WMF vulnerability

[fdv]

hi folks, i know this is like a week old, but in case you've been too busy partying, due to a WMF vulnerability, "browsing the web was not safe anymore, regardless of the browser."

http://www.hexblog.com/2005/12/wmf_vuln.html

An unofficial, non-slipstreamable patch is available. It is NOT an MS patch, please read about it, don't ask how to slipstream it, don't ask why it isn't listed in the hotix list posts, just read and decide if you want to deploy it, since MS isn't doing anything at all to fix it.

[Tomcat76]

Microsoft: "Un-register the Windows Picture and Fax Viewer (Shimgvw.dll) (...). While this workaround will not correct the underlying vulnerability, it will help block known attack vectors."

So it should be possible to unregister it with a CMD as a temporary fix until the real problem is dealt with by MS.

If we had to take into account "unknown attack vectors" as well we'd be better off switching to Linux immediately.

[tommyp]

That is pretty cool! Even MSFT doesn't know how to fix their code. Hey, is the problem just the Shimgvw.dll file? If it is, how does it get installed (what INFs)? If such is the case, we can let HFSLIP fix it! All that is needed is a few files placed in the HFCLEANUP folder and we're home free (and bug free too).

If anyone knows the INFs I'll write up some files for your HFSLIPing pleasure.

[I_Broke_My_MHZ]

Some facts about this new troublesome vulnerablility:

1) Effects Win98/ME/2000/XP/2003

2) Indexing programs like googledesktop further enhance the ability of the virus to infect the computer.

3) Some browsers cannot open the image without the aid of another program. If the browser is set to prompt before doing so, this can reduce the risk.

4) Even if the extention is changed (say .bmp or .jpg), some image programs will still attempt to render the image correctly and thusly infect the system.

[Tomcat76]

MultiCompiler makes a silent installer out of the Hex Blog hotfix. So far, this installer should work on Windows 2000, Windows XP, and during Windows XP installation (SVCPACK). Windows 2000 installation (SVCPACK) still needs to be tested.

Put it in HFSVPK when using HFSLIP.

@TommyP:

As far as I can understand this, the real problem is GDI32.DLL.

[muiz]

http://www.hexblog.com/security/files/wmffix_hexblog14.exe

UPD: Version 1.4: completely silent mode, suitable for use in the scripts

How to use silent :

http://www.hexblog.com/2006/01/silent_wmf_hotfix_installer.html

[fdv]

HAHAHA I love it.

A quick and dirty hotfix that's not even Microsoft's and we've already dealt with slipstreaming it.

I read in a discussion on Slashdot that unregistering SHIMGVW.DLL won't fix the problem; the problem is apprently in the GDI32.DLL.

[Yzöwl]

Does anyone know if we can just copy the resultant wmfhotfix.dll and register it!

From the installation of the program on an existing system I cannot see that it needs anything else, however running the checker still shows the system is vulnerable...

[Tomcat76]

UPD: Version 1.4: completely silent mode, suitable for use in the scripts

I see no real difference with version 1.3; both can be run silently without dialog boxes using the exact same switches.

For anyone that wants to know: suppress the reboot with /NORESTART. That's what I'm using in my silent installer.

[Mr Snrub]

MS security advisory updated 3/1:

http://www.microsoft.com/technet/security/...ory/912840.mspx

Some of the updated text:

Microsoft has completed development of the security update for the vulnerability. The security update is now being localized and tested to ensure quality and application compatibility. Microsoft’s goal is to release the update on Tuesday, January 10, 2006, as part of its monthly release of security bulletins. This release is predicated on successful completion of quality testing.

The update will be released worldwide simultaneously in 23 languages for all affected versions of Windows once it passes a series of rigorous testing procedures. It will be available on Microsoft’s Download Center, as well as through Microsoft Update and Windows Update. Customers who use Windows’ Automatic Updates feature will be delivered the fix automatically.

Based on strong customer feedback, all Microsoft’s security updates must pass a series of quality tests, including testing by third parties, to assure customers that they can be deployed effectively in all languages and for all versions of the Windows platform with minimum down time.

FAQ section also updated.

[cluberti]

For those of you bashing Microsoft about the latest vulnerability (and yes, we do deserve some of the licks, but not all):

The patch has been available for a few days, but it needs to be tested in over 20 localized languages, and by certain third-parties before it will be released as stable to the public. Everyone want hotfixes released right away, but no one wants the hotfix doing anything negative to their systems - so you want a hotfix coded, tested, and released in 24 hours for what amounts to 4 different operating systems in over 20 different languages, on millions of hardware and software configurations? I think that's being just a wee bit overzealous here - I think it's important to remember that Microsoft has a responsibility for the hotfixes and patches it releases, not to mention the publicity hit we'd take if a hotfix wasn't released in top form.

What would happen if a hotfix was released a week ago, but broke 10% of systems out there (that's millions of PC's and servers)? We'd be bashed for releasing an untested or unstable hotfix - perhaps you see the conundrum? The hotfix will be released when it's tested and stable, and won't cause more harm than it fixes. I know the workaround isn't the best, but at least it's a workaround .

[saugatak]

Mr. Cluberti, thanks for posting on this forum.

I think everyone here acknowledges that patches should be tested before being released and that takes time, but M$ has no excuses.

M$ has virtually an unlimited amount of money. Would it really make a big dent in your billions of dollars of profit to hire 40 more testers to get patches out faster?

Couldn't you prioritize localized languages, say by profit, and release patches for each localized language as they're done?

Frankly, I really don't care that doing it this way is not convenient for M$ or might cost you some $. If a hacker takes down my computers because of your mistake, I lose almost a week in lost data and rebuilding my computers. You owe it to your customers to do a better job of fixing your bugs.

You guys make monopoly profits, but you're so damned cheap or lazy that you can't even bother to make a decent SP5 for Win2k, so TommyP and others on this forum had to do it for you.

You guys are so allergic to the idea of competition and that someone else also has the right to make money off of software that you integrate IE, Windows Media Player, Messenger, and all sorts of other crap into your OS so that FDV, Dino Nuhagic and others have to go to great lengths to give consumers of the OS a choice as to what they want on their desktop.

So Mr. Cluberti, while I respect what you do and am glad that you and others at M$ are working every month to fix yet another critical flaw in your OS, please refrain from complaining when we bash M$.

We're suffering from your mistakes, and you're laughing all the way to the bank with our money.

[Tomcat76]

Whoops...

[WWWebb]

I think it's important to remember that Microsoft has a responsibility for the hotfixes and patches it releases, not to mention the publicity hit we'd take if a hotfix wasn't released in top form.

Seems like you're *already* taking a publicity hit.

I've never seen the normally staid SANS Institute ridicule a security advisory before.

WWWebb

[Gouki]

Is it cool to type M$? Cause I really dont understand this stupid thing!

Hotfix will be released next wek.

Edited January 4, 2006 by Gouki