Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Worms Microsoft Security IT

Businesses Urged To Use Unofficial Windows Patch 374

frankie writes "ZDNet is reporting on the latest dire pronouncements about the WMF vulnerability. The problem is so serious that security experts are urging IT firms to use the unofficial patch. Microsoft's current goal is to release the update on Tuesday." From the ZDNet article: "This is a very unusual situation -- we've never done this before. We trust Ilfak, and we know his patch works. We've confirmed the binary does what the source code said it does. We've installed the patch on 500 F-Secure computers, and have recommended all of our customers do the same. The businesses who have installed the patch have said it's highly successful" It's big enough that even mainstream media is covering the flaw.
This discussion has been archived. No new comments can be posted.

Businesses Urged To Use Unofficial Windows Patch

Comments Filter:
  • by JonN ( 895435 ) * on Tuesday January 03, 2006 @03:10PM (#14386579) Homepage
    So if this vulnerability is high on the seriousness level, is anyone else wondering the same thing as I am; How and why is it that Microsoft is days behind a third party in releasing a security patch? I mean this is hitting mainstream media, and Microsoft's security patch response team is being bested by some 'guy'?

    It brings interesting schemes into my mind. Oh don't mind me, I'm just going to grab my tin foil hat.

    • by travisco_nabisco ( 817002 ) on Tuesday January 03, 2006 @03:13PM (#14386604)
      It looks like Microsoft is allowing its user community to patch problems before it can. Oh no!! That sounds a lot like how the Linux community works. Is this going to be a more common occurence as time goes on?
      • by croddy ( 659025 ) on Tuesday January 03, 2006 @03:14PM (#14386612)
        This'd be a hell of a lot easier if they'd just give over the source code already.
      • by pete-classic ( 75983 ) <hutnick@gmail.com> on Tuesday January 03, 2006 @03:35PM (#14386804) Homepage Journal
        There is a quid pro quo in the "Linux community". Yes, J. Random Hacker is encouraged (and really expected) to patch Linux flaws. But he recieves a Free system with source code in exchange.

        It doesn't sit well with me to see Microsoft eat their cake and have it too.

        -Peter
        • Are you kidding? (Score:5, Insightful)

          by SleepyHappyDoc ( 813919 ) on Tuesday January 03, 2006 @04:28PM (#14387274)
          This guy (he may be reknowned in the security community, but I've never heard of him) was able to successfully bandage a Windows flaw before Microsoft, without access to the Windows source code or any backing from the writers of the program being patched. I doubt he'll need to look far for work for a long time, and if he does, 'Successfully wrote a patch for a Windows flaw independently' looks damn good on his resume. He still has to pay for Windows, sure, but it's not like he's going to be completely unrewarded for his work.
      • by ArghBlarg ( 79067 ) on Tuesday January 03, 2006 @05:25PM (#14387772) Homepage
        This may sound mean-spirited but I think in this case, and any like it, I couldn't blame the security community if it just threw up its hands and said:

        "Oh, what a horrible situation -- we could issue our own fix that we've written to help you out, MS -- it's ready to go, we know it works -- but due to the DMCA, Trusted Computing, numerous restrictive MS EULAs and the general legal climate you and other large proprietary software vendors have created, we are genuinely afraid to release our change, as it has required us to disassemble, reverse-engineer and generally do things that you would sue us for. Sorry. Good luck to your *own* patch team."

        Why, from a moral standpoint, should anyone help MS do their QA? They certainly have proven themselves willing to sue anyone for any number of reasons relating to reverse-engineering their code -- after all, their philosophy is that no one outside of their teams should know about the OS internals in this way.

        They can't have it both ways -- either welcome the users' rights to improve the system they paid for, or don't.

        (Yes, I realize that this patch was made to benefit the public in general, and to defend everyone's systems, not directly to benefit MS. But MS does get a free lunch out of this, in some respects.)
    • This has always been a problem with MSFT. They are usually several weeks or months behind on security bugs. I guess their new Security push is bringing it down to 1 week - or there abouts...
    • by PIPBoy3000 ( 619296 ) on Tuesday January 03, 2006 @03:16PM (#14386630)
      If you're curious as to what all they do, you can take a look here [eweek.com]. A sample quote from the article:

      In some cases, particularly when the Internet Explorer browser is involved, the testing process "becomes a significant undertaking," Toulouse said. "It's not easy to test an IE update. There are six or seven supported versions and then we're dealing with all the different languages. Our commitment is to protect all customers in all languages on all supported products at the same time, so it becomes a huge undertaking."
      • by antdude ( 79039 ) on Tuesday January 03, 2006 @03:38PM (#14386823) Homepage Journal
        According to this F-Secure's Web log [f-secure.com], it tells what is going wrong with the Windows Metafiles (WMF) vulnerability. It turns out this is not really a bug, it's just a bad design from another era. When Windows Metafiles were designed in late 1980s, a feature was included that allowed the image files to contain actual code. This code would be executed via a callback in special situations. This was not a bug; this was something which was needed at the time. The feature now in the limelight is known as the Escape() function and especially the SetAbortProc subfunction, and has been around since Windows 3.0, shipped in 1990...

