
Trustworthy Computing 465

Anonymous Coward writes "This is a first: the Internet Storm Center is recommending trustworthy computing. They want you to trust that the unofficial patch for the Windows Metafile Volunerability that is currently being exploited by an IM worm. No patch from Microsoft at this time, and the exploit is arranged in such a manner that it cannot be detected by most intrusion detection systems (the snort rule will peg the CPU on your router) nor filtered by packet-inspecting firewalls (it spans two or more ethernet frames). Not really a whole lot of choice about this one."
  • Some won't (Score:5, Insightful)

    by SavoWood ( 650474 ) on Monday January 02, 2006 @09:43AM (#14378301) Homepage
    As it says in the article, some people in the corporate world won't do it if the patch didn't come from MS. It's sad, really. If I had an exploitable machine around, I would trust their patch.
    • Is it just me (Score:3, Insightful)

      by goombah99 ( 560566 )
      or is the original headline post for this thread written in gibberish enhanced by misappropriation of terms and conflation of concepts? How is trusting the unofficial patch conceptually related to "trustworthy computing" and why should packet spanning make it invulnerable to filtering?
      • Re:Is it just me (Score:4, Insightful)

        by BushCheney08 ( 917605 ) on Monday January 02, 2006 @10:04AM (#14378427)
        It's a thing called sarcasm. MS are the ones pushing "trustworthy computing" but are showing that at a time like this, they can't be trusted to do the right thing.
        • Re:Is it just me (Score:3, Insightful)

          by Tim C ( 15259 )
          And what's the right thing? Rushing out an untested patch as fast as possible that either doesn't fix things or even makes them worse? Or is it taking your time to make sure that you get it right and don't end up making an even bigger mess of things?
        • I do not want a patch that is untested, and could cause even more hell. You really think, they could have created a patch, and tested it well to be deployed on 200+ million machines connected to Windows update, and not have any bad effects on other apps.
          If you look at the patches released by others, they also say it might break applications, and you might have problems with it etc. I do not think MS has that option while creating a patch.
          Microsoft accepted there was a flaw, posted information about it, tol
          • A patch posted a couple weeks ago stopped IE from loading gif images from select sites. They show up as invalid (X) images. Strange isn't it? A 'security' patch should never break functionality.

            -M
      • The title comes directly from the ISC's Handler's Diary post [sans.org] that uses it as a joke, to reflect the fact that they will ask people to trust them on this one. Quote: "I find myself in the very peculiar position of having to say something that I don't believe has ever been said here in the Handler's diary before: "Please, trust us.".
      • Re:Is it just me (Score:4, Interesting)

        by abirdman ( 557790 ) <abirdman@ m a i n e . r r.com> on Monday January 02, 2006 @10:13AM (#14378470) Homepage Journal
        You are absolutely correct, sir. This article has absolutely nothing to do with "trustworthy computing," (aside from the use of the word "trust"). It is perhaps interesting that the headline was enough to persuade me to read the summary, and click the link to the story. Maybe, in some strange way, they're demonstrating how the exploit works.
        • Re:Is it just me (Score:3, Insightful)

          by darkonc ( 47285 )
          The point about "trustworthy computing" is that you are giving over control of your computer to some other semi-random person who can then force your computer to do, or not do, whatever they want it to.

          It all comes down to the question: Who do you trust? A company like Microsoft that has made billions of dollars with sometimes shady and even outright illegal business practices, or a bunch of diehard security enthusiasts who just hate to see their (and other people's) computers hacked?

          No matter how you a

    • It's sad, really.

      Yes, definitely if this was an open source system.

      It can be discussed whether it's sad or smart to wait for someone with insight in the closed code to fix it.

      If I had an exploitable machine around, I would trust their patch.

      I may just have chosen to suffer from using a slightly crippled OS (i.e. no workie Fax & Picture Viewer, etc) by unregistering the DLL until it's fixed.
      • Re:Some won't (Score:4, Informative)

        by NoMercy ( 105420 ) on Monday January 02, 2006 @10:25AM (#14378537)
        They recommend both deregistering and applying the 3rd party patch, if some 3rd party application loads the DLL directly, unregistering it won't help.

        I'm a trusting person, and if ISC, and Fsecure's lab both recommend it, I don't mind applying it, I'd trust their code more than MS's :)
    • by ilfak ( 935134 ) on Monday January 02, 2006 @01:03PM (#14379450) Homepage
      I'm the author of the hotfix and one could expect me to say 'yes, please go ahead and install it on your corporate network with thousands of machines'.

      But I won't say that.

      First of all deploying any software on a large network is a serious task. It should be carefully planned and performed with the correct (read: responsible) approach.

      The hotfix must be tested on as many machines as possible. Possible negative consequences must be determined and decided upon if they are acceptable or not.

      In short, more rigorous testing is required.

      -------
      Ilfak Guilfanov, the author of the hotfix
    • Re:Some won't (Score:3, Informative)

      by HermanAB ( 661181 )
      The old job preservation argument - Need to be able to blame Microsoft.

      As for me, I test all patches - the ones from MS too - before deployment. I don't blame Microsoft, I take responsibility for what I do.

  • Over/Under (Score:4, Insightful)

    by chrisgeleven ( 514645 ) on Monday January 02, 2006 @09:45AM (#14378307) Homepage
    What is the over/under for Microsoft getting a patch out for this?

    If there is a time to deviate from their monthly patch cycle, this is it. The patch should have been out days ago, yet we are still waiting.

    And Microsoft wonders why no one takes their security promises seriously.
    • Re:Over/Under (Score:5, Interesting)

      by Malor ( 3658 ) on Monday January 02, 2006 @10:41AM (#14378616) Journal
      It's probably a hard problem to patch. From what I've gathered, this is a feature of WMFs, not a bug. They were designed before people even knew what the Internet was. WMFs, apparently, have the ability to specify code to be run on a failure to render. So the bad guys give you a bad WMF file, cleverly renamed as JPG, and stick it in an ad banner. You browse a site (with any browser), Windows fails to render the WMF (which it will recognize even if the filename says JPG), runs the specified failure code, and you're hacked. That fast.

      Changing code that's this deeply buried in Windows is risky. The interpreter for WMF is one of the remnants of code left over from single-user computers, and they'll have to test changes very thoroughly. They're GOING to break things with this patch, because they're removing a designed-in feature. They're probably working feverishly to figure out how to minimize the damage, but some damage is inevitable. And the problem could be far worse than it appears; that DLL could be riddled with problems. It may not have been audited in many years.

      This is yet another example of how you can't retrofit security; the first Windows versions were designed when security wasn't even an issue, when the Internet was barely a twinkle in Al Gore's eye. There's a mountain of code that was written just to work, not to worry about being handed malicious data. If a user passed bad values to a system call and it crashed, oh well. It was their fault for doing it. It's not like they had anything to gain from it, after all. They owned the computer. Why on earth would the computer need to protect itself from its owner?

      With the advent of the Net, Microsoft decided to both stay backward-compatible and extend what they had onto the Internet. And their focus for many years was on new features, not security. Essentially every security person at the time warned them -- stridently -- against the choices they were making. It was obviously going to be a trainwreck. This is just the latest in that ongoing collision between a single-user operating system and exposure to every computer in the world.

      This particular exploit is BY FAR the worst one yet...even very competent administrators, doing everything exactly as they should, can get nailed by this one. As bad as this is, though, it's not like they're going to stop here.

      Trying to retrofit security onto the Win3.1/Win95 model is like trying to use scotch tape to make cheesecloth waterproof. No matter how much tape you use, even if it's a lot more tape than cloth, it will ALWAYS leak. It might hold water for a bit, but leaks will constantly spring up. They've added tremendous functionality in the NT/2k/XP kernels which can limit what users can do and limit the possible scope of compromises, but many many programs (especially games) require administrator privs just to run. So most people run as Administrator even though they shouldn't. And that makes hacks like this one very easy and *extremely* damaging.

      Hopefully Microsoft will get a patch out fast.... they certainly must understand how overwhelmingly bad this problem is. The fact that they're reacting slowly is likely an indication that it's hard to fix.
      • Re:Over/Under (Score:3, Informative)

        by Dachannien ( 617929 )
        This shouldn't be difficult to fix. They just have to change the code for gdi32.dll not to register the callback function (or not to call it, perhaps). If it breaks some WMF files, then the WMF files were technically broken anyway, since the callback only gets called when the renderer has to abort for some reason (like detecting an error in the file).

        This could have been a 0-day fix, quite honestly.

        • by r00t ( 33219 ) on Monday January 02, 2006 @12:08PM (#14379090) Journal
          The WMF file is really a list of Windows drawing functions to call, along with their parameters.

          Guess what else uses this.

          There are in-memory and on-disk WMF files. Some are used by apps for repainting the screen. Some are used by apps for printing; Windows printing is based on the WMF. You want error handling with printing, right?

          Now, I'm not saying how to fix this unless Microsoft shares some cold hard cash with me, but there are reasonable solutions. It's just not as simple as patching out the feature.
      • Re:Over/Under (Score:4, Interesting)

        by mce ( 509 ) on Monday January 02, 2006 @11:03AM (#14378739) Homepage Journal
        One wonders how long Microsoft themselves have known about this one. Despite them being "The Incompetent Company", they do have a lot of very competent software people working for them. I'd be willing to bet some money that some of those have identified this particular flaw some time ago already but that, after looking at the consequences of fixing it properly, the company decided to hope that nobody would notice until they finally get around to publicly breaking backward compatibility.

        With stuff like this in their closet, one surely can understand at least to some extent why they advocate closed source. The feature in question is likely well documented, and thus reasonably "open", but the idea of what might happen if crackers get access to all the non-safe zombie code that dates from their pre-history truly must horrify them.

        • Re:Over/Under (Score:3, Insightful)

          by cpu_fusion ( 705735 )
          I completely agree. Anyone with a basic understanding of computer security would be able to see this was a wide open gaping hole. And according to the news sites I've seen, it's been in Windows for 15 years.

          ANY DECENT AUDIT of such an "important" piece of code should have seen this with big flashing red signs. Registering a callback in a DATA DOCUMENT is patently stupid.

          I agree with you that the real question is: who has known about this and for how long?

          Because of how easy it is to get someone to view o
      • Re:Over/Under (Score:3, Insightful)

        by mwvdlee ( 775178 )
        In theory they could have the render-failure code run in a sandbox environment.
      • No it's much worse. (Score:3, Informative)

        by goombah99 ( 560566 )
        What's evil about this one is not that someone could lure you to a rigged special website but that they can reach out and get you. For example, they can just take out a banner ad from double click and have this rigged jpeg displayed on tens of millions of computers. Or they could post it as a picture on Flickr and hope it gets into the rotation for a picture of the day. Get it into Google Images. Post it on a bulletin board that allows thumbnail jpegs. Lots of ways to get the code onto trusted web site
        • Wiki (Score:4, Interesting)

          by r00t ( 33219 ) on Monday January 02, 2006 @12:14PM (#14379130) Journal
          Some wikis probably don't check file content.

          Wikipedia tries to block stuff like this, but I don't think it is all that reliable. They just use the UNIX file command to see if a file matches the file extension.

          WMF files start with 0x01 0x00, and are unrecognized by the file command.

          JPEG starts with 0xff, so that won't do. Well, there are other formats to try.
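An added example, not part of the comment above or of any project named in this thread: a content check of the kind that comment says the `file` command misses, identifying WMF data by its header rather than its file name and flagging records that register an abort callback. The header layout, the placeable-prefix magic and the META_ESCAPE / SETABORTPROC values come from the published WMF format specification rather than this page; the function names, verdict strings and sample bytes are constructed for illustration.

```python
import os
import struct

# Values from the published WMF format specification (not from this page).
PLACEABLE_MAGIC = 0x9AC6CDD7   # optional 22-byte "placeable" prefix
META_EOF = 0x0000              # terminating record
META_SETMAPMODE = 0x0103       # ordinary drawing-state record (used in the sample)
META_ESCAPE = 0x0626           # record that carries a printer-escape call
SETABORTPROC = 0x0009          # escape that registers an abort callback

# Verdict strings are this example's own.
NOT_WMF = "not WMF"
ALLOW = "WMF, no abort-callback escape"
MISMATCH = "reject: WMF content under a non-.wmf name"
ABORT_ESCAPE = "reject: WMF registers an abort callback"


def first_record_offset(data):
    """Return the offset of the first record if data starts with a WMF header."""
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data)[0] == PLACEABLE_MAGIC:
        off = 22  # skip the placeable prefix, the standard header follows
    if len(data) < off + 18:
        return None
    # Standard header: type (1 = memory, 2 = disk), header size in 16-bit
    # words (always 9), version (0x0100 or 0x0300). On disk this is the
    # "0x01 0x00" start mentioned in the comment above.
    ftype, header_words, version = struct.unpack_from("<HHH", data, off)
    if ftype not in (1, 2) or header_words != 9 or version not in (0x0100, 0x0300):
        return None
    return off + 18


def find_abort_escape(data, off, max_records=10000):
    """Walk the record list; return the offset of a SETABORTPROC escape or None."""
    for _ in range(max_records):
        if len(data) < off + 6:
            return None                      # truncated file
        size_words, func = struct.unpack_from("<IH", data, off)
        if size_words < 3 or func == META_EOF:
            return None                      # malformed size or end of metafile
        if func == META_ESCAPE and len(data) >= off + 8:
            (escape,) = struct.unpack_from("<H", data, off + 6)
            if escape == SETABORTPROC:
                return off
        off += size_words * 2                # record size counts 16-bit words
    return None


def classify(filename, data):
    """Decide what to do with an uploaded or downloaded file."""
    start = first_record_offset(data)
    if start is None:
        return NOT_WMF
    if find_abort_escape(data, start) is not None:
        return ABORT_ESCAPE
    # Record walking can be confused by malformed sizes, so a WMF that
    # arrives under an image extension is rejected outright.
    if os.path.splitext(filename)[1].lower() != ".wmf":
        return MISMATCH
    return ALLOW


def build_sample(with_escape, placeable=False):
    """Constructed test input: header, one benign record, optional escape, EOF."""
    body = struct.pack("<IHH", 4, META_SETMAPMODE, 8)
    if with_escape:
        # Escape record with a zero-length data field: no code is carried.
        body += struct.pack("<IHHH", 5, META_ESCAPE, SETABORTPROC, 0)
    body += struct.pack("<IH", 3, META_EOF)
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, 5, 0)
    prefix = struct.pack("<I", PLACEABLE_MAGIC) + bytes(18) if placeable else b""
    return prefix + header + body


JPEG_SAMPLE = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes(16)  # constructed

if __name__ == "__main__":
    for name, blob in [
        ("photo.jpg", JPEG_SAMPLE),
        ("banner.jpg", build_sample(False)),
        ("chart.wmf", build_sample(False)),
        ("chart.wmf", build_sample(True, placeable=True)),
    ]:
        print(f"{name:12s} {classify(name, blob)}")
```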
      • Re:Over/Under (Score:3, Interesting)

        by arminw ( 717974 )
        .......but many many programs (especially games) require administrator privs just to run......

        That in a nutshell is the biggest problem with Windows. It is still suffering from its roots as a single user computer system in the world before networking. *NIX systems, such as Linux and OSX are more secure mostly because they do not require administrator status to run application programs. MS will have to FORCE developers to change this by making two users on every system -- one the admin and another the use
      • Re:Over/Under (Score:3, Informative)

        by 0WaitState ( 231806 )
        Malor said:

        This is yet another example of how you can't retrofit security; the first Windows versions were designed when security wasn't even an issue, when the Internet was barely a twinkle in Al Gore's eye.

        Uh, no. The internet was already alive and well and quite mainstream in academe in the early 80s, when Microsoft was still thrashing around with early versions of MS-DOS, and networked PCs were well-known by the late 80s. Even before that almost every PC came with a modem.

        So, no, sorry, Microsof
        • Re:Over/Under (Score:3, Insightful)

          by Malor ( 3658 )
          Dude, how old are you? I was *there* at the time. Nobody thought about security in networks back then. Hardly anyone thought about security, period. Regular Windows barely even DID networking... they added that later in Windows for Workgroups. (heh, and it still barely did networking :)) Networks were weird and unusual. They were isolated, not tied together, and everyone just assumed you could trust anyone you could run a LAN cable to.

          Modems existed, sure, but a FAST modem at the time was 19200 baud.
          • Re:Over/Under (Score:5, Informative)

            by 0WaitState ( 231806 ) on Monday January 02, 2006 @03:46PM (#14380374)
            Dude, I think I'm older than you--I remember when my job first gave me a 2400 baud modem, and at the time thinking ruefully of all the time I had wasted with 300 baud modems. I still have a Codex 2264 modem (It's the size of a shoebox, has a three prong plug and a fan, and seems to be immortal).

            As to your contention that microsoft gets a pass because nobody thought of security back "then", I'll take "then" to be the 10 years immediately prior to the release of Windows 3.0. Multi-user PCs were a well-known concept to every student who's done work in the general-population 'computer lab'. Remember Banyan, Appletalk, Netware (you mentioned it)? They may not have been Microsoft products, but they were ubiquitous. Unix workstations (Apollo, Sun, Microvax, etc.) were in very common use among engineers and product designers, and they all were networked. (of course, most unixes and VMS versions were very hackable, but that was part of the fun)

            What's more, there were thousands of anti-mal-ware software products for MS-DOS, some samples here. [llnl.gov] The virus vector was BBS downloads and floppy disks rather than open port attacks or browser overruns, but the concept of attacking PCs was already well known. So, no, Microsoft does not "get a pass" for a security problem that nobody could have predicted (sarcasm). They made conscious choices to de-emphasize and ignore security in order to maintain market share at all costs. The economics proved them correct, so far, but they still should carry the blame for those choices.

      • Re:Over/Under (Score:3, Insightful)

        by angulion ( 132742 )
        There's a mountain of code that was written just to work, not to worry about being handed malicious data. If a user passed bad values to a system call and it crashed, oh well. It was their fault for doing it. It's not like they had anything to gain from it, after all. They owned the computer. Why on earth would the computer need to protect itself from its owner?

        It is new, it is called DRM.

  • Shame (Score:5, Funny)

    by Jonnty ( 910561 ) <jonnty AT gmail DOT com> on Monday January 02, 2006 @09:45AM (#14378310) Homepage
    It'd be nice to have a computer that I can use the patch on.. Maybe I can Wine it?
    • if not wine it, then just whine at it ;)
    • Re:Shame (Score:3, Funny)

      by Grey Ninja ( 739021 )
      Yeah, when I heard about that WMF security vulnerability, I was up half the night trying to get it working in Wine, so that I could have the genuine Windows experience. But to no avail. It just didn't work. Maybe this patch will fix that?
    • Re:Shame (Score:3, Interesting)

      by julesh ( 229690 )
      It'd be nice to have a computer that I can use the patch on.. Maybe I can Wine it?

      That's an interesting question -- is wine vulnerable to this flaw? As I understand it, it is essentially a design fault in the way WMF files work (i.e., the entire process of using a WMF file was never designed to be secure in the first place, so it is able to do stuff like set up callbacks into the application's address space).
  • by User 956 ( 568564 ) on Monday January 02, 2006 @09:45AM (#14378315) Homepage
    Sometimes, I really start to think that security is so poor in commercial operating systems, because they want to use protection from all these exploits as the bait to get us into the "trusted computing" cage.

    Trusted computing is a farce, because the one thing that *isn't* trusted, is the user.
    • by ciroknight ( 601098 ) on Monday January 02, 2006 @10:13AM (#14378474)
      ..that if we all were running "trustworthy" computers, this problem would be much, much worse than it is now. Imagine that now instead of having a patch that's already been made by someone else while we sit and wait for Microsoft to get off their asses, we now have to wait on Microsoft, who still hasn't shown up.

      Instead of having *some* machines patched, we'd have none. This late after the exploit has been released, and a zero-day attack has happened, we'd see no respite.

      If you try to argue that Trustworthy computers wouldn't allow this to be exploited, what if the trustworthy component itself was exploited? As the Xbox and soon the Xbox 360 have shown, the more complex the hardware, the more complicated the bugs are. Microsoft's betting that the hardware complexity can outgrow the programmer's abilities to crack it, but if there's any truth in the world, it's that if it can be engineered, it can be destroyed. So imagine if this virus was actually signed by Microsoft through the exploit. How would this look for their company? How can you save face from a disaster like that?

      No, trusted computers aren't the answer, just more secure computers, with better code. And the fact of the matter is, the more eyes that are on the code, the better it is, and that's why Open Source will always succeed. No amount of cryptography will help you if there's a hole in your crypto system.
      • what if the trustworthy component itself was exploited?

        There's no "if" about it. The vulnerable component is a genuine Microsoft DLL, shipped as part of Windows, intended to render an official Windows file format. If you were running a "Trusted"(tm) PC, this DLL would 0WNZ0R you with no way out.

        • by ultranova ( 717540 ) on Monday January 02, 2006 @11:10AM (#14378767)

          There's no "if" about it. The vulnerable component is a genuine Microsoft DLL, shipped as part of Windows, intended to render an official Windows file format. If you were running a "Trusted"(tm) PC, this DLL would 0WNZ0R you with no way out.

          You have it backwards. If you were running a DRM'd PC, this DLL would allow you to retake your own computer.

          Remember, security flaws are only bad when security is protecting you. DRM protects Disney against you, so any hole in a DRM'd computer's security makes it more, not less, valuable to its owner.

          Maybe, in ten years time when only DRM'd computers are legal to buy, and attempt to install anything but Windows Whatever into them is a crime punishable by death, we will yet end up praising Microsoft's total incompetence with anything resembling security.

      • by hanssprudel ( 323035 ) on Monday January 02, 2006 @12:00PM (#14379046)
        There seems to be a lot of confusion in this thread regarding these two terms. It isn't that surprising, since they are both purposely misleading, but still.

        "Trustworthy computing" is Microsoft's bullshit name for their so-called initiative to start taking security seriously. It was under this banner that Bill sent all his coders to secure coding seminars so they could learn what a buffer overflow is. The article is ironic in its title: that Microsoft have failed to find such a glaring issue as a native image format that purposely allows images to execute arbitrary code, and that they have not offered a patch even now when exploits are in the wild since almost a week, shows how trustworthy they really are.

        "Trusted computing", on the other hand, is the bullshit name for a nefarious scheme involving hardware and software whereby control over PCs should be taken out of the hands of their owners, and given to the software and hardware vendors. This is sometimes claimed to be about security, but is actually motivated by DRM and DRM only (the name is short for "Trusted Client Computing" and comes from the ability of DRM vendors to trust that your computer, the client, will obey their directions).

        The people pushing "trusted computing" are actually not so much Microsoft as Intel and IBM: Microsoft completely support the concept of trying to put the freely programmable computer back in the bottle, but they have had their own ideas about implementation (their version was first called "Palladium", but when they realized that it is bad to have a recognizable name for something customers actually don't want it was renamed "Next Generation Secure Computing Base" and after that it was renamed to nothing at all so they can be snuck into the coming versions of Windows without people noticing.) // oskar
  • SPI firewalls aren't meant for application filtering, on my company servers I just blocked WMF files at the Exchange server, and set our ISA Servers to block WMF from websites also. Company policy already blocks the various IM clients.

    I imagine that I could push out the deregistering fix, and associating WMF with Notepad, but that seems a little extreme because our attack vector has become limited, and our anti-virus is now updated with the newest signatures that detect this exploit.

  • by ZerocarboN ( 415676 ) on Monday January 02, 2006 @09:49AM (#14378335)
    FTA:
    You cannot wait for the official MS patch, you cannot block this one at the border, and you cannot leave your systems unprotected.

    This has always been the case with Windows, if I'm not mistaken.

  • by Anonymous Coward on Monday January 02, 2006 @09:49AM (#14378336)
    How many late nights, all-nighters, and missed holidays have you experienced, thanks to things like ILOVEYOU and Slammer? How many times have you had to clean up the mess created by Microsoft's shitty, unsecure software?

    Clearly Microsoft wasn't interested in calling people in over the holidays to whip up a patch for this critical vulnerability-- something that you could go in a couple hours early tomorrow and roll out to the PCs in your organization. They're going to let you suffer. And why should they care? They've already got the money of the company you work for. People are going to return from their holiday vacations tomorrow, load the wrong web page in IE, and get pwned. And you'll be left to clean up the mess. Again. Better pack an extra sandwich with your lunch tomorrow, because you probably won't be getting out at 5.
  • Programmers? (Score:5, Insightful)

    by Claire-plus-plus ( 786407 ) on Monday January 02, 2006 @09:51AM (#14378346) Journal
    Windows have produced a datatype that allows people to place executable code into image files? How can they call themselves programmers? Seriously whoever engineered the WMF format should be ashamed.
  • I deployed it (Score:4, Informative)

    by rylin ( 688457 ) on Monday January 02, 2006 @09:52AM (#14378352)
    Today was supposed to be my fifth vacation day this Christmas.
    I've had two; and decided to come in to the office today to make sure we were patched up against the exploit.

    Yes, I took the plunge.
    The patch is now deployed in our small office (30 windows PCs atm); and so far so good.
    Would I have felt safer if the sourcecode was released? Perhaps.

    That said, I'd rather take the ISC's word on the fix than have a guaranteed hell within a couple of days.
    The dedication of the people involved with ISC, as well as that of Mr. Guilfanov brightened my start of the new year.

    Kudos, people.
    • Re:I deployed it (Score:5, Informative)

      by tsvk ( 624784 ) on Monday January 02, 2006 @10:11AM (#14378454)

      Would I have felt safer if the sourcecode was released? Perhaps.

      But the source code is released, too. The installation package should have copied it into the "WindowsMetafileFix" folder under the "Program Files" folder.

  • Not really a whole lot of choice about this one

    Sure there is. Don't use MSN to IM, for starters. Don't open e-mail from senders you don't recognize. Don't click on hyperlinks in e-mail without verifying that the URL is really what the text states it is. And if you are in a corporate setting and the Network Admin hasn't blocked IM, you've already got bigger problems to worry about.
    • Comment removed (Score:4, Insightful)

      by account_deleted ( 4530225 ) on Monday January 02, 2006 @10:47AM (#14378652)
      Comment removed based on user account deletion
      • > Geeze, here it is 2006 and people still think that the return address in unsigned
        > email means ANYTHING.

        Well, yeah. I had to explain to two coworkers just last week that the scary messages they were getting weren't really from eBay, and they were quite surprised. (So I told them that if they were concerned that they might need to check their eBay accounts, to use the bookmarks they usually use to go there, because they would know that those really go to eBay. The link in this message only says it
  • Haha! (Score:4, Funny)

    by Trip Ericson ( 864747 ) on Monday January 02, 2006 @09:54AM (#14378367) Homepage
    Saturday's word was "transferbangle." Today's word is "volunerability." I wonder what tomorrow's word will be!
  • Shame on Hemos (Score:5, Insightful)

    by slavemowgli ( 585321 ) on Monday January 02, 2006 @09:57AM (#14378378) Homepage
    No flamebait intended, but that's a typical sensationalist misleading Slashdot headline. No one's advocating "trusted computing" or similar initiatives here; all they do is say "here's an unofficial fix, and we'd like to recommend it even though it *is* unofficial, considering the seriousness of the vulnerability and also considering it was written by a reputable Windows expert, namely Ilfak Guilfanov (author of IDA Pro)".

    And for that matter, there's no mention of "the Snort rules will hog your router's CPU", either - that's total rubbish, probably made up by the article submitter. And it slipped, too, since the Slashdot "editors" never care to actually edit stories before they publish them.

    Shame on you, Hemos!
    • by Pac ( 9516 ) <paulo...candido@@@gmail...com> on Monday January 02, 2006 @10:14AM (#14378475)
      So we have to explain the joke again:
      The title comes from the original note in the Handler's Diary [sans.org]. You see, it creates a mental tension between "Trustworthy Computing", the lack of an official patch and ISC's "Please, trust us". It makes some readers smile.
    • Re:Shame on Hemos (Score:5, Informative)

      by Saint Aardvark ( 159009 ) * on Monday January 02, 2006 @10:27AM (#14378545) Homepage Journal
      There should've been a link to this: [sans.org]

      There is one important note in regards to ALL published signatures including this one. All these signatures will fail to detect the exploits when the http_inspect preprocessor is enabled with default settings. By default, the flow_depth of the preprocessor is 300 which is too short to cover the whole exploit. Should the exploit be transmitted on port 80 and http_inspect is enabled, no alert will occur. Note that it will still alert on any ports (using the all port sig below) that are not configured in http_inspect (ie FTP).

      One solution is to add the statement "flow_depth 0" to the http_inspect preprocessor (actually the appropriate http_inspect_server line in the config). This will tell the preprocessor not to truncate the reassembled pseudo-packet, but it will have an adverse impact on performance. On busy networks, this will lead to 100% CPU utilization of the Snort process and major packet drops.

      And you should've checked before saying it was all made up.

  • Not really a whole lot of choice about this one.

    OK, that just makes it too easy.

    *awaits avalanche of "Linux is the cure"-style replies*

    Which, of course, is correct, as it's not affected by this, but not suitable more than as a worn joke, as many organizations can't make the switch easily either for lack of own competence, will to hire those who have, lacking software compatibility and/or counterparts, etc.
  • They want you to trust that the unofficial patch for the Windows Metafile Volunerability that is currently being exploited by an IM worm.

    The problem there (aside from the FP's atrocious grammar) comes from how the "unofficial" patch will interact with MS's eventual real fix.

    I certainly don't consider myself a Microsoft apologist, but I KNOW that anyone who installs this patch, then discovers some bizarre (potentially very serious) problem from Microsoft's solution, will bitch loudly that Microsoft shou
    • Personally, I don't see the problem with temporarily unregistering the affected DLL...

      Because the flaw isn't in the image previewer used by the shell, it's in GDI32 which is a core OS component and can't be unregistered. Unregistering the image previewer will prevent a lot of attack vectors, sure, but there are probably others.
  • by peterpi ( 585134 ) on Monday January 02, 2006 @09:57AM (#14378385)
    I love the way the story starts 'Anonymous Coward writes', with an email address link to the author.
  • by Anonymous Coward
    I wouldn't call what they are offering as trusted computing. They are not
    the manufacturers of the OS, so whatever they are offering is NOT trusted computing.

    Since it's a typical binary patch you have to trust them that this
    patch won't hose your system or make you pwned by these or other folks.

    As a long time Linux user, I find this situation appalling. If I were stuck
    using a Windows box I would be pissed off by this. Look, when I want to upgrade
    my box, I just do an apt-get update; followed by either apt-get d
  • o.O (Score:4, Funny)

    by xx_toran_xx ( 936474 ) on Monday January 02, 2006 @10:00AM (#14378398)
    They want you to trust that the unofficial patch for the Windows Metafile Volunerability that is currently being exploited by an IM worm.

    OK, tell me how that sentence is supposed to make sense. Come on :|.
  • by mendaliv ( 898932 ) on Monday January 02, 2006 @10:18AM (#14378499)
    Think users are bad in the corporate sector? Wait until everyone gets back to the college dorms after winter break with their completely unpatched computers. And all the people who have new computers that they got over the holidays. It wouldn't matter if Microsoft had patched it last week, I guarantee that the student users who need it won't have it.

    Speaking as a poor sap who has to fix these computers, I have one thing to say: "Thanks for the easy money". And a heads up to all you dorm technicians, get ready to start burning virus CDs.
  • by TexVex ( 669445 ) on Monday January 02, 2006 @10:30AM (#14378561)
    Anonymous Coward writes
    Writes? Wouldn't a high school English teacher send this back with a little markup and a big fat red "F" on it?
    "This is a first: the Internet Storm Center is recommending trustworthy computing.
    I think this is the one valid sentence in this whole summary!
    They want you to trust that the unofficial patch for the Windows Metafile Volunerability that is currently being exploited by an IM worm.
    Obviously one instance of "that" is an extra. But which? Remove one, it means one thing; remove the other, it means something different.
    No patch from Microsoft at this time,
    Fragment (consider revising).
    and the exploit is arranged in such a manner that it cannot be detected by most intrusion detection systems
    Flowers and furniture are arranged. Music is arranged. Why the hell is the bolded phrase even in there? Try "the exploit cannot be detected by most modern intrusion detection systems" on for size. That edit gets rid of the passive voice and that meaningless phrase all at once!
    (the snort rule will peg the CPU on your router)
    I guess somebody's snorting something. What the hell does this mean?
    nor filtered by packet-inspecting firewalls (it spans two or more ethernet frames).
    Ooh, somebody just loves the parentheses! Why not kill them and insert ", since" after "firewalls"?
    Not really a whole lot of choice about this one.
    Fragment (consider revising).

    I don't know who's more of an idiot -- the submitter or the "editor" who accepted this turd of an article summary.
  • by smoker2 ( 750216 ) on Monday January 02, 2006 @10:50AM (#14378669) Homepage Journal
    or not ?

    according to Microsoft [windowsonecare.com]

    If you are a Windows OneCare user and your current status is green, you are already protected from known malware that tries to attack this possible vulnerability.
    That sounds like they must have some kind of patch out there, or are they hoping to get more users "hooked" on OneCare ?

    Otherwise, this statement doesn't make sense :

    Upon completion of this investigation, Microsoft will take appropriate action to help protect our customers. This will include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs. [microsoft.com]
    Maybe I'm being picky, but I think all their customers have a quite urgent need, right now !

    Written from the sublime security of Fedora Core, thanks.

  • Win98 patch? (Score:4, Insightful)

    by GreatDrok ( 684119 ) on Monday January 02, 2006 @11:16AM (#14378799) Journal
    I wonder if anyone is going to be able to patch Win98 against this? There are still a lot of machines and this vulnerability could make them essentially useless and force an upgrade. While we would all love for them to upgrade to Linux or OS X it is more likely that they will shell out for WinXP and MS will benefit from a windfall of sales as a result of their inept programming. If someone produced a workable patch this would at least allow people to keep using their computers without pouring more money down the MS bottomless pit.
  • by eyepeepackets ( 33477 ) on Monday January 02, 2006 @11:42AM (#14378948)
    ...to do what they do best. Which is why I use a different OS and suggest others do so as well.

    What does Microsoft do best? Why, get the money out of the pockets of suckers, of course.

    Suckers.

    Cheers!

  • by Heembo ( 916647 ) on Monday January 02, 2006 @01:01PM (#14379433) Journal
    it cannot be detected by most intrusion detection systems (the snort rule will peg the CPU on your router) nor filtered by packet-inspecting firewalls (it spans two or more ethernet frames).

    You *can* run 2 instances of snort in-line to get around this CPU-pegging issue.

    Not really a whole lot of choice about this one.

    There is always choice - have you considered a defense-in-depth multi-layered approach? I'm taking the following steps
    1. unregister the ms pic and fax viewer dll
    2. make WMF file extension default to an erroneous app like notepad
    3. turn DEP up a notch
    4. turn off downloads in IE if you must use it (set default security settings to HIGH)
    5. block all WMF files at the perimeter
    6. keep antivirus up to date and consider frequent manual updates and scans of key machines

    These things in combo with being vigilant over the next few days should keep you and your corporate networks safe. There are even MSI versions of the patch for mass distribution.
    • by Sedennial ( 182739 ) on Monday January 02, 2006 @01:11PM (#14379494)
      Did you miss the fact that blocking .wmf files/extensions means nothing for XP users? Because XP took a page from the 'magic bytes' of Unix and recognizes .wmf files from the image header, it can (and will) in some circumstances render them regardless of the extension. So naming it .bbb will bypass your perimeter filters completely.
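The point above about header-based recognition, as an added example (not part of the original comment): a perimeter check that classifies a file by its leading bytes instead of its name. The header layouts are the standard and placeable WMF headers; the function names and the sample files are constructed here, and the sample metafile is an empty, benign one.

```python
import struct

PLACEABLE_KEY = 0x9AC6CDD7               # magic of the 22-byte placeable header
META_HEADER = struct.Struct("<HHHIHIH")  # standard 18-byte WMF header


def _is_meta_header(buf):
    """Heuristic: the standard header has no magic, so check its fixed fields."""
    if len(buf) < META_HEADER.size:
        return False
    ftype, hdr_words, version, *_rest = META_HEADER.unpack_from(buf)
    return ftype in (1, 2) and hdr_words == 9 and version in (0x0100, 0x0300)


def looks_like_wmf(data):
    """True if the content starts like a metafile, whatever the file is called."""
    if len(data) >= 4 and struct.unpack_from("<I", data)[0] == PLACEABLE_KEY:
        return True
    return _is_meta_header(data)


def extension_filter_blocks(filename):
    """The name-only rule the comment says is bypassed by renaming."""
    return filename.lower().endswith(".wmf")


def content_filter_blocks(filename, data):
    """Block on either the name or the sniffed content."""
    return extension_filter_blocks(filename) or looks_like_wmf(data)


# Constructed samples: an empty metafile (header plus end-of-file record),
# the same file behind a placeable header, and the start of a JPEG.
SAMPLE_WMF = META_HEADER.pack(1, 9, 0x0300, 12, 0, 3, 0) + struct.pack("<IH", 3, 0)
SAMPLE_PLACEABLE = struct.pack("<I", PLACEABLE_KEY) + bytes(18) + SAMPLE_WMF
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes(16)

if __name__ == "__main__":
    for name, data in [("card.wmf", SAMPLE_WMF), ("card.bbb", SAMPLE_WMF),
                       ("card.bbb", SAMPLE_PLACEABLE), ("photo.jpg", SAMPLE_JPEG)]:
        print(name, extension_filter_blocks(name), content_filter_blocks(name, data))
```

Because the standard header carries no unique magic, the field check can produce false positives on other binary data; a filter built this way trades some of those for not being fooled by a rename.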
  • Ahhhh! (Score:3, Funny)

    by gQuigs ( 913879 ) on Monday January 02, 2006 @01:16PM (#14379527) Homepage
    I've removed:
    ActiveX for streaming video
    AOL ART Image Format Support
    Intel Indeo codecs
    Media Center
    MIDI audio support
    Movie Maker
    Old CDPlayer and Sound Recorder
    Speech Support
    Windows Media Player
    Windows Media Player 6.4
    Client for Netware Networks
    FrontPage Extensions
    Internet Connection Wizard
    Internet Explorer
    Internet Explorer Core
    IP Conferencing
    MSN Explorer
    Netmeeting
    Outlook Express
    Vector Graphics Rendering (VML)
    Windows Messenger
    Desktop Cleanup Wizard
    Framework
    Help
    Out of Box Experience (OOBE)
    Shell Media Handler
    Tour
    Web View
    Zip Folders
    Fax Services
    Imapi
    Indexing Service
    System Restore
    (nliteos.com)
    AND I AM STILL VULNERABLE!???

    Perhaps I should switch to linux :) |scroll lock||scroll lock| (KVM)
  • by Admiral Burrito ( 11807 ) on Monday January 02, 2006 @01:49PM (#14379724)

    In an interview with an anonymous MiroScoft employee, it has been reported that MS has found a working fix!

    "We've all turned off our computers, and are sitting on our hands. This has effectively blocked all intrusion attempts."

    When asked when the fix would be distributed, he replied:

    "Once the threat has passed, it will be safe for us to turn our computers back on and email everyone with instructions for turning their computers off and sitting on their hands. Until that time comes, we're asking everyone to be patient."
