Trustworthy Computing

Anonymous Coward writes "This is a first: the Internet Storm Center is recommending trustworthy computing. They want you to trust that the unofficial patch for the Windows Metafile Volunerability that is currently being exploited by an IM worm. No patch from Microsoft at this time, and the exploit is arranged in such a manner that it cannot be detected by most intrusion detection systems (the snort rule will peg the CPU on your router) nor filtered by packet-inspecting firewalls (it spans two or more ethernet frames). Not really a whole lot of choice about this one."

Some won't

As it says in the article, some people in the corporate world won't do it if the patch didn't come from MS. It's sad, really. If I had an exploitable machine around, I would trust their patch.

Re:Is it just me

It's a thing called sarcasm. MS are the ones pushing "trustworthy computing" but are showing that at a time like this, they can't be trusted to do the right thing.

Re:Is it just me

You are absolutely correct, sir. This aricle has absolutely nothing to do with "trustworthy computing," (aside from the use of the word "trust"). It is perhaps interesting that the headline was enough to persuade me to read the summary, and click the link to the story. Maybe, in some strange way, they're demonstrating how the exploit works.

Re:Some won't

If you'd have followed your own suggestion, you'd know that for as far as the current IM worm goes, the workaround works perfectly fine.

What is more, re-registering the dll by some bit of software is a possibility, but for this to happen without action from the user, there needs to be another vulnerability that allows running the code to do this (or another way to access this specific vulnerability). If there is another vulnerability then the hotfix won't make you safe, The hotfix does work and provide some extra protection but only for the cases where this specific vulnerability can be exploited through a different path (that does not use shimgvw.dll).

Re:Some won't

They recomend both deregistering and applying the 3rd party patch, if some 3rd party application loads the DLL directly, unregistering it won't help.

I'm a trusting person, and if ISC, and Fsecure's lab both recomend it, I don't mind applying it, I'd trust there code more than MS's :)

Its not a DLL -its Windows, and its a feature

F-Secure has more on it: http://www.f-secure.com/weblog/#00000761 [f-secure.com]

Windows Metafiles are a file representation of drawing commands. They are more flexible than bitmaps and get used quite a lot in things like for caching images of every OLE object embedded inside a MS word or powerpoint document. There just happens to be one operation to set a callback when a printing aborts which can be saved to a WMF file, which, when followed by something to abort the rendering, lets you jump to the nominated location.

This back door is built into windows from version 3.0 onwards. Any app that displays WMF images from untrusted sources (lotus notes, maybe msword, even google desktop search) is vulnerable. This is potentially code red for the desktop.

I have the patch on all my systems, the author works for IDA, the debugger tool, and is well respected. I dont care whether IT central will push it out or not; I think they ought to before the back to work/school event causes major worm attacks using it. It will be pretty embarrassing for microsoft though -a third-party emergency fix for windows, in the same year that Vista, "Windows Secured" is due to ship.

Re:Its not a DLL -its Windows, and its a feature

Is it just me, or is the Slashdot "unofficial patch" link at the top absolutely useless?

After banging around the SANS site for a good 15 minutes, I *finally* found WHERE YOU CAN DOWNLOAD THE PATCH from:

http://isc.sans.org/diary.php?storyid=999 [sans.org]
http://isc.sans.org/diary.php?storyid=1004 [sans.org]

Re:Pushing the patch via Zenworks/SMS/Tivoli???

The fix can be applied in the automatic mode using the following command line:

wmffix_hexblog13.exe /VERYSILENT /SUPPRESSMSGBOXES

These switches do not suppress dialog boxes about installation errors.
The /LOG="file" switch can be added to the command line to create a log file.


[from http://www.hexblog.com/2005/12/wmf_vuln.html [hexblog.com] ]

There's a MSI version in the works as well.

Deploying to many machines is hard

I'm the author of the hotfix and one could expect me to say 'yes, please go ahead and install it on your corporate network with thousands of machines'.

But I won't say that.

First of all deploying any software on a large network is a serious task. It should be carefully planned and performed with the correct (read: responsible) approach.

The hotfix must be tested on as many machines as possible. Possible negative consequences must be determined and decided upon if they are acceptable or not.

In short, more rigorous testing is required.