        Seen on Digg [digg.com]. This Broadband Reports' security forum thread [broadbandreports.com] mentioned this as well.

        Copied and pasted from my AQFL Web site [aqfl.net].
        • A very interesting post indeed.
        • by wo1verin3 ( 473094 ) on Tuesday January 03, 2006 @05:27PM (#14387787) Homepage
          When can I expect a patch for Windows for Workgroups 3.11?
        • by mrsbrisby ( 60242 ) on Tuesday January 03, 2006 @05:50PM (#14387939) Homepage
          It's a bug because it doesn't have the .exe extension- if Microsoft tells us "don't download executables from untrustworthy sources" they mean .exe files- they don't mean .jpg files.

          Read the Fucking Back Story: This would be almost 0% issue if any of the following were true:

          1. MSIE/SHELLDOC used extensions or mime-types (MSIE) in determining what file format something was [[ This flaw is transparent to users: it can be in almost any file extension ]]

          2. MSIE/SHELLDOC had a feature like the mailcap file on UNIX which allows us to only list programs that can operate on untrustworthy files(!)

          3. The WMF magic was outside of a critical system component (that could simply be unregistered and removed)

          As a result, this is a very serious problem, and by playing Microsoft's tune about how "it's not that big of a deal", you're only making the problem worse.

          By the way, someone should (quick!) make some WMF files that use the AbortProc routines to disable printscreen and stuff when they're visible so they can sue MS for DCMA (copy protection circumvention) violations...
      • by greysky ( 136732 ) on Tuesday January 03, 2006 @03:48PM (#14386914)
        Our commitment is to protect all customers in all languages on all supported products at the same time, so it becomes a huge undertaking.

        So in other words, we won't release a cure for cancer until we have cures for all other diseases as well.
      • by Chief Typist ( 110285 ) on Tuesday January 03, 2006 @03:49PM (#14386928) Homepage
        This puts MSFT in an interesting position -- their official patch has to be tested on systems with the unofficial patch. Otherwise there's a possibility that the unofficial patch will break something in the official patch (or vice versa.)

        With the unofficial patch already deployed on thousands (millions?) of machines, it would be a big deal if something went wrong.

        God, I'd hate to be in Redmond right now...

        -ch
      • Bullshit. (Score:5, Insightful)

        by Anonymous Coward on Tuesday January 03, 2006 @03:50PM (#14386942)
        Testing?

        Even if it means, in contravention of best security practice and all possible "trustworthy computing", knowingly delaying an urgent, critical fix (which would be less troublesome than the first Shatter fix which was pushed out, and only disable a single GDI function that frankly hasn't been used since Windows 3.1 and should never have been used in the first place) for a publically-disclosed, unpatched vulnerability that had been discovered from a 0day exploit, for an indefinite amount of time over a public holiday period while the vulnerability is being "tested"?

        When there's realistically no possible way the different L10n's of Windows would affect the GDI32 core because it contains almost no l10n strings anyway, and the vulnerability is in fact a purposely-designed, never-used legacy "feature" that should definitely have been removed in Windows NT or during the Windows 2000 GDI rewrites, or noticed, say, during last months GDI audit?

        Despite Microsoft promising that the introduction of the Patch Tuesday would not preclude emergency fixes being issued out-of-cycle and as soon as possible for, ooh, say, critical core Windows vulnerabilities with an enormous number of possible vectors of infection, no effective mitigation and wide, dangerous exploits in the wild with a number of vulnerable machines easily capable of providing an ample breeding ground for supporting wide botnets or enormous worm infections?

        Which is exactly what has happened, as Windows has, frankly, just faced the worst single vulnerability in its entire history?*

        What the fuck are they doing, deliberately trying to breed another big internet worm?

        Sorry, but I'm calling bullshit. I'm a security researcher, and I'm really quite angry at Microsoft's piss-poor handling of this. They couldn't have done much worse if they'd heard about the bug and then have let MSRC take Christmas off anyway.

