Two New WMF Bugs Found
Resident Egoist writes "Via PCWorld the news that two new Metafile bugs have been found, just a week after the patching of previous critical WMF issues." From the article: "All three flaws concern the way Windows renders images in the Windows Metafile (WMF) format used by some CAD (computer-aided design) applications, but these latest flaws are far less serious than the vulnerability that Microsoft patched last week, according to security experts. That vulnerability was serious enough to cause Microsoft to take the unusual step of releasing an early patch for the problem, ahead of its monthly security software update."
It's going to be tough on them, but they really hope that Windows can surpass the number of vulnerabilities in unix/linux.
MS: These new WMF bugs are considered non-critical and a patch will be released during the normal patch release schedule (aka Feb 14).
In other news, Ullrich's quote in TFA was hilarious.
Who will guard the guards?
I normally don't take that much notice of the various security announcements, because most people cause their own trouble on the internet through their mode of behaviour. These news reports really are starting to make me wonder what other holes there are in Microsoft products.
Wellybog
http://www.wellybog.com
So Microsoft poo-poos the bugs. Not an issue, overblown, won't affect anybody.
Andy Grove could advise them on how not to handle such situations.
please tell me one of the bugs is not a bee, we're still sorting it out.
A feeling of having made the same mistake before: Deja Foobar
What's so unusual about that? (Seriously, it seems to happen every few months.)
...a hacker has published details of two new flaws that affect the same part of the operating system.
If you read the post on the security mailing list it sounds like someone trying to get this vulnerability out in the open so it can be fixed. Unless they mean a "white hat" hacker or a hacker in the real sense of the word but I doubt it. This is one of those words that should be used carefully, especially by "journalists".
Bradley Holt
oh this does not count as it was a different problem and can't be exploited (yet) and just because it is in the same code I am a meanie for thinking MS should have fixed WMF once and for all?
8 days should have been enough time for MS to completely check the code involved and use every attack possible. The fact that MS obviously hasn't bothered shows they still don't understand security. Of course hackers are going to try to find new exploits in WMF code since they know MS and that if there is one bug there must be others.
Oh well, at least the MS apologists get their daily exercise again. Wonder what drivel they come up with this time.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
Unfortunately, these days everyone is accustomed to MS and software in general having bugs. Back when Intel was hit, it wasn't commonly known that sometimes CPUs and hardware do have bugs. People tolerate software bugs because they assume there will be a patch. With hardware, you most likely will need a replacement part.
Well, there's spam egg sausage and spam, that's not got much spam in it.
... what a fucking mess.
Why aren't the programmers that worked on any given buggy module ever named? If you faced public ridicule and loss of reputation for releasing exploitable code you might be more careful about what you certify as ready to ship.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
...if Microsoft had had the extra time and not released the patch until they considered it "fully tested", would they have caught these bugs as well?
Knowing that the WMF code is now under the microscope, will they divert resources to specifically re-vet that code, or will they sit on their rear ends and wait until another exploit is found for them?
As a tidbit of information, I have "converted" three of my neighbors to Linux -- at least dual booting, if not whole penguin -- in the last two months. Each time was at their request and for the exact same reason. Their Windows PC regularly gets trashed by spyware, viruses and worms and they've just damn well had enough in having to deal with it all. They want to get their work done, not fight with malware and have to upgrade machines because their old one isn't powerful enough to run their apps AND all the "keep me safe" software.
-Charles
Learning HOW to think is more important than learning WHAT to think.
The best part is the response from Lennart Wistrand yesterday on the MS Security Response blog. "As it turns out, these crashes are not exploitable but are instead Windows performance issues that could cause some WMF applications to unexpectedly exit." -- Lennart Wistrand http://blogs.technet.com/msrc/archive/2006/01/09/417198.aspx
"...but these latest flaws are far less serious than the vulnerability that Microsoft patched last week, according to security experts." This sentence says that according to security experts Microsoft has patched the previous vulnerability. The sentence should read: "...but these latest flaws are far less serious, according to security experts, than the vulnerability Microsoft patched last week."
As much fun as it is to lambast Microsoft for this kind of thing, the types of exploit that have been "exposed" recently are very difficult to predict in advance (i.e. use of software features in unexpected ways). It's a little like blaming Boeing for letting their aircraft be flown towards tall buildings...
More info in this Microsoft Security Resource Center (MSRC) blog post.
Wouldn't this make 6 bugs on *nix - two for each of cedega, wine & crossover?
... Microsoft will never catch up.
"Women are just like ninjas; They lie even when it is more convenient to tell the truth." ~ Unknown
Announcing Bill The Cat's PC Operating System -- As many bugs, if not more than other leading brands, such as Microsoft Windows 98, 2000 and XP!
(Or do I?)
. . . that any Windows PC used to read this Slashdot story is now infected with a worm that exploits these WMF security holes.
Darn banner ads!
With spending like this, exactly what are "conservatives" conserving?
ELOI, ELOI, LAMA SABACHTHANI!?
We Share Your Pain (WE-SUP)
But still released many days after independent programmers (e.g. Ilfak Guilfanov) managed to build a fix. At work (a national lab), we were explicitly instructed not to wait for the early Windows patch.
i\hbar\dot{\psi}=\hat{H}\psi
"As much fun as it is to lambast Microsoft for this kind of thing, the types of exploit that have been "exposed" recently are very difficult to predict in advance"
Oh, do you really believe that it is difficult to predict that failure to check for null pointers in C code might lead to serious problems? Criticizing coding and QC practices that don't measure up to professional standards is hardly facile or unworthy. It's sort of like criticizing rampant fraud, waste, and abuse in our government. Never excuse the inexcusable.
Yeah, I thought that was odd too.
I feel safe on windows now. ...
Call within the next 48 hours and you will get Outlook and Exchange bug fixes as well...
7 04
http://www.itnews.com.au/newsstory.aspx?CIaNID=21
Microsoft TC0 in New York - 354,55 (+2,57)
" " in London (Brent) - 360,00 (+2,03)
All you people that wanted Windows to rush out a fix. Take that. Now you see that rushing isn't always the best policy. They just need to take their time and make sure everything works. And, if that means they never actually fix the problem, well so be it. It's better than rushing and then realizing they only scratched the surface of the problem. Because, that's embarrassing.
That statement is far less misleading than your analysis. Obviously you didn't read the entire summary, much less the article.
From TFA: "...the latest vulnerabilities appear to pose the risk of simply crashing the WMF-viewing software, typically Internet Explorer".
Crashing. Whoop-dee-doo. Annoying, sure. Hardly a security issue. (And no, the crash hasn't been shown to allow executed code, either.)
-David
One of our developers applied the Microsoft fix (along with ten others) this morning. He can no longer debug multi-threaded code in MSDev version 6.0. Stopping on a break point in any thread other than the main thread locks the GUI for all processes. At this point, we are testing if this is isolated to MSDev version 6 or all debuggers. We also do not know which of the ten or so patches was responsible. I would be interested to know if anyone else encounters this. At this point, our developer will be reinstalling his machine on Tuesday.
-Hope
Part of the problem is that MS is reluctant to phase out obsolete technologies.
Take WMF files for example. Obviously nobody making new software today would incorporate WMF technology. It's obsolete and unpopular. The only people who use WMF tech today are those who are using software that was designed to make use of that format. And therein lies the problem. At some point in time, software programs were created that used WMF technology. MS could come out and say "WMF is obsolete, and rather than take the risk of continuing to include a software component that may compromise security, we're going to completely remove support for it in future versions of Windows, since barely anybody uses it anyway." If MS were to say that with enough legacy technologies, people would get mad at them. If you're using or writing software for some new technology, you AT LEAST want to take solace in knowing that, even if it's unpopular and discontinued, it will at least remain USABLE on future systems.
So I can sort of understand MS's pickle from that point of view. It's sort of like users complaining that some security hole in Windows 3.1 has, in 2005, still not been patched. And on the other hand, a whole wave of users would potentially be up in arms if MS decided to, in the name of security, remove support for running old 16-bit Windows 3.1 programs in Windows XP.
And incidentally, I have a box of clip art CDs in WMF format.
The same people on this forum who would criticize MS for not patching AND not removing WMF support, probably wish that Windows XP had better support for the old early-mid 90's DOS games. And yet it might be a completely impractical task (not to mention an expensive one given the limited appeal of the feature) to eliminate all of the security risks posed by support for DOS (and, don't forget, back in the DOS era, a virus was more likely to format your hard drive than email your address book).
Windows may be a feature-driven, compatibility-over-security operating system, but just because we all want security, let's not pretend we don't like features and compatibility.
WMF is wired into the GDI- it's a GDI playback script is what it really is. This means that printers use it to do the WYSIWYG printing work unless you're using Postscript printing or force the GDI to print to a RAW spool (in which the printer driver renders the print job to the spool as printer commands- which is MUCH more inefficient...).
Just because you don't think you're using it, doesn't mean Microsoft's not using it for you.
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
running Win2K for a brand spanking new AMD64 with more RAM.
I ran the old thing behind a firewall and got my wife used to OpenOffice, FireFox and Thunderbird so it was pretty safe.
Performance was pathetic but since the box originally cost me nothing (a 'freebie' with tuition) I figured I was ahead of the game.
It was XMas, her iTunes had stopped working because of a DLL hell problem, so I bought the new box. (I actually bought 2 boxes, and one is slicing and dicing on slackware Linux and it's noticeably faster than the old 32bit AMD I had in my old Linux box.)
I noticed that the default install for WinXP comes with so much AV & Spyware cruft that I suspect that I'm running 1:3 in CPU cycles: 1 for the app versus 3 for the cruft.
It's actually running __slower__ at some tasks than the old Win2K box.
Windows sux donkey balls.
MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.
[Fuck Beta]
o0t!
... what a fucking M$.
Ok, as I understand it the bug can be exploited by Web sites through downloading specifically designed WMF files? Right?
So get onto your firewall/proxy and block any URLs with WMF in them. Problem solved - unless the WMF bugs relate to non-WMF files (which wouldn't surprise me).
dnuof eruc rof aixelsid
I am not so sure about that. I once discovered a bug on a rather big site at the time which potentially exposed personal information. Knowing how big the potential was, I was afraid to let the information get into the wrong hands. So you're saying I was a black hat at that time?
And there'd been nothing wrong with it, so long as they didn't implement the Escape function. But they DID that one- so it became an unsafe beastie. I'd have patched it so that the code could still function, but if it relied on that one unsafe feature, it'd be broken for you. I'm hoping that is what they did. If so, they did the fix right. If not, shame on them.
Unlikely. I doubt Linux will invoke callback hooks in WMFs that are intended to call into Windows code, and so the primary vulnerability just isn't going to be there on a platform other than Windows. Sure, it was an ability designed-into WMF, but it was only meant to be used for WMFs passed around within and between live apps, not for WMFs stored on disk. There's no rational reason for libwmf to even care about that particular part of the WMF file.
The other two flaws seem to be implementation specific coding errors.
Program Intellivision!
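As an added example that is neither from the thread nor from any poster, here is a small Python scanner covering two points raised above: the suggestion of blocking URLs containing "WMF" (a file type is more reliably recognised by its header bytes than by its name or URL) and the Escape-function callback described in the last two posts. It identifies a metafile from its placeable or standard header and walks the record stream, flagging META_ESCAPE records whose escape code is SETABORTPROC; the record-function and escape-code values are from the WMF specification, and the sample files are constructed fixtures, not real files.

```python
import struct

WMF_PLACEABLE_KEY = 0x9AC6CDD7   # magic of the optional "placeable" wrapper header
META_EOF = 0x0000                # record function that ends the stream
META_ESCAPE = 0x0626             # record function for escape records
SETABORTPROC = 0x0009            # escape code that registers a callback

def is_wmf(data: bytes) -> bool:
    """Recognise a metafile by its bytes, not by a '.wmf' name or URL."""
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == WMF_PLACEABLE_KEY:
        return True
    if len(data) >= 18:
        mtype, hdr_words, version = struct.unpack_from("<HHH", data, 0)
        return mtype in (1, 2) and hdr_words == 9 and version in (0x0100, 0x0300)
    return False

def find_abortproc_escapes(data: bytes) -> list:
    """Return byte offsets of META_ESCAPE records carrying SETABORTPROC.
    Records are a DWORD size (in 16-bit words) plus a WORD function code."""
    if not is_wmf(data):
        return []
    off = 22 if struct.unpack_from("<I", data, 0)[0] == WMF_PLACEABLE_KEY else 0
    off += 18  # standard header: type, header size, version, file size, ...
    hits = []
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if size_words < 3 or func == META_EOF:   # malformed size or end of stream
            break
        if func == META_ESCAPE and off + 8 <= len(data):
            if struct.unpack_from("<H", data, off + 6)[0] == SETABORTPROC:
                hits.append(off)
        off += size_words * 2
    return hits

def _wmf(records: bytes) -> bytes:
    """Constructed fixture: a standard WMF header around the given records."""
    body = records + struct.pack("<IH", 3, META_EOF)
    words = (18 + len(body)) // 2
    hdr = struct.pack("<HHHHHHIH", 1, 9, 0x0300, words & 0xFFFF, words >> 16, 0, 0, 0)
    return hdr + body

# Constructed samples: a META_SETBKCOLOR record, an MFCOMMENT escape (code 15),
# and a SETABORTPROC escape with an empty payload; none is a real file.
BENIGN = _wmf(struct.pack("<IHI", 5, 0x0201, 0x00FFFFFF))
COMMENT = _wmf(struct.pack("<IHHH", 5, META_ESCAPE, 0x000F, 0))
SUSPICIOUS = _wmf(struct.pack("<IHHH", 5, META_ESCAPE, SETABORTPROC, 0))
PLACEABLE = struct.pack("<IH", WMF_PLACEABLE_KEY, 0) + bytes(16) + SUSPICIOUS
```

A proxy or mail gateway would call `is_wmf` on the downloaded body regardless of its extension, which is exactly what a URL-pattern block cannot do.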
"I use linux. I have javascript enabled, though I don't let it resize windows or anything else I don't like. I browse wherever I like, without fear, without any real need to be careful."
What browser do you use though? If it's Mozilla or a derivative (e.g. FireFox) I'd say you should be more careful. Mozilla is probably in the same order of magnitude of bugginess as IE (if not more so - just look at Mozilla's track record). It's just not targeted as much publicly. Just wait till it gains even more marketshare.
Basically any software that has had a history of crashing can probably be exploited[1].
At my current workplace I run mozilla using a different user account from my main user account. This prevents browser exploits from having read or write access to files in my home directory. Due to the version of mozilla I'm using not respecting umasks (don't ask) I had to resort to ACLs in order to allow my main account to access files downloaded with the browser.
This way I have a lot less to worry about. Hackers might wipe the files I've downloaded using the browser, but it's harder for them to touch my main files. Of course I still have to be careful that there aren't any local root exploits.
In my previous workplace I used to do a similar thing with IE - run it with a different user account (using runas with savecred on winxp).
At home, I run IE in a virtual machine for sites which require javascript activex etc. So I'm reasonably safe barring an exploitable bug in the virtual machine software (I have found some bugs but I think they are not exploitable) or a bug in the graphics driver, NIC driver or something similar (which won't be Microsoft's fault)...
There was a bug in one version of my NIC drivers which caused bluescreens when certain data patterns were downloaded. Definitely doubleplus ungood. So I had to resort to a different version.
The problem with this WMF bug is it seems that stuff like Google Desktop can trigger payload execution whilst trying to index the WMF files. I don't use Google Desktop, so I don't know how one could restrict permissions for it.
[1] It's a sign of poor code quality. In my experience some AV software fall in this category too.
In fact, data does not in general ever contain software bugs. It is in fact the executables that might interpret that data, which contain the bugs. That there may exist datastreams that can exploit vulnerabilities in executables that interpret it can only be seen as a vulnerability in the data format if and ONLY IF absolutely any present or theoretically future attempts to rigidly follow the specification for the data format exactly as it exists at that time would result in the same vulnerability existing, and the *ONLY* way to eliminate the vulnerability is to deviate from the data format specification. The number of data formats that have ever existed in the history of computing that contain this sort of vulnerability are exceptionally rare (I personally can't think of any, but I admit that it's theoretically possible).
File under 'M' for 'Manic ranting'