-------
Ilfak Guilfanov, the author of the hotfix

Re:Deploying to many machines is hard

What you have said should be SOP for any fix on any large network. Even vendors can get it wrong, so testing is always important.

Over/Under

What is the over/under for Microsoft getting a patch out for this?

If there is a time to deviate from their monthly patch cycle, this is it. The patch should have been out days ago, yet we are still waiting.

And Microsoft wonders why no one takes their security promises seriously.

Re:Holidays!

Sure, people needs lives (e.g., vacation, time off, etc.).

And so do those who work as network administrator etc..

I can tell you that many a company that takes internal security seriously has had people working on this over the last weekend to make sure they are as safe as can be when everyone starts working today.

MS could have had a few employees working on this during the hollidays, get it properly fixed, and have an update installed with windows update.. as it is, they got a few thousand people working on implementing workarounds and unofficial fixes instead. Lots of extra work that has to be undone when the official fix is there.

Re:Over/Under

It's probably a hard problem to patch. From what I've gathered, this is a feature of WMFs, not a bug. They were designed before people even knew what the Internet was. WMFs, apparently, have the ability to specify code to be run on a failure to render. So the bad guys give you a bad WMF file, cleverly renamed as JPG, and stick it in an ad banner. You browse a site (with any browser), Windows fails to render the WMF (which it will recognize even if the filename says JPG), runs the specified failure code, and you're hacked. That fast.

Changing code that's this deeply buried in Windows is risky. The interpreter for WMF is one of the remnants of code left over from single-user computers, and they'll have to test changes very thoroughly. They're GOING to break things with this patch, because they're removing a designed-in feature. They're probably working feverishly to figure out how to minimize the damage, but some damage is inevitable. And the problem could be far worse than it appears; that DLL could be riddled with problems. It may not have been audited in many years.

This is yet another example of how you can't retrofit security; the first Windows versions were designed when security wasn't even an issue, when the Internet was barely a twinkle in Al Gore's eye. There's a mountain of code that was written just to work, not to worry about being handed malicious data. If a user passed bad values to a system call and it crashed, oh well. It was their fault for doing it. It's not like they had anything to gain from it, after all. They owned the computer. Why on earth would the computer need to protect itself from its owner?

With the advent of the Net, Microsoft decided to both stay backward-compatible and extend what they had onto the Internet. And their focus for many years was on new features, not security. Essentially every security person at the time warned them -- stridently -- against the choices they were making. It was obviously going to be a trainwreck. This is just the latest in that ongoing collision between a single-user operating system and exposure to every computer in the world.

This particular exploit is BY FAR the worst one yet...even very competent administrators, doing everything exactly as they should, can get nailed by this one. As bad as this is, though, it's not like they're going to stop here.

Trying to retrofit security onto the Win3.1/Win95 model is like trying to use scotch tape to make cheesecloth waterproof. No matter how much tape you use, even if it's a lot more tape than cloth, it will ALWAYS leak. It might hold water for a bit, but leaks will constantly spring up. They've added tremendous functionality in the NT/2k/XP kernels which can limit what users can do and limit the possible scope of compromises, but many many programs (especially games) require administrator privs just to run. So most people run as Administrator even though they shouldn't. And that makes hacks like this one very easy and *extremely* damaging.

Hopefully Microsoft will get a patch out fast.... they certainly must understand how overwhelmingly bad this problem is. The fact that they're reacting slowly is likely an indication that it's hard to fix.

can't remove the callback feature

The WMF file is really a list of Windows drawing functions to call, along with their parameters.

Guess what else uses this.

There are in-memory and on-disk WMF files. Some are used by apps for repainting the screen. Some are used by apps for printing; Windows printing is based on the WMF. You want error handling with printing, right?

Now, I'm not saying how to fix this unless Microsoft shares some cold hard cash with me, but there are reasonable solutions. It's just not as simple as patching out the feature.

Re:can't remove the callback feature

It doesn't look all that obsolete in Microsoft's documentation.

CERT may think the function is obsolete, but that doesn't mean
that apps no longer depend on it. Stuff breaks if you go ripping
pieces out of an ABI. Somebody's critical business app might
even depend on the function.

Re:Over/Under

One wonders how long MicroSoft themselves have known about this one. Despite them being "The Incompetent Company", they do have a lot of very competent software people working for them. I'd be willing to bet some money that some of those have identified this particular flaw some time ago already but that, after looking at the consequences of fixing it properly, the company decided to hope that nobody would notice until they finally get around to publicly breaking backward compatibility.

