The saga around the WMF flaw in Windows continues. “A cryptographically signed version of Microsoft’s patch for the Windows Metafile vulnerability accidentally leaked onto the Internet late Tuesday, adding a new wrinkle to the company’s round-the-clock efforts to stop the flow of malicious exploits. The MSRC (Microsoft Security Response Center) acknowledged that a slip-up caused ‘a fast-track, pre-release version of the update’ to be posted to a security community site and urged users to ‘disregard’ the premature update.”
This is becoming hilarious
I wouldn’t do this myself, but I think if people go against Microsoft’s advice and try it anyway we might find out if it works now. Not that that’s necessarily a good idea.
At least there’ll be a patch within a week though. That’s a relief since I still have to look after two windows boxes over here, and one of them is frequently in use by someone far more dangerous than any premature patch I can think of 😉 . I’m not looking forward to running a virus/malware scan on that box when the MS patch is finally out.
What scare me is the fact they are already too late to release this patch.
Isn’t that usually the case?
When a security hole becomes public knowledge it’s a little late to be getting around to writing a patch. But that happens all to frequently anyway because either the company doesn’t know about the problem, or hasn’t scheduled time to fix it until there are exploits already in the wild and they realize they can’t wait any longer.
No, that’s not always what happens. This issue has been known to MS (and the world) for at least a couple of weeks now, and they still haven’t issued a patch.
Red Hat, Novell, etc, would never take that long to issue a patch for an issue with the severity of this one.
Red Hat, Novell, etc, would never take that long to issue a patch for an issue with the severity of this one.
How did you figure that one out?
Because.. super-guru-coders work at RH and Novell and at MS we have a bunch of kids?
Or could it be, because in “Linux world” it is acceptable that users/customers are, in fact, doing what is normally QA’s job?
Here’s what Ilfak Guilfanov says about it, but I guess you know better, right?
There is also a sense of division among those who want Microsoft to deliver the update now, as opposed to waiting until its monthly patch release on Jan. 10. What do you think Microsoft should do?
Guilfanov: I think Microsoft should develop a patch, (and) test and release it. And I believe that this is exactly what they are doing.
Rest of the interview http://news.com.com/Beating+Microsoft+to+the+punch/2008-7355_3-6018…
“Because.. super-guru-coders work at RH and Novell and at MS we have a bunch of kids?”
So far you’re the only one in this thread to have said that either directly or indirectly.
“Or could it be, because in “Linux world” it is acceptable that users/customers are, in fact, doing what is normally QA’s job?”
That’s a common myth actually.
Linux is not all developed by one entity, the software packaged by RH and the like are developed outside of the company. Red Hat simply packages and distributes that software with a price tag on it so they get a return for the work they did: taking different packages that would otherwise be separate, and bundling them together into a Linux distribution. Red Hat doesn’t produce it’s own patches for the software if there already is one, and the developers who contribute to open source software often write those patches first because they hear about it first and it’s primarily their responsability. If someone, whether their customer or not, writes a patch first of their own volition it’s hardly fair to claim that Red Hat is making it’s customers roll out their own updates. I have heard of Linux distributors putting together their own patches before, but usually the people responsible for the vulnerable software get to it first or a patch is contributed. And even if Red Hat doesn’t get to writing the patch first, they’re still the ones that review the code before including it, package it, and take care of putting it up on a package repo so other’s can get it.
So far you’re the only one in this thread to have said that either directly or indirectly.
Yeah, but someone else said that “RH or Novell” would provide patch much faster without any explanation.
and the developers who contribute to open source software often write those patches first because they hear about it first and it’s primarily their responsability
We all know how well it works when Pat Slackware got sick. Define “developers who contribute to open source software”? Big companies don’t like to deal with something not really defined.
And please, why did you skip this part:
Guilfanov: I think Microsoft should develop a patch, (and) test and release it. And I believe that this is exactly what they are doing.
You guys know better than him, too…
“So far you’re the only one in this thread to have said that either directly or indirectly.
Yeah, but someone else said that “RH or Novell” would provide patch much faster without any explanation. “
I can’t see how saying “RH or Novell” would patch it faster translates into an insult on MS.
