 3.x is the same, but really, if you're using 3.10 as a desktop...
Ilfak's patch required a reboot to start applying to new processes, rtffaq.
Anyone who uses Cross-Over Office, Cedega, or plain old Wine (all 10 of you) -- your system is vulnerable to the recent WMF exploit. Loading an office document in Cross-Over that has an embedded WMF file will execute arbitrary code on your system. Gamers -- any games that display user-defined graphics (avatars, etc) and accept the WMF/EMF formats, could be exploitable. A patch was submitted to the Wine development team, but it may not be available for a while (especially if you use a commercial derivative). Please see the following URL for more information:
http://archives.neohapsis.com/archives/fulldisclosure/2006-01/0173.html
So, they basically used exactly the same workaround as the 3rd party patch that's been out for a week.
The MS patch removes the call in the WMF rendering engine that calls the gdi32 Escape() function with the SETABORTPROC parameter. The 3rd party runtime patch that's been around 'for a week' killed the Escape() function's ability to receive the SETABORTPROC procedure in _all user32.dll bound applications_ called by _anything_ for _any purpose_, 'breaking' more than just the WMF rendering caller.
Microsoft couldn't have done any better because this wasn't a coding error like a buffer overflow, it was an ancient long forgotten genuine feature.
it co-exists well with Ilfak's unofficial patch as well as the REGSVR32 workaround.
And if you did the REGSVR32 workaround, you can now get back the functionality of Windows Picture and Fax viewer.
Click Start, Run, Type "regsvr32 %windir%\system32\shimgvw.dll" (without the quotation marks) then OK.
This info was kind of buried here.
// no
I'm not so sure about that. Yes, some picture loading libraries provided in Windows will do this. No, LoadBitmap won't (it's not a bitmap!). IIRC, Firefox doesn't use the same high-level libraries, as they are rolling their own code on all platforms. So, no, it won't happen. You can easily try this if you have a valid WMF file lying around. Rename it to JPG and open in FF. It won't render, complaining about an invalid header. Rename a valid PNG to JPG or a valid JPG to PNG, though, and it renders just fine. Firefox does auto-detection of image type, but not autodetection of WMF.
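Two points in this thread lend themselves to a small defensive tool: the comment above that the MS06-001 fix removes the WMF renderer's call to Escape() with SETABORTPROC, and the comment about Firefox detecting image type from the header rather than the file extension. The following is an added example, not code from the original thread or from Microsoft, F-Secure or Ilfak Guilfanov. It sniffs an image's real type from its leading bytes (ignoring whatever extension it was renamed to) and, for WMF files, walks the metafile records and reports any META_ESCAPE record whose escape function is SETABORTPROC, which is the signature a content filter or mail gateway would have looked for. The record and header layouts follow the public WMF format; the sample metafile is constructed inline to exercise the detector and carries no payload.

```python
import struct

# Leading-byte signatures from the public format specifications.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
JPEG_MAGIC = b"\xff\xd8\xff"
PLACEABLE_WMF_KEY = 0x9AC6CDD7   # Aldus placeable header key, little-endian DWORD

# WMF record function codes and the escape sub-function from the spec.
META_SETBKCOLOR = 0x0201
META_ESCAPE = 0x0626
META_EOF = 0x0000
SETABORTPROC = 0x0009


def sniff_image_type(data: bytes) -> str:
    """Classify an image by content, never by file extension."""
    if data.startswith(PNG_MAGIC):
        return "png"
    if data.startswith(JPEG_MAGIC):
        return "jpeg"
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_WMF_KEY:
        return "wmf"
    # Standard WMF header: Type 1 (memory) or 2 (disk), HeaderSize 9 words,
    # Version 0x0100 or 0x0300.
    if len(data) >= 6:
        mtype, hsize, ver = struct.unpack_from("<HHH", data, 0)
        if mtype in (1, 2) and hsize == 9 and ver in (0x0100, 0x0300):
            return "wmf"
    return "unknown"


def wmf_records(data: bytes):
    """Yield (function, parameter_bytes) for each record in a WMF file."""
    if len(data) < 4:
        return
    off = 22 if struct.unpack_from("<I", data, 0)[0] == PLACEABLE_WMF_KEY else 0
    off += 18  # skip the standard 18-byte header
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if size_words < 3:
            raise ValueError("malformed record size")
        end = off + size_words * 2
        if end > len(data):
            raise ValueError("truncated record")
        yield func, data[off + 6:end]
        if func == META_EOF:
            break
        off = end


def find_setabortproc(data: bytes) -> list:
    """Return indexes of META_ESCAPE records that request SETABORTPROC."""
    hits = []
    for i, (func, params) in enumerate(wmf_records(data)):
        if func == META_ESCAPE and len(params) >= 2:
            if struct.unpack_from("<H", params, 0)[0] == SETABORTPROC:
                hits.append(i)
    return hits


def _record(func: int, params: bytes) -> bytes:
    # RecordSize is counted in 16-bit words and includes the 6-byte record header.
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def build_sample_wmf(with_abortproc: bool) -> bytes:
    """Constructed test metafile: one harmless record, optional SETABORTPROC escape, EOF."""
    records = [_record(META_SETBKCOLOR, struct.pack("<I", 0x00FFFFFF))]
    if with_abortproc:
        # Escape record with EscapeFunction = SETABORTPROC and zero-length data,
        # only so the detector has something to flag.
        records.append(_record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 0)))
    records.append(_record(META_EOF, b""))
    body = b"".join(records)
    header = struct.pack("<HHHIHIH", 2, 9, 0x0300, (18 + len(body)) // 2,
                         0, max(len(r) for r in records) // 2, 0)
    return header + body


if __name__ == "__main__":
    for flag in (False, True):
        blob = build_sample_wmf(flag)
        print(sniff_image_type(blob), "SETABORTPROC records:", find_setabortproc(blob))
```

Because the classifier keys off the header, a WMF renamed to .jpg is still reported as "wmf", which is the behaviour the thread attributes to Firefox's type detection, and the record walk shows why a filter can flag the specific escape without breaking Escape() for every process the way the runtime patch did.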
"If Microsoft Doesn't Fix Windows 98/ME, GRC will. Microsoft has "reclassified" the WMF vulnerability in Windows 95, 98, and ME as non-critical. This means that it will probably NOT be updated and patched for the WMF handling vulnerability that those older versions of Windows apparently have."
So, if Microsoft does not produce an update to repair those older versions of Windows, GRC (Steve Gibson) will make one available.
Source: http://www.grc.com/sn/notes-020.htm
- I just think that maybe in the near future patches for Windows from outside Microsoft will become more common...
-xet7
Microsoft didn't mean for this to be released this week.
http://news.com.com/Microsoft+inadvertently+leaks+WMF+patch/2100-1002_3-6018263.html?part=rss&tag=6018263&subj=news
Yes this was also in another post, but here you go:
http://www.microsoft.com/technet/security/Bulletin/MS06-001.mspx
I was able to download the XP and 2000 patches just fine with Firefox from that link.
Why would you download Firefox three times?
Bush and Blair ate my sig!
Thank you for your interest in obtaining updates from our site.
To use this site, you must be running Microsoft Internet Explorer 5 or later.
To upgrade to the latest version of the browser, go to the Internet Explorer Downloads website.
..... I use firefox so I don't have to use their crap any more than I have to, but I have to use their crap in order to fix another piece of their crap .....
How bloody typical
Has anyone else noticed that after installing the "WMF Patch" you now have a "My Websites on MSN" site in your "My Network Places" and that Firefox v1.0.7 now hangs on load? That's a good way to win the browser war. Great job Microsoft!