
Trustworthy Computing

Hemos posted more than 8 years ago | from the how-to-solve-these-issues dept.

Windows 465

Anonymous Coward writes "This is a first: the Internet Storm Center is recommending trustworthy computing. They want you to trust the unofficial patch for the Windows Metafile Volunerability that is currently being exploited by an IM worm. No patch from Microsoft at this time, and the exploit is arranged in such a manner that it cannot be detected by most intrusion detection systems (the snort rule will peg the CPU on your router) nor filtered by packet-inspecting firewalls (it spans two or more ethernet frames). Not really a whole lot of choice about this one."


465 comments

Some won't (5, Insightful)

SavoWood (650474) | more than 8 years ago | (#14378301)

As it says in the article, some people in the corporate world won't do it if the patch didn't come from MS. It's sad, really. If I had an exploitable machine around, I would trust their patch.

Is it just me (2, Insightful)

goombah99 (560566) | more than 8 years ago | (#14378372)

or is the original headline post for this thread written in gibberish enhanced by misappropriation of terms and conflation of concepts? How is trusting the unofficial patch conceptually related to "trustworthy computing" and why should packet spanning make it invulnerable to filtering?

Re:Is it just me (-1, Flamebait)

Anonymous Coward | more than 8 years ago | (#14378405)

You're just a high-falootin' nut job that expects complete sentences from /. editors! Your /. ID is high enough to know that's just not what you get here. WTF?

Oh, and the story is complete garbage. Must have the second string working today...

Re:Is it just me (3, Insightful)

BushCheney08 (917605) | more than 8 years ago | (#14378427)

It's a thing called sarcasm. MS are the ones pushing "trustworthy computing" but are showing that at a time like this, they can't be trusted to do the right thing.

You're right (1)

Pac (9516) | more than 8 years ago | (#14378429)

The title comes directly from the ISC's Handler's Diary post [sans.org] that uses it as a joke, to reflect the fact that they will ask people to trust them on this one. Quote: "I find myself in the very peculiar position of having to say something that I don't believe has ever been said here in the Handler's diary before: 'Please, trust us.'"

Re:Is it just me (3, Interesting)

abirdman (557790) | more than 8 years ago | (#14378470)

You are absolutely correct, sir. This article has absolutely nothing to do with "trustworthy computing" (aside from the use of the word "trust"). It is perhaps interesting that the headline was enough to persuade me to read the summary, and click the link to the story. Maybe, in some strange way, they're demonstrating how the exploit works.

Re:Some won't (1)

Jugalator (259273) | more than 8 years ago | (#14378397)

It's sad, really.

Yes, definitely if this was an open source system.

It can be discussed whether it's sad or smart to wait for someone with insight in the closed code to fix it.

If I had an exploitable machine around, I would trust their patch.

I may just have chosen to suffer from using a slightly crippled OS (i.e. no workie Fax & Picture Viewer, etc) by unregistering the DLL until it's fixed.

Re:Some won't (1)

grasshoppa (657393) | more than 8 years ago | (#14378482)

I may just have chosen to suffer from using a slightly crippled OS (i.e. no workie Fax & Picture Viewer, etc) by unregistering the DLL until it's fixed.

And even better, it's an easier work around ( which is all this unofficial patch is ) in a large environment. AD, made a script to disable the dll, and bam! One reboot later, work around implemented.

Re:Some won't (0)

Anonymous Coward | more than 8 years ago | (#14378528)

RTFA: it is not enough to unregister the DLL.

Re:Some won't (3, Informative)

NoMercy (105420) | more than 8 years ago | (#14378537)

They recommend both deregistering and applying the 3rd party patch; if some 3rd party application loads the DLL directly, unregistering it won't help.

I'm a trusting person, and if ISC and F-Secure's lab both recommend it, I don't mind applying it. I'd trust their code more than MS's :)

Re:Some won't (0)

Anonymous Coward | more than 8 years ago | (#14378407)

This slashdot summary is gibberish. The article says you should not rely on Microsoft to fix the bug quickly enough, and that it is a disaster waiting to happen... and that the ISC is more trustworthy so you should follow their advice.

End of story.

Not an excuse (-1, Flamebait)

TheBoostedBrain (622439) | more than 8 years ago | (#14378303)

Trustworthy computing is the worst idea ever. Just use Linux.

Re:Not an excuse (-1, Troll)

Anonymous Coward | more than 8 years ago | (#14378488)

What is it about the fresh smell of a new year, and an unpatched MS vulnerability, that brings out the linux fanbois? Can't we just send them links to the latest kernel sources, or maybe the new x.org release? That should keep them busy enough to leave the rest of the world alone for a while.

Over/Under (3, Insightful)

chrisgeleven (514645) | more than 8 years ago | (#14378307)

What is the over/under for Microsoft getting a patch out for this?

If there is a time to deviate from their monthly patch cycle, this is it. The patch should have been out days ago, yet we are still waiting.

And Microsoft wonders why no one takes their security promises seriously.

Holidays! (1)

antdude (79039) | more than 8 years ago | (#14378530)

I think the problem is the timing: Holidays. However, I do agree that MS people should be called in to work on this serious patch. I can't wait to see the messy outcomes tomorrow (back to work, school, etc).

Sure, people need lives (e.g., vacation, time off, etc.). Just reimburse those later on (if not, then the employer isn't good). They really need to get this fixed, tested, and released ASAP. So far, MS is not doing a good job, as usual. :(

Shame (5, Funny)

Jonnty (910561) | more than 8 years ago | (#14378310)

It'd be nice to have a computer that I can use the patch on.. Maybe I can Wine it?

Re:Shame (-1, Troll)

Anonymous Coward | more than 8 years ago | (#14378339)

let the linux circle jerk begin.

"Mommy, noone pays attention to me"
"Go badmouth Microsoft on slashdot, dear"
"Good idea mommy!"

Re:Shame (1)

Janek Kozicki (722688) | more than 8 years ago | (#14378340)

if not wine it, then just whine at it ;)

Re:Shame (2, Funny)

Grey Ninja (739021) | more than 8 years ago | (#14378514)

Yeah, when I heard about that WMF security vulnerability, I was up half the night trying to get it working in Wine, so that I could have the genuine Windows experience. But to no avail. It just didn't work. Maybe this patch will fix that?

Sometimes I think they do it on purpose (5, Insightful)

User 956 (568564) | more than 8 years ago | (#14378315)

Sometimes, I really start to think that security is so poor in commercial operating systems, because they want to use protection from all these exploits as the bait to get us into the "trusted computing" cage.

Trusted computing is a farce, because the one thing that *isn't* trusted, is the user.

Re:Sometimes I think they do it on purpose (0)

Anonymous Coward | more than 8 years ago | (#14378358)

"Trusted computing is a farce, because the one thing that *isn't* trusted, is the user."

Nor the vendor, apparently.

Well the truth is.... (5, Insightful)

ciroknight (601098) | more than 8 years ago | (#14378474)

..that if we all were running "trustworthy" computers, this problem would be much, much worse than it is now. Imagine that now instead of having a patch that's already been made by someone else while we sit and wait for Microsoft to get off their asses, we now have to wait on Microsoft, who still hasn't shown up.

Instead of having *some* machines patched, we'd have none. This late after the exploit has been released, and a zero-day attack has happened, we'd see no respite.

If you try to argue that Trustworthy computers wouldn't allow this to be exploited, what if the trustworthy component itself was exploited? As the Xbox and soon the Xbox 360 have shown, the more complex the hardware, the more complicated the bugs are. Microsoft's betting that the hardware complexity can outgrow the programmer's abilities to crack it, but if there's any truth in the world, it's that if it can be engineered, it can be destroyed. So imagine if this virus was actually signed by Microsoft through the exploit. How would this look for their company? How can you save face from a disaster like that?

No, trusted computers aren't the answer, just more secure computers, with better code. And the fact of the matter is, the more eyes that are on the code, the better it is, and that's why Open Source will always succeed. No amount of cryptography will help you if there's a hole in your crypto system.

Re:Sometimes I think they do it on purpose (1)

JulesLt (909417) | more than 8 years ago | (#14378547)

Hmm, care to name any other commercial OS known for poor security / response to security issues? Solaris, OS-X, BeOS?

What's wrong with... (0)

Anonymous Coward | more than 8 years ago | (#14378320)

...just disabling the offending .DLL. I mean it's not like people are actively using MS image viewer. There are plenty of better products.

Re:What's wrong with... (2, Informative)

chrisgeleven (514645) | more than 8 years ago | (#14378326)

Yeah because 98% of PC users know how to disable the offending DLL. Heck, 98% of PC users don't even know what a DLL is.

Re:What's wrong with... (0)

Anonymous Coward | more than 8 years ago | (#14378349)

Are those users the target audience for this site? No? Then why are you here?

Re:What's wrong with... (4, Insightful)

Claire-plus-plus (786407) | more than 8 years ago | (#14378383)

Of course they don't know what a DLL is. Windows has been marketed as a consumer OS; it was designed to be used by people without a clue. By default you can't even see the DLLs. People shouldn't need to have IT qualifications to use a computer, it should be secure enough for them to use it. What you are suggesting (to use a car metaphor and probably get flamed for it) is that people should need to strip and reassemble an engine to get a driver's licence.

Re:What's wrong with... (0)

Anonymous Coward | more than 8 years ago | (#14378396)

Yes, they could do all of that, or as said a zillion times, they could just get a Mac.... This type of exploit would be very difficult to replicate on OSX/Unix/Linux/BSD

Re:What's wrong with... (1)

Jugalator (259273) | more than 8 years ago | (#14378525)

People shouldn't need to have IT qualifications to use a computer, it should be secure enough for them to use it.

Yeah, I wonder when we'll see such an OS though. Usually it involves tradeoffs for security at the cost of features; something big businesses often aren't very interested in. I feel all popular *nix OS'es are out of the picture still, but they may be getting there, perhaps in the generation of distributions to follow Ubuntu. Ubuntu still means considerable digging on forums if you want to do something "advanced", such as connecting a special peripheral. Not the fault of the distro or OS per se, but of the support. Still, that doesn't make it less of a problem. Is OS X perhaps closer to this vision? Or is that just because it's less common, and not something we can credit the OS itself for being?

Re:What's wrong with... (1)

kuzb (724081) | more than 8 years ago | (#14378414)

So perhaps instead of using this as another opportunity to post your sig with the stupid referral link, you could explain to them how it's done.

Re:What's wrong with... (-1, Flamebait)

chrisgeleven (514645) | more than 8 years ago | (#14378440)

Cry me a river.

I was posting because I was adding something to the conversation, not because I have a referral link in my sig.

How about instead of bitching about another user, YOU help out and post how unregistering the DLL is done.

Re:What's wrong with... (1)

kuzb (724081) | more than 8 years ago | (#14378501)

OK, start->run->cmd.exe

In the console window, type 'regsvr32 /u shimgvw.dll' without the quotes and press enter. You will see a notice telling you that the DLL has been unregistered.

That's adding something to the conversation BTW. Do us a favour and quit trying to use slashdot for your own profitable gain.

Re:What's wrong with... (2, Interesting)

Cobralisk (666114) | more than 8 years ago | (#14378509)

They don't have to.

1. Write a 1 line .bat file that does the deed for the cluefully challenged.
2. Package and publish as a Hotfix and push to Windows Update.
3. ???
4. Profit!

"98%" of PC Users don't know how a patch works any more than they know how to disable a DLL. I'm sure they don't even know how scheduling works. Shockingly, the inner workings of a computer are as mysterious to the average user as a woman's body is to a slashdot reader. We should all just give up on them, because we don't need Joe Sixpack to drive the tech economy so we can actually afford to have computers and affordable bandwidth. Just tell them to put it back in the box, return it to BestBuy, and tell the clerk they're too fucking stupid to own a computer. The GP post suggested a method that apparently works for disabling the vulnerability. This information is useful to the slashgeeks who will end up servicing the computers of friends, family, and co-workers one way or another. A quick heads-up now on this saves a few hours later when after some porn surfing (it just popped up and it wouldn't let me close it) or email attachment (I didn't open it) you end up removing the worm and all the damage it did anyway.

Re:What's wrong with... (3, Informative)

forsetti (158019) | more than 8 years ago | (#14378374)

Reading the article, the ISC (and a few others) say that you *should* disable the DLL. There are two ways, with caveats, listed:
* Unregister the DLL: some apps may actually reregister the DLL.
* Rename/Delete: make sure XP File Protection is off, otherwise it will be replaced. Also, some apps may behave badly.

So, disabling the DLL is a *good* idea -- but may not be a complete solution by itself.

Re:What's wrong with... (1, Funny)

Anonymous Coward | more than 8 years ago | (#14378423)

you... actually... _READ_ the article?!!!

*faints*

Re:What's wrong with... (4, Interesting)

MikaelC (584630) | more than 8 years ago | (#14378519)

It may not be enough.

From http://www.viruslist.com/en/weblog?discuss=176892530&return=1 [viruslist.com]:

"... Going back to the wmf vulnerability itself, we see number of sites mention that shimgvw.dll is the vulnerable file. This doesn't seem correct as it's possible to exploit a system on which shimgvw.dll has been unregistered and deleted. The vulnerability seems to be in gdi32.dll... "

"the snort rule will peg the CPU on your router" (0, Redundant)

iBod (534920) | more than 8 years ago | (#14378325)

What?

Could someone elucidate please?

Re:"the snort rule will peg the CPU on your router (5, Informative)

PenguinOpus (556138) | more than 8 years ago | (#14378393)

I believe this is because _any_ image is vulnerable to infection. Because Microsoft checks the header for every image file and treats it as WMF if the header matches, all jpegs, gifs, and pngs are potential vectors for the disease. A router that has to inspect _every_ image that is surfed by users behind it will immediately turn into a bottleneck.

A couple of the other comments here seem to miss this very important point:

It's not just files with ".wmf" at the end. Any image file will get unwrapped by Microsoft code and the callback will get executed. Woof.

Re:"the snort rule will peg the CPU on your router (2, Informative)

Anonymous Coward | more than 8 years ago | (#14378512)

It's not just files with ".wmf" at the end. Any image file will get unwrapped by Microsoft code and the callback will get executed.

Yes. You see, when the HTTP 1.1 protocol was being developed, they made it a solid rule - you MUST NOT GUESS the content-type when it's supplied.

Anybody want to hazard a guess as to what Internet Explorer and everything that uses its rendering engine does? Yep, that's right, it ignores the standard and guesses.

That means that instead of having to check <1% of images going through your firewall/proxy (WMFs and unlabelled content), you have to check 100% of them. Heck of a job, Billy-boy!

Re:"the snort rule will peg the CPU on your router (1)

peterpi (585134) | more than 8 years ago | (#14378395)

Sounds like an nth complexity binary loop [google.co.uk] sort of problem to me.

Not really a whole lot of choice about this one. (0, Troll)

halleluja (715870) | more than 8 years ago | (#14378327)

Not true.

SPI Aren't meant for this type of filtering... (2, Interesting)

PPGMD (679725) | more than 8 years ago | (#14378332)

SPI firewalls aren't meant for application filtering, on my company servers I just blocked WMF files at the Exchange server, and set our ISA Servers to block WMF from websites also. Company policy already blocks the various IM clients.

I imagine that I could push out the deregistering fix, and associating WMF with Notepad, but that seems a little extreme because our attack vector has become limited, and our anti-virus is now updated with the newest signatures that detect this exploit.

Re:SPI Aren't meant for this type of filtering... (0)

Anonymous Coward | more than 8 years ago | (#14378355)

How are you detecting the WMF files? I hope it's not just by file extension, as it can also be exploited using .jpg - http://www.f-secure.com/weblog/archives/archive-012006.html#00000759 [f-secure.com]

Re:SPI Aren't meant for this type of filtering... (0)

Anonymous Coward | more than 8 years ago | (#14378365)

You are correct, SPI Firewalls are useless against this attack. What you are unaware of is that so are Network IDS and AntiVirus. The variants are so different that the A/V vendors can not keep up. Disabling the .DLL is also not a fool-proof method of preventing the worm, as the .dll is easily re-enabled. Defense in Depth is your only option, and yes, that includes trusting the ISC incident handlers and the community developed patch as one of the layers of defense. MS is working on a patch but the earliest reported date for release is still several days away. New delivery methods are already working to push this exploit deeper into the world - now worms are actively pushing this exploit. This is a serious situation and should be treated as such.

Re:SPI Aren't meant for this type of filtering... (5, Informative)

grenthal (822245) | more than 8 years ago | (#14378384)

FTFA

* Should I just block all .WMF images?

This may help, but it is not sufficient. WMF files are recognized by a special header and the extension is not needed. The files could arrive using any extension, or embedded in Word or other documents.

Re:SPI Aren't meant for this type of filtering... (1)

Pac (9516) | more than 8 years ago | (#14378392)

You may not be out in the open - from what I gather, the exploit can use any extension and Windows will recognize the Metafile from the headers (ie, even if it is disguised as a .gif or .jpg). So it would be wise deregistering the dll for the time being.
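Several posts above (PenguinOpus on every image being a potential vector, grenthal quoting the ISC FAQ, Pac here, and the Anonymous Coward noting that IE sniffs content instead of honouring the declared Content-Type) make the same point: a metafile is recognised by its header, not by its name. Here is an added example of a small checker that applies that logic from the defender's side. It is not code from the ISC diary, from Ilfak Guilfanov's patch, or from any commenter; it assumes only the two public WMF header layouts (the 0x9AC6CDD7 placeable key, and the standard header of FileType 1 or 2, HeaderSize 9, Version 0x0100 or 0x0300), and every sample payload in it is constructed for the demonstration.

```python
import struct

# Format facts (not page-specific values): the Aldus placeable WMF header begins
# with the 32-bit key 0x9AC6CDD7 stored little-endian; a standard WMF header is
# three 16-bit words: FileType (1 = memory, 2 = disk), HeaderSize (9 words),
# Version (0x0100 or 0x0300).
PLACEABLE_WMF_KEY = b"\xd7\xcd\xc6\x9a"

# Magic numbers of the formats a proxy or mail filter would expect behind the
# common image extensions / MIME types.
KNOWN_MAGIC = {
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
}

# Map extensions and MIME types onto the same format names so that the label a
# file carries can be compared with what its bytes actually are.
EXT_TO_FORMAT = {".jpg": "jpeg", ".jpeg": "jpeg", ".gif": "gif", ".png": "png", ".wmf": "wmf"}
MIME_TO_FORMAT = {"image/jpeg": "jpeg", "image/gif": "gif", "image/png": "png",
                  "image/x-wmf": "wmf", "image/wmf": "wmf"}


def is_wmf(data: bytes) -> bool:
    """True if the bytes start with either WMF header, whatever the file is called."""
    if data[:4] == PLACEABLE_WMF_KEY:
        return True
    if len(data) < 6:
        return False
    file_type, header_size, version = struct.unpack("<HHH", data[:6])
    return file_type in (1, 2) and header_size == 9 and version in (0x0100, 0x0300)


def sniff_format(data: bytes):
    """Classify by content only; returns a format name or None if unrecognised."""
    if is_wmf(data):
        return "wmf"
    for name, magics in KNOWN_MAGIC.items():
        if any(data.startswith(m) for m in magics):
            return name
    return None


def assess(filename: str, content_type, data: bytes) -> dict:
    """Compare what the bytes are with what the name and Content-Type claim.

    The Content-Type wins over the extension when present, mirroring the HTTP
    rule the thread mentions; 'block' is a policy decision to hold every
    metafile regardless of its label, since the extension proves nothing.
    """
    actual = sniff_format(data)
    ext = filename[filename.rfind("."):].lower() if "." in filename else ""
    mime = (content_type or "").split(";")[0].strip().lower()
    claimed = MIME_TO_FORMAT.get(mime) or EXT_TO_FORMAT.get(ext)
    return {
        "actual": actual,
        "claimed": claimed,
        "is_wmf": actual == "wmf",
        "mismatch": claimed is not None and actual is not None and claimed != actual,
        "block": actual == "wmf",
    }


# Constructed sample payloads (headers plus padding only; not real files).
SAMPLES = [
    ("holiday.jpg", "image/jpeg", b"\xff\xd8\xff\xe0" + b"\x00" * 16),   # genuine JPEG
    ("holiday.jpg", "image/jpeg", PLACEABLE_WMF_KEY + b"\x00" * 18),     # WMF labelled as JPEG
    ("chart.gif", None, b"\x01\x00\x09\x00\x00\x03" + b"\x00" * 12),     # standard WMF header, .gif name
    ("logo.png", "image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8),       # genuine PNG
]


def run_samples():
    """Assess every constructed sample; returns one verdict dict per sample."""
    return [assess(name, ctype, data) for name, ctype, data in SAMPLES]


if __name__ == "__main__":
    for (name, ctype, _), verdict in zip(SAMPLES, run_samples()):
        print(f"{name:12} {str(ctype):12} -> {verdict}")
```

The checker only looks at the first six bytes, so it is cheap enough to run on every image passing a proxy, which is exactly the cost the "snort rule will peg the CPU" remark refers to: once the label cannot be trusted, every object has to be inspected, not just the ones ending in .wmf. A metafile embedded inside another container (the Word case the ISC FAQ mentions) would need the container to be opened first; this example does not do that.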

It goes without saying (5, Interesting)

ZerocarboN (415676) | more than 8 years ago | (#14378335)

FTA:
You cannot wait for the official MS patch, you cannot block this one at the border, and you cannot leave your systems unprotected.

This has always been the case with Windows, if I'm not mistaken.

Shows how much MS cares for its customers. (5, Insightful)

Anonymous Coward | more than 8 years ago | (#14378336)

How many late nights, allnighters, and missed holidays have you experienced, thanks to things like ILOVEYOU and Slammer? How many times have you had to clean up the mess created by Microsoft's shitty, unsecure software?

Clearly Microsoft wasn't interested in calling people in over the holidays to whip up a patch for this critical vulnerability-- something that you could go in a couple hours early tomorrow and roll out to the PCs in your organization. They're going to let you suffer. And why should they care? They've already got the money of the company you work for. People are going to return from their holiday vacations tomorrow, load the wrong web page in IE, and get pwned. And you'll be left to clean up the mess. Again. Better pack an extra sandwich with your lunch tomorrow, because you probably won't be getting out at 5.

Re:Shows how much MS cares for its customers. (1, Funny)

Anonymous Coward | more than 8 years ago | (#14378371)

How many late nights, allnighters, and missed holidays have you experienced, thanks to things like ILOVEYOU and Slammer? How many times have you had to clean up the mess created by Microsoft's shitty, unsecure software?

None. I've had plenty of all-nighters, late nights and missed holidays because of Linux though.

Re:Shows how much MS cares for its customers. (2, Funny)

A beautiful mind (821714) | more than 8 years ago | (#14378422)

Yeah, but not everyone can be you, Linus...

Re:Shows how much MS cares for its customers. (0)

Anonymous Coward | more than 8 years ago | (#14378428)

Haha - ZING!

Programmers? (4, Insightful)

Claire-plus-plus (786407) | more than 8 years ago | (#14378346)

Windows has produced a datatype that allows people to place executable code into image files? How can they call themselves programmers? Seriously, whoever engineered the WMF format should be ashamed.

Re:Programmers? (0)

iBod (534920) | more than 8 years ago | (#14378382)

Sadly the CPU architecture in question does not distinguish between data memory and instruction memory, so it's possible to overwrite a return address on the stack (let's say) and have the CPU fetch the next instruction from some arbitrary memory location. If a data file is loaded into the working address space, then it's fair game for executing.

Not so much an MS problem as an x86 problem IMHO.

Re:Programmers? (1)

Claire-plus-plus (786407) | more than 8 years ago | (#14378403)

I am aware of that type of exploit, but that's not what I was talking about. For an exploit like the one we are facing to work, the metafile holding the image would have to actually run a program, because if the image is placed into memory by another program it wouldn't be able to overwrite any addresses (because the program storing the image in the stack chooses its address).

If I read the article properly it is saying that windows has metafiles that can contain code, but can be used as images. That is bad engineering.

Re:Programmers? (0)

qodfathr (255387) | more than 8 years ago | (#14378502)

I do not believe you are reading it correctly.

There is a system DLL (code) which processes the metadata of images (say, to create a preview thumbnail). A buffer overflow in the DLL is the root cause of the problem -- the buffer overflow gets exploited by placing executable code in the metadata of the image. There is not an 'EXEC' segment type in the metadata specification itself, if you will. It's more like 'put this really long ImageSubject in the metadata with these special magic bytes at the end, and then place this executable code over here in the image file, and voila, you can exploit the overflow.'

Re:Programmers? (2, Interesting)

iBod (534920) | more than 8 years ago | (#14378541)

Agree with you there C++, but this kind of sloppy design/coding would not be possible with an architecture that implemented memory protection at the hardware level.

IBM mainframes were able to designate the usage of 'pages' or 'frames' of memory by using 4-bit 'storage keys' in the mid 1960s!

You requested the storage in a specific key (in your own address space) and any program accessing that storage with a different key. The ability to change storage key was strictly controlled by OS privileges and any program violating that rule would immediately die with a 'storage protection' exception.

The guys at Intel in the late 1970s didn't consider things like that - if they ever knew about them - as they were mostly IC designers, not proper computer architects.

I think the Motorola 68000 series was following in the footsteps of the IBM S/3x0 mainframe CPU architecture but never quite got there.

Re:Programmers? (1)

jimktrains (838227) | more than 8 years ago | (#14378391)

I can't tell from the 3 sentences if you are joking or not. Executable code can be placed in ANY file (.doc, .jpg, .wmf, .anything) and if you can get it into the right place, it will run. Windows (and I would venture many OSes, to an extent) do not place restrictions around what is data and what is executable. To the OS it's all a string of bytes.

Re:Programmers? (1)

Claire-plus-plus (786407) | more than 8 years ago | (#14378495)

You can place executable code in any file. The problem is executing it. That is, operating systems don't "execute" text files. If you place a text file into memory the program that reads text files reads it and assumes it's all text. I am perfectly aware that to the CPU and the OS it's all the same thing, but the operating system keeps track of the memory locations of running processes. It is impossible for a data file to run executable code because it is not a process. To run the executable code in a data file something has to either tell the scheduler to run it or copy the code over a process that is already on the list.

Windows has a unique problem in that it has data formats that are runnable as scripts. That is bad engineering. It was also done intentionally. That was bad.

Re:Programmers? (1)

daboochmeister (914039) | more than 8 years ago | (#14378550)

Uhh ... can you say "Postscript"? They didn't invent the idea of embedding code as part of graphic/print rendering.

Unless you're willing to say that everyone involved in engineering Postscript should be equally ashamed (and maybe you are).

I deployed it (4, Informative)

rylin (688457) | more than 8 years ago | (#14378352)

Today was supposed to be my fifth vacation day this christmas.
I've had two; and decided to come in to the office today to make sure we were patched up against the exploit.

Yes, I took the plunge.
The patch is now deployed in our small office (30 windows PCs atm); and so far so good.
Would I have felt safer if the sourcecode was released? Perhaps.

That said, I'd rather take the ISC's word on the fix than have a guaranteed hell within a couple of days.
The dedication of the people involved with ISC, as well as that of Mr. Guilfanov brightened my start of the new year.

Kudos, people.

Re:I deployed it (4, Informative)

tsvk (624784) | more than 8 years ago | (#14378454)

Would I have felt safer if the sourcecode was released? Perhaps.

But the source code is released, too. The installation package should have copied it into the "WindowsMetafileFix" folder under the "Program Files" folder.

Sourcecode IS available (0)

Anonymous Coward | more than 8 years ago | (#14378478)

Here [hexblog.com].

TFA conclusion is BS (1)

prgrmr (568806) | more than 8 years ago | (#14378364)

Not really a whole lot of choice about this one

Sure there is. Don't use MSN to IM, for starters. Don't open e-mail from senders you don't recognize. Don't click on hyperlinks in e-mail without verifying that the URL is really what the text states it is. And if you are in a corporate setting and the Network Admin hasn't blocked IM, you've already got bigger problems to worry about.

Re:TFA conclusion is BS (1)

X-chan (782883) | more than 8 years ago | (#14378536)

You don't really think all users would investigate email senders and links before clicking, do you? This flaw is pretty bad because an image is like the ideal vector for a nasty piece of code. Images can be embedded in a bunch of things, making it a pain to filter them out. Being careful with what you open/click on is a good policy for aware individuals. However, with a large group of average users, some shit *will* slip in one day or another. Either you take the risk to use an unofficial patch, or you take the risk to wait for the official patch while the flaw might get happily exploited in your network. And while I loathe the thought of using an unofficial fix because someone said "hey use it, it's good and secure" without any consistent proof, it still might be better than watching my network turned into an army of zombies.

patch here (0)

Anonymous Coward | more than 8 years ago | (#14378366)

Since the only link to the patch appears on the SANS front page (and not on the blog page for some reason), here's a copy of it. [sans.org]

MD5: 14d8c937d97572deb9cb07297a87e62a

Haha! (3, Funny)

Trip Ericson (864747) | more than 8 years ago | (#14378367)

Saturday's word was "transferbangle." Today's word is "volunerability." I wonder what tomorrow's word will be!

Patch tuesday? (1)

Mathiasdm (803983) | more than 8 years ago | (#14378370)

I'm still not sure myself whether or not I will install this unofficial patch.

Reasons for not installing it:
- I'm behind a router and use a firewall, virus scanner and several anti-spyware programs.
- I don't visit any suspicious websites (though this is probably not limited to 'suspicious' websites).
- I use Firefox for browsing, which (if I remember correctly) is not directly affected, unless you accept to run the .wmf-file.

My possible reasons for installing this patch beforehand:
- I don't know if the virus scanner and anti-spyware programs will pick this up in time.
- I have exams in two weeks from now. I don't have the time to spend hours on end to remove crap like this (and yes, I do have time to type this message :-P ).

Oh, and patch tuesday, is that tomorrow or next week?

Re:Patch tuesday? (0)

Anonymous Coward | more than 8 years ago | (#14378492)

Given your reasons for not installing it, I highly recommend you actually read the article.

Re:Patch tuesday? (1)

ciroknight (601098) | more than 8 years ago | (#14378549)

Reasons you should install it:
- You refuse to (or can't) use an operating system where executability is set by a filesystem flag and not an extension.
- The simple act of clicking on this image anywhere in your filesystem will cause the arbitrary code to be executed.
- Firefox, while being a more secure browser than Internet Explorer, isn't going to do any bit of good for an image that may already be on your computer as we speak.
- This exploit isn't limited to the WMF extension; any file with Windows Meta information is subject to the insertion attack, which includes all image formats and a lot of document formats (Word).

The fact is, you're being ignorant of the problem instead of trying to be part of the solution, and your post outlines the different various reasons why. The fact is, Microsoft might not even include a fix for this specific bug on the next patch Tuesday. They've been known to forego fixing certain bugs for arbitrary amounts of time. This is fact, not opinion.

Here's to hoping you don't get infected before Microsoft gets a patch out.

Shame on Hemos (5, Insightful)

slavemowgli (585321) | more than 8 years ago | (#14378378)

No flamebait intended, but that's a typical sensationalist misleading Slashdot headline. Noone's advocating "trusted computing" or similar initiatives here; all they're doing is saying "here's an unofficial fix, and we'd like to recommend it even though it *is* unofficial, considering the seriousness of the vulnerability and also considering it was written by a reputable windows expert, namely Ilfak Guilfanov (author of IDA Pro)".

And for that matter, there's no mention of "the Snort rules will hog your router's CPU", either - that's total rubbish, probably made up by the article submitter. And it slipped, too, since the Slashdot "editors" never care to actually edit stories before they publish them.

Shame on you, Hemos!

Shame on your low-IQ, no-humor self (0)

Anonymous Coward | more than 8 years ago | (#14378449)

ISC is advocating the "trust us!" model of computing by posting a patch that we basically have no option but to apply, without posting the source code.

Let me know if there are any other half-assed jokes that you can't understand, I'll try and work them out for you too.

vvj

Re:Shame on Hemos (1)

Jugalator (259273) | more than 8 years ago | (#14378453)

No one's advocating "trusted computing"

"Trustworthy" was what was spoken of though (distinction sometimes used [wikipedia.org] ), but yeah, I thought that looked out of the subject here. I thought that was more of an initiative to add "trust" as in digital signatures, DRM, "Fritz chips", etc., thereby making systems/data "trustworthy" and not having been tampered with (which can also be used to protect media from piracy), not something having to do with this. I may be confused though as it feels like a pretty broad subject.

Re:Shame on Hemos (1)

BushCheney08 (917605) | more than 8 years ago | (#14378473)

I'm guessing you missed the part where the blog entry linked in the summary that advocates the use of this unofficial patch is titled "Trustworthy Computing".

Get the joke, will travel... (4, Informative)

Pac (9516) | more than 8 years ago | (#14378475)

So we have to explain the joke again:
The title comes from the original note in the Handler's Diary [sans.org] . You see, it creates a mental tension between "Trustworthy Computing", the lack of an official patch and ISC's "Please, trust us". It makes some readers smile.

Re:Shame on Hemos (1)

Pinky3 (22411) | more than 8 years ago | (#14378535)

No one's advocating "trusted computing"

The posted slashdot submission uses the headline and the words "trustworthy computing." The article at sans (Handler's Diary) is titled "Trustworthy Computing." The article asks the reader to "Please, trust us."

This is all about trustworthy computing and who is worthy of your trust.

Shame on you for not reading carefully.

Oh, you post on slashdot, never mind.

Re:Shame on Hemos (5, Informative)

Saint Aardvark (159009) | more than 8 years ago | (#14378545)

There should've been a link to this: [sans.org]

There is one important note in regards to ALL published signatures including this one. All these signatures will fail to detect the exploits when the http_inspect preprocessor is enabled with default settings. By default, the flow_depth of the preprocessor is 300 which is too short to cover the whole exploit. Should the exploit be transmitted on port 80 and http_inspect is enabled, no alert will occur. Note that it will still alert on any ports (using the all port sig below) that are not configured in http_inspect (i.e. FTP).

One solution is to add the statement "flow_depth 0" to the http_inspect preprocessor (actually the appropriate http_inspect_server line in the config). This will tell the preprocessor not to truncate the reassembled pseudo-packet, but it will have an adverse impact on performance. On busy networks, this will lead to 100% CPU utilization of the Snort process and major packet drops.

And you should've checked before saying it was all made up.
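As an added illustration (not taken from the ISC diary or the comment above), here is a snort.conf fragment that puts the default http_inspect_server line next to one with flow_depth 0, as the quoted note describes; the port list and the `profile all` keyword are assumptions about the local setup, not something the diary states.

```conf
# Global http_inspect settings (Snort 2.x syntax); unicode.map path is an assumed local value.
preprocessor http_inspect: global iis_unicode_map unicode.map 1252

# Default-style server line: flow_depth is left at its default of 300 bytes, so only the
# first 300 bytes of each reassembled server response are handed to the detection engine.
# Any content match that lands beyond that offset in a port 80 response is never seen.
# preprocessor http_inspect_server: server default profile all ports { 80 8080 }

# Corrected line: flow_depth 0 tells the preprocessor not to truncate the reassembled
# pseudo-packet, so the whole response body is inspected on the listed ports.
# Trade-off noted in the diary: on busy links this can push the Snort process to 100% CPU
# and cause packet drops, so watch snort's drop statistics after enabling it.
preprocessor http_inspect_server: server default profile all ports { 80 8080 } flow_depth 0
```

Ports not listed in the http_inspect_server line are unaffected by flow_depth, which is why the note says the all-port signature still fires on, for example, FTP traffic.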

Hah (1)

Jugalator (259273) | more than 8 years ago | (#14378379)

Not really a whole lot of choice about this one.

OK, that just makes it too easy.

*awaits avalanche of "Linux is the cure"-style replies*

Which, of course, is correct, as it's not affected by this, but not suitable more than as a worn joke, as many organizations can't make the switch easily either for lack of own competence, will to hire those who have, lacking software compatibility and/or counterparts, etc.

Trust not the issue... (1)

pla (258480) | more than 8 years ago | (#14378381)

They want you to trust that the unofficial patch for the Windows Metafile Volunerability that is currently being exploited by an IM worm.

The problem there (aside from the FP's atrocious grammar) comes from how the "unofficial" patch will interact with MS's eventual real fix.

I certainly don't consider myself a Microsoft apologist, but I KNOW that anyone who installs this patch, then discovers some bizarre (potentially very serious) problem from Microsoft's solution, will bitch loudly that Microsoft should have taken the interim fix into consideration. These same people currently bitch that Microsoft should throw caution to the wind and issue a fix ASAP, out of their normal patch cycle and without adequate testing.


Personally, I don't see the problem with temporarily unregistering the affected DLL... I NEVER view thumbnails through explorer (slows it down beyond belief), and MS's built-in image viewing/printing software lacks even the basic editing capabilities necessary to print "grandma" rather than "a grandma-like dark smear, 27 unknown people, and 90% sky".

Re:Trust not the issue... (1)

coolGuyZak (844482) | more than 8 years ago | (#14378503)

They want you to trust that the unofficial patch for the Windows Metafile Volunerability that is currently being exploited by an IM worm.

The problem there (aside from the FP's atrocious grammar) comes from how the "unofficial" patch will interact with MS's eventual real fix.

And let's not forget that "vulnerability" is misspelled. ;)

Re:Trust not the issue... (1)

Rufty (37223) | more than 8 years ago | (#14378544)

If a security guard firm refused to alter their "normal patrol cycle" to deal with an in-progress intrusion, would they get the next contract???

Talking of 'Trustworthy Computing' (3, Funny)

peterpi (585134) | more than 8 years ago | (#14378385)

I love the way the story starts 'Anonymous Coward writes', with an email address link to the author.

Trusted Computing? I think not! (2, Interesting)

Anonymous Coward | more than 8 years ago | (#14378386)

I wouldn't call what they are offering as trusted computing. They are not the manufacturers of the OS, so whatever they are offering is NOT trusted computing.

Since it's a typical binary patch you have to trust them that this patch won't hose your system or make you pwned by these or other folks.

As a long time Linux user, I find this situation appalling. If I were stuck using a Windows box I would be pissed off by this. Look, when I want to upgrade my box, I just do an apt-get update; followed by either apt-get dist-upgrade or use synaptic. I know my sources (I select them myself), I know that the reality checks exist (gpg keys, outside sources verifying the software, etc.). I know I'm not getting hosed when I install software from my usual Debian repositories.

Do any of you Windows folks know these security folks? Do you have any reality checks that you can apply against this binary patch? What control do you think you have of your operating system?

I guess if you haven't been a Linux user for a long time you might not understand the depth of how bad your security model is when you're stuck with Windows.

--Johnny

Re:Trusted Computing? I think not! (1)

tsvk (624784) | more than 8 years ago | (#14378548)

I wouldn't call what they are offering as trusted computing. They are not the manufacturers of the OS, so whatever they are offering is NOT trusted computing.

"Trustworthy" was here used only as a saying. As in "Please, trust us". Please read the ISC diary entry [sans.org] .

Since it's a typical binary patch you have to trust them that this patch won't hose your system or make you pwned by these or other folks.

The patch is distributed [hexblog.com] by Ilfak Guilfanov [datarescue.com] , who develops the IDA Pro Disassembler and Debugger [datarescue.com] . The WMF fix installation package includes source code for the DLL it installs.

Look, when I want to upgrade my box, I just do an apt-get update; followed by either apt-get dist-upgrade or use synaptic. I know my sources (I select them myself), I know that the reality checks exist (gpg keys, outside sources verifying the software, etc.). I know I'm not getting hosed when I install software from my usual Debian repositories.

Sure, you use apt-get update when your OS vendor has released a fix. But what do you do when no official fix is yet available, as the situation is now for Windows users?

Re:Trusted Computing? I think not! (1)

Svippy (876087) | more than 8 years ago | (#14378551)

I assume the issue comes from the method Microsoft wants to distribute their systems. If they allowed "unofficial" people to create "updates" for their system, then they would have to release source code which could get leaked. Microsoft would not risk that.

And then of course, Windows is probably the worst structured OS that exists.

What unofficial patch? (0)

Anonymous Coward | more than 8 years ago | (#14378389)

I read that notice over and over and the best I could find was

The very best response that our collective wisdom can create is contained in this advice - unregister shimgvw.dll and use the unofficial patch. You need to trust us.

Trust you? You can't even put the "unofficial" patch there on the page, or write the one-liner needed to unregister the dll (I know it, but the corporate types you want to try and convince of this don't). Where can you get the unofficial patch?

o.O (5, Funny)

xx_toran_xx (936474) | more than 8 years ago | (#14378398)

They want you to trust that the unofficial patch for the Windows Metafile Volunerability that is currently being exploited by an IM worm.

OK, tell me how that sentence is supposed to make sense. Come on :|.

Re:o.O (1)

repruhsent (672799) | more than 8 years ago | (#14378464)

I was thinking exactly the same thing. At first I thought it was because I haven't read a book (non-technical) in a very long time and my reading skills are suffering or that I'm becoming dyslexic, but it's nice to see that someone else around here has difficulties with the lack of editing on this site.

Re:o.O (1)

eluusive (642298) | more than 8 years ago | (#14378508)

I think the slashdot editors pick out the worst submissions for any given topic and post those -- just for fun. Now Josh Hudson looks like a fool in front of everyone on slashdot. Mwahaha..

Migrate to Linux, not Vista Migrate to Linux (0)

Anonymous Coward | more than 8 years ago | (#14378402)

Migrate to Linux.

Our company did last year, the city of Vienna did as well as many other companies and organizations, it should work out very nicely for you too. Our former XP users love KDE.

No need to put yourself through pains when you can improve security, save money and achieve some level of vendor independence all at the same time.

Re: Migrate to Linux, not Vista Migrate to Linux (1)

kuzb (724081) | more than 8 years ago | (#14378433)

They loved it so much you posted anonymously, in your room, with the lights out, under a blanket?

Is Trustworthy Computing same as this? (1)

pioni (694427) | more than 8 years ago | (#14378441)

http://www.lafkon.net/tc/ [lafkon.net]

If it is, I can live without it.

Why do folks still use Windows? (1, Insightful)

putko (753330) | more than 8 years ago | (#14378442)

What is the calculation that Windows users -- esp. businesses -- make that allows them to keep on using Windows?

When I had to pick an OS, I did research and picked one that I felt was secure enough for my needs. Windows didn't make my cut.

Somehow the Windows folks keep on choosing to use Windows, even though after the WMF exploit is history, they'll just be waiting for yet another "shoe to drop".

I understand that legacy apps/data formats get you locked-in to Windows, but doesn't "remote exploit" concern you enough to make you think "must switch!"?

you must be a genius (1)

js3 (319268) | more than 8 years ago | (#14378480)

because the os you pick will have no exploits ever

Re:Why do folks still use Windows? (1)

TrueBuckeye (675537) | more than 8 years ago | (#14378522)

For one thing, it is a significant investment for a company like mine (medium size, about 1200 systems, 100 servers) to make a move like that. Current enterprise software runs in the millions of dollars for us, so to do a complete switchover would be unbelievably expensive.

Then you have to hire/retrain all of the support staff (currently about 25 of us).

Then you have to retrain all 1200 end users.

Somewhere in there you have to find solutions to fill the roles that you currently use such as tablet computers with broadband wireless access for certain users.

All in all it is very easy for Linux idealists to sit back in their chair and preach about the evils of Microsoft (which I don't necessarily disagree with) and call any company using Windows a bunch of idiots, but that sort of migration would probably cost a company like mine tens of millions of dollars and months, if not years, of headaches.

Not really an "IM Worm".... (1)

Paperghost (942699) | more than 8 years ago | (#14378491)

...because the IM side of things had a limited spread in the Netherlands. The main jump off for this thing was rotating banner ads (along with about six billion pics on Myspace by this stage of the game)..

I trust the patch, the source is included (1)

ei4anb (625481) | more than 8 years ago | (#14378497)

I have read the source and compiled it before installing, of course I trust it ;-)

Corporate? Try college. (4, Insightful)

mendaliv (898932) | more than 8 years ago | (#14378499)

Think users are bad in the corporate sector? Wait until everyone gets back to the college dorms after winter break with their completely unpatched computers. And all the people who have new computers that they got over the holidays. It wouldn't matter if Microsoft had patched it last week, I guarantee that the student users who need it won't have it.

Speaking as a poor sap who has to fix these computers, I have one thing to say: "Thanks for the easy money". And a heads up to all you dorm technicians, get ready to start burning virus CDs.

In English please... (1, Insightful)

samj (115984) | more than 8 years ago | (#14378527)

WTF are you trying to say:

"They want you to trust that the unofficial patch for the Windows Metafile Volunerability that is currently being exploited by an IM worm."

Possibly the worst story ever.

Treacherous Computing (1)

Dogmeat83 (891431) | more than 8 years ago | (#14378532)

Don't be deceived by the headline! To see how ugly this beast really is, take a look at Ross Anderson's excellent TC FAQ http://www.cl.cam.ac.uk/~rja14/tcpa-faq.html [cam.ac.uk] . It's the best investment you can make (20 minutes) to get informed on computer ethics, and now is the time to be informed.