“We all know how well it works when Pat Slackware got sick.”
Red Hat and Novell are companies, run by several people and capable of continuing should anything happen to one or more of them. Pat Volkerding (is that how you spell his last name) is one person, with a distribution which is more or less his own. So the comparisson isn’t a good one.
Secondly when Pat Volkerding became ill few people knew what had actually happened to him at first, to many he simply seemed to have disappeared until news of the guy’s illness had reached them. As I understand it no one took over for him because it wasn’t important enough yet, and because there was still a good enough chance he might recover. Had he not survived I have no doubt someone else would have taken over the project, and no doubt now the guy has a backup plan should anything happen to him.
Thirdly just because no one is there to package an update doesn’t mean there isn’t one. It simply means that it’s not packaged for that distribution yet so some independent person will probably package it and in the mean time sysadmins can install it manually which is what they are payed for. Heck, even most ordinary Linux users I know of know how to compile software from source, and if they don’t they can get easy help from IRC, if you ask nice enough someone might even package it up for you so you never have to go near a console (depending on your distribution of course, but most now can do package management with a GUI).
“And please, why did you skip this part:
Guilfanov: I think Microsoft should develop a patch, (and) test and release it. And I believe that this is exactly what they are doing.
You guys know better than him, too…”
I don’t think I disagree with that part, so why would I need to reply to it.
“Or could it be, because in “Linux world” it is acceptable that users/customers are, in fact, doing what is normally QA’s job?”
<i?That’s a common myth actually.[/i]
Well let’s see: so you say that users are not doing QA’s job (my point of virew), RH is not doing it, Novell is not doing it..
Well, who is doing it then? Nobody?
Red Hat doesn’t produce it’s own patches for the software if there already is one
And if there isn’t one? And my company pays for support to RH?
Righhht..
“”Or could it be, because in “Linux world” it is acceptable that users/customers are, in fact, doing what is normally QA’s job?”
<i?That’s a common myth actually.
Well let’s see: so you say that users are not doing QA’s job (my point of virew), RH is not doing it, Novell is not doing it..
Well, who is doing it then? Nobody?
Red Hat doesn’t produce it’s own patches for the software if there already is one
And if there isn’t one? And my company pays for support to RH?
Righhht..”
Ok, lets try this again. Obviously you don’t understand the relationship between OSS developers and Linux distributions.
Linux distributions are comprised of the Linux kernel and software, these are not written by Red Hat or Novell, athough the two companies do contribut code among other things. Other people maintain the programs they wrote that Red Hat and Novell in turn package for their distributions. Now if there is a problem, the people who actually wrote the software and continue to maintain it are usually the ones who also fix it if someone else doesn’t willingly contribute a fix first, and it actually happens very fast with a patch usually released before 24 hours elapses. All Red Hat and Novell do is is package the patch and put it up on their servers so people can update. Now, if a patch isn’t issued that is where things change, either Red Hat or Novell or some other distributiors will have their employees work on a patch and then they are packaged and uploaded to the servers usually very promptly.
Neither Red Hat or Novell leave thier customers or users to roll out thier own patches, if patches are contributed it’s done by people who wanted to do it. Otherwise the distributors take care of making and packaging the patches themselves, and they do so very promptly.
LOL it seems like MS cant please anyone these days. If they release a broken patch they get flak and if they release a working patch but takes time they still get flak! Nice lol.
Microsoft has the patch, still they don’t release it because of the needed testing they have this weird rule of only releasing security fixes on tuesday)
I only can say: WELL DONE. When you’ve 95% of the computer market share you just can’t take two weeks to release a critical fix that is already being exploited. Release it early even if it’s buggy.
The patch breaks something? Well, who cares. Your system is broken because of a unpatched security bug anyway. Time has show that what is important is not the quality of the software, but how fast you can fix it. Just make the patch, test it slightly so it don’t breaks the basic functions of the OS, release it to protect your users, do extensive testing, check if it breaks something, and if it breaks something release another security fix. While this metodology may look crazy, it sure has a lot more sense than having to wait until 10th January to get a fix and be exposed to be infected by Yet Another Worm.
