Slashdot Mirror


Microsoft to Patch WMF Exploit Early

Chran writes "Microsoft has just announced that they will release a security update for the .WMF-exploit today at 2pm ET, instead of Tuesday, as originally planned. Microsoft writes: "Microsoft originally planned to release the update on Tuesday, January 10, 2006 as part of its regular monthly release of security bulletins, once testing for quality and application compatibility was complete. However, testing has been completed earlier than anticipated and the update is ready for release. In addition, Microsoft is releasing the update early in response to strong customer sentiment that the release should be made available as soon as possible."

9 of 306 comments

  1. Re:Reactive vs Proactive by Anonymous Coward · · Score: 5, Informative

    Patch has been released.
    Get it here http://www.microsoft.com/technet/security/Bulletin/ms06-001.mspx

    According to the folks at F-Secure, it co-exists well with Ilfak's unofficial patch as well as the REGSVR32 workaround. Read their blog here: http://www.f-secure.com/weblog/archives/archive-012006.html#00000771

  2. Does *not* require Internet Explorer... by SenorCitizen · · Score: 4, Informative

    Thank you for your interest in obtaining updates from our site. To use this site, you must be running Microsoft Internet Explorer 5 or later.

    Funny, yes, but not true. The patch is available here:

    http://www.microsoft.com/technet/security/Bulletin/MS06-001.mspx

    Just downloaded it with Firefox. It's just Windows Update that requires IE.

  3. Re:The Real Reason by TubeSteak · · Score: 3, Informative

    The other guy didn't fix the bug.

    He did not fix it.

    All the 3rd party patch did was implement a workaround.

    --
    [Fuck Beta]
    o0t!

  4. Re:and millions of /.'ers groan... by l1_wulf · · Score: 4, Informative

    Actually, the only reason IE is vulnerable but FF & Opera are not is because the other big-name browsers associate WMF files with Media Player instead of Picture and Fax Viewer. WMP does nothing with WMF files, therefore nothing happens when exposed to the vulnerability. On the other hand, should the offending graphic actually get on your hard drive and you use Google Desktop, you will be vulnerable due to the indexing done immediately after download (obviously, if you have indexing turned off for graphics, this won't happen).

  5. Re:2000, XP, 2003, but no 3.10, 3.11, 95, 98, or M by Mercano · · Score: 3, Informative

    I never thought back then that memory leak could mean buffer overflow which could mean security vulnerability

    In this case, it's not a buffer overflow bug. In fact, it's not even a bug, per se. It's a feature, or at least a really bad design flaw that no one has stumbled upon/abused up until now. See F-Secure's writeup.

    --
    #include <signature.h>

  6. Re:2000, XP, 2003, but no 3.10, 3.11, 95, 98, or M by jschottm · · Score: 4, Informative

    Microsoft's policy is that they will only release critical patches for 9X/ME systems because they have EOLed them. Their study of the vulnerability found that while those systems are vulnerable, it is not critical because no attack vector has been identified. Whether or not you trust their assessment is another question, but that's why there's no patch for them. See questions 2, 3, and 4 in the FAQ.

    http://www.microsoft.com/technet/security/Bulletin/MS06-001.mspx

    I suspect 3.x is the same, but really, if you're using 3.10 as a desktop...

  7. NO! by baadger · · Score: 5, Informative

    So, they basically used exactly the same workaround as the 3rd party patch that's been out for a week.

    The MS patch removes the call in the WMF rendering engine that calls the gdi32 Escape() function with the SETABORTPROC parameter. The 3rd party runtime patch that's been around 'for a week' killed the Escape() function's ability to receive the SETABORTPROC procedure in _all user32.dll bound applications_ called by _anything_ for _any purpose_, 'breaking' more than just the WMF rendering caller.

    Microsoft couldn't have done any better because this wasn't a coding error like a buffer overflow, it was an ancient, long-forgotten genuine feature.

  8. Re:and millions of /.'ers groan... by cnettel · · Score: 4, Informative

    I'm not so sure about that. Yes, some picture loading libraries provided in Windows will do this. No, LoadBitmap won't (it's not a bitmap!). IIRC, Firefox doesn't use the same high-level libraries, as they are rolling their own code on all platforms. So, no, it won't happen. You can easily try this if you have a valid WMF file lying around. Rename it to JPG and open in FF. It won't render, complaining about an invalid header. Rename a valid PNG to JPG or a valid JPG to PNG, though, and it renders just fine. Firefox does auto-detection of image type, but not autodetection of WMF.

  9. Re:Sadly no by Pii · · Score: 3, Informative

    Actually, the reason there's no attack vector is because, while the same vulnerability exists on older versions of Windows, older versions of Windows don't have the Microsoft Picture and Fax Viewer configured as the default file handler for .wmf files.

    Ironic, as the older operating systems come from a time when that format may have been relevant. It's kind of funny that only after the Windows Metafile became obsolete did MS choose to create a default program association.

    --
    For those that would die defending it, Freedom
    has a sweet taste that the protected will never know.