        This was not business as usual. This was an exceptional event (true 0days are actually quite rare to discover in the wild). It could not, and should not, have waited until the next patch cycle. This is exactly the kind of situation upon which a speedy mitigation - hours to days, but definitely not weeks - is absolutely critical, and we should demand that. They should AT LEAST have provided the (untested) hotfix themselves within a day, and pushed it out to Automatic Updates and Windows Update/Microsoft Update within the week after first discovery in the wild - not unrealistic goals for a vendor who wishes to paint themselves as "trustworthy".

        They should be brought to task on this one. Behaviour like this is what created the full-disclosure movement in the first place.

        * Yes, I'm going to say this one's actually worse than the various active remote vulnerabilities we've had over the years, like the UPnP vuln or the numerous RPC-related vulns. Those, you could at least block with a firewall. This, it's single-payload, multi-vector. It's got plenty of room to drop anything, it's capable of highly metamorphic exploit streams, can be fed online or offline, even spread on media, anything from email to a web page to a simple read-only directory listing or right-click, or uploaded to a site or blog, god help you, rendered inside MSN... the number of potential vectors is so numerous and troublesome it even makes analysis difficult; Windows disregarding filenames and extensions and MIME types and using magic sniffing instead, so you can't even block it effectively using a content-inspecting IDS - that's just the icing on the cake. This is a classic vulnerability, a real ticking Christmas present, a true textbook candidate.
        • Re:Bullshit. (Score:3, Interesting)

          by Pxtl ( 151020 )
          Of course, there's also another question with the WMF patch: many programs still allow exporting to WMF. There wasn't really much of a standard vector graphics format for win32 for a long time - iirc during my undergrad, I would frequently export my Matlab, Maple, and Autocad images to EMF before importing them into Word.

          Early on, I distincly remember using WMF, mostly because I assumed something with Windows in the name would have better support from Word and the operating system. Presumably other users
    • by bagboy ( 630125 ) <neo@nOSpam.arctic.net> on Tuesday January 03, 2006 @03:16PM (#14386631)
      Keep in mind that MSfts team must ensure compatibility with hundreds of programs before implementing patches. An independent developer who comes up with a patch doesn't. My 2 cents.
    • I would rather wait a few days to ensure this patch doesn't break anything else than receive a MS fix now that that causes more headaches than it fixes. I've been down that road way too often. I would image they are making sure everything is working the way it is supposed to before releasing it...
    • by chrish ( 4714 ) on Tuesday January 03, 2006 @03:17PM (#14386639) Homepage
      Presumably they do some sort of testing with their patches before they release...
      • the testing will be signed off as soon as the patch breaks one or more of the following: iTunes, Samba, GoogleDesktop, Palm Desktop... they only care about testing against their own applications, breaking third party programs in the process is a bonus, breaking old versions of ms apps while not breaking the latest versions is a double bonus... as it forces an upgrade
    • What's the liability for the 3rd party if their patch screws something up in a bad way? Zippo. That's (part of) the reason why it takes longer to put out an "official" patch.
    • Quite possible that the 3rd party patch doesn't fix *the* real problem (or all the problems)
      It's also possible that MS has found something else also in the same code that can leave them in an embarrassing situation in another week (This I guess is the 2nd issue with the wmf handling in 3 months) if they release just a hurried patch resolving only the problem we're seeing now. But whether or not they should be delaying it at the risk of letting customers face trouble (and gain bad publicity) is, I hope, give
    • They try to address some of this in the official advisory [microsoft.com]. (Paraphrased below)

      What about 3rd party solutions?
      Wait. MS'll patch it next week. We'll do it in 23 languages and thoroughly test it.

      Why is it taking so long?
      Our team of "designated product specific security experts" look at the problem, figure out how big it is, then how to fix, then fix it, then test the fix, then port it to all the affected platforms and languages.

    • The answer to your question should be fairly obvious to anyone who has worked for a software development company: quality assurance. Windows is an extremely large and complicated piece of software. Any changes must go through a rigorous testing process, probably using dozens if not hundreds of configurations. Otherwise, Microsoft risks releasing a patch which breaks a few thousand servers/desktops and brings their customers' businesses to a grinding halt.

      "Oops, sorry about that. We forgot to test the pa
    • by Sycraft-fu ( 314770 ) on Tuesday January 03, 2006 @03:27PM (#14386733)
      The actual root of the problem is in the GDI, which is what handles all basic interface display for Windows. The unofficial patch just disables the call that the exploit uses. Ok, fair enough, but that's a hack, not a fix. That means that anything that legitmately uses that call won't work, and the underlying problem is still there.