Of course this won’t work because of the stupid “if you release a fix to fix a fix your company is crap” mentality. It’s amazing how companies don’t matter releasing untested versions of software when there’s a lot of pressure to release a product (Microsoft has eliminated a release candidate version from Vista because of the lack of time), still they will spend a full week to test and release a bug that is already being exploited and is already coded today.
Edited 2006-01-05 00:37
“Just make the patch, test it slightly so it don’t breaks the basic functions of the OS, release it to protect your users”
As long as they make it optional. I can go a while without browsing untrusted sites in Windows (or I could just use Linux) and would rather that than having things break because of the patch. I’m sure sysadmins for big companies would really appreciate having the WMF hole patched at the expense of breaking other parts of the OS and having users complain to them all day, they may even get fired for fixing a problem most ignorant users were oblivious to at the expense of bringing up several other problems that those users aren’t so oblivious to.
Early access for those who want it is fine, as long as the experimental patches are deselected by default and labeled as experimental on the Windows update site.
“Interestingly, Microsoft’s patch works seamlessly with the unofficial hotfix from reverse-engineering guru Ilfak Guilfanov. “It looks like Microsoft was right on the ball with a patch and they’ve done it the right way, taking all things into consideration, including the fact that [Guilfanov’s patch] is going to be on a lot of machines,” a source said.”
So then it won’t be necessary to uninstall Ilfak’s patch even after the new one is installed?
A quick recap – We have a hole a mile wide in a zillion desktops and servers (including a hundred and a dozen managed by me), and known exploits for said hole.
We have an unnoficial patch, and we also have a semi-official patch (being officially from MS and leaked before all testing is complete for all languages, if I have my facts right).
Microsoft says “Nope, don’t use EITHER patch! Just keep waiting.”
So, are they *now* responsible if my network gets infiltrated? Am I irresponsible if I follow their instructions?
So, are they *now* responsible if my network gets infiltrated? Am I irresponsible if I follow their instructions?
The only one acting irresponsibly is Microsoft. There is absolutely no excuse for such a lengthy release period. Furthermore, there is no excuse for setting future release dates for something that should have been released days ago. I would advise you to do whatever you have to do to secure your network because the company that has the “Trustworthy Computing” campaign has obviously abandoned their consumers, if only temporarily.
Edited 2006-01-05 01:18
Microsoft says “Nope, don’t use EITHER patch! Just keep waiting.”
So, are they *now* responsible if my network gets infiltrated? Am I irresponsible if I follow their instructions?
Emmm…. No
Microsoft are never responsible if anything happens to your computers/software/data while you are running any version of Windows.
In fact, you should all have a read of the EULA. Microsoft cannot be held responsible if a security issue screws up your PC, they also cannot be held responsible if their own software screws your PC.
This is strange though, why should they delay the patches release for testing, if, ultimately, they do not care if they hose your machine or not.
This is not FUD or flamebait… have a look at the EULA for yourself.
This is getting overblown. If you don’t come in contact with WMF files, you’re safe.
You know, I have to say that in my 5 years of using XP, I have *never* seen or used a WMF file, let alone had one sent to me. It looks like the pro-open source sites are all over this, yet the IRC channels are not even seeing a whimper about it.
Wrong again dickwad.
In any case, because you’ll be so blatently unaware, mind if send you a 1x1px WMF as an embedded image on a webpage you view, and f–k your computer right up the arse?
So much for no contact eh? This security hole could be a great tool to combat trolls such as yourself.
Yeah? And how exactly are you going to do that? Short of this and my own site, I don’t read any other forums.
In any case, Opera on my Windows box is set up not to load any images anyway. Windows = gaming, encoding.
You know, I have to say that in my 5 years of using XP, I have *never* seen or used a WMF file, let alone had one sent to me.
….maybe because the bug was discovered two weeks ago?
In case you don’t get it, virus creaters will start using it today even if nobody in the whole world had created a WMF file in 10 years. Windows supports it. It’s everything you need to get a worm working. Actually, the fact that nobody uses WMF makes it worse: nobody knows what WMF files do, so it’ll be much easier to deceive users.
Edited 2006-01-05 02:30
This is hardly over blown. I’ve had norton popup about 10times because websites and some web ads have this exploit in them.
