Zero Day WMF Exploit - Possible worst ever! [Archive] - Glock Talk


Toyman
01-02-2006, 13:48
This is bad, real bad. Make that very real bad.

Anyone following this exploit in the news? I've posted some links on my blog about this: http://www.fishous.com/?p=14

Just wondering if any of you might have some other good links and news coverage?

podwich
01-02-2006, 14:05
Here's a patch by Ilfak Guilfanov that should protect you until MS comes out with an official one. http://www.grc.com/sn/notes-020.htm

nickg
01-03-2006, 10:46
you can also get more info here and download the fix as well:

http://www.hexblog.com/2005/12/wmf_vuln.html

havensal
01-03-2006, 11:59
Here is a copy of an email I received.

SERIOUS WINDOWS FLAW

In the past several days, I have become aware of a serious flaw within Windows (all versions 95 through XP) that Microsoft has not patched as of yet. Articles I have read have made it clear this is a serious flaw, and that hackers immediately stepped up their attempts to take advantage of this opportunity to infect PCs around the world. A brief article is at the following address: http://news.com.com/2001-1009_3-0.html?tag=ne.tab.hd

This one, from the Internet Storm Center, makes it seem even more serious: http://isc.sans.org/diary.php?rss&storyid=996

With Windows not providing a fix for the problem as of yet and antivirus/firewall programs having limited ability to stop any attack attempt, experts are suggesting a fix to patch the flaw. I have found a file that is supposed to be effective and safe to install; it is mentioned in the link above, created by Ilfak Guilfanov. Follow the link below:

http://grc.com/sn/notes-020.htm

If you go to this site, you can read more about the problem and decide for yourself if you want to install the patch (the green box near the bottom of the page). Steve Gibson, who runs this site and his 'Security Now' podcast, is a security expert and I for one trust what he is saying. I have installed the fix on my 2 computers and have had no ill effects, and I've not heard of any problems caused by this fix. The Internet Storm Center says "We have very carefully scrutinized this patch. It does only what is advertised, it is reversible, and, in our opinion, it is both safe and effective."

Once Microsoft repairs the problem and your version of Windows is updated, you can uninstall the patch like any other program.

I normally don't go to clients with issues such as this, but I felt it serious enough to pass on the information and let you make an informed decision. If you have any questions, please don't hesitate to contact me.

Sincerely,

Barry

havensal
01-03-2006, 12:12
Does anybody have the file in the links above? The sites seem to be down.

Ok, I got a copy. Here is a link to a copy I am hosting.

www.s94257325.onlinehome.us/Tony/wmffix_hexblog14.exe

StoneGiant
01-03-2006, 13:01
Does anyone know if the "fix" is clean? If it has been certified, then why hasn't the Gates Crew paid some money to the developer and redistributed it?

johnstrr
01-03-2006, 13:09
I have run it on my machine and it is recommended by ISC (http://isc.sans.org/) so it's probably a safe bet...

it's available as a .msi from the above site...

Toyman
01-04-2006, 07:57
Originally posted by StoneGiant
Does anyone know if the "fix" is clean? If it has been certified, then why hasn't the Gates Crew paid some money to the developer and redistributed it?

The fix is clean, it comes with the code for it, which Steve Gibson of GRC.com has reviewed. It's a tiny bit of code.

StoneGiant
01-04-2006, 08:01
Originally posted by Toyman
The fix is clean, it comes with the code for it, which Steve Gibson of GRC.com has reviewed. It's a tiny bit of code.

After reviewing the notes at Internet Storm Center, I implemented the "fix".

And isn't the Gates Crowd a wonder? We get to wait until the 10th for their fix to a known problem. As Dan Rather would say,


"Courage."

Toyman
01-04-2006, 09:57
Originally posted by StoneGiant
...And isn't the Gates Crowd a wonder? We get to wait until the 10th for their fix to a known problem. ...

You have no idea just how large and complex the Windows Environment is. They have to regression test against numerous things, including all the development environments and hundreds of products.

If this thing was released right away and broke something, the first thing you guys would say is "Why didn't MS test it?" They can't win for losing with you guys. Maybe there's an app or something that uses the escape sequence functionality, which is probably why it's in there in the first place, duh.

And yes, I do have an idea of how extensive it is, I used to work for Microsoft, in testing and in development.

StoneGiant
01-04-2006, 10:10
I, too, have extensive software engineering experience. One of my programs was a flight simulator / Monte Carlo analysis that took 11 HP9000s 26 hours to run.

Even back in the dark ages of 1992 I employed automatic regression test software; your assertion that MS is too complex to test in a timely manner implies a lack of well-architected scope and extension.

Two questions for you:
How long has Microsoft known about the security flaw, and why have they been so slow in responding?

Are you saying that the "fix" as published on the Internet is too simple? On the surface, it appears to lack the kind of complexity that demands over a week of testing by an organization with arguably the greatest software development resources in the world.

Toyman
01-04-2006, 10:56
Originally posted by StoneGiant
...Even back in the dark ages of 1992 I employed automatic regression test software; your assertion that MS is too complex to test in a timely manner implies a lack of well-architected scope and extension.

Two questions for you:
How long has Microsoft known about the security flaw, and why have they been so slow in responding?

Are you saying that the "fix" as published on the Internet is too simple? On the surface, it appears to lack the kind of complexity that demands over a week of testing by an organization with arguably the greatest software development resources in the world.



December 28, 2005. Make a matrix of all the versions of Windows, all the service packs, and all the products, and then ask yourself how long it takes to set up machines for these and test them. It's in the thousands of combinations.

The fix provided on the net seems to work, but hasn't been completely tested. I did find one instance of it making IE and WMP fail to launch this morning until I uninstalled it and re-booted (my own machine).

nickg
01-04-2006, 11:01
Here is an interesting story about AV products that have been testing the WMF problem.
------------------------------------------------------------------------------

http://www.edbott.com/weblog/?p=1191

AV-Test, which tests anti-malware products, has been tracking the situation closely and has, so far, analyzed 73 variants of malicious WMF files. Products from the following companies have identified all 73:

* Alwil Software (Avast)
* Softwin (BitDefender)
* ClamAV
* F-Secure Inc.
* Fortinet Inc.
* McAfee Inc.
* ESET (Nod32)
* Panda Software
* Sophos Plc
* Symantec Corp.
* Trend Micro Inc.
* VirusBuster

These products detected fewer variants:

* 62 eTrust-VET
* 62 QuickHeal
* 61 AntiVir
* 61 Dr Web
* 61 Kaspersky
* 60 AVG
* 19 Command
* 19 F-Prot
* 11 Ewido
* 7 eSafe
* 7 eTrust-INO
* 6 Ikarus
* 6 VBA32
* 0 Norman

The difference for the more effective products is likely to be heuristic detection, tracking the threat by identifying the basic techniques of the exploit, rather than looking for specific patterns for specific exploits.
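The heuristic-versus-signature distinction in the Ed Bott excerpt is easy to see in code. The scanner below is an added example; it is not code from this thread, from Ed Bott's post, from AV-Test or from any of the vendors listed. It walks WMF records using the public WMF layout (a uint32 record size in 16-bit words, a uint16 function code, then parameters; META_ESCAPE is 0x0626 and its first parameter is the escape code, of which SETABORTPROC is 0x0009, the escape the 2005 zero-day abused). The "heuristic" scanner flags the technique, any SETABORTPROC escape anywhere in the record stream, while the "signature" scanner matches one exact byte pattern and so misses a trivially restructured record. The sample files, their names, and the `build_wmf` helper are constructed for this example; they are inert fixtures with no payload, assembled only to exercise the two scanners.

```python
"""Heuristic vs. signature detection of WMF SETABORTPROC escapes.

Added example; not code from the forum thread, Ed Bott's post or AV-Test.
Record layout follows the public WMF format (each record: uint32 size in
16-bit words, uint16 function code, parameters). META_ESCAPE (0x0626)
records start with a uint16 escape code; SETABORTPROC (0x0009) is the
escape abused by the 2005 zero-day. All sample files below are constructed,
inert fixtures (no executable content), built only to exercise the scanners.
"""
import struct

META_EOF = 0x0000
META_SETMAPMODE = 0x0103
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009
NEWFRAME = 0x0001          # a harmless escape code, used as a control case
PLACEABLE_MAGIC = 0x9AC6CDD7


def wmf_records(data):
    """Yield (function_code, parameter_bytes) for each record in a WMF blob."""
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        off = 22  # optional placeable (Aldus) header precedes the standard one
    off += 18     # fixed-size standard header
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        size = size_words * 2
        if size < 6 or off + size > len(data):
            break  # malformed or truncated record: stop instead of looping
        yield func, data[off + 6:off + size]
        if func == META_EOF:
            break
        off += size


def heuristic_scan(data):
    """Detect the technique: any META_ESCAPE record whose escape code is SETABORTPROC."""
    for func, params in wmf_records(data):
        if func == META_ESCAPE and len(params) >= 2:
            if struct.unpack_from("<H", params, 0)[0] == SETABORTPROC:
                return True
    return False


# One exact byte pattern, lifted from a single variant (5-word record, zero-length data).
SIGNATURE = struct.pack("<IHHH", 5, META_ESCAPE, SETABORTPROC, 0)


def signature_scan(data):
    """Detect one fixed byte string, the way a narrow per-variant signature would."""
    return SIGNATURE in data


def build_wmf(records):
    """Constructed fixture: 18-byte standard header, the given records, then META_EOF."""
    body = b"".join(records) + struct.pack("<IH", 3, META_EOF)
    max_words = max(len(r) for r in records) // 2 if records else 3
    # Type=1 (memory), HeaderSize=9 words, Version=0x0300, Size, objects, MaxRecord, members
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, max_words, 0)
    return header + body


SETMAPMODE_REC = struct.pack("<IHH", 4, META_SETMAPMODE, 8)
NEWFRAME_REC = struct.pack("<IHHH", 5, META_ESCAPE, NEWFRAME, 0)
EXACT_ESCAPE_REC = struct.pack("<IHHH", 5, META_ESCAPE, SETABORTPROC, 0)
# Same escape with 4 bytes of padding data: a trivial restructuring of the record.
PADDED_ESCAPE_REC = struct.pack("<IHHH", 7, META_ESCAPE, SETABORTPROC, 4) + b"\x00" * 4

SAMPLES = {  # constructed inputs
    "benign drawing": build_wmf([SETMAPMODE_REC]),
    "benign escape": build_wmf([SETMAPMODE_REC, NEWFRAME_REC]),
    "variant A": build_wmf([SETMAPMODE_REC, EXACT_ESCAPE_REC]),
    "variant B": build_wmf([SETMAPMODE_REC, PADDED_ESCAPE_REC]),
}


def scan_all(samples=SAMPLES):
    """Return {name: (heuristic_hit, signature_hit)} for each sample blob."""
    return {name: (heuristic_scan(blob), signature_scan(blob)) for name, blob in samples.items()}


if __name__ == "__main__":
    for name, (heur, sig) in scan_all().items():
        print(f"{name:15} heuristic={heur!s:5} signature={sig}")
```

Both scanners agree on the benign files and on variant A, but only the record-walking heuristic catches variant B, which is the same escape with a different record size. That gap is the reason the products at the top of the AV-Test list held up across all 73 variants while pattern-only products trailed; the tradeoff is that a heuristic this broad also flags legitimate files that use the escape, which is the compatibility concern Toyman raises earlier in the thread.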

johnstrr
01-06-2006, 19:26
MS Patch is now out.. install it, reboot and then uninstall the other one.. it is something like "WMF... MFI.. Hotfix" or something like that.

epsylum
01-06-2006, 20:03
Originally posted by johnstrr
MS Patch is now out.. install it, reboot and then uninstall the other one.. it is something like "WMF... MFI.. Hotfix" or something like that.

I left my computer on last night. It updated by itself.