With stuff like this in their closet, one surely can understand at least to some extent why they advocate closed source. The feature in question is likely well documented, and thus reasonably "open", but the idea of what might happen if crackers get access to all the non-safe zombie code that dates from their pre-history truly must horrify them.

Wiki

Some wikis probably don't check file content.

Wikipedia tries to block stuff like this, but I don't think it is all that reliable. They just use the UNIX file command to see if a file matches the file extension.

WMF files start with 0x01 0x00, are are unrecognized by the file command.

JPEG starts with 0xff, so that won't do. Well, there are other formats to try.

Re:Over/Under

Dude, I think I'm older than you--I remember when my job first gave me a 2400 baud modem, and at the time thinking ruefully of all the time I had wasted with 300 baud modems. I still have a Codex 2264 modem (It's the size of a shoebox, has a three prong plug and a fan, and seems to be immortal).

As to your contention that microsoft gets a pass because nobody thought of security back "then", I'll take "then" to be the 10 years immediately prior to the release of Windows 3.0. Multi-user PCs were a well-known concept to every student who's done work in the general-population 'computer lab'. Remember Banyan, Appletalk, Netware (you mentioned it)? They may not have been Microsoft products, but they were ubiquitous. Unix workstations (Apollo, Sun, Microvax, etc.) were in very common use among engineers and product designers, and they all were networked. (of course, most unixes and VMS versions were very hackable, but that was part of the fun)

What's more, there were thousands of anti-mal-ware software products for MS-DOS, some samples here. [llnl.gov] The virus vector was BBS downloads and floppy disks rather than open port attacks or browser overruns, but the concept of attacking PCs was already well known. So, no, Microsoft does not "get a pass" for a security problem that nobody could have predicted (sarcasm). They made conscious choices to de-emphasize and ignore security in order to maintain market share at all costs. The economics proved them correct, so far, but they still should carry the blame for those choices.

Shame

It'd be nice to have a computer that I can use the patch on.. Maybe I can Wine it?

Sometimes I think they do it on purpose

Sometimes, I really start to think that security is so poor in commercial operating systems, because they want to use protection from all these exploits as the bait to get us into the "trusted computing" cage.

Trusted computing is a farce, because the one thing that *isn't* trusted, is the user.

Well the truth is....

..that if we all were running "trustworthy" computers, this problem would be much, much worse than it is now. Imagine that now instead of having a patch that's already been made by someone else while we sit and wait for Microsoft to get off their asses, we now have to wait on Microsoft, who still hasn't shown up.

Instead of having *some* machines patched, we'd have none. This late after the exploit has been released, and a zero-day attack has happened, we'd see no respite.

If you try to argue that Trustworthy computers wouldn't allow this to be exploited, what if the trustworthy compontent itself was exploited? As the Xbox and soon the Xbox 360 have shown, the more complex the hardware, the more complicated the bugs are. Microsoft's betting that the hardware complexity can outgrow the programmer's abilities to crack it, but if there's any truth in the world, it's that if it can be engineered, it can be destroyed. So imagine if this virus was actually signed by Microsoft through the exploit. How would this look for their company? How can you save face from a disaster like that?

No, trusted computers aren't the answer, just more secure computers, with better code. And the fact of the matter is, the more eyes that are on the code, the better it is, and that's why Open Source will always succeed. No amount of cryptography will help you if there's a hole in your crypto system.

Re:Well the truth is....

There's no "if" about it. The vulnerable component is a genuine Microsoft DLL, shipped as part of Windows, intended to render an official Windows file format. If you were running a "Trusted"(tm) PC, this DLL would 0WNZ0R you with no way out.

You have it backwards. If you were running a DRM'd PC, this DLL would allow you to retake your own computer.

Remember, security flaws are only bad when security is protecting you. DRM protects Disney against you, so any hole in a DRM'd computers security makes it more, not less, valuable to its owner.

Maybe, in ten years time when only DRM'd computers are legal to buy, and attempt to install anything but Windows Whatever into them is a crime punishable by death, we will yet end up praising Microsofts total incompetence with anything resembling security.