I talked to Symantec tech support today. They are having problems with lots of false positive detections on this. it is possible that the files you are seeing detected are not actually malicious.
You do realise that black hats can give a malicious wmf file another extension (such as gif or jpg) and your Windows security hole will still be exposed, don’t you?
“This is getting overblown. If you don’t come in contact with WMF files, you’re safe.”
False. WMF files may masquerade as seemingly legitimate image files by using a different extension. Ignorance is not a point of view, troll.
I don’t have a clue what WMF files are, but saw one for the first time just yesterday. Firefox in Linux asked me what I wanted to do with a WMF file that I hadn’t explicitly requested.
So you may not know or have ever encountered WMF files, but you can bet they’ll start popping up in order to exploit the vulnerability.
Windows users : it is important to know that a file may be a WMF even if its filename does not end in .wmf. Windows, like any modern OS, does not rely only on the extension to determine the filetype. Any file ending in .jpg or .jpeg or .gif or .bmp or… may be a WMF. So be extremely careful in e-mail attachments, and most importantly, disable the automatic displaying of pictures in your mail client.
Also note that, according to the SANS ISC, unregistering the dll is not a 100% sure protection, because malware may re-register it. (Maybe a safe solution would be to not only unregister the dll, but also rename the dll file, so that windows won’t find it.)
EDIT : I just found this interesting story on the ISC website, titled “What do the bad guys do with WMF?” :
http://www.isc.sans.org/diary.php?storyid=1016
I’m happy I installed linux on the computers of my relatives (mother, brother, girlfriend…) — at least they’re safe.
Edited 2006-01-05 02:59
Also note that, according to the SANS ISC, unregistering the dll is not a 100% sure protection, because malware may re-register it.
In the same way that malware can re-register the dll, they can patch it in memory like the unofficial patch does, and still screw you over.
Actually, unlike modern operating systems, windows DOES use the extension to know the format of an image. Try to rename a .jpg to .whatever and see by yourself.
The list of known extensions is in the registry; just search for it.
By the way, a known method of deception is using extensions with strings that windows will NEVER show you (they look like long alphanumeric strings in curly braces, just like the many weird registry keys). I read in the past that it is quite simple to produce a file that looks like a “file.doc” but is actually a “file.doc.{dfa43d35sljf3d53k2afd5jf35kldjfldjflk}” (whatever).
The next step is registering an handler for this weird file type… like “execute this”, or “open in explorer”, and your virus/worm is served.
I am just HAD it with all of the hysteria every week about some new exploit. It’s like just running a computer in these days will give people nervous breakdowns. I started my migration to other platforms three years ago, but have TWO Windows installations left, and frankly don’t care if they blow up… but the poor businesses and IT managers that have to manage thousands of these things….this is a nightmare.
When will the gauntlet be brought down and Microsoft will finally have to PAY THE PRICE for the money and manpower that is being spent not on just THIS particular hole, but it’s EVERY WEEK!
I’ve HAD it.
And I’m getting to the point, although it’s not nice and it’s not the right thing to do, of just laughing and not caring anymore when people call up with another problem to fix. I just can’t do it anymore…
They (meaning the bad guys…not Microsoft) have ruined computing for most people…it’s just not fun anymore, running Windows (except that the games still kick butt!
Maybe we should all just keep the Windows for gaming or playing with things, but disable the interface cards…boot into your BSD, Linux or fire up the MAC for the internet stuff…
It isn’t overblown. WMF files that have been renamed to have .jpg, .gif, etc. filename extensions are just as threatening. And all you have to do is visit a web page that contains any such WMF file.
The worry isn’t over WMFs that you consciously download for use as a WMF file. It’s over the fact that all you have to do is visit a malicious / hacked web page to hand your computer over to a sleaze.
What are the symptoms of infections? If I click on a WMF file Windows Media Player starts, but then displays a message saying there was an error and I am given the option of sending an error report or not. How would I go about reinstalling WMP or finding out if other system files are damaged and need fixing?
For those that don’t know what a WMF file is: http://filext.com/detaillist.php?extdetail=wmf
I think is time for me to switch my parents to Apple. I’m finally sick of cleaning and fixing their Windows machine. Everyday is something new. I feel that I have become sort of a Windows expert fixing these kind of freaking problems all the time.
