Exploit Released for Unpatched Windows Flaw

woodchuck writes "Washington Post reports that another Windows hole has been found and exploit code is now running lose that makes swiss cheese of current patches and security measures. From the article: "Security researchers have released instructions for exploiting a previously unknown security hole in Windows XP and Windows 2003 Web Server with all of the latest patches applied. Anti-virus company Symantec warned of the new exploit, which it said uses a vulnerability in the way Windows computers process certain image files (Windows Meta Files, or those ending in .wmf). Symantec said the exploit is designed to download and run a program from the Web that downloads several malicious files, including tools that attackers could use to control vulnerable computers via IRC.""

Easy workaround to avoid the exploit

[kawika]

Unregister the dll that provides WMF viewing. Click Start, Run, and enter this:

    REGSVR32 /U SHIMGVW.DLL

Sunbelt has more detail here [blogspot.com].

Re:Easy workaround to avoid the exploit

[LiquidCoooled]

To add to this, the exploit may be in more than one image file viewer, it could be a common handling problem with WMF files in Windows.
If you can remove ALL associations to the fileformat (at least until the extent is known) this would be beneficial.

Users of webbrowsers (all) must be careful when saving image files of type WMF.
Once saved on your computer the associated image viewer is used to display the file.

Take care with IM and email attachments as well, because this is another possible vector.

Breaks thumbnails and Windows Picture Viewer

[bogie]

So I'm kind of curious why he states "though I have used the hack on my machine and haven't had any problems yet. " since it breaks basic XP functionaliry.

Anyway, losing thumbnails and that program is IMHO a very minor price to pay for not having your machine rooted. So just make sure and warn others before you tell them to use this temporary workaround.

I wonder how long we will have to wait for MS to fix this one? Oh well, more money for me if they don't.

Re:Breaks thumbnails and Windows Picture Viewer

[jafiwam]

Yeah, so how am I supposed to sort my porn without thumbnails?

I'll take my chances, they still gotta get me to open a stupid .wmf in the first place.

Re:Breaks thumbnails and Windows Picture Viewer

[bryhhh]

I'd read this [securityfocus.com] before you take your chances, because it appears as though the exploit will work when the .wmf is disguised as a .jpg (or other extensions)

Re:Easy workaround to avoid the exploit

[Anonymous Coward]

Just my own experience... After issuing the reg command I was unable to view thumbnails in explorer of jpegs taken by my camera. I was also quite unable to open any of them until I issued the command to register the dll again ( regsvr32 shimgvw.dll ).

Re:Easy workaround to avoid the exploit

[1u3hr]

after issuing the reg command I was unable to view thumbnails in explorer of jpegs taken by my camera. I was also quite unable to open any of them until I issued the command to register the dll again

You probbaly have some kind of image viewing app (usually bundled with digital camers). Otherwise try a free one, eg Irfanview. Install and it will take the jpeg association and display them, allow you to move, rename, and do basic image editing as well.

Re:Easy workaround to avoid the exploit

[klui]

Not totally true. You lose thumbnails, but you should be able to double-click and launch whatever program set to view/edit your files. Just make sure your filetype association is correct.

Re:Easy workaround to avoid the exploit

[bergeron76]

And break a whole bunch of other stuff in the process!

Great advice.

Small price to pay

[green pizza]

And break a whole bunch of other stuff in the process!

Small price to pay for security. I'd rather give up thumbnails (they slow down explorer anyway) and avoid being r00ted by the latest internet worm.

Microsoft has released a security note

[Rosyna]

See http://www.microsoft.com/technet/security/advisory /912840.mspx [microsoft.com] for all the goodness than can only come from MS. It just gives the same info given other places but is done in an official capacity.

how long?

[Anonymous Coward]

before MS starts using less-quick security patches as the reason to move from XP to vista?

Upside.

[grub]

With Vista you'll be able to get this from the comfort of an RSS feed!

Fix from article

[Rangsk]

Here is the fix, from the linked article in case you DNRTFA:

----
According to iDefense, Windows users can disable the rendering of WMF files using the following hack:

1. Click on the Start button on the taskbar.
2. Click on Run...
3. Type "regsvr32 /u shimgvw.dll" to disable.
4. Click ok when the change dialog appears.

iDefense notes that this workaround may interfere with certain thumbnail images loading correctly, though I have used the hack on my machine and haven't had any problems yet. The company notes that once Microsoft issues a patch, the WMF feature may be enabled again by entering the command "regsvr32 shimgvw.dll" in step three above.
----

I'm not sure if you need to type this every reboot, or just once. Since it requires re-enabling, I'm hoping it's just once.

Re:Fix from article

[CargoCultCoder]

I'm not sure if you need to type this every reboot, or just once. Since it requires re-enabling, I'm hoping it's just once.

regsvr32 registers a COM/ActiveX "server" by modifying Windows registry entries. So, in theory, you need only run it once.

It is possible, however, that if you later install other software, the installer may re-register the DLL in question, in which case you'd want to manually unregister it again.

(Hmm. I suppose it's only coincidence that this novel approach [thedailywtf.com] to registering appeared on thedailywtf yesterday...)

