Microsoft to Patch WMF Exploit Early
Chran writes "Microsoft has just announced that they will release a security update for the .WMF-exploit today at 2pm ET, instead of Tuesday, as originally planned.
Microsoft writes: "Microsoft originally planned to release the update on Tuesday, January 10, 2006 as part of its regular monthly release of security bulletins, once testing for quality and application compatibility was complete. However, testing has been completed earlier than anticipated and the update is ready for release. In addition, Microsoft is releasing the update early in response to strong customer sentiment that the release should be made available as soon as possible."
Reactive vs Proactive (Score:5, Insightful)
It would have been nicer if they made patches available as soon as possible with or without strong customer sentiment.
8 Days to patch (Score:4, Insightful)
Re:8 Days to patch (Score:5, Insightful)
Re:8 Days to patch (Score:2)
I'm sure it didn't take Microsoft very long to create the patch, but lots of man-hours to test it -- whatever that's worth.
2000, XP, 2003, but no 3.10, 3.11, 95, 98, or ME? (Score:3, Informative)
I'm only getting hits on 2000, XP, and 2003:
According to the Financial Times article [ft.com] highlighted at Drudge, Hyppönen said the vulnerability is supposed to hit "every Windows operating system since 1990".
So is there a patch for older versions of Windows?
Re:2000, XP, 2003, but no 3.10, 3.11, 95, 98, or M (Score:3, Funny)
Sadly no (Score:3, Informative)
-----
Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME) were previously listed as affected, but are no longer listed. Why is that?
Although Windows 98, Windows 98 Second Edition, and Windows Millennium Edition do contain the affected component, at this point in the investigation, an exploitable attack vector has not been identified that would yield a Critical severity rating for these versions. Per the support life cycle of
Re:Sadly no (Score:2)
There are a *lot* of companies still using that on the backend servers and on the desktop (not sure if it's still the majority but it's very significant).
Re:Sadly no (Score:2, Insightful)
If you are in this predicament, of supporting an NT4 environment - I feel for you, I really do. Seriously, at some point avoiding the costs of upgrades is going to hurt more than cutting the dang check.
ask not for whom the bell tolls...
Re:Sadly no (Score:4, Insightful)
Over 40% of our customers are NT4 shops. Some of them are *big*.
Re:Sadly no (Score:4, Informative)
Ironic, as the older operating systems come from a time when that format may have been relevant. It's kind of funny that only after the Windows Metafile became obsolete did MS choose to create a default program association.
Re:2000, XP, 2003, but no 3.10, 3.11, 95, 98, or M (Score:2)
Re:2000, XP, 2003, but no 3.10, 3.11, 95, 98, or M (Score:4, Informative)
I never thought back then that memory leak could mean buffer overflow which could mean security vulnerability
In this case, it's not a buffer overflow bug. In fact, it's not even a bug, per se. It's a feature, or at least a really bad design flaw that no one has stumbled upon/abused up until now. See F-Secure's writeup. [f-secure.com]
Re:2000, XP, 2003, but no 3.10, 3.11, 95, 98, or M (Score:5, Informative)
http://www.microsoft.com/technet/security/Bulleti
I suspect 3.x is the same, but really, if you're using 3.10 as a desktop...
Re:8 Days to patch (Score:5, Funny)
I have no idea what the side effects of this will be for your other applications (because I didn't do any regression testing), but I'm not MS, so I don't really care. Mat
Re:8 Days to patch (Score:5, Funny)
Do I have to reboot afterwards?
3rd party did not patch vulnerability (Score:4, Insightful)
1st Party did not patch vulnerability either, then (Score:3, Informative)
By your logic, Microsoft also has not patched the vulnerability. From the MS06-001 FAQ:
So, they basically used exactly the same workaround as the 3rd party patch that'
NO! (Score:5, Informative)
The MS patch removes the call in the WMF rendering engine that calls the gdi32 Escape() function with the SETABORTPROC parameter. The 3rd party runtime patch that's been around 'for a week' killed the Escape() function's ability to receive the SETABORTPROC procedure in _all user32.dll bound applications_ called by _anything_ for _any purpose_, 'breaking' more than just the WMF rendering caller.
Microsoft couldn't have done any better because this wasn't a coding error like a buffer overflow, it was an ancient long forgotten genuine feature.
Re:NO! (Score:3, Funny)
Re:3rd party did not patch vulnerability (Score:2)
Does this update contain any security-related changes to functionality?
Yes. The change introduced to address this vulnerability removes the support for the SETABORTPROC record type from the META_ESCAPE record in a WMF image. This update does not remove support for ABORTPROC functions registered by application SetAbortProc() API calls.
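The comments above describe the fix as dropping the SETABORTPROC record type from META_ESCAPE records during WMF playback. As an added example (not part of the thread and not vendor code), this Python scanner walks a WMF record list and flags such records; the record layout and constants follow the published WMF format, and the sample files are constructed inline with inert escape data.

```python
import struct

META_ESCAPE = 0x0626        # record function that carries printer escapes
META_EOF = 0x0000           # terminating record
SETABORTPROC = 0x0009       # escape function removed from WMF playback by the fix
PLACEABLE_MAGIC = 0x9AC6CDD7  # optional 22-byte placeable header
ESCAPE_NAMES = {SETABORTPROC: "SETABORTPROC", 0x000F: "MFCOMMENT"}


def scan_wmf(data):
    """Return [(offset, escape_function, name, is_setabortproc)] for every
    META_ESCAPE record. Raises ValueError if the file does not parse cleanly,
    so a caller can quarantine it instead of trusting a partial scan."""
    pos = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        pos = 22
    if len(data) < pos + 18:
        raise ValueError("truncated META_HEADER")
    file_type, header_words = struct.unpack_from("<HH", data, pos)
    if file_type not in (1, 2) or header_words != 9:
        raise ValueError("not a WMF header")
    pos += 18

    findings = []
    while pos + 6 <= len(data):
        size_words, function = struct.unpack_from("<IH", data, pos)
        size = size_words * 2          # RecordSize is counted in 16-bit words
        if size_words < 3 or pos + size > len(data):
            raise ValueError(f"bad record size at offset {pos}")
        if function == META_EOF:
            break
        if function == META_ESCAPE:
            if size < 10:              # needs EscapeFunction and ByteCount
                raise ValueError(f"short META_ESCAPE at offset {pos}")
            esc = struct.unpack_from("<H", data, pos + 6)[0]
            findings.append((pos, esc, ESCAPE_NAMES.get(esc, hex(esc)),
                             esc == SETABORTPROC))
        pos += size
    else:
        raise ValueError("no META_EOF record before end of data")
    return findings


def _record(function, payload=b""):
    return struct.pack("<IH", (6 + len(payload)) // 2, function) + payload


def build_sample(escape_function, placeable=False):
    """Constructed sample: META_SETMAPMODE, one META_ESCAPE (inert data), EOF."""
    body = (_record(0x0103, struct.pack("<H", 8))
            + _record(META_ESCAPE, struct.pack("<HH", escape_function, 4) + b"\0" * 4)
            + _record(META_EOF))
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, 7, 0)
    prefix = struct.pack("<I", PLACEABLE_MAGIC) + b"\0" * 18 if placeable else b""
    return prefix + header + body


if __name__ == "__main__":
    for label, blob in (("comment-only", build_sample(0x000F)),
                        ("abortproc", build_sample(SETABORTPROC, placeable=True))):
        print(label, scan_wmf(blob))
```

Other META_ESCAPE functions are reported but not flagged, and a file that fails to parse raises instead of returning a partial result.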
Re:8 Days to patch (Score:3, Informative)
Re:8 Days to patch (Score:2)
Re:8 Days to patch (Score:3, Informative)
Why would you download Firefox three times?
Re:8 Days to patch (Score:5, Insightful)
Re:Reactive vs Proactive (Score:5, Informative)
Get it here http://www.microsoft.com/technet/security/Bulleti
According to the folks at F-secure, it co-exists well with Ilfak's unofficial patch as well as the REGSVR32 workaround. Read their blog here. http://www.f-secure.com/weblog/archives/archive-0
Re:Ilfak's unofficial patch did not require a re-b (Score:3, Informative)
Re:Reactive vs Proactive (Score:5, Interesting)
I think that some corporate users (especially) are quite thankful for patch Tuesdays; especially those that have been bitten by some compatibility issue previously and can't just run autoupdate of all desktops at night, but rather want to roll it out manually.
Again, this is not the case here, this exploit was discovered in the wild and it's spreading right now.
Re:Reactive vs Proactive (Score:4, Insightful)
This doesn't make any sense. All patch release dates are a function of:
1) impact of the problem
2) complexity of required testing
The idea being that the patch shouldn't cause more harm than the original flaw.
If the impact is huge, testing of more obscure cases can be deferred somewhat. If the impact is small, more time can be taken.
So if there hadn't been any customer sentiment (i.e. no one cared), it would make no sense to rush the patch and risk breaking something.
Re:Reactive vs Proactive (Score:5, Insightful)
"If the impact is huge, testing of more obscure cases can be deferred somewhat. If the impact is small, more time can be taken."
I'm with you so far....
"So if there hadn't been any customer sentiment (i.e. no one cared), it would make no sense to rush the patch and risk breaking something."
Err, that's a non-sequitur. Whether customers care or not has nothing to do with the cost/benefit analysis that decides the timing and scope of an initial patch. A software company should never rely on its customers to perform risk analysis. If it's serious (and the WMF flaw is egregiously so), then you find a way to protect your customers as quickly and effectively as you can. In some cases - though certainly not all - you can even accept shortcomings in the patch itself if it significantly reduces the risk.
The third-party patch, for example, causes issues with the Windows printing subsystem. People voiced suspicions that this might be the case right from the start, though confirmation only came through earlier today. To my mind, that was an acceptable risk. A server that can't perform some print tasks and won't show pretty preview icons is worth a heck of a lot more to me than one that's 0wned by some random script kiddy.
And before some astroturfing twit spouts the simplistic, binary logic of 'MS is damned if they do and damned if they don't', I'd like to say from experience that deciding the timing of a security patch is a terribly difficult process. It requires the right amount of analytical skill, deep technical expertise, a healthy dose of horse sense and exactly the right measure of patience. Too much or too little of any of these can result in exactly the wrong kind of response.
Patching is not about being a nice guy. It's not about what your customers think of you. There should be no marketing or sales angle in the creation or timing of a security patch. You determine the scope and severity of the threat, be as thorough as you can reasonably hope to be (and that's never as thorough as you'd like), and deliver it as soon as you reasonably can.
I'm in complete agreement with this handler's diary [sans.org] from isc.sans.org [sans.org] concerning Microsoft's announcement that they would issue the patch at the regularly scheduled time. Given the severity of the flaw, it's unconscionable that they should leave their customers exposed for so long. The fact that they only decided to release the patch out of cycle in response to their users demonstrates that they're far more worried about their image than they are about their software. This does not bode well at all for them. Or for their customers, for that matter.
One Size Does Not Fit All (Score:2)
All problems are not the same quality or severity so why is MS tryi
Re:Reactive vs Proactive (Score:2)
That said, I don't know for that particular case, I just say that in general (and this rule has been proved right many many times for Microsoft products).
Re:Reactive vs Proactive (Score:2)
and millions of /.'ers groan... (Score:5, Funny)
To use this site, you must be running Microsoft Internet Explorer 5 or later.
To upgrade to the latest version of the browser, go to the Internet Explorer Downloads website.
Re:and millions of /.'ers groan... (Score:2)
Does *not* require Internet Explorer... (Score:5, Informative)
Funny, yes, but not true. The patch is available here:
http://www.microsoft.com/technet/security/Bulletin/MS06-001.mspx [microsoft.com]
Just downloaded it with Firefox. It's just Windows Update that requires IE.
Re:Does *not* require Internet Explorer... (Score:2)
Re:and millions of /.'ers groan... (Score:3, Informative)
Re:and millions of /.'ers groan... (Score:3, Insightful)
They aren't "saying" anything. The Windows Update web app, as a requirement of the fact that it uses ActiveX, requires Internet Explorer. Nonetheless, not only is the patch rolling out right now via auto-updates, you can also download it directly [microsoft.com].
In any case, even though I use Firefox and Opera for my day to day browsing, I really don't feel that threatened firing up Internet Explorer for the
Re:and millions of /.'ers groan... (Score:2)
Regardless, it's a catch-22. Here's the patch to keep you from being vulnerable but you must be vulnerable in order for us to patch. Gotta love the rocket scientists Microsoft is hiring these days.
Re:and millions of /.'ers groan... (Score:2)
Rockets! Awesome. Some real money finally being invested in space.
Re:and millions of /.'ers groan... (Score:2, Insightful)
Conform with industry standards? What sort of nonsensical groupthink claptrap is that? Is there a W3C standard on updating system libraries via a webpage that Microsoft isn't conforming to? Right - no there isn't, and ActiveX exists as embedded content just
Re:and millions of /.'ers groan... (Score:2)
Re:and millions of /.'ers groan... (Score:2)
Says who? [www.iol.ie]
Re:and millions of /.'ers groan... (Score:2)
Yes please, I'd like to add a giant security hole to my browsing experience thank you very much. Where do I sign up?
Re:and millions of /.'ers groan... (Score:5, Informative)
Re:and millions of /.'ers groan... (Score:2)
But you're right, it's a Windows bug, not an IE bug, and if you were to download a malicious WMF in FF and open it in most any program you'd have a problem.
Re:and millions of /.'ers groan... (Score:5, Informative)
Re:and millions of /.'ers groan... (Score:3, Interesting)
Feh ! (Score:5, Funny)
whatever (Score:4, Funny)
Sure.
Splendid... (Score:4, Insightful)
---
tis is not a FP
Re:Splendid... (Score:2)
3rd person (Score:5, Funny)
is their face red (Score:5, Funny)
Let's be friends again.
Re:is their face red (Score:2)
Re:is their face red (Score:3, Informative)
I simply unregistered the dll file on both work and home XP computers, but not the others I help supervise. The folks that are concerned about hackers "re-registering" it are working with the assumption that there is either another 0-day exploit out there that allows the hackers to do that, or don't understand how the vulnerability works. Also, the need for a patch on Windows 98, NT, or 2K is nonexistent.
I honestly think relying on a third-party to patch a system is ridicu
Re:is their face red (Score:3, Insightful)
It's already out.. (Score:2, Insightful)
WSUS picks it up on synch so start deploying once you've tested it internally. 5 days early? Not bad. Not great, but an official patch is always welcome. Hats off to the SANS team for applying the pressure. It's unfortunate that they were not mentioned in the Acknowledgements section of the MS06-001 release notes.
So early? (Score:4, Funny)
Not that (Score:2)
I heard it was because they were having a tough time to come up with the $40 a computer needed to acquire the software to distribute in the patch.
Not 2pm ET, but 2pm PT (Score:2)
Oops (Score:2)
Really? (Score:2, Interesting)
Is it really a problem of customer sentiment, or is it actually the public embarrassment of a third party releasing a patch quicker even without the source code of the libraries?
Sober is the reason IMHO (Score:3, Interesting)
I think that by this point Microsoft is pretty much numbed when it comes to public embarrassment.
Re:Really? (Score:2)
If by "patch" you mean "untested workaround that disables other functionality" then you might have a point.
The unofficial patch isn't really comparable.
What the MS patch does (Score:2, Funny)
Re:What the MS patch does (Score:2)
Thank you, Big Brother (Score:5, Insightful)
I call bullshit (Score:2, Insightful)
MS Security Bulletin Link (Score:2, Redundant)
MS Gets Up Early To Issue Patch! (Score:5, Funny)
"When will the patch for the patch be released?" asked Fox News correspondent Bubbles McConnifer, causing the press corps to giggle like schoolgirls in heat.
"Smile when you said that, bitch," growled a visibly angered Microsoft, who then motioned to two pinstripe suited thugs who escorted Ms. McConnifer from the press conference.
"Any other questions, whores?" asked Microsoft, placing fists on hips and allowing his 'MS Certified Otakus Rule!' T-Shirt to be seen. His query was greeted by silence. "Well alright, then."
Re: (Score:2, Funny)
How many uploaded the "hacked" version? (Score:2)
Re:How many uploaded the "hacked" version? (Score:2)
Rough translation (Score:5, Funny)
Our customers are getting pwn3d.
I know, I know... (Score:3, Insightful)
We can't have it both ways, and neither should they. I say send out patches as they're made and let the sysadmins be responsible for whether they can keep up or not. It may be difficult to admin many machines that have to be patched but I'd rather have fixes available ASAP and put the burden on IT to apply them.
Yeah, there are patches that will break stuff and ample testing should be done anyway...but does rolling them all into a Patch Tuesday really change that fact? Probably not.
With this sentiment, we can put more pressure on Patch Tuesday for what it really is -- a Trustworthy Computing PR stunt in which the number of fixes and vulnerabilities seems to be lower (since we're only patching once a month...maybe).
All that said, kudos to MS for reacting...but unkudos for taking this long...and major unkudos for being naive about the WMF design to begin with.
Re:I know, I know... (Score:2)
Damned if they send out patches as they're made (too many, too confusing) and damned if they wait 'til Patch Tuesday (negligent, inconsiderate).
Yup, but not damned if they fix the obvious design blunders that lead to many of these exploits, do security audits before releasing new technologies, and build an architecture that is not so brittle so that users don't have to worry that a patch to the web browser will break both core OS functions and third party applications.
It still took a long time! (Score:3, Interesting)
While MS was 'testing' everyone has been installing 'fixes' from other sites..
Even IF their patch was not 100% it wouldn't really have mattered in this case.
There was a gaping security hole in their OS and they still needed 12 days to come up with a fix!
For such a large company whose software is being used by *millions* of people worldwide and 7 billion a quarter profit, they've sure taken their sweet time!
Why don't they take some 0.01 percent of that 7 billion and test/release it sooner?
Error in the summary... (Score:4, Funny)
... meaning all us east coast admins will be staying late tonight. Joy.
Clip Art (Score:2, Interesting)
Early release to catch out the hackers (Score:3, Insightful)
I'm sure a lot of people out there who were planning to take advantage of this problem have been thinking that they have till Tuesday to write a really good exploit, and therefore not hurrying too much.
Now Microsoft come along and patch it early.
I don't know about anyone else but I was expecting Monday to be a day from hell...
Re:Early release to catch out the hackers (Score:3, Interesting)
I don't believe that for a second. People who wanted to take advantage of this flaw had their code done within 48hrs of the public disclosure. No serious hackers were waiting till this weekend to try and catch some people. It's a race you see. The last thing they wanted was to wait a week and let Antivirus ma
Right... (Score:2, Funny)
srsly, fuck u miKKKro$haft
The Real Reason (Score:3, Insightful)
Re:The Real Reason (Score:4, Informative)
he did not fix it
All the 3rd party patch did was implement a workaround.
Fixes already in the wild though? (Score:3, Informative)
http://grc.com/sn/notes-020.htm [grc.com]
Re:Fixes already in the wild though? (Score:2)
Should've hit preview before submitting again.
Why not... (Score:2, Funny)
will? or did.. (Score:4, Interesting)
Chran writes "Microsoft has just announced that they will release a security update for the
talk about releasing the news late.. the patch was already out by the time slashdot had the "news" that microsoft would be releasing the patch.
And now for the "for Nerds" part of the article (Score:2)
So all of you out there with WMFs with SETABORTPROCs in your META_ESCAPE records, beware!
(Not sure what I just said.)
"testing ... completed earlier than anticipated" (Score:5, Insightful)
Early? (Score:2, Insightful)
And finally... (Score:2)
The - final? - twist in the long, strange trip of the WMF bug - the vulnerability that just keeps on giving - has been revealed by H D Moore, the author of the Metasploit exploits (which is now on a third generation and even tricksier than ever!:)
After all the jokes about WINE compatibility [google.co.uk]... it turns out that WINE is vulnerable, too!! [neohapsis.com]
To quote the words of a song by H D's namesake, Du
Re:Not "will", "did" (Score:2)
Re:Not "will", "did" (Score:2)
then turned into "no longer" by the time Cmdr Taco posts a dupe.
Re:Site's not Firefox-compatible (Score:2)
Er - have you used a mainstream linux desktop distro recently? It is like
Re:early my eye (Score:5, Interesting)
They had it ready, if by ready you mean a version had been compiled and 'tested' once on the developer's machine.
Trust me, right now in Redmond there's a whole team of Quality Assurance Engineers who are looking at their test plans, scratching their heads, and once again calling into question the actual value of their work, given that some manager can arbitrarily decide when it's time to rush a release regardless of what the schedule said or what the impact of a patch was or which cases remain un-tested. That, and they're really, really tired after pulling a couple of all-nighters.
Have fun testing that patch.
Re:Old Systems (Score:3, Insightful)
MS: "vulnerability is not critical" (Score:2)
No. Although Windows 98, Windows 98 Second Edition, and Windows Millennium Edition do contain the affected component, the vulnerability is not critical because an exploitable attack vector has not been identified that would yield a Critical severity rating for these versions."
from
http://www.microsoft.com/technet/security/Bulletin