Slashdot Mirror

← Back to Stories (view on slashdot.org)

Interview with Ilfak Guilfanov (WMF Patch Hero)

Posted by Zonk on from the small-acts-lead-to-big-things dept.

GrayWolf42 writes "SecuriTeam Blogs has posted an interview with Ilfak Guilfanov, one of the people developing the IDA Pro disassembler, who also happens to have written the unofficial WMF vulnerability patch. In this short interview he discusses the patch, how it works, and why he wrote it." From the article: "Q: When you heard of this vulnerability, you created a temporary patch to close the hole until Microsoft updated its software. Could you tell us more about what the patch does? A: The patch just removes this powerful command. It does not do anything else. The fix modifies the memory image of the system on the fly. It does not alter any files on the disk. It modifies [the image of] the system DLL 'gdi32.dll' because the vulnerable code is there." Microsoft has released an official update, which you should be able to download from the windows update site.

42 of 167 comments (clear)

  1. SecuriTeam blogs by GrayWolf42 · · Score: 5, Informative

    Seems like the site also provides with a binsiff output of the Microsoft patch: http://blogs.securiteam.com/index.php/archives/184 The "SecuriTeam Blogs" site has been a very good source for real-time security information since it came online.

  2. ok... by User+956 · · Score: 5, Insightful

    MS deserves bashing for the flaw, but there's a difference between an untested one-man release, and the official, QA'd patch. Part of the reason Microsoft couldn't release a patch immediately is because they need to make sure their fix doesn't break snything else.

    --
    The theory of relativity doesn't work right in Arkansas.
    1. Re:ok... by ackthpt · · Score: 3, Insightful
      MS deserves bashing for the flaw, but there's a difference between an untested one-man release, and the official, QA'd patch. Part of the reason Microsoft couldn't release a patch immediately is because they need to make sure their fix doesn't break snything else.

      Often, historically, Microsoft's approach has been the same, to just take away the offending bit.

      When the actually correct the code is where Microsoft have sometimes introduced new vulnerabilities, perhaps because the focus of their Q/A is too narrow.

      --

      A feeling of having made the same mistake before: Deja Foobar
  3. Microsoft Update by Chalex · · Score: 3, Insightful

    I think the /. post should link to Microsoft Update and not Windows Update. Microsoft Update will patch MS Office and other products as well as Windows. It's one step closer to "apt-get update; apt-get upgrade".

    1. Re:Microsoft Update by wiz31337 · · Score: 3, Funny

      I just received an e-mail that the IT department where I work will be pushing out the new Microsoft Patch at 2:00PM.

      On a related note: This may be my last /. post for today.

      --
      /whisper/ Thanks for the candy!
  4. From the Interview... by IAAP · · Score: 5, Interesting
    ... There is one very powerful command code in WMF files. This command code means 'if something wrong happens, do the following: ...'. So the creator of the WMF file can make your computer do anything he/she wants by using this command code and deliberately creating an error condition afterward.

    So this is a design issue?

    Yes, it is a design issue.

    I would think the MS would have a department of crackers and hackers to try to do shit like this. Also, didn't any of the original developers think of this when they wrote it or did they think the exploit was so remote, that it'll never happen?

    1. Re:From the Interview... by mobiux · · Score: 4, Informative

      Considering it went back to windows 98, i don't think they anticipated the current computing climate at all.

    2. Re:From the Interview... by IAAP · · Score: 2, Interesting

      I guess now it's back to my first question. Considering the beating that MS' security reputation is getting, if I were Balmer, I'd be setting up a division of crackers to try to find this shit before the bad guys do. OTOH, this is great for Linux, *BSDs, GNU, etc...

    3. Re:From the Interview... by cnettel · · Score: 4, Informative

      It goes back to Windows 3.0. You know, the one which relied on DOS software for network access, without sockets. You know, the one where using any memory protection at all was an OPTION (kind of mandatory in 3.1 and up, even if it was far from complete).

    4. Re:From the Interview... by hey · · Score: 3, Funny

      And everytime the cracker time finds a hole Balmer throws a chair at them.