Re:Fix from article

[dtfinch]

I'm pretty sure that disabling shimgvw.dll will disable more than WMF rendering.

Broke thumbnail feature - big deal

[green pizza]

This workaround broke thumnail view for me in explorer, but it's no big deal, thumbnail view looks pretty but it slows down explorer. At least you have a choice -- being r00ted by some new worm or lose one little eyecandy feature.

Broadband Reports' Security Forum Thread...

[antdude]

Also, read Broadband Reports' security forum thread [broadbandreports.com] for discussions and what people observed.

Re:Broadband Reports' Security Forum Thread...

[TubeSteak]

I got tagged by a trojan using the same exploit on IRC.

I downloaded the wmf file to my desktop, but accidentally double clicked it when I was trying to submit it to trendmicro

I closed the connection with TCP View [sysinternals.com], but it took out explorer.exe with it.

This is much worse than potential spyware, this exploit is silent and can easily be used to drop keyloggers, or in my case, it opened up a shell back to the guy i was chatting with.

(btw - I knew it was a trojan when i downloaded it)

Re:Broadband Reports' Security Forum Thread...

[antdude]

Ouch! You should post in Broadband Reports' forum thread about this. I don't think anyone has mentioned this.

Post to Broadband Reports' Thread...

[TubeSteak]

http://www.dslreports.com/speak/print/default;1512 1004 [dslreports.com]

There's an excerpt of our chat in that post too.

In other news...

[guruevi]

Microsoft said in it's late night response on new years day that a patch is being made, the flaw is not critical since no-one actually uses WMF and the rest who do use them never should surf to porn and warez sites anyway. A patch will be available in Windows Shoehorn.

Scary.

[Anonymous Coward]

Surfing for porn with IE on Windows is like having unprotected anal sex with everybody on the internet.

Essential part of Windows experience

[HermanAB]

Linux just isn't ready for the desktop yet, since these programs are obviously an essential part of the Windows experience and they just won't run on Linux.

Re:Scary.

[k00110]

"Update, 12:30 p.m. ET: Several security groups are reporting that it is extremely easy to get whacked by this vulnerability/exploit just by visiting one of a growing number of malicious Web sites that are now employing this attack. F-Secure's blog post on this indicates that -- because the vulnerability lies in the way Windows parses WMF image files -- Firefox and Opera users also can get infected -- although they at least have to agree to download and run a file first"

That's what they say in the article but the only thing I did was to open a .wmf movie in Firefox. I did not click/agree/install anything else.
The thing just auto-installed it-self from that point.

Re:Scary.

[HermanAB]

How did you remove the critter? A similar piece of work called Smitfraud-C can be removed with the smitrem tool: http://noahdfear.geekstogo.com/ [geekstogo.com]

Re:Scary.

[Tenareth]

That means at some point you told FireFox "No, I'm an idiot, don't warn me about this stuff in the future!".

That still isn't a FF issue.

How/Why does thi skeep happening

[Anonymous Coward]

Can someone explain to me exactly how an image viewer
program running on my client computer can be
made to execute code? Honestly, I don't really understand
these exploits that supposedly take advantage of
a client buffer overflow (or some such thing) to execute
code on my local machine. What makes the instruction pointer in
the code that is reading (in this case) the wmf file suddenly
jump to code that is in the data segment? (Presumably embedded in
the wmf file itself).

Re:How/Why does thi skeep happening

[HermanAB]

It is a carefully crafted buffer overflow in the stack causing a return address to be overwritten. A subroutine return instruction then jumps to the exploit code, instead of the parent routine. This an old trick to implement dynamic jump tables, exploited for malicious purposes.

Re:How/Why does thi skeep happening

[dtfinch]

On x86 processors (and probably most others), the stack pushes backward in memory. Each function call pushes the return address onto the stack. Because the stack pushes backwards, a buffer overflow will overwrite the previously pushed values that follow it in memory. So when the overflowed function returns, it'll return to the new address that has been written by the overflowed buffer.

Good stack overflow exploit code is pretty reusable for exploiting newly discovered stack overflows with little modification, which makes these exploits appear so quickly after a new vulnerability is discovered. There's also something called a heap overflow, but using it to run executable code is quite a bit harder and must be tailered to each specific vulnerability.

Re:How/Why does thi skeep happening

[Anonymous Coward]

That address has to be somewhere in the memory mapped to the currently executing process. That includes both the memory used to store the program code as well as the memory used to store any data. The x86 doesn't understand a difference between the two, and until x64 also had no way of marking sections of that memory as non-executable. So the combination of non-protectable memory, a reversed stack and the return address being stored on the stack, combined with languages that have no inherent bounds check

Re:How/Why does this keep happening

[Audacious]

There were, in some older file formats, methods for running programs so that images could be overlaid with other images (as in schematics). If I remember correctly AutoCAD and some of the other CAD type files used to use this to link various files in to a give file (like layers on diagrams). Some file formats (one of the GE file formats - can't remember the name right now) actually had such things as the capability to send e-mail built in to the specs. Many of these "gotcha" things have been removed from

Bleeding snort rules here:

[Saint Aardvark]

http://www.bleedingsnort.com/cgi-bin/viewcvs.cgi/s igs/CURRENT_EVENTS/CURRENT_WMF_Exploit [bleedingsnort.com]

Genius Idiots.

