Two New WMF Bugs Found
Resident Egoist writes "Via PCWorld the news that two new Metafile bugs have been found, just a week after the patching of previous critical WMF issues." From the article: "All three flaws concern the way Windows renders images in the Windows Metafile (WMF) format used by some CAD (computer-aided design) applications, but these latest flaws are far less serious than the vulnerability that Microsoft patched last week, according to security experts. That vulnerability was serious enough to cause Microsoft to take the unusual step of releasing an early patch for the problem, ahead of its monthly security software update."
It's going to be tough on them, but they really hope that windows can surpass the number of vulnerabilities in unix/linux.
MS: These new WMF bugs are considered non-critical and a patch will be released during the normal patch release schedule (aka Feb 14).
In other news, Ullrich's quote in TFA was hilarious.
Who will guard the guards?
I normally don't take that much notice of the various security announcements, because most people cause their own trouble on the internet through their mode of behaviour. These news reports really are starting to make me wonder what other holes there are in Microsoft products.
Wellybog
http://www.wellybog.com
So Microsoft poo-poos the bugs. Not an issue, overblown, won't affect anybody.
Andy Grove could advise them on how not to handle such situations.
please tell me one of the bugs is not a bee, we're still sorting it out.
A feeling of having made the same mistake before: Deja Foobar
What's so unusual about that? (Seriously, it seems to happen every few months.)
...a hacker has published details of two new flaws that affect the same part of the operating system.
If you read the post on the security mailing list it sounds like someone trying to get this vulnerability out in the open so it can be fixed. Unless they mean a "white hat" hacker or a hacker in the real sense of the word but I doubt it. This is one of those words that should be used carefully, especially by "journalists".
Bradley Holt
Unfortunately, these days everyone is accustomed to MS and software in general having bugs. Back when Intel was hit, it wasn't commonly known that sometimes CPUs and hardware do have bugs. People tolerate software bugs because they assume there will be a patch. With hardware, you most likely will need a replacement part.
Well, there's spam egg sausage and spam, that's not got much spam in it.
... what a fucking mess.
Why aren't the programmers that worked on any given buggy module ever named? If you faced public ridicule and loss of reputation for releasing exploitable code you might be more careful about what you certify as ready to ship.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
...if Microsoft had had the extra time and not released the patch until they considered it "fully tested", would they have caught these bugs as well?
Knowing that the WMF code is now under the microscope, will they divert resources to specifically re-vet that code, or will they sit on their rear ends and wait until another exploit is found for them?
As a tidbit of information, I have "converted" three of my neighbors to Linux -- at least dual booting, if not whole penguin -- in the last two months. Each time was at their request and for the exact same reason. Their Windows PC regularly gets trashed by spyware, viruses and worms and they've just damn well had enough in having to deal with it all. They want to get their work done, not fight with malware and have to upgrade machines because their old one isn't powerful enough to run their apps AND all the "keep me safe" software.
-Charles
Learning HOW to think is more important than learning WHAT to think.
The best part is the response from Lennart Wistrand yesterday on the MS Security Response blog. "As it turns out, these crashes are not exploitable but are instead Windows performance issues that could cause some WMF applications to unexpectedly exit." -- Lennart Wistrand http://blogs.technet.com/msrc/archive/2006/01/09/417198.aspx
"8 days should have been enough time for MS to completely check the code involved and use every attack possible."
Yes because breaking hundreds of people off their regular duties, tracking down 10 year old code written by someone who either doesn't remember writing it or no longer works there, correcting the code in a way that prevents the exploit, but doesn't impact functionality, testing the correction on all supported versions of windows, numerous hardware configurations, and against dozens of 3rd party software packages that use the library, then documenting the problem, the change, and the dissemination of the change, then getting the whole thing wrapped up into a nice neat deployment package, is easy.
Yeah, I can see how 8 days is slacking.
Try reading this article: http://blogs.msdn.com/ericlippert/archive/2003/10/28/53298.aspx "How many MS Employees to change a light bulb?"
-Rick
"Most people in the U.S. wouldn't know they live in a tyrannical state if it walked up and grabbed their junk." - MyFirs
"but these latest flaws are far less serious than the vulnerability that Microsoft patched last week, according to security experts" This sentence says that according to security experts Microsoft has patched the previous vulnerability. The sentence should read: "but these latest flaws are far less serious, according to security experts, than the vulnerability Microsoft patched last week"
8 days should have been enough time for MS to completely check the code involved and use every attack possible. The fact that MS obviously hasn't bothered shows they still don't understand security. Of course hackers are going to try to find new exploits in WMF code since they know MS and that if there is one bug there must be others.
Most of the 8 days wasn't spent checking that the exploit was fixed. I'm sure that part went fairly quickly. The real issue is that although WMF files are fairly rare, the WMF format is used extensively inside Windows. The feature in question is only a security issue when found in arbitrary WMF files, but serves a legit purpose when used inside of applications. The 3rd party fix floating around broke some printer drivers and probably other software, whereas Microsoft's fix resulted in less (if any) broken software. The bulk of the time was spent testing the fix for unexpected consequences.
As much fun as it is to lambast Microsoft for this kind of thing, the types of exploit that have been "exposed" recently are very difficult to predict in advance (i.e. use of software features in unexpected ways). It's a little like blaming Boeing for letting their aircraft be flown towards tall buildings...
Wellybog
http://www.wellybog.com
More info in this Microsoft Security Resource Center (MSRC) blog post.
Wouldn't this make 6 bugs on *nix - two for each of cedega, wine & crossover?
... Microsoft will never catch up.
"Women are just like ninjas; They lie even when it is more convenient to tell the truth." ~ Unknown
Announcing Bill The Cat's PC Operating System -- As many bugs, if not more than other leading brands, such as Microsoft Windows 98, 2000 and XP!
A feeling of having made the same mistake before: Deja Foobar
(Or do I?)
. . . that any Windows PC used to read this Slashdot story is now infected with a worm that exploits these WMF security holes.
Darn banner ads!
With spending like this, exactly what are "conservatives" conserving?
But maybe if they had been doing those in the first place they wouldn't be patching it now.
www.lucernesys.com Horizon: Calendar-based personal finance
ELOI, ELOI, LAMA SABACHTHANI!?
We Share Your Pain (WE-SUP)
But still released many days after independent programmers (e.g. Ilfak Guilfanov) managed to build a fix. At work (a national lab), we were explicitly instructed not to wait for the early windows patch.
i\hbar\dot{\psi}=\hat{H}\psi
As much fun as it is to lambast Microsoft for this kind of thing, the types of exploit that have been "exposed" recently are very difficult to predict in advance
Oh, do you really believe that it is difficult to predict that failure to check for null pointers in C code might lead to serious problems? Criticizing coding and QC practices that don't measure up to professional standards is hardly facile or unworthy. It's sort of like criticizing rampant fraud, waste, and abuse in our government. Never excuse the inexcusable.
All you people that wanted Windows to rush out a fix. Take that. Now you see that rushing isn't always the best policy. They just need to take their time and make sure everything works. And, if that means they never actually fix the problem, well so be it. It's better than rushing and then realizing they only scratched the surface of the problem. Because, that's embarrassing.
Actually, given MS' scope and resources I fully expect them to have a staff whose regular duties consist solely of fixing these types of problems.
I do not have a signature
That statement is far less misleading than your analysis. Obviously you didn't read the entire summary, much less the article.
From TFA: "...the latest vulnerabilities appear to pose the risk of simply crashing the WMF-viewing software, typically Internet Explorer".
Crashing. Whoop-dee-doo. Annoying, sure. Hardly a security issue. (And no, the crash hasn't been shown to allow executed code, either.)
-David
One of our developers applied the Microsoft fix (along with ten others) this morning. He can no longer debug multi-threaded code in MSDev version 6.0. Stopping on a break point in any thread other than the main thread locks the GUI for all processes. At this point, we are testing if this is isolated to MSDev version 6 or all debuggers. We also do not know which of the ten or so patches was responsible. I would be interested to know if anyone else encounters this. At this point, our developer will be reinstalling his machine on Tuesday.
-Hope
What it really boils down to is that Microsoft isn't in the business of writing quality code. Their goal is to pump out code that is good enough to maximize profits. This is why Free Software is important.
Part of the problem is that MS is reluctant to phase out obsolete technologies.
Take WMF files for example. Obviously nobody making new software today, would incorporate WMF technology. It's obsolete and unpopular. The only people who use WMF tech today are those who are using software that was designed to make use of that format. And therein lies the problem. At some point in time, software programs were created that used WMF technology. MS could come out and say "WMF is obsolete, and rather than take the risk of continuing to include a software component that may compromise security, we're going to completely remove support for it in future versions of Windows, since barely anybody uses it anyway." If MS were to say that with enough legacy technologies, people would get mad at them. If you're using or writing software for some new technology, you AT LEAST want to take solace in knowing that, even if it's unpopular and discontinued, it will at least remain USABLE on future systems.
So I can sort of understand MS's pickle from that point of view. It's sort of like users complaining that some security hole in Windows 3.1 has, in 2005, still not been patched. And on the other hand, a whole wave of users would potentially be up in arms if MS decided to, in the name of security, remove support for running old 16-bit Windows 3.1 programs in Windows XP.
And incidentally, I have a box of clip art CDs in WMF format.
The same people on this forum who would criticize MS for not patching AND not removing WMF support, probably wish that Windows XP had better support for the old early-mid 90's DOS games. And yet it might be a completely impractical task (not to mention an expensive one given the limited appeal of the feature) to eliminate all of the security risks posed by support for DOS (and, don't forget, back in the DOS era, a virus was more likely to format your hard drive than email your address book).
Windows may be a feature-driven, compatibility-over-security operating system, but just because we all want security, let's not pretend we don't like features and compatibility.
WMF is wired into the GDI- it's a GDI playback script is what it really is. This means that printers use it to do the WYSIWYG printing work unless you're using Postscript printing or force the GDI to print to a RAW spool (in which the printer driver renders the print job to the spool as printer commands- which is MUCH more inefficient...).
Just because you don't think you're using it, doesn't mean Microsoft's not using it for you.
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
interesting
then how is it possible MS
decided to release the patch 5 days earlier than they said they would
That day of the month
Patch Day
wouldn't be they were sitting it on ice waiting for patch day
but released it early due to public backlash
J00 F00!!
:P
== WolfriderV6 == I'm willing to admit that *I just might* be wrong... Are you??
running Win2K for a brand spanking new AMD64 with more RAM.
I ran the old thing behind a firewall and got my wife used to OpenOffice, FireFox and Thunderbird so it was pretty safe.
Performance was pathetic but since the box originally cost me nothing (a 'freebie' with tuition) I figured I was ahead of the game.
It was XMas, her iTunes had stopped working because of a DLL hell problem, so I bought the new box. (I actually bought 2 boxes, and one is slicing and dicing on slackware Linux and it's noticeably faster than the old 32bit AMD I had as my old Linux box.)
I noticed that the default install for WinXP comes with so much AV & Spyware cruft that I suspect that I'm running 1:3 in CPU cycles: 1 for the app versus 3 for the cruft.
It's actually running __slower__ at some tasks than the old Win2K box.
Windows sux donkey balls.
MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.
seeing is believing
[Fuck Beta]
o0t!
But maybe if they had been doing those in the first place they wouldn't be patching it now.
Have you ever worked on a large software project? No matter what you do, if your code is large, complex, and used extensively, there will be security flaws that need patching. There is no process or technique that can provide the same level of testing as 600 million users and (at least) several thousand individuals working to break your product.
Indeed, security vulnerabilities have dropped in severity and number with Microsoft products developed after the security push began (Windows Server 2003, XP SP2, IIS 6, etc.). But patches will always be a part of Windows.
And, remember, WMF has existed since the 3.x days - this code is at least 10 years old, and it was likely developed in an age where Windows didn't even have a TCP/IP stack.
couldn't they do a bit of overtime or something. maybe shorter lunch breaks until this is fixed.
When they came for the communists, I said "He's next door. Take him away. Goddam commies."
> Yes because breaking hundreds of people off their regular duties, tracking down 10 year old code written by someone who either doesn't remember writing it or no longer works there, correcting the code in a way that prevents the exploit, but doesn't impact functionality, testing the correction on all supported versions of windows, numerous hardware configurations, and against dozens of 3rd party software packages that use the library, then documenting the problem, the change, and the dissemination of the change, then getting the whole thing wrapped up into a nice neat deployment package, is easy.
You've ENTIRELY missed the real point. Every time Bill Gates releases his "latest and greatest" product, we're told that it's a "completely rewritten, new code base". This is now shown to be complete nonsense - there is legacy code in Windows going back almost 20 years. There is obviously no proper CVS or code auditing system in place at Microsoft, which shows an astonishing ineptitude.
Microsoft do not deserve any more of our money!
Tracking the code down should be no problem. They know what function in what dll it was - how hard is it to find the code for it?
correcting the code in a way that prevents the exploit, but doesn't impact functionality,
Shouldn't take more than a day. Two, tops.
testing the correction on all supported versions of windows, numerous hardware configurations, and against dozens of 3rd party software packages that use the library,
Testing is parallelizeable (sp?). If they really have hundreds of people working on it, it should be done in a matter of hours. Certainly I'd expect them to finish it in 3 days.
then documenting the problem, the change, and the dissemination of the change,
This can be done at the same time as testing.
then getting the whole thing wrapped up into a nice neat deployment package,
One click these days.
I am trolling
interesting idea, except you can simply rename it as a .jpg and ie will handily go "Hang on, this is a wmf file, I know what to do with this... Root your box!"
This is a joke. I am joking. Joke joke joke.
And there'd been nothing wrong with it, so long as they didn't implement the Escape function. But they DID that one- so it became an unsafe beastie. I'd have patched it so that the code could still function, but if it relied on that one unsafe feature, it'd be broken for you. I'm hoping that is what they did. If so, they did the fix right. If not, shame on them.
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
Unlikely. I doubt Linux will invoke callback hooks in WMFs that are intended to call into Windows code, and so the primary vulnerability just isn't going to be there on a platform other than Windows. Sure, it was an ability designed-into WMF, but it was only meant to be used for WMFs passed around within and between live apps, not for WMFs stored on disk. There's no rational reason for libwmf to even care about that particular part of the WMF file.
The other two flaws seem to be implementation specific coding errors.
Program Intellivision!
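The two posts above talk about the Escape function and the callback hook that a metafile on disk has no business carrying. As an added illustration (my code, not from the thread, Microsoft or libwmf), here is a small scanner that walks WMF records and flags any META_ESCAPE record whose sub-function is SETABORTPROC, the kind of check a mail gateway or file scanner could apply. Record layout and the constant values are assumed from the public MS-WMF specification; the sample files are constructed inline with zero filler as escape data.

```python
import struct

# Assumption: standard MS-WMF record/escape values, not taken from the thread.
PLACEABLE_KEY = 0x9AC6CDD7   # magic of the optional 22-byte placeable header
META_EOF = 0x0000
META_SETMAPMODE = 0x0103
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009        # escape sub-function that installs a callback


def wmf_record(func, params=b""):
    """Build one record: RecordSize (DWORD, in WORDs), RecordFunction, params."""
    if len(params) % 2:
        params += b"\x00"
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def wmf_file(records):
    """Wrap records in a minimal 18-byte standard header (no placeable header)."""
    body = b"".join(records)
    max_record = max(len(r) for r in records) // 2
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2,
                         0, max_record, 0)
    return header + body


def parse_wmf_records(data):
    """Yield (offset, function, params) per record. params is None for a record
    whose declared size runs past the buffer; parsing stops there or at META_EOF."""
    off = 22 if len(data) >= 22 and struct.unpack_from("<I", data)[0] == PLACEABLE_KEY else 0
    if len(data) < off + 18:
        raise ValueError("truncated WMF header")
    header_size = struct.unpack_from("<H", data, off + 2)[0]   # in WORDs
    off += header_size * 2
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        size = size_words * 2
        if size < 6 or off + size > len(data):
            yield off, func, None
            return
        yield off, func, data[off + 6:off + size]
        if func == META_EOF:
            return
        off += size


def find_setabortproc(data):
    """Return offsets of META_ESCAPE records whose sub-function is SETABORTPROC."""
    hits = []
    for off, func, params in parse_wmf_records(data):
        if func == META_ESCAPE and params and len(params) >= 4:
            escape_fn, _byte_count = struct.unpack_from("<HH", params)
            if escape_fn == SETABORTPROC:
                hits.append(off)
    return hits


# Constructed samples: a plain metafile, and one carrying an Escape/SETABORTPROC
# record whose escape data is zero filler (no payload of any kind).
BENIGN_WMF = wmf_file([wmf_record(META_SETMAPMODE, struct.pack("<H", 8)),
                       wmf_record(META_EOF)])
FLAGGED_WMF = wmf_file([wmf_record(META_SETMAPMODE, struct.pack("<H", 8)),
                        wmf_record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + b"\x00" * 4),
                        wmf_record(META_EOF)])

if __name__ == "__main__":
    print("benign:", find_setabortproc(BENIGN_WMF))    # []
    print("flagged:", find_setabortproc(FLAGGED_WMF))  # [26]
```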
"I use linux. I have javascript enabled, though I don't let it resize windows or anything else I don't like. I browse wherever I like, without fear, without any real need to be careful."
What browser do you use though? If it's Mozilla or a derivative (e.g. FireFox) I'd say you should be more careful. Mozilla is probably in the same order of magnitude of bugginess as IE (if not more so - just look at Mozilla's track record). It's just not targeted as much publicly. Just wait till it gains even more marketshare.
Basically any software that has had a history of crashing can probably be exploited[1].
At my current workplace I run mozilla using a different user account from my main user account. This prevents browser exploits from having read or write access to files in my home directory. Due to the version of mozilla I'm using not respecting umasks (don't ask) I had to resort to ACLs in order to allow my main account to access files downloaded with the browser.
This way I have a lot less to worry about. Hackers might wipe the files I've downloaded using the browser, but it's harder for them to touch my main files. Of course I still have to be careful that there aren't any local root exploits.
In my previous workplace I used to do a similar thing with IE - run it with a different user account (using runas with savecred on winxp).
At home, I run IE in a virtual machine for sites which require javascript activex etc. So I'm reasonably safe barring an exploitable bug in the virtual machine software (I have found some bugs but I think they are not exploitable) or a bug in the graphics driver, NIC driver or something similar (which won't be Microsoft's fault)...
There was a bug in one version of my NIC drivers which caused bluescreens when certain data patterns were downloaded. Definitely doubleplus ungood. So I had to resort to a different version.
The problem with this WMF bug is it seems that stuff like Google Desktop can trigger payload execution whilst trying to index the WMF files. I don't use Google Desktop, so I don't know how one could restrict permissions for it.
[1] It's a sign of poor code quality. In my experience some AV software fall in this category too.
Nice leap of logic there. Kinda like saying: All dogs have eyes. I have eyes. Therefore I'm a dog.
Program Intellivision!
In fact, data does not in general ever contain software bugs. It is in fact the executables that might interpret that data, which contain the bugs. That there may exist datastreams that can exploit vulnerabilities in executables that interpret them can only be seen as a vulnerability in the data format if and ONLY IF absolutely any present or theoretically future attempts to rigidly follow the specification for the data format exactly as it exists at that time would result in the same vulnerability existing, and the *ONLY* way to eliminate the vulnerability is to deviate from the data format specification. Data formats that have ever existed in the history of computing that contain this sort of vulnerability are exceptionally rare (I personally can't think of any, but I admit that it's theoretically possible).
File under 'M' for 'Manic ranting'
I'll give you an example: when the last zlib overflow patch came out, I patched it immediately. If it breaks, big deal-- I lose the ability to scan inside zip archives on my mail gateways. But if I wait for it to be "fully tested", whatever that means, then I might get hit with a worm that compromises my mail gateways, or worse. I think I'll take the chance.
I'm going to reiterate my statement about modularization, too-- if the programmer is writing clean code, i.e., functions/methods that only do ONE thing (and further, having only ONE function to do that ONE thing), then that mitigates the impact of a flaw in the patch. It also makes patching much easier because you know what your program is doing.