
Microsoft to Patch WMF Exploit Early

Chran writes "Microsoft has just announced that they will release a security update for the .WMF-exploit today at 2pm ET, instead of Tuesday, as originally planned. Microsoft writes: "Microsoft originally planned to release the update on Tuesday, January 10, 2006 as part of its regular monthly release of security bulletins, once testing for quality and application compatibility was complete. However, testing has been completed earlier than anticipated and the update is ready for release. In addition, Microsoft is releasing the update early in response to strong customer sentiment that the release should be made available as soon as possible."
  • by biocute ( 936687 ) on Thursday January 05, 2006 @03:57PM (#14403641)
    Microsoft is releasing the update early in response to strong customer sentiment that the release should be made available as soon as possible.

    It would have been nicer if they make patches available as soon as possible with or without strong customer sentiment.
    • 8 Days to patch (Score:4, Insightful)

      by badriram ( 699489 ) on Thursday January 05, 2006 @04:00PM (#14403675)
      Maybe it is just me, but 8 days for a tested patch does not seem that long. However it was a 0 day which made this exploit special.
      • Re:8 Days to patch (Score:5, Insightful)

        by Anonymous Coward on Thursday January 05, 2006 @04:03PM (#14403704)
        ProTip : If a third party can patch it faster than you, without access to the original source code - you suck.

        • That doesn't necessarily mean that they regression tested the patch as microsoft would; that just means they created a patch and got it out faster.

          I'm sure it didn't take microsoft very long to create the patch, but lots of manhours to test it -- whatever that's worth.

          • I'm only getting hits on 2000, XP, and 2003:

            According to the Financial Times article [ft.com] highlighted at Drudge, Hyppönen said the vulnerability is supposed to hit "every Windows operating system since 1990".

            So is there a patch for older versions of Windows?

            • Boy, all those guys running web servers under DOS 5 must be pissing their pants!
              • Sadly no (Score:3, Informative)

                by badriram ( 699489 )
                Here is the FAQ from the KB
                -----
                Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME) were previously listed as affected, but are no longer listed. Why is that?
                Although Windows 98, Windows 98 Second Edition, and Windows Millennium Edition do contain the affected component, at this point in the investigation, an exploitable attack vector has not been identified that would yield a Critical severity rating for these versions. Per the support life cycle of
                • So what about NT4?

                  There are a *lot* of companies still using that on the backend servers and on the desktop (not sure if it's still the majority but it's very significant).
                  • Re:Sadly no (Score:2, Insightful)

                    by diersing ( 679767 )
                    There are a *lot* of companies apparently with their collective heads up their asses.

                    If you are in this predicament, of supporting an NT4 environment - I feel for you, I really do. Seriously at some point avoiding the costs of upgrades is going to hurt more than cutting the dang check.

                    ask not for whom the bell tolls...

            • I'm convinced that it should hit every version of Windows. I have been embedding wmf for my thesis and proposals win 1998. I had lots of memory problems using either Word or Word Perfect to open those documents. Even with only a few wmfs embedded in Excel, or other third party applications (that were obviously using windows API to render them). Then I switched to StarOffice and the problem vanished... for me. My supervisor, with a much more powerful computer still had trouble. I guessed at the time tha
            • by jschottm ( 317343 ) on Thursday January 05, 2006 @05:22PM (#14404552)
              Microsoft's policy is that they will only release critical patches for 9X/ME systems because they have EOLed them. Their study of the vulnerability found that while those systems are vulnerable, that it is not critical because no attack vector has been identified. Whether or not you trust their assessment is another question, but that's why there's no patch for them. See questions 2, 3, and 4 in the FAQ.

              http://www.microsoft.com/technet/security/Bulletin/MS06-001.mspx [microsoft.com]

              I suspect 3.x is the same, but really, if you're using 3.10 as a desktop...
        • by MatD ( 895409 ) on Thursday January 05, 2006 @04:18PM (#14403868)
          I'm a third party, and I can patch it right now without even touching the code. Just beat your hard drive with a hammer, and you will be immune to the exploit.

          I have no idea what the side effects of this will be for your other applications (because I didn't do any regression testing), but I'm not MS, so I don't really care. Mat

        • by badriram ( 699489 ) on Thursday January 05, 2006 @04:21PM (#14403897)
          They just blocked the execution of the vulnerable function. This to me is a mitigation method, not a patch. Think of it as, there is a vulnerability in mod_rewrite within apache, and a third party "patch", just disables it, to secure apache.
          • By your logic, Microsoft also has not patched the vulnerability. From the MS06-001 FAQ:

            Does this update contain any security-related changes to functionality? Yes. The change introduced to address this vulnerability removes the support for the SETABORTPROC record type from the META_ESCAPE record in a WMF image. This update does not remove support for ABORTPROC functions registered by application SetAbortProc() API calls.

            So, they basically used exactly the same workaround as the 3rd party patch that'

            • NO! (Score:5, Informative)

              by baadger ( 764884 ) on Thursday January 05, 2006 @06:14PM (#14405082)
              So, they basically used exactly the same workaround as the 3rd party patch that's been out for a week.

              The MS patch removes the call in the WMF rendering engine that calls the gdi32 Escape() function with the SETABORTPROC parameter. The 3rd party runtime patch that's been around 'for a week' killed the Escape() function's ability to receive the SETABORTPROC procedure in _all user32.dll bound applications_ called by _anything_ for _any purpose_, 'breaking' more than just the WMF rendering caller.

              Microsoft couldn't have done any better because this wasn't a coding error like a buffer overflow, it was an ancient long forgotten genuine feature.
          • But apparently Microsoft's patch does the same thing. From their FAQ:

            Does this update contain any security-related changes to functionality?
            Yes. The change introduced to address this vulnerability removes the support for the SETABORTPROC record type from the META_ESCAPE record in a WMF image. This update does not remove support for ABORTPROC functions registered by application SetAbortProc() API calls.
        • Re:8 Days to patch (Score:3, Informative)

          by flynt ( 248848 )
          The third party patch didn't actually (AFAIK) patch the file in the operating system. It simply blocked the calling of the Escape() function, which broke printing on several machines and programs. So while a decent workaround for this week, it really isn't a long term solution. I got this information from SANS' ISC.
        • Patches need to follow the "do no harm" mantra... you don't want to make things worse by issuing an untested patch. How many resources does it take to ensure, within 8 days, that the patch doesn't break any of the patched versions of Windows, doesn't expose any NEW security holes, and doesn't break any known applications?
      • Re:8 Days to patch (Score:5, Insightful)

        by croddy ( 659025 ) on Thursday January 05, 2006 @04:25PM (#14403931)
        1. Release patch 8 days late
        2. Describe it as an "early" release
        3. ???
        4. Profit!!!
    • by Anonymous Coward on Thursday January 05, 2006 @04:01PM (#14403691)
      Patch has been released.
      Get it here http://www.microsoft.com/technet/security/Bulletin/ms06-001.mspx [microsoft.com]

      According to the folks at F-secure, it co-exists well with Ilfak's unofficial patch as well as the REGSVR32 workaround. Read their blog here. http://www.f-secure.com/weblog/archives/archive-012006.html#00000771 [f-secure.com]
    • by cnettel ( 836611 ) on Thursday January 05, 2006 @04:04PM (#14403717)
      For an out-in-the-wild exploit, I would agree. For one that is currently, to their knowledge, not known among the script kiddies of the world, I'm not so sure. Releasing a patch will, generally, make those who are not yet prepared to implement it more vulnerable, if it means that knowledge of details is more wide-spread.

      I think that some corporate users (especially) are quite thankful for patch Tuesdays; especially those that have been bitten by some compatibility issue previously and can't just run autoupdate of all desktops at night, but rather want to roll it out manually.

      Again, this is not the case here, this exploit was discovered in the wild and it's spreading right now.

    • by targo ( 409974 ) <.moc.liamtoh. .ta. .t_ograt.> on Thursday January 05, 2006 @04:06PM (#14403740) Homepage
      It would have been nicer if they make patches available as soon as possible with or without strong customer sentiment.

      This doesn't make any sense. All patch release dates are a function of:
      1) impact of the problem
      2) complexity of required testing
      The idea being that the patch shouldn't cause more harm than the original flaw.
      If the impact is huge, testing of more obscure cases can be deferred somewhat. If the impact is small, more time can be taken.
      So if there hadn't been any customer sentiment (i.e. no one cared), it would make no sense to rush the patch and risk breaking something.
      • by grcumb ( 781340 ) on Thursday January 05, 2006 @04:51PM (#14404196) Homepage Journal

        "If the impact is huge, testing of more obscure cases can be deferred somewhat. If the impact is small, more time can be taken."

        I'm with you so far....

        "So if there hadn't been any customer sentiment (i.e. no one cared), it would make no sense to rush the patch and risk breaking something."

        Err, that's a non-sequitur. Whether customers care or not has nothing to do with the cost/benefit analysis that decides the timing and scope of an initial patch. A software company should never rely on its customers to perform risk analysis. If it's serious (and the WMF flaw is egregiously so), then you find a way to protect your customers as quickly and effectively as you can. In some cases - though certainly not all - you can even accept shortcomings in the patch itself if it significantly reduces the risk.

        The third-party patch, for example, causes issues with the Windows printing subsystem. People voiced suspicions that this might be the case right from the start, though confirmation only came through earlier today. To my mind, that was an acceptable risk. A server that can't perform some print tasks and won't show pretty preview icons is worth a heck of a lot more to me than one that's 0wned by some random script kiddy.

        And before some astroturfing twit spouts the simplistic, binary logic of 'MS is damned if they do and damned if they don't', I'd like to say from experience that deciding the timing of a security patch is a terribly difficult process. It requires the right amount of analytical skill, deep technical expertise, a healthy dose of horse sense and exactly the right measure of patience. Too much or too little of any of these can result in exactly the wrong kind of response.

        Patching is not about being a nice guy. It's not about what your customers think of you. There should be no marketing or sales angle in the creation or timing of a security patch. You determine the scope and severity of the threat, be as thorough as you can reasonably hope to be (and that's never as thorough as you'd like), and deliver it as soon as you reasonably can.

        I'm in complete agreement with this handler's diary [sans.org] from isc.sans.org [sans.org] concerning Microsoft's announcement that they would issue the patch at the regularly scheduled time. Given the severity of the flaw, it's unconscionable that they should leave their customers exposed for so long. The fact that they only decided to release the patch out of cycle in response to their users demonstrates that they're far more worried about their image than they are about their software. This does not bode well at all for them. Or for their customers, for that matter.

    • The problem MS has with their patching strategy is that problems are not one size fits all. There are things in various parts of Windows and other MS products that are low priority to update and will not be happy if I have to push out something out of cycle. On the other hand, there are very serious critical flaws that are very high priority that I would like to have immediately and would push out to every machine I could find immediately.

      All problems are not the same quality or severity so why is MS tryi
  • by B00yah ( 213676 ) on Thursday January 05, 2006 @03:58PM (#14403647) Homepage
    Thank you for your interest in obtaining updates from our site.

    To use this site, you must be running Microsoft Internet Explorer 5 or later.

    To upgrade to the latest version of the browser, go to the Internet Explorer Downloads website.
    • If you haven't been there since IE 5 was current, you're going to be a while.
    • by SenorCitizen ( 750632 ) on Thursday January 05, 2006 @04:21PM (#14403896)
      Thank you for your interest in obtaining updates from our site. To use this site, you must be running Microsoft Internet Explorer 5 or later.

      Funny, yes, but not true. The patch is available here:

      http://www.microsoft.com/technet/security/Bulletin/MS06-001.mspx [microsoft.com]

      Just downloaded it with Firefox. It's just Windows Update that requires IE.

    • go get the IEtab extension for Firefox and whitelist update.microsoft.com to use the IE engine instead of the gecko engine and viola...
  • Feh ! (Score:5, Funny)

    by witte ( 681163 ) on Thursday January 05, 2006 @03:58PM (#14403659)
    No problem... there's plenty of other exploits for windows.
  • whatever (Score:4, Funny)

    by TheRealMindChild ( 743925 ) on Thursday January 05, 2006 @03:59PM (#14403662) Homepage Journal
    testing has been completed earlier than anticipated

    Sure.
  • Splendid... (Score:4, Insightful)

    by Hymer ( 856453 ) on Thursday January 05, 2006 @03:59PM (#14403665)
    ...only 10 days too late...
    ---
    tis is not a FP
    • A few days earlier than they were notified about it, and before even the first /. duping? Nah, then Zonk and Taco couldn't outpost each other...
  • 3rd person (Score:5, Funny)

    by kennygraham ( 894697 ) on Thursday January 05, 2006 @03:59PM (#14403670)
    Microsoft writes: "Microsoft originally planned...
    kennygraham is glad that they're patching it early.
  • by zietlow ( 199661 ) on Thursday January 05, 2006 @04:00PM (#14403679)
    "in response to strong customer sentiment" I.e. we look foolish that the community was able to fix it sooner than we were. Here you go, we're not that bad after all, see?

    Let's be friends again.
    • Only if the real fix is such a "shut the thing off" workaround as both the unregistering and real unofficial GDI disabling patch was, which both disabled a lot of valid cases.
    • Re:is their face red (Score:3, Informative)

      by Sheepdot ( 211478 )
      Regarding the third-party patch...

      I simply unregistered the dll file on both work and home XP computers, but not the others I help supervise. The folks that are concerned about hackers "re-registering" it are working with the assumption that there is either another 0-day exploit out there that allows the hackers to do that, or don't understand how the vulnerability works. Also, the need for a patch on Windows 98, NT, or 2K is non-existent.

      I honestly think relying on a third-party to patch a system is ridicu
  • It's already out.. (Score:2, Insightful)

    by Anonymous Coward
    http://www.microsoft.com/technet/security/Bulletin/MS06-001.mspx [microsoft.com]

    WSUS picks it up on synch so start deploying once you've tested it internally. 5 days early? Not bad. Not great, but an official patch is always welcome. Hats off to the SANS team for applying the pressure. It's unfortunate that they were not mentioned in the Acknowledgements section of the MS06-001 release notes.
  • So early? (Score:4, Funny)

    by flicken ( 182650 ) <flicken-slashdotNO@SPAMflicken.net> on Thursday January 05, 2006 @04:01PM (#14403690) Homepage
    They would have released it earlier, but their test machines kept getting hacked...
    • They would have released it earlier, but their test machines kept getting hacked...

      I heard it was because they were having a tough time to come up with the $40 a computer needed to acquire the software to distribute in the patch.
  • The security update will be available at 2:00 pm PT as MS06-001 [microsoft.com]. In any case, I'm glad to see Microsoft listening to customers and security advocates to release before the regular monthly patch date.
  • Really? (Score:2, Interesting)

    by Life700MB ( 930032 )

    Is really a problem of customer sentiment, or is actually the public embarrassment of a third party releasing a patch quicker even without the source code of the libraries?

    • There's speculation that when sober.z goes into action tomorrow it may try to download a WMF exploit, hence the quick turnaround on the patch.

      I think that by this point Microsoft is pretty much numbed when it comes to public embarrassment.

    • is actually the public embarrassment of a third party releasing a patch quicker even without the source code of the libraries?

      If by "patch" you mean "untested workaround that disables other functionality" then you might have a point.

      The unofficial patch isn't really comparable.
  • by Anonymous Coward
    Let me guess, they've added a warning message that says you're about to download or open a WMF then lets you do it anyway? It took them all week to develop because they needed to translate "OK" and "Cancel" to 47 different languages.
  • by Gadren ( 891416 ) on Thursday January 05, 2006 @04:03PM (#14403710)
    "It appeared that there had even been demonstrations to thank Big Brother for raising the chocolate ration to twenty grammes a week. And only yesterday, he reflected, it had been announced that the ration was to be reduced to twenty grammes a week. "
  • I call bullshit (Score:2, Insightful)

    by Anonymous Coward
    Somebody within M$ finally awoke to the public outcry from the sysadmins and ISC. Leaving your customers swinging in the breeze for weeks to release such a critical patch is criminal.
  • Here's the actual link to MS's site that describes the patch: Microsoft Security Bulletin MS06-001 [microsoft.com]
  • by Quiet_Desperation ( 858215 ) on Thursday January 05, 2006 @04:06PM (#14403737)
    "I usually sleep in to a reasonable hour for a Thursday, like, noon," said Microsoft, appearing at 8am at a press conference outside a Hardee's in Iowa, dressed in slippers and a blue bathrobe with the words 'Sexy Grandpa' emblazoned on the back. "But all you whiiiiiiiiners wouldn't let me get my rest. So I'll crank this thing out and have it on Windows Update by 11am."

    "When will the patch for the patch be released?" asked Fox News correspondent Bubbles McConnifer, causing the press corps to giggle like schoolgirls in heat.

    "Smile when you said that, bitch," growled a visibly angered Microsoft, who then motioned to two pinstripe suited thugs who escorted Ms. McConnifer from the press conference.

    "Any other questions, whores?" asked Microsoft, placing fists on hips and allowing his 'MS Certified Otakus Rule!' T-Shirt to be seen. His query was greeted by silence. "Well alright, then."

  • I'd like to know how many people downloaded and installed the "hacked" version(s). Any firm numbers out there? Thousands, hundreds of thousands, millions?
  • by ctid ( 449118 ) on Thursday January 05, 2006 @04:09PM (#14403775) Homepage
    testing has been completed earlier than anticipated

    Our customers are getting pwn3d.
  • I know, I know... (Score:3, Insightful)

    by Eberlin ( 570874 ) on Thursday January 05, 2006 @04:11PM (#14403788) Homepage
    Damned if they send out patches as they're made (too many, too confusing) and damned if they wait 'til Patch Tuesday (negligent, inconsiderate).

    We can't have it both ways, and neither should they. I say send out patches as they're made and let the sysadmins be responsible for whether they can keep up or not. It may be difficult to admin many machines that have to be patched but I'd rather have fixes available ASAP and put the burden on IT to apply them.

    Yeah, there are patches that will break stuff and ample testing should be done anyway...but does rolling them all into a Patch Tuesday really change that fact? Probably not.

    With this sentiment, we can put more pressure on Patch Tuesday for what it really is -- a Trustworthy Computing PR stunt in which the number of fixes and vulnerabilities seems to be lower (since we're only patching once a month...maybe).

    All that said, kudos to MS for reacting...but unkudos for taking this long...and major unkudos for being naive about the WMF design to begin with.
    • Damned if they send out patches as they're made (too many, too confusing) and damned if they wait 'til Patch Tuesday (negligent, inconsiderate).

      Yup, but not damned if they fix the obvious design blunders that lead to many of these exploits, do security audits before releasing new technologies, and build an architecture that is not so brittle so that users don't have to worry that a patch to the web browser will break both core OS functions and third party applications.

  • by LinuxDon ( 925232 ) on Thursday January 05, 2006 @04:13PM (#14403801)
    The exploit writers have had the exploit ready for quite a while now.
    While MS was 'testing' everyone has been installing 'fixes' from other sites..
    Even IF their patch was not 100% it wouldn't really have mattered in this case.

    There was a gaping security hole in their OS and they still needed 12 days to come up with a fix!
    For such a large company whose software is being used by *millions* of people worldwide and 7 billion a quarter profit, they've sure taken their sweet time!

    Why don't they take some 0.01 percent of that 7 billion and test/release it sooner?
  • by Ransak ( 548582 ) on Thursday January 05, 2006 @04:15PM (#14403831) Homepage Journal
    The security update will be available at 2:00 pm PT as MS06-001.

    ... meaning all us east coast admins will be staying late tonight. Joy.

  • Clip Art (Score:2, Interesting)

    by scolby ( 838499 )
    Intrigued with the brouhaha surrounding WMFs, I did a search for them on my machine. The only WMFs I found were Microsoft's clip art. Which begs the question: is there anyone out there who isn't Microsoft who commonly uses this file type?
  • by briqui ( 256917 ) on Thursday January 05, 2006 @04:17PM (#14403854) Homepage
    Telling everyone that they are going to wait till Tuesday to patch the problem, then releasing a patch 5 days earlier might actually be quite a neat trick.

    I'm sure a lot of people out there who were planning to take advantage of this problem have been thinking that they have till Tuesday to write a really good exploit, and therefore not hurrying too much.

    Now Microsoft come along and patch it early.

    I don't know about anyone else but I was expecting Monday to be a day from hell...

    • "I'm sure a lot of people out there who were planning to take advantage of this problem have been thinking that they have till Tuesday to write a really good exploit, and therefore not hurrying too much."

      I don't believe that for a second. People who wanted to take advantage of this flaw had their code done within 48hrs of the public disclosure. No serious hackers were waiting till this weekend to try and catch some people. It's a race you see. The last thing they wanted was to wait a week and let Antivirus ma
  • Right... (Score:2, Funny)

    by Anonymous Coward
    Does this mean I can't have an image file that creates bouncing pictures hopping around on my screen with some guy screaming that I am looking at gay porno?

    srsly, fuck u miKKKro$haft
  • The Real Reason (Score:3, Insightful)

    by guaigean ( 867316 ) on Thursday January 05, 2006 @04:20PM (#14403891)
    Actually they are doing this to save face. The reason it is being put out "early" is because someone else wrote a fix for it already. People apparently flowed to this other site for the patch, and people started wondering what the problem was. Here was a person who without the Windows source fixed the bug, while Microsoft itself with full access to the code was delaying. In order to save face they had to rapidly deploy it rather than sit on it as they normally do.
  • by shoptroll ( 544006 ) on Thursday January 05, 2006 @04:23PM (#14403914)
    This wouldn't have anything to do with the fact that the fix got leaked early, would it?

    http://grc.com/sn/notes-020.htm [grc.com]
  • Why not... (Score:2, Funny)

    by darthservo ( 942083 )
    Use the exploit to their advantage? Just change their logo to a WMF and use the exploit to push the patch out?
  • will? or did.. (Score:4, Interesting)

    by mottie ( 807927 ) on Thursday January 05, 2006 @04:29PM (#14403963)
    Posted by CmdrTaco on Thursday January 05, @12:56PM (3:56PM EST)

    Chran writes "Microsoft has just announced that they will release a security update for the .WMF-exploit today at 2pm EST


    talk about releasing the news late.. the patch was already out by the time slashdot had the "news" that microsoft would be releasing the patch.
  • From the bulletin [microsoft.com]:
    The change introduced to address this vulnerability removes the support for the SETABORTPROC record type from the META_ESCAPE record in a WMF image.

    So all of you out there with WMFs with SETABORTPROCs in your META_ESCAPE records, beware!
    (Not sure what I just said.)
  • by antispam_ben ( 591349 ) on Thursday January 05, 2006 @04:38PM (#14404038) Journal
    Translation: "Our ass needed covering even earlier than anticipated."
  • Early? (Score:2, Insightful)

    by BumpyCarrot ( 775949 )
    Early would have been before the original flawed release, surely?
  • I was intending to submit this as a story, but I'm sure someone else will save me the trouble in a few days' time ;)

    The - final? - twist in the long, strange trip of the WMF bug - the vulnerability that just keeps on giving - has been revealed by H D Moore, the author of the Metasploit exploits (which is now on a third generation and even tricksier than ever!:)

    After all the jokes about WINE compatibility [google.co.uk]... it turns out that WINE is vulnerable, too!! [neohapsis.com]

    To quote the words of a song by H D's namesake, Du
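
The bulletin text quoted several times in this thread says the update removes support for the SETABORTPROC record type from the META_ESCAPE record in a WMF image. As an added example (not from the thread, the bulletin or any vendor tool), this Python scanner walks a WMF record stream and reports every META_ESCAPE record that carries that escape function, the check a mail or web gateway could run on inbound files. The record layout and constants follow the published WMF format; the helper names and both sample files are constructed here, and the flagged sample has an empty escape body.

```python
import struct

PLACEABLE_KEY = 0x9AC6CDD7  # magic of the optional 22-byte placeable header
META_EOF = 0x0000
META_SETMAPMODE = 0x0103
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009       # escape function named in the bulletin
MFCOMMENT = 0x000F          # a harmless escape function, used in the sample


class WmfParseError(ValueError):
    """Raised when the input does not parse as a WMF record stream."""


def find_setabortproc(data):
    """Return byte offsets of META_ESCAPE records that carry SETABORTPROC."""
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22  # skip the placeable header if present
    if len(data) < off + 18:
        raise WmfParseError("truncated META_HEADER")
    mtype, header_words = struct.unpack_from("<HH", data, off)
    if mtype not in (1, 2) or header_words != 9:
        raise WmfParseError("META_HEADER not recognised")
    off += 18
    hits = []
    while off + 6 <= len(data):
        # Each record: 32-bit size in 16-bit words, then 16-bit function.
        size_words, func = struct.unpack_from("<IH", data, off)
        if size_words < 3:
            raise WmfParseError("record size below minimum at offset %d" % off)
        if func == META_EOF:
            break
        # The format identifies the record type by the low byte of the
        # function word, so only that byte is compared.
        if (func & 0xFF) == (META_ESCAPE & 0xFF) and off + 8 <= len(data):
            (escape_fn,) = struct.unpack_from("<H", data, off + 6)
            if escape_fn == SETABORTPROC:
                hits.append(off)
        off += size_words * 2
    return hits


def record(func, params=b""):
    """Build one record (constructed test data helper)."""
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def build_wmf(records):
    """Wrap records in an 18-byte META_HEADER and append META_EOF."""
    records = list(records) + [record(META_EOF)]
    body = b"".join(records)
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2,
                         0, max(len(r) for r in records) // 2, 0)
    return header + body


# Constructed samples: an ordinary comment escape, and an escape record
# with the SETABORTPROC function and a zero-length body.
BENIGN = build_wmf([
    record(META_SETMAPMODE, struct.pack("<H", 8)),
    record(META_ESCAPE, struct.pack("<HH", MFCOMMENT, 4) + b"note"),
])
FLAGGED = build_wmf([
    record(META_SETMAPMODE, struct.pack("<H", 8)),
    record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 0)),
])

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("flagged", FLAGGED)):
        print(name, find_setabortproc(sample))
```

A hit means the file uses a record type that the patched renderer no longer honours, so quarantining it costs nothing on updated systems.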