I have always been a Mac user since day one (System 1 to Mac OS X), and I have never seen an exploit with this level of damage on the Mac.
Here’s my big question I haven’t seen asked yet:
How come they have to do so much testing in so many languages for a simple patch to the library that handles an image format?
Where do foreign languages come in to it? Shouldn’t it be language agnostic?
In theory, couldn’t they completely replace their libwmf.dll (or whatever they call it) with an entirely different one that was built to be compatible and have no reason to worry? (again, in theory)
And for cryin’ out loud, there are so few places where WMF is used, and it’s a relatively simple format… couldn’t they just assign 50 people to testing, give each of them four computers loaded with all sorts of esoteric software, and let them test all day for one day? And let their Big Name Partners do the same for their in-house software?
How much can any patch possibly screw up an image format handler???
How much can any patch possibly screw up an image format handler???
Has it occurred to you that it’s not only the image format handler that is being patched?
AFAIK, this was simply an attack vector that was vulnerable, but fixing the handler itself won’t remove the underlying problems.
It occurred to me, yes, but can anyone give me an example of such a thing happening in a properly designed library?
I’m asking seriously. I’m in school for this sort of thing right now, and I’d like to know. I’ll have to look up the details of the vulnerability now.
I looked this thing up on Symantec’s web site (let me know if they aren’t as reputable as I think), and it seems there are two reports of WMF bugs. The first was reported 11-08-05 and allows execution of arbitrary code as SYSTEM user (totally unlimited root, IIRC), and the second, dated 12-28-05, is the same, except code is run as the user viewing the file.
In both cases, it seems to be completely confined to this one library (the former is an integer overflow, the second is less descriptive, citing a single function in the library).
I still don’t understand why it has to be so thoroughly tested in so many languages. I’m guessing the November buffer overflow was fixed quickly. I definitely understand, though, that the more recent one is something I understand less.
Here is an answer 😉
Take this with a grain of salt since I don’t work for MS, and don’t have visibility into exactly what they have been doing.
As far as I understand, the flaw is in the GDI call Escape(). This means that the pathch will likely need to be to GDI32.DLL and likely WIN32K.SYS. These are low level core components to the Win32 subsystem (the subsystem the most applications and the shell use).
So here is a bit more detail (as I understand it) into the issue:
The GDI framework is an API used to abstract away the details of graphics devices. This API is used to do basic graphics operations on video boards, and printers, and any other “display” device. Abstractions like this hide the details of the hardware from the appilcations programmer. This is a good thing.
The Escape call is a call that lets the application pass various commands to the driver without having to know the details of the driver. Most of the uses of this call are replaced with newer API calls, so this one has been around for quite a while. IIRC the issue here is that WMF files (which are really a set of GDI commands) can also contain Escape calls that will set a callback into arbitrary code (AbortProc). The proper use for this value is for an application to be able to tell the print driver to notify it if the print job has been canceled. However, a callback is a callback, and a malicious coder can make them do all sorts of nastiness.
Now GDI32.DLL is a rather thin library that mostly passes its work to WIN32K.SYS (In NT based systems).
WIN32K.SYS is the kernel mode component of the Win32 Subsystem. It does the real work of Win32. It _is_ Win32.
Any modifications to these libraries, no matter how trivial, could have wide ranging impact. These changes need to be well tested. Since the updated libraries will likely contain the rest of the Win32 API they need to be localized.
The point is that WMF is not so much an image format as it is a GDI scripting language. So the patch needs to be in GDI not in an image format handler.
Oooh. First sentance of your third paragraph foreshadowed the rest of the explanation nicely. Have you considered becoming a novelist? Your explanation was entertaining, thorough (enough), and clear. Thanks!
I guess a GDI scripting language sounded like a pretty good idea back when malware was comparably unknown.
Typical!
… Where are you now?
The Microsoft Patch is now on windowsupdate ahead of schedule, so please get updating if you are a Windows XP user.
more info here
http://www.microsoft.com/technet/security/Bulletin/MS06-001.mspx
and here
http://www.windowsupdate.com
cheers
anyweb