Interview with Ilfak Guilfanov

GrayWolf42 writes "SecuriTeam Blogs has posted an interview with Ilfak Guilfanov, one of the people developing the IDA Pro disassembler, who also happens to have written the unofficial WMF vulnerability patch. In this short interview he discusses the patch, how it works, and why he wrote it." From the article: "Q: When you heard of this vulnerability, you created a temporary patch to close the hole until Microsoft updated its software. Could you tell us more about what the patch does? A: The patch just removes this powerful command. It does not do anything else. The fix modifies the memory image of the system on the fly. It does not alter any files on the disk. It modifies [the image of] the system DLL 'gdi32.dll' because the vulnerable code is there." Microsoft has released an official update, which you should be able to download from the windows update site.

From the Interview...

[IAAP]

... There is one very powerful command code in WMF files. This command code means 'if something wrong happens, do the following: ...'. So the creator of the WMF file can make your computer do anything he/she wants by using this command code and deliberately creating an error condition afterward.

So this is a design issue?

Yes, it is a design issue.

I would think the MS would have a department of crackers and hackers to try to do shit like this. Also, didn't any of the original developers think of this when they wrote it or did they think the exploit was so remote, that it'll never happen?

Re:From the Interview...

[IAAP]

I guess now it's back to my first question. Considering the beating that MS' security reputation is getting, if I were Balmer, I'd be setting up a division of crackers to try to find this shit before the bad guys do. OTOH, this is great for Linux, *BSDs, GNU, etc...

Re:From the Interview...

[HalAtWork]

Also, didn't any of the original developers think of this when they wrote it or did they think the exploit was so remote, that it'll never happen?

I guess they thought the chances were remote, because when MS were doing their security review and subsequently made their GDI vulnerability detection tool available, it was not designed to pay attention to this vulnerability. I wonder if they have updated the tool?

Re:Slashdot Windows logo

[networkBoy]

we could but then we'd be sued for trademark infringement. The current logo is unique enough to be "artistic expression".
-nB

Re:Why not scramble all DLL's and EXE's on the fly

Or just do what OpenBSD does: Make writable memory non-executable, make executable memory non-writable. This bit of common sense is disappointingly rarely implemented.

Re:You're missing the point, though

[j79zlr]

Actually I believe that this was being exploited as early as December 14th according to one security blog [which I can't find at the moment]. I don't think the exploit was widespread until the 27th. Either way, it still took too long to patch.

I understand that gdi32.dll is pretty much the equivalent of glibc, so its not something they want to modify without testing, but they should have at least went ahead and released the patch to the home users, production servers and the like, shouldn't of been affected by this [shouldn't be browsing around porn or warez sites, atleast not on the server] and their administrators could have easily held back the update until further notice/testing.

  Imagine if say, google.com or yahoo.com or microsoft.com were hacked in this time period, for nothing other than to upload and display an infected wmf file...............