[mumblestheclown]

The people who took advantage of this loophole did so with a clear economic motive. This is because the loophole is used basically to a) install spysherriff, a bogus anti-spyware program and try to get the user to pay for it with a credit card b) install surfsidekick and other idiot spyware programs c) install a spam sender, in order to make a few more billionths of a cent.

In other words, whatever asshat took advantage of this loophole did so because he thought he could make a buck. If his goal was simply to bring Windows to its knees, cause havoc, or make a political/economic statement of some sort, he would have chosen something else. Wiping out My Documents of all the infected machines, for example.

Whoever did this is obviously deluded. While some money will of course ultimately flow from this nonsense to the "see no evil" people who are the beneficiaries of spamvertisements, spyvertisements and so forth, the actual exploiter basically has little to know chance of getting it (even if he is in Russia, as I'd suspect is a good bet) as his affiliate commission links will be tracked, as will wherever the hell that credit card box for SpySherriff was pointing to and so forth.

So we have somebody smart enough (and make no mistake, it takes some smarts) to either discover or be in a small clique of people discovering a quite obscure loophole (it must be obscure, given just how old the affected .dll is), but have ABSOLUTELY NO FUCKING CLUE how to go about exploiting it other than in the most juvenile and unlikely way to fail imaginable. Furthermore, even though it is likely to fail, the guy has shown himself to basically be a psychopath, with little to no concern about the hundreds of thousands of hours (read: PEOPLE-LIFE-EQUIVALENTS) that will be spent agonizing over and fixing this.

Whoever that person is, they are human filth. But, there's a lot of human filth out there. The sad thing is that this person obviously has potential to do so much more but simply pisses it away intead. Pathetic.

Smitfraud-C

[HermanAB]

Isn't this just another incarnation of the Smitfraud extortion by the nice New Zealand company SpyAxe?

The tool to remove that crapware is called smitrem, available here: http://noahdfear.geekstogo.com/ [geekstogo.com]

Watch out for Google Desktop

[Repton]

From F-secure's blog [f-secure.com]:

Do note that it's really easy to get burned by this exploit if you're analysing it under Windows. All you need to do is to access an infected web site with IE or view a folder with infected files with the Windows Explorer.

You can get burned even while working in a DOS box! This happened on one of our test machines where we simply used the WGET command-line tool to download a malicious WMF file. That's it, it was enough to download the file. So how on earth did it have a chance to execute?

The test machine had Google Desktop installed. It seems that Google Desktop creates an index of the metadata of all images too, and it issues an API call to the vulnerable Windows component SHIMGVW.DLL to extract this info. This is enough to invoke the exploit and infect the machine. This all happens in realtime as Google Desktop contains a file system filter and will index new files in realtime.

steps ahead (again)

[fihzy]

Once again, as noted previously here [slashdot.org] and here [slashdot.org]:

10) find big remote vulnerability in product
20) perfect the exploit
30) have fun with it for months
40) find another big hole in same product
50) perfect exploit for hole
60) alert vendor about original hole
70) have fun with new hole
80) goto 40

Already being used by scumware sites?

[allankim]

Coincidentally I was browsing an ad-heavy lyrics site in another tab (Firefox, of course) and was prompted for an action to handle "track5.wmf" ... Geez, they don't waste any time, do they?

Additional Resources

[Heembo]

Internet Storm Center Coverage - Alert moved to yellow as of this morning. http://isc.sans.org/diary.php?rss&storyid=975 [sans.org]
Also, take a look at this movie from websense: http://www.websensesecuritylabs.com/images/alerts/ wmf-movie.wmv [websensesecuritylabs.com] it shows step-by-step what happens to a clean machine as it gets exploited by this new menace.

Nasty!

[sdh968251]

This thing is nasty! I was browsing the internet this afternoon and got it. I have a fully patched copy of Windows XP SP2 with Symantec Antivirus Corporate 9.0. Neither stopped it. I spent about 6 hours running virus scans, Ad-Aware, and Spy-Bot in safe mode. This didn't even come close to detecting everything. I had to manually remove files based on searches by creation date. Interestingly, none of the three tools picked up any of the DLLs mentioned in the next paragraph.

I traced it to an ad within an ad within an ad that sources a WMF file in an iframe. If you want to see this thing in action then use VMWare to load the following link: h**p://iframeurl.biz/dl/xpladv470.wmf. After all is said and done, you'll have trojan.byteverify, trojan.dropper, trojan.bookmarker, download.trojan, w32.conycspa.G@mm, backdoor.shellbot, backdoor.trojan, w32.looksky.A@mm, among others. I also had some new DLLs that were particularly hard to get rid of - msupdate32.dll, msctl32.dll, uytpu.dll, qrlmq.dll - all in the system32 directory.

This has actually never happened to me. I am religious about keeping Windows and my antivirus software up-to-date. It was a good learning experience to see it all in action.

