Windows XP Flaw 'Extremely Serious'

scottott wrote to mention a Washington Post article with the news that the security hole we mentioned on Wednesday has widened. Computers can now be infected just by visiting infected web sites, or looking at images in the preview panel of older versions of Outlook. From the article: "At first, the vulnerability was exploited by just a few dozen Web sites. Programming code embedded in these pages would install a program that warned victims their machines were infested with spyware, then prompted them to pay $40 to remove the supposed pests. Since then, however, hundreds of sites have begun using the flaw to install a broad range of malicious software. SANS has received several reports of attackers blasting out spam e-mails containing links that lead to malicious sites exploiting the new flaw, Ullrich said."

Late breaking news from the article:

[Anonymous Coward]

"Mac and Linux computer users are not at risk with this attack, even if their computers run Microsoft programs such as Office or the Internet Explorer Web browser."

Amazing!

Re:Late breaking news from the article:

[Anonymous Coward]

Er... Microsoft Office and Internet Explorer do run on Linux using wine.

Re:Late breaking news from the article:

[$RANDOMLUSER]

Er.... Mac and Linux machines are no more succeptable to Windows XP exploits than you are to kennel cough or feline leukemia.

Re:Late breaking news from the article:

[operagost]

I'm a cat, you insensitive clod! *cough*

Re:Late breaking news from the article:

[Stargoat]

Goddamn furries. Never had to deal with them before the Internet.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:Late breaking news from the article:

[$RANDOMLUSER]

At the risk of getting cluelessly flamed again:

1) Yes, Virtual PC and WINE allow you to run Microsoft programs like Internet Explorer and Office.
2) The vulnerability is in the Microsoft Windows Graphics Rendering Engine, which is a part of the Windows kernel, and is why the exploit affects Windows versions from Win98 to WinXP.
3) Virtual PC and WINE running under Linux do not use the Microsoft Graphics Rendering Engine.
4) Even if they did, a Windows program trying to run in a Linux environment is a fish out of water, and can't do much besides SEGFAULT and exit.
5) Therefore, Linux (and Mac) users are safe, even if they are running IE or Office - just like the article said.

Re:Late breaking news from the article:

[bushidocoder]

Not to be nitpicky, but the graphics rendering engine is not entirely in the kernel on 2000/XP/2003. Most of it is in the Win32 subsystem which runs in userspace.

The graphics rendering engine is divided between the Win32 subsystem which is a user process (csrss.exe), and the Win32 executive (Win32.sys) which actually runs in kernel space. The portion of the graphics system in the executive is limitted almost exclusively to the actual displaying of images and direct interaction with the drivers that interface with the display hardware. I'm not 100% sure, but I can't ever recall there being a vulnerability found in this part of the executive.

This specific vulnerability, like almost all image processing vulnerabilities, occurs in the image format parser, which is in the Win32 subsystem. As such its not in the kernel and runs in standard user scope. I know this doesn't change the point you were trying to make, which was the vulnerability doesn't occur on other systems. I just wanted to correct the statement about it being a kernel vulnerability.

Re:Late breaking news from the article:

[$RANDOMLUSER]

I agree with all of that. Hell, I still tend to think of it as gdi.exe, which is about the last time I cared what Windows internals really looked like. But this "bug" is even better than that - it's not in the image format parser, it's in the freakin' WMF API!!! Believe it or not, WMF files are allowed to have callback functions (user or kernel mode unknown by me) in them - in other words a (picture) data file can contain executable code to "help" Windows display it!! <drools, whaps forehead> It gets better: change the file extension to "jgp" or "gif" or another image type, hell, probably any file type that has a custom icon/is previewable, and Windows will look at the file and go "oh - that's really a WMF file - I know what to do..." (I'm dyin' here). Even Windows Explorer (with thumbnails enabled) will execute the code if you look at a directory that contains one of these files.

If there ever was a smoking-gun lead-pipe indictment of Microsoft's sloppy love of whizzo features, security, stability, maintainability, administerability be damned; this has GOT to be it. If the filetype API is that flawed, we need to just get rid of .WMF files, period.

Re:Late breaking news from the article:

[Cyberax]

That's because Windows understands structered storage format natively and owner application's GUID is stored as the first entry.

Re:Late breaking news from the article:

[bushidocoder]

Actually, there's a fantastic book about the Windows internals called Microsoft Windows Internals, Fourth Edition [amazon.com] by Mark Russinovich. Every Windows programmer should have this book. Even if your work is entirely in .NET, its important to know why some of the decisions in .NET were made as they were, and its also vitally important to know exactly how Windows handles process security.

Re:Late breaking news from the article:

[ConceptJunkie]

Try this book out:

http://www.sysinternals.com/WindowsInternals.html? v=glance&s=books/systemsinternals [sysinternals.com]

I read a good chunk of it and it gets down and dirty... and yes, you're right. It's not really stuff that is useful for an application developer.

