Two New WMF Bugs Found
Resident Egoist writes "Via PCWorld the news that two new Metafile bugs have been found, just a week after the patching of previous critical WMF issues." From the article: "All three flaws concern the way Windows renders images in the Windows Metafile (WMF) format used by some CAD (computer-aided design) applications, but these latest flaws are far less serious than the vulnerability that Microsoft patched last week, according to security experts. That vulnerability was serious enough to cause Microsoft to take the unusual step of releasing an early patch for the problem, ahead of its monthly security software update."
Microsoft is up to the challenge. (Score:4, Funny)
Re:Microsoft is up to the challenge. (Score:2)
Why does everyone have to bring up libwmf? (Score:1)
The other two flaws seem to be implementation specific
Non-critical (Score:4, Informative)
In other news, Ullrich's quote in TFA was hilarious.
Re:Non-critical (Score:1, Informative)
Unofficial Translation (was:Non-critical) (Score:2)
It makes you wonder... (Score:1)
Re:It makes you wonder... (Score:3)
Re:It makes you wonder... (Score:5, Informative)
Re:It makes you wonder... (Score:3, Informative)
Re:It makes you wonder... (Score:2)
If you actually code for a living you should stop right now. (living or coding, either way works for me).
The bugs demonstrated here are not buffer overflows. They
Re:It makes you wonder... (Score:5, Informative)
Re:It makes you wonder... (Score:1)
Re:It makes you wonder... (Score:2)
Well, I'm glad I use PHP [php.net] so that I don't have any of those nasty security problems!
It's kinda funny - things like buffer overflows just don't really happen in PHP (at least, in the PHP code, a few have been found in the C code in which PHP itself is written) but there are still a slew of security issues. A few I end up thinking about most:
1) SQL-Injection. This can be handle
Re:It makes you wonder... (Score:2)
With the exception of uninitialised variables (which can happen in C but is more likely to happen in PHP due to its lack of required declaration), all of these are things that affect poor programmers working in any language.
Re:It makes you wonder... (Score:1)
Re:It makes you wonder... (Score:1)
Cooper says that the new WMF vulnerabilities are not a major cause for concern. "New malformed images that simply crash things aren't really that important unless they can be shown to cause code to execute," he said via instant message.
Those Who Ignore History Are d00m3d to Relive It (Score:1)
So Microsoft poo-poos [informationweek.com] the bugs. Not an issue, overblown, won't affect anybody.
Andy Grove could advise them [informationweek.com] on how not to handle such situations.
please tell me one of the bugs is not a bee, we're still sorting it out. [slashdot.org]
Re:Those Who Ignore History Are d00m3d to Relive I (Score:4, Insightful)
Sales Pitch of a New Millennium? (Score:1)
Announcing Bill The Cat's [dragonswest.com] PC Operating System -- As many bugs, if not more than other leading brands, such as Microsoft Windows 98, 2000 and XP!
"unusual"? (Score:1, Insightful)
What's so unusual about that? (Seriously, it seems to happen every few months.)
Re:"unusual"? (Score:2)
"Hacker" (Score:5, Insightful)
If you read the post on the security mailing list it sounds like someone trying to get this vulnerability out in the open so it can be fixed. Unless they mean a "white hat" hacker or a hacker in the real sense of the word but I doubt it. This is one of those words that should be used carefully, especially by "journalists".
Re:"Hacker" (Score:5, Insightful)
This is a good point. A "black hat" hacker does not disclose bugs, but rather keeps them quiet or shares them with select friends, and peers.
A person releasing this information to a security list is either a concerned "citizen", or a security person.
A citizen posting information to a newspaper editorial about lack of security at the courthouse, for instance "I was at the courthouse, and there was a side door that wasn't being watched at all by anyone!" wouldn't get immediately marked as a terrorist.
Why should we automatically mark a person disclosing computer-security information to the public as a whole, as a hacker?
Re:"Hacker" (Score:2)
One wonders if a sufficient population of Hacks tomes in the market will convince people that emancipation from Redmond is possible...
Re:"Hacker" (Score:3, Funny)
I even read it that way.
Re:"Hacker" (Score:2)
Because once a bug has been found, it needs to be fixed, and that costs the developer money. The bug being made public also hurts the developer's reputation. Therefore, it is in the developer's best interest to try to keep the bugs from being made public, by, for example, suing and badmouthing the person who found it.
Just another example of enlightened self-interest and shareholder value
but wait did the MS apologist not say (Score:1, Troll)
oh this does not count as it was a different problem and can't be exploited (yet) and just because it is in the same code I am a meanie for thinking MS should have fixed WMF once and for all?
8 days should have been enough time for MS to completely check the code involved and use every attack possible. The fact that MS obviously hasn't bothered
Re:but wait did the MS apologist not say (Score:5, Insightful)
Yes, because breaking hundreds of people off their regular duties, tracking down 10 year old code written by someone who either doesn't remember writing it or no longer works there, correcting the code in a way that prevents the exploit, but doesn't impact functionality, testing the correction on all supported versions of Windows, numerous hardware configurations, and against dozens of 3rd party software packages that use the library, then documenting the problem, the change, and the dissemination of the change, then getting the whole thing wrapped up into a nice neat deployment package, is easy.
Yeah, I can see how 8 days is slacking.
Try reading this article: http://blogs.msdn.com/ericlippert/archive/2003/10
-Rick
Re:but wait did the MS apologist not say (Score:3, Interesting)
But maybe if they had been doing those in the first place they wouldn't be patching it now.
Re:but wait did the MS apologist not say (Score:2)
Have you ever worked on a large software project? No matter what you do, if your code is large, complex, and used extensively, there will be security flaws that need patching. There is no process or technique that can provide the same level of testing as 600 million users and (at least) several thousand individuals working to break your product.
Indeed, security vulnerabilities have dropped in severity and number with M
Re:but wait did the MS apologist not say (Score:3, Informative)
Actually, given MS' scope and resources I fully expect them to have a staff whose regular duties consist solely of fixing these types of problems.
Re:but wait did the MS apologist not say (Score:3, Informative)
What it really boils down to is that Microsoft isn't in the business of writing quality code. Their goal is to pump out code that is good enough to maximize profits. This is why Free Sof
Re:but wait did the MS apologist not say (Score:2)
seeing is believing
Re:but wait did the MS apologist not say (Score:2)
I'll give you an example: when the last zlib overflow patch came out, I patched it immediately. If it breaks, big deal-- I lose the ability to scan inside zip archives on my mail gateways. But if I wait for it to be "fully tested", whatever that means, then I might get hit with a worm that compromises my mail gateways, or worse. I think I'll take the chance.
I'm goin
Re:but wait did the MS apologist not say (Score:2)
Re:but wait did the MS apologist not say (Score:3, Informative)
Re:but wait did the MS apologist not say (Score:2)
Tracking the code down should be no problem. They know what function in what dll it was - how hard is it to find the code for it?
correcting the code in a way that prevents the exploit, but doesn't impact functionality,
Shouldn't take more than a day. Two, tops.
testing the correction on all supported versions of windows, numerous hardware configurations, and against dozens of 3rd party softwa
Re:but wait did the MS apologist not say (Score:5, Insightful)
Most of the 8 days wasn't spent checking that the exploit was fixed. I'm sure that part went fairly quickly. The real issue is that although WMF files are fairly rare, the WMF format is used extensively inside Windows. The feature in question is only a security issue when found in arbitrary WMF files, but serves a legitimate purpose when used inside of applications. The 3rd party fix floating around broke some printer drivers and probably other software, whereas Microsoft's fix resulted in less (if any) broken software. The bulk of the time was spent testing the fix for unexpected consequences.
Bug Fix Issues (Score:3, Interesting)
Re:but wait did the MS apologist not say (Score:1)
then how is it possible MS
decided to release the patch 5 days earlier than they said they would
That day of the month
Patch Day
wouldn't be they were sitting it on ice waiting for patch day
but released it early due to public backlash
All I can say is... (Score:3, Insightful)
Name the Culprits (Score:4, Insightful)
Re:Name the Culprits (Score:4, Insightful)
Speaking as a professional software developer, I have a manager for exactly this reason - if we f*ck up (for whatever reason, but usually because deadlines mean testing doesn't happen), the project manager gets the blame.
In a perfect world software developers unit test their code, and then testers run through a test plan that was written before development began. Unfortunately we don't live in a perfect world - which is why ideas like "extreme programming" came about.
Re:Name the Culprits (Score:1)
We Share Your Pain (WE-SUP) (Score:1)
Re:Name the Culprits (Score:2)
Do you know how many people that would be for WMF? It's been around as a file format almost 20 years. I bet there's at least a hundred people who have touched the MS WMF parsing code. Find who wrote the exploitable lines of code you say? Fine, spend the time going back through that 20 years of versioning to blame someone for code they probably wrote over a decade ago - a process that would take longer than patching the exploit. Th
Re:Name the Culprits (Score:5, Insightful)
Software is developed by a team. No, not a team of programmers, but a team of people that may include architects, designers, UI designers, programmers, integrators, testers at various levels, management and marketing. This list changes in different environments. Often smaller, but sometimes larger.
When a bug is found, who is responsible? Is it the programmer? Is it the tester that missed the bug? Is this "bug" actually a feature requested by marketing? Is this bug the result of mis-design? Was this bug either ignored or not found because of insufficient time allotted by management?
It's easy to point fingers, but how do you decide who to point them at?
Re:Name the Culprits (Score:2)
Actually I have -- and do.
Re:Name the Culprits (Score:2)
1- Viruses didn't need vulnerabilities such as this one to run since most people didn't have antivirus software and would execute any program they got from anyone.
2- Knowledge about security wasn't as widespread as it is now.
So should they blame the original developers of the WMF code or the people who decided to use their code in new windows versions without having it reviewed?
Re:Name the Culprits (Score:2)
And the WMF "vulnerability" was NOT a vulnerability. It was a feature (you could attach executable code in the WMF for some reason, yes). Of course it was created when there was no internet, but it was a feature and it might have been a useful feature at that time.
Re:Name the Culprits (Score:2)
The distinction between feature and vulnerability is fuzzy. The fact that Windows XP ships with a blank administrator password is a feature too. Many home users find passwords bothersome. But the feature making the machine vulnerable to administrator level access with no password is a vulnerability. The code placed in the Sony rootkit remover that allowed the web browser to execute arbitrary code remotely was a feature too. But the fact that it could be used to run arbitrary code was also a vulnerability.
The real question is... (Score:5, Insightful)
Knowing that the WMF code is now under the microscope, will they divert resources to specifically re-vet that code, or will they sit on their rear ends and wait until another exploit is found for them?
As a tidbit of information, I have "converted" three of my neighbors to Linux -- at least dual booting, if not whole penguin -- in the last two months. Each time was at their request and for the exact same reason. Their Windows PC regularly gets trashed by spyware, viruses and worms and they've just damn well had enough in having to deal with it all. They want to get their work done, not fight with malware and have to upgrade machines because their old one isn't powerful enough to run their apps AND all the "keep me safe" software.
-Charles
Re:The real question is... (Score:2, Interesting)
Re:The real question is... (Score:2)
You're right, they were all doing something "wrong". They all had virused
Re:The real question is... (Score:3, Funny)
So did you talk them into upgrading? I find loading up anything good on an old box is a noticeable slowdown
Actually have the same problem at office, I can't run the AV/Firewall and actually use our main program at the same time
Re:The real question is... (Score:3, Insightful)
I almost always convinced them to install more RAM. Many of the machines were an anemic 128 Mb of RAM. Boosting them to 512 Mb made a big difference, Windows or Linux.
Beyond that, only one person had an old, old machine (350 MHz P-2, 128 Mb RAM Dell Optiplex GX-1) and Slackware 10.2 runs fine on that. It runs absolutely great after I had them upgrade the RAM to 512 Mb. They use it for e-mail, web
I just trashed an old Pentium III machine (Score:2)
I ran the old thing behind a firewall and got my wife used to OpenOffice, FireFox and Thunderbird so it was pretty safe.
Performance was pathetic but since the box originally cost me nothing (a 'freebie' with tuition) I figured I was ahead of the game.
It was XMas, her iTunes had stopped working because of a DLL hell problem, so I bought the new box. (I actually bought 2 boxes, and one is slicing and dicing on Slackware Linux and its noticeably faster
Re:The real question is... (Score:1)
Re:The real question is... (Score:2)
I've heard a lot of people say that. Usually it emerges that their ISP filters things.
I use firefox with noscript and adblock on my home windows machine.
So you're the person responsible for having those unintrusive banner ads replaced by CPU-sucking flash ads. Anyway, why should you need to block scripts?
I surf the web, but generally not to www.trytohackmywindow
What browser are you using though? (Score:2)
What browser do you use though? If it's Mozilla or a derivative (e.g. FireFox) I'd say you should be more careful. Mozilla is probably in the same order of magnitude of bugginess as IE (if not more so - just look at Mozilla's track record). It's just not targeted as much publicly. Just wait till it gains even more marketsha
Re:What browser are you using though? (Score:1)
Re:What browser are you using though? (Score:2)
Konqueror. I don't trust anything extensible that has to deal with remote content.
Basically any software that has had a history of crashing can probably be exploited[1].
Konq doesn'
Re:What browser are you using though? (Score:2)
With regards to the google desktop thing, I don't run google desktop myself, the problem is there may be other stuff in the background that go about doing similar things (maybe not on my personal PC but other people's PCs e.g. mom's), and I worry that those processes just might be running with higher privileges than normal restricted user (which I've got mom etc to run as - with no comp
Re:What browser are you using though? (Score:2)
Good point. I wonder whether XP's indexed search feature could trigger this, if so, ouch.
Re:The real question is... (Score:2, Informative)
http://www.microsoft.com/technet/security/Bulleti
http://www.microsoft.com/technet/security/Bulleti
Re:The real question is... (Score:2)
The first one is about a web fonts exploit
The second has something to do with Microsoft Outlook, Microsoft Exchange, or customers who have the Microsoft Office Multilingual User Interface Packs, Microsoft Multilanguage Packs or Microsoft Office 2003 Language Interface Packs
Both are critical, but only the first one affects Windows. #2 only exploits Office/Exchange/etc.
That's not the best part... (Score:1)
misplaced modifier (Score:1)
Thinking a bit more about this... (Score:1)
Re:Thinking a bit more about this... (Score:1)
All right, thinking even more about this... (Score:3, Interesting)
Oh, do you really believe that it is difficult to predict that failure to check for null pointers in C code might lead to serious problems? Criticizing coding and QC practices that don't measure up to professional standards is hardly facile or unworthy. It's sort of like criticizing rampant fraud, waste, and abuse in our government. Never excuse
Microsoft Security Resource Center (MSRC) Blog (Score:5, Informative)
M$ not working hard enough on bugs.... (Score:2, Funny)
Turn it all off? (Score:2)
(Or do I?)
Re:Turn it all off? (Score:2)
Re:Turn it all off? (Score:2)
Re:Turn it all off? (Score:1)
Re:Turn it all off? (Score:2)
Actually... (Score:3, Informative)
Just because you don't think you're using it, doesn't mean Microsoft's not using it for you.
Re:Actually... (Score:1, Interesting)
It's no different in design to a PICT resource that the Mac toolbox uses (and I'm sure OS X to this day still has an interpreter in it).
Indeed... (Score:2)
I am sorry to report . . . (Score:3, Funny)
Darn banner ads!
Re:Uhh, WMF is used by more than just CAD programs (Score:1, Redundant)
Re:Uhh, WMF is used by more than just CAD programs (Score:2)
From TFA: "...the latest vulnerabilities appear to pose the risk of simply crashing the WMF-viewing software, typically Internet Explorer".
Crashing. Whoop-dee-doo. Annoying, sure. Hardly a security issue. (And no, the crash hasn't been shown to allow executed code, either.)
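The crash-versus-code-execution distinction above comes down to how the viewer handles lengths it reads from an untrusted file. As an added example, not code from the article or from any poster, here is a bounds-checked walk over a WMF record list in C that reports malformed sizes instead of reading past the buffer; it assumes the standard header and record layout (18-byte METAHEADER, DWORD rdSize in WORDs, WORD rdFunction, function 0x0000 for META_EOF) and uses constructed sample bytes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not Microsoft's code): a bounds-checked walk over the record list of a
 * standard (non-placeable) WMF file. Every declared length is checked before it is used. */
enum wmf_status { WMF_OK = 0, WMF_TRUNCATED, WMF_BAD_HEADER, WMF_BAD_RECORD, WMF_NO_EOF };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
/* Validates buf[0..len). On WMF_OK, *nrecords is the record count before META_EOF. */
enum wmf_status wmf_check(const uint8_t *buf, size_t len, size_t *nrecords)
{
    size_t off = 18, count = 0;                      /* METAHEADER is 9 WORDs = 18 bytes */
    if (len < 18) return WMF_TRUNCATED;
    uint16_t type = rd16(buf), hdrsize = rd16(buf + 2), version = rd16(buf + 4);
    uint32_t size_words = rd32(buf + 6);             /* mtSize: whole file, in WORDs */
    if ((type != 1 && type != 2) || hdrsize != 9) return WMF_BAD_HEADER;
    if (version != 0x0100 && version != 0x0300) return WMF_BAD_HEADER;
    if (size_words > len / 2) return WMF_BAD_HEADER; /* claims more data than we were given */
    for (;;) {
        if (len - off < 6)                           /* rdSize (DWORD) + rdFunction (WORD) */
            return off == len ? WMF_NO_EOF : WMF_TRUNCATED;
        uint32_t rsize_words = rd32(buf + off);
        uint16_t func = rd16(buf + off + 4);
        if (rsize_words < 3) return WMF_BAD_RECORD;               /* smaller than its own fixed part */
        if (rsize_words > (len - off) / 2) return WMF_BAD_RECORD; /* would run past the buffer */
        if (func == 0x0000) {                                     /* META_EOF */
            if (rsize_words != 3) return WMF_BAD_RECORD;
            *nrecords = count;
            return WMF_OK;
        }
        off += (size_t)rsize_words * 2;
        count++;
    }
}

/* Constructed sample: 18-byte header (mtSize = 16 WORDs), one META_SETMAPMODE record, META_EOF. */
static const uint8_t good_wmf[32] = {
    0x01,0x00, 0x09,0x00, 0x00,0x03, 0x10,0x00,0x00,0x00, 0x00,0x00, 0x04,0x00,0x00,0x00, 0x00,0x00,
    0x04,0x00,0x00,0x00, 0x03,0x01, 0x08,0x00,   /* rdSize=4 WORDs, 0x0103 SETMAPMODE, MM_ANISOTROPIC */
    0x03,0x00,0x00,0x00, 0x00,0x00               /* rdSize=3, function 0x0000 = META_EOF */
};
enum wmf_status check_good(void) { size_t n; return wmf_check(good_wmf, sizeof good_wmf, &n); }
size_t good_record_count(void) { size_t n = 0; wmf_check(good_wmf, sizeof good_wmf, &n); return n; }

/* Same file with the first record's rdSize corrupted to 0x7FFFFFFF WORDs. */
enum wmf_status check_oversized(void)
{
    uint8_t bad[sizeof good_wmf]; size_t n;
    memcpy(bad, good_wmf, sizeof bad); bad[18] = bad[19] = bad[20] = 0xFF; bad[21] = 0x7F;
    return wmf_check(bad, sizeof bad, &n);
}

/* Same file cut to `bytes` bytes, mtSize patched to match (26 drops META_EOF; 22 splits the record). */
enum wmf_status check_cut(size_t bytes)
{
    uint8_t cut[sizeof good_wmf]; size_t n;
    memcpy(cut, good_wmf, bytes); cut[6] = (uint8_t)(bytes / 2); cut[7] = 0;
    return wmf_check(cut, bytes, &n);
}
int main(void)
{
    static const char *names[] = { "ok", "truncated", "bad header", "bad record", "no EOF" };
    printf("good: %s, %zu record(s)\n", names[check_good()], good_record_count());
    printf("oversized: %s, cut to 26: %s, cut to 22: %s\n",
           names[check_oversized()], names[check_cut(26)], names[check_cut(22)]);
}
```

A renderer that validates this way turns a malformed image into a rejected file rather than a crash, which is the behaviour the distinction in the comment above depends on.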
Re:Uhh, WMF is used by more than just CAD programs (Score:3, Insightful)
Too little too late? (Score:3, Interesting)
But still released many days after independent programmers (e.g. Ilfak Guilfanov [hexblog.com]) managed to build a fix. At work (a national lab), we were explicitly instructed not to wait for the early windows patch.
Re:Too little too late? (Score:2)
Take that... (Score:1)
Compatibility vs. security (Score:5, Informative)
Take WMF files for example. Obviously nobody making new software today would incorporate WMF technology. It's obsolete and unpopular. The only people who use WMF tech today are those who are using software that was designed to make use of that format. And therein lies the problem. At some point in time, software programs were created that used WMF technology. MS could come out and say "WMF is obsolete, and rather than take the risk of continuing to include a software component that may compromise security, we're going to completely remove support for it in future versions of Windows, since barely anybody uses it anyway." If MS were to say that with enough legacy technologies, people would get mad at them. If you're using or writing software for some new technology, you AT LEAST want to take solace in knowing that, even if it's unpopular and discontinued, it will at least remain USABLE on future systems.
So I can sort of understand MS's pickle from that point of view. It's sort of like users complaining that some security hole in Windows 3.1 has, in 2005, still not been patched. And on the other hand, a whole wave of users would potentially be up in arms if MS decided to, in the name of security, remove support for running old 16-bit Windows 3.1 programs in Windows XP.
And incidentally, I have a box of clip art CDs in WMF format.
The same people on this forum who would criticize MS for not patching AND not removing WMF support, probably wish that Windows XP had better support for the old early-mid 90's DOS games. And yet it might be a completely impractical task (not to mention an expensive one given the limited appeal of the feature) to eliminate all of the security risks posed by support for DOS (and, don't forget, back in the DOS era, a virus was more likely to format your hard drive than email your address book).
Windows may be a feature-driven, compatibility-over-security operating system, but just because we all want security, let's not pretend we don't like features and compatibility.
Re:Compatibility vs. security (Score:2)
It's not that tough a concept. Linux distros did it a long, long time ago (disabling services by default).
Re:Compatibility vs. security (Score:2)
This particular example is not too good; old DOS games work perfectly fine in an x86 emulator like Dosbox.
Re:Compatibility vs. security (Score:2)
There are workarounds, adapters, modifications, etc, for lots of obsolete technologies. That doesn't help the millions of DOS gamers who aren't savvy enough to download DosBox.
But perhaps a better example that's similar to the WMF exploit is electrical outlets: Modern consumer electronics have plugs designed to only be compatible with outlets that indicate the proper polarity. They won't fit into older out
Re:Compatibility vs. security (Score:2)
Google search for "old dos games" [google.com]. Check out the "essential utilities" link. I also doubt there are really "millions of DOS gamers", especially ones who are running win2k/xp and aren't savvy enough to figure it out.
If that's too nitpicky:
These "legacy" adapters are similar to MS's continued inclusion of WMF. They provide some backwards compatibility, at the expense of safety/security.
These "legacy adapters" don't come wit
Re:Compatibility vs. security (Score:2)
However many people were buying and playing DOS games in the early-mid 90's, that's how many potential "I want to play DOS games" gamers exist today. I don't know if it's a few hundred thousand or a few million, but I'm guessing it's the latter. Nearly everyone is running Win2k/XP today. You don'
Re:Compatibility vs. security (Score:2)
If you're going to put it this way, then I can't disagree!
Why blame the file format? (Score:2)
Like the last so-called WMF bug, this is not a bug in the format, it is a flaw in a specific renderer (the MS Windows graphics subsystem, in this case) that supports the format.
In fact, data does not in general ever contain software bugs. It is in fact the executables that might interpret that data, which contain the bugs. That there may exist datastreams that can exploit vulnerabilities in ex
Re:I feel safe now. (Score:2)
Re:A fix for all WMF Exploits? (Score:1)