      Well, testing a fix for a system component like that takes time, espically since it affects a ton of versions.

      Now you might ask, why not release a hack fix, and then do a proper patch later? Well as it stands, it's hard enough to get people to update their systems. We fight with it all the time with people here at work. They turn auto updates off since they run simulations at night and don't want it rebooting (even though patch day is known ahead of time) and then never manually patch since they "can't be bothered".

      Well, if MS released a patch that broke things, that just makes that many more people stop patching. Remember all the whining and bitching about SP2. There were very few systems that had problems with it, and most that did were spywared to hell, but still there are tons of people that refuse to install it for fear that "it'll break my computer".

      Thus the offical patch takes time, as they have to test and make sure that the problem really is fixed, and no new problems were created with the fix. REgression testing isn't quick.
      • The problem is... (Score:3, Informative)

        by Svartalf ( 2997 )
        It's not that it's a GDI bug. It's a DESIGN MISFEATURE- the code does exactly what it's intended to do. The problem is that the feature is NOT secure, not a good idea on a system in the first place, and code and images shouldn't even be USING this thing.

        F-Secure's hack, and yes, it's a hack, is an adequate fix until MS gets their damn hole that's been lurking since Windows 3.1 fixed.
        • More importantly, any 3rd party program that incorporates the use of WMF should be redesigned. You can't fix a vulnerability caused by a data structure that is insecure by design and still try to allow programs using WMF to function as normal. The logical thing to do would be to remove WMF implementation from Windows--thus disabling any application that uses WMF and are essentially vectors for potential exploits, then leave it up to the various 3rd party application authors to fix their own design flaws, wh
    • interesting schemes into my mind

      Intresting Schemes = Microsoft's Trusted Computing, how trusting do you feel towards Microsoft now?

      Now excuse me while I take off my tin foil hat and place my head in the microwave set on high for 10 mins, so I can understand the Corp. BS thats going to come flying through the fan from MS's PR dept.

  • block wmf (Score:2, Interesting)

    by pizzaman100 ( 588500 )
    Why not just block wmf files at your corporate site? That would be easier than applying an unofficial patch on all the systems, and then having to roll it back when the official MS patch comes out.
    • Re:block wmf (Score:5, Informative)

      by NinePenny ( 856053 ) on Tuesday January 03, 2006 @03:18PM (#14386655)
      Its not just the extension that dictates that it's a WMF... Windows in its infinate wisdom also looks at the header bytes of the file and says "ohh! thats a WMF!" Execute! im in a damned hurry, hopfully I stated that correctly...ymmv
      • Re:block wmf (Score:5, Insightful)

        by Zathrus ( 232140 ) on Tuesday January 03, 2006 @03:46PM (#14386895) Homepage
        Its not just the extension that dictates that it's a WMF... Windows in its infinate wisdom also looks at the header bytes of the file and says "ohh! thats a WMF!"

        So, in other words, it does exactly the same thing Unix does for every single executable file.

        Do a man magic if you don't know what I'm talking about, and/or look into why scripts have that #! as the very first two bytes in order to work automatically.

        Windows has gotten bashed for years for relying on file extensions. Here they don't and they get bashed more! Ok, yeah, it's yet another example of deviation from expected behavior, but complain about that, not that they're finally trying to be smarter about files. Hell, most programs will now ignore file extensions and look at the file header -- it's hardly a MS only behavior.

        That said, MS's slackness on this issue is ridiculous. Yes, I know that they have to test a patch in a very large test environment to make sure nothing goes "boom", but in this case they would better serve their customers by simply disabling WMF support entirely until they can properly patch things. WMF is not a widely used format -- in the very few cases where it's actually being used you could simply not patch the computer and take appropriate actions to isolate that system. It would be a hell of a lot better than the current situation, especially given how nasty and widespread this exploit is.
        • Re:block wmf (Score:5, Interesting)

          by Shimmer ( 3036 ) on Tuesday January 03, 2006 @04:25PM (#14387245) Journal
          That's great, but it's all irrelevant. The HTTP 1.1 protocol says that a browser shouldn't try to guess the MIME type of a document if it's specified by the server. IE ignores this and tries to guess the MIME type anyway.

