
Businesses Urged To Use Unofficial Windows Patch

Zonk posted more than 8 years ago | from the quick-quick dept.

Worms 374

frankie writes "ZDNet is reporting on the latest dire pronouncements about the WMF vulnerability. The problem is so serious that security experts are urging IT firms to use the unofficial patch. Microsoft's current goal is to release the update on Tuesday." From the ZDNet article: "This is a very unusual situation -- we've never done this before. We trust Ilfak, and we know his patch works. We've confirmed the binary does what the source code said it does. We've installed the patch on 500 F-Secure computers, and have recommended all of our customers do the same. The businesses who have installed the patch have said it's highly successful" It's big enough that even mainstream media is covering the flaw.

374 comments

Does MS view this as important? (4, Interesting)

JonN (895435) | more than 8 years ago | (#14386579)

So if this vulnerability is high on the seriousness level, is anyone else wondering the same thing as I am; How and why is it that Microsoft is days behind a third party in releasing a security patch? I mean this is hitting mainstream media, and Microsoft's security patch response team is being bested by some 'guy'?

It brings interesting schemes into my mind. Oh don't mind me, I'm just going to grab my tin foil hat.

Re:Does MS view this as important? (4, Interesting)

travisco_nabisco (817002) | more than 8 years ago | (#14386604)

It looks like Microsoft is allowing its user community to patch problems before it can. Oh no!! That sounds a lot like how the Linux community works. Is this going to be a more common occurrence as time goes on?

Re:Does MS view this as important? (4, Funny)

croddy (659025) | more than 8 years ago | (#14386612)

This'd be a hell of a lot easier if they'd just give over the source code already.

Re:Does MS view this as important? (1, Insightful)

thc69 (98798) | more than 8 years ago | (#14386800)

Even better: The writer of the patch should enforce a copyright on the code and binary, and patent the idea...then demand Windows be open-sourced as payment.

Maybe not. I wouldn't want the guy to have his whole neighborhood bought by a pissed off Bill Gates and turned into a toxic waste dump...a mere pittance spent by Bill on a stunt like that would ruin the patch-writer financially if he owns his home.

Re:Does MS view this as important? (5, Insightful)

pete-classic (75983) | more than 8 years ago | (#14386804)

There is a quid pro quo in the "Linux community". Yes, J. Random Hacker is encouraged (and really expected) to patch Linux flaws. But he receives a Free system with source code in exchange.

It doesn't sit well with me to see Microsoft eat their cake and have it too.

-Peter

Re:Does MS view this as important? (2, Insightful)

WebCrapper (667046) | more than 8 years ago | (#14386626)

This has always been a problem with MSFT. They are usually several weeks or months behind on security bugs. I guess their new Security push is bringing it down to 1 week - or thereabouts...

MS has to test very extensively (5, Interesting)

PIPBoy3000 (619296) | more than 8 years ago | (#14386630)

If you're curious as to what all they do, you can take a look here [eweek.com] . A sample quote from the article:

In some cases, particularly when the Internet Explorer browser is involved, the testing process "becomes a significant undertaking," Toulouse said. "It's not easy to test an IE update. There are six or seven supported versions and then we're dealing with all the different languages. Our commitment is to protect all customers in all languages on all supported products at the same time, so it becomes a huge undertaking."

The issue was actually a feature... (5, Informative)

antdude (79039) | more than 8 years ago | (#14386823)

According to this F-Secure's Web log [f-secure.com] , it tells what is going wrong with the Windows Metafiles (WMF) vulnerability. It turns out this is not really a bug, it's just a bad design from another era. When Windows Metafiles were designed in late 1980s, a feature was included that allowed the image files to contain actual code. This code would be executed via a callback in special situations. This was not a bug; this was something which was needed at the time. The feature now in the limelight is known as the Escape() function and especially the SetAbortProc subfunction, and has been around since Windows 3.0, shipped in 1990...

Seen on Digg [digg.com] . This Broadband Reports' security forum thread [broadbandreports.com] mentioned this as well.

Copied and pasted from my AQFL Web site [aqfl.net] .

MOD PARENT UP (1)

Luscious868 (679143) | more than 8 years ago | (#14386893)

A very interesting post indeed.

Re:MS has to test very extensively (4, Funny)

greysky (136732) | more than 8 years ago | (#14386914)

Our commitment is to protect all customers in all languages on all supported products at the same time, so it becomes a huge undertaking.

So in other words, we won't release a cure for cancer until we have cures for all other diseases as well.

Add the unofficial patch to the test matrix... (4, Insightful)

Chief Typist (110285) | more than 8 years ago | (#14386928)

This puts MSFT in an interesting position -- their official patch has to be tested on systems with the unofficial patch. Otherwise there's a possibility that the unofficial patch will break something in the official patch (or vice versa.)

With the unofficial patch already deployed on thousands (millions?) of machines, it would be a big deal if something went wrong.

God, I'd hate to be in Redmond right now...

-ch

Re:Add the unofficial patch to the test matrix... (0)

Anonymous Coward | more than 8 years ago | (#14386975)

The unofficial Patch doesn't do anything but install itself in registry and autoloads itself on boot. By deleting one registry key, MS could uninstall the unofficial patch and then install their official patch. Second to none testing required.

Bullshit. (5, Insightful)

Anonymous Coward | more than 8 years ago | (#14386942)

Testing?

Even if it means, in contravention of best security practice and all possible "trustworthy computing", knowingly delaying an urgent, critical fix (which would be less troublesome than the first Shatter fix which was pushed out, and only disable a single GDI function that frankly hasn't been used since Windows 3.1 and should never have been used in the first place) for a publicly-disclosed, unpatched vulnerability that had been discovered from a 0day exploit, for an indefinite amount of time over a public holiday period while the vulnerability is being "tested"?

When there's realistically no possible way the different L10n's of Windows would affect the GDI32 core because it contains almost no l10n strings anyway, and the vulnerability is in fact a purposely-designed, never-used legacy "feature" that should definitely have been removed in Windows NT or during the Windows 2000 GDI rewrites, or noticed, say, during last month's GDI audit?

Despite Microsoft promising that the introduction of the Patch Tuesday would not preclude emergency fixes being issued out-of-cycle and as soon as possible for, ooh, say, critical core Windows vulnerabilities with an enormous number of possible vectors of infection, no effective mitigation and wide, dangerous exploits in the wild with a number of vulnerable machines easily capable of providing an ample breeding ground for supporting wide botnets or enormous worm infections?

Which is exactly what has happened, as Windows has, frankly, just faced the worst single vulnerability in its entire history?*

What the fuck are they doing, deliberately trying to breed another big internet worm?

Sorry, but I'm calling bullshit. I'm a security researcher, and I'm really quite angry at Microsoft's piss-poor handling of this. They couldn't have done much worse if they'd heard about the bug and then have let MSRC take Christmas off anyway.

This was not business as usual. This was an exceptional event (true 0days are actually quite rare to discover in the wild). It could not, and should not, have waited until the next patch cycle. This is exactly the kind of situation upon which a speedy mitigation - hours to days, but definitely not weeks - is absolutely critical, and we should demand that. They should AT LEAST have provided the (untested) hotfix themselves within a day, and pushed it out to Automatic Updates and Windows Update/Microsoft Update within the week after first discovery in the wild - not unrealistic goals for a vendor who wishes to paint themselves as "trustworthy".

They should be brought to task on this one. Behaviour like this is what created the full-disclosure movement in the first place.

* Yes, I'm going to say this one's actually worse than the various active remote vulnerabilities we've had over the years, like the UPnP vuln or the numerous RPC-related vulns. Those, you could at least block with a firewall. This, it's single-payload, multi-vector. It's got plenty of room to drop anything, it's capable of highly metamorphic exploit streams, can be fed online or offline, even spread on media, anything from email to a web page to a simple read-only directory listing or right-click, or uploaded to a site or blog, god help you, rendered inside MSN... the number of potential vectors is so numerous and troublesome it even makes analysis difficult; Windows disregarding filenames and extensions and MIME types and using magic sniffing instead, so you can't even block it effectively using a content-inspecting IDS - that's just the icing on the cake. This is a classic vulnerability, a real ticking Christmas present, a true textbook candidate.

Re:Does MS view this as important? (4, Insightful)

bagboy (630125) | more than 8 years ago | (#14386631)

Keep in mind that MSFT's team must ensure compatibility with hundreds of programs before implementing patches. An independent developer who comes up with a patch doesn't. My 2 cents.

Re:Does MS view this as important? (4, Informative)

Ucklak (755284) | more than 8 years ago | (#14386691)

I wouldn't call it hundreds.
Even so, it's probably just a few code libraries to check against as I doubt they check against each and every title listed here:
http://support.microsoft.com/gp/lifeselect [microsoft.com]

Probably their main concern is the Enterprise level support they have to comply with and NOT rush a patch out.

Re:Does MS view this as important? (2, Interesting)

PinternetGroper (595689) | more than 8 years ago | (#14386632)

I would rather wait a few days to ensure this patch doesn't break anything else than receive a MS fix now that causes more headaches than it fixes. I've been down that road way too often. I would image they are making sure everything is working the way it is supposed to before releasing it...

Re:Does MS view this as important? (2, Funny)

Tim Browse (9263) | more than 8 years ago | (#14386787)

I would image they are making sure everything is working the way it is supposed to before releasing it...

Gah! Too late! You've been hit by the WMF image virus already!

Re:Does MS view this as important? (5, Funny)

chrish (4714) | more than 8 years ago | (#14386639)

Presumably they do some sort of testing with their patches before they release...

Re:Does MS view this as important? (2, Insightful)

winkydink (650484) | more than 8 years ago | (#14386640)

What's the liability for the 3rd party if their patch screws something up in a bad way? Zippo. That's (part of) the reason why it takes longer to put out an "official" patch.

Re:Does MS view this as important? (5, Insightful)

digidave (259925) | more than 8 years ago | (#14386673)

"What's the liability for the 3rd party if their patch screws something up in a bad way? Zippo. That's (part of) the reason why it takes longer to put out an "official" patch."

What's the liability if MS screws up a patch? They do it all the time, but I don't hear anything about them being sued or compensating businesses they've hurt.

Re:Does MS view this as important? (0)

Anonymous Coward | more than 8 years ago | (#14386676)

Read your license. Do you know what Microsoft's liability is if Windows buggers up your system? Zippo. At least until someone takes them to court and has the license invalidated.

Re:Does MS view this as important? (5, Insightful)

aquabat (724032) | more than 8 years ago | (#14386686)

That would be the same as the liability that Microsoft would have if its patch screwed something up, right? Zippo in either case. RTFEULA.

Liability is not always monetary. (1, Insightful)

winkydink (650484) | more than 8 years ago | (#14386696)

Loss of goodwill. Not all liability is monetary, smarty-pants.

Re:Liability is not always monetary. (2, Insightful)

DAldredge (2353) | more than 8 years ago | (#14386740)

Delaying the patch till the 10th doesn't exactly help them in the goodwill dept...

Re:Liability is not always monetary. (-1, Flamebait)

Anonymous Coward | more than 8 years ago | (#14386772)

And "goodwill" is just a made up accounting gimmick. It means zippo too. Dumbass.

Re:Liability is not always monetary. (2, Informative)

aquabat (724032) | more than 8 years ago | (#14386774)

Fair enough, I guess. I had assumed you meant legal liability. If you exclude legal liability, then it looks like the author of the unofficial patch is equally as liable as Microsoft would be.

Re:Does MS view this as important? (1)

Le Marteau (206396) | more than 8 years ago | (#14386658)

How and why is it that Microsoft is days behind a third party in releasing a security patch?

Um, maybe because that 'third party' is just one guy working alone, with no one to answer to, and no multi-billion dollar bureaucracy to navigate through. Just a guess.

Re:Does MS view this as important? (1)

vijaya_chandra (618284) | more than 8 years ago | (#14386685)

Quite possible that the 3rd party patch doesn't fix *the* real problem (or all the problems)
It's also possible that MS has found something else also in the same code that can leave them in an embarrassing situation in another week (This I guess is the 2nd issue with the wmf handling in 3 months) if they release just a hurried patch resolving only the problem we're seeing now. But whether or not they should be delaying it at the risk of letting customers face trouble (and gain bad publicity) is, I hope, given good thought inside MS

Re:Does MS view this as important? (2, Informative)

whitehatlurker (867714) | more than 8 years ago | (#14386689)

They try to address some of this in the official advisory [microsoft.com] . (Paraphrased below)

What about 3rd party solutions?
Wait. MS'll patch it next week. We'll do it in 23 languages and thoroughly test it.

Why is it taking so long?
Our team of "designated product specific security experts" look at the problem, figure out how big it is, then how to fix, then fix it, then test the fix, then port it to all the affected platforms and languages.

Seriously? (1)

ThePyro (645161) | more than 8 years ago | (#14386707)

The answer to your question should be fairly obvious to anyone who has worked for a software development company: quality assurance. Windows is an extremely large and complicated piece of software. Any changes must go through a rigorous testing process, probably using dozens if not hundreds of configurations. Otherwise, Microsoft risks releasing a patch which breaks a few thousand servers/desktops and brings their customers' businesses to a grinding halt.

"Oops, sorry about that. We forgot to test the patch with that configuration."

Microsoft's primary responsibility here is to make sure that they don't inadvertently break something. Fixing the security vulnerability is a distant second.

Third parties, on the other hand, don't have to do any testing at all. If you really need a patch NOW then you are welcome to use their stuff, but you can be sure that it has not been put through anything close to the testing that Microsoft would perform. There's no guarantee that it'll work for you.

Re:Seriously? (1)

Fishstick (150821) | more than 8 years ago | (#14386886)

Wonder too how much their job is complicated by the fact that there is this non-ms patch out there? I mean, in addition to all the testing that they have to do on something like this, do they have to worry about configurations where this other patch is already applied? (or will it just override the other?)

The problem is it's a GDI exploit (5, Insightful)

Sycraft-fu (314770) | more than 8 years ago | (#14386733)

The actual root of the problem is in the GDI, which is what handles all basic interface display for Windows. The unofficial patch just disables the call that the exploit uses. Ok, fair enough, but that's a hack, not a fix. That means that anything that legitimately uses that call won't work, and the underlying problem is still there.

Well, testing a fix for a system component like that takes time, especially since it affects a ton of versions.

Now you might ask, why not release a hack fix, and then do a proper patch later? Well as it stands, it's hard enough to get people to update their systems. We fight with it all the time with people here at work. They turn auto updates off since they run simulations at night and don't want it rebooting (even though patch day is known ahead of time) and then never manually patch since they "can't be bothered".

Well, if MS released a patch that broke things, that just makes that many more people stop patching. Remember all the whining and bitching about SP2. There were very few systems that had problems with it, and most that did were spywared to hell, but still there are tons of people that refuse to install it for fear that "it'll break my computer".

Thus the official patch takes time, as they have to test and make sure that the problem really is fixed, and no new problems were created with the fix. Regression testing isn't quick.

Of course M$ views this as important . . . (1)

mmell (832646) | more than 8 years ago | (#14386796)

You can't buy publicity like this!

Re:Does MS view this as important? (1)

HavokDevNull (99801) | more than 8 years ago | (#14386835)

interesting schemes into my mind

Interesting Schemes = Microsoft's Trusted Computing, how trusting do you feel towards Microsoft now?

Now excuse me while I take off my tin foil hat and place my head in the microwave set on high for 10 mins, so I can understand the Corp. BS that's going to come flying through the fan from MS's PR dept.

Re:Does MS view this as important? (0)

danielk1982 (868580) | more than 8 years ago | (#14386907)

If this was Linux, zealots would be praising the quick community response =)

Where can I get it? (-1, Offtopic)

rodgster (671476) | more than 8 years ago | (#14386586)

I run x86 Fedora.

Re:Where can I get it? (0)

Anonymous Coward | more than 8 years ago | (#14386616)

Right here [debian.org]
No need to thank me :D

Re:Where can I get it? (-1, Offtopic)

Anonymous Coward | more than 8 years ago | (#14386693)

Great! I was looking for an inherently outdated OS!

block wmf (2, Interesting)

pizzaman100 (588500) | more than 8 years ago | (#14386620)

Why not just block wmf files at your corporate site? That would be easier than applying an unofficial patch on all the systems, and then having to roll it back when the official MS patch comes out.

Re:block wmf (1)

Ashinberry (622188) | more than 8 years ago | (#14386645)

Because the snort rule necessary to detect it pegs your IDS machine's CPU at 100%.

Re:block wmf (1, Informative)

Anonymous Coward | more than 8 years ago | (#14386647)

yeah, works with websites. but not with email, or files that are already stored on your system. even indexing a malicious file on your pc via google desktop or similar programs infects you. for more info see the FAQ at http://isc.sans.org/ [sans.org]

Re:block wmf (0)

Anonymous Coward | more than 8 years ago | (#14386654)

I thought that the exploit still worked even if you changed the file name to .gif or others?

Re:block wmf (5, Informative)

NinePenny (856053) | more than 8 years ago | (#14386655)

It's not just the extension that dictates that it's a WMF... Windows in its infinite wisdom also looks at the header bytes of the file and says "ohh! that's a WMF!" Execute! I'm in a damned hurry, hopefully I stated that correctly...ymmv

Re:block wmf (4, Insightful)

Zathrus (232140) | more than 8 years ago | (#14386895)

It's not just the extension that dictates that it's a WMF... Windows in its infinite wisdom also looks at the header bytes of the file and says "ohh! that's a WMF!"

So, in other words, it does exactly the same thing Unix does for every single executable file.

Do a man magic if you don't know what I'm talking about, and/or look into why scripts have that #! as the very first two bytes in order to work automatically.

Windows has gotten bashed for years for relying on file extensions. Here they don't and they get bashed more! Ok, yeah, it's yet another example of deviation from expected behavior, but complain about that, not that they're finally trying to be smarter about files. Hell, most programs will now ignore file extensions and look at the file header -- it's hardly a MS only behavior.

That said, MS's slackness on this issue is ridiculous. Yes, I know that they have to test a patch in a very large test environment to make sure nothing goes "boom", but in this case they would better serve their customers by simply disabling WMF support entirely until they can properly patch things. WMF is not a widely used format -- in the very few cases where it's actually being used you could simply not patch the computer and take appropriate actions to isolate that system. It would be a hell of a lot better than the current situation, especially given how nasty and widespread this exploit is.

Re:block wmf (1, Funny)

Sebastopol (189276) | more than 8 years ago | (#14386963)


Then: Microsoft sucks because they use file extensions!

Now: Microsoft sucks because they don't use file extensions!

Re:block wmf (1)

gregfortune (313889) | more than 8 years ago | (#14386662)

Because you can't simply match .wmf. It has to be a content match and is very cpu intensive

Re:block wmf (2, Informative)

Hunter-Killer (144296) | more than 8 years ago | (#14386663)

A filter would be pretty easy to bypass, either by sending the wmf in a compressed file; or by renaming the extension.

One could simply block all images, but your boss might be a little miffed when he can't conduct "Internet research".

Re:block wmf (0)

Anonymous Coward | more than 8 years ago | (#14386664)

Because a WMF file can end in a different extension, like .jpg or .gif. Windows recognises it as a WMF based on the internal structure of the file.

MOD DOWN! (-1, Redundant)

jonnythan (79727) | more than 8 years ago | (#14386667)

Because that doesn't work.

Please mod this down.

Re:block wmf (3, Informative)

Raato (36080) | more than 8 years ago | (#14386671)

How do you intend to block them? Block anything with extension .wmf? Isn't enough as the file will be identified and handled as wmf, no matter what the extension is.

From http://isc.sans.org/diary.php?storyid=994/ [sans.org] you can find that "WMF files are recognized by a special header and the extension is not needed. The files could arrive using any extension, or embedded in Word or other documents."

Re:block wmf (2, Insightful)

LiquidCoooled (634315) | more than 8 years ago | (#14386672)

Because Windows in its infinite wisdom looks beyond the filename and looks at the contents of the file, allowing the following:

I save a hacked WMF on the webserver as HeaderPicture.jpg and link it into the webpage with an img tag it will be downloaded as a jpg file, and only then once it gets to my computer does it get handled using the internal WMF code.

It would be easy to block WMF files on the border, but as you can see, not every WMF identifies itself quite so easily.

To block it on the firewall, the IDS will require file content scanning which if I remember rightly would strain the poor processors and hold up all the other good traffic.

That's what I heard about it all anyway, ymmv
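The replies above explain why an extension filter misses a WMF served as `HeaderPicture.jpg` and why the check has to read file content. The following is an added example, not part of the thread: a minimal header-based identifier that also walks the record list for the Escape()/SetAbortProc record mentioned elsewhere in the discussion. The numeric constants are taken from the published WMF file format rather than from this page, the function names are hypothetical, and the sample bytes are constructed (header and records only, no payload).

```python
import os
import struct

# Constants from the published WMF format (assumptions, not stated on the page).
PLACEABLE_KEY = 0x9AC6CDD7   # optional 22-byte "placeable" preamble
META_ESCAPE = 0x0626         # record function that carries an Escape() call
SETABORTPROC = 0x0009        # Escape subfunction named in the thread
HEADER_LEN = 18              # standard header: 9 sixteen-bit words


def wmf_header_offset(data):
    """Return the offset of the standard WMF header, or None if not WMF."""
    off = 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22  # skip the placeable preamble
    if len(data) < off + HEADER_LEN:
        return None
    ftype, hdr_words, version = struct.unpack_from("<HHH", data, off)
    if ftype in (1, 2) and hdr_words == 9 and version in (0x0100, 0x0300):
        return off
    return None


def find_setabortproc(data):
    """Walk the records; return offsets of META_ESCAPE/SETABORTPROC records."""
    off = wmf_header_offset(data)
    if off is None:
        return []
    hits = []
    pos = off + HEADER_LEN
    while pos + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, pos)
        if size_words < 3 or func == 0:   # malformed record or end-of-file record
            break
        if func == META_ESCAPE and pos + 8 <= len(data):
            if struct.unpack_from("<H", data, pos + 6)[0] == SETABORTPROC:
                hits.append(pos)
        pos += size_words * 2             # record size is counted in 16-bit words
    return hits


def inspect(name, data):
    """Report what the name claims versus what the content is."""
    return {
        "extension": os.path.splitext(name)[1].lower(),
        "is_wmf": wmf_header_offset(data) is not None,
        "setabortproc_offsets": find_setabortproc(data),
    }


# --- Constructed sample data (no payload bytes) ---
def _header(total_words, max_record_words):
    return struct.pack("<HHHIHIH", 1, 9, 0x0300, total_words, 0, max_record_words, 0)

EOF_RECORD = struct.pack("<IH", 3, 0)
# META_ESCAPE record: size 5 words, function, subfunction, ByteCount = 0
ESCAPE_RECORD = struct.pack("<IHHH", 5, META_ESCAPE, SETABORTPROC, 0)

PLAIN_WMF = _header(12, 3) + EOF_RECORD
ESCAPE_WMF = _header(17, 5) + ESCAPE_RECORD + EOF_RECORD
# Placeable preamble: key, handle, bounding box, units per inch, reserved, checksum
# (the checksum is left at 0 and is not validated by this example).
PLACEABLE = struct.pack("<IHhhhhHIH", PLACEABLE_KEY, 0, 0, 0, 100, 100, 1440, 0, 0)
PLACEABLE_ESCAPE_WMF = PLACEABLE + ESCAPE_WMF
FAKE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 32

if __name__ == "__main__":
    for name, blob in [
        ("HeaderPicture.jpg", ESCAPE_WMF),
        ("chart.wmf", PLAIN_WMF),
        ("logo.gif", PLACEABLE_ESCAPE_WMF),
        ("photo.jpg", FAKE_JPEG),
    ]:
        print(name, inspect(name, blob))
```

The header test alone reads a few bytes per file; the record walk is the part that has to touch the whole file, which is the cost the IDS comments above are describing.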

I do! (-1, Troll)

Anonymous Coward | more than 8 years ago | (#14386677)

I don't allow What the Mother Fucker!

Why not? (2, Insightful)

engagebot (941678) | more than 8 years ago | (#14386625)

Why not have other people make the patches for you? For one, it works, and second, they didn't pay anyone to get it done. Hmm, this sounds familiar...

More details (5, Informative)

anandpur (303114) | more than 8 years ago | (#14386627)

Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution

http://www.securityfocus.com/bid/16074 [securityfocus.com]
http://www.microsoft.com/technet/security/advisory/912840.mspx [microsoft.com]
http://www.symantec.com/avcenter/venc/data/pf/pwsteal.bankash.g.html [symantec.com]

Unofficial Patch (0)

Anonymous Coward | more than 8 years ago | (#14386644)

Where do we apply this patch if we're in a hurry to stop the filthy Windows habit?

So, the real questions is... (-1, Troll)

WindBourne (631190) | more than 8 years ago | (#14386666)

is this a dupe? It seems like anymore posters here are interested in if this is a dupe or if it is a new overlord, than discussing rationally and intelligently on the topic.

BTW, it is not a dupe.

MOD PARENT REDUNDANT (-1, Troll)

Krach42 (227798) | more than 8 years ago | (#14386741)

Not really because it is... it'd just be funny...

(please don't actually do so... then people won't see it)

WooHoo 3rd parties! (2, Insightful)

lilmouse (310335) | more than 8 years ago | (#14386669)

We don't see 3rd parties doing patches for MS problems much :-) They joining the Open Source bandwagon yet?

Ha, so much for such "features" - times have changed...

--LWM

F-Secure are publicity sluts (2, Interesting)

winkydink (650484) | more than 8 years ago | (#14386680)

Not to trivialize the severity of this current problem, but ever notice that regardless of the severity or type of problem/virus/etc... there's always a press release from F-Secure?

Also, the quote in the headline is from F-Secure recommending installation of the 3rd party patch, not from ZDNet as the headline may lead you to believe.

Re:F-Secure are publicity sluts (2, Insightful)

lilmouse (310335) | more than 8 years ago | (#14386716)

They may be, but they have a very good series of releases on the problem - a lot of information. Compare that to other anti-virus, and you don't see much.

No complaints.

--LWM

Re:F-Secure are publicity sluts (1)

Saint Aardvark (159009) | more than 8 years ago | (#14386919)

I agree. I've been getting more, and better, and more frequent, information from F-Secure and the ISC [sans.org] than I have from MS.

Also worthy of note is the ISC's latest comments [sans.org] on all this:

And, somehow, as if by magic, all of this work will wind down at precisely the right moment so that the WMF patch doesn't have to be released "out of cycle." How convenient! Especially if you're wanting to avoid all of that nasty "Microsoft Releases Emergency Patch" publicity.

FTR, I've applied the patch on about 35 computers at work. Beyond a few complaints about thumbnails not working in Explorer any more, no problems at all^W^Wso far.

Re:F-Secure are publicity sluts (1)

MoonChildCY (581211) | more than 8 years ago | (#14386853)

Not to ruin your rant but...

When your job is selling IT Infrastructure security services to corporations, it is required by you to issue a warning to your clients (as well as potential clients). And an announcement on their website, which is a valid communication method, is not merely a press release. It becomes a press release when someone in the press uses it. It is mainly a warning to clients and potential customers.

Besides, where do you expect the incompetent reporters of today to get their information? Reading comments on Slashdot or reports by professional organizations?

If that makes them a publicity slut, I wonder what it makes people that post on Slashdot just so they post something, even if it is irrelevant, not thought out and a plain waste of electrons.

Exploit! (0)

Anonymous Coward | more than 8 years ago | (#14386692)

I went to a site yesterday, and when the page loaded, Windows Image Viewer popped up for a split second, and then the windows logon program (winlogon.exe) keeps trying to access the net...

It's Firefox only until a patch for this comes out.

Re:Exploit! (0)

Anonymous Coward | more than 8 years ago | (#14386763)

You're already owned. A patch is too late, only solution is complete reinstall.

One Gets the Feeling... (3, Insightful)

Nom du Keyboard (633989) | more than 8 years ago | (#14386694)

One gets the feeling that the MS programmer didn't want to come in over the New Year's holiday to work on some piece of legacy code from 1990 that he was handed several years ago when the last programmer whose responsibility it was, was promoted/left for Google. This latest programmer has never looked into this code before this last weekend.

It may not have been anything like this at all, but this is the feeling one gets.

One also wonders about the job security of the MS programmer who didn't get this fix out in a timely manner.

Re:One Gets the Feeling... (1, Troll)

Tankko (911999) | more than 8 years ago | (#14386803)

One gets the feeling that you're the kind of person that comes in on the weekend, slaps out a patch for 100,000,000 machines sends it out with a note saying "works on my machine".

Maybe MS is testing the patch. They do have a large list of alpha testers in the real world that everything is tested through.

Get a clue.

Re:One Gets the Feeling... (3, Insightful)

gowen (141411) | more than 8 years ago | (#14386930)

There's nothing to test.

This is a very small code snippet that prevents the Escape() call with a certain argument. If you allow that, your system is vulnerable; if you don't, it isn't.

There's no way you can preserve the operation of legacy code without preserving the vulnerability, so if your legacy code relies on that behaviour (which is *extremely* unreliable), you're fucked, and there's nothing Microsoft can do to get around it. They're just reticent to bite the bullet.

Re:One Gets the Feeling... (1)

Nom du Keyboard (633989) | more than 8 years ago | (#14386941)

Get a clue.

Excuse me. The hole has been there since 1990. It hasn't been caught by any code or security review since then, despite Mr. Gates' change of direction and push to make security the top Microsoft priority how many years ago now? And it's patched by a third party days ahead of the scheduled Microsoft patch.

Maybe Microsoft -- and you -- should be the ones getting clues.

This is slashdot, wheres the pictures? (5, Funny)

LiquidCoooled (634315) | more than 8 years ago | (#14386703)

Its ok, I found th...!&^!")NO CARRIER

Re:This is slashdot, wheres the pictures? (1)

cryptocom (833376) | more than 8 years ago | (#14386785)

lol
: )

Re:This is slashdot, wheres the pictures? (5, Funny)

TheHawke (237817) | more than 8 years ago | (#14386958)

No Spot! Don't Chew on the power*ZAP!* %^@!NO TERRIER.

Sorry, had to do that. ^.^

The Business Mindset (3, Insightful)

zaliph (939896) | more than 8 years ago | (#14386712)

Businesses are only going to respond to a problem by calling on the person/entity that is supposed to cover it, i.e. the one they're paying, Microsoft, in this case. They're not going to go around installing an independent patch willy-nilly on dozens of computers if it takes another day to get it from Microsoft. Many of these are small businesses without IT departments to advise them one way or the other. The important point here is that by waiting the extra day, a few of them are going to get burned badly and Microsoft will lose much of their trust.

MS workaround (3, Informative)

Telepathetic Man (237975) | more than 8 years ago | (#14386715)

The current official suggestion from MS to limit problems is of course to unregister the related driver, shimgvw.dll.

Whoa, that's really bizarre (5, Interesting)

frankie (91710) | more than 8 years ago | (#14386718)

This article isn't anything like the one that I submitted.

  • 2006-01-03 17:15:05 No Microsoft WMF update until next week (Index,Windows) (accepted)

Mine looked more like this (body content from memory):

" The usual suspects [google.com] are reporting Microsoft's latest announcement about the WMF vulnerability (link to previous /. article). To quote (link to MS technet article): "Microsoft's goal is to release the update on Tuesday, January 10, 2006, as part of its monthly release of security bulletins." So do you install the unofficial patch (link to previous /. article), or cross your fingers for a week?"

And Vista will fix all of this, won't it? (2, Insightful)

gelfling (6534) | more than 8 years ago | (#14386726)

Oh sorry, what I meant was Vista will have ever more voracious hardware requirements, 3-D widgets, DRM up the yin yang, 12 different versions so it runs on everything from the computer to the home theater to the microwave oven, bugs crawling out of everywhere from day one and the same broken piece of shit security model wrapped up in corporate hype and buzztalk for only 30% more retail cost than the version of Windows you're running today.

Yeah that's what I meant to say. Sorry.

Re:And Vista will fix all of this, won't it? (1)

meringuoid (568297) | more than 8 years ago | (#14386838)

12 different versions so it runs on everything from the computer to the home theater to the microwave oven

Since we /.ers delight in hearing tales of the successful installation of Linux on any electronic device that will sit still for long enough, perhaps we shouldn't criticise Microsoft for attempting the same with their OS...

What will be especially interesting... (4, Interesting)

Spazntwich (208070) | more than 8 years ago | (#14386744)

will be to compare the Microsoft released patch to the unofficial one.

It would be deliciously muddying for Microsoft if someone discovered significant parts of the unofficial patch in the official one.

Re:What will be especially interesting... (0)

Anonymous Coward | more than 8 years ago | (#14386956)

if the bug is small, there must be only one good solution, with few syntactic variants that are semantically the same, and since this is closed source, the patch has to have a unique binary form

FF users (1, Informative)

naChoZ (61273) | more than 8 years ago | (#14386757)

Tip for Firefox users. Adblock extension, add filter, *.wmf, click Ok...

Re:FF users (0)

Anonymous Coward | more than 8 years ago | (#14386817)

First of all, Firefox seems to ask before opening the file.

Additionally... It doesn't have to be a WMF. Internet Explorer, for example, recognizes it by the header, not the extension...

Not good enough... (3, Informative)

rewt66 (738525) | more than 8 years ago | (#14386939)

Not all WMF files have the .wmf extension. Some may have .bmp, .gif, .jpeg, or about a dozen others.

I saw a list a few minutes ago, but I don't remember where...

Re:FF users (0)

Anonymous Coward | more than 8 years ago | (#14386973)

No no no!

The infected files can have a bmp, png, jpg or various other extensions. If it appears to be an image file of any sort Windows checks if it's a WMF, using the CONTENTS of the file, and treats it accordingly.

This behaviour is probably to deal with all those idiots with websites who rename freely between GIF and JPG, thinking they're changing the format.
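Two points from the comments above can be checked on a file at rest: Windows identifies a metafile by its contents rather than its extension, and the unofficial patch works by refusing one Escape() argument. The following is an added example, not code from the thread or from the patch; it assumes the argument in question is SETABORTPROC (escape function 9) carried in a META_ESCAPE record, and its sample files are constructed here and hold no callback bytes.

```python
import struct

PLACEABLE_KEY = 0x9AC6CDD7  # magic of the optional 22-byte placeable header
META_ESCAPE = 0x26          # low byte of record function 0x0626
SETABORTPROC = 0x0009       # assumed: the escape function the patch refuses
META_EOF = 0x0000

def wmf_header_offset(data):
    """Offset of the 18-byte metafile header if the bytes look like WMF, else None."""
    off = 22 if data[:4] == struct.pack("<I", PLACEABLE_KEY) else 0
    if len(data) < off + 18:
        return None
    ftype, hdr_words, version = struct.unpack_from("<HHH", data, off)
    if ftype in (1, 2) and hdr_words == 9 and version in (0x0100, 0x0300):
        return off
    return None

def find_setabortproc(data):
    """None if not WMF by content; else offsets of Escape/SETABORTPROC records."""
    off = wmf_header_offset(data)
    if off is None:
        return None
    hits, pos = [], off + 18
    while pos + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, pos)
        if size_words < 3 or func == META_EOF:  # malformed record or end of list
            break
        if (func & 0xFF) == META_ESCAPE and pos + 8 <= len(data):
            if struct.unpack_from("<H", data, pos + 6)[0] == SETABORTPROC:
                hits.append(pos)
        pos += size_words * 2  # record size is counted in 16-bit words
    return hits

# Constructed, inert samples: headers and records only, no callback bytes.
def _record(func, params=b""):
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params

def _metafile(*records):
    body = b"".join(records) + _record(META_EOF)
    return struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, 3, 0) + body

SAMPLES = {
    "logo.wmf": _metafile(_record(0x0103, struct.pack("<H", 1))),  # META_SETMAPMODE
    "photo.jpg": _metafile(_record(0x0626, struct.pack("<HH", SETABORTPROC, 0))),
    "real.jpg": b"\xff\xd8\xff\xe0" + bytes(28),  # JPEG magic, not a metafile
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, find_setabortproc(blob))
```

The file named photo.jpg is flagged and logo.wmf is not, which is why a filter on the .wmf extension misses the case that matters. A content check like this is a triage aid for mail or proxy gateways and does not replace patching.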

Patch download sites (2, Informative)

Anonymous Coward | more than 8 years ago | (#14386775)

here [redhat.com] here [netbsd.org] here [suse.com] here and here [freebsd.org]

The Best Patch (1)

Luscious868 (679143) | more than 8 years ago | (#14386932)

The best patch by far is located here [apple.com]

avast (2, Interesting)

game kid (805301) | more than 8 years ago | (#14386782)

One site (maybe one of ebaumsworld's ads, I believe--I won't link there) tried to do something with it. avast! [avast.com] alerted me with its usual "Caution. A virus has been detected" sound and "abort connection" dialog and all of that. Don't know if it succeeded (nothing unusual now, though my browser did show a naughtier site instead that time; I visited a few times again and it showed my intended site as usual, with much less naughtiness)

Oblig. Star Trek (2, Funny)

Wilson_6500 (896824) | more than 8 years ago | (#14386788)

Kirk: Fix the WMF hole!

...

Let me guess: Tuesday?

investigation? (3, Funny)

Fishstick (150821) | more than 8 years ago | (#14386789)

Microsoft (Research) said in a security bulletin on its Web site, "we are working closely with our antivirus partners and aiding law enforcement in its investigation."

Cool - law enforcement is investigating Microsoft? About time!

get a rope!

This really IS as bad as SANS says... (4, Insightful)

nweaver (113078) | more than 8 years ago | (#14386809)

Worse, in fact. There are SEVERAL ways, all well known, which could leverage this exploit to compromise millions of hosts in a matter of hours.

The unofficial patch is 100% necessary. This is BAD folks.

And if the evil people are smart, they'd have a very VERY nasty surprise come Monday, when most people are still not patched and M$ hasn't released the official patch yet.

Amazing new things keep popping up! (1)

fak3r (917687) | more than 8 years ago | (#14386819)

Funny, I talked about this yesterday; how could a graphic cause something so severe? This is a picture [fak3r.com] So now an email, IM, webclick or maybe even a popup could kick off a payload from a graphic? I thought only new things would attack windows rep, as if all the old stuff had been discovered, but now, there's more and more daily!

Re:Amazing new things keep popping up! (1)

fak3r (917687) | more than 8 years ago | (#14386950)

That's the beauty of Micro$oft - the spaghetti code allows for discovery after discovery of bad thinking! This is the best exploit yet, but there will be better ones I'm sure!

Download (5, Informative)

reconn (578681) | more than 8 years ago | (#14386827)

If you want the patch itself, try here:
http://isc.sans.org/diary.php?storyid=1010 [sans.org]

Second time this story came up with no links to the patch.

Watch the video! (1)

fak3r (917687) | more than 8 years ago | (#14386836)

Don't forget to watch the video, I have a link to it at the end of this article: This is a picture [fak3r.com] click on "watch it in action"

Re:Watch the video! - COOL! (0)

Anonymous Coward | more than 8 years ago | (#14386896)

So it installs itself, then an anti-malware app - tells you the original crap is installed but won't uninstall it with the 'trial version' so it sends you to a website and makes you pony up 39.95$ to have it clean your machine! Only in America! Thanks for the video Fak3r.

Re:Watch the video! - COOL! (2, Interesting)

fak3r (917687) | more than 8 years ago | (#14386967)

No problem, always happy to share, but WTF? Can't they call the company whose malware remover gets installed? Why can't they ask them some questions or lean on them to uncover the originator of this scam?

I read MS's Press release.... (2, Insightful)

Xserv (909355) | more than 8 years ago | (#14386850)

Read the Microsoft Security Article [microsoft.com] about it. It's basically a bunch of crap but they are saying:

If you are a Windows OneCare user and your current status is green, you are already protected from known malware that uses this vulnerability to attempt to attack systems.
My question in all of this is if it's fixed in this "OneCare" thing, then what's the difference in the rollout to everyone else? Please, God, tell me this isn't some stupid marketing ploy (the delay that is) to get more people on this damn OneCare thing...

Xserv

How to proceed? (2, Funny)

trollable (928694) | more than 8 years ago | (#14386892)

The problem is so serious that security experts are urging IT firms to use the unofficial patch.

Do I have to install Wine first?
Please help!

The WMF snowball continues downhill... (1)

bp+m_i_k_e (901456) | more than 8 years ago | (#14386908)

Does anyone really care what ZDNet has to say about this? ZDNet had to release a wmf article...Computerworld already did. But, the only relevance of either article is to demonstrate that the mainstream media is reporting on this. If anyone in IT relies on ZDNet for technical advice related to security...yikes.

Exploit to fix the exploit? (3, Interesting)

OneSeventeen (867010) | more than 8 years ago | (#14386924)

Is it possible to use the .wmf exploit to install the .wmf exploit patch?

It's good to see that Microsoft is keeping things consistent in this new year. As an administrator, I was worried I would have to learn something new. Rinse, lather, patch, repeat.

A stupid question (1)

Tibor the Hun (143056) | more than 8 years ago | (#14386964)

OK, why does every link to the patch link to the same Handler's Diary page?
Where can one download the patch?
Thx.

My company already used the unofficial patch... (2, Interesting)

doormat (63648) | more than 8 years ago | (#14386968)

Yesterday (Jan 2). All 1300+ computers got patched and rebooted. I'm patching my home computers tonight...