And, by the way, I was not browsing for porn. I was doing a google search for a old Macintosh program named Cache Killer. One of the links listed was "Download Cache Killer Pro v5.0 crack / keygen / serial / patch ...". I clicked on this and ... WHAM! Here's the Google search - http://www.google.com/search?q=cache+killer&hl=en& lr=&start=0&sa=N [google.com]. It's the last link on the page - h**p://www.crackz.ws/down/25335/Cache.Killer.Pro.v 5.0_crack_serial_keygen.html. This is the page that contains the ad within an ad within an ad. Beware!!!

Re:Nasty!

[toddestan]

Out of curiousity, were you browsing in Internet Explorer or some other browser? I'm half tempted to click on those links in Opera to see what happens, but I don't particularly feel like rebuilding my Windows install at the moment.

Re:Nasty!

[J. Random Luser]

Good news: Google seem to have pulled that link, but
Bad news: the file offered for download is dsi_ckp5.exe which is not likely to run on your Mac.

The site is infested with the usual warez crop of pr0n & gambling camp followers. I went there using Safari on a Mac, and collected a cookie from fuck-access.com, and exhibitionist.ws, which will both be valid for 15 years ;-) I had my access counted by ads.clicksor.com, banner.paypopup.com, counter.yadro.ru, gfx.passwordbyphone.com, popunder.paypopup.com,

The file extension is not critical

[whitehatlurker]

I want to point out that the file extension is not used exclusively for file type detection, and the magic string at the beginning of the file will trigger the use of the WMF processing. A ".tiff" extension will also work in a similar manner. (Likely there are several good candidates.)

A few people on this thread don't seem to be familiar with the WMF format [wikipedia.org] or GDI [wikipedia.org]. This format provides for a set of commands which are supposed to be graphics only. (I guess they got carried away in this case.) As the viewer is basically a scripting engine, the exploiters would certainly try to target it for vulnerabilities. I don't have a copy of the dangerous file, so I don't know whether this particular exploit is a buffer overflow or something else.

this may sound bad but

[Revek]

Hell bring it on. I opened my own shop about 4 months ago and can clean most anything off a machine. Its 95% of my buisness so far and im tired of being poor. This week alone Ive cleaned 8 xp home boxes all still sp1 with no antispy or antivirus still running. Only one of the machines needed parts. It had a winlogon popup running that killed windows update and automatic update (senslogn key was missing). I think the real proplem with the current state of affairs is not that the exploits are produced and released but that microsoft builds to fast and to often. They need to can vista and put more R&D into fast fixes. If they want discreet disclosure of exploits they should offer $$ for it. Just tell them and get a check :)..... nah never happen they will just build the new big security hole called a OS.

wmf?

[digitaldc]

I hear Windows Vista is going to fix all of these previously unknown problems...stay tuned for the exciting conclusion in 2006.

Interpretation vortex

[Pete]

From the summary: "...and exploit code is now running lose..."

For a second - just for a second - I thought this might be an extremely clever play on words, making fun both of Windows ("Win") by referring to it as "Lose" (as the exploit code would be running on Windows and controlling it, so you could (in a slightly ungrammatical way, but whatever) say the code is running Win, or indeed Lose) and combining this with a witty rejoinder at all the individuals who write "lose" instead of "loose" (and vice vers

Does it affect LUAs?

[QCompson]

Anyone know if you can get hit with this if you are running a limited user account?

AH, I miss the 90's

[SmallFurryCreature]

Those wild days when the sky was the limit and the internet was called the information superhighway and you could run an succesfull company with half the workers playing on the consoles drinking beer.

Oh and those wonderfull windows exploits, works, spyware, wild tangent, trojan horses, worms and blue screens. And then, linux. What I never thought I could afford happened. I had a unix at home. It looked just like the real thing. Root easily accesible from your user account to make it workable to split your accounts. Didn't you hate it when in windows if you wanted to install any software no matter how trivial you had to logout and login as admin to do it and the only way to get some work done was to always get admin privileges on every machine?

Nowadays when someone gives me the root password on a unix like machine I always demand a pay raise. It probably means they expect me to fix it in the weekend.

Thank you MS for making me stick with linux. The energy bill had me y contemplating scrapping my dual P3 linux desktop and only keep my P4 gaming rig. Windows 2003 is actually pretty stable, now all they got to do is clear the goddamn fucking security holes.

Geez, just a few articles ago people were actually talking about how MS was changing and bam we get the mother of all exploits. The only thing worse would be a worm. This is so easily exploitable. Just make an account on forum that allows those awfull avatar images and bam.

I can't believe the slashdot reader reaction either, first bunch of posts are some insane ramblings about hackers/crackers and the rest have some insane fix that even the most moronic idiot can see is a total failure.

Yes fucktards who suggest that whole unregister crap, because of the way MS has setup its OS many a windows program comes with its own copy of the dll it uses EVEN if it is a copy of a Windows OS dll. To avoid versioning problems it is easier to include it then hope the user OS has the right version.

Do a dupe check your dll's in the main windows directories and where you install your programs some times. What do you think the chances are they will all be patched? It is a well known problem and in fact one of the reasons the whole dynamic linking idea was so attractive.

