#1
Microsoft patch for WMF flaw -- WinME not covered???
My question is simple - why? I read the Microsoft message for the patch and they seem to say that WinME is affected, but no patch because of some non-sense I don't understand. Can someone explain and comment if their analysis is on the level, or bull ****? If it is BS, what do we do, aside from upgrading (which will not happen)?

Dave
#2
Win Me is not affected unless you have installed a third party viewer for WMF files such as Irfanview, and possibly not even then. If you read the various posts in this newsgroup you will also find that despite strenuous efforts by a number of individuals they have not been able to infect their systems via this vulnerability despite some quite exhaustive testing and many attempts.

So to answer your question, and to repeat the contents of the Microsoft advisory, the WMF vulnerability is not considered to be a critical vulnerability on Win 9x systems such as Win Me and, due to Win Me being in what is called "extended support" (which finishes 30 June 2006), Microsoft are only committed to producing hotfixes for critical vulnerabilities. This situation might change, but to date there is no evidence to suggest that Win9x machines are affected; in the event of that situation changing it is possible that Microsoft will produce a patch, but at some later date. If you however have evidence of a Win9x machine having been infected via the WMF vulnerability please contact Microsoft with full details.

--
Mike Maltby

Dave Boland wrote:
> My question is simple - why? I read the Microsoft message for the patch and they seem to say that WinME is affected, but no patch because of some non-sense I don't understand. Can someone explain and comment if their analysis is on the level, or bull ****? If it is BS, what do we do, aside from upgrading (which will not happen)?
>
> Dave
#3
There is an unofficial patch about which Dave Lipman posted that works on Windows ME:

Quote NOD32 Switzerland:
> "Paolo Monti has released a temporary patch for the WMF vulnerability (see Microsoft Security Bulletin 912840). This patch intercepts the Escape GDI32 API in order to filter the SETABORTPROC (function number 9). It uses dynamic API hooks avoiding patching/modifying of the GDI32 code. Advantages of this approach: fully dynamic - no reboot is required. This patch also works on Windows 9x/ME. Administrator rights are required to install it on WinNT, 2000, XP, 2003 systems.
>
> Installation: unzip the file WMFPATCH11.ZIP and run the provided INSTALL.EXE file. Follow the instructions of the installer.
>
> Uninstallation: go into Windows Control Panel, Add/Remove Programs, select "GDI32 - WMF Patch" and remove it."

You can get it here: http://www.nod32.ch/en/download/tools.php

I've been running Paolo's patch for a couple of days with no obvious adverse effects. Unless there are indications otherwise, I'll keep using it.

I respect Mike Maltby's opinion about the vulnerability being difficult to exploit on a Win 9x system; however, I guess I've become too paranoid to leave my system unpatched even if the risk is minimal. In part, my paranoia probably stems from hanging around this newsgroup. That's certainly not to say that I haven't learned anything, but quite the opposite, that I've learned a lot.

If you decide to use Paolo Monti's patch, just be aware that you use it at your own risk. It remains an unofficial patch, and there is no support if it breaks something.

Dave Boland wrote:
> My question is simple - why? I read the Microsoft message for the patch and they seem to say that WinME is affected, but no patch because of some non-sense I don't understand. Can someone explain and comment if their analysis is on the level, or bull ****? If it is BS, what do we do, aside from upgrading (which will not happen)?
>
> Dave
#4
Which it does - there are numerous reports that it breaks some printing functions, PostScript especially.

--
Richard G. Harper [MVP Shell/User]
* PLEASE post all messages and replies in the newsgroups
* for the benefit of all. Private mail is usually not replied to.
* My website, such as it is ... http://rgharper.mvps.org/
* HELP us help YOU ... http://www.dts-l.org/goodpost.htm

"TomV" wrote in message ...
> If you decide to use Paolo Monti's patch, just be aware that you use it at your own risk. It remains an unofficial patch, and there is no support if it breaks something.
#5
On Fri, 6 Jan 2006 00:59:02 -0000, "Mike M" wrote:

> This situation might change but to date there is no evidence to suggest that Win9x machines are affected but in the event of that situation changing then it is possible that Microsoft will produce a patch

Interesting to see how patching expectations change. Before, folks expected patches to precede ITW exploits and attacks; perhaps a foolish and untenable expectation, but representing the standard that was aspired to by vendors and early-patchers alike. Now, it's "we know about the defect, and if it starts getting attacked we'll probably bring out a patch sooner or later". Hmm.

---------- ----- ---- --- -- - - - -
Don't pay malware vendors - boycott Sony
---------- ----- ---- --- -- - - - -
#6
Chris

In my limited testing with this exploit, I've found that all attack vectors were via ADS Streams - if that is a precondition for the vulnerability to be activated, then it is obvious that Win9x systems are not exploitable, although they are infectable, inasmuch as the infecting file is downloaded to the machine and may open up the image viewer, and an AV scan should show the presence of the file.

--
Noel Paton (MS-MVP 2002-2006, Windows)
Nil Carborundum Illegitemi
http://www.crashfixpc.com/millsrpch.htm
http://tinyurl.com/6oztj
Please read http://dts-l.org/goodpost.htm on how to post messages to NG's

"cquirke (MVP Windows shell/user)" wrote in message ...
> On Fri, 6 Jan 2006 00:59:02 -0000, "Mike M" wrote:
>
>> This situation might change but to date there is no evidence to suggest that Win9x machines are affected but in the event of that situation changing then it is possible that Microsoft will produce a patch
>
> Interesting to see how patching expectations change. Before, folks expected patches to precede ITW exploits and attacks; perhaps a foolish and untenable expectation, but representing the standard that was aspired to by vendors and early-patchers alike. Now, it's "we know about the defect, and if it starts getting attacked we'll probably bring out a patch sooner or later". Hmm.
>
> ---------- ----- ---- --- -- - - - -
> Don't pay malware vendors - boycott Sony
> ---------- ----- ---- --- -- - - - -
#7
Chris,

Rather than make negative posts why not spend some time demonstrating that (current) exploits of this flaw can affect Win Me and then pass the details on to Microsoft? To date none of those who have tried, including myself, have been able to show Win 9x systems are vulnerable. With respect I'm also not clear which part of "out of support" and "extended support" you don't understand. Win 9x systems are dead development wise in the same way as the Model T Ford.

--
Mike

cquirke (MVP Windows shell/user) wrote:
> Interesting to see how patching expectations change. Before, folks expected patches to precede ITW exploits and attacks; perhaps a foolish and untenable expectation, but representing the standard that was aspired to by vendors and early-patchers alike. Now, it's "we know about the defect, and if it starts getting attacked we'll probably bring out a patch sooner or later". Hmm.
#8
On Sun, 8 Jan 2006 15:33:33 -0000, "Noel Paton" wrote:

> Chris

Hi!

> In my limited testing with this exploit, I've found that all attack vectors were via ADS Streams - if that is a precondition for the vulnerability to be activated, then it is obvious that Win9x systems are not exploitable

If so, then the hidden story is that XP on FATxx is immune, too - which means the systems I built are already immune. It must be galling to attempt to create new products that are safer and more secure (XP, NTFS) only to find that in practice, sometimes the older technologies they are supposed to replace are actually the ones that are less exploitable (Lovesan, Sasser, ADS abusers, etc.)

Still - if that's the shape of the game, we must call it as we see it. I wish MS luck with new developments and hope these are shaped by these real-world slings and arrows, but I won't collude with "creative silences" as a way of promoting these.

---------- ----- ---- --- -- - - - -
Don't pay malware vendors - boycott Sony
---------- ----- ---- --- -- - - - -
#9
On Sun, 8 Jan 2006 15:35:10 -0000, "Mike M" wrote:

> Chris,

Hi!

> Rather than make negative posts why not spend some time demonstrating that (current) exploits of this flaw can affect Win Me and then pass the details on to Microsoft?

Ah, that's where the non-developer's perspective is less hubric. A developer is likely to say "I can't exploit this, so it can't be exploited". A non-coder (or ex-coder) has no such illusions :-)

> To date none of those who have tried including myself have been able to show Win 9x systems are vulnerable.

It may very well be true that none of the current exploits will work in Win9x. What I am trying to do is understand the situation from the perspective of three factors identified so far...

1) By-design feature allowing WMF to re-direct code
2) Possible further code defect exploit required
3) Possible dependence on Alternate Data Streams, thus NTFS

...as this IMO is the key to exploitability, as opposed to whether current ITW attacks would be effective.

In (1), documentation cites a callback function to handle the cancellation of print jobs. It's not obvious to me how that function can facilitate exploit just by viewing or indexing WMF content, unless this callback function code is also called when the WMF object is initialized (e.g. to set up that vector in advance of use).

The original patching goal is to block possible exploits before they get exploited by malware. In that sense, if only (1) is required, but all current attacks leverage (2) and/or (3) to work, then I would still want to patch (1) in Win9x even if no current attacks work.

How have you been testing; by using ITW examples of exploiters, or by coding PoC stuff based on exploit documentation?

> With respect I'm also not clear which part of "out of support" and "extended support" you don't understand.

I was surprised (and heartened) by an assertion that patches for Win9x would still be developed if a "critical" (worm-facilitating) exploit arose. I had expected no further patching for Win9x, period.

> Win 9x systems are dead development wise in the same way as the Model T Ford.

Well, yes and no. Yes, I don't expect MS to dev for Win9x, nor do I expect much further 3rd-party product development. No, I don't expect it to become magically impossible for malware to be developed for Win9x, and I can foresee scenarios that could leverage a backbone of unpatchable Win9x systems to mount attacks on the rest of us.

---------- ----- ---- --- -- - - - -
Don't pay malware vendors - boycott Sony
---------- ----- ---- --- -- - - - -
#10
"cquirke (MVP Windows shell/user)" wrote:

> It may very well be true that none of the current exploits will work in Win9x. What I am trying to do is understand the situation from the perspective of three factors identified so far...
>
> 1) By-design feature allowing WMF to re-direct code

Yes. Callback code allowed in the WMF since Win 3.0.

> 2) Possible further code defect exploit required

Yes. Incorrect length (too short) specified for the record containing the exploit code in the WMF, or (and which leads to) subsequent invalid WMF records.

> 3) Possible dependence on Alternate Data Streams, thus NTFS

No. The exploit works on W2k with FAT16 or FAT32.

> ...as this IMO is the key to exploitability, as opposed to whether current ITW attacks would be effective.
>
> In (1), documentation cites a callback function to handle the cancellation of print jobs.

Also handles errors according to a poster on aca-v, which is consistent with my findings.

> It's not obvious to me how that function can facilitate exploit just by viewing or indexing WMF content,

WMFs are a collection of records which can be passed directly to the Windows GDI. There is no need for a graphics application to parse or pre-process them (there is now!). I don't understand the indexing aspect. There should be no need to play back a metafile in order to index it.

> unless this callback function code is also called when the WMF object is initialized (e.g. to set up that vector in advance of use).

Possible, but I don't see why an indexing application would need to instantiate a metafile object. Unless, of course, it was preparing bit-mapped thumbnails in advance. That would do it.

> The original patching goal is to block possible exploits before they get exploited by malware. In that sense, if only (1) is required, but all current attacks leverage (2) and/or (3) to work, then I would still want to patch (1) in Win9x even if no current attacks work.

1 and 2, but I've not been able to run the exploit on Win 95. However, something is happening on Win 95. If I do a Quickview on one of the files nothing happens for about a minute, then the Quickview window appears with the text "serious error unable to view this file [EX]".

> How have you been testing; by using ITW examples of exploiters, or by coding PoC stuff based on exploit documentation?

I've been testing with POCs provided by isc.sans.org and Ilfak Guilfanov, and using a binary editor. Ilfak's test is simply a WMF with one invalid length record containing the setabortproc escape call which pops up a message box when viewed. If I correct the length, the code doesn't run because no error is encountered. I've not been able to prevent the exploit running for the sans test by correcting the record length. This file contains many other rectangle, createpenindirect and createbrushindirect records, some of which may be invalid, but if I edit out the exploit record, the WMF displays in Irfanview. It may not be so fussy about some errors. I imagine the code would have to be recompiled in order to test it on ME and below because the low-level parameters, address layout, stack frame, or entry point to the GDI may be different.
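The record structure described in post #10 (records handed straight to GDI, an Escape record selecting SETABORTPROC, and a too-short record length) is exactly what a defensive scanner keys on, which is also what the unofficial patch in post #3 filters at the Escape API. The parser below is an added example, not code from this thread or from Paolo Monti's patch; the header and record layouts follow the public WMF format, and the three sample files are constructed here.

```python
import struct

# Constants from the public WMF format; the thread names the Escape function
# SETABORTPROC = 9 that the unofficial patch filters at the GDI32 Escape API.
PLACEABLE_MAGIC, META_ESCAPE, META_EOF, META_SETBKCOLOR, SETABORTPROC = 0x9AC6CDD7, 0x0626, 0x0000, 0x0201, 9

def scan_wmf(data: bytes) -> list:
    """Walk a WMF record stream without playing it back; return findings (empty = clean).
    Flags an Escape record carrying SETABORTPROC, which an image viewer never needs, and
    any record whose declared size is shorter than a header or runs past the end of file
    (the invalid-length record the thread describes)."""
    findings, off = [], 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        off = 22  # skip the optional placeable (Aldus) header
    if len(data) < off + 18:
        return ["truncated: no METAHEADER"]
    # METAHEADER fields: Type, HeaderSize (words), Version, Size (words), NumObjects, MaxRecord, NumMembers
    hdr_words = struct.unpack_from("<HHHIHIH", data, off)[1]
    if hdr_words != 9:
        findings.append(f"bad HeaderSize {hdr_words} words (expected 9)")
    off += hdr_words * 2
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)  # Size (words), Function
        if size_words < 3 or off + size_words * 2 > len(data):
            findings.append(f"record @{off:#x} func={func:#06x}: invalid size {size_words} words")
            break
        if func == META_ESCAPE:
            esc_func, byte_count = struct.unpack_from("<HH", data, off + 6)
            if esc_func == SETABORTPROC:
                findings.append(f"record @{off:#x}: META_ESCAPE SETABORTPROC, {byte_count} data bytes")
        if func == META_EOF:
            break
        off += size_words * 2
    else:
        findings.append("missing META_EOF record")
    return findings

def _rec(func: int, params: bytes) -> bytes:
    """Encode one record: Size in 16-bit words (header included), Function, params."""
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params

def _wmf(records: bytes) -> bytes:
    """Prefix a minimal 18-byte METAHEADER (memory metafile, version 3.0)."""
    return struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(records)) // 2, 0, 0, 0) + records

# Constructed samples: a benign file, one with a SETABORTPROC escape, one with a bogus record size.
CLEAN_WMF = _wmf(_rec(META_SETBKCOLOR, struct.pack("<I", 0x00FFFFFF)) + _rec(META_EOF, b""))
ESCAPE_WMF = _wmf(_rec(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + b"\0" * 4) + _rec(META_EOF, b""))
TRUNCATED_WMF = _wmf(struct.pack("<IH", 0x1000, META_SETBKCOLOR) + b"\0" * 4)
```

Run `scan_wmf` over a file's bytes; an empty list means no SETABORTPROC escape and no malformed record sizes were seen, which is the same condition a mail gateway or AV signature of the period checked for.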