Re:Late breaking news from the article:

[Bush Pig]

What on earth are you talking about? I was so confused by your comment I thought I'd better consult Andy Tanenbaum's "Modern Operating Systems". You are absolutely and completely wrong.

Kernels are called kernels, and executives are called pointy-haired bosses. I don't see how you could have got the two classes of objects confused.

Re:Late breaking news from the article:

[jasen666]

Same as IE. It's in the way Windows processes and displays this type of image file, so it doesn't matter what program is displaying the image.
At least in Firefox, you will get a prompt asking you to run the script before it executes. So as long as you always remember to click on "Hell NO", you should be pretty safe.

Another /. dupe

[Anonymous Coward]

Guys, you keep posting that same story about a serious security flaw in Windows.

Re:Another /. dupe

[Anonymous Coward]

Since last time it has been reportet that this can also be exploited by renaming infected wmf files to other image formats like jpg, gif and tif:
http://www.securityfocus.com/archive/1/420378/30/0 /threaded [securityfocus.com]

Re:If Windows Were Open Sourced

[Frank T. Lofaro Jr.]

Games should not be doing the kind of things that need Administrator privilege to do!

They have no business doing that, people without Admininstrator should be able to play, anything running as Administrator (or in that group) can do great damage (e.g. virus infections, file deletion, even destroy the BIOS), and doing things that require Administrator wrongly can also trash the system (accidently corrupting a DLL, locking up hardware, etc).

There is a RunAs on Windows, and it is useful for doing sys admin stuff only when needed. It would be nice if it could be configured that a browser run by Administrator (lets say to need to Google for a solution to a problem you are working on) would drop privs (but even Linux doesn't do that).

But my main point is games and other user programs should need Administrator.

Windows development culture is insecure

[ChaosDiscord]

Games should not be doing the kind of things that need Administrator privilege to do!

It's the core security problem of Windows: the development culture doesn't respect security. Developers went for decades of DOS and Windows 3.1/9x without needing to worry about users and permissions. So they got used to assuming they could write whereever they wanted. When real user seperation and permissions became mainstream with Windows 2000 and XP, they weren't prepared to change. Because so much software required full access the easiest way to get stuff running is to run in an Administrator account. And since so many people (developers included) run as Administrator, why bother doing the right thing? Games are usually guilty, but there are piles of business and research software that is equally guilty. My brother is a sysadmin for a research lab. To keep Administrator access out of users hands, he has to bend of backwards to get the machines running the software his users need. A 2005 release of a $3,000 package that refuses to be placed in a directory with whitespace or a tilde, meaning it can't be installed in C:\Program Files. A $500 package that demands write access to a file in the C:\Windows directory.

This is one case where backward compatibility came at the expense of security. The development culture is moving too slowly. Bigger companies are starting to do the right thing and you get the occasional smaller development house following the rules. The killer is that huge mass of more specialized software. Apple bit the bullet when they cut over to Mac OS X; software had to do the right thing or it stopped working. Microsoft needs to make such a dramatic change or we'll be putting up with this bullshit for at least another five years.

Re:If Windows Were Open Sourced

[0racle]

How many people actually watch what their package manager installs. Or actually looks at the running processes that are chugging away on their Linux box. Far too many people, I would even say most, believe they are and always will be invulnerable to anything simply because the logo for their OS is a penguin.

To answer your question, its not unless you make regular backups of your important data. If you made backups the system itself would be unaffected and you would have save versions of your important fi

Browser appliance

[QuaintRealist]

If you use Windows, go get the vmware browser appliance and use it - connecting to the internet through a virtual machine is like wearing gloves in the OR - it's just common sense.

http://www.vmware.com/vmtn/vm/browserapp.html [vmware.com]

Re:Browser appliance

[the_humeister]

are you able to download files to the host machine with that? the description doesn't give much info

Keydrive

[QuaintRealist]

As another reply noted, you could use SAMBA, but the easiest way for me is to save them to a USB key drive.

MOD PARENT UP

[brunes69]

If all you are doing is browsing the web, there is absolutely no reason to not do it in a sandbox. In fact, I don't get why all browsers run in sandboxes. Why do they *ever* need access to the host OS? If they need to save downloaded files, they can do so via a mounted share. At least in a sandbox they cannot execute privilidged code, at most they could infect executabes on said share.

Re:MOD PARENT UP

[peragrin]

Well if you run a real OS, then the browser runs only with the permissions of a particular user. Windows which has some security is designed to bypass that secuirty to give users an edge. So your screwed.

Take the number of *Nix viruses (included, BSD's, Linux, Unix, etc) and compare that to the number of windows viruses that showed up in the past 2 years alone.

MSFT doesn't care about security. Vista is a step in the right direction but they are keep way to much of the old code base for it to be useful fo

Re:MOD PARENT UP

[bushidocoder]

Windows which has some security is designed to bypass that secuirty to give users an edge.

