Slashdot Mirror

← Back to Stories (view on slashdot.org)

Interview with Ilfak Guilfanov (WMF Patch Hero)

Posted by Zonk on from the small-acts-lead-to-big-things dept.

GrayWolf42 writes "SecuriTeam Blogs has posted an interview with Ilfak Guilfanov, one of the people developing the IDA Pro disassembler, who also happens to have written the unofficial WMF vulnerability patch. In this short interview he discusses the patch, how it works, and why he wrote it." From the article: "Q: When you heard of this vulnerability, you created a temporary patch to close the hole until Microsoft updated its software. Could you tell us more about what the patch does? A: The patch just removes this powerful command. It does not do anything else. The fix modifies the memory image of the system on the fly. It does not alter any files on the disk. It modifies [the image of] the system DLL 'gdi32.dll' because the vulnerable code is there." Microsoft has released an official update, which you should be able to download from the windows update site.

3 of 167 comments (clear)

  1. ok... by User+956 · · Score: 5, Insightful

    MS deserves bashing for the flaw, but there's a difference between an untested one-man release, and the official, QA'd patch. Part of the reason Microsoft couldn't release a patch immediately is because they need to make sure their fix doesn't break snything else.

    --
    The theory of relativity doesn't work right in Arkansas.
  2. Why not scramble all DLL's and EXE's on the fly? by DoktorFuture · · Score: 5, Insightful

    Why not just auto-scramble the DLL code on the fly for every installation of the Windows OS?
    That would mean buffer overflows are essentially defeated on a vast majority of cases? One simple thing we could do would be to insert random NOP's in DLL's, making the buffer overflow get the correct offset wrong most of the time and thus fail to work. I'm sure there are dozens of more clever ways to achieve this, in a completely general sort of way.

    The reason these attacks spread is that the binary code is essentially a monoculture crop -- all clones of each other. Why not take the SID of a system, or some GUID, and use it to morph all the binary images on a system in a unique way for that system?

    Since lots of attacks use NOP's, XOR'd code, and other techniques to avoid being detected as code, why don't we apply the same techniques to our binary objects to obfuscate them from the attacking code?

    Paul Sop

  3. Re:You're missing the point, though by dc29A · · Score: 5, Insightful

    MS should have been all over this once the news hit. Why did it take them so long to get a patch out the door for this vulnerability? I suppose I could understand that it was the holiday, but even then, with 90%+ marketshare, you have an obligation to get that patched up ASAP.

    I think that's a bit unfair. We got news of this zero day exploit the 27th of December? It's still only about 10 days to produce a patch and test it. It fixes multiple versions of Windows too. IMO it didn't take too long for MS to fix it compared to the 200+ day fixes you read about regulary on eEye's site. Of course the not so good design of Windows doesn't help either. Windows is not modular so fixing something like an image processing function can impact the entire kernel, it needs extra testing.