    5. Re:From the Interview... by HalAtWork · · Score: 2, Interesting
      Also, didn't any of the original developers think of this when they wrote it or did they think the exploit was so remote, that it'll never happen?

      I guess they thought the chances were remote, because when MS were doing their security review and subsequently made their GDI vulnerability detection tool available, it was not designed to pay attention to this vulnerability. I wonder if they have updated the tool?

      --
      Twinstiq, game news
    6. Re:From the Interview... by bmajik · · Score: 4, Insightful

      I would think the MS would have a department of crackers and hackers to try to do shit like this. Also, didn't any of the original developers think of this when they wrote it or did they think the exploit was so remote, that it'll never happen?


      We have a few security-focused assets in the company.

      There is a team that grew out of some of the company-wide security folks that are sort of the "gatekeepers" now for all software that leaves the building.. you have to pass their audits, which are primarily about running internally brewed tools against your source code and binaries. As we get better at this stuff we update our tools and as the tools find things the developers get smarter about not writing dumb code to begin with, the testers get better at writing evil tests, and the PMs get better about recognizing that a feature is a problem-by-design to begin with.

      This team will also do some code/design review, and will make you justify any bugs you decided to "Won't Fix" during the developmnent cycle. Our bug tracking systems have all been amended to include lots of rich info re: security/threat impact, and this team mines that data as well.

      They do _very_ limited penetration testing.

      Distributed across teams there are security "representatives" that are supposed to coordinate training and getting the latest tools/best practices out to the developers/testers at large.

      Development teams are required to create threat models for all feature areas. The threat model library must be presented to the "gatekeeper" team described earlier as well.

      Some teams are building local penetration testing teams.. which ahve product/feature area domain expertise.. but also understand the art of penetration testing. We don't have enough "centralized" resources to have a crack team of pen testers that cover all products. They can provide guidance/expertise/interviewing/whatever, but ultimately cant cover the whole company. Building a culture of grey-hat minded people and sprinkling them through-out every product team takes a long time.

      Note that everything i am describing did not exist at MS 5 years ago. Blaster, Nimda, CodeRed, Melissa, etc really kicked our ass with customers. In a way, we needed all those so that internally people could really justify making the investments needed in security. There was a lot of sentiment along the lines of "we got to be #1 with the way we've been doing things, who are you to argue?", from a lot of really smart, strong-minded people.

      Breaking that and reforming them to the new religion takes time.

      We have a _huge_ debt of bad code, bad practices, bad developers, bad testers, and bad managers. We've been working pretty hard to pay down that debt. When i say "bad developer" i mean "developer that wrote code for years, never having to care about security", not that the developer is stupid/has malcious/intentionally poor habits.

      Based on how often we issue patches, # of patches released for a given product, etc now compared to say, Win2k, i think the changes are already starting to pay dividends for us. Server 2003 is a lot better out-of-box than Server 2000 was. If nothing else, when i read a design doc or look at a bug report now and feel like it might be a problem, and say so, people take me more seriously. They aren't as apt to play the "it's not my problem" or "that can't happen in the real world" games as they were just a few years ago.

      --
      My opinions are my own, and do not necessarily represent those of my employer.
  5. Security Now! Interview by AnalystX · · Score: 2, Informative

    http://thisweekintech.com/sn21

  6. Microsoft can boost your notariety by digitaldc · · Score: 3, Funny

    The guy removes one line of code and becomes famous almost instantly.
    Why didn't anyone a Microsoft think of this solution? They might have been put in charge of their own security team.

    --
    He who knows best knows how little he knows. - Thomas Jefferson
    1. Re:Microsoft can boost your notariety by Rolan · · Score: 5, Informative
      Why didn't anyone a Microsoft think of this solution?


