Two New WMF Bugs Found
Resident Egoist writes "Via PCWorld the news that two new Metafile bugs have been found, just a week after the patching of previous critical WMF issues." From the article: "All three flaws concern the way Windows renders images in the Windows Metafile (WMF) format used by some CAD (computer-aided design) applications, but these latest flaws are far less serious than the vulnerability that Microsoft patched last week, according to security experts. That vulnerability was serious enough to cause Microsoft to take the unusual step of releasing an early patch for the problem, ahead of its monthly security software update."
It's going to be tough on them, but they really hope that Windows can surpass the number of vulnerabilities in Unix/Linux.
MS: These new WMF bugs are considered non-critical and a patch will be released during the normal patch release schedule (aka Feb 14).
In other news, Ullrich's quote in TFA was hilarious.
Who will guard the guards?
As TFA says, these vulnerabilities just cause things to crash. The other holes in Microsoft products are what they used to patch regularly so far; this is no reason to think they're all as secure as a sieve.
Send email from the afterlife! Write your e-will at Dead Man's Switch.
...a hacker has published details of two new flaws that affect the same part of the operating system.
If you read the post on the security mailing list it sounds like someone trying to get this vulnerability out in the open so it can be fixed. Unless they mean a "white hat" hacker or a hacker in the real sense of the word but I doubt it. This is one of those words that should be used carefully, especially by "journalists".
Bradley Holt
Typically it's unusual to see "just a crash." Most programmes written in C and C++ crash due to buffer overflows, which frequently lead to running unsigned code. As a general rule, if C or C++ code crashes, it is a fairly likely possibility to be able to run arbitrary code. Just because nobody's done it yet doesn't mean that it's not possible.
Unfortunately, these days everyone is accustomed to MS and software in general having bugs. Back when Intel was hit, it wasn't commonly known that sometimes CPUs and hardware do have bugs. People tolerate software bugs because they assume there will be a patch. With hardware, you most likely will need a replacement part.
Well, there's spam egg sausage and spam, that's not got much spam in it.
... what a fucking mess.
Why aren't the programmers that worked on any given buggy module ever named? If you faced public ridicule and loss of reputation for releasing exploitable code you might be more careful about what you certify as ready to ship.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
...if Microsoft had had the extra time and not released the patch until they considered it "fully tested", would they have caught these bugs as well?
Knowing that the WMF code is now under the microscope, will they divert resources to specifically re-vet that code, or will they sit on their rear ends and wait until another exploit is found for them?
As a tidbit of information, I have "converted" three of my neighbors to Linux -- at least dual booting, if not whole penguin -- in the last two months. Each time was at their request and for the exact same reason. Their Windows PC regularly gets trashed by spyware, viruses and worms and they've just damn well had enough in having to deal with it all. They want to get their work done, not fight with malware and have to upgrade machines because their old one isn't powerful enough to run their apps AND all the "keep me safe" software.
-Charles
Learning HOW to think is more important than learning WHAT to think.
"8 days should have been enough time for MS to completely check the code involved and use every attack possible."
Yes, because breaking hundreds of people off their regular duties, tracking down 10 year old code written by someone who either doesn't remember writing it or no longer works there, correcting the code in a way that prevents the exploit but doesn't impact functionality, testing the correction on all supported versions of Windows, numerous hardware configurations, and against dozens of 3rd party software packages that use the library, then documenting the problem, the change, and the dissemination of the change, then getting the whole thing wrapped up into a nice neat deployment package, is easy.
Yeah, I can see how 8 days is slacking.
Try reading this article: http://blogs.msdn.com/ericlippert/archive/2003/10/28/53298.aspx "How many MS Employees to change a light bulb?"
-Rick
"Most people in the U.S. wouldn't know they live in a tyrannical state if it walked up and grabbed their junk." - MyFirs
8 days should have been enough time for MS to completely check the code involved and use every attack possible. The fact that MS obviously hasn't bothered shows they still don't understand security. Of course hackers are going to try to find new exploits in WMF code since they know MS and that if there is one bug there must be others.
Most of the 8 days wasn't spent checking that the exploit was fixed. I'm sure that part went fairly quickly. The real issue is that although WMF files are fairly rare, the WMF format is used extensively inside Windows. The feature in question is only a security issue when found in arbitrary WMF files, but serves a legitimate purpose when used inside of applications. The 3rd party fix floating around broke some printer drivers and probably other software, whereas Microsoft's fix resulted in less (if any) broken software. The bulk of the time was spent testing the fix for unexpected consequences.
The bugs demonstrated here are not buffer overflows. They are the other kind of common C/C++ bug, namely an invalid (in this case NULL) pointer dereference. Null pointer dereferencing bugs are rarely exploitable.
More info in this Microsoft Security Resource Center (MSRC) blog post.
Wouldn't this make 6 bugs on *nix - two for each of cedega, wine & crossover?
... Microsoft will never catch up.
"Women are just like ninjas; They lie even when it is more convenient to tell the truth." ~ Unknown
. . . that any Windows PC used to read this Slashdot story is now infected with a worm that exploits these WMF security holes.
Darn banner ads!
With spending like this, exactly what are "conservatives" conserving?
But maybe if they had been doing those in the first place they wouldn't be patching it now.
www.lucernesys.com Horizon: Calendar-based personal finance
But still released many days after independent programmers (e.g. Ilfak Guilfanov) managed to build a fix. At work (a national lab), we were explicitly instructed not to wait for the early windows patch.
i\hbar\dot{\psi}=\hat{H}\psi
It really depends on the type of crash, and I'm not sure it's safe to jump to your conclusion so eagerly. In fact, many crashes in C programs CANNOT lead to execution of arbitrary code, such as division by zero errors and trying to access memory with a NULL pointer.
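The three posts above (the "crash usually means arbitrary code", "these are NULL dereferences, rarely exploitable" and "it depends on the crash type" replies) argue about two different bug classes without showing them. The following is an added example, not code from the thread and not Windows' GDI code: a toy size-prefixed record parser loosely modelled on WMF's record layout (a 32-bit size in 16-bit words, a 16-bit function code, then parameters), with each bug class next to the check that prevents it. The object table, the handle-in-a-record convention, the function code 0x012D and all sample records are constructed for the example; the record format is an assumption and is not a faithful WMF implementation.

```c
/* Added example: toy record parser contrasting an unchecked length
 * (buffer overflow, usually exploitable) with an unchecked object
 * lookup (NULL dereference, usually just a crash). Not WMF, not GDI. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

enum { REC_OK = 0, REC_TRUNCATED = 1, REC_TOO_BIG = 2, REC_BAD_OBJECT = 3 };

#define MAX_PARAMS 16   /* fixed scratch buffer for a record's parameters */
#define NUM_OBJECTS 4   /* toy object table addressed by a handle in the record */

struct record { uint32_t size_words; uint16_t func; uint16_t params[MAX_PARAMS]; size_t nparams; };

/* Constructed object table; slot 2 is deliberately empty (NULL). */
static const char *object_table[NUM_OBJECTS] = { "pen", "brush", NULL, "font" };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* VULNERABLE: trusts the size field. A record claiming more than
 * MAX_PARAMS + 3 words writes past the end of rec->params, and one
 * claiming more words than the buffer holds reads past the input. */
int parse_record_unchecked(const uint8_t *buf, size_t len, struct record *rec)
{
    if (len < 6) return REC_TRUNCATED;
    rec->size_words = rd32(buf);
    rec->func = rd16(buf + 4);
    rec->nparams = rec->size_words - 3;              /* header is 3 words; underflows if size < 3 */
    for (size_t i = 0; i < rec->nparams; i++)        /* bounded by the attacker, not by us */
        rec->params[i] = rd16(buf + 6 + 2 * i);
    return REC_OK;
}

/* CHECKED: the declared size must cover its own header, must fit in
 * the bytes we were handed, and must fit in our scratch buffer. */
int parse_record(const uint8_t *buf, size_t len, struct record *rec)
{
    if (len < 6) return REC_TRUNCATED;
    rec->size_words = rd32(buf);
    rec->func = rd16(buf + 4);
    if (rec->size_words < 3) return REC_TRUNCATED;
    if (rec->size_words > len / 2) return REC_TRUNCATED;   /* 2*size must be <= len */
    rec->nparams = rec->size_words - 3;
    if (rec->nparams > MAX_PARAMS) return REC_TOO_BIG;     /* the check the unchecked version lacks */
    for (size_t i = 0; i < rec->nparams; i++)
        rec->params[i] = rd16(buf + 6 + 2 * i);
    return REC_OK;
}

/* VULNERABLE: the handle indexes the table unchecked; an empty slot
 * yields NULL and strlen() dereferences it. An out-of-range handle
 * reads a pointer from beyond the table instead. */
size_t object_name_len_unchecked(const struct record *rec)
{
    return strlen(object_table[rec->params[0]]);
}

/* CHECKED: rejects a record with no handle, an out-of-range handle,
 * and a handle whose slot is empty. */
int select_object(const struct record *rec, const char **name)
{
    if (rec->nparams < 1) return REC_TRUNCATED;
    uint16_t handle = rec->params[0];
    if (handle >= NUM_OBJECTS || object_table[handle] == NULL) return REC_BAD_OBJECT;
    *name = object_table[handle];
    return REC_OK;
}

/* Writes one constructed record (little-endian). declared_size is stored
 * as given so a caller can make the header lie about the record length. */
static size_t build_record(uint8_t *buf, uint32_t declared_size, uint16_t func,
                           const uint16_t *params, size_t n)
{
    for (int i = 0; i < 4; i++) buf[i] = (uint8_t)(declared_size >> (8 * i));
    buf[4] = (uint8_t)func; buf[5] = (uint8_t)(func >> 8);
    for (size_t i = 0; i < n; i++) { buf[6 + 2 * i] = (uint8_t)params[i]; buf[7 + 2 * i] = (uint8_t)(params[i] >> 8); }
    return 6 + 2 * n;
}

/* Builds a constructed SELECTOBJECT-style record (assumed function code
 * 0x012D) whose first parameter is `handle`, then runs the checked
 * parser and lookup. Returns the REC_* verdict; *name is set on REC_OK. */
int render_sample(uint16_t handle, uint32_t declared_size, const char **name)
{
    uint8_t buf[64];
    uint16_t params[MAX_PARAMS + 8] = { 0 };
    params[0] = handle;
    size_t n = declared_size >= 3 ? declared_size - 3 : 0;
    if (n > MAX_PARAMS + 8) n = MAX_PARAMS + 8;     /* keep the constructed buffer itself in bounds */
    size_t len = build_record(buf, declared_size, 0x012D, params, n);
    struct record rec;
    int rc = parse_record(buf, len, &rec);
    return rc != REC_OK ? rc : select_object(&rec, name);
}

/* Convenience for a well-formed 4-word record: the object name, or NULL if rejected. */
const char *sample_object_name(uint16_t handle)
{
    const char *name = NULL;
    return render_sample(handle, 4, &name) == REC_OK ? name : NULL;
}

int main(void)
{
    const char *name = NULL;
    printf("handle 1, 4 words: rc=%d name=%s\n", render_sample(1, 4, &name), name ? name : "(none)");
    printf("handle 2 (empty slot): rc=%d\n", render_sample(2, 4, &name));
    printf("declared 23 words into a 16-word buffer: rc=%d\n", render_sample(1, 23, &name));
    return 0;
}
```

The 23-word record is the interesting case: `parse_record` refuses it with REC_TOO_BIG, while `parse_record_unchecked` would copy four words past the end of `rec->params`, which is the write primitive that turns a "crash" into code execution on the stack. The empty-slot handle, by contrast, only ever makes `object_name_len_unchecked` read through NULL; the checked `select_object` turns that into a clean REC_BAD_OBJECT instead.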
As much fun as it is to lambast Microsoft for this kind of thing, the types of exploit that have been "exposed" recently are very difficult to predict in advance.
Oh, do you really believe that it is difficult to predict that failure to check for null pointers in C code might lead to serious problems? Criticizing coding and QC practices that don't measure up to professional standards is hardly facile or unworthy. It's sort of like criticizing rampant fraud, waste, and abuse in our government. Never excuse the inexcusable.
Actually, given MS' scope and resources I fully expect them to have a staff whose regular duties consist solely of fixing these types of problems.
I do not have a signature
One of our developers applied the Microsoft fix (along with ten others) this morning. He can no longer debug multi-threaded code in MSDev version 6.0. Stopping on a break point in any thread other than the main thread locks the GUI for all processes. At this point, we are testing if this is isolated to MSDev version 6 or all debuggers. We also do not know which of the ten or so patches was responsible. I would be interested to know if anyone else encounters this. At this point, our developer will be reinstalling his machine on Tuesday.
-Hope
What it really boils down to is that Microsoft isn't in the business of writing quality code. Their goal is to pump out code that is good enough to maximize profits. This is why Free Software is important.
Part of the problem is that MS is reluctant to phase out obsolete technologies.
Take WMF files for example. Obviously nobody making new software today, would incorporate WMF technology. It's obsolete and unpopular. The only people who use WMF tech today are those who are using software that was designed to make use of that format. And therein lies the problem. At some point in time, software programs were created that used WMF technology. MS could come out and say "WMF is obsolete, and rather than take the risk of continuing to include a software component that may compromise security, we're going to completely remove support for it in future versions of Windows, since barely anybody uses it anyway." If MS were to say that with enough legacy technologies, people would get mad at them. If you're using or writing software for some new technology, you AT LEAST want to take solace in knowing that, even if it's unpopular and discontinued, it will at least remain USABLE on future systems.
So I can sort of understand MS's pickle from that point of view. It's sort of like users complaining that some security hole in Windows 3.1 has, in 2005, still not been patched. And on the other hand, a whole wave of users would potentially be up in arms if MS decided to, in the name of security, remove support for running old 16-bit Windows 3.1 programs in Windows XP.
And incidentally, I have a box of clip art CDs in WMF format.
The same people on this forum who would criticize MS for not patching AND not removing WMF support, probably wish that Windows XP had better support for the old early-mid 90's DOS games. And yet it might be a completely impractical task (not to mention an expensive one given the limited appeal of the feature) to eliminate all of the security risks posed by support for DOS (and, don't forget, back in the DOS era, a virus was more likely to format your hard drive than email your address book).
Windows may be a feature-driven, compatibility-over-security operating system, but just because we all want security, let's not pretend we don't like features and compatibility.
WMF is wired into the GDI; it is really a GDI playback script. This means that printers use it to do the WYSIWYG printing work unless you're using Postscript printing or force the GDI to print to a RAW spool (in which case the printer driver renders the print job to the spool as printer commands, which is MUCH more inefficient...).
Just because you don't think you're using it, doesn't mean Microsoft's not using it for you.
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
> Yes, because breaking hundreds of people off their regular duties, tracking down 10 year old code written by someone who either doesn't remember writing it or no longer works there, correcting the code in a way that prevents the exploit but doesn't impact functionality, testing the correction on all supported versions of Windows, numerous hardware configurations, and against dozens of 3rd party software packages that use the library, then documenting the problem, the change, and the dissemination of the change, then getting the whole thing wrapped up into a nice neat deployment package, is easy.
You've ENTIRELY missed the real point. Every time Bill Gates releases his "latest and greatest" product, we're told that it's a "completely rewritten, new code base". This is now shown to be complete nonsense - there is legacy code in Windows going back almost 20 years. There is obviously no proper CVS or code auditing system in place at Microsoft, which shows an astonishing ineptitude.
Microsoft do not deserve any more of our money!