Exploit Released for Unpatched Windows Flaw (386 comments)

woodchuck writes "Washington Post reports that another Windows hole has been found and exploit code is now running loose that makes Swiss cheese of current patches and security measures. From the article: 'Security researchers have released instructions for exploiting a previously unknown security hole in Windows XP and Windows 2003 Web Server with all of the latest patches applied. Anti-virus company Symantec warned of the new exploit, which it said uses a vulnerability in the way Windows computers process certain image files (Windows Meta Files, or those ending in .wmf). Symantec said the exploit is designed to download and run a program from the Web that downloads several malicious files, including tools that attackers could use to control vulnerable computers via IRC.'"
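The summary says the exploit is a crafted Windows Metafile served to the browser. The first check a defender wants in that situation is format-aware detection: a metafile does not have to arrive with a .wmf extension, so a filter keyed on the file name misses it. The scanner below is an added example written for this page; it is not code from the Washington Post article, Symantec, Microsoft or any of the commenters. It identifies WMF content by its placeable or standard header, walks the record list, and flags META_ESCAPE records together with the escape subfunction they carry. The escape code it names, SETABORTPROC (0x0009), is the one Microsoft's later bulletin MS06-001 tied to this flaw; that is background, not something the thread states. All sample bytes are constructed by hand for the example.

```python
"""Format-aware scanner for Windows Metafile (WMF) content.

Added example for this thread; not code from the article, Symantec,
Microsoft or any commenter. All sample bytes are constructed by hand.
Record and escape numbers follow the public WMF format
(META_ESCAPE = 0x0626, SETABORTPROC escape = 0x0009).
"""
import struct

PLACEABLE_MAGIC = 0x9AC6CDD7      # key of the 22-byte placeable (Aldus) header
PLACEABLE_HEADER_LEN = 22
STD_HEADER_LEN = 18               # METAHEADER is 9 words

META_EOF = 0x0000
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009             # escape subfunction named in MS06-001 (Jan 2006)

RECORD_NAMES = {
    META_EOF: "META_EOF",
    META_ESCAPE: "META_ESCAPE",
    0x020B: "META_SETWINDOWORG",
    0x020C: "META_SETWINDOWEXT",
    0x0418: "META_ELLIPSE",
    0x041B: "META_RECTANGLE",
}


def is_wmf(data):
    """Decide by header, not by extension, whether a blob is a metafile."""
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        return True
    if len(data) >= STD_HEADER_LEN:
        mtype, hdr_words, version = struct.unpack_from("<HHH", data, 0)
        return mtype in (1, 2) and hdr_words == 9 and version in (0x0100, 0x0300)
    return False


def iter_records(data):
    """Yield (offset, function, params) per record; ValueError on malformed input."""
    off = 0
    if struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        off = PLACEABLE_HEADER_LEN
    if len(data) < off + STD_HEADER_LEN:
        raise ValueError("truncated metafile header")
    hdr_words = struct.unpack_from("<H", data, off + 2)[0]
    off += hdr_words * 2
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        end = off + size_words * 2
        if size_words < 3 or end > len(data):
            raise ValueError("bad record size at offset %d" % off)
        yield off, func, data[off + 6:end]
        if func == META_EOF:
            return
        off = end
    raise ValueError("no META_EOF record")


def scan(data):
    """Summarise a blob: WMF or not, record functions seen, escape records found."""
    result = {"is_wmf": is_wmf(data), "records": [], "escapes": [], "error": None}
    if not result["is_wmf"]:
        return result
    try:
        for off, func, params in iter_records(data):
            result["records"].append(RECORD_NAMES.get(func, "0x%04X" % func))
            if func == META_ESCAPE and len(params) >= 2:
                # META_ESCAPE params: EscapeFunction (2), ByteCount (2), data
                result["escapes"].append((off, struct.unpack_from("<H", params, 0)[0]))
    except ValueError as exc:
        result["error"] = str(exc)
    return result


def extension_lies(name, data):
    """True when the bytes are a metafile but the file name says otherwise."""
    return is_wmf(data) and not name.lower().endswith(".wmf")


# --- constructed samples (hypothetical, built here for the example) ---------

def record(func, params=b""):
    """One WMF record: Size (words, incl. this 6-byte header), Function, params."""
    if len(params) % 2:
        params += b"\x00"
    return struct.pack("<IH", 3 + len(params) // 2, func) + params


def build_wmf(records):
    """Standard (non-placeable) metafile wrapping the given records."""
    body = b"".join(records) + record(META_EOF)
    max_words = max(len(r) for r in records) // 2 if records else 3
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300,
                         (STD_HEADER_LEN + len(body)) // 2, 0, max_words, 0)
    return header + body


BENIGN_WMF = build_wmf([
    record(0x020C, struct.pack("<hh", 100, 100)),          # META_SETWINDOWEXT
    record(0x041B, struct.pack("<hhhh", 90, 90, 10, 10)),  # META_RECTANGLE
])
ESCAPE_WMF = build_wmf([
    record(0x020C, struct.pack("<hh", 100, 100)),
    record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + b"\xcc" * 4),
])
# Placeable header with a zero checksum (this scanner does not validate it).
PLACEABLE_HEADER = struct.pack("<IHhhhhHIH", PLACEABLE_MAGIC, 0, 0, 0, 100, 100, 96, 0, 0)

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_WMF), ("escape", PLACEABLE_HEADER + ESCAPE_WMF)):
        print(label, scan(blob))
```

The scanner reports rather than judges: an escape record is not proof of malice, but in an image fetched from a web page it is reason enough to quarantine the file. It stops at the first malformed record instead of skipping it, since a parser that silently resynchronises is exactly what an attacker wants to disagree with the renderer.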
  • by Anonymous Coward on Wednesday December 28, 2005 @09:04PM (#14355180)
    So they're researchers now? I'm sorry, but I have to disagree, they are computer hackers.
  • how long? (Score:2, Insightful)

    by Anonymous Coward on Wednesday December 28, 2005 @09:06PM (#14355192)
    before MS starts using less-quick security patches as the reason to move from XP to vista?
  • Just checking... (Score:1, Insightful)

    by sootman ( 158191 ) on Wednesday December 28, 2005 @09:15PM (#14355231) Homepage Journal
    ... there has not yet been a real, severe, in-the-wild exploit (like Sasser) since XP SP2, right? I hate to admit it as much as the next guy, but MS has been pretty tight for a while--unless there's something I've missed. Have I?
  • by GaryPatterson ( 852699 ) on Wednesday December 28, 2005 @09:23PM (#14355273)
    You're fighting a lost battle there. The common understanding of the word 'hacker' now implies criminal behaviour.

    The whole 'white hat' and 'black hat' thing never made it to the media, so all hackers are 'black hats' now.
  • by Anonymous Squonk ( 128339 ) on Wednesday December 28, 2005 @09:23PM (#14355275) Journal
    If 100 security flaws exist but are never found, does this still make the OS tight?

    If even only one unpatched security flaw exists, an OS should never be called "pretty tight". This flaw has always been there, even if it has only been exploited just now...
  • by Anonymous Coward on Wednesday December 28, 2005 @09:27PM (#14355290)
    They can be called "hackers" all right. While I know that you and a handful of other language fascists would like to change how the rest of the world uses their language, it's a fact that "hacker" now means (in addition to the definition you want it to have -- there's nothing wrong about a word having several meanings which become apparent upon reflecting on the context in which they are used) what you mean by "cracker". What they can't be called is "researchers". Publishing a vulnerability can be considered research, POC code is highly doubtful in most cases, and a full-fledged app starting shit up connecting to an IRC server is just plain maliciousness. Thus, hacker or cracker -- take your pick. But researchers they ain't.

    Submitter, stop helping these people feel legitimate. The parent poster and I agree on one thing: they're just assholes.
  • by Anonymous Coward on Wednesday December 28, 2005 @09:35PM (#14355332)
    That this comment is modded -1, Troll shows how extremely intolerant Slashdot has become to dissenting views. It's funny that a community which is supposed to be so strongly against censorship is so quick to remove anyone who has a contrary opinion from view.

    I agree with the parent. A researcher may perhaps publish code to prove that the exploit works, but no serious researcher writes a whole app that connects to an IRC server only as proof of concept. That is not research, it's clear malicious intent.

    Moderator, if your beef is with the parent's use of the word hacker: just grow the fuck up. You and ESR aren't going to be able to police the whole world's use of language anyway, so just give up already.

    As for people (as one doofus who replied to this post apparently does) who think hackers should be called crackers -- what do you propose people who break copy protection should be referred to as then? You hack into a system, you crack a protection mechanism. If you people would have it your way, the scene would become very confusing very quickly.

    Let people use those words however they want to, mmkay? If you don't like it, run home to mommy and cry if you want to, but stop using this forum to whine about it every time someone doesn't use your non-standard definition of a word in common use.
  • Genius Idiots. (Score:5, Insightful)

    by mumblestheclown ( 569987 ) on Wednesday December 28, 2005 @09:57PM (#14355431)
    The people who took advantage of this loophole did so with a clear economic motive. This is because the loophole is used basically to a) install SpySheriff, a bogus anti-spyware program, and try to get the user to pay for it with a credit card b) install SurfSideKick and other idiot spyware programs c) install a spam sender, in order to make a few more billionths of a cent.

    In other words, whatever asshat took advantage of this loophole did so because he thought he could make a buck. If his goal was simply to bring Windows to its knees, cause havoc, or make a political/economic statement of some sort, he would have chosen something else. Wiping out My Documents of all the infected machines, for example.

    Whoever did this is obviously deluded. While some money will of course ultimately flow from this nonsense to the "see no evil" people who are the beneficiaries of spamvertisements, spyvertisements and so forth, the actual exploiter basically has little to no chance of getting it (even if he is in Russia, as I'd suspect is a good bet) as his affiliate commission links will be tracked, as will wherever the hell that credit card box for SpySheriff was pointing to and so forth.

    So we have somebody smart enough (and make no mistake, it takes some smarts) to either discover or be in a small clique of people discovering a quite obscure loophole (it must be obscure, given just how old the affected .dll is), but have ABSOLUTELY NO FUCKING CLUE how to go about exploiting it other than in the most juvenile and unlikely way to fail imaginable. Furthermore, even though it is likely to fail, the guy has shown himself to basically be a psychopath, with little to no concern about the hundreds of thousands of hours (read: PEOPLE-LIFE-EQUIVALENTS) that will be spent agonizing over and fixing this.

    Whoever that person is, they are human filth. But, there's a lot of human filth out there. The sad thing is that this person obviously has potential to do so much more but simply pisses it away instead. Pathetic.

  • by HermanAB ( 661181 ) on Wednesday December 28, 2005 @10:16PM (#14355526)
    It is a carefully crafted buffer overflow in the stack causing a return address to be overwritten. A subroutine return instruction then jumps to the exploit code, instead of the parent routine. This is an old trick to implement dynamic jump tables, exploited for malicious purposes.
  • by allankim ( 558661 ) on Wednesday December 28, 2005 @10:21PM (#14355553)
    Coincidentally I was browsing an ad-heavy lyrics site in another tab (Firefox, of course) and was prompted for an action to handle "track5.wmf" ... Geez, they don't waste any time, do they?
  • by dorkygeek ( 898295 ) on Wednesday December 28, 2005 @10:52PM (#14355717) Journal
    Yes, I remember these days. But what do you want to prove with that argument? I said that the term cracker should be used because it already had a malevolent connotation, instead of hacker.

    So, yes, let's come up with some third term! But remember, it must sound cool, otherwise the media is not going to adopt it. Although I feel that this is already in the making. I guess that in some years, everybody who would have been called a hacker by today's media is going to be called cyber terrorist by then. Just imagine the headlines: "Cyber Terrorist Exploits Security Hole in IE to Send Spam".

  • Hmm (Score:2, Insightful)

    by Azureflare ( 645778 ) on Thursday December 29, 2005 @12:24AM (#14356138)
    I would say about 80% of the comments on this site tend to be pretty evenhanded in their treatment of windows security. If you actually read comments on stories about windows flaws, you would see that the people that get modded up are those that say "really, this isn't that serious, this is just Anti-MS stuff." You don't see people saying "OSS RULES MS SUCKS" getting modded up. Sure, people making jokes get +5 funny, but so do the people making jokes on the firefox articles about firefox vulnerabilities. Jokes get modded up not necessarily because they're true, but because they identify with a common recurring theme.

    The fact is, the impression that slashdot is anti-MS and pro-linux is wrong. We just like to know about vulnerabilities in an operating system that 90% of computer users have installed on their systems, and utilize every day. Not many people care about vulnerabilities in gqview for gnome (to take a random app for example). There are just so many apps that are not core to the system. Now, if there was a vulnerability in PHP or Apache that had an exploit in the wild, then that would make the news I'm sure.

    Honestly, I think someone should go through all the windows vulnerability stories and count the number of anti-ms, pro-ms, and the smart people posts (i.e., those who realize that simply bashing an OS because of a discovered security flaw is silly, because all Operating Systems have flaws). In the end I think you would see that the majority of people on slashdot do not see Microsoft Windows as the Ultimate Evil. I could be wrong of course. I'm not exactly an authority on the subject. I haven't gone through counting the number of posts.

    BTW where on slashdot does it say it's geared towards linux users?

  • by Lehk228 ( 705449 ) on Thursday December 29, 2005 @12:41AM (#14356209) Journal
    no, 5 years to stop the flood of wormable remote exploits isn't "pretty tight"
  • by Anonymous Coward on Thursday December 29, 2005 @12:44AM (#14356228)
    The metasploit framework module is a direct rip of the original exploit. All I did was remove the download+exec code and allow the user to specify their own payload instead. I needed to test the bug on a few platforms and didn't feel like attaching a debugger each time :-)

    The source can be found here:
    http://metasploit.com/projects/Framework/exploits.html#ie_xp_pfv_metafile

    -HD
  • by DavidTC ( 10147 ) on Thursday December 29, 2005 @12:57AM (#14356284) Homepage
    No.

    You crack things by breaking them, or part of them. This can be copy protection or security software or DRM. You can even crack into hardware you aren't supposed to be able to open. The metaphor is 'cracking them open' like a coconut.

    You hack something by modifying it in a clever way, or using it in a clever way without modifications. The metaphor of 'carving with axes' doesn't really work here.

    A hack can be a crack, and a crack can be a hack. Witness the X-Box ones that let you run unsigned programs via holes. A hack and a crack.

    A hack is not always a crack. In fact, it can be the opposite of one, where a clever modification prevents a crack.

    A crack is not always a hack. Sticking a screwdriver into a plastic case and ripping it open with brute force is a crack, but it is not by any means a hack.

    The definitions are perfectly consistent, and neither requires malicious intent. However, you can hack someone else's stuff in a non-malicious way, but cracking their stuff is almost always malicious, as you're breaking something.

  • Re:Hmm (Score:1, Insightful)

    by Anonymous Coward on Thursday December 29, 2005 @01:04AM (#14356319)
    You are missing the point!

    If you actually read comments on stories about windows flaws, you would see that the people that get modded up are those that say "really, this isn't that serious, this is just Anti-MS stuff."

    Really, this is serious, M$ cannot code a simple image viewer without creating a new vulnerability! This has already happened once (just search for JPG vulnerability); now it has happened in a format that M$ championed because they didn't like NIH! and they still fscked it up!

    You gotta wonder: are they capable at all?
  • by HermanAB ( 661181 ) on Thursday December 29, 2005 @03:00AM (#14356777)
    Linux just isn't ready for the desktop yet, since these programs are obviously an essential part of the Windows experience and they just won't run on Linux.
  • by Dave AM ( 743447 ) on Thursday December 29, 2005 @03:03AM (#14356789)
    Sounds like the lawyers thoroughly edited these lines:

    "Microsoft is aware of the public release of detailed exploit code that could allow an attacker to execute arbitrary code in the security context of the logged-on user, when such user is visiting a Web site that contains a specially crafted Windows Metafile (WMF) image. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's Web site."

    Microsoft makes it sound like we have nothing to fear, because the attacker can't make you go to his site, but how many times a day do you misspell a URL and go to some strange site?

    Luke: "I am not scared master."
    Yoda: "Oh you will be, you WILL be..."
  • by Scarblac ( 122480 ) <slashdot@gerlich.nl> on Thursday December 29, 2005 @09:58AM (#14357764) Homepage

    You're fighting a lost battle there. The common understanding of the word 'hacker' now implies criminal behaviour.

    The whole 'white hat' and 'black hat' thing never made it to the media, so all hackers are 'black hats' now.

    He's not even fighting that battle, he's fighting the one before that. What he calls a "hacker" is not what you call a "white hat hacker". A hacker is an exceptionally gifted programmer, the term has nothing to do with security. People trying to break into computers are crackers, regardless of their intentions. So-called "white hats" are crackers.

    That said, yeah, that battle is rather lost...