      They did. The official patch has the same end effect as the unofficial one. The only difference is in method. Microsoft modified the source code to remove the vulnerability instead of removing it in memory.
      --
      - AMW
    2. Re:Microsoft can boost your notariety by cheezit · · Score: 4, Informative

      The guy did not "remove one line of code." He used a DLL injection technique (documented by Richter in Advanced Windows Programming) that allows him to replace the registered address of a function in gd132.dll. This is not beginner coding, it works fine in principle but is not easy to pull off and have be reliable.

      One problem, for instance, is that if some other hacker came along and reset the function pointer with their *own* dll, we'd be back to square one (tho that requires a greater level of system access). And the DLLs themselves don't have explicit control over when they get loaded, so they can't guarantee that they are first or last.

      Microsoft's patch is nothing like his. They (I'm guessing) rebuilt gdi32.dll to actually turn the function into a no-op. Adequate testing by MS would have to include ensuring that all the various WMFs dynamically generated by the OS are not adversely affected.

      --
      Premature optimization is the root of all evil
    3. Re:Microsoft can boost your notariety by courtarro · · Score: 2, Insightful
      I'd be willing to bet that Microsoft knew exactly what was wrong and exactly how to fix it within hours of being notified about the problem. From their own FAQ, you'll see that there's quite a bit more involved than simply disabling the function and putting the new DLL on Windows Update. They've got many languages, different versions of Windows, and millions of customers running all sorts of weird crap on their machines that Ilfak doesn't have to worry about in order to maintain his job.

      Also, most people running Ilfak's patch are going to know what they're doing well enough to expect changes in their machine's behavior if the patch causes problems. If MS put the exact same patch on Windows Update and every granny's and PHB's computer applied it overnight, it would be equally bad publicity when millions of less-tech-inclined users wake up the next day and can't add EPS clipart to their PowerPoint presentations because the patch prevented vector graphics from working at all.

      Think about it - when you installed Ilfak's patch, did you think that it was failsafe? No, if you're smart, you figured it was better than nothing and went ahead anyway. Microsoft can't afford to release something that's "better than nothing". Only after several days of Ilfak's patch being released, without any serious side effects being reported, could you really be sure that it was a truly good solution. By then, it was only a couple more days before MS released their official patch that made the same solution permanent within the DLL.

  7. Root of the problem by Billosaur · · Score: 3, Insightful

    From SecuriTeam Blogs: Is there anything that you think should be done to make vulnerabilities like this less dangerous in the future?

    Good design and good coding practices, but that is easier said than done.

    But shouldn't that be everybody's focus? We're seeing a lot of articles this week on coding practices, bugs, and vulnerabilities, and it all boils down to how hard every programmer is going to work to eliminate them. It's unrealistic to think that there will be no bugs in any piece of code, but if there are to be bugs/vulnerabilities, their impact should at least be minimized. And it's going to take teamwork; the day of the lone programmer capable of wiping out the bugs is long over.

    --
    GetOuttaMySpace - The Anti-Social Network
    1. Re:Root of the problem by rewt66 · · Score: 4, Insightful
      This particular problem has a deeper root. The problem is that the code is working as designed, and is well-designed to do what was intended.

      The problem is in what was intended. If your "feature" is a boneheaded security hole, no amount of good design and good coding can save you. All they will get you is a beautifully designed, perfectly coded boneheaded security hole.

    2. Re:Root of the problem by dc29A · · Score: 2, Insightful

      But shouldn't that be everybody's focus? We're seeing a lot of articles this week on coding practices, bugs, and vulnerabilities, and it all boils down to how hard every programmer is going to work to eliminate them. It's unrealistic to think that there will be no bugs in any piece of code, but if there are to be bugs/vulnerabilities, their impact should at least be minimized. And it's going to take teamwork; the day of the lone programmer capable of wiping out the bugs is long over.

      Hey now, programmers aren't the only ones responsible. Yes programmers produce code with bugs, yes they do try to correct it until Mr.Manager comes in and tells them they need to ship yesterday. Right now finding and fixing elusive bugs and security issues is not even close to the top priority for the majority of the companies, it costs money and it doesn't produce any money. They rather ship the coding team to start cranking out a new project/version. Not to mention for desktop software, the vast majority of the users don't even know what the hell a security hole is. So they don't care, there is no pressure on companies to produce quality code and invest time and resources into finding and fixing bugs. Until there is no governement regulation about software security, sloppy and unsecure software will continue to exist in large numbers, especially for desktops.