What the hell are you talking about? If you're referring to the fact that default home users run as a Administrator or Poweruser by default, you're right, that's a mistake, but its a policy mistake, not a technology mistake. Windows lets you run as a lesser user, its just that by default you don't. Internet Explorer runs 100% in userland. There is no part of Internet Explorer which runs in the kernel. None. Although Internet Explorer certainly has more holes than Firefox, they are both limitted to the same order of magnitude of potential damage. The same as on other "real OSes".

Re:MOD PARENT UP

[drsmithy]

Have you ever actually tried to run Windows XP as a non-admin user? You can't install any new USB devices, and on about 1/2 of the devices I've tried, you need admin rights to plug them in whether or not the drivers have been previously installed. I tried to set my dad up that way, and after about a day we both agreed it was hopeless. He's got a digital camera, card reader, printer/scanner, and VoIP headset all of which need Admin rights *JUST TO BE PLUGGED IN*. It's not a policy mistake if the "correct" po

Re:MOD PARENT UP

[ReTay]

That would prove nothing as Unix OS's don't have near the Desktop marketshare of Windows, not do they have the same type of userbase.

Bull if that tired old BS was true then would you care to compare IIS to Apache?
Using the same criteria of course. Apache the market giant VS IIS the positions are almost reversed. But once again MS winds up with the lions share of the remote root exploits. Now how does that figure with the claim that market share = number of exploits?

Re:MOD PARENT UP

[PenguiN42]

Yes, seriously. That old knee-jerk meme of "IIS vs Apache disproves the myth of exploits due to install base" has to die. Yet someone invariably posts it, and they invariably get modded up. I just hope a few rational mods find your post quickly.

Not to mention that the OP seems to have confused the issue of "exploits" with the issue of "user permissions" which is what was actually being talked about.

Re:MOD PARENT UP

[Aglassis]

Use

runas /user:root_user "Whatever command goes here"

Note: 'root_user' is whatever you have renamed your 'Administrator' account. You have renamed your 'Administrator' account, right?

If you need a command prompt use

runas /user:root_user cmd

If you need IE for a Windows update use

runas /user:root_user "C:\program files\internet explorer\iexplore.exe"

and then go to the Windows Update site. If you need to do filebrowsing as a superuser use the same command, but then type "c:" in the address box.

There is almos

Re:MOD PARENT UP

[Johnno74]

If you enable the option on windows explorer "start each folder window in a new process" then you can then use the "runas" trick to start an explorer (NOT internet explorer) window that is running as admin.

Re:MOD PARENT UP

[PenguiN42]

Boy that's a tired old argument.

That doesn't make it false.

The first thing that would happen is that you'd have been told that a program was trying to execute for the first time. And you'd have to agree to explicitly allow it.

Interesting... I haven't used OSX much, but I have downloaded programs to friends' OSX boxes, and run them, and gotten no such prompt. In which cases does the OS ask you this?

Also, this example doesn't apply to Linux, so the argument isn't quite tired and old yet.

And then, even if you

Uploads

[jaredmauch]

Well, ideally the browser has some hooks in place to protect the user somewhat, but the challenge becomes when you have a few million users where they want to upload digitial pics to granny and don't understand what a "share" is. There's also all those java apps that actually do fancy things. You really need to make it consumer friendly. That's what the Mozilla teams have done with their auto-importing of IE favorites, etc..

My browser touches all sorts of things in the host OS, from the sound card to files that I upload and download. Luckily when I get AIM spam for foo.exe or some other sillyness I don't get far unless I type 'wine foo.exe', then even then ;-)

The true challenge is how to dial in the security to a reasonable level. Problem is getting all the millions of programmers to adopt more secure standards combined with the users, IT managers, etc.. that deploy the apps on desktops. Then, getting that out across the millions of home users too. Daunting task.

Re:Uploads

[COMON$]

I agree with you, but having an all-in-one browser is just keeping people from thinking. People need to learn to apply the same basic knowledge about the non-computer world to the virtual world. When you buy a car, you get something with style that you can afford. When you want a cup of coffee you buy a coffee machine. When you want to take a picture you buy a camera. You dont go out and buy a car that brews coffee, takes pictures, and does your dishes automatically.

This thinking doesnt require a pa

Re:MOD PARENT UP

[Thuktun]

At least in a sandbox they cannot execute privilidged code, at most they could infect executabes on said share.

Depends on your level of safety in the sandbox. Do not some versions of Windows have protected-mode device drivers--you know, for speed reasons? If you didn't have image-rendering and sound-playback also handled by the sandbox--also for speed reasons--then it might be possible to escape the sandbox given the right kind of vulnerability in the device driver.

I would hope VMWare fully simulates all

Re:Browser appliance

[juhaz]

Too bad there was VMWare vulnerability [secunia.com] just a week ago that allows guest to execute abritrary code on host system.

Re:Browser appliance

[BushCheney08]

* Also availiable in "Redmond Cherry"(tm) flavor.

Dude, that cherry was popped a loooooong time ago. And it's been used repeatedly since then...

