Microsoft has updated its advisory today on the critical Windows flaw to state that development of the patch is complete, and they are now in the process of testing it. The expected release date for the patch is currently set for January 10, when it will be included as part of Microsoft’s monthly release of security bulletins. In the meantime, Microsoft advises against using a third-party fix which has appeared.
The slashdot coverage of the other side of this topic may be of interest: http://it.slashdot.org/it/06/01/03/1913252.shtml?tid=220&tid=109&ti…
From the ZDNet article: “This is a very unusual situation — we’ve never done this before. We trust Ilfak, and we know his patch works. We’ve confirmed the binary does what the source code said it does. We’ve installed the patch on 500 F-Secure computers, and have recommended all of our customers do the same. The businesses who have installed the patch have said it’s highly successful”
What do MS recommend instead then? Disable images in IE?
I can see their point of view, they want to make sure that a patch for this has been thoroughly tested before releasing it to the public.
The unofficial patch might break a critical system, or better said, might have a bigger chance of breaking something that hasn’t been tested.
500 computers of F-Secure themselves isn’t “tested”. Feedback from other companies, too.
As a business you have the choice of mass internal infestation and potential security breach or loss of data. Or a patch that the AVers are using themselves.
Sure, companies still use IE in the first place, but it’s not all that easy for some to move away from it. (eg. Internal intranets and webapps)
500 computers of F-Secure themselves isn’t “tested”. Feedback from other companies, too.
So USE that one and stop crying, please.
BTW, 500 computers is not enough when you’re talking about the system that gets deployed all over the world. My guess is that MS is waiting for “green light” from major Windows users/customers.
Microsoft cannot recommend a third party’s patch, what is so wrong with that? You can still use it, it’s not like you have to blindly listen to MS, do you?
Or disable the most direct attack vector (you know, regsvr32 -u..) and get your antivirus up to date. All major av vendors have delivered updates to address this. And it works.
Except that those PCs and the reports of others don’t mean anything if they haven’t used all possible scenarios. Maybe it was just opening a file on 500 different PCs, whereas MS tests with all WMF-capable software, to put it simply. MS needs to be very sure before they get sued by someone because the patch broke down something and a kitten died. (to put it in extremes)
Is it exceptionally likely that Microsoft will complete full regression testing on a patch conveniently in one week just in time to fit the pre-existing monthly patch schedule? Or perhaps they just want to keep to their schedule, no matter what.
Every patch breaks something; there’s almost always tradeoffs. And MS is setting themselves up for not patching a known vulnerability as fast as possible, perhaps.
It’s possible. Even though I’m not very fond of MS I hope they take these security issues seriously and trust them not to screw this up intentionally.
“The unofficial patch might break a critical system…”
Hate to break it to you, but the system is already critically broken.
You’re right in a way, and I try to keep away from Windows whenever possible, but the reality is that there are already systems running MS stuff which are critical to some people/companies. Might as well keep them as safe as is possible.
Microsoft can’t recommend using this patch because then they’d have to support it. They don’t want to do that, and it’s very understandable.
I don’t really understand it either. Microsoft is saying that people should just ‘wait’ for a CRITICAL patch? How could MS sell that to its (corporate) customers? “You’ll risk getting keylogged only one week. That’s not a big problem, is it? I’m sure there’s no sensitive data at all.”
This is imho a really unprofessional attitude. What are they trying to do? Keep it out of the media? Making us believe that the vulnerability isn’t critical? What, exactly?
Cmon LB06, isn’t it reasonable to verify that the “cure isn’t worse than the ailment”? I mean like, the analogy is clear – drugs are tested before they are released to folks with whatever it is they are intended to treat. What happens if an apparently functional patch is later found to bork some critical app/function/service only because it was not properly tested? Hell Fire for MS!
Like a desperate patient, if you feel as though you are on your last legs and are willing to take the risk, go for the untested solution. Good luck. Hope it doesn’t kill ya man!
quotes from the advisory:
Upon learning of the attacks, Microsoft mobilized under its Software Security Incident Response Process (SSIRP) to analyze the attack, assess its scope, define an engineering plan, and determine the appropriate guidance for customers, as well as to engage with anti-virus partners and law enforcement.
Microsoft confirmed the technical details of the attack on December 28, 2005 and immediately began developing a security update for the WMF vulnerability on an expedited track.
Microsoft has completed development of the security update for the vulnerability. The security update is now being localized and tested to ensure quality and application compatibility. Microsoft’s goal is to release the update on Tuesday, January 10, 2006, as part of its monthly release of security bulletins. This release is predicated on successful completion of quality testing.
So this means they disable setting the default user as a superuser? This means they abandon IE? Or this means they just patch one of possibly hundreds of exploitable bugs which lead to full control of a MS Windows XP default installation?
In addition, anti-virus companies indicate that attacks based on exploiting the WMF vulnerability are being effectively mitigated through up-to-date signatures.
So is it all about making money and not at all about improving security?
What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could take complete control of the affected system.
The user was only visiting a malicious web site, right? “So let’s make a list of all malicious web sites in future implementations of MS IE” instead of fixing the underlying problems?
This is really ridiculous.
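As an added illustration of what the “up-to-date signatures” in the advisory quoted above actually have to look for, here is a small scanner written for this page (it is not Microsoft’s or any anti-virus vendor’s detection code). It walks the record stream of a WMF file and flags META_ESCAPE records whose escape function is SETABORTPROC, the escape the in-the-wild exploits used to make GDI call into attacker-supplied bytes. It also stops on malformed record sizes, which is where a naive parser would otherwise be led off the end of the buffer. The sample metafiles are constructed inline and are not real-world files; the header and record layouts follow the published WMF format.

```python
import struct

# Layout constants from the WMF specification (MS-WMF).
PLACEABLE_KEY = 0x9AC6CDD7          # Aldus placeable header magic (little-endian)
PLACEABLE_HEADER_LEN = 22
METAHEADER_LEN = 18
META_EOF = 0x0000
META_SETBKCOLOR = 0x0201
META_ESCAPE = 0x0626
ESCAPE_SETABORTPROC = 0x0009        # escape that registers a callback GDI later invokes


def scan_wmf(data):
    """Walk a WMF record stream; return [(record_offset, description)] findings.

    Record sizes are in 16-bit words and include the 4-byte size and the
    2-byte function fields, so any record claiming fewer than 3 words is
    malformed. Scanning stops at META_EOF, end of data, or the first bad size.
    """
    findings = []
    off = 0
    if len(data) >= 4 and struct.unpack_from('<I', data, 0)[0] == PLACEABLE_KEY:
        off = PLACEABLE_HEADER_LEN
    if len(data) < off + METAHEADER_LEN:
        return [(0, 'truncated: no METAHEADER')]
    mtype, hdr_words, _version, _size, _nobj, _maxrec, _ = struct.unpack_from('<HHHIHIH', data, off)
    if mtype not in (1, 2) or hdr_words != 9:
        findings.append((off, f'unexpected METAHEADER (type={mtype}, header={hdr_words} words)'))
    off += METAHEADER_LEN
    while off + 6 <= len(data):
        rec_words, func = struct.unpack_from('<IH', data, off)
        rec_len = rec_words * 2
        if rec_words < 3 or off + rec_len > len(data):
            findings.append((off, f'malformed record: {rec_words} words for function 0x{func:04X}'))
            break
        if func == META_EOF:
            break
        if func == META_ESCAPE:
            # META_ESCAPE: RecordSize, RecordFunction, EscapeFunction, ByteCount, EscapeData
            if rec_words < 5:
                findings.append((off, 'META_ESCAPE record too short for its escape header'))
                break
            esc_func, byte_count = struct.unpack_from('<HH', data, off + 6)
            if esc_func == ESCAPE_SETABORTPROC:
                findings.append((off, f'META_ESCAPE SETABORTPROC carrying {byte_count} bytes'))
        off += rec_len
    return findings


# --- constructed sample metafiles (not real-world files) ---
def _record(func, params=b''):
    body = struct.pack('<H', func) + params
    return struct.pack('<I', (4 + len(body)) // 2) + body


def _metafile(records):
    body = b''.join(records)
    max_rec = max(len(r) // 2 for r in records)
    header = struct.pack('<HHHIHIH', 1, 9, 0x0300, (METAHEADER_LEN + len(body)) // 2, 0, max_rec, 0)
    return header + body


BENIGN_WMF = _metafile([
    _record(META_SETBKCOLOR, struct.pack('<I', 0x00FFFFFF)),
    _record(META_EOF),
])
SUSPICIOUS_WMF = _metafile([
    _record(META_SETBKCOLOR, struct.pack('<I', 0x00FFFFFF)),
    _record(META_ESCAPE, struct.pack('<HH', ESCAPE_SETABORTPROC, 8) + b'A' * 8),  # placeholder payload bytes
    _record(META_EOF),
])
MALFORMED_WMF = _metafile([struct.pack('<IH', 0, META_SETBKCOLOR)])            # record claims 0 words
PLACEABLE_SUSPICIOUS_WMF = struct.pack('<I', PLACEABLE_KEY) + bytes(18) + SUSPICIOUS_WMF

if __name__ == '__main__':
    for name, blob in [('benign', BENIGN_WMF), ('suspicious', SUSPICIOUS_WMF),
                       ('malformed', MALFORMED_WMF), ('placeable', PLACEABLE_SUSPICIOUS_WMF)]:
        print(name, scan_wmf(blob) or 'clean')
```

Run it as a script and it reports each constructed sample; point `scan_wmf` at real file bytes (including files renamed to .jpg or .gif, since the vulnerable viewer sniffs content rather than trusting the extension) to use it as a quick triage check. It is a content check, not a signature of any particular exploit, which is exactly why it catches variants that byte-pattern signatures miss and why it also needs the malformed-size guard.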
So is it all about making money and not at all about improving security?
Yep. Isn’t it always?
Yeah this is kinda dumb… just release the patch.
BTW is this an IE-only exploit? I use Opera and I don’t see pr0n sites that much (I have it all on my hard drive) so I’m safe (for now).
BTW is this an IE-only exploit? I use Opera…
It affects IE, Opera, and “older versions” of Firefox. I don’t know for certain which “older versions”, but I assume at least FF 1.5 is in the clear.
Thanks for the advice about older versions of Firefox.
I run fedora 4, but since Saturday my system has been sluggish. I was running an older version of Firefox (1.06). I installed Firefox 1.5. Now everything seems to be back to normal. I think that is the first time I have been affected by a virus since coming to linux in 2001.
Is there anything else I need to do except delete out the old directory of firefox?
I was under the impression that this was a windows only thing. So my guess is that the sluggishness you have experienced has some other reason.
“I was under the impression that this was a windows only thing. So my guess is that the sluggishness you have experienced has some other reason.”
That was what I thought too, but blixel said, “It affects IE, Opera, and “older versions” of Firefox. I don’t know for certain which “older versions”, but I assume at least FF 1.5 is in the clear.”
I upgraded to ff 1.5 and that was the only change I made and since then everything is back to normal. I have not even rebooted. Strange????
Is it possible the sluggishness was the result of a program running in the background whenever I ran ff1.06?
I just don’t know but if anybody is experiencing sluggishness and they are running an older version of FireFox I suggest they try upgrading firefox.
Any other opinions?
“I was under the impression that this was a windows only thing. So my guess is that the sluggishness you have experienced has some other reason.”
“That was what I thought too, but blixel said, “It affects IE, Opera, and “older versions” of Firefox. I don’t know for certain which “older versions”, but I assume at least FF 1.5 is in the clear.””
Well, it’s a Windows flaw so I think the underlying assumption is that it affects IE, Opera and older versions of FF running on Windows. It’s actually a flaw in one of the .dlls used for processing WMF files, so there’s zero chance of exploit in linux, unless you happen to be running Firefox for Windows under Wine in linux and also have Office installed, though even then any risk to your underlying linux system would still be relatively equal to zero.
“I upgraded to ff 1.5 and that was the only change I made and since then everything is back to normal. I have not even rebooted. Strange????”
FF 1.5 is inherently better performing than 1.0x versions, so you would definitely have noticed a change.
There were numerous security vulnerabilities with earlier versions of FF, some of which could have impacted linux users though not on the scale of the Windows exploit. I’d be surprised though if the Fedora team hadn’t backported security patches to the FC4 version of Firefox, I assume you’d been updating regularly? Regardless, this exploit couldn’t have impacted you.
“Is it possible the sluggishness was the result of a program running in the background whenever I ran ff1.06?”
Sure, Fedora’s default install is a bit heavy so there could be services etc. running in the background causing sluggish performance, could be the result of recent upgrades that may have impacted the libraries in use. Even a flaky or poorly written extension could cause Firefox to drag. Hard to narrow down without knowing more.
“I just don’t know but if anybody is experiencing sluggishness and they are running an older version of FireFox I suggest they try upgrading firefox.”
Good advice in general.
I’m sorry but you’re wrong. I just was hit by the exploit and Symantec caught it. I’m using Firefox 1.5
“A”
🙁
This SUX. MS Fix your holes. Please.
No, you’re not. It’s possible to plant the exploit in many pages that allow posting images, count blogs, forums, friend matching sites, online auctions and so on, so on
From the https://blogs.technet.com/jesper_johansson/archive/2006/01/02/416762…
“Finally, there is an unofficial patch. Patch really is the right terminology for this. It patches (using basic rootkit technology) a system DLL to ignore calls to the vulnerable function. The patch is an executable and has to be run on each vulnerable system, meaning cost of implementation is potentially very high. According to SANS, it does stop the current exploits. Personally, I have not tested it, and I have no intention of using an unofficial patch at this time.”
Yeah, right , throw in some “root kit” stuff, more FUD.
Actually this patch _does_ use a fairly standard rootkit attack vector to do its work. The patch injects code into each running process to patch the import of the call to Escape (exported from gdi32.dll) so that it does nothing.
Process injection is a standard malware/rootkit technique, and system call patching (via IAT hooks or direct manipulation of the loaded code image) is standard practice for user mode rootkits. It is a pretty cool way to patch the problem without modifying the OS binaries.
This is rootkit technology because it is used in many rootkits. It is used because it works. This does not mean that the patch is a rootkit.
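To make the “patch the import” part of the above concrete, here is an added example written for this page (it is not the hexblog patch’s code, and I have not seen that code). An IAT hook of the kind described needs one piece of information per target process: the address of the Import Address Table slot through which the process calls gdi32.dll!Escape, because that slot is what the loader filled in with the real address and what the hook overwrites with a pointer to a do-nothing stub. This script does only the locating part: it walks a PE image’s import directory on disk and reports the slot RVA for every import, so you can check which binaries on a box actually import Escape (and so would be affected by such a hook) and where the slot sits. The in-process write into that slot (VirtualProtect plus an overwrite at ImageBase + slot RVA) is deliberately not performed. The sample PE is constructed inline for the demo and contains nothing but headers and an import table; it is not a real Windows binary.

```python
import struct

IMAGE_DIRECTORY_ENTRY_IMPORT = 1


def _cstr(buf, off):
    return buf[off:buf.index(b'\0', off)].decode('ascii', 'replace')


def parse_imports(pe):
    """Yield (dll, symbol, iat_slot_rva) for every import in a PE file image.

    Works on the on-disk layout: RVAs are mapped to file offsets through the
    section table. The IAT slot RVA is where the loader stores the resolved
    function address, i.e. the slot an in-process IAT hook overwrites.
    """
    if pe[:2] != b'MZ':
        raise ValueError('not a PE file (no MZ header)')
    e_lfanew = struct.unpack_from('<I', pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b'PE\0\0':
        raise ValueError('not a PE file (no PE signature)')
    nsections = struct.unpack_from('<H', pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from('<H', pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    magic = struct.unpack_from('<H', pe, opt)[0]
    if magic == 0x10B:            # PE32: 4-byte thunks, data directories at +96
        thunk_fmt, dd_off = '<I', 96
    elif magic == 0x20B:          # PE32+: 8-byte thunks, data directories at +112
        thunk_fmt, dd_off = '<Q', 112
    else:
        raise ValueError(f'unknown optional header magic 0x{magic:X}')
    thunk_size = struct.calcsize(thunk_fmt)
    ordinal_flag = 1 << (thunk_size * 8 - 1)
    import_rva = struct.unpack_from('<I', pe, opt + dd_off + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT)[0]
    if import_rva == 0:
        return

    sections = []
    sec = opt + opt_size
    for _ in range(nsections):   # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        vsize, va, rawsize, raw = struct.unpack_from('<IIII', pe, sec + 8)
        sections.append((va, max(vsize, rawsize), raw))
        sec += 40

    def rva_to_off(rva):
        for va, size, raw in sections:
            if va <= rva < va + size:
                return raw + (rva - va)
        raise ValueError(f'RVA 0x{rva:X} not backed by any section')

    desc = rva_to_off(import_rva)
    while True:                  # IMAGE_IMPORT_DESCRIPTOR, 20 bytes, zero-terminated list
        ilt_rva, _, _, name_rva, iat_rva = struct.unpack_from('<IIIII', pe, desc)
        if ilt_rva == 0 and name_rva == 0 and iat_rva == 0:
            break
        dll = _cstr(pe, rva_to_off(name_rva))
        lookup = rva_to_off(ilt_rva or iat_rva)   # some linkers omit the ILT; fall back to the IAT
        i = 0
        while True:
            entry = struct.unpack_from(thunk_fmt, pe, lookup + i * thunk_size)[0]
            if entry == 0:
                break
            if entry & ordinal_flag:
                symbol = f'#{entry & 0xFFFF}'
            else:                # IMAGE_IMPORT_BY_NAME: 2-byte hint, then the name
                symbol = _cstr(pe, rva_to_off(entry & 0x7FFFFFFF) + 2)
            yield dll, symbol, iat_rva + i * thunk_size
            i += 1
        desc += 20


def find_iat_slot(pe, dll, symbol):
    """Return the IAT slot RVA for dll!symbol, or None if the image does not import it."""
    for d, s, slot in parse_imports(pe):
        if d.lower() == dll.lower() and s == symbol:
            return slot
    return None


def build_sample_pe():
    """Constructed minimal PE32 image holding only an import table (not a real binary)."""
    SEC_RVA, SEC_OFF, SEC_LEN = 0x1000, 0x200, 0x200
    sec = bytearray()

    def place(data, align=4):
        while len(sec) % align:
            sec.append(0)
        rva = SEC_RVA + len(sec)
        sec.extend(data)
        return rva

    def by_name(name):           # hint + NUL-terminated name
        return place(struct.pack('<H', 0) + name.encode() + b'\0', 2)

    names = {n: by_name(n) for n in ('ExtEscape', 'Escape', 'ExitProcess')}
    gdi_name, k32_name = place(b'gdi32.dll\0', 2), place(b'kernel32.dll\0', 2)
    gdi_thunks = struct.pack('<3I', names['ExtEscape'], names['Escape'], 0)
    k32_thunks = struct.pack('<2I', names['ExitProcess'], 0)
    gdi_ilt, gdi_iat = place(gdi_thunks), place(gdi_thunks)   # on disk the IAT mirrors the ILT
    k32_ilt, k32_iat = place(k32_thunks), place(k32_thunks)
    descs = struct.pack('<5I', gdi_ilt, 0, 0, gdi_name, gdi_iat)
    descs += struct.pack('<5I', k32_ilt, 0, 0, k32_name, k32_iat) + bytes(20)
    import_dir = place(descs)

    opt = bytearray(224)         # PE32 optional header, only the fields the parser needs
    struct.pack_into('<H', opt, 0, 0x10B)
    struct.pack_into('<III', opt, 28, 0x400000, 0x1000, 0x200)   # ImageBase, SectionAlign, FileAlign
    struct.pack_into('<II', opt, 56, 0x2000, SEC_OFF)            # SizeOfImage, SizeOfHeaders
    struct.pack_into('<I', opt, 92, 16)                          # NumberOfRvaAndSizes
    struct.pack_into('<II', opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT, import_dir, len(descs))
    file_hdr = struct.pack('<HHIIIHH', 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    sec_hdr = struct.pack('<8sIIIIIIHHI', b'.idata', SEC_LEN, SEC_RVA, SEC_LEN, SEC_OFF, 0, 0, 0, 0, 0xC0000040)
    dos = bytearray(64)
    dos[:2] = b'MZ'
    struct.pack_into('<I', dos, 0x3C, 64)
    headers = bytes(dos) + b'PE\0\0' + file_hdr + bytes(opt) + sec_hdr
    return headers.ljust(SEC_OFF, b'\0') + bytes(sec).ljust(SEC_LEN, b'\0')


if __name__ == '__main__':
    image = build_sample_pe()
    for dll, sym, slot in parse_imports(image):
        print(f'{dll}!{sym:<12} IAT slot RVA 0x{slot:X}')
    print('gdi32!Escape slot:', hex(find_iat_slot(image, 'gdi32.dll', 'Escape')))
```

Feed `parse_imports` the bytes of any real PE and it lists the imports the same way. Two caveats worth knowing before relying on this to reason about the hexblog-style hook: a process that resolves Escape at run time through GetProcAddress has no IAT slot to patch, so an IAT hook alone does not cover it, and the slot found on disk is only meaningful once you add the process’s actual load address, which may differ from ImageBase if the image was relocated.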
I do not understand Microsoft! Why would they not release an untested “BETA” patch now to customers/enterprises willing to forgo formal QA/QT?
At any rate I congratulate the developer who did write the patch that is available now.
It just goes to show, how true it is over and over, small things can move mountains. In this case one developer.
“Privately, Microsoft officials are furious that the issue was overblown…”
Are they equally as furious that yet another major weakness in their OS has been found and that somebody else came up with a patch first? Or are they just furious that they’re getting “picked on”? What an ass this Johansson is.
Cmon LB06, isn’t it reasonable to verify that the “cure isn’t worse than the ailment”? I mean like, the analogy is clear – drugs are tested before they are released to folks with whatever it is they are intended to treat. What happens if an apparently functional patch is later found to bork some critical app/function/service only because it was not properly tested? Hell Fire for MS!
It simply can’t get more serious. This is a remote exploit which requires no user interaction (besides visiting a malicious site) but gives the attacker potentially full control over the system. Furthermore this means “as every casual user can’t really know if his system has already gone to some malicious asshole, he has to reinstall the complete system after the patch is released by MS”. Of course, nobody really takes these actions but, instead, relies on his Antivirus/Antispyware products.
So does this mean that they need 7 more days of testing? I highly doubt it. I really hope people can see that Microsoft is releasing this patch at a time that is convenient for them, and not their consumers.
Edited 2006-01-04 01:39
This is totally an outrage.
I sent an EMAIL about this LAST WEDNESDAY to our support team and Microsoft STILL DOES NOT have a patch.
Some guy on the internet used open source tools to hack their binaries and came up with a fix, while Microsoft still sits on their ass and tells us to wait?
THIS WOULD NEVER HAPPEN WITH OPEN SOURCE!! NEVER!
Man…to quote office space:
“thumbs up their asses, thumbs up their asses.”
The guy that made a fix *did not* patch binaries. The “patching” is done in memory and no system file is ever changed. The fix can easily be uninstalled before applying the official patch.
Yeah, because in the open source world they’d just release a patch and not even bother testing it on 10 machines.
“Yeah, because in the open source world they’d just release a patch and not even bother testing it on 10 machines.”
WTF?
Windows security is borked, has been for years, there are thousands of Windows machines out there utterly own3d, people are expected to pay for this rubbish, Microsoft takes forever to come up with a fix to a 0day exploit and recommends *AGAINST* Windows users even temporarily avoiding Microsoft’s stuff-up by installing a patch Microsoft didn’t write – and it is all somehow open source’s fault according to you?
What planet are you on?
Get off the Linux cake and come back to us.
Or maybe you just have no concept of computing past the rubbish heap in your garage. You know, in the real world … stuff like this has to be tested, especially when many businesses rely on it …
While it’s true that testing is important, sometimes it’s more important to make a rough (if unsupported) patch available to one’s clients.
IBM did this with their OS/2 platform — that was one of the purposes behind the testcase site, and one could even get unofficial kernel builds in that way (sans support).
Maybe MS has something similar I’m just not aware of?
They might do something of the sort through their beta program, but I wouldn’t know.
I know I’m replying to a known troll but still…
This proves that you have no idea whatsoever how patches work. When a vulnerability is found in the kernel or any of the supporting libraries, there are a number of possibilities: it might be possible that the patch requires 0 testing, simply because the code in question and the solution have no way to bork your machine, and can be deemed safe. Then there can be patches that need testing, because perhaps they might lead to instabilities or expose other problems. So there is no universal rule that _every_ patch should be tested on 1000 machines to be safe.
Yeah, probably we would find some cases when a patch broke something, but even then, we can’t be 100% certain that problems with the patch would have been exposed during tests. On the other hand, that isn’t very rare with Microsoft patches now is it? So how come the oh so professional Microsoft Corp. with supposedly adequate testing (and tons of money to set up testing facilities) can (repeatedly) release patches that break something?
do you think such a globally pervasive system would be so leaky without official sanction? the govt wants MS software to be this way – before it was office software but web connecting software is easier to control remotely. trust me – if they didn’t want it like this no way would anyone sell this for a price.
Don’t use the unofficial patch, Microsoft would rather your box be owned. When will they learn.
Haha…this gets even more of a shitfest for Microsoft..
The http://www.hexblog.com/ site that had the unofficial patch has been pulled off the net probably for exceeding bandwidth or something.
MAN, Microsoft software is low quality garbage and anyone who makes their business depend on it is freaking crazy.
This flaw potentially affects all versions of Windows back to 3.0. To trigger it, you need Windows, plus a viewer. Windows versions from XP onward (including Vista Beta) use the Picture and Fax Viewer as a default viewer for WMF files. Third party, registered WMF viewers might also be affected.
In practice, this means that by default, Windows 2000, ME, and earlier will not get infected. Install any other graphics software, and things might get very different.
The Unofficial patch may impact some network printing. If it does, it can be removed via the control panel. It should be removed prior to installing any official patch from Microsoft.
Robert Cringely wrote an article about corporate culture recently, arguing that it remains pretty constant over time, even in a fast moving field, such as computer technology. The WMF flaw is the result of a flawed decision made roughly 15 years ago. Microsoft’s current response to the flaw still shows they don’t “get” security.
http://www.pbs.org/cringely/pulpit/pulpit20051222.html
Peter Besenbruch
“In practice, this means that by default, Windows 2000, ME, and earlier will not get infected. Install any other graphics software, and things might get very different.”
Why then does SANS say that this should be the end for W9x, and that everyone still on should upgrade because there is no fix?
Are you quite sure it is right that 2000 and 9x are not at risk?
I’m sure that, like each and every other time a major Windows virus / worm / security hole story became major network news, the tone of ABC/NBC/CNN/FOX and their affiliates will be “computers are dangerous! Don’t touch or go near your computer!” rather than “Windows is dangerous. Use something else.”
Good thing I uploaded the patch to rapidshare.de yesterday then, isn’t it?
[ http://rapidshare.de/files/10230411/wmffix_hexblog11.exe.html ]
Of course I don’t need it myself I’m currently using Ubuntu and will likely stay there until this whole thing blows over. Fresh install as of this morning! I knew it was time to get out when I hadn’t seen any response from Microsoft and was beginning to hear astroturfing about ‘malicious sites’ –as if you can know for a fact which sites will be attacked ahead of time! The fact that this is an ongoing issue makes me doubly glad I moved out when I did! I’ll probably wait for the official patch and the patch to fix that patch before throwing my drive image back on and patching my system.
–bornagainpenguin (who wishes good luck to anyone unfortunate enough to still ‘need’ be on Windows on days like this…)
Dear Windows Users: You’re all sitting ducks! Hahaha – Microsoft.
You can get the unofficial patch here:
http://castlecops.com/a6436-Newest_WMF_Exploit_Patch_Saves_the_Day….
http://handlers.sans.org/tliston/wmffix_hexblog14.exe
http://handlers.sans.org/tliston/WMFHotfix-1.4.msi
As others have noted, hexblog.com has been slammed, and is no longer available.
Peter Besenbruch
In case those other sites get too bogged down, you can also get a patch for the WMF vulnerability here: http://store.apple.com/
does anyone even use wmf for anything other than exploiting vulnerabilities like this one? i’ve never seen a legitimate use of the format and microsoft’s implementation of it has always been full of holes like this one… i remember using similar exploits on windows 95 machines when i was in high school… wouldn’t it be so much easier for microsoft to completely remove support for the format from windows?
This is how I understand the exploit came to light –
Re:They call hackers researchers now? (Score:5, Informative)
by ninja_assault_kitten (883141) on Wednesday December 28, @08:30PM (#14355305)
The exploit was published by HD Moore after reverse engineering some malware. HD Moore is absolutely a very prominent researcher and hacker. Secondly the person(s) who discovered the vulnerability and wrote the initial malware to exploit it are also hackers. Even by the historical definition. Intent has no bearing on the term. Skill does. And you can’t tell me discovering a 0day affecting any MS platform doesn’t require skill. There are tens of thousands of researchers out there right now who can’t.
http://it.slashdot.org/comments.pl?sid=172399&cid=14355305
I assume this is the release post at Metasploit –
http://www.metasploit.com/archive/framework/msg00755.html
And I assume this is the example code – http://www.frsirt.com/exploits/20051231.ie_xp_pfv_metafile.pm.php
Anyone read ‘Waiting for Godot’ ? That’s Microsoft.
Anyone read ‘Waiting for Godot’ ? That’s Microsoft.
“Godot” is a bottomless pit of evil. Microsoft are a bottomless pit of incompetence.
Or maybe their vast 10,000 man Windows division could simply get the lead out.