          Note the key difference between an OS (your example) and a browser (reality).
          • Re:block wmf (Score:3, Informative)

            by Shimmer ( 3036 )
            For those interested, here's the relevant portion of the spec [w3.org] (emphasis added):

            Any HTTP/1.1 message containing an entity-body SHOULD include a Content-Type header field defining the media type of that body. If and only if the media type is not given by a Content-Type field, the recipient MAY attempt to guess the media type via inspection of its content and/or the name extension(s) of the URI used to identify the resource. If the media type remains unknown, the recipient SHOULD treat it as type "application/

        • Re:block wmf (Score:3, Informative)

          by Yartrebo ( 690383 )
          It has to do with the MS Windows community expecting extensions to be used to link files to programs exclusively. There is no execute bit in their filesystems. Linux users don't have that mindset. A text file might end in .txt, but it is just as often without an extension. Executables have no extension and anything with .exe is obviously a Win32, Win16, or DOS executable. Linux users also expect data to NOT be given execute priviledges.

          I'm suprised virus writers waited until this millenium to finally exploi
          • Re:block wmf (Score:3, Insightful)

            by Zathrus ( 232140 )
            It has to do with the MS Windows community expecting extensions to be used to link files to programs exclusively

            And Linux users don't? Double click on a GIF/JPG/MP3/HTML/etc file in Konqueror or Nautilus (or the file manager of your choice) and what happens? Exactly the same as in Windows -- it launches the executable that's associated with the file.

            There is no execute bit in their filesystems.

            Yes there is. Admittedly, it's not used very much, and I don't expect that to change anytime soon. Not that it woul
        • So, in other words, it does exactly the same thing Unix does for every single executable file.

          No, if it did it exactly the same way UNIX did, then there wouldn't be a problem.

          UNIX only looks up magic headers with using the execve() system call, and not with open()- and only if the file is marked +x - and only if it's on a filesystem marked exec.

          So in other words, you don't know what you're talking about.

          One of the problems here is that Windows' rape victims cannot disable WMF support and continue using Wind
    • Because you can't simply match .wmf. It has to be a content match and is very cpu intensive
    • Re:block wmf (Score:2, Informative)

      A filter would be pretty easy to bypass, either by sending the wmf in a compressed file; or by renaming the extension.

      One could simply block all images, but your boss might be a little miffed when he can't conduct "Internet research".
    • Re:block wmf (Score:3, Informative)

      by Raato ( 36080 )
      How do you intend to block them? Block anything with extension .wmf? Isn't enough as the file will be identified and handled as wmf, no matter what the extension is.

      From http://isc.sans.org/diary.php?storyid=994/ [sans.org] you can find that "WMF files are recognized by a special header and the extension is not needed. The files could arrive using any extension, or embeded in Word or other documents."
    • Re:block wmf (Score:2, Insightful)

      Because Windows in its infinate wisdom looks beyond the filename and looks at the contents of the file, allowing the following:

      I save a hacked WMF on the webserver as HeaderPicture.jpg and link it into the webpage with an img tag it will be downloaded as a jpg file, and only then once it gets to my computer does it get handled using the internal WMF code.

      It would be easy to block WMF files on the border, but as you can see, not every WMF identifies itself quite so easily.

      To block it on the firewall, the IDS
  • Why not? (Score:2, Insightful)

    by engagebot ( 941678 )
    Why not have other people make the patches for you? For one, it works, and second, they didn't pay anyone to get it done. Hmm, this sounds familiar...
  • More details (Score:5, Informative)

    by anandpur ( 303114 ) on Tuesday January 03, 2006 @03:16PM (#14386627)
    Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution

    http://www.securityfocus.com/bid/16074 [securityfocus.com]
    http://www.microsoft.com/technet/security/advisory /912840.mspx [microsoft.com]
    http://www.symantec.com/avcenter/venc/data/pf/pwst eal.bankash.g.html [symantec.com]
  • by lilmouse ( 310335 ) on Tuesday January 03, 2006 @03:19PM (#14386669)
    We don't see 3rd parties doing patches for MS problems much :-) They joining the Open Source bandwagon yet?

    Ha, so much for such "features" - times have changed...

    --LWM
  • Not to trivialize the severity of this current problem, but ever notice that regardless of the severity or type of problem/virus/etc... there's allways a press release from F-Secure?

    Also, the quote in the headline is from F-Secure recommending installation of the 3rd party patch, not from ZDNet as the headline may lead you to believe.
    • They may be, but they have a very good series of releases on the problem - a lot of information. Compare that to other anti-virus, and you don't see much.

      No complaints.

      --LWM
      • I agree. I've been getting more, and better, and more frequent, information from F-Secure and the ISC [sans.org] than I have from MS.