Temporary Solution

[Hank Chinaski]

run

regsvr32 -u %windir%\system32\shimgvw.dll

until a patch is released.

Re:Temporary Solution

[TrueBuckeye]

Keep in mind that this will disable thumbnail previews. Some have experienced problems opening any image file after unregistering this dll.

It isn't a bad idea to do, but before you do it in an enterprise environment, be sure you test it and are ready for the calls it will cause.

Re:Temporary Solution

[Utopia]

Even better permanent solution. Turn ON DEP on all programs.

From http://www.microsoft.com/technet/security/advisory /912840.mspx [microsoft.com]

I have software DEP enabled on my system, does this help mitigate the vulnerability?
Yes. Windows XP Service Pack 2 also includes software-enforced DEP that is designed to reduce exploits of exception handling mechanisms in Windows. By default software-enforced DEP applies to core operating system components and services. This vulnerability can be mitigated by enabling DEP for all programs on your computer.

Re:Temporary Solution

[pete-classic]

A more useful link [microsoft.com].

-Peter

What about Microsoft's Nov 8 patch?

[Kurt Gray]

Didn't Microsoft already release a patch for this on Nov 8th? According to Symantec's info page [symantec.com] on this attack directs you to this Microsoft bulletin [microsoft.com] links to patches for each Windows release.

Re:What about Microsoft's Nov 8 patch?

[bflong]

No. It's another exploit in the same system:
http://www.kb.cert.org/vuls/id/181038 [cert.org]

Well, Duh...

[__aaclcg7560]

When is a Windows flaw ever not extremely serious?

Re:Well, Duh...

[Foofoobar]

When is a Windows flaw ever not extremely serious?

Oh wait... I know this joke...

When it's a feature :)

Re:Well, Duh...

[COMON$]

You must be one of those people who dont believe that the outside world affects you. What you do doesnt make much difference, it is the other 10 billion idiots out there, having linux at home and in your business doesnt help you much when 80% of the world is down.

at work on a M$ machine

[Alchemar]

Would someone tell me if the "just by visiting an infected site" link, is a link to an infected site, or an article about the infected sites?

Re:at work on a M$ machine

[Imsdal]

Your sarcasm detector is broken. Please replace it immediately. Thanks!

Re:at work on a M$ machine

[J0nne]

Call me a pedantic bastard...

Pedantic Bastard!

Is there anything else you want me to call you?

Real easy (temp) fix.

[Murphy Murph]

Start-->Run-->regsvr32 /u shimgvw.dll

You lose thumbnail view, and a few other (minor) built-in-Windows-picture-viewing tools break, but you use IrfanView anyway, don't you?

Re:Real easy (temp) fix.

[elrous0]

Start-->Run-->regsvr32 /u shimgvw.dll

Good idea. But how do you "reactivate" this feature once a patch is released? I use Ifranview, but I also depend heavily on the thumbnail feature in explorer.

-Eric

Re:Real easy (temp) fix.

[discordja]

just "regsvr32 shimgvw.dll" the DLL back in. the /u is merely a flag to unregister it.

Re:Real easy (temp) fix.

[value_added]

Start-->Run-->regsvr32 /u shimgvw.dll

Good idea. But how do you "reactivate" this feature once a patch is released? I use Ifranview, but I also depend heavily on the thumbnail feature in explorer.

Sigh. I do wish people would offer some information with their click here/type-this instructions so people would understand WTF they're doing.

regsvr32 - This command-line tool registers .dll files as command components in the registry.
 
regsvr32 /u /s /n /i[:cmdline] dllname
 
/u unregister server
/s silent
/i call DllInstall passing it an optional cmdline, when
        used with /u calls dll uninstall
/n do not call DllRegisterServer; this option must be used
        with /i

To register (or re-register) the dll:

regsvr32 shimgvw.dll

To run the command, you can use a console window (cmd.exe), or the Run dialog box (accessible from the Start Menu).

Who da booty?

[smittyoneeach]

Look, Mr. Softy has become the richest outfit on earth by understanding the fundamental truth: people are sheep.
You can lead those sheep to water, but it's going to take an enema to spare them from death by dehydration, oral methods carrying too great a drowning risk.
I guess that may have sounded negative.

Sorry to say it got me

[aka_big_wurm]

I needed a bit of underground info(cd key) and went to the best site for that and with out thinking I used IE -- couldent have shut my browser down fast enough.

Spent the next few hours removing all the junk that installed, I was lucky no root kits were installed.

Re:Sorry to say it got me

[J0nne]

I was lucky no root kits were installed

How can you tell?

RootKit Revealer

[aka_big_wurm]

http://www.sysinternals.com/utilities/rootkitrevea ler.html [sysinternals.com]

Re:RootKit Revealer

[GigsVT]

You can't prove a rootkit doesn't exist on your system, unless you have a checksum database on read only media, and some sort of hardware (not firmware) method of computing those checksums.

You can't even be reasonably sure of it without at least some checksumming system like tripwire.