Your TPM software might refuse to run

In some DRM scenarios, the TPM chip is also used to prove to your software that the OS has not been modified. Unless you have the skills to hack that software, your bought and paid for TPM programs may refuse to work any longer.

A much tougher case would be the "rely on others" programs where you have to prove to an external instance that your system has not been hacked. Take the "death to game cheaters" implementations as an example:
Want to fix your vulnerable Windows with a non-official patch?
World Of Warcraft II won't let you play anymore ;)

I also don't believe this is temporary. Except in the sense that TPM might be (hopefully!) a colossal failure in the market. And considering the current vulnerability, this looks like more than a slight theoretical risk to me.

Re:Well the truth is....

Huh? I am not aware of any current implementations of "trustworthy computing" that would prevent you applying this sort of patch. The TPM chip and the like simply let you prove things about the configuration of your computer to other computers (and lock data to a particular machine) - by all means, go wild, do whatever you want to your own computer. Just don't expect to then be able to lie about it to others. If you then rely on others for various things who refuse to trust you because you're loading patch DLLs into every process then you may have a problem yes, but this is only temporary and the benign applications of such a technology (death to game cheaters!) IMHO outweigh the very slight theoretical risks.

So let's say I'm JoeISP. Hi JoeISP you might say, I'd laugh and go about my business. Some nasty cruel internet underdwellers would go about writing their programs as they do today, and start delivering their payloads to people over my network. I can't really stop them from doing this; there's simply too much data that goes through my network to look at every packet and assure that the content isn't executable or worse, a virus. I can take some countermeasures, but not to many. Nope, it's the end users who have to be trusted.

So over there is Miss Jane. She loves the internet, and her newly bought Laptop from Dell with a pretty new TPM chip in it. She's a customer as JoeISP, and I love her for it, she pays me a pretty penny a month she could be getting for free if her neighbor would share his wireless access point, but sadly for Jane, her computer doesn't detect that his WAP has a TPM chip, and her operating system says to her that even if the network weren't protected by WPA2, she still wouldn't be allowed to connect to it because it isn't a Trusted connection. She shrugs it off.

So, Jane goes about checking her email when she sees a really funny picture her aunt sent her. Oh boy that's funny she said, and she saves the picture on her desktop so she can look at it later, or maybe even send it to a friend! But what's this? Her computer suddenly locks up tighter than a steel drum and a little popup tells her that "Windows Trusted Computing has detected unauthorized code in memory, and will not allow it to be executed." But she wants to save the image! She dismisses the popup, and saves it again, same message.

She is disheartened and goes to Trusted Go^W Microsoft Search to find an answer. Turns out, lots of people have been having this same exact problem, and nobody knows why. Some guy with a pocket protector and glasses tell them to reboot their computers, go into their BIOS and turn off TPM protection, and she does.

Now when she gets back on the Internet (this of course, assuming that she can, more on this in a minute), she saves the picture and poof, she's now got the exploit running on her machine. Her virus protector (assuming she has one) goes haywire! Of course, Windows File Protection make certain that she can't easily select the file and delete it, after all, it is a running executable now. (Or, even if WFP *did* allow it, most viruses these days are smart enough to break virus protectors in a way that they can't remove the virus on their own, even if their data files are up to date).

She's smarter than your average bear, however, and is able to go to another computer and get back on the internet. She finds a patch for the bug, and a clean up tool that allows her to remove the code from the image. "Goodie" she thinks.

She goes back to the other machine, fixes the DLL, turns back on TPM, and goes to get on the internet.

My ISP (remember me, JoeISP?) instantly alerts an error. Someone has connected to our network with TPM on, but has modified their files! Our policy is not to let those people on our network at all, since that's what Microsoft told us to do. So we block her MAC and continue about our day. She calls in later, furious that she can't get the Internet to work in her house anymore. Any attempts to quell her ar

Trustworthy Computing != Trusted Computing

There seems to be a lot of confusion in this thread regarding these two terms. It isn't that surprising, since they are both purposely misleading, but still.

"Trustworthy computing" is Microsoft's bullshit name for their so-called initiative to start taking security seriously. It was under this banner that Bill sent all his coders to secure coding seminars so they could learn what a buffer overflow is. The article is ironic in its title: that Microsoft have failed to find such a glaring issue as a native image format that purposely allows images to execute arbitrary code, and that they have not offered a patch even now when exploits are in the wild since almost a week, shows how trustworthy they really are.