Windows Major Foul-Up

[spellraiser]

Larry Seltzer has a concise column [eweek.com] about this exploit, where he doesn't exactly pull the punches on Microsoft. The most interesting piece of information there is this:

The problem with the WMF (Windows Metafile) file format turns out to be one of those careless things Microsoft did years ago with little or no consideration for the security consequences.

Almost all exploits you read about are buffer overflows of some kind, but not this one. WMF files are allowed to register a callback function, meaning that they are allowed to execute code, and this is what is being exploited in the WMF bug.

I find this mind-boggling to the point of absurdity. Regardless of any supposed benefit gained by this, allowing a data file to execute arbitrary code upon it being viewed is simply begging for an exploit like this. No matter whan spin Microsoft will try to put on this one, it makes them look bad. Extremely bad.

Re:They call hackers researchers now?

[dorkygeek]

They're not hackers, they are crackers. Or intruders. Or black hats. Or fucking idiots. But not hackers. Linus Torvalds is a hacker. Alan Cox is one, and RMS definitely. Maybe even ESR.

Thank you.

Re:They call hackers researchers now?

[slavemowgli]

ESR is not a hacker... he's a nut. :)

Re:They call hackers researchers now?

[Ohreally_factor]

So, if you root his box, that makes you a nut cracker? Sweet!

Re:They call hackers researchers now?

[GaryPatterson]

You're fighting a lost battle there. The common understanding of the word 'hacker' now implies criminal behaviour.

The whole 'white hat' and 'black hat' thing never made it to the media, so all hackers are 'black hats' now.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:They call hackers researchers now?

[Scarblac]

You're fighting a lost battle there. The common understanding of the word 'hacker' now implies criminal behaviour.

The whole 'white hat' and 'black hat' thing never made it to the media, so all hackers are 'black hats' now.

He's not even fighting that battle, he's fighting the one before that. What he calls a "hacker" is not what you call a "white hat hacker". A hacker is an exceptionally gifted programmer, the term has nothing to do with security. People trying to break into computers are crackers, regardless of their intentions. So-called "white hats" are crackers.

That said, yeah, that battle is rather lost...

Re:They call hackers researchers now?

[Anonymous Coward]

They can be called "hackers" all right. While I know that you and a handful of other language fascists would like to change how the rest of the world uses their language, it's a fact that "hacker" now means (in addition to the definition you want it to have -- there's nothing wrong about a word having several meanings which become apparent upon reflecting on the context in which they are used) what you mean by "cracker". What they can't be called is "researchers". Publishing a vulnerability can be considere

Re:They call hackers researchers now?

[ninja_assault_kitten]

The exploit was published by HD Moore after reverse engineering some malware. HD Moore is absolutely a very prominent researcher and hacker. Secondly the person(s) who discovered the vulnerabilty and wrote the initial malware to exploit it are also hackers. Even by the historical definition. Intent has no bearing on the term. Skill does. And you can't tell me discoverying a 0day affecting any MS platform doesn't require skill. There are tens of thousands of researchers out there right now who can't.

Re:They call hackers researchers now?

[hugzz]

They're not hackers, they are crackers. Or intruders. Or black hats. Or fucking idiots. But not hackers. Linus Torvalds is a hacker. Alan Cox is one, and RMS definitely. Maybe even ESR.

Crackers are hackers*. You cant crack someone's system without being very skilled in toying with technology (ie a hacker).

However, hackers aren't nessearily (or usually) crackers.

*This excludes script kiddies et al, since they dont crack someone's system really. they just run someone elses' crack

Re:They call hackers researchers now?

[lawpoop]

I knew a very smart and experienced admin from Slovenia. He was trying to tell me about script-kiddies. He asked me what the word was for "the froth of piss". I told him we didn't have such a word in English. Well, that was his ideas of script kiddies.

SO, to re-cap:

• Crackers are hackers
• hackers aren't nessearily (or usually) crackers.
• Script-kiddies are the froth of piss.

Re:They call hackers researchers now?

[Ignominious Cow Herd]

The last scene was interesting from the point of view of a professional logician, because it contained a number of logical fallacies, that is invalid propositional constructions and syllogistic forms, of the type so often committed by my wife.

"All wood burns", states Sir Bedivere. Therefore he concludes, "all that burns is wood". This is, of course, pure bullshit.

Universal affirmatives can only be partially converted; all of Al McCogan is dead, but only some of the class of dead people are Al McCogan. Obvious, one would think.

However, my wife does not understand this necessary limitation of conversion of a proposition, so consequently she does not understand me. For how can a woman expect to appreciate a professor of logic if the simplest cloth-eared syllogism causes her to flounder.

For example, given the premise all fish live underwater and all mackerel are fish, my wife will conclude not that all mackerel live underwater, but that if she buys kippers it will not rain, or that trout live in trees or even that I do not love her any more.

This she calls "using her intuition". I call it "crap" and it gets me very irritated because it is not logical.