All you are doing is scanning for certain known rootkits. That's a weak strategy that's reactive and guaranteed to fail some of the time.

Re:Sorry to say it got me

[molnarcs]

Never ever visit astalavista from windows, not even in Firefox - even using firefox, free-av catched ~10 viruses that tried to execute while only visiting the site, and searching for my lost cd key (well, lost CD to be precise, taht came with my TV card, with the only app that worked for me).

Gotta love it...

[Chmcginn]

From the article:

Reavey encouraged users to update their anti-virus software, ensure all Windows security patches are installed, avoid visiting unfamiliar Web sites, and refrain from clicking on links that arrive via e-mail or instant message.

(Emphasis added by me) Three good pieces of advice, and... I mean, seriously, avoid visiting unfamiliar web sites? That's like saying "There's been lots of credit card scams recently, you shouldn't go into any store you haven't been to before."

Stupid submit button....

[Chmcginn]

Just "avoid visiting unfamiliar Web sites" was supposed to be bolded. D'oh.

This week's Windows security hole article...

[digitaldc]

...is brought to you by http://update.microsoft.com/ [microsoft.com]

Programming code embedded in these pages would install a program that warned victims their machines were infested with spyware, then prompted them to pay $40 to remove the supposed pests.

Where do you send the money? And they aren't afraid of getting caught?

Cool Web Search?

[Chmcginn]

This has happened a lot in the spyware world - there's plenty of supposed "Spyware Removers" [spywarewarrior.com] that either contain or were marketed with spyware, or show false positives in the "demo" version, forcing you to pay for the real version, which then 'clears' it all up for you. Even though plenty of people spent the money & got nothing, I haven't seen any news reports of anyone being charged for fraud in relation to these products...

The CoolWebSearch [cwshredder.net] family of malware has been around forever... one of

Come on, "editors", let's try to edit properly

[Anonymous Coward]

scottott wrote to mention a Washington Post article with the news that the security hole we mentioned on Wednesday has widened. Computers can now be infected just by visiting infected web sites, or looking at images in the preview panel of older versions of Outlook.

There are two major factual errors here. One, the security hole has not "widened" - the scope of exposure is exactly what we read about Wednesday. Using shimgvw.dll to view a specially constructed WMF file results in system compromise (web site viewing of malicious WMF, previewing, opening w/MS picture and fax viewer, etc). The hole is exactly the same - exposure has increased, but the hole has not widened. Two: the web sites are not infected, they are malicious. The system is infected after visiting a malicious web site.

The full (well, as full as it is now) MS advisory is here [microsoft.com]. I'm not very pleased with how MS is handling this at all, but that does not excuse this shoddy "journalism". How hard is it to state facts correctly? All you had to do was change a few words, and it would have read much more accurately:

scottott wrote to mention a Washington Post article with the news that the security hole we mentioned on Wednesday is now affecting many more users. Computers can now be infected just by visiting malicious web sites, which are now rapidly increasing in number, or looking at images in the preview panel of older versions of Outlook.

For the last sentence, note that I sent mysefl WMF files win Outlook 2000 and 2003 while running Sysinternals process explorer and never saw shimgvw.dll called. Opening a WMF attachment called it, but not previewing, so there might be three errors, but I didn't test all versions that way, so I don't know...

What's the real lesson here?

[Ed Avis]

Those of us who use free operating systems shouldn't be too complacent. This exploit is serious because the WMF rendering library has full access to the user's data, and (at least on a 'home' setup where it's a single-user machine) access to the whole PC.

But it was really just bad luck that the bug happened to be found in the Windows WMF library and not, say, its Unix/X11 equivalent. Or libpng, or zlib, or whatever. Anyone who thinks otherwise is deluded. All software has bugs, and even if the quality of the free libraries is ten times higher (unlikely) there will still be plenty of memory tramplings and buffer overruns.

So, when the next vulnerability is found in a commonly used Unix library, will we be in any better position? Not really. Still the library is linked into the application and runs in the application's address space. It has access to all the files the app does, and traditionally on Unix that means everything the user has access too. Your email application may only need to read ~/.mail_settings and connect via IMAP to some host, but it runs with permission to overwrite any file owned by you and connect on any TCP/IP port it wants.

Why does the WMF rendering code need to run with any more permissions than: read a block of memory with the WMF file, and write a block with the rendered bitmap? (Or perhaps make display / GDI calls, if performance is a concern.)

What support is there in Unix operating systems for running common library code with only the privileges it needs? As far as I know Linux has no simple way to run a dynamically-linked library (.so file) in its own address space or without permitting it to make system calls. So when the next exploit is found in a common Linux library - and it will be found - the situation will be just as embarassing.

Re:What's the real lesson here?