        Also worthy of note is the ISC's latest comments [sans.org] on all this:

        And, somehow, as if by magic, all of this work will wind down at precisely the right moment so that the WMF patch doesn't have to be released "out of cycle." How convenient! Especially if you're wanting to avoid all of that nasty "Microsoft Releases Emergency Patch" publicity.

        FTR, I've applied the patch on about 35 c

    • by slavemowgli ( 585321 ) on Tuesday January 03, 2006 @05:40PM (#14387862) Homepage
      Huh? How'd get this modded Insightful? It's pretty much the opposite, actually - considering that F-Secure is in the business of security solutions, it's *expected* of them to uncover new problems, and I at least think it's *GREAT* that they decide to make the information available to everyone instead of just rolling it into the next update for their enterprise products.

      Think about it - they're doing good research, AND they're making it available for free, and you still criticise them for exactly that? You're not just looking the gift horse into the mouth, buddy, you're trying to paint the giver in a bad light for attempting to give it to you for free.

      Seriously, get a grip.
  • by Nom du Keyboard ( 633989 ) on Tuesday January 03, 2006 @03:23PM (#14386694)
    One gets the feeling that the MS programmer didn't want to come in over the New Year's holiday to work on some piece of legacy code from 1990 that he was handed several years ago when the last programmer whose responsibility it was, was promoted/left for Google. This latest programmer has never looked into this code before this last weekend.

    It may not have been anything like this at all, but this is the feeling one gets.

    One also wonders about the job security of the MS programmer who didn't get this fix out in a timely manner.

  • by LiquidCoooled ( 634315 ) on Tuesday January 03, 2006 @03:24PM (#14386703) Homepage Journal
    Its ok, I found th...!&^!")NO CARRIER
  • by zaliph ( 939896 ) on Tuesday January 03, 2006 @03:24PM (#14386712)
    Businesses are only going to respond to a problem by calling on the person/entity that is supposed to cover it, i.e. the one they're paying, Microsoft, in this case. They're not going to go around installing an independent patch willy-nilly on dozens of computers if it takes another day to get it from Microsoft. Many of these are small businesses without IT departments to advise them one way or the other. The important point here is that by waiting the extra day, a few of them are going to get burned badly and Microsoft will lose much of their trust.
  • MS workaround (Score:3, Informative)

    by Telepathetic Man ( 237975 ) on Tuesday January 03, 2006 @03:25PM (#14386715)
    The current official suggestion from MS is to limit problems is of course to unregister the related driver, shimgvw.dll.
  • by frankie ( 91710 ) on Tuesday January 03, 2006 @03:25PM (#14386718) Journal

    This article isn't anything like the one that I submitted.

    • 2006-01-03 17:15:05 No Microsoft WMF update until next week (Index,Windows) (accepted)

    Mine looked more like this (body content from memory):

    " The usual suspects [google.com] are reporting Microsoft's latest announcement about the WMF vulnerability (link to previous /. article). To quote (link to MS technet article): "Microsoft's goal is to release the update on Tuesday, January 10, 2006, as part of its monthly release of security bulletins." So do you install the unofficial patch (link to previous /. article), or cross your fingers for a week?"
    • by BushCheney08 ( 917605 ) on Tuesday January 03, 2006 @03:58PM (#14387025)
      Just further shows that the "editors" don't even "get" their roles as editors. Attributing words that weren't written to the submitter is not something they should be doing. Or if they do, they should use the standard square brackets to indicate that those words weren't said, but were what was implied. Changing the title is fine. Adding additional commentary or extra sources (as Zonk did with the 'From the ZDNet article' bit) is fine. Putting words in people's mouths is a HUGE editorial no-no.
  • Oh sorry, what I meant was Vista will have ever more voracious hardware requirements, 3-D widgets, DRM up the yin yang, 12 different versions so it runs on everything from the computer to the home theater to the microwave oven, bugs crawling out of everywhere from day one and the same broken piece of shit security model wrapped up in corporate hype and buzztalk for only 30% more retail cost than the version of Windows you're running today.

    Yeah that's what I meant to say. Sorry.
    • 12 different versions so it runs on everything from the computer to the home theater to the microwave oven

      Since we /.ers delight in hearing tales of the successful installation of Linux on any electronic device that will sit still for long enough, perhaps we shouldn't criticise Microsoft for attempting the same with their OS...

  • by Spazntwich ( 208070 ) on Tuesday January 03, 2006 @03:28PM (#14386744)
    will be to compare the Microsoft released patch to the unofficial one.