"There will be no supper tonight!", she will sometimes cry, upon my return home. "Why not?", I will ask ask; "Because I have been screwing the milkman all day!", she will say, quite oblivious of the howling error she has made.

"But", I will wearily point out, "even given that the activities of screwing the milkman and getting supper are mutually exclusive, now that the screwing is over, surely then, supper may now logically be got."

"You do not love me anymore!" she will now often postulate. "If you did you would give me one now and again, so I would not have to rely on that rancid Pakistani for my orgasms."

"I will give you one", I now scream, "after you have gotten my supper, not before." as you see, making her bang contingent on the arrival of my supper.

"Good, you turn me on when you're angry you ancient brute", forcing her sweetly throbbing tongue down my throat.

"Fuck supper!" I now invariably conclude, throwing logic somewhat joyously to the four winds. And so we thrash about on our milk-stained floor, until we sink back exhausted onto the cartons of yougurt. ...I seem to have strayed somewhat from my original brief. But in a nutshell, sex is more fun than logic. One cannot prove this. But it is in the same sense that Mt. Everest is or that Al McCogan isn't.

Good night.

(from the Soundtrack, of the Trailer, of the Film, of Monty Python and the Holy Grail)

Re:They call hackers researchers now?

[Anonymous Coward]

They're not hackers, they are crackers.

UUuummm no. Ever since the 1980's underground scene the word cracker has refered to a person who breaks the protection on copywritten software. It was that way for years until that ruddy faced blowhard "ESR" decided to start using the term "cracker" as a synonym for "computer criminal."

Talk about hypocrisy. ESR gets all pissed about the media misusing the word hacker so he turns around and starts misusing the word cracker. And because of his position as editor of "The Jargon File" he has influenced the web culture (newbies at least) that the word cracker is synonymous with cybercriminal even though anyone who was in the pirate scene back in the eighties can tell you that a cracker was by the following DEFINITION:

"Software cracking is the modification of software to remove encoded copy prevention. Distribution of cracked software (warez) is generally an illegal (or more recently, criminal) act of copyright infringement. Software cracking is most often done by software reverse engineering."

Re:They call hackers researchers now?

[dorkygeek]

Yes, I remember these days. But what do you want to prove with that argument? I said that the term cracker should be used because it already had a malevolent connotation, instead of hacker.

So, yes, let's come up with some third term! But remember, it must sound cool, otherwise the media is not going to adopt it. Although I feel that this is already in the making. I guess that in some years, everybody who would have been called a hacker by today's media is going to be called cyber terrorist by then. Just im

Re:They call hackers researchers now?

[Ucklak]

Bill Gates is a hacker too.
He dropped out of college and programmed what he did with no training (before he started to buy programmers).
A hacker is an untrained person that has professional skills that profess in a certain area that should have taken them years, education, and experience to receive. They could also be enthusiastic about a diversion (music, sports, computing).

It could be music, sports, computers, driving, etc...

There are plenty of sport hacks and musician hacks. You hear it alot in music es

Re:They call hackers researchers now?

[dorkygeek]

Bill Gates is a hacker too. [...] A hacker is an untrained person that has professional skills that profess in a certain area that should have taken them years, education, and experience to receive.

No, Bill Gates is not a hacker, and has never been one, because the definition of hacker is not having professional skills although somebody is untrained, it means having exceptional skills, no matter whether trained or not!

It's kind of sad how the computer revolution has turned this word into implying someth

Re:They call hackers researchers now?

[hkb]

No, they're hackers, too. See also DefCon, 2600, Phrack, and history itself. Only Slashdotians/ESR fanboys use the term "cracker" to describe a type of "hacker".

Don't be an idiot and "correct" someone when you're wrong.

Re:They call hackers researchers now?

[dorkygeek]

No, they're not. They are malevolent fuckfaces.

Security experts instead might very well be hackers, because they are skilled. But security experts are not malevolent! Crackers who break into other's systems to enrich themself or simply to cause other people damage are idiots, and shall not be called hackers (which are benevolent people!). Period.

Re:They call hackers researchers now?

[dorkygeek]

the general population is quite capable of overloading word definitions and parsing the precise meaning from the context

No, it is not. What do you think would happen if I said in public I'd be a hacker. What do you think would my mother think about me then? OMG, my son's a criminal. No, I'm not!

Re:They call hackers researchers now?

[dorkygeek]

You are redefining hackers, just like those clueless (and hopeless) people who called all the attackers hackers.

Ok, then thell me where exactly I redefine hackers?? When the term hacker was first used, it did not have the connotation of being malevolent, trying to harm other people. It was used for individuals who were extremely skilled in some area, or came up with ideas others weren't thinking about.

It was only later when the media started to pay attention to computer related threats. Assholes as thes

Re:They call hackers researchers now?

[dorkygeek]

Yeah, and the businesses generate half of their income by using overloaded terms to describe the properties of their products, knowing exactly that Joe Average does not know that the term they've used also means other things than the one they think it means.

That's why I am against overloading terms with meanings which are quite opposite to each other.

Re:They call hackers researchers now?