[G Money]

What we have in the Linux and BSD world at least are very good Mandatory Access Control systems that help mitigate some of this risk. In the Linux world you can use SELinux (shudder) or use something even easier, AppArmor [novell.com]. If you properly profile an application to determine what it should and should not do you'll be in much better shape when new exploits like this come out. It won't save you from everything since they can still get access to anything the program could legitimately access in the first place but it's much more efficient than setting up sandboxes for everything like chroot and much more secure.

Re:What's the real lesson here?

[julesh]

Why does the WMF rendering code need to run with any more permissions than: read a block of memory with the WMF file, and write a block with the rendered bitmap? (Or perhaps make display / GDI calls, if performance is a concern.)

Because the WMF rendering code *is* GDI. Seriously - a WMF file is basically a list of GDI functions to call in order, along with the parameters to pass to them.

Re:What's the real lesson here?

[pboulang]

So when the next exploit is found in a common Linux library - and it will be found - the situation will be just as embarassing.

I agreed with you right up until this last sentence. Were this exploit to be found on a common Linux Library, you would see an article with a link to a patch with directions on how to install it. The embarassing part isn't that there is a bug, but that a known specific bug with such a HUGE impact takes so long to be fixed from Redmond.

Most embarassing is that while users wait

Re:What's the real lesson here?

[cortana]

The last time there were flaws in zlib and libpng, security was an apt-get upgrade away. Compare that to Windows where most software seems to have its own private copy of those DLLs.

Microsoft released patches for the libpng that came with Windows, along with a tool that scanned your hard drive, looking for copies of libpng embedded in third party executables and libraries. Unfortunatly, it would basically only say: "you {have,have not} installed Microsoft's patch for this issue; furthermore you have third p

Re:What's the real lesson here?

[NullProg]

The real lesson is of course that once again mr buffer overflow strikes (don't implement anything in C if it needs to be secure). This time it's on windows.

This isn't a buffer overflow, its a design flaw that allows metafiles to register callbacks with GDI32. And I fail to see what language a programmer uses has anything to do with it. Bad programmers are bad programmers reguardless of the language used. To the CPU its all instructions, it doesn't care if its issued by the crt or the java_vm.

Enjoy,

Windows Major Foul-Up

[spellraiser]

Larry Seltzer has a concise column [eweek.com] about this exploit, where he doesn't exactly pull the punches on Microsoft. The most interesting piece of information there is this:

The problem with the WMF (Windows Metafile) file format turns out to be one of those careless things Microsoft did years ago with little or no consideration for the security consequences.

Almost all exploits you read about are buffer overflows of some kind, but not this one. WMF files are allowed to register a callback function, meaning that they are allowed to execute code, and this is what is being exploited in the WMF bug.

I find this mind-boggling to the point of absurdity. Regardless of any supposed benefit gained by this, allowing a data file to execute arbitrary code upon it being viewed is simply begging for an exploit like this. No matter whan spin Microsoft will try to put on this one, it makes them look bad. Extremely bad.

WMFs have never been ...

[Tim Ward]

... data files, really. They've always been, in effect, "code" that is executed by an interpreter. That so it's hardly astonishing that there might be a callback mechanism to handle things the interpreter can't cope with.

Remember too that the WMF stuff was designed in the days when getting a virus from one machine to another involved walking across the room with a floppy and deliberately rebooting the target machine with the infected floppy in the drive!

It's still a cock-up though. Whoever originally design

Re:Windows Major Foul-Up

[julesh]

Regardless of any supposed benefit gained by this, allowing a data file to execute arbitrary code upon it being viewed is simply begging for an exploit like this.

You have to understand that WMF files developed from a facility in the Windows GDI that allowed an application to capture a sequence of calls to GDI functions in order to replay them quickly at a later point (e.g., if the application is requested to redraw the content of its window). Having done this, developers then asked "what happens if I dump

IDS signatures

[Cally]

The Microsoft advisory says:

** Are there any third party Intrusion Detection Systems (IDS) that would help protect against attempts to exploit this vulnerability?

While we don't know of specific products or services that currently scan or detect for attempts to render specially crafted WMF files, we are working with our partners through industry programs like VIA to provide information as we have it. . Customers should contact their IDS provider to determine if it offers protection from this vulnerability.

Snort sigs have been available from BleedingSnort [bleedingsnort.com] for some time now; I pushed them out to our corporate IDS yesterday morning.

(Warning, mangled by Slashcode - remove newlines)

#by mmlange alert tcp any any -> $HOME_NET any (msg:"BLEEDING-EDGE CURRENT WMF Exploit"; flow:established; content:"|01 00 09 00 00 03 52 1f 00 00 06 00 3d 00 00 00|"; content:"|00 26 06 0f 00 08 00 ff ff ff ff 01 00 00 00 03 00 00 00 00 00|"; reference: url,www.frsirt.com/exploits/20051228.ie_xp_pfv_met afile.pm.php; classtype:attempted-user; sid:2002734; rev:1;)

# By Frank Knobbe, 2005-12-28 alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT WMF Escape Record Exploit"; flow:established,from_server; content:"|01 00 09 00 00 03|"; depth:500; content:"|00 00|"; distance:10; within:12; content:"|26 06 09 00|"; within:5000; classtype:attempted-user; reference:url,www.frsirt.com/english/advisories/20 05/3086; sid:2002733; rev:1;)

Once again it looks like Microsoft are going to escape the 'perfect exploit' meltdown by the skin of their teeth. This is exploitable remotely, but Dr Evil can't sit at a console typing in arbitrary IP addresses to 0wn with the exploit. On the other hand you can get close to that sort of thing using Metasploit Framework [metasploit.org].