"Trusted computing", on the other hand, is the bullshit name for a nefarious scheme involving hardware and software whereby control over PCs should be taken out of the hands of their owners, and given to the software and hardware vendors. This is sometimes claimed to be about security, but is actually motivated by DRM and DRM only (the name is short for "Trusted Client Computing" and comes from the ability of DRM vendors to trust that your computer, the client, will obey their directions).

The people pushing "trusted computing" are actually not so much Microsoft as Intel and IBM: Microsoft completely support the concept of trying to put the freely programmable computer back in the bottle, but they have had their own ideas about implementation (their version was first called "Palladium", but when they realized that it is bad to have a recognizable name for something customers actually don't want it was renamed "Next Generation Secure Computing Base" and after that it was renamed to nothing at all so they can be snuck into the coming versions of Windows without people noticing.) // oskar

Re:SPI Aren't meant for this type of filtering...

FTFA

* Should I just block all .WMF images?

This may help, but it is not sufficient. WMF files are recognized by a special header and the extension is not needed. The files could arrive using any extension, or embeded in Word or other documents.

It goes without saying

FTA:
You cannot wait for the official MS patch, you cannot block this one at the border, and you cannot leave your systems unprotected.

This has always been the case with Windows, if I'm not mistaken.

Shows how much MS cares for its customers.

How many late nights, allnighters, and missed holidays have you experienced, thanks to things like ILOVEYOU and Slammer? How many times have you had to clean up the mess created by Microsoft's shitty, unsecure software?

Clearly Microsoft wasn't interested in calling people in over the holidays to whip up a patch for this critical vulnerability-- something that you could go in a couple hours early tomorrow and roll out to the PCs in your organization. They're going to let you suffer. And why should they care? They've already got the money of the company you work for. People are going to return from their holiday vacations tomorrow, load the wrong web page in IE, and get pwned. And you'll be left to clean up the mess. Again. Better pack an extra sandwich with your lunch tomorrow, because you probably won't be getting out at 5.

Programmers?

Windows have produced a datatype that allows people to place executable code into image files? How can they call themselves programmers. Seriously whoever engineered the WMF format should be ashamed.

Re:Programmers?

There is not an 'EXEC' segement type in the metadata specification itself, if you will.

In the internet age, it's hard to believe, but in fact, yes, there is [f-secure.com]. This isn't a buffer overflow exploit; this is actually the way metafiles were intended to work. AC makes the same point a bit more rudely.

Re:Programmers?

If this *were* a stack overflow, you'd have a good point.

However, the WMF format allows you to embed a code in it that basically says "when you've finished drawing this, call the function at this address to execute it". The reason that this exists is that WMF was not originally intended to be a file format. It was intended to allow Windows applications to record the steps necessary to draw an object, so they could do it again later (presumably using less processing at that point because everything's precalculated).

Re:Programmers?

Obviously you know nothing about CPU architecture. Like the designers of the x86 series, you think you have to invent the wheel from scratch, when so many better wheel-designers have already done the job for you.

An 'arbitrary jump' is fine inside your own address-space, so long as you jump to storage you own, AND you have requested, AND have the 'key' to, AND is marked 'executable' in your current key/ring.

Jeeze! The mainframe guys had this figured out decades ago.

Don't trust the coder first - trust the computer architect first!

I deployed it

Today was supposed to be my fifth vacation day this christmas.
I've had two; and decided to come in to the office today to make sure we were patched up against the exploit.

Yes, I took the plunge.
The patch is now deployed in our small office (30 windows PCs atm); and so far so good.
Would I have felt safer if the sourcecode was released? Perhaps.

That said, I'd rather take the ISC's word on the fix than have a guaranteed hell within a couple of days.
The dedication of the people involved with ISC, as well as that of Mr. Guilfanov brightened my start of the new year.

Kudos, people.

Re:I deployed it

Would I have felt safer if the sourcecode was released? Perhaps.

But the source code is released, too . The installation package should have copied it into the "WindowsMetafileFix" folder under the "Program Files" folder.

Re:TFA conclusion is BS

Don't open e-mail from senders you don't recognize.