    It would be deliciously muddying for Microsoft if someone discovered significant parts of the unofficial patch in the official one.
  • FF users (Score:2, Informative)

    by naChoZ ( 61273 )
    Tip for Firefox users. Adblock extension, add filter, *.wmf, click Ok...
    • Not good enough... (Score:4, Informative)

      by rewt66 ( 738525 ) on Tuesday January 03, 2006 @03:50PM (#14386939)
      Not all WMF files have the .wmf extension. Some may have .bmp, .gif, .jpeg, or about a dozen others.

      I saw a list a few minutes ago, but I don't remember where...
      • by Aero ( 98829 )
        To elaborate, what makes a WMF a WMF is a few magic bytes at the beginning of the file. Windows sees these magic bytes and hands the file off to the GDI for processing, regardless of the extension. Hence the "M" in "WMF".

        It's being disguised as "safe" image files for easier transmission, since the more-awake folks have already blocked *.wmf at the gate. (As a challenge, can anyone see if calling it an HTML file works to trigger the exploit? Or find a site where it's been done?)

        And don't think that visiting
  • Patch download sites (Score:2, Informative)

    by Anonymous Coward
    here [redhat.com] here [netbsd.org] here [suse.com] here and here [freebsd.org]
  • avast (Score:2, Interesting)

    by game kid ( 805301 )
    One site (maybe one of ebaumsworld's ads, I believe--I won't link there) tried to do something with it. avast! [avast.com] alerted me with its usual "Caution. A virus has been detected" sound and "abort connection" dialog and all of that. Don't know if it succeeded (nothing unusual now, though my browser did show a naughtier site instead that time; I visited a few times again and it showed my intended site as usual, with much less naughtiness)
  • by Wilson_6500 ( 896824 ) on Tuesday January 03, 2006 @03:33PM (#14386788)
    Kirk: Fix the WMF hole!

    ...

    Let me guess: Tuesday?
  • by Fishstick ( 150821 ) on Tuesday January 03, 2006 @03:33PM (#14386789) Journal
    Microsoft (Research) said in a security bulletin on its Web site, "we are working closely with our antivirus partners and aiding law enforcement in its investigation."

    Cool - law enforcement is investigating Microsoft? About time!

    get a rope!
  • by nweaver ( 113078 ) on Tuesday January 03, 2006 @03:36PM (#14386809) Homepage
    Worse, in fact. There are SEVERAL ways, all well known, which could leverage this exploit to compromise millions of hosts in a matter of hours.

    The unofficial patch is 100% necessary. This is BAD folks.

    And if the evil people are smart, they'd have a very VERY nasty suprise come monday, when most people are still not patched and M$ hasn't released the official patch yet.
    • Yeah, riiigghhhttt... look, Nick, when the Warhol worm arrives [berkeley.edu], I might start worrying about this ;)

      On a hasty no-but-seriously note: are you suggesting WMF is wormable? I can't see how; an machine infected with a WMF worm would have to contact another vulnerable machine and somehow induce it into downloading an image file and parsing it. There was a rather feeble attempt at an IM worm over the weekend which fortunately seems to have fizzled, and I can't easily imagine other vectors. (Perhaps I have a we

  • Funny, I talked about this yesterday; how could a graphic cause something so severe? This is a picture [fak3r.com] So now an email, IM, webclick or maybe even a popup could kick off a payload from a graphic? I thought only new things would attack windows rep, as if all the old stuff had been discovered, but now, there's more and more daily!
  • Download (Score:5, Informative)

    by reconn ( 578681 ) on Tuesday January 03, 2006 @03:39PM (#14386827) Homepage
    If you want the patch itself, try here:
    http://isc.sans.org/diary.php?storyid=1010 [sans.org]

    Second time this story came up with no links to the patch.
  • Don't forget to watch the video, I have a link to it at the end of this article: This is a picture [fak3r.com] click on "watch it in action"
  • Read the Microsoft Security Article [microsoft.com] about it. It's basically a bunch of crap but they are saying:

    If you are a Windows OneCare user and your current status is green, you are already protected from known malware that uses this vulnerability to attempt to attack systems.

    My question in all of this is if it's fixed in this "OneCare" thing, then what's the difference in the rollout to everyone else? Please, God, tell me this isn't some stupid marketing ploy (the delay that is) to get more people on thi

  • by trollable ( 928694 ) on Tuesday January 03, 2006 @03:45PM (#14386892) Homepage
    The problem is so serious that security experts are urging IT firms to use the unofficial patch.