Firefox?

[freg]

Could someone please elaborate on whether using Firefox browser will help avoid this security hole.

Re:Firefox?

[99BottlesOfBeerInMyF]

You can be infected whenever Windows uses its default image viewer to display certain image types. This means there is a long list of applications that are vulnerable that rely upon the image viewer code, but as far as I know no one has yet compiled that list. Windows uses this code when previewing images (for example). The current way this is being exploited is to tell your web browser to open an image (wmf and jpg that I have heard about) in the picture viewer. On IE, this behavior defaults to happening automatically. That means you go to a page and it installs whatever code it wants. With Firefox, you go to a page and a dialogue asks to open a .jpg or .wmf file. If you agree, it installs whatever, but if you decline you're in the clear.

Missing Option

[$RANDOMLUSER]

Windows XP Flaw 'Extremely Comical'

more serious

[spacemky]

And not only does the exploit work with .WMF (Windows MetaFile), but if the attacker renames it to, say, .JPG, Windows will detect this a really being a .WMF, and STILL execute it. Pretty serious stuff. See this [securityfocus.com] bugtraq link for details.

The time has come..

[wraith0x29a]

..to add a new mime-type definition to the Windows defaults..

Identifier: X-Application/WinTrojan
Name: Windows Trojan File
File Extension Pattern: *.wtf

What I'd like to know ...

[cpu_fusion]

What I'd like to know is -- how long has this exploit been "in the wild?"

If it has been there since WMFs began, that's a long, long time. We're talking Windows '95 or earlier. It all depends when the GDI callbacks feature was added.

So here's what you need to consider: since this exploitable code first "shipped" with Windows, anyone "in the know", e.g. potentially FOLKS AT MICROSOFT, the NSA, your neighbor, whomever ... they could have EASILY breached your Windows box, done whatever the hell they wanted, erased all their tracks ... and you'd have to convince a judge and jury it wasn't you.

If I build and sell a car that is advertised as having a security system, but that security system is defeatable by running a magnet over the car lock, and that information is "out in the wild" for years and years, maybe even by folks in my company... what is the legal liability?

The only three external things that will adjust Microsoft's behavior regarding security are: (1) customers switching to other products, (2) criminal justice investigations, and (3) lawsuits. I don't see #1 happening so long as customers remain locked in, #2 is a joke as we know, but #3 ... ?

I've said it before

[WhiteWolf666]

I'll say it again.

Use Windows. Get Infected.

It's not restricted to unpatched Windows 98. It affects fully patched Windows XP SP2 running fully updated anti-virus.

Use Windows, and you'll Get Infected.

A firewall will protect you sometimes. Safe browsing will protect you other times. But in the end, something will get you. WMF, or a buffer overflow in IE, a spoofing vulnerability involving Windows Update, a Windows only Firefox bug.

use Windows. Get Infected. Period.

Updates via home page

[Eminor]

Sys Admins have a new way to keep their users' windows machines up to date. Simply enocde your updates into a WMF file and place it on the intranet home page.

Proxomitron Workaround

[Kye-U]

Please read: http://kyeu.info/proxo/forums/viewtopic.php?t=699 [kyeu.info] I have created a filter that would kill any WMF-Exploit file, regardless of file extension. This is due to a new matching method I've discovered in Proxomitron, where it matches the magic bytes of known exploit files. Most people don't know Proxomitron can serve as a workaround to this issue. In my opinion, it serves the same protection as an antivirus in this case, as it's basically matching hex values and killing the connection upon a successful match.

I developed a fix for it

[ilfak]

After some hours looking at WMF file format I developed a fix for it:

http://www.hexblog.com/ [hexblog.com]

My fix works for Windows XP systems. I have tested it on my machines.

Re:Hmmm...

[the_humeister]

So a flaw is discovered and if the user doesn't get the patch/workaround he'll potentially get infected. How does this differ from flaws in os x or other unixes?

Windows, definitely Windows...

[Svartalf]

It's a misfeature of Windows itself. If you surf with ANY browser, you'll get zapped if you surf to a site set up to take advantage of this latest hole.

Re:Is it IE or Windows?

[a_n_d_e_r_s]

Its in one of Windows standard libraries - but using IE makes it more dangerous.

Using Firefox with Adblock installed one can stop all files of this dangerous type by adblocking them until a patch is available.

Re:Is it IE or Windows?

[Thaelon]

And what type would that be, exactly?

Re:Is it IE or Windows?