      We only see things like "Trusted Computing Initiative" and other BS propaganda like that when a company takes a LOT of bad mainstream press. The only time companies cave into pressure fixing their software when there is a huge outcry from the press. Of course that is all caused by no one in managmenet giving a fsck about quality, just to ship version X of the software ASAP and start working on version X+1.

    3. Re:Root of the problem by Pike · · Score: 2, Funny

      "All they will get you is a beautifully designed, perfectly coded boneheaded security hole."

        - at best.

      It might have bugs, which might close the security hole.

  8. Actual link to the MS-official patches by mflorell · · Score: 3, Informative

    http://www.microsoft.com/technet/security/bulletin /ms06-001.mspx

  9. You're missing the point, though by thewldisntenuff · · Score: 3, Insightful

    MS should have been all over this once the news hit. Why did it take them so long to get a patch out the door for this vulnerability? I suppose I could understand that it was the holiday, but even then, with 90%+ marketshare, you have an obligation to get that patched up ASAP. This could have been a lot worse than it is/was, but I think the pressure from outside and the release of the "unofficial" patch is ultimately what got MS off it's collective ass and back to work.

    --
    My MythTV HowTo
    1. Re:You're missing the point, though by dc29A · · Score: 5, Insightful

      MS should have been all over this once the news hit. Why did it take them so long to get a patch out the door for this vulnerability? I suppose I could understand that it was the holiday, but even then, with 90%+ marketshare, you have an obligation to get that patched up ASAP.

      I think that's a bit unfair. We got news of this zero day exploit the 27th of December? It's still only about 10 days to produce a patch and test it. It fixes multiple versions of Windows too. IMO it didn't take too long for MS to fix it compared to the 200+ day fixes you read about regulary on eEye's site. Of course the not so good design of Windows doesn't help either. Windows is not modular so fixing something like an image processing function can impact the entire kernel, it needs extra testing.

    2. Re:You're missing the point, though by Diamon · · Score: 4, Informative
      I think that's a bit unfair. We got news of this zero day exploit the 27th of December? It's still only about 10 days to produce a patch and test it. It fixes multiple versions of Windows too. IMO it didn't take too long for MS to fix it compared to the 200+ day fixes you read about regulary on eEye's site. Of course the not so good design of Windows doesn't help either. Windows is not modular so fixing something like an image processing function can impact the entire kernel, it needs extra testing.

      Additionally if you check the timestamp on %WINDIR%\System32\gdi32.dll (the file fixed by Microsoft's patch) you'll see that it is dated 12/28. So we found out about the exploit on 12/27, Microsoft had it fixed the next day (assuming they didn't modify the file dates for any reason) and spent the remainder of the time testing the patch.
    3. Re:You're missing the point, though by j79zlr · · Score: 2, Interesting

      Actually I believe that this was being exploited as early as December 14th according to one security blog [which I can't find at the moment]. I don't think the exploit was widespread until the 27th. Either way, it still took too long to patch.

      I understand that gdi32.dll is pretty much the equivalent of glibc, so its not something they want to modify without testing, but they should have at least went ahead and released the patch to the home users, production servers and the like, shouldn't of been affected by this [shouldn't be browsing around porn or warez sites, atleast not on the server] and their administrators could have easily held back the update until further notice/testing.

        Imagine if say, google.com or yahoo.com or microsoft.com were hacked in this time period, for nothing other than to upload and display an infected wmf file...............

      --
      I'm not not licking toads.
    4. Re:You're missing the point, though by ergo98 · · Score: 3, Insightful

      Windows is not modular so fixing something like an image processing function can impact the entire kernel, it needs extra testing.

      I think you misunderstand the meaning of modular. Because Windows is modular the change of one module can impact a number of processes.

