Interview with Ilfak Guilfanov (WMF Patch Hero) 167
GrayWolf42 writes "SecuriTeam Blogs has posted an interview with Ilfak Guilfanov, one of the people developing the IDA Pro disassembler, who also happens to have written the unofficial WMF vulnerability patch. In this short interview he discusses the patch, how it works, and why he wrote it." From the article: "Q: When you heard of this vulnerability, you created a temporary patch to close the hole until Microsoft updated its software. Could you tell us more about what the patch does? A: The patch just removes this powerful command. It does not do anything else. The fix modifies the memory image of the system on the fly. It does not alter any files on the disk. It modifies [the image of] the system DLL 'gdi32.dll' because the vulnerable code is there." Microsoft has released an official update, which you should be able to download from the Windows Update site.
SecuriTeam blogs (Score:5, Informative)
Re:SecuriTeam blogs (Score:2)
You simply should not be able to go and mess around with system files like this.
Re:SecuriTeam blogs (Score:2)
If you're not an Administrator, you can't.
ok... (Score:5, Insightful)
Re:ok... (Score:3, Insightful)
Often, historically, Microsoft's approach has been the same, to just take away the offending bit.
When they actually correct the code is where Microsoft have sometimes introduced new vulnerabilities, perhaps because the focus of their Q/A is too n
You're missing the point, though (Score:3, Insightful)
Re:You're missing the point, though (Score:5, Insightful)
I think that's a bit unfair. We got news of this zero day exploit the 27th of December? It's still only about 10 days to produce a patch and test it. It fixes multiple versions of Windows too. IMO it didn't take too long for MS to fix it compared to the 200+ day fixes you read about regularly on eEye's site. Of course the not so good design of Windows doesn't help either. Windows is not modular so fixing something like an image processing function can impact the entire kernel, it needs extra testing.
Re:You're missing the point, though (Score:2)
I think that's a bit unfair. We got news of this zero day exploit the 27th of December? It's still only about 10 days to produce a patch and test it.
Actually, the 27th is when the exploit went public. I have yet to see reliable data on when it first was discovered being exploited in the wild and when it was reported to MS. For all we know MS had this reported to them months ago.
Re:You're missing the point, though (Score:2)
You're still missing the point of his original post. He wasn't arguing that Microsoft got news of the exploit long before it went public, but that you shouldn't assume that Microsoft only heard of the exploit when it went public, as this is often not the case. The assumption that Microsoft received news of the exploit 3 months ahead of the rest of us is about as supported as the assertion that Microsoft only found out about it when it went public--that's the point.
If you want to be a smart ass, at least fig
Re:You're missing the point, though (Score:2)
Making up scenarios (ie, "they could have known this for months") and then implying that it took longer than 10 days is just as useless.
The original poster said that MS only had 10 days to build a patch and test it. I replied saying that we don't have enough information to draw that conclusion since we don't know when MS was informed of the vulnerability or exploit. Then I postulated that they could have known about it for months. This is called an example. It was demonstrating the way in which the pre
Re:You're missing the point, though (Score:5, Informative)
Additionally if you check the timestamp on %WINDIR%\System32\gdi32.dll (the file fixed by Microsoft's patch) you'll see that it is dated 12/28. So we found out about the exploit on 12/27, Microsoft had it fixed the next day (assuming they didn't modify the file dates for any reason) and spent the remainder of the time testing the patch.
Re:You're missing the point, though (Score:2, Interesting)
I understand that gdi32.dll is pretty much the equivalent of glibc, so it's not something they want to modify without testing, but they should have at least gone ahead and released the patch to the home users; production servers and the like shouldn't have been affecte
Re:You're missing the point, though (Score:2)
Re:You're missing the point, though (Score:3, Insightful)
I think you misunderstand the meaning of modular. Because Windows is modular the change of one module can impact a number of processes.
Re:You're missing the point, though (Score:3, Informative)
Re:You're missing the point, though (Score:2)
Re:You're missing the point, though (Score:2)
Re:You're missing the point, though (Score:2)
Do some reading on the design and architecture of Windows. It most certainly *is* modular.
Not to mention you've got the whole thing arse-about-face. Modularity is *why* code fixes in one module can have repercussions in many other modules.
Not a Zero-Day - more like a 15k-day exploit (Score:2)
Re:ok... (Score:1, Interesting)
Part of the reason Microsoft couldn't release a patch immediately is because they need to make sure their fix doesn't break anything else.
I've got a big fat BOLLOCKS to that. How much software uses WMFs? How much software relies on being able to supply its own error-handling code should that WMF not display properly? In the WMF file itself?
Now weigh "all those" applications (i.e. practically none) against the people that can be/have been/will be compromised with this vulnerability. Care to make a
Re:ok... (Score:2)
Microsoft Update (Score:4, Insightful)
Re:Microsoft Update (Score:3, Funny)
On a related note: This may be my last
Re:Microsoft Update (Score:2)
Bit of exaggeration, eh? (or trolling)
Let me guess, your definition of "modern" is what?
'cause Debian Stable sure as hell doesn't have that many updates...
As a matter of fact, I only have a little over 2000 packages installed!
And... I only see 15979 packages in the entire repository. (which isn't just Debian)
From the Interview... (Score:5, Interesting)
So this is a design issue?
Yes, it is a design issue.
I would think that MS would have a department of crackers and hackers to try to do shit like this. Also, didn't any of the original developers think of this when they wrote it, or did they think the exploit was so remote that it'll never happen?
Re:From the Interview... (Score:5, Informative)
Re:From the Interview... (Score:2, Interesting)
Re:From the Interview... (Score:4, Funny)
Re:From the Interview... (Score:2)
Re: (Score:2)
Re:From the Interview... (Score:5, Informative)
Re:From the Interview... (Score:2)
Re:From the Interview... (Score:1)
You start out by loading a DLL and telling the system that DLL needs to be loaded into every process started from there on. Now you are in the target's memory space and you are able to modify the target's memory space. This in turn allows you to hook functions, i.e. replace the DLL jump table or write to executable memory directly.
Of course, with NT (Win2000, XP = NT) you need proper rights (Administrative Account, or User Accounts with specific rights ena
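The jump-table hooking this comment describes (and the in-memory neutering of one command that the interview and the later comparison with Microsoft's rebuilt gdi32.dll talk about), reduced to a handler table inside a toy metafile record walker. This is an added example, not Ilfak's patch or any Microsoft code; it assumes the WMF record layout (32-bit size in 16-bit words, 16-bit function code, parameters) and names SETABORTPROC as the escape subcode the hook refuses, and the record stream is constructed.

```c
#include <stdint.h>
#include <string.h>

/* WMF record function codes (16-bit). SETABORTPROC is the escape subcode that
 * installs an abort procedure: the "powerful command" behind the flaw. */
#define META_LINETO  0x0213u
#define META_ESCAPE  0x0626u
#define SETABORTPROC 9u

struct mf_stats {
    int handled, refused, unknown;  /* records accepted / rejected / without handler */
    int abort_proc_set;             /* times the as-designed escape handler would install one */
};
typedef int (*record_handler)(struct mf_stats *st, const uint16_t *p, size_t n);

/* As-designed handlers. The toy only records what would happen; it never executes record data. */
static int handle_lineto(struct mf_stats *st, const uint16_t *p, size_t n)
{
    (void)st; (void)p;
    return n == 2 ? 0 : -1;                       /* params: x, y */
}
static int handle_escape(struct mf_stats *st, const uint16_t *p, size_t n)
{
    if (n < 2) return -1;                         /* params: subcode, byte count, data */
    if (p[0] == SETABORTPROC) st->abort_proc_set++;
    return 0;
}

/* This table plays the role of the jump table the comment describes. */
struct dispatch_entry { uint16_t code; record_handler fn; };
static struct dispatch_entry dispatch[] = { { META_LINETO, handle_lineto }, { META_ESCAPE, handle_escape } };
static struct dispatch_entry *find_entry(uint16_t code)
{
    for (size_t i = 0; i < sizeof dispatch / sizeof dispatch[0]; i++)
        if (dispatch[i].code == code) return &dispatch[i];
    return NULL;
}

/* The hotpatch: keep the original pointer, forward everything to it except the
 * one dangerous subcode, which is refused. Nothing on disk changes. */
static record_handler orig_escape;
static int patched_escape(struct mf_stats *st, const uint16_t *p, size_t n)
{
    if (n >= 1 && p[0] == SETABORTPROC) return -1;
    return orig_escape(st, p, n);
}
void install_hotpatch(void)
{
    struct dispatch_entry *e = find_entry(META_ESCAPE);
    if (e && e->fn != patched_escape) { orig_escape = e->fn; e->fn = patched_escape; }
}

/* Walk WMF-style records: uint32 size in 16-bit words, uint16 function code,
 * then 16-bit parameters, all little-endian. Returns 0 on a well-formed stream. */
int process_metafile(const uint8_t *buf, size_t len, struct mf_stats *st)
{
    size_t off = 0;
    memset(st, 0, sizeof *st);
    while (off + 6 <= len) {
        uint32_t words = (uint32_t)buf[off] | (uint32_t)buf[off + 1] << 8 |
                         (uint32_t)buf[off + 2] << 16 | (uint32_t)buf[off + 3] << 24;
        uint16_t code = (uint16_t)(buf[off + 4] | buf[off + 5] << 8), params[64];
        if (words < 3 || words > (len - off) / 2 || words - 3 > 64) return -1;  /* bad length */
        for (size_t i = 0; i < words - 3; i++)
            params[i] = (uint16_t)(buf[off + 6 + 2 * i] | buf[off + 7 + 2 * i] << 8);
        struct dispatch_entry *e = find_entry(code);
        if (!e) st->unknown++;
        else if (e->fn(st, params, words - 3) == 0) st->handled++;
        else st->refused++;
        off += words * 2;
    }
    return off == len ? 0 : -1;
}

/* Constructed sample: LINETO(10,20); ESCAPE SETABORTPROC with 4 data bytes;
 * ESCAPE with a harmless subcode (1) and no data. */
const uint8_t sample_wmf[] = {
    0x05,0x00,0x00,0x00, 0x13,0x02, 0x0a,0x00, 0x14,0x00,
    0x07,0x00,0x00,0x00, 0x26,0x06, 0x09,0x00, 0x04,0x00, 0x41,0x41, 0x41,0x41,
    0x05,0x00,0x00,0x00, 0x26,0x06, 0x01,0x00, 0x00,0x00,
};
```

Before the hook the walker accepts all three records and notes that an abort procedure would have been installed; after install_hotpatch() the same stream yields one refused record and the other two still draw.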
Re:From the Interview... (Score:2)
Yep, read my /. comment... (Score:3, Informative)
Re:From the Interview... (Score:2)
No, it goes back to Windows 3.0. And while they couldn't have anticipated the current computing climate, it's hardly as if there were no trojans, virii, or other malicious programs back then. That's a completely invalid excuse.
Why would they.... (Score:1)
Re:From the Interview... (Score:2, Interesting)
I guess they thought the chances were remote, because when MS were doing their security review and subsequently made their GDI vulnerability detection tool [microsoft.com] available, it was not designed to pay attention to this vulnerability. I wonder if they have updated the tool?
Re:From the Interview... (Score:2)
Bill Gates at CES unveils Ballmer 2.0!
Another great interview (podcast) (Score:2)
Re:From the Interview... (Score:2)
Re:From the Interview... (Score:2)
Cracking is largely driven by curiosity, genuine dislike towards a software vendor or a criminal intent. None of these really fits the full-timer profile, let alone someone being employed by the company itself.
MS can hire 10 departments of 'crackers and hackers', it will still not do them any good.
Re:From the Interview... (Score:5, Insightful)
We have a few security-focused assets in the company.
There is a team that grew out of some of the company-wide security folks that are sort of the "gatekeepers" now for all software that leaves the building.. you have to pass their audits, which are primarily about running internally brewed tools against your source code and binaries. As we get better at this stuff we update our tools and as the tools find things the developers get smarter about not writing dumb code to begin with, the testers get better at writing evil tests, and the PMs get better about recognizing that a feature is a problem-by-design to begin with.
This team will also do some code/design review, and will make you justify any bugs you decided to "Won't Fix" during the development cycle. Our bug tracking systems have all been amended to include lots of rich info re: security/threat impact, and this team mines that data as well.
They do _very_ limited penetration testing.
Distributed across teams there are security "representatives" that are supposed to coordinate training and getting the latest tools/best practices out to the developers/testers at large.
Development teams are required to create threat models for all feature areas. The threat model library must be presented to the "gatekeeper" team described earlier as well.
Some teams are building local penetration testing teams.. which have product/feature area domain expertise.. but also understand the art of penetration testing. We don't have enough "centralized" resources to have a crack team of pen testers that cover all products. They can provide guidance/expertise/interviewing/whatever, but ultimately can't cover the whole company. Building a culture of grey-hat minded people and sprinkling them throughout every product team takes a long time.
Note that everything I am describing did not exist at MS 5 years ago. Blaster, Nimda, CodeRed, Melissa, etc really kicked our ass with customers. In a way, we needed all those so that internally people could really justify making the investments needed in security. There was a lot of sentiment along the lines of "we got to be #1 with the way we've been doing things, who are you to argue?", from a lot of really smart, strong-minded people.
Breaking that and reforming them to the new religion takes time.
We have a _huge_ debt of bad code, bad practices, bad developers, bad testers, and bad managers. We've been working pretty hard to pay down that debt. When I say "bad developer" I mean "developer that wrote code for years, never having to care about security", not that the developer is stupid/has malicious/intentionally poor habits.
Based on how often we issue patches, # of patches released for a given product, etc now compared to say, Win2k, I think the changes are already starting to pay dividends for us. Server 2003 is a lot better out-of-box than Server 2000 was. If nothing else, when I read a design doc or look at a bug report now and feel like it might be a problem, and say so, people take me more seriously. They aren't as apt to play the "it's not my problem" or "that can't happen in the real world" games as they were just a few years ago.
Security Now! Interview (Score:2, Informative)
Microsoft can boost your notoriety (Score:4, Funny)
Why didn't anyone at Microsoft think of this solution? They might have been put in charge of their own security team.
Re:Microsoft can boost your notoriety (Score:5, Informative)
They did. The official patch has the same end effect as the unofficial one. The only difference is in method. Microsoft modified the source code to remove the vulnerability instead of removing it in memory.
Re:Microsoft can boost your notoriety (Score:5, Informative)
One problem, for instance, is that if some other hacker came along and reset the function pointer with their *own* dll, we'd be back to square one (though that requires a greater level of system access). And the DLLs themselves don't have explicit control over when they get loaded, so they can't guarantee that they are first or last.
Microsoft's patch is nothing like his. They (I'm guessing) rebuilt gdi32.dll to actually turn the function into a no-op. Adequate testing by MS would have to include ensuring that all the various WMFs dynamically generated by the OS are not adversely affected.
Re:Microsoft can boost your notoriety (Score:2)
He removed a "system call"... guess what... there are probably a few applications that have a legit reason to use this function.
Kinda like chemotherapy... kill everything 'cause you might get the cancer too.
So Microsoft is doing some due diligence to figure out how it's broken and how to fix it without breaking more sh!t.
I love this though. There are a bunch of calls in kernel32 that pose potential security risks... let's remove them...
Re:Microsoft can boost your notoriety (Score:3, Insightful)
Also, most people
Re:Microsoft can boost your notoriety (Score:2)
So how do you explain Windows?
Thank you, thank you, I'll be here all week.
Re:Microsoft can boost your notoriety (Score:2)
I don't think Granny or Dilbert's boss would have any clue, or need to know how to do a Powerpoint presentation.
(unless of course you were referring to someone with a Bachelor's
Re:Microsoft can boost your notoriety (Score:2)
Re:Microsoft can boost your notoriety (Score:2)
I can think of only one poor soul who is no longer with us....Clippy
http://www.microsoft.com/presspass/features/2001/
Re:Microsoft can boost your notoriety (Score:1, Interesting)
Re:Microsoft can boost your notoriety (Score:2)
The guy removes one line of code and becomes famous almost instantly. Why didn't anyone at Microsoft think of this solution?
And if every guy at Microsoft removed a line of code, probably the final product would be far better.
Root of the problem (Score:4, Insightful)
From SecuriTeam Blogs: Is there anything that you think should be done to make vulnerabilities like this less dangerous in the future?
Good design and good coding practices, but that is easier said than done.
But shouldn't that be everybody's focus? We're seeing a lot of articles this week on coding practices, bugs, and vulnerabilities, and it all boils down to how hard every programmer is going to work to eliminate them. It's unrealistic to think that there will be no bugs in any piece of code, but if there are to be bugs/vulnerabilities, their impact should at least be minimized. And it's going to take teamwork; the day of the lone programmer capable of wiping out the bugs is long over.
Re:Root of the problem (Score:5, Insightful)
The problem is in what was intended. If your "feature" is a boneheaded security hole, no amount of good design and good coding can save you. All they will get you is a beautifully designed, perfectly coded boneheaded security hole.
Re:Root of the problem (Score:3, Funny)
- at best.
It might have bugs, which might close the security hole.
Re:Root of the problem (Score:2, Insightful)
Hey now, programmers are
Re:Root of the problem (Score:2)
But... The point is they could be designing/coding in ways that reduce bugs from the start, not spending time later trying to hunt them down.
Re:Root of the problem (Score:2)
But this is moot, because the WMF flaw is not a bug. It's a design problem. The code does exactly what it is supposed to. The trouble is that no one went back and examined these ancient APIs for security issues when people started hooking Win
Actual link to the MS-official patches (Score:3, Informative)
Podcast Interview (Score:2, Informative)
Slashdot Windows logo (Score:1, Troll)
Re:Slashdot Windows logo (Score:3, Interesting)
-nB
Re:Slashdot Windows logo (Score:3, Insightful)
Thanks for clearing that up. I find it hard to believe that Microsoft would threaten to sue over something like that.
MS threatening to sue is news to me. It sounds like pure speculation. My pure speculation is that the icon was created by someone right after MS did one of the thousands of annoying/illegal/unethical things they regularly do to piss off the computer industry as a whole (you know like buy out and kill a cool technology, intentionally break a standard, or bundle yet another software package i
OT Evil rant (Score:2)
The evil! I understand what you mean, but honestly, Evil? Evil is what happens when one person kills another person. Evil is not giving someone software for free. It's not a word that should be used so lightly. Yes, Microsoft is very annoying and their behavior has served to hinder competition for years and yes much of it is illegal. But it's not evil. Does it really make you feel better to look at a broken window? I suppose in a secular society that no longe
Re:OT Evil rant (Score:2)
The evil! I understand what you mean, but honestly, Evil? Evil is what happens when one person kills another person. Evil is not giving someone software for free.
If it makes you feel any better, which it probably won't, I don't believe in evil. I was using the term emblematically.
invent the devil in the image of someone we don't like (i.e. Bill Gates) and call everything he does "evil".
Who said anything about Bill Gates? I was writing about Microsoft.
Does it really make you feel better to look at a
Re:OT Evil rant (Score:2)
Re:OT Evil rant (Score:2)
Yes I know you don't believe in Evil. That's why you used the word. That's part of my point. But my point transcends your particular post, and slashdot in general. It's a really strange place to put that thought, but I felt it so I wrote it. That's just the way I'm rolling right now. Don't take any offence. It's not your fault it's such a large problem, but you do contribute to it.
Ahh, but you seem to be failing to understand the perspective of others. If evil does not exist, then there is no harm in using the wo
Why not scramble all DLL's and EXE's on the fly? (Score:5, Insightful)
That would mean buffer overflows are essentially defeated in the vast majority of cases? One simple thing we could do would be to insert random NOPs in DLLs, making the buffer overflow get the correct offset wrong most of the time and thus fail to work. I'm sure there are dozens of more clever ways to achieve this, in a completely general sort of way.
The reason these attacks spread is that the binary code is essentially a monoculture crop -- all clones of each other. Why not take the SID of a system, or some GUID, and use it to morph all the binary images on a system in a unique way for that system?
Since lots of attacks use NOPs, XOR'd code, and other techniques to avoid being detected as code, why don't we apply the same techniques to our binary objects to obfuscate them from the attacking code?
Paul Sop
You had me going right up until . . . (Score:2)
Why not take the SID of a system, or some GUID, and use it to morph all the binary images on a system in a unique way for that system?
Now that sounds quite similar to M$'s "(un)Trustworthy Computing" bit. Since the keys and the encryption algorithm both reside on any given system, the decryption must take place within a (hardware embedded) subsystem in order to prevent the system software from being compromised. Uh, what happens if I want to install LINUX, or even when I just want to rein
Re:You had me going right up until . . . (Score:2)
No, it is perfectly safe to do this encryption / entry point calculation in software. The moment someone can run code on your system, you're screwed anyway. But in order to run code, they must 1) load the code to be executed into system memory, and 2) get the CPU to execute the code. Step 1 is stil
Re:You had me going right up until . . . (Score:3, Insightful)
Doesn't matter where in the software you hide the algorithm, the algorithm must be available in software and therefore provides only the illusion of security. Sorta like
Re:Why not scramble all DLL's and EXE's on the fly (Score:1)
I think if MS did that, it may slow down the search for exploits until someone comes up with the de-scrambler. If the starting point of the scramble is on the system, the hackers will have a starting point to break it. From there it's just a matter
Re:Why not scramble all DLL's and EXE's on the fly (Score:5, Interesting)
Re:Why not scramble all DLL's and EXE's on the fly (Score:5, Informative)
That's exactly what Data Execution Prevention (DEP) is. It requires XP SP2 and a CPU that has the NX bit (or I forgot what Intel called the "we didn't copy this from AMD" bit). In fact, it appears that DEP does stop [blogspot.com] the exploit.
DEP doesn't stop the exploit... (Score:2)
hardware DEP does stop the exploit under certain conditions, but installing other (seemingly unrelated) code invalidates the protection (because they are binaries packed with some special software and MS turns off DEP for those binaries since they wouldn't work otherwise).
I'm surprised DEP worked at all on this, the flaw is a design flaw, not a buffer overflow exploit.
Re:Why not scramble all DLL's and EXE's on the fly (Score:2)
Re:Why not scramble all DLL's and EXE's on the fly (Score:3, Insightful)
That's all reversible information, though. Somewhere, for an executable to work, this information would need to be stored, and on the disk. Considering that nothing stored on disk is completely secure, I don't see this as a viable option.
Consider the GU
Re:Why not scramble all DLL's and EXE's on the fly (Score:1)
This would not prevent procedure call hijacking attacks, where an existing call to a procedure is given specially crafted parameters. Nor would it prevent exploits from using system calls directly. Just like preventing execution of code in the stack segment, the measure would make attacks harder, but would not prevent them.
A few reasons I can think of that complicate it.. (Score:4, Informative)
One doesn't really have _full_ flexibility in binary layout. There are issues like word alignment to be aware of.
Windows needs to know how to get the address of a symbol, by name, dynamically. Even if you change the address underneath, the exploit only needs to call a routine to just call the moved function by name.
One of the advantages of DLLs is that the text (code) segments are shared cross-process. If you want to make the loader muck with the images per-process, you effectively have static libraries. This is lethal on server type applications with hundreds or thousands of separate address spaces.
Note that if you _don't_ do per-process space scrambling, your exploit can just scan its entire address space to see where the relocated stuff is, because it will be the same in all the other address spaces on the box.
Finally - this was a spec defect - my understanding is that the code is actually running as designed.. it's just a facility that has no business in a modern, assumed-hostile computing world.
Re:Why not scramble all DLL's and EXE's on the fly (Score:2)
Because adding NOOPs will not change the behavior of the functions. Especially case in point, it would not have blocked this security hole. Nor would it really block any security hole.
Exploits just attempt the exploitable behavior and if it works, then it works; if it doesn't, then the exploit fails, but who cares? And it continues on.
The problem with buffer overflows is the regularized position and size of the STAC
Re:Why not scramble all DLL's and EXE's on the fly (Score:2)
sloldotted (Score:2)
You will have to download from one of the better-connected mirrors, as poor Ilfak has already had to move hosts once. I guess he's a victim of his own popularity.
Why can't we get credit for THAT?
Without Source Code (Score:2, Interesting)
In this context I find it quite amusing that Guilfanov was able to make a quick and effective fix without the benefit of the source code for gdi32.dll. In contrast the folks at Microsoft thrashed around for more than a week before realizing the significance and the simplicity of the fix.
I wonder how
Re:Without Source Code (Score:2)
It was an issue with the WMF file processing. The fix in this case should have been painfully obvious to anyone with source code. Given the simplicity and severity of this situation, it shouldn't have taken long (a couple days perhaps) to do adequate testing to assure that there wouldn't be any other unanticipated side effects.
No, my concern is that Microsoft's management misread this situation and
irony (Score:2, Funny)
Also (Score:3, Informative)
http://www.twit.tv/ [www.twit.tv]
And also (Score:2)
Re:OT: Can we get a font change? (Score:2)
Re:Russians RULE (Score:1, Troll)
Thanks, comrade. And also thank you for the extra bandwidth and hard-drive space. Your zombified box is helping us spread our spam to the proletariat.
Mod Funny! Re:Russians RULE (Score:2)
Re:How weird (Score:3, Insightful)
Maverick patches are the last thing we need. And now, since this guy is getting a bunch of press, we will have 90 million hackers trying to be the first to release a patch for the next MS bug.
So who's the one at fault: the maverick hacker who writes a patch, or the user who chooses to install it instead of waiting for the official patch from Redmond?
You do know that Ilfak's patch was optional, right?
Re:Patch doesn't work for me (Score:2, Funny)
Really? Let me clear that up for you
Re:Patch doesn't work for me (Score:2)
Go here, with any browser type http://www.microsoft.com/downloads/details.aspx?familyid=0C1B4C96-57AE-499E-B89B-215B7BB4D8E9&displaylang=en [microsoft.com]
I collect the worst patches and utilities with Firefox on Linux and make myself a 'Windows Bugspray' CDROM, which I then use to fix clients' PCs.
Re:Hero? (Score:2)
According to your narrow and highly romanticized version only. How sad. If only you could broaden your view you would see heroes everywhere...
Re:Weird error (Score:2)
Bullshit.
Go here: http://www.microsoft.com/downloads/details.aspx?familyid=0C1B4C96-57AE-499E-B89B-215B7BB4D8E9&displaylang=en [microsoft.com]
Or here http://tinyurl.com/7kyrc [tinyurl.com]
Re:What if I'm already rooted? (Score:2)
If you have an MSDN subscription (like Windows developers do), you can pull down ISO images to burn. But it still takes ages to install and patch Windows+apps to work, compared to, say, the afternoon it took me to get SUSE 10.0 on.
I don't think things will improve either. I installed Vista onto a vmware image and the virtual HDD was u
Re:What if I'm already rooted? (Score:2)
Also see this: http://www.nu2.nu/pebuilder/ [nu2.nu]
Bart's PE is very handy for deleting files that Windows normally cannot delete, or simply to use as an incorruptible Windoze.