    Do I have to install Wine first?
    Please help!
  • by OneSeventeen ( 867010 ) * on Tuesday January 03, 2006 @03:48PM (#14386924) Homepage Journal
    Is it possible to use the .wmf exploit to install the .wfm exploit patch?

    It's good to see that Microsoft is keeping things consistent in this new year. As an administrator, I was worried I would have to learn something new. Rinse, lather, patch, repeat.
  • by doormat ( 63648 ) on Tuesday January 03, 2006 @03:53PM (#14386968) Homepage Journal
    Yesterday (Jan 2). All 1300+ computers got patched and rebooted. I'm patching my home computers tonight...
  • Comment removed (Score:5, Insightful)

    by account_deleted ( 4530225 ) on Tuesday January 03, 2006 @03:58PM (#14387018)
    Comment removed based on user account deletion
  • by rcw-work ( 30090 ) on Tuesday January 03, 2006 @04:22PM (#14387218)
    ...zero-day
    SETABORTPROC Escape
    Linux geeks are not afraid.

    IDS, thanks for playin'
    Unofficial patch burn
    World serves its own needs
    Dummy serve your own needs.

    Feed the news from ISC,
    Go insane
    The blogs all start to clatter
    With fear fight down height.

    Wire is on fire
    On a new years' holiday
    And the mafia for hire
    At a pharma site.

    Tuesday now it's coming in
    A hurry with the worries
    breathing down your neck.

    Team by team the coders baffled,
    trumped, tethered cropped.
    Feature? That's insane!

    Fine, then. Uh oh,
    A week 'till it's released to you
    But it'll do

    Unregister a DLL
    World serves its own needs,
    Patch this at your own speed
    Crummy packet capture
    And it's never quite
    Right, right.

    Admin now an alcoholic
    Can't take bright light
    Feeling pretty tired.

    It's the end of the world as we know it.
    It's the end of the world as we know it.
    It's the end of the world as we know it and I feel fine.
  • they found the Weapon of Mass Frustration
  • by WoTG ( 610710 ) on Tuesday January 03, 2006 @04:49PM (#14387457) Homepage Journal
    Will Windows Update be able to overwrite the unofficial patch when the official one is released? Does WU do a hash check of some sort to verify if the files that is is replacing are versions that it is allowed to replace?
  • by dtfinch ( 661405 ) * on Tuesday January 03, 2006 @05:15PM (#14387687) Journal
    The next big Windows worm will be unleashed on a Wednesday.
    • Nah, tactically speaking, I'd assume that it's best to release a mega-worm about a week and a half to two weeks before patch day. The reason why is simple: if you release it too early and it's bad enough, Microsoft will break stride and release a patch early. On the other hand, if the time to develop a patch and test it (I'm guessing around a week to a week and a half, depending on the difficulty of the patch) is within four or five days of Patch Tuesday, Microsoft is politically better off waiting until Tu

  • by Phatmanotoo ( 719777 ) on Tuesday January 03, 2006 @06:31PM (#14388259)
    Like antdude [slashdot.org] said above, the real problem with this is that the exploit affects something which is actually a feature of WMF files. A feature which is used by certain apps.

    I have witnessed first hand how Guilfanov's unofficial patch [hexblog.com] will break some legaccy apps. The one in question was a 16-bit app (based on Access 2.0). After applying the patch, it was impossible to print some forms (we received an error). Sure, we uninstalled the patch and printing was OK again.

    So therefore the interesting thing about the upcoming Microsoft patch is, how are they going to patch the hole without breaking the legitimate uses of the affected gdi functions???

  • by ScaryFroMan ( 901163 ) <scaryfroman@hotmail. c o m> on Tuesday January 03, 2006 @10:04PM (#14389392)
    Got it from some professor at "Yale." The link opens up some WMF file, or at least it tried to, when Firefox asked me what program to open it with. MacAfee caught it then too. A txt file was attached. Beware, I suppose. Here's the full text.

    Hello,

    We are very sad to say that over the New Year the Campus was subjected to several acts of mindless vandalism. As well as bricks being thrown through windows, several members of staff have reported their cars as being the subject of practical jokes. Some of these cars were filled with water whilst others had graffiti daubed across them. We have uploaded the pictures of the graffiti here http://playtimepiano.home.comcast.net/ [comcast.net] in the hope that someone may recognise the culprits work. If anyone can shed any light on this unfortunate incident could they please contact the main office as soon as they have time.

    Many Thanks & Best Regards,

    Professor Robert Gordens

    Yale

"Trust me. I know what I'm doing." -- Sledge Hammer

Working...