[dorkygeek]

Wow, have you ever looked up the meanings of the verb to hack? It doesn't mean what you think it means. "To hack into a system" is a sentence derived from the term "hacker". It's not god given, nor does it bear much resemblance to the original meanings of the verb "to hack". Let's have a look at M-W's entry:

• a : to cut or sever with repeated irregular or unskillful blows
  b : to cut or shape by or as if by crude or ruthless strokes
  c : ANNOY, VEX -- often used with off
• to clear or make by or as if by cutti

Re:They call hackers researchers now?

[DavidTC]

No.

You crack things by breaking them, or part of them. This can be copy protection or security software or DRM. You can even crack into hardware you aren't supposed to be able to open. The metaphor is 'cracking them open' like a coconut.

You hack something by modifying it in a clever way, or using it in a clever way without modifications. The metaphor of 'carving with axes' doesn't really work here.

A hack can be a crack, and crack can be a hack. Witness the X-Box ones that let you run unsigned programs vi

Re:Virus company

[BushCheney08]

From what I read about this earlier (sorry, don't have the link), this exploit was already in the wild and was being used before any of the security companies learned of it. So no, the AV companies did not "let this one loose".

Microsoft Corporation

[Penguinoflight]

... let this one loose. It is a problem with windows, and it was disclosed by a responsible hacker. If you want to protect the general population still using MS software, this is the only option. Microsoft isn't about to make a secure platform on their own, so until the next big mistake hits the news they wont do anything about it.

If anything, we need earlier reporting so the public can realize just how little microsoft cares about security.

Re:Not Previously Unknown

[ninja_assault_kitten]

Actually that's not true at all. This vulnerability was discovered by some analysis HD Moore performed on a spyware infection which broke through a completely patched XP SP2 system a couple days ago. It was reverse engineered and made into a Metasploit plugin. Get your facts straight.

Re:Not Previously Unknown

[Martin Blank]

It's completely new. The WMF patch released before does not protect against this exploit.

http://www.securityfocus.com/bid/16074 [securityfocus.com]

Re:Not Previously Unknown

[Anonymous Coward]

MS has released a patch for it...

so that explains why fully patched systems are still vulnerable, yes?

I guess you are really not doing your research. Read the Sunbelt article:
http://sunbeltblog.blogspot.com/2005/12/new-exploi t-blows-by-fully-patched.html [blogspot.com]

particular where it says: "We saw a new nasty exploit yesterday around 5:00 PM. This is a totally new exploit and is not the same one posted by FrSIRT back on 11/30/05."

The previous one they referred to is here:
http://www.frsirt.com/exploits/20051130.MS05-053.c .php [frsirt.com]

Microsoft Windows Metafile (WMF) "mtNoObjects" Header Remote Exploit (MS05-053)
Date : 30/11/2005

Advisory ID : FrSIRT/ADV-2005-2348
Rated as : Critical
Note : Proof of concept exploit (DoS) /*
* Author: Winny Thomas
* Pune, INDIA
*
* The crafted metafile (WMF) from this code when viewed in explorer crashes it.
* The issue is seen when the field 'mtNoObjects' in the Metafile header is set to 0x0000.
* The code was tested on Windows 2000 server SP4. The issue does not occur with the
* hotfix for GDI (MS05-053) installed.

This is the one that has been patched by Microsoft.

I guess you thought it's just not possible for there to be more than one hole per rendering engine, right?

Re:Amazing

[k00110]

Because we never know what else can be installed and I lost all trust in Security companies since the Sony Root Kit. Removing it my-self implies searching infos over the internet and it's not a good idea to browse the web when your computer is compromised. I had nothing important installed so it did'nt matter. I had a new OS installed in a few minutes after that with ZoneAlarm and AVG(both free) and all the latest patches. I also just did the "REGSVR32 /U SHIMGVW.DLL" to not be infected again.

Re:so what else is new?

[jp10558]

Also watch out for Google desktop search, as that caused a downloaded file to be run and exploited the machine.

Kye-U also has released a filter for proxomitron that will block wmf file downloads:

[HTTP headers]
In = FALSE
Out = TRUE
Key = "URL-Killer: Kill WMF Connection [Kye-U] (Out)"
URL = "(^*=(^http://./ [.]^([a-z]+{2,4})(^/))))*.wmf(*)\1$TS T(\1=(^/))"
Match = "*&($CONFIRM(.WMF FILE EXTENSION FOUND\n\nAllow connection to the URL below?\n\n\u\n\1)|$SET(1=URL with .WMF Extension Killed\k))"
Replace = "\1"

[Patte

Re:so what else is new?

[grcumb]

""Kye-U also has released a filter for proxomitron that will block wmf file downloads[....]"

Careful, The folks at the Internet Storm Center [sans.org] are warning that Windows often ignores the file extension and reads the 'magic bits' at the beginning of the file to decide how to process it. This means that someone could rename a .wmf to .jpg, for example, in order to get it past that filter.

The best workaround currently available is to un-register the shimgvw.dll as suggested above.

Re:so what else is new?

[Ohreally_factor]

Hey, I typed "regsvr32 /u shimgvw.dll" in the terminal, and I got "tcsh: regsvr32: Command not found." Does this mean I was racked or hooted?

