Businesses Urged To Use Unofficial Windows Patch
frankie writes "ZDNet is reporting on the latest dire pronouncements about the WMF vulnerability. The problem is so serious that security experts are urging IT firms to use the unofficial patch. Microsoft's current goal is to release the update on Tuesday." From the ZDNet article: "This is a very unusual situation -- we've never done this before. We trust Ilfak, and we know his patch works. We've confirmed the binary does what the source code said it does. We've installed the patch on 500 F-Secure computers, and have recommended all of our customers do the same. The businesses who have installed the patch have said it's highly successful" It's big enough that even mainstream media is covering the flaw.
More details (Score:5, Informative)
http://www.securityfocus.com/bid/16074 [securityfocus.com]
http://www.microsoft.com/technet/security/advisor
http://www.symantec.com/avcenter/venc/data/pf/pws
Re:block wmf (Score:2, Informative)
One could simply block all images, but your boss might be a little miffed when he can't conduct "Internet research".
Re:block wmf (Score:3, Informative)
From http://isc.sans.org/diary.php?storyid=994/ [sans.org] you can find that "WMF files are recognized by a special header and the extension is not needed. The files could arrive using any extension, or embedded in Word or other documents."
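The point above is that a gateway filter keyed on the .wmf extension does nothing; the only reliable check is on content. As an added example (not code from the thread, SANS, or any vendor), here is a small Python sniffer that recognises a WMF by its METAHEADER (and optional 22-byte placeable header) regardless of file name, then walks the record list and flags META_ESCAPE records carrying the SETABORTPROC escape, the record type the WMF exploit abused. All sample files below are constructed inline, not captured malware.

```python
import struct

PLACEABLE_KEY = 0x9AC6CDD7   # Aldus "placeable" metafile header key (little-endian D7 CD C6 9A on disk)
META_ESCAPE = 0x0626         # WMF record function code for Escape()
SETABORTPROC = 0x0009        # Escape sub-function the 2005 WMF exploit abused to run code


def strip_placeable_header(data):
    """Drop the optional 22-byte placeable header so offsets start at the METAHEADER."""
    if len(data) >= 22 and struct.unpack_from('<I', data, 0)[0] == PLACEABLE_KEY:
        return data[22:]
    return data


def is_wmf(data):
    """Content-based WMF check: mtType 1 or 2, mtHeaderSize 9 words, mtVersion 0x0100 or 0x0300."""
    body = strip_placeable_header(data)
    if len(body) < 18:                     # METAHEADER is 18 bytes; anything shorter is not a metafile
        return False
    mt_type, header_size, version = struct.unpack_from('<HHH', body, 0)
    return mt_type in (1, 2) and header_size == 9 and version in (0x0100, 0x0300)


def find_escape_records(data):
    """Walk the record list; return (offset, escape_function) for every META_ESCAPE record."""
    body = strip_placeable_header(data)
    off, found = 18, []
    while off + 6 <= len(body):
        size_words, func = struct.unpack_from('<IH', body, off)
        if size_words < 3:                 # size covers the 4-byte size and 2-byte function fields themselves
            break                          # anything smaller is corrupt; stop rather than loop forever
        if func == META_ESCAPE and off + 8 <= len(body):
            esc_fn = struct.unpack_from('<H', body, off + 6)[0]
            found.append((off, esc_fn))
        if func == 0:                      # META_EOF terminates the record list
            break
        off += size_words * 2
    return found


def classify(data):
    """'not-wmf', 'wmf', or 'wmf-setabortproc' for any blob, whatever its file extension says."""
    if not is_wmf(data):
        return 'not-wmf'
    if any(fn == SETABORTPROC for _, fn in find_escape_records(data)):
        return 'wmf-setabortproc'
    return 'wmf'


# --- constructed sample inputs (hypothetical, built here for the demonstration) ---
def escape_record(esc_fn, payload):
    payload += b'\x00' * (len(payload) % 2)            # records are sized in 16-bit words
    size_words = (4 + 2 + 2 + 2 + len(payload)) // 2
    return struct.pack('<IHHH', size_words, META_ESCAPE, esc_fn, len(payload)) + payload

META_EOF = struct.pack('<IH', 3, 0)

def build_wmf(records):
    body = b''.join(records)
    max_record = max(len(r) for r in records) // 2
    header = struct.pack('<HHHIHIH', 1, 9, 0x0300, (18 + len(body)) // 2, 0, max_record, 0)
    return header + body

def placeable(wmf):
    # key, handle, bounding box (left, top, right, bottom), inch, reserved, checksum (not validated here)
    return struct.pack('<IHhhhhHIH', PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0, 0) + wmf

BENIGN_WMF = build_wmf([META_EOF])
SUSPICIOUS_WMF = build_wmf([escape_record(SETABORTPROC, b'\x90\x90\x90\x90'), META_EOF])
RENAMED_AS_JPG = placeable(SUSPICIOUS_WMF)           # same bytes, served as "photo.jpg"
REAL_JPEG = b'\xff\xd8\xff\xe0' + b'\x00' * 40

if __name__ == '__main__':
    for name, blob in [('benign.wmf', BENIGN_WMF), ('exploit.wmf', SUSPICIOUS_WMF),
                       ('photo.jpg', RENAMED_AS_JPG), ('real.jpg', REAL_JPEG)]:
        print(f'{name:12s} {classify(blob)}')
```

The header check alone is what a mail or proxy filter needs to stop relying on extensions; the record walk is a cheap second signal, since legitimate metafiles rarely carry a SETABORTPROC escape. Truncated or malformed record sizes stop the walk instead of raising, so a crafted length field cannot crash the filter.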
Re:Does MS view this as important? (Score:3, Informative)
What about 3rd party solutions?
Wait. MS'll patch it next week. We'll do it in 23 languages and thoroughly test it.
Why is it taking so long?
Our team of "designated product specific security experts" look at the problem, figure out how big it is, then how to fix, then fix it, then test the fix, then port it to all the affected platforms and languages.
Re:Does MS view this as important? (Score:5, Informative)
Even so, it's probably just a few code libraries to check against as I doubt they check against each and every title listed here:
http://support.microsoft.com/gp/lifeselect [microsoft.com]
Probably their main concern is the Enterprise level support they have to comply with and NOT rush a patch out.
The issue was actually a feature... (Score:5, Informative)
Seen on Digg [digg.com]. This Broadband Reports' security forum thread [broadbandreports.com] mentioned this as well.
Copied and pasted from my AQFL Web site [aqfl.net].
Download (Score:5, Informative)
http://isc.sans.org/diary.php?storyid=1010 [sans.org]
Second time this story came up with no links to the patch.
Not good enough... (Score:4, Informative)
I saw a list a few minutes ago, but I don't remember where...
Re:Not good enough... (Score:3, Informative)
It's being disguised as "safe" image files for easier transmission, since the more-awake folks have already blocked *.wmf at the gate. (As a challenge, can anyone see if calling it an HTML file works to trigger the exploit? Or find a site where it's been done?)
And don't think that visiting "trusted" sites will keep you safe. According to SANS, knoppix-std.org became an unwitting vector for this beast.
Re:block wmf (Score:3, Informative)
I'm surprised virus writers waited until this millennium to finally exploit such a stupid flaw.
Re:Exploit! (Score:3, Informative)
Best for now to unregister the WMF dll: regsvr32 -u %windir%\system32\shimgvw.dll
Or, you can always go the coLinux route.
Re:block wmf - that's the problem (Score:3, Informative)
No, if it did it exactly the same way UNIX did, then there wouldn't be a problem.
UNIX only looks up magic headers when using the execve() system call, and not with open() - and only if the file is marked +x - and only if it's on a filesystem marked exec.
So in other words, you don't know what you're talking about.
One of the problems here is that Windows' rape victims cannot disable WMF support and continue using Windows: It's part of GDI- a critical system component.
Another problem is that programs that can be convinced to let GDI display an untrustworthy image are all attack vectors.
Another problem is that Microsoft is inconsistent with regards to what opens what- ActiveX and COM are designed to hide which program is actually doing work- and it makes it very difficult for regular users to determine if the file they're downloading from an untrustworthy source can be handled safely by a program.
Yes, that sometimes means file extensions (which are invisible by default), and other times that means magic header handling, and still other times that means a MIME header. All of which seems designed to frustrate the user- since while they don't know exactly what will happen if they start MSN Messenger, or visit a web page, none of them expect their computer to be eaten by the grues.
The problem is... (Score:3, Informative)
F-Secure's hack, and yes, it's a hack, is an adequate fix until MS gets their damn hole that's been lurking since Windows 3.1 fixed.
Re:block wmf (Score:3, Informative)
MS seems to put real effort into executing everything that you throw at it: "hmm, it doesn't end in .exe, .com, .bat, .pif, or what you may have. Ah, maybe it's a Word macro, let's try that. No that didn't work, but wait, let's see if it's a .wmf in drag and execute any code in that. Hmm, it still won't execute, I give up." I'm really curious what people will come up with next time around. Apart from binary files, batch files, scripts, html, word processing documents, spreadsheets and images: what other stuff could conceivably execute arbitrary code automatically under Windows?
Re:Software Restriction Policy (Score:3, Informative)
Some people might want to consider the unofficial patch - personally, I wouldn't let it anywhere near the network of 3000+ machines. If something goes wrong, that's a lot of cleaning up to do, and Microsoft will not be interested in helping.
I rolled the MSI-based [sans.org] version of this patch to around 1,500 client PCs this morning. The MSI cleanly uninstalls and has been tested on the US versions of W2K Server SP4, W2K Pro SP4, WXP Pro Gold, WXP Pro SP1, WXP Pro SP2, W2K3 Gold, and W2K3 SP1.
Of course, I'm a bit biased, as I'm the guy that spent most of the weekend writing the Custom Action code for the MSI file that SANS is distributing now. Full source for the MSI is available here [wellbury.com].
Re:Not good enough... (Score:3, Informative)
IE has a few different MIME types for which it enables the magic. text/plain, application/octet-stream and text/html all enable this magic, because traditionally web servers have determined content type by file extension and have defaulted to one of these types when they don't have an entry for the file extension given.
This was a practical problem during PNG's infancy, when Apache's default configuration didn't know what the .png file extension was and just served them as text/plain. Most webmasters who deal with this kind of setup don't know anything about HTTP headers, let alone know how to fix the problem. The IE developers took the approach of implementing this fix in the client to help out such webmasters. IE has many "features" like this to avoid webmasters actually having to be good at being webmasters. In some ways it has been more of a hindrance than a help.
Hey! I just got sent one of these! (Score:3, Informative)
Hello,
We are very sad to say that over the New Year the Campus was subjected to several acts of mindless vandalism. As well as bricks being thrown through windows, several members of staff have reported their cars as being the subject of practical jokes. Some of these cars were filled with water whilst others had graffiti daubed across them. We have uploaded the pictures of the graffiti here http://playtimepiano.home.comcast.net/ [comcast.net] in the hope that someone may recognise the culprits' work. If anyone can shed any light on this unfortunate incident could they please contact the main office as soon as they have time.
Many Thanks & Best Regards,
Professor Robert Gordens
Yale