What would this accompolish? Since around 1999 or 2000, the vast majority of viruses and trojans have grabbed all the email addresses in someone inbox, address book, etc. and sent themselves out using a random return address from this list. There is a good bet that any virus/trojan you get will have a known return address in it, however it is just as good a bet that it will not be the address of the person infected.

Geeze, here it is 2006 and people still think that the return address in unsigned email means ANYTHING.

And if you are in a coporate setting and the Network Admin hasn't blocked IM, you've already got bigger problems to worry about.

It really seems sad that the norm is to block reasonable communication tools (I use IM almost exclusively for work related communication) simply because corporate America is infatuated with Microsoft despite the massive security headaches they cause.

Off topic, I'm really getting annoyed with Microsoft admins where I work constantly complaining about IE problems. I'm starting to ask these people how many times they had to put their hand on a hot stove when they were children before they decided it was a bad idea. Is pattern recognition a skill that we as a society just no longer have?

Finkployd

Haha!

Saturday's word was "transferbangle." Today's word is "volunerability." I wonder what tomorrow's word will be!

Shame on Hemos

No flamebait intended, but that's a typical sensationalist misleading Slashdot headline. Noone's advocating "trusted computing" or similar initiatives here; all they do is saying "here's an unofficial fix, and we'd like to recommend even though it *is* unofficial, considering the seriousness of the vulnerability and also considering it was written by a reputable windows expert, namely Ilfak Guilfanov (author of IDA Pro)".

And for that matter, there's no mention of "the Snort rules will hog your router's CPU", either - that's total rubbish, probably made up by the article submitter. And it slipped, too, since the Slashdot "editors" never care to actually edit stories before they publish them.

Shame on you, Hemos!

Get the joke, will travel...

So we have to explain the joke again:
The title comes from the original note in the Handler's Diary [sans.org]. You see, it creates a mental tension between "Trustworth Computing", the lack of an official patch and ISC's "Please, trust us". It makes some readers smile.

Re:Shame on Hemos

There should've been a link to this: [sans.org]

There is one important note in regards to ALL published signatures including this one. All these signatures will fail to detect the exploits when the http_inspect preprocessor is enabled with default settings. By default, the flow_depth of the preprocessor is 300 which is too short to cover the whole exploit. Should the exploit be transmitted on port 80 and http_inspect is enabled, no alert will occur. Note that it will still alert on any ports (using the all port sig below) that are not configured in http_inspect (ie FTP).

One solution is to add the statement "flow_depth 0" to the http_inspect preprocessor (actually the appropriate http_inspect_server line in the config). This will tell the preprocessor not to truncate the reassembled pseudo-packet, but it will have an adverse impact on performance. On busy networks, this will lead to 100% CPU utilization of the Snort process and major packet drops.

And you should've checked before saying it was all made up.

Talking of 'Trustworthy Computing'

I love the way the story starts 'Anonymous Coward writes', with an email address link to the author.

o.O

They want you to trust that the unofficial patch for the Windows Metafile Volunerability that is currently being exploited by an IM worm.

OK, tell me how that sentence is supposed to make sense. Come on :|.

Re:Why do folks still use Windows?

What is the calculation that Windows users -- esp. businesses -- make that allows them to keep on using Windows?

I usually stay out of the Windows/Linux/Mac arguments, but I'm afraid you just don't understand my world.

I work for a very small company, probably typical of thousands of other very small companies. Our company is too small to afford a full-time IT staff; I'm the entire IT department, and it's a very small part of my job. I'm the IT guru because I'm the only one there who knows a DLL from a dungheap.

I have formal training in computers, but so long ago that the field was still called EDP and time-sharing was a big deal. I've spent years learning what I know about Windows and Windows networks, in my spare time. It would take me years more to reach a similar level of expertise with a brand-new OS. And until I reached that level, we'd be more vulnerable than with Windows.

My company has about a dozen computers, including a single domain server with no backup server. We have about $60,000 invested in software (other than OS's) that will only run under Windows. We have no hardware to set up a test server, no money (or time) to spend on unsuccessful experiments.

The only person in our company who has ever used Linux is our 21-year-old secretary. We have one Unix machine, which I despise, because its desktop GUI is primitive and its command interface makes MS-DOS look well-designed and intuitive.

