Linked by Thom Holwerda on Sat 31st Dec 2005 16:55 UTC
Microsoft acknowledged late Wednesday the existence of a zero-day exploit for Windows Metafile images, and said it was looking into ways to better protect its customers. Even worse, by the end of the day nearly 50 variants of the exploit had already appeared. One security company said the possibilities were endless on how the flaw could be exploited. 'This vulnerability can be used to install any type of malicious code, not just Trojans and spyware, but also worms, bots or viruses that can cause irreparable damage to computers,' said Luis Corrons of Panda Software.
Thread beginning with comment 80831
RE[3]: Perfect example!
by Ookaze on Mon 2nd Jan 2006 10:12 UTC in reply to "RE[2]: Perfect example!"
Ookaze (member since 2005-11-14)

"You have absolutely NO idea what you are talking about. The DACL model used in NT has been there since day one (1993)"

You should stop talking out of your a**. Security of NT and all of its derivatives (yes, 2003 too) is abysmal.
This flaw is one more proof, but won't stop those in denial from thinking otherwise.

"The rest of your post is just so much FUD"

It's not. You are the clueless one.

"However, it would be wise in the future to actually KNOW what you are talking about before shooting your mouth off"

Look who's talking there.

"Oh, and yes, if I either remove the ACE or set an explicit deny entry on the ACL on ANY object referenced by the Security Reference Monitor you will not be able to access that object"

Didn't you know? GPO is flawed too, and GPOs use these ACEs/ACLs. Stop the BS please.
The Sony rootkit and WMF flaw are proof you are all wrong. All of these won't work on non-NTFS anyway. You are surrounded by non-NTFS systems/appliances (USB key, CDROM, ...) in case you didn't know.

"Everything in NT is an object managed by the Object Manager executive subsystem and every object has a security descriptor with an ACL enforced by the Security Reference Monitor executive subsystem"

Wrong. That's one big flaw of NT, BTW.

"obviously if you are using a legacy filesystem with no defined NT SDDL ACL, the object will be instantiated by the system with a blank ACL"

It's not obvious at all to me. Especially since in Linux, this is configurable on an object-by-object basis, by device, by default, ...
So these kinds of hacks are not possible by default on a Linux system, so no, it's not obvious to me.

Score: 1

RE[4]: Perfect example!
by ivans on Mon 2nd Jan 2006 12:29 in reply to "RE[3]: Perfect example!"
ivans (member since 2005-12-03)

"Didn't you know? GPO is flawed too, and GPOs use these ACEs/ACLs. Stop the BS please.
The Sony rootkit and WMF flaw are proof you are all wrong."

Actually they prove that you are the one who's wrong and doesn't know absolutely anything about malware, the Windows security model and security vulnerabilities in general.

Shellcode exploiting this WMF flaw will run AS USER, i.e. if you visit the web page logged in as LUA (non-admin), the shellcode, the trojan downloader the shellcode is dropping and the spyware the trojan downloader is downloading and executing will run AS USER.

There is NO WAY to escalate privileges with this WMF bug.

As for the Sony DRM rootkit, its rootkit component is the aries.sys driver; it's basically copy/pasted from sample source from rootkit.com. Now, if you knew anything about Windows drivers, you would know that there is NO WAY to install them unless you're running as Admin, regardless of the filesystem you're trying to run the driver from.

"All of these won't work on non-NTFS anyway. You are surrounded by non-NTFS systems/appliances (USB key, CDROM, ...) in case you didn't know."

When you see spyware, worms and viruses spreading via USB and CDROM, let me know.

"Everything in NT is an object managed by the Object Manager executive subsystem and every object has a security descriptor with an ACL enforced by the Security Reference Monitor executive subsystem"

"Wrong. That's one big flaw of NT BTW."

No it isn't. IMHO the NT Object Manager is the supreme example of its great design. Imagine: everything is an object (file, device, thread, semaphore, mutex, process, driver...), and every object type has a set of private routines (OPEN/QUERY/CLOSE/DELETE/SECURITY) that are routed onto object-specific functions.

When you open a file in Windows Explorer, open a mutex or semaphore inside your C code, or try to terminate a process in Task Manager... the object-type-specific SECURITY method is invoked and your access token is validated against the ACL of the object you are trying to open/delete/enumerate/execute.

Now show me how to set an ACL on a socket or POSIX semaphore/thread/mutex in Linux without installing some obscure kernel patches? No way, dude.

Thanks to the NT Object Manager I can atomically wait on an array of DIFFERENT object handles with WaitForMultipleObjects(); there is no way to do anything similar in pthreads.

"Especially since in Linux, this is configurable on an object by object basis, by device, by default, ..."

In NT-based Windows you can configure ACLs on an object-by-object basis too; you could do it actually since 1993.

Go download sysinternals Process Explorer, WinObjEx tools and play as much as you like.

"So these kind of hacks are not possible by default on a Linux system, so no, it's not obvious to me."

Oh please, there are hundreds of Linux rootkits easily found on the Internet; actually the very first rootkit was made for UNIX (SunOS) in 1994. And regarding the WMF exploit, it's a classical buffer overflow and Linux is by no means immune to them. It's the result of the IA-32 stack implementation that (up until recently) didn't support a non-executable stack.

Edited 2006-01-02 12:31

Score: 1
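The access check that the post above describes (an access token's SIDs evaluated against the ACEs in an object's DACL, with an explicit deny entry or a removed allow entry shutting the door) can be modelled in a few dozen lines. The following is an added example written for this page, not code from the thread or from Windows: SIDs and access-right bits are constructed, the deny check is modelled against rights not yet granted by an earlier allow entry, and owner rights and generic-right mapping are left out.

```python
"""Added example, not from the thread: a toy model of the NT access check
(access token vs. object DACL). SIDs and right bits are constructed; the
real kernel masks, owner rights and generic-right mapping are left out."""
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed access-right bits for the model.
READ, WRITE, EXECUTE, DELETE = 0x1, 0x2, 0x4, 0x8


@dataclass(frozen=True)
class Ace:
    kind: str    # "allow" or "deny"
    sid: str     # trustee the entry applies to (user or group SID)
    mask: int    # rights the entry allows or denies


@dataclass
class Token:
    user: str
    groups: List[str] = field(default_factory=list)

    def sids(self) -> Set[str]:
        return {self.user, *self.groups}


def access_check(token: Token, dacl: Optional[List[Ace]], desired: int) -> bool:
    """Decide whether `token` may open the object with the rights in `desired`.

    dacl=None models a NULL DACL (no protection at all: everyone gets every
    right); dacl=[] models an empty DACL (nobody gets anything). ACEs are
    walked in order, and a deny entry only bites for rights that an earlier
    allow entry has not already granted, which is why the canonical order
    places explicit denies before allows.
    """
    if dacl is None:
        return True
    remaining = desired
    for ace in dacl:
        if ace.sid not in token.sids():
            continue                        # entry is for another trustee
        if ace.kind == "deny":
            if remaining & ace.mask:
                return False                # explicit deny on a still-wanted right
        elif ace.kind == "allow":
            remaining &= ~ace.mask          # grant what this entry covers
            if remaining == 0:
                return True                 # every requested right is granted
        else:
            raise ValueError(f"unknown ACE kind {ace.kind!r}")
    return remaining == 0


def canonical(dacl: List[Ace]) -> List[Ace]:
    """Reorder a DACL so explicit deny entries come before allow entries."""
    return sorted(dacl, key=lambda ace: 0 if ace.kind == "deny" else 1)


if __name__ == "__main__":
    alice = Token("S-alice", ["S-users"])        # constructed SIDs
    dacl = [Ace("allow", "S-users", READ | EXECUTE)]
    print(access_check(alice, dacl, READ))        # True
    print(access_check(alice, dacl, WRITE))       # False
    print(access_check(alice, [Ace("deny", "S-alice", READ)] + dacl, READ))  # False
    # A deny placed after a matching allow is ineffective until the DACL is reordered.
    misordered = [Ace("allow", "S-users", READ), Ace("deny", "S-alice", READ)]
    print(access_check(alice, misordered, READ))             # True
    print(access_check(alice, canonical(misordered), READ))  # False
```

The `misordered` case is the practical point for an administrator: the NT check is a walk in ACE order, so a deny entry appended behind an allow entry that already covers the right grants access, and tools that write DACLs keep them in canonical order for exactly that reason.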

RE[5]: Perfect example!
by hal2k1 on Mon 2nd Jan 2006 14:47 in reply to "RE[4]: Perfect example!"
hal2k1 (member since 2005-11-11)

"And regarding WMF exploit, it's a classical buffer overflow"

As I understood it, this vulnerability is not a buffer overflow. Rather it is due to a design feature of the WMF data format where the data can include a call to have some coded instructions executed.

AFAIK, it is a classic repeat (yet again) of the basic security hole where Windows mixes executable instructions in with the data formats.

Score: 2
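The post above describes the WMF issue as a format feature rather than a memory-corruption bug: a metafile record can ask GDI to run code. The thread does not name the record, but in the public WMF format documentation that record is META_ESCAPE (function 0x0626) carrying the SetAbortProc escape (escape number 9), which is what file scanners keyed on at the time. The following is an added example written for this page, not code from the thread or from any vendor: a small record walker that flags such records and rejects malformed record sizes. The sample metafiles are constructed in the code, with zero-filled bytes standing in for whatever the escape would carry.

```python
"""Added example (not from the thread): walk the records of a WMF blob and
flag META_ESCAPE records that request SetAbortProc. Record constants follow
the public WMF format documentation; the sample files are constructed here."""
import struct
from typing import Iterator, List, Tuple

PLACEABLE_KEY = 0x9AC6CDD7      # magic of the optional 22-byte placeable header
META_EOF = 0x0000
META_SETMAPMODE = 0x0103
META_ESCAPE = 0x0626
ESC_SETABORTPROC = 0x0009       # escape function number for SetAbortProc
MM_ANISOTROPIC = 8


def wmf_records(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (function, parameter bytes) for each record, validating sizes."""
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22                                  # skip the placeable header
    if len(data) < off + 18:
        raise ValueError("truncated WMF header")
    header_words = struct.unpack_from("<H", data, off + 2)[0]   # normally 9
    off += header_words * 2
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if size_words < 3:                        # must at least hold size + function
            raise ValueError(f"bad record size {size_words} at offset {off}")
        end = off + size_words * 2
        if end > len(data):
            raise ValueError(f"record at offset {off} runs past end of file")
        yield func, data[off + 6:end]
        if func == META_EOF:
            return
        off = end
    raise ValueError("no META_EOF record")


def abortproc_escapes(data: bytes) -> List[int]:
    """Return the indices of META_ESCAPE records whose escape is SetAbortProc."""
    hits = []
    for idx, (func, params) in enumerate(wmf_records(data)):
        if func == META_ESCAPE and len(params) >= 2:
            if struct.unpack_from("<H", params, 0)[0] == ESC_SETABORTPROC:
                hits.append(idx)
    return hits


def _record(func: int, params: bytes = b"") -> bytes:
    params += b"\x00" * (len(params) % 2)         # records are word-aligned
    return struct.pack("<IH", 3 + len(params) // 2, func) + params


def build_wmf(records: bytes, placeable: bool = False) -> bytes:
    """Assemble a minimal metafile: [placeable header] + header + records + EOF."""
    body = records + _record(META_EOF)
    total_words = (18 + len(body)) // 2
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, total_words, 0, 0, 0)
    prefix = b""
    if placeable:
        prefix = struct.pack("<IHhhhhHIH", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0, 0)
    return prefix + header + body


# Constructed samples: a benign one-record file, one carrying the escape
# (payload is a zero-filled placeholder), and one with an impossible record size.
BENIGN_WMF = build_wmf(_record(META_SETMAPMODE, struct.pack("<H", MM_ANISOTROPIC)))
ESCAPE_WMF = build_wmf(
    _record(META_SETMAPMODE, struct.pack("<H", MM_ANISOTROPIC))
    + _record(META_ESCAPE, struct.pack("<HH", ESC_SETABORTPROC, 4) + b"\x00" * 4),
    placeable=True,
)
MALFORMED_WMF = build_wmf(struct.pack("<IH", 1, META_ESCAPE))

if __name__ == "__main__":
    print("benign:", abortproc_escapes(BENIGN_WMF))   # []
    print("escape:", abortproc_escapes(ESCAPE_WMF))   # [1]
```

Running the walker over untrusted input rather than trusting the declared sizes is the point of the two `ValueError` branches: a record size below three words or one that runs past the end of the buffer is rejected instead of being read.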