Businesses Urged To Use Unofficial Windows Patch

frankie writes "ZDNet is reporting on the latest dire pronouncements about the WMF vulnerability. The problem is so serious that security experts are urging IT firms to use the unofficial patch. Microsoft's current goal is to release the update on Tuesday." From the ZDNet article: "This is a very unusual situation -- we've never done this before. We trust Ilfak, and we know his patch works. We've confirmed the binary does what the source code said it does. We've installed the patch on 500 F-Secure computers, and have recommended all of our customers do the same. The businesses who have installed the patch have said it's highly successful." It's big enough that even mainstream media is covering the flaw.
  • More details (Score:5, Informative)

    by anandpur ( 303114 ) on Tuesday January 03, 2006 @04:16PM (#14386627)
    Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution

    http://www.securityfocus.com/bid/16074 [securityfocus.com]
    http://www.microsoft.com/technet/security/advisory/912840.mspx [microsoft.com]
    http://www.symantec.com/avcenter/venc/data/pf/pwsteal.bankash.g.html [symantec.com]
  • Re:block wmf (Score:1, Informative)

    by Anonymous Coward on Tuesday January 03, 2006 @04:17PM (#14386647)
    yeah, works with websites. but not with email, or files that are already stored on your system. even indexing a malicious file on your pc via google desktop or similar programs infect you. for more info see the FAQ at http://isc.sans.org/ [sans.org]
  • Re:block wmf (Score:5, Informative)

    by NinePenny ( 856053 ) on Tuesday January 03, 2006 @04:18PM (#14386655)
    It's not just the extension that dictates that it's a WMF... Windows in its infinite wisdom also looks at the header bytes of the file and says "ohh! that's a WMF!" Execute! I'm in a damned hurry, hopefully I stated that correctly...ymmv
  • Re:block wmf (Score:2, Informative)

    by Hunter-Killer ( 144296 ) on Tuesday January 03, 2006 @04:19PM (#14386663)
    A filter would be pretty easy to bypass, either by sending the wmf in a compressed file; or by renaming the extension.

    One could simply block all images, but your boss might be a little miffed when he can't conduct "Internet research".
  • Re:block wmf (Score:3, Informative)

    by Raato ( 36080 ) on Tuesday January 03, 2006 @04:20PM (#14386671)
    How do you intend to block them? Block anything with extension .wmf? Isn't enough as the file will be identified and handled as wmf, no matter what the extension is.

    From http://isc.sans.org/diary.php?storyid=994/ [sans.org] you can find that "WMF files are recognized by a special header and the extension is not needed. The files could arrive using any extension, or embedded in Word or other documents."
  • by whitehatlurker ( 867714 ) on Tuesday January 03, 2006 @04:22PM (#14386689) Journal
    They try to address some of this in the official advisory [microsoft.com]. (Paraphrased below)

    What about 3rd party solutions?
    Wait. MS'll patch it next week. We'll do it in 23 languages and thoroughly test it.

    Why is it taking so long?
    Our team of "designated product specific security experts" look at the problem, figure out how big it is, then how to fix, then fix it, then test the fix, then port it to all the affected platforms and languages.

  • by Ucklak ( 755284 ) on Tuesday January 03, 2006 @04:22PM (#14386691)
    I wouldn't call it hundreds.
    Even so, it's probably just a few code libraries to check against as I doubt they check against each and every title listed here:
    http://support.microsoft.com/gp/lifeselect [microsoft.com]

    Probably their main concern is the Enterprise level support they have to comply with and NOT rush a patch out.
  • MS workaround (Score:3, Informative)

    by Telepathetic Man ( 237975 ) on Tuesday January 03, 2006 @04:25PM (#14386715)
    The current official suggestion from MS to limit problems is of course to unregister the related driver, shimgvw.dll.
  • FF users (Score:2, Informative)

    by naChoZ ( 61273 ) on Tuesday January 03, 2006 @04:30PM (#14386757) Homepage Journal
    Tip for Firefox users. Adblock extension, add filter, *.wmf, click Ok...
  • by aquabat ( 724032 ) on Tuesday January 03, 2006 @04:32PM (#14386774) Journal
    Fair enough, I guess. I had assumed you meant legal liability. If you exclude legal liability, then it looks like the author of the unofficial patch is equally as liable as Microsoft would be.
  • Patch download sites (Score:2, Informative)

    by Anonymous Coward on Tuesday January 03, 2006 @04:32PM (#14386775)
    here [redhat.com] here [netbsd.org] here [suse.com] here and here [freebsd.org]
  • by antdude ( 79039 ) on Tuesday January 03, 2006 @04:38PM (#14386823) Homepage Journal
    According to this F-Secure's Web log [f-secure.com], it tells what is going wrong with the Windows Metafiles (WMF) vulnerability. It turns out this is not really a bug, it's just a bad design from another era. When Windows Metafiles were designed in late 1980s, a feature was included that allowed the image files to contain actual code. This code would be executed via a callback in special situations. This was not a bug; this was something which was needed at the time. The feature now in the limelight is known as the Escape() function and especially the SetAbortProc subfunction, and has been around since Windows 3.0, shipped in 1990...

    Seen on Digg [digg.com]. This Broadband Reports' security forum thread [broadbandreports.com] mentioned this as well.

    Copied and pasted from my AQFL Web site [aqfl.net].
  • Download (Score:5, Informative)

    by reconn ( 578681 ) on Tuesday January 03, 2006 @04:39PM (#14386827) Homepage
    If you want the patch itself, try here:
    http://isc.sans.org/diary.php?storyid=1010 [sans.org]

    Second time this story came up with no links to the patch.
  • Not good enough... (Score:4, Informative)

    by rewt66 ( 738525 ) on Tuesday January 03, 2006 @04:50PM (#14386939)
    Not all WMF files have the .wmf extension. Some may have .bmp, .gif, .jpeg, or about a dozen others.

    I saw a list a few minutes ago, but I don't remember where...
  • Re:A stupid question (Score:2, Informative)

    by bartman227 ( 943025 ) on Tuesday January 03, 2006 @05:08PM (#14387098)
    Just saw your post, might be a double but have you tried http://www.grc.com/sn/notes-020.htm [grc.com]

    -Bart
  • by Aero ( 98829 ) <erwin71mNO@SPAMgmail.com> on Tuesday January 03, 2006 @05:16PM (#14387160)
    To elaborate, what makes a WMF a WMF is a few magic bytes at the beginning of the file. Windows sees these magic bytes and hands the file off to the GDI for processing, regardless of the extension. Hence the "M" in "WMF".

    It's being disguised as "safe" image files for easier transmission, since the more-awake folks have already blocked *.wmf at the gate. (As a challenge, can anyone see if calling it an HTML file works to trigger the exploit? Or find a site where it's been done?)

    And don't think that visiting "trusted" sites will keep you safe. According to SANS, knoppix-std.org became an unwitting vector for this beast.
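    The two points made in this thread, that Windows identifies a WMF by its header bytes rather than its extension, and that the dangerous feature is the Escape() record with the SetAbortProc subfunction, can be turned into a gateway check. The following is an added example written for this page, not code from any poster or from SANS or F-Secure: it parses the WMF header and record list using field layouts from the WMF format specification, and the sample files it builds are constructed fixtures with no payload.

```python
import struct

PLACEABLE_KEY = 0x9AC6CDD7   # placeable WMF key, stored little-endian: d7 cd c6 9a
META_ESCAPE = 0x0626         # record function for Escape()
META_EOF = 0x0000
SETABORTPROC = 0x0009        # the Escape() subfunction the thread discusses

def strip_placeable(data):
    # Drop the optional 22-byte placeable header so META_HEADER sits at offset 0.
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        return data[22:]
    return data

def is_wmf(data):
    """True if the bytes carry a WMF header, whatever extension the file has."""
    body = strip_placeable(data)
    if len(body) < 18:
        return False
    mtype, hdr_words, version = struct.unpack_from("<HHH", body, 0)
    return mtype in (1, 2) and hdr_words == 9 and version in (0x0100, 0x0300)

def escape_codes(data):
    """Walk the record list and collect the subfunction of every META_ESCAPE."""
    body = strip_placeable(data)
    found, pos = [], 18
    while pos + 6 <= len(body):
        size_words, func = struct.unpack_from("<IH", body, pos)
        if func == META_EOF or size_words < 3:
            break
        if func == META_ESCAPE and pos + 8 <= len(body):
            found.append(struct.unpack_from("<H", body, pos + 6)[0])
        pos += size_words * 2
    return found

def assess(data):
    """Gateway verdict: not a WMF, a plain WMF, or a WMF carrying SetAbortProc."""
    if not is_wmf(data):
        return "not-wmf"
    return "wmf-setabortproc" if SETABORTPROC in escape_codes(data) else "wmf"

def build_wmf(records, placeable=False):
    """Constructed test fixture: META_HEADER + records + META_EOF, no payload."""
    body = struct.pack("<HHHIHIH", 2, 9, 0x0300, 0, 0, 0, 0) + b"".join(records)
    body += struct.pack("<IH", 3, META_EOF)
    if placeable:
        body = struct.pack("<IHhhhhHIH", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0, 0) + body
    return body

SETMAPMODE_REC = struct.pack("<IHH", 4, 0x0103, 1)                  # harmless record
ESCAPE_REC = struct.pack("<IHHH", 5, META_ESCAPE, SETABORTPROC, 0)  # empty escape
```

    Because `assess()` never looks at the filename, a WMF renamed to .jpg or .gif gets the same verdict as one named .wmf, which is the gap an extension-based filter leaves open.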
  • Re:block wmf (Score:3, Informative)

    by Yartrebo ( 690383 ) on Tuesday January 03, 2006 @05:27PM (#14387268)
    It has to do with the MS Windows community expecting extensions to be used to link files to programs exclusively. There is no execute bit in their filesystems. Linux users don't have that mindset. A text file might end in .txt, but it is just as often without an extension. Executables have no extension and anything with .exe is obviously a Win32, Win16, or DOS executable. Linux users also expect data to NOT be given execute privileges.

    I'm surprised virus writers waited until this millennium to finally exploit such a stupid flaw.
  • Re:Exploit! (Score:3, Informative)

    by hey! ( 33014 ) on Tuesday January 03, 2006 @06:07PM (#14387611) Homepage Journal
    Take care: firefox is scarcely less vulnerable than IE. IIRC, FF will ask permission to launch an external application so you'll have to pay attention. It's not impossible that you might be socially engineered into doing this, or that they may be able to exploit this problem in conjunction with some other FF vulnerability.

    Best for now to unregister the WMF dll: regsvr32 -u %windir%\system32\shimgvw.dll

    Or, you can always go the coLinux route.

  • by Anonymous Coward on Tuesday January 03, 2006 @06:47PM (#14387914)
    The author of the unofficial patch recommended uninstalling it before applying any official patches. This is made easier by the fact that he included an uninstaller that shows up in Add/Remove Programs.
  • by mrsbrisby ( 60242 ) on Tuesday January 03, 2006 @07:02PM (#14388057) Homepage
    So, in other words, it does exactly the same thing Unix does for every single executable file.

    No, if it did it exactly the same way UNIX did, then there wouldn't be a problem.

    UNIX only looks up magic headers with using the execve() system call, and not with open()- and only if the file is marked +x - and only if it's on a filesystem marked exec.

    So in other words, you don't know what you're talking about.

    One of the problems here is that Windows' rape victims cannot disable WMF support and continue using Windows: It's part of GDI- a critical system component.

    Another problem is that programs that can be convinced to let GDI display an untrustworthy image are all attack vectors.

    Another problem is that Microsoft is inconsistent with regards to what opens what- ActiveX and COM are designed to hide which program is actually doing work- and it makes it very difficult for regular users to determine if the file they're downloading from an untrustworthy source can be handled safely by a program.

    Yes, that sometimes means file extensions (which are invisible by default), and other times that means magic header handling, and still other times that means a MIME header. All of which seems designed to frustrate the user- since while they don't know exactly what will happen if they start MSN messenger, or visit a web page none of them expect their computer to be eaten by the grues.
  • The problem is... (Score:3, Informative)

    by Svartalf ( 2997 ) on Tuesday January 03, 2006 @07:23PM (#14388196) Homepage
    It's not that it's a GDI bug. It's a DESIGN MISFEATURE- the code does exactly what it's intended to do. The problem is that the feature is NOT secure, not a good idea on a system in the first place, and code and images shouldn't even be USING this thing.

    F-Secure's hack, and yes, it's a hack, is an adequate fix until MS gets their damn hole that's been lurking since Windows 3.1 fixed.
  • YAGAnalisis (Score:2, Informative)

    by omz ( 834760 ) on Tuesday January 03, 2006 @07:59PM (#14388429)
    Gartner joins [gartner.com] the party
  • Re:block wmf (Score:3, Informative)

    by NoOneInParticular ( 221808 ) on Tuesday January 03, 2006 @08:09PM (#14388476)
    Then and now: Microsoft sucks because they use file extensions and if that doesn't execute they use file content and otherwise mime type.

    MS seems to put real effort into executing everything that you throw at it: "hmm, it doesn't end in .exe, .com, .bat, .pif, or what you may have. Ah, maybe it's a Word macro, let's try that. No that didn't work, but wait, let's see if it's a .wmf in drag and execute any code in that. Hmm, it still won't execute, I give up. " I'm really curious what people will come up with next time around. Apart from binary files, batch files, scripts, html, word processing documents, spreadsheets and images: what other stuff could conceivably execute arbitrary code automatically under Windows?

  • Re:block wmf (Score:3, Informative)

    by Shimmer ( 3036 ) on Tuesday January 03, 2006 @09:59PM (#14389100) Journal
    For those interested, here's the relevant portion of the spec [w3.org] (emphasis added):

    Any HTTP/1.1 message containing an entity-body SHOULD include a Content-Type header field defining the media type of that body. If and only if the media type is not given by a Content-Type field, the recipient MAY attempt to guess the media type via inspection of its content and/or the name extension(s) of the URI used to identify the resource. If the media type remains unknown, the recipient SHOULD treat it as type "application/octet-stream".
  • by adjuster ( 61096 ) on Tuesday January 03, 2006 @10:04PM (#14389121) Homepage Journal

    Some people might want to consider the unofficial patch - personally, I wouldn't let it anywhere near the network of 3000+ machines. If something goes wrong, that's a lot of cleaning up to do, and Microsoft will not be interested in helping.

    I rolled the MSI-based [sans.org] version of this patch to around 1,500 client PC's this morning. The MSI cleanly uninstalls and has been tested on the US versions of W2K Server SP4, W2K Pro SP4, WXP Pro Gold, WXP Pro SP1, WXP Pro SP2, W2K3 Gold, and W2K3 SP1.

    Of course, I'm a bit biased, as I'm the guy that spent most of the weekend writing the Custom Action code for the MSI file that SANS is distributing now. Full source for the MSI is available here [wellbury.com].

  • by Nurgled ( 63197 ) on Tuesday January 03, 2006 @10:34PM (#14389239)

    IE has a few different MIME types for which it enables the magic. text/plain, application/octet-stream and text/html all enable this magic, because traditionally web servers have determined content type by file extension and have defaulted to one of these types when they don't have an entry for the file extension given.

    This was a practical problem during PNG's infancy, when Apache's default configuration didn't know what the .png file extension was and just served them as text/plain. Most webmasters who deal with this kind of setup don't know anything about HTTP headers, let alone know how to fix the problem. The IE developers took the approach of implementing this fix in the client to help out such webmasters. IE has many "features" like this to avoid webmasters actually having to be good at being webmasters. In some ways it has been more of a hindrance than a help.

  • by ScaryFroMan ( 901163 ) <scaryfroman@ h o t mail.com> on Tuesday January 03, 2006 @11:04PM (#14389392)
    Got it from some professor at "Yale." The link opens up some WMF file, or at least it tried to, when Firefox asked me what program to open it with. McAfee caught it then too. A txt file was attached. Beware, I suppose. Here's the full text.

    Hello,

    We are very sad to say that over the New Year the Campus was subjected to several acts of mindless vandalism. As well as bricks being thrown through windows, several members of staff have reported their cars as being the subject of practical jokes. Some of these cars were filled with water whilst others had graffiti daubed across them. We have uploaded the pictures of the graffiti here http://playtimepiano.home.comcast.net/ [comcast.net] in the hope that someone may recognise the culprits work. If anyone can shed any light on this unfortunate incident could they please contact the main office as soon as they have time.

    Many Thanks & Best Regards,

    Professor Robert Gordens

    Yale
