Trustworthy Computing 465
Anonymous Coward writes "This is a first: the Internet Storm Center is recommending trustworthy computing. They want you to trust that the unofficial patch for the Windows Metafile Vulnerability that is currently being exploited by an IM worm. No patch from Microsoft at this time, and the exploit is arranged in such a manner that it cannot be detected by most intrusion detection systems (the snort rule will peg the CPU on your router) nor filtered by packet-inspecting firewalls (it spans two or more ethernet frames). Not really a whole lot of choice about this one."
Some won't (Score:5, Insightful)
Is it just me (Score:3, Insightful)
Re:Is it just me (Score:4, Insightful)
Re:Is it just me (Score:3, Insightful)
What did they do wrong (Score:3, Insightful)
If you look at the patches released by others, they also say it might break applications, and you might have problems with it etc. I do not think MS has that option while creating a patch.
Microsoft accepted there was a flaw, posted information about it, tol
Re:What did they do wrong (Score:3, Interesting)
-M
You're right (Score:2)
Re:Is it just me (Score:4, Interesting)
Re:Is it just me (Score:3, Insightful)
It all comes down to the question: Who do you trust? A company like Microsoft that has made billions of dollars with sometimes shady and even outright illegal business practices, or a bunch of diehard security enthusiasts who just hate to see their (and other people's) computers hacked?
No matter how you a
Re:Some won't (Score:2)
Yes, definitely if this was an open source system.
It can be discussed whether it's sad or smart to wait for someone with insight in the closed code to fix it.
If I had an exploitable machine around, I would trust their patch.
I may just have chosen to suffer from using a slightly crippled OS (i.e. no workie Fax & Picture Viewer, etc) by unregistering the DLL until it's fixed.
Re:Some won't (Score:4, Informative)
I'm a trusting person, and if ISC and F-Secure's lab both recommend it, I don't mind applying it; I'd trust their code more than MS's.
It's not a DLL - it's Windows, and it's a feature (Score:5, Informative)
Windows Metafiles are a file representation of drawing commands. They are more flexible than bitmaps and get used quite a lot in things like caching images of every OLE object embedded inside an MS Word or PowerPoint document. There just happens to be one operation to set a callback when printing aborts which can be saved to a WMF file, which, when followed by something to abort the rendering, lets you jump to the nominated location.
This back door is built into Windows from version 3.0 onwards. Any app that displays WMF images from untrusted sources (Lotus Notes, maybe MS Word, even Google Desktop Search) is vulnerable. This is potentially Code Red for the desktop.
I have the patch on all my systems; the author works for IDA, the debugger tool, and is well respected. I don't care whether IT central will push it out or not; I think they ought to before the back-to-work/school event causes major worm attacks using it. It will be pretty embarrassing for Microsoft though - a third-party emergency fix for Windows, in the same year that Vista, "Windows Secured", is due to ship.
Re:It's not a DLL - it's Windows, and it's a feature (Score:4, Informative)
After banging around the SANS site for a good 15 minutes, I *finally* found WHERE YOU CAN DOWNLOAD THE PATCH from:
http://isc.sans.org/diary.php?storyid=999 [sans.org]
http://isc.sans.org/diary.php?storyid=1004 [sans.org]
Re:Some won't (Score:4, Informative)
What is more, re-registering the DLL by some bit of software is a possibility, but for this to happen without action from the user, there needs to be another vulnerability that allows running the code to do this (or another way to access this specific vulnerability). If there is another vulnerability then the hotfix won't make you safe. The hotfix does work and provides some extra protection, but only for the cases where this specific vulnerability can be exploited through a different path (that does not use shimgvw.dll).
Deploying to many machines is hard (Score:5, Informative)
But I won't say that.
First of all deploying any software on a large network is a serious task. It should be carefully planned and performed with the correct (read: responsible) approach.
The hotfix must be tested on as many machines as possible. Possible negative consequences must be determined, and a decision made on whether they are acceptable or not.
In short, more rigorous testing is required.
-------
Ilfak Guilfanov, the author of the hotfix
Re:Deploying to many machines is hard (Score:5, Insightful)
Re:Some won't (Score:3, Informative)
As for me, I test all patches - the ones from MS too - before deployment. I don't blame Microsoft, I take responsibility for what I do.
Re:Pushing the patch via Zenworks/SMS/Tivoli??? (Score:5, Informative)
wmffix_hexblog13.exe
These switches do not suppress dialog boxes about installation errors.
The
[from http://www.hexblog.com/2005/12/wmf_vuln.html [hexblog.com] ]
There's a MSI version in the works as well.
Over/Under (Score:4, Insightful)
If there is a time to deviate from their monthly patch cycle, this is it. The patch should have been out days ago, yet we are still waiting.
And Microsoft wonders why no one takes their security promises seriously.
Re:Over/Under (Score:5, Interesting)
Changing code that's this deeply buried in Windows is risky. The interpreter for WMF is one of the remnants of code left over from single-user computers, and they'll have to test changes very thoroughly. They're GOING to break things with this patch, because they're removing a designed-in feature. They're probably working feverishly to figure out how to minimize the damage, but some damage is inevitable. And the problem could be far worse than it appears; that DLL could be riddled with problems. It may not have been audited in many years.
This is yet another example of how you can't retrofit security; the first Windows versions were designed when security wasn't even an issue, when the Internet was barely a twinkle in Al Gore's eye. There's a mountain of code that was written just to work, not to worry about being handed malicious data. If a user passed bad values to a system call and it crashed, oh well. It was their fault for doing it. It's not like they had anything to gain from it, after all. They owned the computer. Why on earth would the computer need to protect itself from its owner?
With the advent of the Net, Microsoft decided to both stay backward-compatible and extend what they had onto the Internet. And their focus for many years was on new features, not security. Essentially every security person at the time warned them -- stridently -- against the choices they were making. It was obviously going to be a trainwreck. This is just the latest in that ongoing collision between a single-user operating system and exposure to every computer in the world.
This particular exploit is BY FAR the worst one yet...even very competent administrators, doing everything exactly as they should, can get nailed by this one. As bad as this is, though, it's not like they're going to stop here.
Trying to retrofit security onto the Win3.1/Win95 model is like trying to use scotch tape to make cheesecloth waterproof. No matter how much tape you use, even if it's a lot more tape than cloth, it will ALWAYS leak. It might hold water for a bit, but leaks will constantly spring up. They've added tremendous functionality in the NT/2k/XP kernels which can limit what users can do and limit the possible scope of compromises, but many many programs (especially games) require administrator privs just to run. So most people run as Administrator even though they shouldn't. And that makes hacks like this one very easy and *extremely* damaging.
Hopefully Microsoft will get a patch out fast.... they certainly must understand how overwhelmingly bad this problem is. The fact that they're reacting slowly is likely an indication that it's hard to fix.
Re:Over/Under (Score:3, Informative)
This could have been a 0-day fix, quite honestly.
can't remove the callback feature (Score:5, Informative)
Guess what else uses this.
There are in-memory and on-disk WMF files. Some are used by apps for repainting the screen. Some are used by apps for printing; Windows printing is based on the WMF. You want error handling with printing, right?
Now, I'm not saying how to fix this unless Microsoft shares some cold hard cash with me, but there are reasonable solutions. It's just not as simple as patching out the feature.
Re:can't remove the callback feature (Score:4, Insightful)
CERT may think the function is obsolete, but that doesn't mean that apps no longer depend on it. Stuff breaks if you go ripping pieces out of an ABI. Somebody's critical business app might even depend on the function.
Re:Over/Under (Score:4, Interesting)
With stuff like this in their closet, one surely can understand at least to some extent why they advocate closed source. The feature in question is likely well documented, and thus reasonably "open", but the idea of what might happen if crackers get access to all the non-safe zombie code that dates from their pre-history truly must horrify them.
Re:Over/Under (Score:3, Insightful)
ANY DECENT AUDIT of such an "important" piece of code should have seen this with big flashing red signs. Registering a callback in a DATA DOCUMENT is patently stupid.
I agree with you that the real question is: who has known about this and for how long?
Because of how easy it is to get someone to view o
Re:Over/Under (Score:3, Insightful)
No it's much worse. (Score:3, Informative)
Wiki (Score:4, Interesting)
Wikipedia tries to block stuff like this, but I don't think it is all that reliable. They just use the UNIX file command to see if a file matches the file extension.
WMF files start with 0x01 0x00, and are unrecognized by the file command.
JPEG starts with 0xff, so that won't do. Well, there are other formats to try.
Re:Over/Under (Score:3, Interesting)
That in a nutshell is the biggest problem with Windows. It is still suffering from its roots as a single user computer system in the world before networking. *NIX systems, such as Linux and OSX, are more secure mostly because they do not require administrator status to run application programs. MS will have to FORCE developers to change this by making two users on every system -- one the admin and another the use
Re:Over/Under (Score:3, Informative)
This is yet another example of how you can't retrofit security; the first Windows versions were designed when security wasn't even an issue, when the Internet was barely a twinkle in Al Gore's eye.
Uh, no. The internet was already alive and well and quite mainstream in academe in the early 80s, when Microsoft was still thrashing around with early versions of MS-DOS, and networked PCs were well-known by the late 80s. Even before that almost every PC came with a modem.
So, no, sorry, Microsof
Re:Over/Under (Score:3, Insightful)
Modems existed, sure, but a FAST modem at the time was 19200 baud.
Re:Over/Under (Score:5, Informative)
As to your contention that Microsoft gets a pass because nobody thought of security back "then", I'll take "then" to be the 10 years immediately prior to the release of Windows 3.0. Multi-user PCs were a well-known concept to every student who's done work in the general-population 'computer lab'. Remember Banyan, Appletalk, Netware (you mentioned it)? They may not have been Microsoft products, but they were ubiquitous. Unix workstations (Apollo, Sun, Microvax, etc.) were in very common use among engineers and product designers, and they all were networked. (Of course, most unixes and VMS versions were very hackable, but that was part of the fun.)
What's more, there were thousands of anti-malware software products for MS-DOS, some samples here. [llnl.gov] The virus vector was BBS downloads and floppy disks rather than open port attacks or browser overruns, but the concept of attacking PCs was already well known. So, no, Microsoft does not "get a pass" for a security problem that nobody could have predicted (sarcasm). They made conscious choices to de-emphasize and ignore security in order to maintain market share at all costs. The economics proved them correct, so far, but they still should carry the blame for those choices.
Re:Over/Under (Score:3, Insightful)
Just to make my points more briefly, by MS-Dos 3.0 it was well known that one needed a virus scanner/disk cleaner. And the internet worm of 1988 was devastating [std.com]. I still assert that by the end of the 80s O/S vendors had no excuse for ignoring security concerns. Unixes slowly got better (took Sun until about 1995 to clean up the easy SunOS hacks), but the Microsoft platforms didn't. VMS could be locked down, though oft
Re:Over/Under (Score:3, Insightful)
It is new, it is called DRM.
Re:Holidays! (Score:4, Interesting)
And so do those who work as network administrator etc..
I can tell you that many a company that takes internal security seriously has had people working on this over the last weekend to make sure they are as safe as can be when everyone starts working today.
MS could have had a few employees working on this during the holidays, got it properly fixed, and had an update installed with Windows Update. As it is, they got a few thousand people working on implementing workarounds and unofficial fixes instead. Lots of extra work that has to be undone when the official fix is there.
Shame (Score:5, Funny)
Re:Shame (Score:2)
Re:Shame (Score:3, Funny)
Re:Shame (Score:3, Interesting)
That's an interesting question -- is wine vulnerable to this flaw? As I understand it, it is essentially a design fault in the way WMF files work (i.e., the entire process of using a WMF file was never designed to be secure in the first place, so it is able to do stuff like set up callbacks into the application's address space).
Sometimes I think they do it on purpose (Score:5, Insightful)
Trusted computing is a farce, because the one thing that *isn't* trusted, is the user.
Well the truth is.... (Score:5, Insightful)
Instead of having *some* machines patched, we'd have none. This late after the exploit has been released, and a zero-day attack has happened, we'd see no respite.
If you try to argue that Trustworthy computers wouldn't allow this to be exploited, what if the trustworthy component itself was exploited? As the Xbox and soon the Xbox 360 have shown, the more complex the hardware, the more complicated the bugs are. Microsoft's betting that the hardware complexity can outgrow the programmer's abilities to crack it, but if there's any truth in the world, it's that if it can be engineered, it can be destroyed. So imagine if this virus was actually signed by Microsoft through the exploit. How would this look for their company? How can you save face from a disaster like that?
No, trusted computers aren't the answer, just more secure computers, with better code. And the fact of the matter is, the more eyes that are on the code, the better it is, and that's why Open Source will always succeed. No amount of cryptography will help you if there's a hole in your crypto system.
Re:Well the truth is.... (Score:3, Insightful)
There's no "if" about it. The vulnerable component is a genuine Microsoft DLL, shipped as part of Windows, intended to render an official Windows file format. If you were running a "Trusted"(tm) PC, this DLL would 0WNZ0R you with no way out.
Re:Well the truth is.... (Score:5, Insightful)
You have it backwards. If you were running a DRM'd PC, this DLL would allow you to retake your own computer.
Remember, security flaws are only bad when security is protecting you. DRM protects Disney against you, so any hole in a DRM'd computer's security makes it more, not less, valuable to its owner.
Maybe, in ten years' time when only DRM'd computers are legal to buy, and any attempt to install anything but Windows Whatever on them is a crime punishable by death, we will yet end up praising Microsoft's total incompetence with anything resembling security.
Trustworthy Computing != Trusted Computing (Score:5, Informative)
"Trustworthy computing" is Microsoft's bullshit name for their so-called initiative to start taking security seriously. It was under this banner that Bill sent all his coders to secure coding seminars so they could learn what a buffer overflow is. The article is ironic in its title: that Microsoft have failed to find such a glaring issue as a native image format that purposely allows images to execute arbitrary code, and that they have not offered a patch even now when exploits have been in the wild for almost a week, shows how trustworthy they really are.
"Trusted computing", on the other hand, is the bullshit name for a nefarious scheme involving hardware and software whereby control over PCs should be taken out of the hands of their owners, and given to the software and hardware vendors. This is sometimes claimed to be about security, but is actually motivated by DRM and DRM only (the name is short for "Trusted Client Computing" and comes from the ability of DRM vendors to trust that your computer, the client, will obey their directions).
The people pushing "trusted computing" are actually not so much Microsoft as Intel and IBM: Microsoft completely support the concept of trying to put the freely programmable computer back in the bottle, but they have had their own ideas about implementation (their version was first called "Palladium", but when they realized that it is bad to have a recognizable name for something customers actually don't want it was renamed "Next Generation Secure Computing Base" and after that it was renamed to nothing at all so they can be snuck into the coming versions of Windows without people noticing.)
Your TPM software might refuse to run (Score:5, Insightful)
A much tougher case would be the "rely on others" programs where you have to prove to an external instance that your system has not been hacked. Take the "death to game cheaters" implementations as an example:
Want to fix your vulnerable Windows with a non-official patch?
World Of Warcraft II won't let you play anymore
I also don't believe this is temporary. Except in the sense that TPM might be (hopefully!) a colossal failure in the market. And considering the current vulnerability, this looks like more than a slight theoretical risk to me.
Re:Well the truth is.... (Score:5, Insightful)
So let's say I'm JoeISP. Hi JoeISP you might say, I'd laugh and go about my business. Some nasty cruel internet underdwellers would go about writing their programs as they do today, and start delivering their payloads to people over my network. I can't really stop them from doing this; there's simply too much data that goes through my network to look at every packet and assure that the content isn't executable or worse, a virus. I can take some countermeasures, but not too many. Nope, it's the end users who have to be trusted.
So over there is Miss Jane. She loves the internet, and her newly bought laptop from Dell with a pretty new TPM chip in it. She's a customer of JoeISP, and I love her for it: she pays me a pretty penny a month that she could be getting for free if her neighbor would share his wireless access point, but sadly for Jane, her computer doesn't detect that his WAP has a TPM chip, and her operating system says to her that even if the network weren't protected by WPA2, she still wouldn't be allowed to connect to it because it isn't a Trusted connection. She shrugs it off.
So, Jane goes about checking her email when she sees a really funny picture her aunt sent her. Oh boy that's funny she said, and she saves the picture on her desktop so she can look at it later, or maybe even send it to a friend! But what's this? Her computer suddenly locks up tighter than a steel drum and a little popup tells her that "Windows Trusted Computing has detected unauthorized code in memory, and will not allow it to be executed." But she wants to save the image! She dismisses the popup, and saves it again, same message.
She is disheartened and goes to Trusted Go^W Microsoft Search to find an answer. Turns out, lots of people have been having this same exact problem, and nobody knows why. Some guy with a pocket protector and glasses tell them to reboot their computers, go into their BIOS and turn off TPM protection, and she does.
Now when she gets back on the Internet (this of course, assuming that she can, more on this in a minute), she saves the picture and poof, she's now got the exploit running on her machine. Her virus protector (assuming she has one) goes haywire! Of course, Windows File Protection makes certain that she can't easily select the file and delete it; after all, it is a running executable now. (Or, even if WFP *did* allow it, most viruses these days are smart enough to break virus protectors in a way that they can't remove the virus on their own, even if their data files are up to date.)
She's smarter than your average bear, however, and is able to go to another computer and get back on the internet. She finds a patch for the bug, and a clean up tool that allows her to remove the code from the image. "Goodie" she thinks.
She goes back to the other machine, fixes the DLL, turns back on TPM, and goes to get on the internet.
My ISP (remember me, JoeISP?) instantly alerts an error. Someone has connected to our network with TPM on, but has modified their files! Our policy is not to let those people on our network at all, since that's what Microsoft told us to do. So we block her MAC and continue about our day. She calls in later, furious that she can't get the Internet to work in her house anymore. Any attempts to quell her ar
useless for game cheats and other purposes (Score:3, Interesting)
You seem to be ignoring - willfully or not - that the fundamental model of trusting MS is broken. Making that model more severe by forcing trust compounds the brokenness. It Has Been Shown that MS will be late with patches. It Has Been Shown that they are not proficient at security and will remain so until the market penalties are severe. What is t
SPI Aren't meant for this type of filtering... (Score:2, Interesting)
I imagine that I could push out the deregistering fix, and associating WMF with Notepad, but that seems a little extreme because our attack vector has become limited, and our anti-virus is now updated with the newest signatures that detect this exploit.
Re:SPI Aren't meant for this type of filtering... (Score:5, Informative)
* Should I just block all
This may help, but it is not sufficient. WMF files are recognized by a special header and the extension is not needed. The files could arrive using any extension, or embedded in Word or other documents.
Re:SPI Aren't meant for this type of filtering... (Score:2)
It goes without saying (Score:5, Interesting)
You cannot wait for the official MS patch, you cannot block this one at the border, and you cannot leave your systems unprotected.
This has always been the case with Windows, if I'm not mistaken.
Shows how much MS cares for its customers. (Score:5, Insightful)
Clearly Microsoft wasn't interested in calling people in over the holidays to whip up a patch for this critical vulnerability-- something that you could go in a couple hours early tomorrow and roll out to the PCs in your organization. They're going to let you suffer. And why should they care? They've already got the money of the company you work for. People are going to return from their holiday vacations tomorrow, load the wrong web page in IE, and get pwned. And you'll be left to clean up the mess. Again. Better pack an extra sandwich with your lunch tomorrow, because you probably won't be getting out at 5.
Re:Shows how much MS cares for its customers. (Score:3, Funny)
Re:So...what "proper" steps secured you from this? (Score:3, Interesting)
Programmers? (Score:5, Insightful)
Re:Programmers? (Score:2)
If I read the article properly it is saying that windows has metafiles that can contain code, but can be used as images. That is
Re:Programmers? (Score:3, Interesting)
IBM mainframes were able to designate the usage of 'pages' or 'frames' of memory by using 4-bit 'storage keys' in the mid 1960s!
You requested the storage in a specific key (in your own address space) and any program accessing that storage with a different key. The ability to change storage key was strictly controlled by OS privileges and any
Re:Programmers? (Score:4, Informative)
In the internet age, it's hard to believe, but in fact, yes, there is [f-secure.com]. This isn't a buffer overflow exploit; this is actually the way metafiles were intended to work. AC makes the same point a bit more rudely.
Re:Programmers? (Score:5, Interesting)
However, the WMF format allows you to embed a code in it that basically says "when you've finished drawing this, call the function at this address to execute it". The reason that this exists is that WMF was not originally intended to be a file format. It was intended to allow Windows applications to record the steps necessary to draw an object, so they could do it again later (presumably using less processing at that point because everything's precalculated).
Re:Programmers? (Score:5, Insightful)
An 'arbitrary jump' is fine inside your own address-space, so long as you jump to storage you own, AND you have requested, AND have the 'key' to, AND is marked 'executable' in your current key/ring.
Jeeze! The mainframe guys had this figured out decades ago.
Don't trust the coder first - trust the computer architect first!
Re:Programmers? (Score:3, Insightful)
I don't think you could guard against execution (separately from read, on a S/360 successor) until IBM introduced data spaces. Execution is limited to data space 0, and if you don't let a program write to that space you are OK. But even now, though the architecture *can* separate read/write space fro
I deployed it (Score:4, Informative)
I've had two; and decided to come in to the office today to make sure we were patched up against the exploit.
Yes, I took the plunge.
The patch is now deployed in our small office (30 windows PCs atm); and so far so good.
Would I have felt safer if the sourcecode was released? Perhaps.
That said, I'd rather take the ISC's word on the fix than have a guaranteed hell within a couple of days.
The dedication of the people involved with ISC, as well as that of Mr. Guilfanov brightened my start of the new year.
Kudos, people.
Re:I deployed it (Score:5, Informative)
Would I have felt safer if the sourcecode was released? Perhaps.
But the source code is released, too. The installation package should have copied it into the "WindowsMetafileFix" folder under the "Program Files" folder.
I Compiled it myself (Score:3, Informative)
The code is only 200 lines, and is primarily patching logic with a switch in there. The biggest risk is that it patches the wrong place and doesn't provide protection, the next that it doesn't uninstall. Those are hard to test.
TFA conclusion is BS (Score:2)
Sure there is. Don't use MSN to IM, for starters. Don't open e-mail from senders you don't recognize. Don't click on hyperlinks in e-mail without verifying that the URL is really what the text states it is. And if you are in a corporate setting and the Network Admin hasn't blocked IM, you've already got bigger problems to worry about.
Comment removed (Score:4, Insightful)
Re:TFA conclusion is BS (Score:3, Interesting)
> email means ANYTHING.
Well, yeah. I had to explain to two coworkers just last week that the scary messages they were getting weren't really from eBay, and they were quite surprised. (So I told them that if they were concerned that they might need to check their eBay accounts, to use the bookmarks they usually use to go there, because they would know that those really go to eBay. The link in this message only says it
Haha! (Score:4, Funny)
Shame on Hemos (Score:5, Insightful)
And for that matter, there's no mention of "the Snort rules will hog your router's CPU", either - that's total rubbish, probably made up by the article submitter. And it slipped, too, since the Slashdot "editors" never care to actually edit stories before they publish them.
Shame on you, Hemos!
Get the joke, will travel... (Score:5, Informative)
The title comes from the original note in the Handler's Diary [sans.org]. You see, it creates a mental tension between "Trustworthy Computing", the lack of an official patch and ISC's "Please, trust us". It makes some readers smile.
Re:Shame on Hemos (Score:5, Informative)
There is one important note in regards to ALL published signatures including this one. All these signatures will fail to detect the exploits when the http_inspect preprocessor is enabled with default settings. By default, the flow_depth of the preprocessor is 300, which is too short to cover the whole exploit. Should the exploit be transmitted on port 80 and http_inspect is enabled, no alert will occur. Note that it will still alert on any ports (using the all-port sig below) that are not configured in http_inspect (i.e. FTP).
One solution is to add the statement "flow_depth 0" to the http_inspect preprocessor (actually the appropriate http_inspect_server line in the config). This will tell the preprocessor not to truncate the reassembled pseudo-packet, but it will have an adverse impact on performance. On busy networks, this will lead to 100% CPU utilization of the Snort process and major packet drops.
And you should've checked before saying it was all made up.
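As an added illustration (not code from the thread, from Snort, or from the hotfix author), a small Python sketch tying together three points made above: a WMF is a header followed by a list of records (the "drawing commands" described earlier), so it can be recognized by its header bytes whatever the extension or containing document says, and a detector that only inspects a fixed prefix of a stream, like the default flow_depth of 300, never sees a file placed past that prefix. The placeable-header key, the header field layout and the record codes are taken from the WMF format as I know it rather than from this page; the sample file and HTTP body are constructed.

```python
import struct

# Aldus "placeable" WMF header key, stored little-endian as bytes D7 CD C6 9A.
PLACEABLE_KEY = 0x9AC6CDD7
PLACEABLE_HEADER_LEN = 22
# Standard WMF header (18 bytes): mtType (1 = memory, 2 = disk), mtHeaderSize (always 9
# words), mtVersion (0x0100 or 0x0300), mtSize, mtNoObjects, mtMaxRecord, mtNoParameters.
# The "starts with 0x01 0x00" mentioned in the thread is the mtType word of a memory metafile.
STD_HEADER = struct.Struct("<HHHIHIH")
META_EOF = 0x0000


def is_wmf_at(data: bytes, off: int = 0) -> bool:
    """True if a WMF header starts at `off`, regardless of file name or extension."""
    if off + 4 <= len(data) and struct.unpack_from("<I", data, off)[0] == PLACEABLE_KEY:
        return True
    if off + 6 > len(data):
        return False
    mt_type, hdr_size, version = struct.unpack_from("<HHH", data, off)
    return mt_type in (1, 2) and hdr_size == 9 and version in (0x0100, 0x0300)


def find_wmf(data: bytes, depth: int = 0) -> list:
    """Offsets of WMF headers in `data`, inspecting only the first `depth` bytes.

    depth 0 means "whole buffer", mirroring the flow_depth semantics discussed above:
    a detector that only sees a truncated prefix of the stream cannot match past it.
    """
    view = data if depth == 0 else data[:depth]
    return [i for i in range(len(view)) if is_wmf_at(view, i)]


def wmf_record_functions(data: bytes) -> list:
    """Walk the record list of a standalone WMF and return its function codes.

    A WMF is a header followed by records, each: DWORD size (in 16-bit words),
    WORD function, then parameters; the list ends with META_EOF (0x0000).
    """
    off = 0
    if struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = PLACEABLE_HEADER_LEN  # skip the placeable wrapper to reach the standard header
    if not is_wmf_at(data, off):
        raise ValueError("not a WMF header")
    off += STD_HEADER.size
    funcs = []
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if size_words < 3:  # a record is never smaller than its own size+function fields
            raise ValueError("malformed record size at offset %d" % off)
        funcs.append(func)
        if func == META_EOF:
            break
        off += size_words * 2
    return funcs


def build_sample_wmf() -> bytes:
    """Constructed, benign sample: one META_SETMAPMODE(MM_TEXT) record, then META_EOF."""
    records = struct.pack("<IHH", 4, 0x0103, 1) + struct.pack("<IH", 3, META_EOF)
    total_words = (STD_HEADER.size + len(records)) // 2
    header = STD_HEADER.pack(1, 9, 0x0300, total_words, 0, 4, 0)
    return header + records


def build_sample_http_body() -> bytes:
    """Constructed response body: a JPEG-looking prefix with the WMF buried past byte 300."""
    return b"\xff\xd8" + b"\x00" * 400 + build_sample_wmf()


if __name__ == "__main__":
    body = build_sample_http_body()
    print("records:", [hex(f) for f in wmf_record_functions(build_sample_wmf())])
    print("found with default flow_depth 300:", find_wmf(body, 300))
    print("found with flow_depth 0 (no truncation):", find_wmf(body, 0))
```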
Hah (Score:2)
OK, that just makes it too easy.
*awaits avalanche of "Linux is the cure"-style replies*
Which, of course, is correct, as it's not affected by this, but not suitable more than as a worn joke, as many organizations can't make the switch easily either for lack of own competence, will to hire those who have, lacking software compatibility and/or counterparts, etc.
Trust not the issue... (Score:2)
The problem there (aside from the FP's atrocious grammar) comes from how the "unofficial" patch will interact with MS's eventual real fix.
I certainly don't consider myself a Microsoft apologist, but I KNOW that anyone who installs this patch, then discovers some bizarre (potentially very serious) problem from Microsoft's solution, will bitch loudly that Microsoft shou
Re:Trust not the issue... (Score:3, Informative)
Because the flaw isn't in the image previewer used by the shell, it's in GDI32, which is a core OS component and can't be unregistered. Unregistering the image previewer will prevent a lot of attack vectors, sure, but there are probably others.
Talking of 'Trustworthy Computing' (Score:4, Funny)
Trusted Computing? I think not! (Score:2, Interesting)
the manufacturers of the OS, so whatever they are offering is NOT trusted computing.
Since it's a typical binary patch you have to trust them that this patch won't hose your system or make you pwned by these or other folks.
As a long time Linux user, I find this situation appalling. If I were stuck using a Windows box I would be pissed off by this. Look, when I want to upgrade my box, I just do an apt-get update; followed by either apt-get d
o.O (Score:4, Funny)
OK, tell me how that sentence is supposed to make sense. Come on
Corporate? Try college. (Score:4, Insightful)
Speaking as a poor sap who has to fix these computers, I have one thing to say: "Thanks for the easy money". And a heads up to all you dorm technicians, get ready to start burning virus CDs.
This Is Incomprehensible! (Score:5, Funny)
I don't know who's more of an idiot -- the submitter or the "editor" who accepted this turd of an article summary.
So is there a patch ? (Score:4, Interesting)
according to Microsoft [windowsonecare.com]
That sounds like they must have some kind of patch out there, or are they hoping to get more users "hooked" on OneCare? Otherwise, this statement doesn't make sense:
Maybe I'm being picky, but I think all their customers have a quite urgent need, right now! Written from the sublime security of Fedora Core, thanks.
Win98 patch? (Score:4, Insightful)
I do trust Microsoft... (Score:3, Funny)
What does Microsoft do best? Why, get the money out of the pockets of suckers, of course.
Suckers.
Cheers!
there is always choice (Score:3, Insightful)
You *can* run 2 instances of snort in-line to get around this CPU-pegging issue.
Not really a whole lot of choice about this one.
There is always choice - have you considered a defense-in-depth multi-layered approach? I'm taking the following steps
1. unregister the ms pic and fax viewer dll
2. make WMF file extension default to an erroneous app like notepad
3. turn DEP up a notch
4. turn off downloads in IE if you must use it (set default security settings to HIGH)
5. block all WMF files at the perimeter
6. keep antivirus up to date and consider frequent manual updates and scans of key machines
These things in combo with being vigilant over the next few days should keep you and your corporate networks safe. There are even MSI versions of the patch for mass distribution.
Re:there is always choice (Score:4, Informative)
Ahhhh! (Score:3, Funny)
ActiveX for streaming video
AOL ART Image Format Support
Intel Indeo codecs
Media Center
MIDI audio support
Movie Maker
Old CDPlayer and Sound Recorder
Speech Support
Windows Media Player
Windows Media Player 6.4
Client for Netware Networks
FrontPage Extensions
Internet Connection Wizard
Internet Explorer
Internet Explorer Core
IP Conferencing
MSN Explorer
Netmeeting
Outlook Express
Vector Graphics Rendering (VML)
Windows Messenger
Desktop Cleanup Wizard
Framework
Help
Out of Box Experience (OOBE)
Shell Media Handler
Tour
Web View
Zip Folders
Fax Services
Imapi
Indexing Service
System Restore
(nliteos.com)
AND I AM STILL VULNERABLE!???
Perhaps I should switch to linux
There is an official fix available! (Score:3, Funny)
In an interview with an anonymous MiroScoft employee, it has been reported that MS has found a working fix!
"We've all turned off our computers, and are sitting on our hands. This has effectively blocked all intrusion attempts."
When asked when the fix would be distributed, he replied:
"Once the threat has passed, it will be safe for us to turn our computers back on and email everyone with instructions for turning their computers off and sitting on their hands. Until that time comes, we're asking everyone to be patient."
Re:What's wrong with... (Score:3, Informative)
Re:What's wrong with... (Score:5, Insightful)
Re:What's wrong with... (Score:2)
Re:What's wrong with... (Score:4, Informative)
* Unregister the DLL: some apps may actually re-register the DLL.
* Rename/Delete: make sure XP File Protection is off, otherwise it will be replaced. Also, some apps may behave badly.
So, disabling the DLL is a *good* idea -- but may not be a complete solution by itself.
Re:What's wrong with... (Score:4, Interesting)
From http://www.viruslist.com/en/weblog?discuss=176892530&return=1 [viruslist.com]:
"... Going back to the wmf vulnerability itself, we see number of sites mention that shimgvw.dll is the vulnerable file. This doesn't seem correct as it's possible to exploit a system on which shimgvw.dll has been unregistered and deleted. The vulnerability seems to be in gdi32.dll... "
Re:"the snort rule will peg the CPU on your router (Score:5, Informative)
A couple of the other comments here seem to miss this very important point:
It's not just files with ".wmf" at the end. Any image file will get unwrapped by Microsoft code and the callback will get executed. Woof.
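An added example, not code from this thread, from the ISC, or from the unofficial patch: a content-based triage that serves both step 5 of the defense-in-depth list above ("block all WMF files at the perimeter") and the point made in this comment that the extension is irrelevant. It identifies WMF by structure (placeable magic or a sane standard header) rather than by name, then walks the record stream looking for a META_ESCAPE record carrying the SETABORTPROC escape, which is the record the WMF exploit relies on. The record layout and the constants META_ESCAPE = 0x0626 and SETABORTPROC = 9 come from the Windows Metafile specification and the public advisories, not from this page; the function names, the verdict strings and the sample files are my own, and the samples are constructed inline and carry no payload.

```python
"""Content-based WMF triage: find META_ESCAPE/SETABORTPROC regardless of extension.

Added example; not from the Slashdot thread, the ISC, or the unofficial patch.
Constants follow the Windows Metafile specification. Sample files are constructed
below for the demonstration and contain inert filler, no shellcode.
"""
import struct

PLACEABLE_KEY = 0x9AC6CDD7   # Aldus placeable header magic, on disk as D7 CD C6 9A
PLACEABLE_LEN = 22           # placeable header length in bytes
HEADER_LEN = 18              # standard WMF header length in bytes
META_EOF = 0x0000
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009        # escape code that lets a metafile register a callback


def looks_like_wmf(data: bytes) -> bool:
    """Sniff by structure, never by filename: placeable magic, or a standard
    header with Type in {1, 2}, HeaderSize == 9 words, Version 0x100 or 0x300."""
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        return True
    if len(data) < HEADER_LEN:
        return False
    mtype, hsize, version = struct.unpack_from("<HHH", data, 0)
    return mtype in (1, 2) and hsize == 9 and version in (0x0100, 0x0300)


def scan_wmf(data: bytes) -> list:
    """Walk the record stream. Returns a list of findings; [] means clean."""
    findings = []
    if not looks_like_wmf(data):
        return ["not a WMF"]
    off = PLACEABLE_LEN if struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY else 0
    off += HEADER_LEN
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)  # Size is in 16-bit words
        rec_len = size_words * 2
        if func == META_EOF:
            break
        if rec_len < 6 or off + rec_len > len(data):
            findings.append("malformed record size at offset %d" % off)
            break
        if func == META_ESCAPE:
            if rec_len >= 10:
                esc, nbytes = struct.unpack_from("<HH", data, off + 6)
                if esc == SETABORTPROC:
                    findings.append("META_ESCAPE/SETABORTPROC at offset %d (%d data bytes)"
                                    % (off, nbytes))
            else:
                findings.append("truncated META_ESCAPE at offset %d" % off)
        off += rec_len
    else:
        findings.append("no META_EOF record")
    return findings


def triage(filename: str, data: bytes) -> str:
    """Perimeter verdict: 'block', 'suspect' or 'pass'. The filename is only
    reported, never trusted; a .jpg carrying WMF records is still a WMF."""
    if not looks_like_wmf(data):
        return "pass"
    hits = scan_wmf(data)
    if any("SETABORTPROC" in h for h in hits):
        return "block"
    return "suspect" if hits else "pass"


# --- constructed samples (hypothetical files, no payload) -------------------
def _header(total_words: int, max_record_words: int) -> bytes:
    # Type=1 (memory metafile), HeaderSize=9 words, Version=0x300,
    # Size lo/hi in words, NumberOfObjects=0, MaxRecord, NumberOfMembers=0
    return struct.pack("<HHHHHHIH", 1, 9, 0x0300, total_words & 0xFFFF,
                       total_words >> 16, 0, max_record_words, 0)


def _record(func: int, params: bytes) -> bytes:
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def build_sample(with_abortproc: bool) -> bytes:
    """Minimal standard-header WMF, optionally with a SETABORTPROC escape record."""
    records = []
    if with_abortproc:
        esc_data = b"\x00" * 4   # inert filler where a real exploit carries code
        records.append(_record(META_ESCAPE,
                               struct.pack("<HH", SETABORTPROC, len(esc_data)) + esc_data))
    records.append(_record(META_EOF, b""))
    body = b"".join(records)
    return _header((HEADER_LEN + len(body)) // 2, max(len(r) // 2 for r in records)) + body


if __name__ == "__main__":
    samples = [("benign.wmf", build_sample(False)),
               ("holiday.jpg", build_sample(True)),                  # WMF content, JPEG name
               ("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 20)]   # real JPEG magic
    for name, blob in samples:
        print(name, triage(name, blob), scan_wmf(blob) if looks_like_wmf(blob) else "")
```

A filter built this way is cheap enough to run on every image body at a proxy or mail gateway, and it does not depend on the `.wmf` extension or on the declared MIME type. It does not replace the patch: a file that the scanner judges "suspect" because of a malformed record length is exactly the kind of input that has historically been used to confuse parsers, so treat anything other than "pass" as a reason to quarantine rather than to look closer on a vulnerable box.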
Re:"the snort rule will peg the CPU on your router (Score:3, Interesting)
An interesting fix for this problem- Rather than having your hardware router/firewall sniff all the packets, you could write a pluggable MIME filter registered to ALL image types on your PC (Google it for more info- I've done a lot of research on MIME filters and Asynchronous Pluggable Protocols for IE, but I'm too lazy to dig it all up right now). If the
Re:"the snort rule will peg the CPU on your router (Score:2)
Re: Migrate to Linux, not Vista Migrate to Linux (Score:2)
Re:Why do folks still use Windows? (Score:5, Insightful)
I work for a very small company, probably typical of thousands of other very small companies. Our company is too small to afford a full-time IT staff; I'm the entire IT department, and it's a very small part of my job. I'm the IT guru because I'm the only one there who knows a DLL from a dungheap.
I have formal training in computers, but so long ago that the field was still called EDP and time-sharing was a big deal. I've spent years learning what I know about Windows and Windows networks, in my spare time. It would take me years more to reach a similar level of expertise with a brand-new OS. And until I reached that level, we'd be more vulnerable than with Windows.
My company has about a dozen computers, including a single domain server with no backup server. We have about $60,000 invested in software (other than OS's) that will only run under Windows. We have no hardware to set up a test server, no money (or time) to spend on unsuccessful experiments.
The only person in our company who has ever used Linux is our 21-year-old secretary. We have one Unix machine, which I despise, because its desktop GUI is primitive and its command interface makes MS-DOS look well-designed and intuitive.
I rarely get to spend more than two or three hours a week on network maintenance, security monitoring, and research combined. If I hadn't automated them I wouldn't have time to do file backups some weeks. I have no time to spend trying to research the seventeen hundred different distros of Linux available, or whether Wine will support our COM+-dependent network applications--or whether the WMF exploit still applies if we run Windows applications on Linux.
We can't afford to have a regular support contract with a local computer-specialist firm. That's assuming we could even find someone in town we can trust--the overpriced morons who did our last batch of installations gave us a two-NIC server with only one NIC enabled (so no firewall), and set up user workstations with the Administrator password left blank!
I loathe Microsoft, and have since I first saw Windows 3.11. But what possible reason do I have for trusting the claims of Red Hat or Debian more? What research I can do is hardly reassuring. Remember Saturday's story here [slashdot.org]: researchers found 812 flaws in the Windows operating system, 2,328 problems in various versions of the Unix/Linux operating systems (Mac included)?
I didn't choose Windows; I inherited it and have no resources to replace it. My company didn't really choose Windows; it was forced on us by the marketplace. Be realistic! My wife just bought an Apple, and the first thing she installed on it was the OS-X version of MS Office, necessary for compatibility with her company.
Maybe in another ten years Linux will be enough of a force that applications will be written for cross-compatibility, but little companies like mine can't wait that long. We have to use what we can, right now.
Re:Why do folks still use Windows? (Score:3, Insightful)
I rarely get to spend more than two or three hours a week on network maintenance, security monitoring, and research combined.
OK, so you're not a full-time IT guy. That's cool. But if you can't manage 12 machines and only $60K worth of vendor lock-in, then you absolutely, positively need some outside help. It's not
Re:Why do folks still use Windows? (Score:3, Interesting)
The fact is that you can install almost any shrink wrapped Linux distribution, do a default installation and have almost zero support issues for the next year. Honestly, I almost never patch my Linux servers and only upgrade them every 3 years.
In a small business situation, any Linux box is as reliable as a refrigerator. Just leave i
Suspend your disbelief? (Score:3, Interesting)
The checkpoint page you point to just lists this as a vulnerability and gives a password protected link to "FULL ADVISORY and SOLUTION" (caps theirs). Since I don't have a checkpoint login, I have no clue as to what they are saying. I therefore have no reason whatever to believe that they have anything to offer.
Re:Non NT-based Windows? (Score:3, Interesting)
info [grc.com]