Microsoft has officially released the patch that fixes the WMF flaw. The patch can be downloaded individually here, but it is advised to simply use Windows Update. Yesterday, Microsoft said it would not release it until next Tuesday, but two (1 | 2) third party fixes were already available. And to make matters worse, Microsoft accidentally leaked their own patch to the Net yesterday.
Only what, a week after exploit code was released?
long live http://www.packetstormsecurity.org
So does this mean that any non-official fixes need to be removed or re-registered?
SANS ISC recommends removing Ilfak Guilfanov’s patch (hexblog.com) and/or re-registering the shimgvw.dll *after* rebooting, installing Microsoft’s patch, and rebooting again…
http://isc.sans.org/diary.php?storyid=1019
BTW, the link “1” in the parent post is malformed.
from the FAQ….
[i]”How does the extended support for Windows 98, Windows 98 Second Edition, and Windows Millennium Edition affect the release of security updates for these operating systems?
For these versions of Windows, Microsoft will only release security updates for critical security issues. Non-critical security issues are not offered during this support period. For more information about the Microsoft Support Lifecycle policies for these operating systems, visit the following Web site”[/i]
ALSO…
[i]”Are Windows 98, Windows 98 Second Edition, or Windows Millennium Edition critically affected by one or more of the vulnerabilities that are addressed in this security bulletin?
No. Although Windows 98, Windows 98 Second Edition, and Windows Millennium Edition do contain the affected component, the vulnerability is not critical because an exploitable attack vector has not been identified that would yield a Critical severity rating for these versions.”[/i]
yeah right, it affects ALL versions of Windows.
But, the icing on the cake is this one…..
“Extended security update support for Microsoft Windows NT Workstation 4.0 Service Pack 6a and Windows 2000 Service Pack 2 ended on June 30, 2004. Extended security update support for Microsoft Windows NT Server 4.0 Service Pack 6a ended on December 31, 2004. Extended security update support for Microsoft Windows 2000 Service Pack 3 ended on June 30, 2005. I’m still using one of these operating systems, what should I do?
Windows NT Workstation 4.0 Service Pack 6a, Windows NT Server 4.0 Service Pack 6a, Windows 2000 Service Pack 2, and Windows 2000 Service Pack 3 have reached the end of their support life cycles. It should be a priority for customers who have these operating system versions to migrate to supported versions to prevent potential exposure to vulnerabilities.”
In layman’s terms… You guys are screwed unless you update.
Edited 2006-01-05 21:58
But, the icing on the cake is this one…..
“Extended security update support for Microsoft Windows NT Workstation 4.0 Service Pack 6a and Windows 2000 Service Pack 2 ended on June 30, 2004. Extended security update support for Microsoft Windows NT Server 4.0 Service Pack 6a ended on December 31, 2004. Extended security update support for Microsoft Windows 2000 Service Pack 3 ended on June 30, 2005. I’m still using one of these operating systems, what should I do?
Windows NT Workstation 4.0 Service Pack 6a, Windows NT Server 4.0 Service Pack 6a, Windows 2000 Service Pack 2, and Windows 2000 Service Pack 3 have reached the end of their support life cycles. It should be a priority for customers who have these operating system versions to migrate to supported versions to prevent potential exposure to vulnerabilities.”
In layman’s terms… You guys are screwed unless you update.
Well, yeah. Is it practical and reasonable to support an OS for more than 10 years? Not really.
For comparison purposes:
Redhat – 7 years – http://www.redhat.com/en_us/USA/rhel/
Novell – 5 years (+2 extended if you pay) – http://support.novell.com/lifecycle/index.jsp
Sun – 7-8 years (hard to tell) – http://www.sun.com/software/solaris/releases.xml
NT 4.0 has had a good run, time to move on. Not running SP4 on 2000? Update, it’s free. Using Win98? Patching is pointless, it’s not a secure OS anyways, move on for your own good.
Apple – 1 year (or until 10.n+1 comes out)?
Windows 2000 is 10 years old ?
how many businesses have you worked in? The majority of the ones I’ve seen have data centres running Windows 2000 SP2 or SP3. The logistics of upgrading 4000 computers at once is a nightmare.
However, that was not the point I was making.
The point was this…
Microsoft should fix exploits in ALL versions of software it produces. Not just ones it wants you to use.
Windows 2000 is 10 years old ?
No, NT 4.0 is. Like I said previously.
how many businesses have you worked in?
Many, as I’ve mostly consulted for Fortune 100 and 500 companies over the past 10 years. I currently work for MS PSS.
The majority of the ones I’ve seen have data centres running Windows 2000 SP2 or SP3. The logistics of upgrading 4000 computers at once is a nightmare.
Then they have lazy and inexperienced admins. Patch management of service packs is a fact of life. You can do it for free with WSUS, or pay out the pooper for larger scaled apps like SMS, Tivoli, Altiris, etc. The hard part is testing, but again, a fact of life. Deployment is trivial compared to the testing, but usually companies don’t have 4000 different kinds of images to worry about testing on.
Microsoft should fix exploits in ALL versions of software it produces. Not just ones it wants you to use.
You want patches for everything, but you want them yesterday. With this theory, you just increased testing for 2000 alone by 6 times. It’s simply not feasible. MS always supports N-1 for SP’s on an OS. In the case of 2000, it’s N-1 from the post SP4 rollup to SP4. Service Pack 4 has been out for 3 years – if you aren’t running it, you are not doing your job.
(Forgot to mention):
And I’d not be able to name any OS that creates updates for every possible permutation of patch level. There’s always a current baseline, with limited backporting.
To use the car analogy, if you are still driving a Model T in 2006, Ford is not going to give you a free replacement carburetor when yours finally breaks…
You really do not get it, do you?
Microsoft has a duty to provide support for its customers. These people bought Microsoft products and use Microsoft products. If they want to upgrade, it is up to the customers to do that.
If you want to talk analogies, think of this one…
You have a Ford Cortina Mk1, and you have a mechanic who only works with Cortinas. The car has been running sweet for 30 years, but suddenly, fuel will not pump. You contact Ford and they say “Piss off, buy a Galaxy, we only support cars that are under 3 years”
I think you would all get competitors cars after that.
BTW, don’t even bother trying to reply. I looked at your profile and you have had more posts taken down than put up, the mark of a troll, and all your posts sound like those of a shill.
Microsoft has a duty to provide support for its customers. These people bought Microsoft products and use Microsoft products. If they want to upgrade, it is up to the customers to do that.
It’s also up to the customers to realise that at a certain point, their configurations are no longer supported. The support schedule is well known and published, and MS’ cycle is one of the longest in the industry. There are plenty other companies where you’d be lucky to get free support beyond 1 year. At some point, you’re going to have to pay if you want continued support. This isn’t anything new or unusual.
Microsoft has a duty to provide support for its customers. These people bought Microsoft products and use Microsoft products. If they want to upgrade, it is up to the customers to do that.
Just Microsoft? As I’ve been consistent in pointing out in this thread, this sort of behavior is normal in all OS companies, and in fact MS is far more liberal than most. You just dislike MS, so that colors your replies. You had no comment on Redhat, Novell, or Sun supporting for only 5-7 years, nor that they also require baseline patching.
You have a Ford Cortina Mk1, and you have a mechanic who only works with Cortinas. The car has been running sweet for 30 years, but suddenly, fuel will not pump. You contact Ford and they say “Piss off, buy a Galaxy, we only support cars that are under 3 years”
I think you would all get competitors cars after that.
I don’t understand the analogy. Ford would say that, and they’d be right. Although most car makers continue to stock parts for 5 years or so.
BTW, don’t even bother trying to reply. I looked at your profile and you have had more posts taken down than put up, the mark of a troll, and all your posts sound like those of a shill.
From my profile:
Number of Comments: 20 (9 voted up, 3 voted down)
As a side note, I like how the rest of my previous statements I made in reply to you were ignored. 😉 If contradicting people in this discussion forum makes me a shill, guilty as charged. It would be pretty boring if we all agreed though… you know, like Slashbot…
How am I not surprised?
I’m GLAD that MS released the patch, a little late, but at least they are PARTIALLY ATTEMPTING to dig themselves out of the hole they are in. That’s assuming they care, which they SHOULD……..
I feel sad for all those people that can’t get patches lol
Raver31, I would vote your comment up, but I have no votes left
Thanks for the good information, I have yet to read any of the links due to time constraints ATM for me.
–ZaNkY
I don’t see how releasing a patch that affects 95% of the computing world, spread over different versions, a week after the vuln. is discovered, can be considered late.
Someone, please enlighten me.
Because response time should be measured in hours, not weeks. When over 100 variants of an unpatched exploit are out in the wild, and you still haven’t released a patch, then yeah, you are late.
I would love to see a Dev, QA, and release team release a patch to an operating system in a couple of hours.
I am sorry, this isn’t linux where you are QA and release team.
Correct. And that’s the problem apparently
A week is a week too late for anything this serious.
You had 2 different unofficial patches, from Ilfak and ESET that work flawlessly, the first one being released in a couple of hours, packed inside MSI so that it could easily be distributed via group policy.
You had at least one workaround (unregistering shimgvw.dll) that COMPLETELY mitigates this vulnerability.
You have several antiviruses reportedly (http://www.av-test.org) blocking EVERY exploit variant (206 known exploits were tested), and some of them are even FREE for home use (ClamAV even for corporate).
You have snort signatures (http://www.bleedingsnort.com/cgi-bin/viewcvs.cgi/sigs/CURRENT_EVENT…), and a known list of web sites distributing the exploits that every capable admin blocked access to.
Most e-mail clients (I use gmail) won’t even show images from unknown sources, and the only way to get infected is _manually_ visiting malicious XXX/warez site with exploit.
So tell me how is this “late”, when the bug isn’t even remotely exploitable without manual interaction. I just installed the MS hotfix and gdi32.dll has a timestamp of December 28th, which means that MS fixed this bug almost IMMEDIATELY, and the only thing that delayed it was the thorough testing it required in the lab.
Windows core components are not Firefox 1.0.x, when new versions were built just to get around broken extensions. What would you tell your customers if Mozilla broke some APIs your mission-critical application required?
Microsoft has the right balance between security and reliability it guarantees to its customers. This WMF flaw is nothing serious, just a media-overhyped minor bug that came in an unfortunate time of holidays when IT news are generally lacking. You see no high-profile worm propagating with this bug, because it is nothing serious.
This WMF flaw is nothing serious, just a media-overhyped minor bug that came in an unfortunate time of holidays when IT news are generally lacking.
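The post above points at the AV vendors and the Bleeding Snort signatures that were catching the exploit variants before the official patch. As an added illustration (not code from Microsoft, SANS, the AV vendors or the third-party patch authors) the script below walks the record list of a WMF file and flags META_ESCAPE records that request the SETABORTPROC escape (escape code 9), which is the record the public exploit variants relied on to get gdi32 to call attacker-supplied bytes. The two sample metafiles are constructed in the script itself and contain no real exploit; the record-count and offset values are therefore illustrative. One caveat a scanner author would want: gdi32 played back metafiles leniently, so a file whose record sizes do not add up should be treated as suspicious rather than as clean.

```python
"""Flag WMF META_ESCAPE/SETABORTPROC records (the vector the WMF exploit
variants used).  Added example for this thread; the sample metafiles below
are constructed, not captured from the wild."""
import struct

META_ESCAPE = 0x0626        # WMF record function for Escape()
SETABORTPROC = 0x0009       # escape code that registers an "abort" callback
PLACEABLE_MAGIC = 0x9AC6CDD7


def wmf_records(data: bytes):
    """Yield (offset, function, params) for each record in a WMF blob."""
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        off = 22  # Aldus placeable header precedes the standard header
    if len(data) < off + 18:
        raise ValueError("truncated WMF header")
    mtype, hdr_size = struct.unpack_from("<HH", data, off)
    if mtype not in (1, 2) or hdr_size != 9:
        raise ValueError("not a WMF header")
    off += hdr_size * 2
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        rec_len = size_words * 2
        if rec_len < 6 or off + rec_len > len(data):
            # Malformed size: stop here.  gdi32 kept playing such files,
            # so a real scanner should report this rather than say "clean".
            break
        yield off, func, data[off + 6:off + rec_len]
        if func == 0:  # META_EOF
            break
        off += rec_len


def find_setabortproc(data: bytes):
    """Return offsets of META_ESCAPE records whose escape code is SETABORTPROC."""
    hits = []
    for off, func, params in wmf_records(data):
        if func == META_ESCAPE and len(params) >= 2:
            esc = struct.unpack_from("<H", params, 0)[0]
            if esc == SETABORTPROC:
                hits.append(off)
    return hits


# ---- constructed sample metafiles (no real exploit bytes) -------------------
def _record(func, params=b""):
    body = struct.pack("<H", func) + params          # params must be word-aligned
    return struct.pack("<I", (4 + len(body)) // 2) + body


def _placeable():
    # magic, handle, bbox (left, top, right, bottom), inch, reserved, checksum
    # (checksum is not validated by this parser; a strict one would XOR the words)
    return struct.pack("<IHhhhhHIH", PLACEABLE_MAGIC, 0, 0, 0, 100, 100, 96, 0, 0)


def _wmf(records, placeable=False):
    body = b"".join(records)
    max_rec = max(len(r) for r in records) // 2
    # type=1 (memory metafile), header size 9 words, version 0x300, sizes in words
    hdr = struct.pack("<HHHIHIH", 1, 9, 0x300, (18 + len(body)) // 2, 0, max_rec, 0)
    return (_placeable() if placeable else b"") + hdr + body


_RECT = _record(0x041B, struct.pack("<hhhh", 50, 50, 0, 0))                # META_RECTANGLE
_COMMENT = _record(META_ESCAPE, struct.pack("<HH", 0x000F, 4) + b"note")  # MFCOMMENT escape, benign
_ABORT = _record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + b"\xcc" * 4)
_EOF = _record(0x0000)

BENIGN_WMF = _wmf([_RECT, _COMMENT, _EOF])
SUSPICIOUS_WMF = _wmf([_RECT, _ABORT, _EOF], placeable=True)

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_WMF), ("suspicious", SUSPICIOUS_WMF)):
        print(name, find_setabortproc(blob))
```

The benign sample carries an Escape record too (an MFCOMMENT), so the check keys on the escape code inside the record rather than on the mere presence of META_ESCAPE; a signature that only matched the 0x0626 function word would false-positive on ordinary clip art.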
hmm…
* the flaw allows remote execution of code
* windows has several known unfixed privilege escalation vulnerabilities ( http://secunia.com/advisories/11633/ for example)
how can this be “overhyped”? even most “careful” users can have their system completely compromised by this bug…
It’s interesting to note that PivX, the security company with Thor Larholm that became infamous for their huge ‘Still unpatched IE vulnerablities’ page a few years ago, created preEmpt (formerly called Qwik-fix) which blocked all vectors of the WMF vulnerabilities with their auto-update to preEmpt clients on December 7th. I haven’t heard/read about the update breaking any WMF related functionality.
To me at least, it’s a point in itself that there exist 3rd party patches before Microsoft themselves are able to make one. Then they’re late.
./nalle.
Ok then please do us a favor and don’t use windows. Thanks now and pretty please piss off
BTW 3rd party patch developer himself said, his patch is a work around. He was just patching the API instead of proper solution.
Ok then please do us a favor and don’t use windows. Thanks now and pretty please piss off
And you, young man, ought to learn how to reply in decent manner
I consider the whole charade extremely hilarious. Microsoft this, Microsoft that, please don’t use 3rd party fix, we won’t release before a couple of weeks, ooh geez we leaked our fix, hey dudes we released our fix…
Duuuh… PR amateurs
Think of all the poor souls who “see no patch”, much like it was with Sasser et al. Many people may be unaware of the threat.
That is so true, I plan on going around tomorrow to various people I meet during the course of my day and ask them: So what do you think about WMF?
See how many people will have a clue…..lol
and Thom:
I don’t know exactly how long the vuln has been “known”, but lets say one week.
7 * 24 = 168 hours
It takes probably an hour to write up a patch for this vuln. Please don’t flame me for saying ONE hour. I’m sure it could be done in that time considering all the “unofficial” patches that have popped up and all those instructions to unregister a dll and stuff like that….doesn’t seem hard to me…. But let’s give MS the benefit of the doubt and say it takes longer.
bottom line is that the patch can be written in a day. Especially considering how critical it is and the “potential” for damage. next? TeStInG. How long can that possibly take? I would go as bold to say again a couple hours, possibly a whole day.
So we’re looking at 2 days to write a patch, test it, and then distribute it. And do so on the first available moment (not next Tuesday! ). 2 days = 48 hours. There’s 120 hours left there….
This is all considering that A multi-billion (perhaps trillion) dollar company, with near endless resources and motivation, who LOVES their customers and wants only to do good is involved.
If you notice, the first ones above apply to MS, but they get bleaker and bleaker
To sum up, Thom: 1 week to write a patch for a vuln is ok. 1 week to write a CRITICAL patch that has near invincibility and affects nearly the entire world (sadly)? NOT OK.
–ZaNkY
There are more factors.
First, they must decide on what is actually the best method for how to fix this flaw. All that must go through bureaucracy (it’s a big company). Then, they actually do the fixing. Then comes the hard part. Testing.
They must make sure that their new patch breaks absolutely NOTHING. Imagine the damage if suddenly nobody could use Office anymore because the patch somehow affects Office? Or any of the other gazillion applications companies and individuals depend on each day? Do you really think they can test that in a few hours?
Look, I’m not saying that it can’t be faster– all I’m saying is that MS has to take a lot more possible user scenarios into account because they supply 95% of the computing world, instead of just a few percentages (very simply put).
They must make sure that their new patch breaks absolutely NOTHING. Imagine the damage if suddenly nobody could use Office anymore because the patch somehow affects Office? Or any of the other gazillion applications companies and individuals depend on each day? Do you really think they can test that in a few hours?
Would you rather Office and your other applications stopped working because of an early MS patch, or because your machines were compromised?
Convenience (like easy-to-guess passwords, not challenging the person walking in the door behind you, or relying on the hope that you won’t be infected before a patch is issued so that your apps don’t break) seems to be the greatest enemy to security measures.
Would you rather Office and your other applications stopped working because of an early MS patch, or because your machines were compromised?
If your business depended on Office (your internal apps use it as a backend, for example), you’d do better with a patch that works instead of one that shuts down your business. Most corporate networks have AV and other services that already provided a level of mitigation for the WMF issue anyway. Plus most corporate users run as standard users.
In your idyllic situation, the patch would probably be exploited as fast as it was released. Allowing a day for testing would imply that the code was written perfect the first time and there were no errors or bugs while the patch was being written. In the world of coding I live in, undertesting causes most of my problems.
A week is a quick turn around for a situation as critical as this in an environment as complex as Windows.
“It takes probably an hour to write up a patch for this vuln.”
Ok, I’m not fond of the long wait either, but consider this:
Microsoft has been around for a long time, their operating system too. It’s fair to assume that they use code from at least as far back as the 90’s, more likely some time in the late 80’s for some parts of their software. That’s code reuse for you, it’s a good time saver and it makes sense to keep the code if it works rather than waste time replacing it (and if bugs are found later that doesn’t mean all the code needs to be scrapped, just fixed). Now Microsoft has had employees come and go from the company since then, no doubt most of the ones working on the really old code aren’t around any more, and if they are do you really think they’ll remember something from five years ago, nevermind a decade or more ago? They would have a general idea based on what part of the OS is affected where the vulnerability is, but it would still take time to search through all that source code to find out where exactly they need to make their changes, and whether or not those changes would fix the problem entirely, or whether someone could find a way to get around those changes. So do you still think one hour is a good estimate? I’d figure they’d need a couple at least just to get the code fixed up, and then I’d give them a day or two to get it compiled and tested to make sure it’s safe for the public before they release it. A week may be a bit much, but a day or two isn’t unreasonable when you have a company with very old code and only so many employees who can be dedicated to the task of fixing bugs and security holes.
I don’t know exactly how long the vuln has been “known”, but lets say one week.
i’ve known about it since i was in high school, but it wasn’t quite as serious back then because the windows picture and fax viewer didn’t exist and everyone was still using netscape 4… of course no one expected anything bad to happen from opening an ms word document (which can contain embedded wmf images), so i was still able to play a few hilarious practical jokes on a couple of my friends…
don’t forget all the other languages that are supported.
They _also_ have to be tested. That takes a bit longer than your 2 days.
cheers
anyweb
Multiple languages shouldn’t affect the time to get the patch ready, as development and testing of different languages could be done in parallel.
By the way, some tests to show that the patch doesn’t break any needed functionality should already be written, assuming that the software was tested during its original development process.
By the way, some tests to show that the patch doesn’t break any needed functionality should already be written, assuming that the software was tested during its original development process.
What are you? a moron? This software had a design flaw and the feature exposed by WMF could be exploited. If you remove that feature aka bad design aka bug, what if there are some apps that are relying on it in some obscure manner?
And there you go again, being rude and all… so sad.
How do I install this patch on Linux? Is there an RPM out yet?
That’s the good news. The bad news is it did take a couple of third party patches plus a leak of their own to kick them in the ass. Still, at least we know now how to speed things up in Redmond in the future. It’s nice to know that MS can be encouraged to move faster.
Mike Nash on the Security Update for the WMF Vulnerability
http://blogs.technet.com/msrc/archive/2006/01/05/416980.aspx
“[…] actually creating the update was a straight forward process. The challenge was testing the update on all of the supported versions of Windows and the 23 languages we support and making sure that the set of applications that might be effected by this update are not negatively affected by this change.”
it is AFFECTED, not EFFECTED.
Thing1 is AFFECTED by thing2…
Thing2 has an EFFECT on Thing1…
sheesh
A vulnerability as serious as this and as widespread as windows is, one week to produce a cleanly working patch isn’t all that bad.
Considering in the history of the Windows Os there were some vulnerabilities that were never resolved but only had workarounds.
Makes me wonder if the “leak” was an unofficial testbed.
And it also proves that Microsoft is going to open-source Windows XP once Vista ships.
//In laymans terms… You guys are screwed unless you update.//
WRONG. You’re screwed if:
You’re a dumbass computer user, and click on anything that pops up on your screen.
Careful PC use easily circumvents this, and myriad other “massive security holes.” It’s all anti-MS hype.
have you been paying attention at all?
this vuln requires NO user intervention at all
yeah, you just have to visit a web site that has the exploit on it.
it does not even have to be a porn/warez site, it could be any site, even this one.
Microsoft themselves said that the exploit is against ALL versions of Windows and the user needs to do nothing.
That guy is so pro-microsoft he has not got a clue
Actually this flaw is serious, so serious that even I myself downloaded this MS patch – has never happened before (I don’t talk about normal updates, just about downloading/installing specific security fixes).
Why? Two main reasons:
* because this is one of the very few vulnerabilities, which can affect any user despite his knowledge about security, his surfing habits, his favourite browser/mailer, his firewall and other security measures etc etc;
* because this flaw affects Win core component – GDI32 and thereby can (possibly?) run code in kernel space or at least at very high privilege level.
About testing such a patch – one week is IMHO a very good result. 3rd party patches don’t need thorough testing; patch authors are not responsible for breaking any dependent applications or system components. Microsoft is; and on GDI32 depend … all GUI applications, no less.
Of course tests can be run in parallel, probably they did so. Unfortunately even one full testing pass may take days – I hope that Microsoft has developed a very thorough testing system. (Testing against bugs of course, testing against unknown vulnerabilities is generally not possible.)