Re:so what else is new?

[tonyr60]

Neither. You are just one of the .00001% of /. posters that don't run Windows.

Re:Other platforms?

[ninja_assault_kitten]

No, it's a buffer overload in Windows Picture and Fax Viewer.

No kernel problem, but Winows only

[Sycraft-fu]

It's a Windows only format, or at least seems to be. I don't find any references of ports to other platforms. It's an old format for doing vector graphics in Windows 3.1.

Re:No kernel problem, but Winows only

[AEton]

It may be unfashionable, but I still rely on a clip art CD set that comes in WMF.

(Illustrator CS2 on OS X opens the things just fine.)

Re:No kernel problem, but Winows only

[Ucklak]

I know plenty of designers that still use Corels vector art from Corel 4.

Re:No kernel problem, but Winows only

[whitehatlurker]

There is an OpenSource [sourceforge.net] project which uses WMF. WMF is still the default format for a lot of graphics transfer under Windows.

I don't think libwmf is vulnerable though.

About the WMF format

[Nurgled]

The WMF format is simply a stream of GDI commands. GDI (Graphics Device Interface) is the Windows API and abstraction layer for graphics, allowing the same set of drawing functions to be targetted at a variety of different "device contexts" such as printers and the screen.

A WMF file is (traditionally) created by obtaining a device context on a file and drawing to it using the GDI API functions, which "records" the sequence of commands to disk ready to be replayed later to recreate the image. These days, of

Re:Just checking...

[Anonymous Squonk]

If a 100 security flaws exist but are never found, does this still make the OS tight?

If even only one unpatched security flaw exists, an OS should never be called "pretty tight". This flaw has always been there, even if it has only been exploited just now...

Re:Just checking...

[NaruVonWilkins]

Give me a break. There are thousands of unpatched flaws in every OS on the market, they just haven't been found yet. So yes, if 100 security flaws exist but are never found, it does make the OS tight.

Re:Just checking...

[Lehk228]

no, 5 years to stop the flood of wormable remote exploits isn't "pretty tight"

Re:I'd feign surprise if I felt it was worth it...

[mumblestheclown]

Your argument basically is that:

• computer systems should not be released until they pass some theoretical threshold of security
• and if the above is not done, then the authors of said systems shall be held (financially? criminally?) liable.

In other words, you have just basically killed off free (both as in beer and as in speech) software as we know it.

Not to mention about the fact that we're talking about an exploit in an older DLL that has gone unnoticed for years. Exactly how many years until your theoretical notion of "reasonably" safe is met? If you dont think (OS of your choice) has similar weaknesses, you are deluding yourself. And so what if it 'affects only one user, not the whole system?' To that user, that IS his world.

Re:I'd feign surprise if I felt it was worth it...

[grcumb]

"Your argument basically is that:"

• computer systems should not be released until they pass some theoretical threshold of security

Sounds reasonable, except that the threshold should be measurable. This is relatively easily achieved, even in very complex applications, if responsible coding practices and code management are used. I refuse to work for companies that do less than that, and avoid recommending any software that wasn't developed using that method. Which, of course, is why I've only suppor

Re:But ...

[HermanAB]

No, you just have to visit a porn site with Internet Exploder to get automatically infected by this worm. It doesn't require any user action, apart from clicking links in normal browsing.

If you are using Firefox, then what you say is true, since FF requires the user to confirm that he really wants to run the malicious program, so the user actually has to click a confirmation button. The infection is not automatic on FF.

Re:Say it isn't so!!

[raistphrk]

Say it isn't so!! (Score:1, Redundant) by Foofoobar (318279) Alter Relationship on Wednesday December 28, @07:56PM (#14355427) Windows Exploit? Isn't that redundant?

Wow...sometimes, Slashdot ratings really DO match the content in posts!

Re:Why does /. report so much on Windows flaws?

[The Ape With No Name]

Please indicate a recent worm on an FOSS operating system.

Re:Why does /. report so much on Windows flaws?

[HermanAB]

Well actually, there are many times more Linux machines in the world than Windows machines. Windows only dominates the desktops. Linux dominates servers, routers, cell phones and so on. Last I saw, IBM Marketing estimated that there are more than 2 billion Linux systems in the world (mostly cell phones).

Hmm

[Azureflare]

I would say about 80% of the comments on this site tend to be pretty evenhanded in their treatment of windows security. If you actually read comments on stories about windows flaws, you would see that the people that get modded up are those that say "really, this isn't that serious, this is just Anti-MS stuff." You don't see people saying "OSS RULES MS SUCKS" getting modded up. Sure, people making jokes get +5 funny, but so do the people making jokes on the firefox articles about firefox vulnerabilities.

Re:PATCH!!

[Anonymous Coward]

Umm, numbnutz, there is no patch there. Just an advisory.

Hmmm, I think I remember them

[porkThreeWays]

Was Thor Larholm ever assosiated with this company? As my memory recalls, he had an extensive list of his own, and I'm thinking maybe they are on in the same.

Re:WMF

[Lehk228]

old versions of powerpoint and publisher used it for clipart vector graphics