I rarely get to spend more than two or three hours a week on network maintenance, security monitoring, and research combined. If I hadn't automated them I wouldn't have time to do file backups some weeks. I have no time to spend trying to research the seventeen hundred different distros of Linux available, or whether Wine will support our COM+-dependent network applications--or whether the WMF exploit still applies if we run Windows applications on Linux.

We can't afford to have a regular support contract with a local computer-specialist firm. That's assuming we could even find someone in town we can trust--the overpriced morons who did our last batch of installations gave us a two-NIC server with only one NIC enabled (so no firewall), and set up user workstations with the Administrator password left blank!

I loathe Microsoft, and have since I first saw Windows 3.11. But what possible reason do I have for trusting the claims of Red Hat or Debian more? What research I can do is hardly reassuring. Remember Saturday's story here [slashdot.org]: researchers found 812 flaws in the Windows operating system, 2,328 problems in various versions of the Unix/Linux operating systems (Mac included)?

Somehow the Windows folks keep on choosing to use Windows...

I didn't choose Windows; I inherited it and have no resources to replace it. My company didn't really choose Windows; it was forced on us by the marketplace. Be realistic! My wife just bought an Apple, and the first thing she installed on it was the OS-X version of MS Office, necessary for compatibility with her company.

Maybe in another ten years Linux will be enough of a force that applications will be written for cross-compatibility, but little companies like mine can't wait that long. We have to use what we can, right now.

Corporate? Try college.

Think users are bad in the corporate sector? Wait until everyone gets back to the college dorms after winter break with their completely unpatched computers. And all the people who have new computers that they got over the holidays. It wouldn't matter if Microsoft had patched it last week, I guarantee that the student users who need it won't have it.

Speaking as a poor sap who has to fix these computers, I have one thing to say: "Thanks for the easy money". And a heads up to all you dorm technicians, get ready to start burning virus CDs.

This Is Incomprehensible!

Anonymous Coward writes

Writes? Wouldn't a high school English teacher send this back with a little markup and a big fat red "F" on it?

"This is a first: the Internet Storm Center is recommending trustworthy computing.

I think this is the one valid sentence in this whole summary!

They want you to trust that the unofficial patch for the Windows Metafile Volunerability that is currently being exploited by an IM worm.

Obviously one instance of "that" is an extra. But which? Remove one, it means one thing; remove the other, it means something different.

No patch from Microsoft at this time,

Fragment (consider revising).

and the exploit is arranged in such a manner that it cannot be detected by most intrusion detection systems

Flowers and furniture are arranged. Music is arranged. Why the hell is the bolded phrase even in there? Try "the exploit cannot be detected by most modern intrusion detection systems" on for size. That edit gets rid of the passive voice and that meaningless phrase all at once!

(the snort rule will peg the CPU on your router)

I guess somebody's snorting something. What the hell does this mean?

nor filtered by packet-inspecting firewalls (it spans two or more ethernet frames).

Ooh, somebody just loves the parentheses! Why not kill them and insert ", since" after "firewalls"?

Not really a whole lot of choice about this one.

Fragment (consider revising).

I don't know who's more of an idiot -- the submitter or the "editor" who accepted this turd of an article summary.

So is there a patch ?

or not ?

according to Microsoft [windowsonecare.com]

If you are a Windows OneCare user and your current status is green, you are already protected from known malware that tries to attack this possible vulnerability.

That sounds like they must have some kind of patch out there, or are they hoping to get more users "hooked" on OneCare ?

Otherwise, this statement doesn't make sense :

Upon completion of this investigation, Microsoft will take appropriate action to help protect our customers. This will include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs. [microsoft.com]

Maybe I'm being picky, but I think all their customers have a quite urgent need, right now !

Written from the sublime security of Fedora Core, thanks.

Win98 patch?

I wonder if anyone is going to be able to patch Win98 against this? There are still a lot of machines and this vulnerability could make them essentially useless and force an upgrade. While we would all love for them to upgrade to Linux or OS X it is more likely that they will shell out for WinXP and MS will benefit from a windfall of sales as a result of their inept programming. If someone produced a workable patch this would at least allow people to keep using their computers without pouring more money down the MS bottomless pit.

I do trust Microsoft...

...to do what they do best. Which is why I use a different OS and suggest others do so as well.

What does Microsoft do best? Why, get the money out of the pockets of suckers, of course.

Suckers.

