Businesses Urged To Use Unofficial Windows Patch
frankie writes "ZDNet is reporting on the latest dire pronouncements about the WMF vulnerability. The problem is so serious that security experts are urging IT firms to use the unofficial patch. Microsoft's current goal is to release the update on Tuesday." From the ZDNet article: "This is a very unusual situation -- we've never done this before. We trust Ilfak, and we know his patch works. We've confirmed the binary does what the source code said it does. We've installed the patch on 500 F-Secure computers, and have recommended all of our customers do the same. The businesses who have installed the patch have said it's highly successful." It's big enough that even mainstream media is covering the flaw.
Does MS view this as important? (Score:5, Interesting)
It brings interesting schemes into my mind. Oh don't mind me, I'm just going to grab my tin foil hat.
Re:Does MS view this as important? (Score:4, Interesting)
Re:Does MS view this as important? (Score:4, Funny)
Re:Does MS view this as important? (Score:5, Insightful)
It doesn't sit well with me to see Microsoft eat their cake and have it too.
-Peter
Are you kidding? (Score:5, Insightful)
Re:Does MS view this as important? (Score:4, Interesting)
"Oh, what a horrible situation -- we could issue our own fix that we've written to help you out, MS -- it's ready to go, we know it works -- but due to the DMCA, Trusted Computing, numerous restrictive MS EULAs and the general legal climate you and other large proprietary software vendors have created, we are genuinely afraid to release our change, as it has required us to disassemble, reverse-engineer and generally do things that you would sue us for. Sorry. Good luck to your *own* patch team."
Why, from a moral standpoint, should anyone help MS do their QA? They certainly have proven themselves willing to sue anyone for any number of reasons relating to reverse-engineering their code -- after all, their philosophy is that no one outside of their teams should know about the OS internals in this way.
They can't have it both ways -- either welcome the users' rights to improve the system they paid for, or don't.
(Yes, I realize that this patch was made to benefit the public in general, and to defend everyone's systems, not directly to benefit MS. But MS does get a free lunch out of this, in some respects.)
Re:Does MS view this as important? (Score:3, Insightful)
MS has to test very extensively (Score:5, Interesting)
In some cases, particularly when the Internet Explorer browser is involved, the testing process "becomes a significant undertaking," Toulouse said. "It's not easy to test an IE update. There are six or seven supported versions and then we're dealing with all the different languages. Our commitment is to protect all customers in all languages on all supported products at the same time, so it becomes a huge undertaking."
The issue was actually a feature... (Score:5, Informative)
Seen on Digg [digg.com]. This Broadband Reports' security forum thread [broadbandreports.com] mentioned this as well.
Copied and pasted from my AQFL Web site [aqfl.net].
MOD PARENT UP (Score:2)
Re:The issue was actually a feature... (Score:5, Funny)
Re:The issue was actually a feature... - WRONG (Score:4, Insightful)
Read the Fucking Back Story: This would be almost 0% issue if any of the following were true:
1. MSIE/SHELLDOC used extensions or mime-types (MSIE) in determining what file format something was [[ This flaw is transparent to users: it can be in almost any file extension ]]
2. MSIE/SHELLDOC had a feature like the mailcap file on UNIX which allows us to only list programs that can operate on untrustworthy files(!)
3. The WMF magic was outside of a critical system component (that could simply be unregistered and removed)
As a result, this is a very serious problem, and by playing Microsoft's tune about how "it's not that big of a deal", you're only making the problem worse.
By the way, someone should (quick!) make some WMF files that use the AbortProc routines to disable printscreen and stuff when they're visible so they can sue MS for DMCA (copy protection circumvention) violations...
Re:MS has to test very extensively (Score:5, Funny)
So in other words, we won't release a cure for cancer until we have cures for all other diseases as well.
Re:MS has to test very extensively (Score:5, Insightful)
A better analogy would be that Microsoft is withholding the cure for breast cancer until they verify that it doesn't cause patients with other cancers to worsen, that it really does cure breast cancer on more than just one woman, and that it doesn't kill patients outright. With QA, at minimum you've got to verify that a patch can be installed, can be uninstalled if that's an option, fixes the problem, is stable, and passes any baseline usage tests that you have.
The analogy still isn't perfect, but it's far more representative of what a QA process is.
Add the unofficial patch to the test matrix... (Score:5, Insightful)
With the unofficial patch already deployed on thousands (millions?) of machines, it would be a big deal if something went wrong.
God, I'd hate to be in Redmond right now...
-ch
Bullshit. (Score:5, Insightful)
Even if it means, in contravention of best security practice and all possible "trustworthy computing", knowingly delaying an urgent, critical fix (which would be less troublesome than the first Shatter fix which was pushed out, and only disable a single GDI function that frankly hasn't been used since Windows 3.1 and should never have been used in the first place) for a publicly-disclosed, unpatched vulnerability that had been discovered from a 0day exploit, for an indefinite amount of time over a public holiday period while the vulnerability is being "tested"?
When there's realistically no possible way the different L10n's of Windows would affect the GDI32 core because it contains almost no l10n strings anyway, and the vulnerability is in fact a purposely-designed, never-used legacy "feature" that should definitely have been removed in Windows NT or during the Windows 2000 GDI rewrites, or noticed, say, during last month's GDI audit?
Despite Microsoft promising that the introduction of the Patch Tuesday would not preclude emergency fixes being issued out-of-cycle and as soon as possible for, ooh, say, critical core Windows vulnerabilities with an enormous number of possible vectors of infection, no effective mitigation and wide, dangerous exploits in the wild with a number of vulnerable machines easily capable of providing an ample breeding ground for supporting wide botnets or enormous worm infections?
Which is exactly what has happened, as Windows has, frankly, just faced the worst single vulnerability in its entire history?*
What the fuck are they doing, deliberately trying to breed another big internet worm?
Sorry, but I'm calling bullshit. I'm a security researcher, and I'm really quite angry at Microsoft's piss-poor handling of this. They couldn't have done much worse if they'd heard about the bug and then let MSRC take Christmas off anyway.
This was not business as usual. This was an exceptional event (true 0days are actually quite rare to discover in the wild). It could not, and should not, have waited until the next patch cycle. This is exactly the kind of situation upon which a speedy mitigation - hours to days, but definitely not weeks - is absolutely critical, and we should demand that. They should AT LEAST have provided the (untested) hotfix themselves within a day, and pushed it out to Automatic Updates and Windows Update/Microsoft Update within the week after first discovery in the wild - not unrealistic goals for a vendor who wishes to paint themselves as "trustworthy".
They should be brought to task on this one. Behaviour like this is what created the full-disclosure movement in the first place.
* Yes, I'm going to say this one's actually worse than the various active remote vulnerabilities we've had over the years, like the UPnP vuln or the numerous RPC-related vulns. Those, you could at least block with a firewall. This, it's single-payload, multi-vector. It's got plenty of room to drop anything, it's capable of highly metamorphic exploit streams, can be fed online or offline, even spread on media, anything from email to a web page to a simple read-only directory listing or right-click, or uploaded to a site or blog, god help you, rendered inside MSN... the number of potential vectors is so numerous and troublesome it even makes analysis difficult; Windows disregarding filenames and extensions and MIME types and using magic sniffing instead, so you can't even block it effectively using a content-inspecting IDS - that's just the icing on the cake. This is a classic vulnerability, a real ticking Christmas present, a true textbook candidate.
Re:Bullshit. (Score:3, Interesting)
Early on, I distinctly remember using WMF, mostly because I assumed something with Windows in the name would have better support from Word and the operating system. Presumably other users
Re:Bullshit. (Score:5, Insightful)
Once-and-only-once is the first and last rule of good programming. The moment any information appears in more than one place, things start to hit the fan.
Re:Does MS view this as important? (Score:4, Insightful)
Re:Does MS view this as important? (Score:5, Informative)
Even so, it's probably just a few code libraries to check against as I doubt they check against each and every title listed here:
http://support.microsoft.com/gp/lifeselect [microsoft.com]
Probably their main concern is the Enterprise level support they have to comply with and NOT rush a patch out.
Re:Does MS view this as important? (Score:2, Interesting)
Re:Does MS view this as important? (Score:3, Funny)
Gah! Too late! You've been hit by the WMF image virus already!
Re:Does MS view this as important? (Score:5, Funny)
Re:Does MS view this as important? (Score:3, Funny)
Re:Does MS view this as important? (Score:3, Insightful)
Re:Does MS view this as important? (Score:5, Insightful)
What's the liability if MS screws up a patch? They do it all the time, but I don't hear anything about them being sued or compensating businesses they've hurt.
Re:Does MS view this as important? (Score:5, Insightful)
Liability is not always monetary. (Score:2, Insightful)
Re:Liability is not always monetary. (Score:2, Insightful)
Re:Liability is not always monetary. (Score:2, Informative)
Re:Does MS view this as important? (Score:2)
It's also possible that MS has found something else also in the same code that can leave them in an embarrassing situation in another week (This I guess is the 2nd issue with the wmf handling in 3 months) if they release just a hurried patch resolving only the problem we're seeing now. But whether or not they should be delaying it at the risk of letting customers face trouble (and gain bad publicity) is, I hope, give
Re:Does MS view this as important? (Score:3, Informative)
What about 3rd party solutions?
Wait. MS'll patch it next week. We'll do it in 23 languages and thoroughly test it.
Why is it taking so long?
Our team of "designated product specific security experts" look at the problem, figure out how big it is, then how to fix, then fix it, then test the fix, then port it to all the affected platforms and languages.
Re:Does MS view this as important? (Score:3, Insightful)
Cisco traditionally has used a monolithic kernel, which Linux guys poo-poo, but when you control all of the hardware, and you know all of the possible modular components that can be installed i
Seriously? (Score:2)
"Oops, sorry about that. We forgot to test the pa
The problem is it's a GDI exploit (Score:5, Insightful)
Well, testing a fix for a system component like that takes time, especially since it affects a ton of versions.
Now you might ask, why not release a hack fix, and then do a proper patch later? Well as it stands, it's hard enough to get people to update their systems. We fight with it all the time with people here at work. They turn auto updates off since they run simulations at night and don't want it rebooting (even though patch day is known ahead of time) and then never manually patch since they "can't be bothered".
Well, if MS released a patch that broke things, that just makes that many more people stop patching. Remember all the whining and bitching about SP2. There were very few systems that had problems with it, and most that did were spywared to hell, but still there are tons of people that refuse to install it for fear that "it'll break my computer".
Thus the official patch takes time, as they have to test and make sure that the problem really is fixed, and no new problems were created with the fix. Regression testing isn't quick.
The problem is... (Score:3, Informative)
F-Secure's hack, and yes, it's a hack, is an adequate fix until MS gets their damn hole that's been lurking since Windows 3.1 fixed.
Re:The problem is... (Score:3, Interesting)
Re:Does MS view this as important? (Score:2)
interesting schemes into my mind
Interesting Schemes = Microsoft's Trusted Computing, how trusting do you feel towards Microsoft now?
Now excuse me while I take off my tin foil hat and place my head in the microwave set on high for 10 mins, so I can understand the Corp. BS that's going to come flying through the fan from MS's PR dept.
block wmf (Score:2, Interesting)
Re:block wmf (Score:5, Informative)
Re:block wmf (Score:5, Insightful)
So, in other words, it does exactly the same thing Unix does for every single executable file.
Do a man magic if you don't know what I'm talking about, and/or look into why scripts have that #! as the very first two bytes in order to work automatically.
Windows has gotten bashed for years for relying on file extensions. Here they don't and they get bashed more! Ok, yeah, it's yet another example of deviation from expected behavior, but complain about that, not that they're finally trying to be smarter about files. Hell, most programs will now ignore file extensions and look at the file header -- it's hardly a MS only behavior.
That said, MS's slackness on this issue is ridiculous. Yes, I know that they have to test a patch in a very large test environment to make sure nothing goes "boom", but in this case they would better serve their customers by simply disabling WMF support entirely until they can properly patch things. WMF is not a widely used format -- in the very few cases where it's actually being used you could simply not patch the computer and take appropriate actions to isolate that system. It would be a hell of a lot better than the current situation, especially given how nasty and widespread this exploit is.
Re:block wmf (Score:5, Interesting)
Note the key difference between an OS (your example) and a browser (reality).
Re:block wmf (Score:3, Informative)
Re:block wmf (Score:3, Informative)
I'm surprised virus writers waited until this millennium to finally exploi
Re:block wmf (Score:3, Insightful)
And Linux users don't? Double click on a GIF/JPG/MP3/HTML/etc file in Konqueror or Nautilus (or the file manager of your choice) and what happens? Exactly the same as in Windows -- it launches the executable that's associated with the file.
There is no execute bit in their filesystems.
Yes there is. Admittedly, it's not used very much, and I don't expect that to change anytime soon. Not that it woul
Re:block wmf - that's the problem (Score:3, Informative)
No, if it did it exactly the same way UNIX did, then there wouldn't be a problem.
UNIX only looks up magic headers when using the execve() system call, and not with open() - and only if the file is marked +x - and only if it's on a filesystem marked exec.
So in other words, you don't know what you're talking about.
One of the problems here is that Windows' rape victims cannot disable WMF support and continue using Wind
Re:block wmf (Score:3, Informative)
MS seems to put real effort into executing everything that you throw at it: "hmm, it doesn't end in .exe, .com, .bat, .pif, or what you may have. Ah, maybe it's a Word macro, let's try that. No that didn't work, but wait, let's see if it's a .wmf in drag and execute any code in that. Hmm, it still won't execute, I give up. " I'm really curious what people will come up
Re:block wmf (Score:2)
Re:block wmf (Score:2, Informative)
One could simply block all images, but your boss might be a little miffed when he can't conduct "Internet research".
Re:block wmf (Score:3, Informative)
From http://isc.sans.org/diary.php?storyid=994/ [sans.org] you can find that "WMF files are recognized by a special header and the extension is not needed. The files could arrive using any extension, or embedded in Word or other documents."
Re:block wmf (Score:2, Insightful)
If I save a hacked WMF on the webserver as HeaderPicture.jpg and link it into the webpage with an img tag it will be downloaded as a jpg file, and only then once it gets to my computer does it get handled using the internal WMF code.
It would be easy to block WMF files on the border, but as you can see, not every WMF identifies itself quite so easily.
To block it on the firewall, the IDS
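The posts above (and the ISC quote earlier in the thread) make the defensive point that WMF is recognised by its header, so an extension or declared-type filter at the border misses a renamed file, while a content check does not. As an added example, not code from this thread, from F-Secure, or from any tool it mentions, here is a Python sniffer that classifies data by the WMF header fields rather than by filename; the header constants are taken from the WMF header layout (placeable key, META_HEADER Type/HeaderSize/Version, placeable checksum) and the sample files are constructed here, so treat both as assumptions rather than page data.

```python
from __future__ import annotations
import struct
from dataclasses import dataclass

# Header constants from the WMF header layout (assumption, not from the thread).
PLACEABLE_KEY = 0x9AC6CDD7          # placeable metafile key; on disk, little-endian D7 CD C6 9A
STANDARD_TYPES = (0x0001, 0x0002)   # META_HEADER.Type: 1 = memory metafile, 2 = disk metafile
STANDARD_HEADER_WORDS = 0x0009      # META_HEADER.HeaderSize is always 9 words (18 bytes)
STANDARD_VERSIONS = (0x0100, 0x0300)


@dataclass
class Verdict:
    name: str
    extension: str
    variant: str        # "placeable", "standard" or "none"
    well_formed: bool   # header fields self-consistent (checksum, fixed-size fields)
    disguised: bool     # WMF content carried under a non-.wmf name


def _is_standard_header(buf: bytes) -> bool:
    """Check the first three words of META_HEADER: Type, HeaderSize, Version."""
    if len(buf) < 6:
        return False
    mtype, size, version = struct.unpack_from("<HHH", buf, 0)
    return mtype in STANDARD_TYPES and size == STANDARD_HEADER_WORDS and version in STANDARD_VERSIONS


def placeable_checksum(first20: bytes) -> int:
    """XOR of the ten 16-bit words that precede the placeable header's Checksum field."""
    result = 0
    for word in struct.unpack_from("<10H", first20, 0):
        result ^= word
    return result


def sniff(data: bytes) -> tuple[str, bool]:
    """Return (variant, well_formed) judged purely from the bytes, never from the name."""
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        if len(data) < 22:
            return "placeable", False          # key present but header truncated
        stored = struct.unpack_from("<H", data, 20)[0]
        ok = stored == placeable_checksum(data[:20]) and _is_standard_header(data[22:])
        return "placeable", ok
    if _is_standard_header(data):
        return "standard", True
    return "none", False


def classify(name: str, data: bytes) -> Verdict:
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    variant, ok = sniff(data)
    is_wmf = variant != "none"
    return Verdict(name, ext, variant, ok, disguised=is_wmf and ext != "wmf")


def scan(items: list[tuple[str, bytes]]) -> list[Verdict]:
    """Return a verdict for every item whose content is WMF, whatever it is called."""
    return [v for v in (classify(n, d) for n, d in items) if v.variant != "none"]


# --- constructed sample files (not real captures) ---------------------------------
def build_placeable() -> bytes:
    # Key (2 words), HWmf, BoundingBox (4 words), Inch = 1440, Reserved (2 words)
    head = struct.pack("<10H", 0xCDD7, 0x9AC6, 0, 0, 0, 100, 100, 1440, 0, 0)
    meta = struct.pack("<HHHIHIH", 1, 9, 0x0300, 9, 0, 0, 0)   # minimal META_HEADER
    return head + struct.pack("<H", placeable_checksum(head)) + meta


def build_standard() -> bytes:
    return struct.pack("<HHHIHIH", 2, 9, 0x0300, 9, 0, 0, 0)


def build_corrupt_placeable() -> bytes:
    data = bytearray(build_placeable())
    data[20] ^= 0xFF                 # damage the stored checksum byte
    return bytes(data)


SAMPLES: list[tuple[str, bytes]] = [
    ("HeaderPicture.jpg", build_placeable()),                    # WMF renamed to .jpg
    ("diagram.wmf", build_standard()),                           # honest standard WMF
    ("photo.jpg", b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00"),           # real JPEG prefix
    ("logo.png", b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"),         # real PNG prefix
    ("corrupt.gif", build_corrupt_placeable()),                  # WMF key, bad checksum
]


def flagged_names() -> list[str]:
    return [v.name for v in scan(SAMPLES)]


if __name__ == "__main__":
    for v in scan(SAMPLES):
        print(f"{v.name:20} {v.variant:10} well_formed={v.well_formed} disguised={v.disguised}")
```

Run on a mail spool or proxy cache, `scan` flags the file named HeaderPicture.jpg just as readily as diagram.wmf, which is the point of the posts above: the name and the declared type are the attacker's choice, the header is not. A placeable key with a failing checksum is itself a signal worth logging, since legitimate tools write the checksum correctly.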
Why not? (Score:2, Insightful)
More details (Score:5, Informative)
http://www.securityfocus.com/bid/16074 [securityfocus.com]
http://www.microsoft.com/technet/security/advisor
http://www.symantec.com/avcenter/venc/data/pf/pws
WooHoo 3rd parties! (Score:3, Insightful)
Ha, so much for such "features" - times have changed...
--LWM
F-Secure are publicity sluts (Score:2, Interesting)
Also, the quote in the headline is from F-Secure recommending installation of the 3rd party patch, not from ZDNet as the headline may lead you to believe.
Re:F-Secure are publicity sluts (Score:3, Insightful)
No complaints.
--LWM
Re:F-Secure are publicity sluts (Score:2)
Also worthy of note is the ISC's latest comments [sans.org] on all this:
FTR, I've applied the patch on about 35 c
Re:F-Secure are publicity sluts (Score:5, Insightful)
Think about it - they're doing good research, AND they're making it available for free, and you still criticise them for exactly that? You're not just looking the gift horse into the mouth, buddy, you're trying to paint the giver in a bad light for attempting to give it to you for free.
Seriously, get a grip.
One Gets the Feeling... (Score:4, Insightful)
It may not have been anything like this at all, but this is the feeling one gets.
One also wonders about the job security of the MS programmer who didn't get this fix out in a timely manner.
Re:One Gets the Feeling... (Score:3, Insightful)
This is a very small code snippet that prevents the Escape() call with a certain argument. If you allow that, your system is vulnerable; if you don't, it isn't.
There's no way you can preserve the operation of legacy code without preserving the vulnerability, so if your legacy code relies on that behaviour (which is *extremely* unreliable), you're fucked, and there's nothing Microsoft can do to get around it. They're just reticent to bite the bullet.
Re:One Gets the Feeling... (Score:2)
Excuse me. The hole has been there since 1990. It hasn't been caught by any code or security review since then, despite Mr. Gates' change of direction and push to make security the top Microsoft priority how many years ago now? And it's patched by a third party days ahead of the scheduled Microsoft patch.
Maybe Microsoft -- and you -- should be the ones getting clues.
This is slashdot, where's the pictures? (Score:5, Funny)
Re:This is slashdot, where's the pictures? (Score:5, Funny)
Sorry, had to do that. ^.^
The Business Mindset (Score:3, Insightful)
MS workaround (Score:3, Informative)
Whoa, that's really bizarre (Score:5, Interesting)
This article isn't anything like the one that I submitted.
Mine looked more like this (body content from memory):
Re:Whoa, that's really bizarre (Score:5, Insightful)
And Vista will fix all of this, won't it? (Score:2, Insightful)
Yeah that's what I meant to say. Sorry.
Re:And Vista will fix all of this, won't it? (Score:2)
Since we /.ers delight in hearing tales of the successful installation of Linux on any electronic device that will sit still for long enough, perhaps we shouldn't criticise Microsoft for attempting the same with their OS...
What will be especially interesting... (Score:4, Interesting)
It would be deliciously muddying for Microsoft if someone discovered significant parts of the unofficial patch in the official one.
FF users (Score:2, Informative)
Not good enough... (Score:4, Informative)
I saw a list a few minutes ago, but I don't remember where...
Re:Not good enough... (Score:3, Informative)
It's being disguised as "safe" image files for easier transmission, since the more-awake folks have already blocked *.wmf at the gate. (As a challenge, can anyone see if calling it an HTML file works to trigger the exploit? Or find a site where it's been done?)
And don't think that visiting
Re:Not good enough... (Score:3, Informative)
IE has a few different MIME types for which it enables the magic. text/plain, application/octet-stream and text/html all enable this magic, because traditionally web servers have determined content type by file extension and have defaulted to one of these types when they don't have an entry for the file extension given.
This was a practical problem during PNG's infancy, when Apache's default configuration didn't know what the .png file extension was and just served them as text/plain. Most webmasters who de
Patch download sites (Score:2, Informative)
The Best Patch (Score:2)
avast (Score:2, Interesting)
Oblig. Star Trek (Score:3, Funny)
Let me guess: Tuesday?
investigation? (Score:4, Funny)
Cool - law enforcement is investigating Microsoft? About time!
get a rope!
This really IS as bad as SANS says... (Score:5, Insightful)
The unofficial patch is 100% necessary. This is BAD folks.
And if the evil people are smart, they'd have a very VERY nasty surprise come Monday, when most people are still not patched and M$ hasn't released the official patch yet.
Re:This really IS as bad as SANS says... (Score:3, Insightful)
On a hasty no-but-seriously note: are you suggesting WMF is wormable? I can't see how; a machine infected with a WMF worm would have to contact another vulnerable machine and somehow induce it into downloading an image file and parsing it. There was a rather feeble attempt at an IM worm over the weekend which fortunately seems to have fizzled, and I can't easily imagine other vectors. (Perhaps I have a we
Amazing new things keep popping up! (Score:2)
Download (Score:5, Informative)
http://isc.sans.org/diary.php?storyid=1010 [sans.org]
Second time this story came up with no links to the patch.
Watch the video! (Score:2)
Re:Watch the video! - COOL! (Score:3, Interesting)
I read MS's Press release.... (Score:2, Insightful)
My question in all of this is if it's fixed in this "OneCare" thing, then what's the difference in the rollout to everyone else? Please, God, tell me this isn't some stupid marketing ploy (the delay that is) to get more people on thi
How to proceed? (Score:3, Funny)
Do I have to install Wine first?
Please help!
Exploit to fix the exploit? (Score:3, Interesting)
It's good to see that Microsoft is keeping things consistent in this new year. As an administrator, I was worried I would have to learn something new. Rinse, lather, patch, repeat.
My company already used the unofficial patch... (Score:3, Interesting)
Comment removed (Score:5, Insightful)
That's great, it starts with... (Score:5, Funny)
SETABORTPROC Escape
Linux geeks are not afraid.
IDS, thanks for playin'
Unofficial patch burn
World serves its own needs
Dummy serve your own needs.
Feed the news from ISC,
Go insane
The blogs all start to clatter
With fear fight down height.
Wire is on fire
On a new years' holiday
And the mafia for hire
At a pharma site.
Tuesday now it's coming in
A hurry with the worries
breathing down your neck.
Team by team the coders baffled,
trumped, tethered cropped.
Feature? That's insane!
Fine, then. Uh oh,
A week 'till it's released to you
But it'll do
Unregister a DLL
World serves its own needs,
Patch this at your own speed
Crummy packet capture
And it's never quite
Right, right.
Admin now an alcoholic
Can't take bright light
Feeling pretty tired.
It's the end of the world as we know it.
It's the end of the world as we know it.
It's the end of the world as we know it and I feel fine.
someone alert gw bush (Score:5, Funny)
What happens when the official patch comes out? (Score:4, Interesting)
Good ol' patch Tuesday (Score:3, Funny)
Re:Good ol' patch Tuesday (Score:3, Insightful)
Nah, tactically speaking, I'd assume that it's best to release a mega-worm about a week and a half to two weeks before patch day. The reason why is simple: if you release it too early and it's bad enough, Microsoft will break stride and release a patch early. On the other hand, if the time to develop a patch and test it (I'm guessing around a week to a week and a half, depending on the difficulty of the patch) is within four or five days of Patch Tuesday, Microsoft is politically better off waiting until Tu
Legacy apps will break (Score:3, Interesting)
I have witnessed first hand how Guilfanov's unofficial patch [hexblog.com] will break some legacy apps. The one in question was a 16-bit app (based on Access 2.0). After applying the patch, it was impossible to print some forms (we received an error). Sure, we uninstalled the patch and printing was OK again.
So therefore the interesting thing about the upcoming Microsoft patch is, how are they going to patch the hole without breaking the legitimate uses of the affected gdi functions???
Hey! I just got sent one of these! (Score:3, Informative)
Hello,
We are very sad to say that over the New Year the Campus was subjected to several acts of mindless vandalism. As well as bricks being thrown through windows, several members of staff have reported their cars as being the subject of practical jokes. Some of these cars were filled with water whilst others had graffiti daubed across them. We have uploaded the pictures of the graffiti here http://playtimepiano.home.comcast.net/ [comcast.net] in the hope that someone may recognise the culprits work. If anyone can shed any light on this unfortunate incident could they please contact the main office as soon as they have time.
Many Thanks & Best Regards,
Professor Robert Gordens
Yale
Re:Exploit! (Score:3, Informative)
Best for now to unregister the WMF dll: regsvr32 -u %windir%\system32\shimgvw.dll
Or, you can always go the coLinux route.
Re:Software Restriction Policy (Score:4, Insightful)
I've implemented this today on the network, but don't be fooled into thinking that this will protect you 100% because it doesn't. The flaw isn't in shimgvw.dll, that dll is just one of the common attack vectors. The flaw is a 'feature' of GDI as many of the
Until the patch is released it wont hurt to take a few simple steps to reduce the attack vectors (emphasis deliberate)
* Educating users about the dangers
* Updating AV definitions across the network
* Blocking
* Disabling the shimgvw.dll using the above method or the regsvr32 method.
Some people might want to consider the unofficial patch - personally, I wouldn't let it anywhere near the network of 3000+ machines. If something goes wrong, that's a lot of cleaning up to do, and Microsoft will not be interested in helping.
Re:Software Restriction Policy (Score:3, Informative)
Some people might want to consider the unofficial patch - personally, I wouldn't let it anywhere near the network of 3000+ machines. If something goes wrong, that's a lot of cleaning up to do, and Microsoft will not be interested in helping.
I rolled the MSI-based [sans.org] version of this patch to around 1,500 client PCs this morning. The MSI cleanly uninstalls and has been tested on the US versions of W2K Server SP4, W2K Pro SP4, WXP Pro Gold, WXP Pro SP1, WXP Pro SP2, W2K3 Gold, and W2K3 SP1.
Of course, I'm a b