    5. Re:You're missing the point, though by CFrankBernard · · Score: 3, Informative

      The 27th? Security firm PivX was able to program an update for preEmpt that blocked all of the WMF exploit vectors on Win9x and higher without breaking anything. It was made available for its auto-updating clients on December 7th (2005-12-07).

  10. Podcast Interview by Anonymous Coward · · Score: 2, Informative

    Leo Laporte and Steve Gibson also interviewed him yesterday in their very professional sounding security podcast.

  11. Why not scramble all DLL's and EXE's on the fly? by DoktorFuture · · Score: 5, Insightful

    Why not just auto-scramble the DLL code on the fly for every installation of the Windows OS?
    That would mean buffer overflows are essentially defeated on a vast majority of cases? One simple thing we could do would be to insert random NOP's in DLL's, making the buffer overflow get the correct offset wrong most of the time and thus fail to work. I'm sure there are dozens of more clever ways to achieve this, in a completely general sort of way.

    The reason these attacks spread is that the binary code is essentially a monoculture crop -- all clones of each other. Why not take the SID of a system, or some GUID, and use it to morph all the binary images on a system in a unique way for that system?

    Since lots of attacks use NOP's, XOR'd code, and other techniques to avoid being detected as code, why don't we apply the same techniques to our binary objects to obfuscate them from the attacking code?

    Paul Sop

  12. Re:Slashdot Windows logo by networkBoy · · Score: 2, Interesting

    we could but then we'd be sued for trademark infringement. The current logo is unique enough to be "artistic expression".
    -nB

    --
    whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
  13. Re:Why not scramble all DLL's and EXE's on the fly by Anonymous Coward · · Score: 5, Interesting

    Or just do what OpenBSD does: Make writable memory non-executable, make executable memory non-writable. This bit of common sense is disappointingly rarely implemented.

  14. Re:How wierd by mopslik · · Score: 2, Insightful

    Maverick patches are the last thing we need. And now, since this guy is getting a bunch of press, we will have 90 million hackers trying to be the first to release a patch for the next MS bug.

    So who's the one at fault: the maverick hacker who writes a patch, or the user who chooses to install it instead of waiting for the official patch from Redmond?

    You do know that Ilfak's patch was optional, right?

  15. Re:Why not scramble all DLL's and EXE's on the fly by CoderBob · · Score: 2, Insightful
    The reason these attacks spread is that the binary code is essentially a monoculture crop -- all clones of each other. Why not take the SID of a system, or some GUID, and use it to morph all the binary images on a system in a unique way for that system?

    That's all reversible information, though. Somewhere, for an executable to work, this information would need to be stored, and on the disk. Considering that nothing stored on disk is completely secure, I don't see this as a viable option.

    Consider the GUID option: That GUID is going to have to be known so that everytime a new DLL or EXE or other executable code file is copied, on an OS level, to the system, that it be modified to include the correct jump points. It would be trivial to write a hack that grabs this GUID stored somewhere. Knowing that this GUID is used to jumble the locations of a process, the whole thing could be "undone". Even if you were to generate the GUID on the fly (with each execution) the problem arises that the original executable code is still on the disk somewhere- and that you can get at that file. The only security this creates would be fleeting, because it depends on the method of "encrypting" the file with the GUID be secret or that the method the GUID is created with be secret. Otherwise, it's all easily repeatable by anyone who takes the time to determine how the GUID is generated.

    Even in a best-case scenario, in which the GUID is generated based on some known information and some pseudo-random information, applied on execution of the file on the OS level, and then the file is run from memory, could still fall prey to some easy hacks: Patterns. If the file is ever stored on the disk, it can be analysed, patterns generated from it, and memory locations could be determined from that.

    Basically, any executable stored is vulnerable to this unless the code is secure to begin with. Instead of patching the entire system with a solution that is more of a cold medicine-style fix, the key is to have both have engineers design good specs and to have programmers write better code.

  16. irony by seudafed · · Score: 2, Funny

    http://www.datarescue.com/freefiles/funnyad.jpg

  17. Re:Patch doesn't work for me by Fishstick · · Score: 2, Funny

    >I'm not sure [..] if Windows is just POS software.

