
Trustworthy Computing

Anonymous Coward writes "This is a first: the Internet Storm Center is recommending trustworthy computing. They want you to trust the unofficial patch for the Windows Metafile Vulnerability that is currently being exploited by an IM worm. No patch from Microsoft at this time, and the exploit is arranged in such a manner that it cannot be detected by most intrusion detection systems (the snort rule will peg the CPU on your router) nor filtered by packet-inspecting firewalls (it spans two or more ethernet frames). Not really a whole lot of choice about this one."
  • by PPGMD ( 679725 ) on Monday January 02, 2006 @10:48AM (#14378332) Journal
    SPI firewalls aren't meant for application filtering, on my company servers I just blocked WMF files at the Exchange server, and set our ISA Servers to block WMF from websites also. Company policy already blocks the various IM clients.

    I imagine that I could push out the deregistering fix, and associating WMF with Notepad, but that seems a little extreme because our attack vector has become limited, and our anti-virus is now updated with the newest signatures that detect this exploit.

  • by ZerocarboN ( 415676 ) on Monday January 02, 2006 @10:49AM (#14378335)
    FTA:
    You cannot wait for the official MS patch, you cannot block this one at the border, and you cannot leave your systems unprotected.

    This has always been the case with Windows, if I'm not mistaken.

  • by Anonymous Coward on Monday January 02, 2006 @10:57AM (#14378386)
    I wouldn't call what they are offering as trusted computing. They are not
    the manufacturers of the OS, so whatever they are offering is NOT trusted computing.

    Since it's a typical binary patch you have to trust them that this
    patch won't hose your system or make you pwned by these or other folks.

    As a long time Linux user, I find this situation appalling. If I were stuck
    using a Windows box I would be pissed off by this. Look, when I want to upgrade
    my box, I just do a apt-get update; followed by either apt-get dist-upgrade
    or use synaptic. I know my sources (I select them myself), I know that the reality
    checks exist (gpg keys, outside sources verifying the software, etc.). I know
    I'm not getting hosed when I install software from my usual Debian repositories.

    Do any of you windows folks know these security folks? Do you have any
    reality checks that you can apply against this binary patch? What control do
    you think you have of your operating system?

    I guess if you haven't been a Linux user for a long time you might not understand
    the depth of how bad your security model is when you're stuck with windows.

    --Johnny
  • Re:Is it just me (Score:4, Interesting)

    by abirdman ( 557790 ) <[abirdman] [at] [maine.rr.com]> on Monday January 02, 2006 @11:13AM (#14378470) Homepage Journal
    You are absolutely correct, sir. This article has absolutely nothing to do with "trustworthy computing," (aside from the use of the word "trust"). It is perhaps interesting that the headline was enough to persuade me to read the summary, and click the link to the story. Maybe, in some strange way, they're demonstrating how the exploit works.
  • by Cobralisk ( 666114 ) on Monday January 02, 2006 @11:21AM (#14378509)
    They don't have to.

    1. Write a 1 line .bat file that does the deed for the cluefully challenged.
    2. Package and publish as a Hotfix and push to Windows Update.
    3. ???
    4. Profit!

    "98%" of PC Users don't know how a patch works any more than they know how to disable a DLL. I'm sure they don't even know how scheduling works. Shockingly, the inner workings of a computer are as mysterious to the average user as a woman's body is to a slashdot reader. We should all just give up on them, because we don't need Joe Sixpack to drive the tech economy so we can actually afford to have computers and affordable bandwidth. Just tell them to put it back in the box, return it to BestBuy, and tell the clerk they're too fucking stupid to own a computer. The GP post suggested a method that apparently works for disabling the vulnerability. This information is useful to the slashgeeks who will end up servicing the computers of friends, family, and co-workers one way or another. A quick heads-up now on this saves a few hours later when after some porn surfing (it just popped up and it wouldn't let me close it) or email attachment (I didn't open it) you end up removing the worm and all the damage it did anyway.
  • by MikaelC ( 584630 ) on Monday January 02, 2006 @11:22AM (#14378519)
    It may not be enough.

    From http://www.viruslist.com/en/weblog?discuss=176892530&return=1 [viruslist.com]:

    "... Going back to the wmf vulnerability itself, we see number of sites mention that shimgvw.dll is the vulnerable file. This doesn't seem correct as it's possible to exploit a system on which shimgvw.dll has been unregistered and deleted. The vulnerability seems to be in gdi32.dll... "

  • Re:Programmers? (Score:3, Interesting)

    by iBod ( 534920 ) on Monday January 02, 2006 @11:26AM (#14378541)
    Agree with you there C++, but this kind of sloppy design/coding would not be possible with an architecture that implemented memory protection at the hardware level.

    IBM mainframes were able to designate the usage of 'pages' or 'frames' of memory by using 4-bit 'storage keys' in the mid 1960s!

    You requested the storage in a specific key (in your own address space) and any program accessing that storage with a different key. The ability to change storage key was strictly controlled by OS privileges and any program violating that rule would immediately die with a 'storage protection' exception.

    The guys at Intel in the late 1970s didn't consider things like that - if they ever knew about them - as they were mostly IC designers, not proper computer architects.

    I think the Motorola 68000 series was following in the footsteps of the IBM S/3x0 mainframe CPU architecture but never quite got there.
  • Re:Shame (Score:3, Interesting)

    by julesh ( 229690 ) on Monday January 02, 2006 @11:36AM (#14378600)
    It'd be nice to have a computer that I can use the patch on.. Maybe I can Wine it?

    That's an interesting question -- is wine vulnerable to this flaw? As I understand it, it is essentially a design fault in the way WMF files work (i.e., the entire process of using a WMF file was never designed to be secure in the first place, so it is able to do stuff like set up callbacks into the application's address space).
  • Re:Holidays! (Score:4, Interesting)

    by SillyNickName4me ( 760022 ) <dotslash@bartsplace.net> on Monday January 02, 2006 @11:38AM (#14378607) Homepage
    Sure, people need lives (e.g., vacation, time off, etc.).

    And so do those who work as network administrators etc.

    I can tell you that many a company that takes internal security seriously has had people working on this over the last weekend to make sure they are as safe as can be when everyone starts working today.

    MS could have had a few employees working on this during the holidays, get it properly fixed, and have an update installed with windows update.. as it is, they got a few thousand people working on implementing workarounds and unofficial fixes instead. Lots of extra work that has to be undone when the official fix is there.

  • Re:Over/Under (Score:5, Interesting)

    by Malor ( 3658 ) on Monday January 02, 2006 @11:41AM (#14378616) Journal
    It's probably a hard problem to patch. From what I've gathered, this is a feature of WMFs, not a bug. They were designed before people even knew what the Internet was. WMFs, apparently, have the ability to specify code to be run on a failure to render. So the bad guys give you a bad WMF file, cleverly renamed as JPG, and stick it in an ad banner. You browse a site (with any browser), Windows fails to render the WMF (which it will recognize even if the filename says JPG), runs the specified failure code, and you're hacked. That fast.

    Changing code that's this deeply buried in Windows is risky. The interpreter for WMF is one of the remnants of code left over from single-user computers, and they'll have to test changes very thoroughly. They're GOING to break things with this patch, because they're removing a designed-in feature. They're probably working feverishly to figure out how to minimize the damage, but some damage is inevitable. And the problem could be far worse than it appears; that DLL could be riddled with problems. It may not have been audited in many years.

    This is yet another example of how you can't retrofit security; the first Windows versions were designed when security wasn't even an issue, when the Internet was barely a twinkle in Al Gore's eye. There's a mountain of code that was written just to work, not to worry about being handed malicious data. If a user passed bad values to a system call and it crashed, oh well. It was their fault for doing it. It's not like they had anything to gain from it, after all. They owned the computer. Why on earth would the computer need to protect itself from its owner?

    With the advent of the Net, Microsoft decided to both stay backward-compatible and extend what they had onto the Internet. And their focus for many years was on new features, not security. Essentially every security person at the time warned them -- stridently -- against the choices they were making. It was obviously going to be a trainwreck. This is just the latest in that ongoing collision between a single-user operating system and exposure to every computer in the world.

    This particular exploit is BY FAR the worst one yet...even very competent administrators, doing everything exactly as they should, can get nailed by this one. As bad as this is, though, it's not like they're going to stop here.

    Trying to retrofit security onto the Win3.1/Win95 model is like trying to use scotch tape to make cheesecloth waterproof. No matter how much tape you use, even if it's a lot more tape than cloth, it will ALWAYS leak. It might hold water for a bit, but leaks will constantly spring up. They've added tremendous functionality in the NT/2k/XP kernels which can limit what users can do and limit the possible scope of compromises, but many many programs (especially games) require administrator privs just to run. So most people run as Administrator even though they shouldn't. And that makes hacks like this one very easy and *extremely* damaging.

    Hopefully Microsoft will get a patch out fast.... they certainly must understand how overwhelmingly bad this problem is. The fact that they're reacting slowly is likely an indication that it's hard to fix.
  • Re:Programmers? (Score:5, Interesting)

    by julesh ( 229690 ) on Monday January 02, 2006 @11:43AM (#14378628)
    If this *were* a stack overflow, you'd have a good point.

    However, the WMF format allows you to embed a code in it that basically says "when you've finished drawing this, call the function at this address to execute it". The reason that this exists is that WMF was not originally intended to be a file format. It was intended to allow Windows applications to record the steps necessary to draw an object, so they could do it again later (presumably using less processing at that point because everything's precalculated).
  • by smoker2 ( 750216 ) on Monday January 02, 2006 @11:50AM (#14378669) Homepage Journal
    or not ?

    according to Microsoft [windowsonecare.com]

    If you are a Windows OneCare user and your current status is green, you are already protected from known malware that tries to attack this possible vulnerability.
    That sounds like they must have some kind of patch out there, or are they hoping to get more users "hooked" on OneCare ?

    Otherwise, this statement doesn't make sense :

    Upon completion of this investigation, Microsoft will take appropriate action to help protect our customers. This will include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs. [microsoft.com]
    Maybe I'm being picky, but I think all their customers have a quite urgent need, right now !

    Written from the sublime security of Fedora Core, thanks.

  • Re:Programmers? (Score:1, Interesting)

    by Anonymous Coward on Monday January 02, 2006 @11:50AM (#14378673)
    BZZZT!!! Wrong answer! Thanks for playing though.

    Read this to find out where you went wrong [f-secure.com]
  • Re:Over/Under (Score:4, Interesting)

    by mce ( 509 ) on Monday January 02, 2006 @12:03PM (#14378739) Homepage Journal
    One wonders how long MicroSoft themselves have known about this one. Despite them being "The Incompetent Company", they do have a lot of very competent software people working for them. I'd be willing to bet some money that some of those have identified this particular flaw some time ago already but that, after looking at the consequences of fixing it properly, the company decided to hope that nobody would notice until they finally get around to publicly breaking backward compatibility.

    With stuff like this in their closet, one surely can understand at least to some extent why they advocate closed source. The feature in question is likely well documented, and thus reasonably "open", but the idea of what might happen if crackers get access to all the non-safe zombie code that dates from their pre-history truly must horrify them.

  • Re:Over/Under (Score:3, Interesting)

    by arminw ( 717974 ) on Monday January 02, 2006 @12:59PM (#14379042)
    .......but many many programs (especially games) require administrator privs just to run......

    That in a nutshell is the biggest problem with Windows. It is still suffering from its roots as a single user computer system in the world before networking. *NIX systems, such as Linux and OSX are more secure mostly because they do not require administrator status to run application programs. MS will have to FORCE developers to change this by making two users on every system -- one the admin and another the user, one or more ordinary users with limited privileges. Programs that ask for higher privs, would just die with a nasty message from the OS.

    The other change would be to get rid of the registry which is used to ensure that malware runs when the system is booted, among other functions. If in VISTA, ordinary programs, games or anything other than system utilities and installers STILL require the user to be an admin, there certainly is no reason to upgrade in the hopes of finally getting a system at least as secure from malware as OSX. In combination with this MS should then spend some serious money to educate their customers not to EVER give their admin password unless they KNOW they are installing some new software. An internet greeting card, picture or e-mail should not EVER allow the introduction of new, executable code onto a computer without the explicit permission of the educated user.
  • Wiki (Score:4, Interesting)

    by r00t ( 33219 ) on Monday January 02, 2006 @01:14PM (#14379130) Journal
    Some wikis probably don't check file content.

    Wikipedia tries to block stuff like this, but I don't think it is all that reliable. They just use the UNIX file command to see if a file matches the file extension.

    WMF files start with 0x01 0x00, and are unrecognized by the file command.

    JPEG starts with 0xff, so that won't do. Well, there are other formats to try.
  • by jonadab ( 583620 ) on Monday January 02, 2006 @01:30PM (#14379249) Homepage Journal
    > Geeze, here it is 2006 and people still think that the return address in unsigned
    > email means ANYTHING.

    Well, yeah. I had to explain to two coworkers just last week that the scary messages they were getting weren't really from eBay, and they were quite surprised. (So I told them that if they were concerned that they might need to check their eBay accounts, to use the bookmarks they usually use to go there, because they would know that those really go to eBay. The link in this message only says it goes to eBay, and really it goes someplace else, to another site. Such gasps of outrage and astonishment as I then heard, you'd have thought I was telling them that their husbands lied about the business trip and were really in Las Vegas with girlfriends.)

    This is at least partly because of the way mailreaders present the data. Instead of showing the headers as part of the message (which is, essentially, how they're transmitted), most mail readers parse the headers and present certain pieces of data from them (the From address, for instance) separately from the message, as metadata. Well, yeah, it *is* metadata in a sense, but the way it's presented makes it appear, to the casual user, as if it's something the mailreader knows about the message, rather than something the message claims about itself. Other critical headers, such as Received:, are not shown at all (unless the user specifically goes looking for them in a "Show All Headers" or "View Message Source" option or somesuch).

    There are, of course, good solid usability reasons why these things are the way they are, but it doesn't take a doctor of psychology to tell you what people are going to think as a result.

    Personally I'd like to see the information parsed out of the headers, especially the sender information, labelled just a little differently, e.g., "Claims to be From:". I'm not sure that would entirely solve the problem, but it might help a little. I'm also deeply annoyed that our ISP's mail server accepts HTML messages for delivery (if we had our own mail server in house it sure wouldn't), and that all the decent, deployable, user-friendly mail clients I can find happily render and display HTML mail. Even recent versions of Pegasus cannot, as near as I can determine, be configured to show the source or treat the HTML as an attachment.
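The two things jonadab describes (the From header being a claim the message makes about itself, and link text that names one site while the href points at another) can both be checked mechanically. The following is an added example, not code from the post or from any mail client it mentions: it parses a constructed phishing-style message with Python's standard library, labels the From header as "claims to be from", lists the Received headers that relays added, and flags anchors whose visible hostname differs from the hostname in the href. The message text, the relay names and the 203.0.113.10 address are constructed sample data.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real capture): the From header claims eBay,
# the HTML body shows an eBay address as link text but points elsewhere, and
# two Received headers record the hops the message actually took.
RAW_MESSAGE = "\n".join([
    "Received: from mx.example.net (mx.example.net [198.51.100.7])",
    "\tby mail.example.org with ESMTP; Mon, 02 Jan 2006 10:12:00 -0500",
    "Received: from [192.0.2.44] (unknown [192.0.2.44])",
    "\tby mx.example.net with SMTP; Mon, 02 Jan 2006 10:11:30 -0500",
    "From: \"eBay Security\" <security@ebay.com>",
    "To: user@example.org",
    "Subject: Account verification required",
    "MIME-Version: 1.0",
    "Content-Type: text/html; charset=us-ascii",
    "",
    "<html><body><p>Please verify your account at",
    "<a href=\"http://203.0.113.10/signin\">www.ebay.com/signin</a></p>",
    "<p>Help: <a href=\"http://www.ebay.com/help\">www.ebay.com/help</a></p>",
    "</body></html>",
]).encode()

HOSTNAME_RE = re.compile(r"[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z]{2,}")


class _AnchorCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append(("".join(self._text).strip(), self._href))
            self._href = None


def _shown_host(text):
    """Hostname a reader sees in the link text, or None if the text is not a URL/domain."""
    candidate = text if "://" in text else "http://" + text
    host = (urlparse(candidate).hostname or "").lower()
    return host if HOSTNAME_RE.fullmatch(host) else None


def deceptive_links(html):
    """Anchors whose visible hostname differs from the hostname the href actually targets."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for text, href in parser.anchors:
        shown = _shown_host(text)
        actual = (urlparse(href).hostname or "").lower()
        if shown and actual and shown != actual:
            findings.append({"shown": shown, "actual": actual, "href": href})
    return findings


def summarize(raw):
    """Present the headers the way the post asks for: From is a claim, Received is the trail."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body is not None else ""
    return {
        # Whatever the sender typed; nothing here was verified by the receiving server.
        "claims_to_be_from": str(msg["From"]),
        # Each relay prepends its own Received header, so the first entry is the nearest hop.
        "received_chain": [str(h) for h in msg.get_all("Received", [])],
        "deceptive_links": deceptive_links(html),
    }


if __name__ == "__main__":
    for key, value in summarize(RAW_MESSAGE).items():
        print(f"{key}: {value}")
```

Only link text that itself looks like a hostname or URL is compared, so "Click here" style anchors are left alone; the mismatch that matters is the one a user would read as an address.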
  • The AC is correct, Internet Explorer will look at up to 256 bytes of each data stream returned (images, html, etc) and attempt to "guess" the MIME type.

    An interesting fix for this problem- Rather than having your hardware router/firewall sniff all the packets, you could write a pluggable MIME filter registered to ALL image types on your PC (Google it for more info- I've done a lot of research on MIME filters and Asynchronous Pluggable Protocols for IE, but I'm too lazy to dig it all up right now). If the MIME filter examines the returned image data stream and sees evidence of the WMF exploit, trash the stream and substitute your own image (maybe a jpeg of a skull and crossbones). If registered as a permanent MIME filter it would have the benefit of blocking the exploit in anything that uses IE as a rendering engine- which includes many e-mail applications (Outlook!), and some IM apps.

    I looked at doing this myself, but dropped it assuming MS would have created a fix by now. Maybe I should start working on it again....
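r00t's point about wikis trusting the file extension and the MIME-filter idea above come down to the same defensive check: decide what a file is from its bytes, never from its name, and refuse WMF content wherever only raster images are expected (a WMF renamed to .jpg is exactly what the thread describes). The following is an added example, not code from either comment, from the ISC or from Wikipedia: a content sniffer that recognises JPEG, PNG, GIF, BMP and both WMF header forms, an upload check that rejects extension/content mismatches, and a record walker that flags the WMF Escape record carrying SETABORTPROC, the "call this when you've finished drawing" hook the comments describe. The record constants (META_ESCAPE 0x0626, SETABORTPROC 9, the placeable-header key) come from the Windows Metafile format, not from the page; every sample blob is constructed inline and the flagged sample carries only zero bytes.

```python
import os
import struct

# WMF constants from the metafile format (not taken from the page).
META_EOF = 0x0000
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009
PLACEABLE_KEY = b"\xd7\xcd\xc6\x9a"   # 0x9AC6CDD7 little-endian, 22-byte placeable header
PLACEABLE_HEADER_LEN = 22
METAHEADER_LEN = 18

MAGIC = (
    ("jpeg", b"\xff\xd8\xff"),
    ("png", b"\x89PNG\r\n\x1a\n"),
    ("gif", b"GIF87a"),
    ("gif", b"GIF89a"),
    ("bmp", b"BM"),
    ("wmf", PLACEABLE_KEY),
)
EXTENSIONS = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png",
              ".gif": "gif", ".bmp": "bmp", ".wmf": "wmf"}


def sniff(data):
    """Identify the image type from content alone, ignoring the file name."""
    for kind, magic in MAGIC:
        if data.startswith(magic):
            return kind
    # Standard (non-placeable) WMF has no signature, only a plausible METAHEADER:
    # Type 1 or 2, HeaderSize 9 words, Version 0x0100 or 0x0300. This is the
    # "0x01 0x00" start the comment mentions, and why `file` misses it.
    if len(data) >= METAHEADER_LEN:
        wmf_type, header_size, version = struct.unpack_from("<HHH", data, 0)
        if wmf_type in (1, 2) and header_size == 9 and version in (0x0100, 0x0300):
            return "wmf"
    return None


def check_upload(filename, data):
    """Return ('accept'|'reject', reason). The bytes decide; the extension only corroborates."""
    kind = sniff(data)
    ext = os.path.splitext(filename)[1].lower()
    if kind is None:
        return "reject", "unrecognized content"
    if kind == "wmf":
        return "reject", "WMF content" + ("" if ext == ".wmf" else f" disguised as {ext}")
    if EXTENSIONS.get(ext) != kind:
        return "reject", f"content is {kind} but name says {ext or 'nothing'}"
    return "accept", kind


def wmf_abortproc_records(data):
    """Offsets of META_ESCAPE records whose escape function is SETABORTPROC."""
    offset = PLACEABLE_HEADER_LEN if data.startswith(PLACEABLE_KEY) else 0
    offset += METAHEADER_LEN
    hits = []
    while offset + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, offset)   # size is in 16-bit words
        if func == META_EOF or size_words < 3:                       # end, or malformed record
            break
        if func == META_ESCAPE and offset + 8 <= len(data):
            escape_fn = struct.unpack_from("<H", data, offset + 6)[0]
            if escape_fn == SETABORTPROC:
                hits.append(offset)
        offset += size_words * 2
    return hits


# Constructed samples (not real files): just enough bytes to exercise the checks.
JPEG_SAMPLE = b"\xff\xd8\xff\xe0" + b"\x00" * 12
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8


def _record(func, payload=b""):
    """One WMF record: size in words, function code, parameters (payload must be even-length)."""
    return struct.pack("<IH", (6 + len(payload)) // 2, func) + payload


def _wmf(records):
    """Wrap records in a minimal standard METAHEADER (Type 1, 9-word header, version 0x0300)."""
    body = b"".join(records)
    max_words = max(len(r) // 2 for r in records)
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (METAHEADER_LEN + len(body)) // 2, 0, max_words, 0)
    return header + body


SAFE_WMF = _wmf([_record(META_EOF)])
# Escape record selecting SETABORTPROC; the eight zero bytes are a constructed placeholder.
SUSPECT_WMF = _wmf([
    _record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 8) + b"\x00" * 8),
    _record(META_EOF),
])

if __name__ == "__main__":
    for name, blob in (("photo.jpg", JPEG_SAMPLE), ("banner.jpg", SUSPECT_WMF), ("icon.jpg", PNG_SAMPLE)):
        print(name, check_upload(name, blob))
    print("SETABORTPROC records at:", wmf_abortproc_records(SUSPECT_WMF))
```

The upload check rejects WMF outright because an image host has no reason to accept it, which is the simpler policy; the record walker is what a filter would use where WMF must be allowed but the abort-procedure hook must not be.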
  • by hullabalucination ( 886901 ) on Monday January 02, 2006 @02:39PM (#14379662) Journal
    ...several thousand times already: Thanks for the patch!
  • by jefu ( 53450 ) on Monday January 02, 2006 @03:07PM (#14379830) Homepage Journal
    Should I believe this statement?

    The checkpoint page you point to just lists this as a vulnerability and gives a password protected link to "FULL ADVISORY and SOLUTION" (caps theirs). Since I don't have a checkpoint login, I have no clue as to what they are saying. I therefore have no reason whatever to believe that they have anything to offer.

  • Re:Holidays! (Score:2, Interesting)

    by kimvette ( 919543 ) on Monday January 02, 2006 @03:22PM (#14379924) Homepage Journal
    {
    I think the problem is the timing: Holidays.
    }

    If they can force, er, "encourage" microserfs to pull 60 to 100 hour workweeks away from their families for months at a time to squeeze more features into Winbloat Vista and Microsoft Office, certainly they can ask one or two developers and QA folks to implement a security patch and roll it out quickly as at least a BETA release?

    reason 8,181,842 I quit running Windows.
  • by HermanAB ( 661181 ) on Monday January 02, 2006 @05:10PM (#14380495)
    What you are saying is that fixing broken Windows takes up so much of your time, that you can't afford to look at an alternative. Stand still and think about it for a moment.

    The fact is that you can install almost any shrink wrapped Linux distribution, do a default installation and have almost zero support issues for the next year. Honestly, I almost never patch my Linux servers and only upgrade them every 3 years.

    In a small business situation, any Linux box is as reliable as a refrigerator. Just leave it alone and it will keep working for a long, long time.

    Think of that ancient UNIX machine you talked about - how much effort do you invest in maintaining it? Pretty much zero huh? After all, you don't even know how it works. Now imagine if all your computers were that reliable...
  • I will grant that this will stop "many" types of cheats. It will still be useless because the cheaters will adopt the remainder. proxy aimbots and the like.

    You seem to be ignoring - willfully or not - that the fundamental model of trusting MS is broken. Making that model more severe by forcing trust compounds the brokenness. It Has Been Shown that MS will be late with patches. It Has Been Shown that they are not proficient at security and will remain so until the market penalties are severe. What is the point of requiring official binaries when the binaries are going to be broken for weeks at a time? The net WILL be flooded with spam by those who RELIED on the official binaries. You have it so amazingly backward I wonder if you previewed the post.

    MS blew it. They have added to their terrible reputation and I'm just not interested anymore.

    There's also an outlook to your position I find frankly weird: that there is an official source of goodness. The "right" and correct version of the dll to run at this time is clearly the unofficial patch. The right version of a file to run in the future is going to be the one that reduces your chances of being 0wn3d, not the one with the pedigree. THis is "duh" territory.

  • It took about 8 seconds to unregister the DLL from all systems on the network (Go active directory!) and limit applications' ability to load it.
  • by quiddity ( 106640 ) on Monday January 02, 2006 @07:03PM (#14381051)
    the unofficial patch fixes the vulnerability through shimgvw.dll, which we win98 users don't have. but the actual problem is in GDI32.dll which is required for windows to function. so basically we're SOL atm.
    info [grc.com]
  • by Anonymous Coward on Monday January 02, 2006 @09:01PM (#14381514)
    It's very unlikely Windows will ever try to stop you running "unauthorized code"

    Oh? XP stopped me running a CD crack for a game (a game I own, I might add). It absolutely refused, because it was an unsigned binary. You know, unauthorised code?

    So, yeah. There y'go.
  • by PhYrE2k2 ( 806396 ) on Tuesday January 03, 2006 @06:32PM (#14387817)
    A patch posted a couple weeks ago stopped IE from loading gif images from select sites. They show up as invalid (X) images. Strange isn't it? A 'security' patch should never break functionality.

    -M