Cheers!

there is always choice

it cannot be detected by most intrusion detection systems (the snort rule will peg the CPU on your router) nor filtered by packet-inspecting firewalls (it spans two or more ethernet frames).

You *can* run 2 instances of snort in-line to get around this CPU-pegging issue.

Not really a whole lot of choice about this one.

There is always choice - have you considered a defense-in-depth multi-layered approach? I'm taking the following steps
1. unregister the ms pic and fax viewer dll
2. make WMF file extension default to an erroneous app like notepad
3. turn DEP up a notch
4. turn off downloads in IE if you must use it (set default security settings to HIGH)
5. block all WMF files at the perimiter
6. keep antivirus up to date and consider frequent manual updates and scans of key machines

These things in combo with being vigilant over the next few days should keep you and your corporate networks safe. There are even MSI versions of the patch for mass distribution.

Re:there is always choice

Did you miss the fact that blocking .wmf files/extensions means nothing for XP users? Because XP took a page from the 'magic bytes' of Unix and recognizes .wmf files from the image header, it can (and will) in some circumstances render them regardless of the extension. So naming it .bbb will bypass your perimeter filters completely.

Ahhhh!

I've removed:
ActiveX for streaming video
AOL ART Image Format Support
Intel Indeo codecs
Media Center
MIDI audio support
Movie Maker
Old CDPlayer and Sound Recorder
Speech Support
Windows Media Player
Windows Media Player 6.4
Client for Netware Networks
FrontPage Extensions
Internet Connection Wizard
Internet Explorer
Internet Explorer Core
IP Conferencing
MSN Explorer
Netmeeting
Outlook Express
Vector Graphics Rendering (VML)
Windows Messenger
Desktop Cleanup Wizard
Framework
Help
Out of Box Experience (OOBE)
Shell Media Handler
Tour
Web View
Zip Folders
Fax Services
Imapi
Indexing Service
System Restore
(nliteos.com)
AND I AM STILL VULNERABLE!???

Perhaps I should switch to linux :) |scroll lock||scroll lock| (KVM)

There is an official fix available!

In an interview with an anonymous MiroScoft employee, it has been reported that MS has found a working fix!

"We've all turned off our computers, and are sitting on our hands. This has effectively blocked all intrusion attempts."

When asked when the fix would be distributed, he replied:

"Once the threat has passed, it will be safe for us to turn our computers back on and email everyone with instructions for turning their computers off and sitting on their hands. Until that time comes, we're asking everyone to be patient."

Re:What's wrong with...

Yeah because 98% of PC users know how to disable the offending DLL. Heck, 98% of PC users don't even know what a DLL is.

Re:What's wrong with...

Of course they don't know what a DLL is. Windows has been marketed as a consumer OS, it was designed to be used by people without a clue. By default you can't even see the DLLs. People shouldn't need to have IT qualifications to use a computer, it should be secure enough for them to use it. What you are suggesting (to use a car metaphor and probably get flamed for it) is that people should need to strip and reassemble an engine to get a drivers liscence.

Re:What's wrong with...

Reading the article, the ISC (and a few others) say that you *should* disable the DLL. There are two ways, with caveats, listed:
*Unregister the DLL : some apps may actually reregister the DLL.
*Rename/Delete: make sure XP File Protection is off, otherwise it will be replaced. Also, some apps may behave badly.

So, disabling the DLL is a *good* idea -- but may not be a complete solution by itself.

Re:"the snort rule will peg the CPU on your router

I believe this is because _any_ image is vulnerable to infection. Because Microsoft checks the header for every image file and treats it as WMF if the header matches, all jpegs, gifs, and pngs are potential vectors for the disease. A router that has to inspect _every_ image that is surfed by users behind it will immediately turn into a bottleneck.

A couple of the other comments here seem to miss this very important point:

It's not just files with ".wmf" at the end. Any image file will get unwrapped by Microsoft code and the callback will get executed. Woof.

Re:What's wrong with...

It may not be enough.

From http://www.viruslist.com/en/weblog?discuss=1768925 30&return=1 [viruslist.com]:

"... Going back to the wmf vulnerability itself, we see number of sites mention that shimgvw.dll is the vulnerable file. This doesn't seem correct as it's possible to exploit a system on which shimgvw.dll has been unregistered and deleted. The vulnerability seems to be in gdi32.dll... "