[thue]

Using Firefox with Adblock installed one can stop all files of this dangerous type by adblocking them until a patch is available.

This comment [slashdot.org] says that you can't block it (ny blocking a file extention as is done in adblock), as Windows will execute the file as a .wmf even if the file is renamed to .jpg .

Re:Is it IE or Windows?

[WhoDey]

It's an exploit of functionality built into Windows (it allows you to view thumbnails in folders full of pictures, for example). The reason it's more dangerous with IE is that IE by default will open these files, while Firefox (or some other browsers) will give you the good old Open/Save box first. If you open at this point, you're still screwed.

Re:Is it IE or Windows?

[Secrity]

Windows has the vulnerability. Web browsers and some versions of Outlook are the means that the malicious .wmf files are introduced into the operating system. Firefox and Opera can also be used to introduce malicious .wmf files, the difference is that Firefox and Opera ASK the user for confirmation before they download the files. I understand that newer versions of Firefox are misconfigured and do not handle .wmf files as Microsoft intended, this may be a case where a configuration error is actually a se

Not a total solution...

[Chmcginn]

Because the vulnerability exists within a faulty Windows component, security experts warn that Windows users who eschew Internet Explorer in favor of alternative Web browsers, such as older versions of Firefox and Opera, can still get their PCs infected if they agree to download a file from a site taking advantage of the flaw.

Agreeably, you shouldn't be downloading from websites you don't trust anyway... but as anyone who's ever had a computer-illiterate relative or spouse can tell you, sometimes... "But, I really wanted to play that 87th degree derivation of breakout!"

Okay, really, she said Arkanoid, but you get my point.

Re:Not a total solution...

[jafiwam]

That's not enough.

The flaw can be used with a JPG file (read; the image of the button, or the site seal, or the photo) in the web page.

And since the flaw is in data in the header of the WMF file type, it can be executed even if the file extension is not WMF.

In other words, if you are seeing images on web pages with Windows, you can get this. No downloading is necessary even in other browsers. Until it's patched, the only true safe method is unregister the DLL or don't get on the internet with Windows at all.

As an FYI, I had to deal with this thing several weeks back when it was rare. (The bimbo doesn't remember what web site did it.) IF you do, just pull the drive, mount it on another machine, get your data, and wipe the damn thing. It's a really really tough infection to clean. It screwed the OS more ways than Courtney Love and ate so much CPU it was unusable. PLUS it downloaded other stuff and started to try to infect other machines on the network.

Shoot to kill this one guys, the patient is already dead.

Re:Not a total solution...

[makomk]

In other words, if you are seeing images on web pages with Windows, you can get this.

Not necessarily. I think Firefox at least uses its own image-rendering library, which is why it's harder to get infected if you're using it. (You have to open an infected file in some other suitable viewer i.e. one that uses the affected library).

Re:Question

[shis-ka-bob]

If the image is a jpeg format, then no. If the file is a WMF file with a JPG extension, then I think the answer is Yes. Firefox 1.5 will ask you if you want to view the WMF file (at which point you had better say 'No'). With IE and Firefox 1.0, my understanding is that the wmf file (regardless of its extension) will be automatically viewed and this is enough to get your Windows PC infected.

Re:Question

[jasen666]

ah, no, that should not be the case. Because it uses it's own rendering and doesn't natively support wmf's, it will try to display the image as a jpg, and when that fails it would either not display the image at all, or ask to open it with a another program. I think the former is more likely. I'll have to test it out now.

Re:Solution

[KilobyteKnight]

Get another browser, such as Opera of Firefox.

This is not an ie flaw. This is a Windows flaw. You can still be affected with other browsers, you just have to try harder. Anything using the Windows DLL that does the WMF processing will be affected.

Re:Solution

[blowdart]

Except FireFox 1.0 also opens the files automatically, by default, in the vunerable application.

In 1.5 the behaviour changed, and for some reason .WMF was associated in FireFox with Windows Media Player. So 1.5 is secure against this flaw, by lucky accident.

Re:Bad start to my day

[EdMcMan]

Here is some information on the WMF threats [f-secure.com].

Re:Is the publicity from Slashdot to blame?

[dreamer-of-rules]

No, Slashdot isn't "to blame". Stop talking like Zonk.

Anti-virus and virus writers follow different websites that were already posting the details of the WMF vulnerability and the exploits. Slashdot did not have anything to do with that.

Thanks to Slashdot, I found out about this vulnerability in time to shut off our company's internet access before people came in to work, and find out what do (unregister shimgvw.dll, add rules to IDS, send alarmist email to everyone explaining what to look out for).. I'm

Re:HEHEHE

[WhiteWolf666]

No, but laughing their asses off at the misfortune of others when you warned them..... 5 years in advance?

That seems reasonable to me.

Fuck up once, blame someone else.

Fuck up three times, blame someone else.

Once you've fucked up dozens and dozens of time, its your own damn fault. Pay some attention. Take some responsibility.