    Really? Let me clear that up for you ...

    --

    There is much cruelty in the universe, John.
    Yeah, we seem to have the tour map.

  18. Re:You had me going right up until . . . by mmell · · Score: 2, Insightful
    Yes, but inserting NOP's into a DLL requires you to compute and store entry points, does it not? I mean, there's gotta be a jump table somewhere, right? That computation must be replicable in order for software to use it; so all an enterprising cracker need do is perform the same count valid software has to and voila - security bypassed.

    Doesn't matter where in the software you hide the algorithm, the algorithm must be available in software and therefore provides only the illusion of security. Sorta like locking the front door, but leaving the key under the door mat (when everybody knows that you leave the key somewhere near the front door).

    Put it in hardware, and you've begun sliding down the slippery slope leading to "Trustworthy Computing".

    This is all wide of the point, however; the problem isn't a buffer overflow, it's a well-coded but ill-concieved functionality built into Windows by design. Going back to that front door, it's a mail-slot large enough to put your arm into, in case you ever need to spin the doorknob from the inside. Not intended to make your home insecure, but rather to make your life easier. Oopsy! Didn't realize that thieves could also reach through the mail slot.

  19. A few reasons i can think of that complicate it.. by bmajik · · Score: 3, Informative

    I'm not saying these are (necessarily) insurmountable, but:

    One doesn't really have _full_ flexibility in binary layout. There are issues like word alignment to be aware of.

    Windows needs to know how to get the address of a symbol, by name, dynamically. Even if you change the address underneath, the exploit only needs to call a routine to just call the moved function by name.

    One of the advantages of DLLs is that the text (code) segments are shared cross-process. If you want to make the loader muck with the images per-process, you effectively have static libraries. This is lethal on server type applications with hundreds or thousands of separate address spaces.

    Note that if you _dont_ do per-process space scrambling, your exploit can just scan its entire address space to see where the relocated stuff is, because it will be the same in all the other address spaces on the box.

    Finally - this was a spec defect - my understanding is that the code is actually running as designed.. it's just a facility that has no business in a modern, assumed-hostile computing world.

    --
    My opinions are my own, and do not necessarily represent those of my employer.
  20. Re:Slashdot Windows logo by 99BottlesOfBeerInMyF · · Score: 2, Insightful

    hanks for clearing that up. I find it hard to believe that Microsoft would threaten to sue over something like that.

    MS threatening to sue is news to me. It sounds like pure speculation. My pure speculation is that the icon was created by someone right after MS did one of the thousands of annoying/illegal/unethical things they regularly do to piss off the computer industry as a whole (you know like buy out and kill a cool technology, intentionally break a standard, or bundle yet another software package illegally) or after someone has just finished several hours of trying to deal with their buggy software. Generally, after hearing the 507th thing MS has done to slow down the progress of computing, sentiment against them is running high enough so that people with a clue are amused and gain some stress relief from a simple mockery of them. I know after a few hours of coding workarounds for IE's broken version of HTML I'm more than happy to see something mocking MS. It's not prejudice to judge someone after observing their behavior for years.

    I predict a non-mocking logo for MS will replace the existing one about one year after MS stops pissing everyone off by being evil.

  21. Also by shoptroll · · Score: 2, Informative

    There's also an interview with him in yesterday's Security Now! podcast

    http://www.twit.tv/

    --
    Insert Sig Here
  22. Re:Why not scramble all DLL's and EXE's on the fly by Rufus211 · · Score: 4, Informative
    Or just do what OpenBSD does: Make writable memory non-executable, make executable memory non-writable. This bit of common sense is disappointingly rarely implemented.

    That's exactly what the Data Execution Prevention (DEP) is. It requires XP SP2 and a CPU that has the NX bit (or I forgot what Intel called the "we didn't copy this form AMD" bit). In fact, it appears that DEP does stop the exploit.
  23. Yep, read my /. comment... by antdude · · Score: 2, Informative

    See here.

    --
    Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).