Slashdot Mirror


Interview with Ilfak Guilfanov (WMF Patch Hero)

GrayWolf42 writes "SecuriTeam Blogs has posted an interview with Ilfak Guilfanov, one of the people developing the IDA Pro disassembler, who also happens to have written the unofficial WMF vulnerability patch. In this short interview he discusses the patch, how it works, and why he wrote it." From the article: "Q: When you heard of this vulnerability, you created a temporary patch to close the hole until Microsoft updated its software. Could you tell us more about what the patch does? A: The patch just removes this powerful command. It does not do anything else. The fix modifies the memory image of the system on the fly. It does not alter any files on the disk. It modifies [the image of] the system DLL 'gdi32.dll' because the vulnerable code is there." Microsoft has released an official update, which you should be able to download from the Windows Update site.

10 of 167 comments

  1. From the Interview... by IAAP · Score: 5, Interesting
    ... There is one very powerful command code in WMF files. This command code means 'if something wrong happens, do the following: ...'. So the creator of the WMF file can make your computer do anything he/she wants by using this command code and deliberately creating an error condition afterward.

    So this is a design issue?

    Yes, it is a design issue.

    I would think that MS would have a department of crackers and hackers to try to do shit like this. Also, didn't any of the original developers think of this when they wrote it, or did they think the exploit was so remote that it'll never happen?

    1. Re:From the Interview... by IAAP · Score: 2, Interesting

      I guess now it's back to my first question. Considering the beating that MS' security reputation is getting, if I were Ballmer, I'd be setting up a division of crackers to try to find this shit before the bad guys do. OTOH, this is great for Linux, *BSDs, GNU, etc...

    2. Re:From the Interview... by HalAtWork · Score: 2, Interesting
      Also, didn't any of the original developers think of this when they wrote it or did they think the exploit was so remote, that it'll never happen?

      I guess they thought the chances were remote, because when MS were doing their security review and subsequently made their GDI vulnerability detection tool available, it was not designed to pay attention to this vulnerability. I wonder if they have updated the tool?

  2. Re:Slashdot Windows logo by networkBoy · Score: 2, Interesting

    we could but then we'd be sued for trademark infringement. The current logo is unique enough to be "artistic expression".
    -nB

    --
    whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
  3. Re:ok... by Anonymous Coward · Score: 1, Interesting

    Part of the reason Microsoft couldn't release a patch immediately is because they need to make sure their fix doesn't break anything else.

    I've got a big fat BOLLOCKS to that. How much software uses WMFs? How much software relies on being able to supply its own error-handling code should that WMF not display properly? In the WMF file itself?

    Now weigh "all those" applications (i.e. practically none) against the people that can be/have been/will be compromised with this vulnerability. Care to make a bet as to which side a) numbers the most and b) how severe each side is?

    This is about as straightforward and safe a patch as there can possibly be. It's bureaucracy that stopped Microsoft, not technical difficulties.

  4. How weird by Anonymous Coward · Score: 0, Interesting

    I agree with "User 956 (568564)", this type of thing should not be encouraged. What if that custom patch had some sort of flaw that resulted in some major problem or data loss?

    Maverick patches are the last thing we need. And now, since this guy is getting a bunch of press, we will have 90 million hackers trying to be the first to release a patch for the next MS bug. And next time, it might not be so stupidly simple to fix.

  5. Re:Why not scramble all DLL's and EXE's on the fly by Anonymous Coward · Score: 5, Interesting

    Or just do what OpenBSD does: Make writable memory non-executable, make executable memory non-writable. This bit of common sense is disappointingly rarely implemented.

  6. Re:Microsoft can boost your notoriety by Anonymous Coward · Score: 1, Interesting

    Have you ever used IDA Pro, which this guy wrote? If not, trust me, he doesn't need this to be regarded in the community. I think any security guy or cracker who has used IDA Pro respected him completely before this wmf thing came out.

  7. Without Source Code by AB3A · Score: 1, Interesting

    I think Microsoft deserves a great deal of criticism for their response to this exploit. Let's face it, exploits will always be a fact of life. How we deal with them is what separates the kids from the adults.

    In this context I find it quite amusing that Guilfanov was able to make a quick and effective fix without the benefit of the source code for gdi32.dll. In contrast the folks at Microsoft thrashed around for more than a week before realizing the significance and the simplicity of the fix.

    I wonder how many more times this sort of thing will have to happen before people realize what a poor job Microsoft is doing managing their security flaws. What are people paying them for, anyway?

    --
    Nearly fifty percent of all graduates come from the bottom half of the class!
  8. Re:You're missing the point, though by j79zlr · Score: 2, Interesting

    Actually I believe that this was being exploited as early as December 14th according to one security blog [which I can't find at the moment]. I don't think the exploit was widespread until the 27th. Either way, it still took too long to patch.

    I understand that gdi32.dll is pretty much the equivalent of glibc, so it's not something they want to modify without testing, but they should have at least gone ahead and released the patch to the home users. Production servers and the like shouldn't have been affected by this [shouldn't be browsing around porn or warez sites, at least not on the server], and their administrators could have easily held back the update until further notice/testing.

    Imagine if, say, google.com or yahoo.com or microsoft.com were hacked in this time period, for nothing other than to upload and display an infected wmf file...

    --
    I'm not not licking toads.