Businesses Urged To Use Unofficial Windows Patch

frankie writes "ZDNet is reporting on the latest dire pronouncements about the WMF vulnerability. The problem is so serious that security experts are urging IT firms to use the unofficial patch. Microsoft's current goal is to release the update on Tuesday." From the ZDNet article: "This is a very unusual situation -- we've never done this before. We trust Ilfak, and we know his patch works. We've confirmed the binary does what the source code said it does. We've installed the patch on 500 F-Secure computers, and have recommended all of our customers do the same. The businesses who have installed the patch have said it's highly successful." It's big enough that even mainstream media is covering the flaw.
  • by JonN ( 895435 ) * on Tuesday January 03, 2006 @04:10PM (#14386579) Homepage
    So if this vulnerability is high on the seriousness level, is anyone else wondering the same thing as I am; How and why is it that Microsoft is days behind a third party in releasing a security patch? I mean this is hitting mainstream media, and Microsoft's security patch response team is being bested by some 'guy'?

    It brings interesting schemes into my mind. Oh don't mind me, I'm just going to grab my tin foil hat.

  • by travisco_nabisco ( 817002 ) on Tuesday January 03, 2006 @04:13PM (#14386604)
    It looks like Microsoft is allowing its user community to patch problems before it can. Oh no!! That sounds a lot like how the Linux community works. Is this going to be a more common occurrence as time goes on?
  • block wmf (Score:2, Interesting)

    by pizzaman100 ( 588500 ) on Tuesday January 03, 2006 @04:15PM (#14386620) Journal
    Why not just block wmf files at your corporate site? That would be easier than applying an unofficial patch on all the systems, and then having to roll it back when the official MS patch comes out.
  • by PIPBoy3000 ( 619296 ) on Tuesday January 03, 2006 @04:16PM (#14386630)
    If you're curious as to what all they do, you can take a look here [eweek.com]. A sample quote from the article:

    In some cases, particularly when the Internet Explorer browser is involved, the testing process "becomes a significant undertaking," Toulouse said. "It's not easy to test an IE update. There are six or seven supported versions and then we're dealing with all the different languages. Our commitment is to protect all customers in all languages on all supported products at the same time, so it becomes a huge undertaking."
  • by PinternetGroper ( 595689 ) on Tuesday January 03, 2006 @04:16PM (#14386632)
    I would rather wait a few days to ensure this patch doesn't break anything else than receive a MS fix now that causes more headaches than it fixes. I've been down that road way too often. I would imagine they are making sure everything is working the way it is supposed to before releasing it...
  • by winkydink ( 650484 ) * <sv.dude@gmail.com> on Tuesday January 03, 2006 @04:21PM (#14386680) Homepage Journal
    Not to trivialize the severity of this current problem, but ever notice that regardless of the severity or type of problem/virus/etc... there's always a press release from F-Secure?

    Also, the quote in the headline is from F-Secure recommending installation of the 3rd party patch, not from ZDNet as the headline may lead you to believe.
  • by frankie ( 91710 ) on Tuesday January 03, 2006 @04:25PM (#14386718) Journal

    This article isn't anything like the one that I submitted.

    • 2006-01-03 17:15:05 No Microsoft WMF update until next week (Index,Windows) (accepted)

    Mine looked more like this (body content from memory):

    " The usual suspects [google.com] are reporting Microsoft's latest announcement about the WMF vulnerability (link to previous /. article). To quote (link to MS technet article): "Microsoft's goal is to release the update on Tuesday, January 10, 2006, as part of its monthly release of security bulletins." So do you install the unofficial patch (link to previous /. article), or cross your fingers for a week?"
  • by Spazntwich ( 208070 ) on Tuesday January 03, 2006 @04:28PM (#14386744)
    will be to compare the Microsoft released patch to the unofficial one.

    It would be deliciously muddying for Microsoft if someone discovered significant parts of the unofficial patch in the official one.
  • avast (Score:2, Interesting)

    by game kid ( 805301 ) on Tuesday January 03, 2006 @04:33PM (#14386782) Homepage
    One site (maybe one of ebaumsworld's ads, I believe--I won't link there) tried to do something with it. avast! [avast.com] alerted me with its usual "Caution. A virus has been detected" sound and "abort connection" dialog and all of that. Don't know if it succeeded (nothing unusual now, though my browser did show a naughtier site instead that time; I visited a few times again and it showed my intended site as usual, with much less naughtiness)
  • by OneSeventeen ( 867010 ) * on Tuesday January 03, 2006 @04:48PM (#14386924) Homepage Journal
    Is it possible to use the .wmf exploit to install the .wmf exploit patch?

    It's good to see that Microsoft is keeping things consistent in this new year. As an administrator, I was worried I would have to learn something new. Rinse, lather, patch, repeat.
  • by fak3r ( 917687 ) on Tuesday January 03, 2006 @04:53PM (#14386967) Homepage
    No problem, always happy to share, but WTF? Can't they call the company whose malware remover gets installed? Why can't they ask them some questions or lean on them to uncover the originator of this scam?
  • by doormat ( 63648 ) on Tuesday January 03, 2006 @04:53PM (#14386968) Homepage Journal
    Yesterday (Jan 2). All 1300+ computers got patched and rebooted. I'm patching my home computers tonight...
  • Re:block wmf (Score:5, Interesting)

    by Shimmer ( 3036 ) on Tuesday January 03, 2006 @05:25PM (#14387245) Journal
    That's great, but it's all irrelevant. The HTTP 1.1 protocol says that a browser shouldn't try to guess the MIME type of a document if it's specified by the server. IE ignores this and tries to guess the MIME type anyway.

    Note the key difference between an OS (your example) and a browser (reality).
  • by WoTG ( 610710 ) on Tuesday January 03, 2006 @05:49PM (#14387457) Homepage Journal
    Will Windows Update be able to overwrite the unofficial patch when the official one is released? Does WU do a hash check of some sort to verify if the files that it is replacing are versions that it is allowed to replace?
  • Re:MS workaround (Score:1, Interesting)

    by Anonymous Coward on Tuesday January 03, 2006 @06:01PM (#14387553)
    That's not nearly enough: the real culprit seems to be gdi32.dll.

    shimgvw.dll calls gdi32.dll's Escape() function using SETABORTPROC. How many other dlls do the same? (The unofficial patch is supposed to ignore that parameter when Escape() is called.) How many other parameters allow for similar exploits?

    And just try to run a Windows machine with gdi32 unregistered... look ma, no graphics!

    This sucks, big time.
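The two threads above (blocking WMF at the gateway, and the META_ESCAPE/SETABORTPROC record that shimgvw.dll hands to gdi32.dll) can be put together in a content-based scanner. The following is an added example written for this page, not code from the original post, from Guilfanov's patch, or from any vendor: it identifies WMF by its bytes rather than by extension or Content-Type (the point of the "IE sniffs the MIME type anyway" reply), walks the metafile records, and flags any META_ESCAPE record whose escape function is SETABORTPROC (0x0009), plus the malformed record sizes that exploit files tend to carry. The sample files it scans are constructed inline; the builder helpers (build_wmf, record) and the placeable-header checksum are my own, written from the public WMF layout (22-byte placeable header with key 0x9AC6CDD7, 18-byte META_HEADER, records of a 32-bit size in words followed by a 16-bit function code).

```python
"""Content-based WMF detector that flags the SETABORTPROC escape record.

Added example for this discussion; not code from the original page.
Layout constants follow the public WMF (Windows Metafile) format.
"""
import struct
from functools import reduce

PLACEABLE_KEY = 0x9AC6CDD7   # "APM" placeable header magic (bytes D7 CD C6 9A)
META_EOF = 0x0000
META_SETMAPMODE = 0x0103
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009        # escape function that registers an abort callback


def is_placeable(data):
    return len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY


def looks_like_wmf(data):
    """Recognise a WMF by its bytes, ignoring file name and Content-Type."""
    if is_placeable(data):
        return True
    if len(data) >= 18:
        mtype, hdr_words = struct.unpack_from("<HH", data, 0)
        return mtype in (1, 2) and hdr_words == 9   # META_HEADER is 9 words
    return False


def parse_records(data):
    """Return ([(offset, function, params)], [problems]) for the record stream."""
    records, problems = [], []
    off = (22 if is_placeable(data) else 0) + 18
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        size = size_words * 2
        if size < 6 or off + size > len(data):
            problems.append("malformed record size %d at offset %d" % (size_words, off))
            break
        records.append((off, func, data[off + 6:off + size]))
        off += size
        if func == META_EOF:
            break
    else:
        problems.append("no META_EOF record")
    return records, problems


def scan_wmf(data):
    """List of findings for a blob; empty list means nothing suspicious."""
    if not looks_like_wmf(data):
        return []
    records, findings = parse_records(data)
    for off, func, params in records:
        if func == META_ESCAPE and len(params) >= 2:
            if struct.unpack_from("<H", params, 0)[0] == SETABORTPROC:
                findings.append("META_ESCAPE with SETABORTPROC at offset %d" % off)
    return findings


# --- constructed sample files (helpers written for this example) ---------

def record(func, params=b""):
    assert len(params) % 2 == 0, "WMF records are word-aligned"
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def build_wmf(records, placeable=False):
    body = b"".join(records) + record(META_EOF)
    max_words = max(len(r) // 2 for r in records + [record(META_EOF)])
    total_words = (18 + len(body)) // 2
    header = struct.pack("<HHHHHHIH", 2, 9, 0x0300,
                         total_words & 0xFFFF, total_words >> 16, 0, max_words, 0)
    if placeable:
        head20 = struct.pack("<IHhhhhHI", PLACEABLE_KEY, 0, 0, 0, 0, 0, 96, 0)
        checksum = reduce(lambda a, b: a ^ b, struct.unpack("<10H", head20))
        header = head20 + struct.pack("<H", checksum) + header
    return header + body


BENIGN_WMF = build_wmf([record(META_SETMAPMODE, struct.pack("<H", 8))])
# Escape record carrying SETABORTPROC; the 4 filler bytes stand in for whatever
# an exploit would place there. Served as "photo.jpg" it is still caught.
SUSPECT_WMF = build_wmf(
    [record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + b"\x90\x90\x90\x90")],
    placeable=True)
NOT_WMF = b"\x89PNG\r\n\x1a\n" + b"\x00" * 24


if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_WMF), ("suspect", SUSPECT_WMF), ("png", NOT_WMF)):
        print(name, looks_like_wmf(blob), scan_wmf(blob))
```

The scanner takes bytes only, so it behaves the same whether the file arrives as `x.wmf`, `x.jpg`, or under an `image/jpeg` Content-Type; that is what an extension filter misses. Note the trade-off raised later in the thread: SETABORTPROC is a legitimate escape when printing, so a gateway that drops every file this flags will also drop some genuine print-oriented metafiles, which is the same compatibility cost the unofficial patch pays by ignoring that escape.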
  • Re:Bullshit. (Score:3, Interesting)

    by Pxtl ( 151020 ) on Tuesday January 03, 2006 @06:14PM (#14387678) Homepage
    Of course, there's also another question with the WMF patch: many programs still allow exporting to WMF. There wasn't really much of a standard vector graphics format for win32 for a long time - iirc during my undergrad, I would frequently export my Matlab, Maple, and Autocad images to EMF before importing them into Word.

    Early on, I distinctly remember using WMF, mostly because I assumed something with Windows in the name would have better support from Word and the operating system. Presumably other users made the same mistake.

    Will we be opening old documents and finding the images broken if this patch disables part of the MS WMF parsing ability?
  • by ArghBlarg ( 79067 ) on Tuesday January 03, 2006 @06:25PM (#14387772) Homepage
    This may sound mean-spirited but I think in this case, and any like it, I couldn't blame the security community if it just threw up its hands and said:

    "Oh, what a horrible situation -- we could issue our own fix that we've written to help you out, MS -- it's ready to go, we know it works -- but due to the DMCA, Trusted Computing, numerous restrictive MS EULAs and the general legal climate you and other large proprietary software vendors have created, we are genuinely afraid to release our change, as it has required us to disassemble, reverse-engineer and generally do things that you would sue us for. Sorry. Good luck to your *own* patch team."

    Why, from a moral standpoint, should anyone help MS do their QA? They certainly have proven themselves willing to sue anyone for any number of reasons relating to reverse-engineering their code -- after all, their philosophy is that no one outside of their teams should know about the OS internals in this way.

    They can't have it both ways -- either welcome the users' rights to improve the system they paid for, or don't.

    (Yes, I realize that this patch was made to benefit the public in general, and to defend everyone's systems, not directly to benefit MS. But MS does get a free lunch out of this, in some respects.)
  • by OmniChamp ( 874914 ) on Tuesday January 03, 2006 @06:26PM (#14387779)
    I understand that most technical writers are just trying to target the masses and trying to keep it simple for them. However, the reason for that is to convey the message accurately. I put emphasis on that since they are the ones reaching the "Normal People" and have their attention and their trust. Of all people that should watch their use of buzzwords or technical jargon, it's them. As a self-proclaimed geek, I can holler out all the misuses of terms in the mainstream media until I'm blue in the face (or more efficiently and painlessly, post them on some website), but I won't reach as many people as they do. So I'm in agreement with the grandparent post on this one. Words do matter and the ones with the responsibility to use them correctly should do so with greater prejudice. I, on the other hand, will watch from the stands and throw beer cans at them once in a while.
  • by Phatmanotoo ( 719777 ) on Tuesday January 03, 2006 @07:31PM (#14388259)
    Like antdude [slashdot.org] said above, the real problem with this is that the exploit affects something which is actually a feature of WMF files. A feature which is used by certain apps.

    I have witnessed first hand how Guilfanov's unofficial patch [hexblog.com] will break some legacy apps. The one in question was a 16-bit app (based on Access 2.0). After applying the patch, it was impossible to print some forms (we received an error). Sure, we uninstalled the patch and printing was OK again.

    So therefore the interesting thing about the upcoming Microsoft patch is, how are they going to patch the hole without breaking the legitimate uses of the affected gdi functions???

  • Re:Are you kidding? (Score:2, Interesting)

    by SleepyHappyDoc ( 813919 ) on Tuesday January 03, 2006 @08:26PM (#14388587)
    It has nothing to do with how Microsoft does business. I'm just saying that your example of the Linux kernel hacker who patches a flaw and gets a whole free OS in return doesn't have to be diametrically opposed to what this individual has done, just that the benefits he will receive will differ. I agree with you, in that Microsoft should not receive the benefits of an open source environment without doing their part. Maybe Microsoft should give this guy a job...?
  • by Anonymous Coward on Tuesday January 03, 2006 @08:31PM (#14388628)
    Out of curiosity, I checked for this dll on PCs with Windows 3.1, Windows 95, Windows 98, and Windows NT 4.0. There is no trace of its existence anywhere. I also checked File Manager on all these OSes by clicking File - Associate and then checked to see if .wmf was registered. It was not in any of those cases.

    Naturally, the dll and the file association exist on Windows XP. (I copied NT 4's File Manager over to verify that it opens with rundll32.)

    Does anyone know if older versions of Windows are impacted in any way? Is there a Proof Of Concept out there that I can use to verify?
  • Re:The problem is... (Score:3, Interesting)

    by lysergic.acid ( 845423 ) on Tuesday January 03, 2006 @10:12PM (#14389163) Homepage
    More importantly, any 3rd party program that incorporates the use of WMF should be redesigned. You can't fix a vulnerability caused by a data structure that is insecure by design and still try to allow programs using WMF to function as normal. The logical thing to do would be to remove WMF implementation from Windows--thus disabling any application that uses WMF and is essentially a vector for potential exploits, then leave it up to the various 3rd party application authors to fix their own design flaws, which should be relatively easy--just stop relying on WMF.
