A Windows 98 & ME forum. Win98banter

Microsoft patch for WMF flaw -- WinME not covered???



 
 
  #1  
Old January 6th 06, 12:48 AM posted to microsoft.public.windowsme.general

My question is simple - why? I read the Microsoft message
for the patch and they seem to say that WinME is affected,
but no patch because of some nonsense I don't understand.

Can someone explain and comment if their analysis is on the
level, or bull ****? If it is BS, what do we do, aside from
upgrading (which will not happen)?

Dave,

  #2  
Old January 6th 06, 12:59 AM posted to microsoft.public.windowsme.general

Win Me is not affected unless you have installed a third party viewer for
WMF files such as Irfanview and possibly not even then. If you read the
various posts in this newsgroup you will also find that despite strenuous
efforts by a number of individuals they have not been able to infect their
systems via this vulnerability despite some quite exhaustive testing and
many attempts. So to answer your question, and to repeat the contents of
the Microsoft advisory, the WMF vulnerability is not considered to be a
critical vulnerability on Win 9x systems such as Win Me and due to Win Me
being in what is called "extended support" (which finishes 30 June 2006),
Microsoft are only committed to producing hotfixes for critical
vulnerabilities.

This situation might change but to date there is no evidence to suggest
that Win9x machines are affected but in the event of that situation
changing then it is possible that Microsoft will produce a patch but at
some later date. If you however have evidence of a Win9x machine having
been infected via the WMF vulnerability please contact Microsoft with full
details.
--
Mike Maltby



Dave Boland wrote:

> My question is simple - why? I read the Microsoft message
> for the patch and they seem to say that WinME is affected,
> but no patch because of some nonsense I don't understand.
>
> Can someone explain and comment if their analysis is on the
> level, or bull ****? If it is BS, what do we do, aside from
> upgrading (which will not happen)?
>
> Dave,


  #3  
Old January 6th 06, 01:59 AM posted to microsoft.public.windowsme.general

There is an unofficial patch about which Dave Lipman posted that works
on Windows ME:

Quote NOD32 Switzerland

"Paolo Monti has released a temporary patch for the WMF vulnerability
( see Microsoft Security Bulletin 912840 ). This patch intercepts the
Escape GDI32 API in order to filter the SETABORTPROC (function number
9). It uses dynamic API hooks avoiding patching/modifying of the GDI32
code. Advantages of this approach: fully dynamic - no reboot is
required.
This patch also works on Windows 9x/ME. Administrator rights are
required to install it on WinNT,2000,XP, 2003 systems.

Installation: unzip the file WMFPATCH11.ZIP and run the provided
INSTALL.EXE file. Follow the instructions of the installer.

Uninstallation: go into Windows Control Panel, Add/Remove Programs,
select "GDI32 - WMF Patch" and remove it."

You can get it here http://www.nod32.ch/en/download/tools.php

I've been running Paolo's patch for a couple of days with no obvious
adverse effects. Unless there are indications otherwise, I'll keep
using it.

I respect Mike Maltby's opinion about the vulnerability being difficult
to exploit on a Win 9x system; however, I guess I've become too paranoid
to leave my system unpatched even if the risk is minimal. In part, my
paranoia probably stems from hanging around this newsgroup. That's
certainly not to say that I haven't learned anything, but quite the
opposite, that I've learned a lot.

If you decide to use Paolo Monti's patch, just be aware that you use it
at your own risk. It remains an unofficial patch, and there is no
support if it breaks something.

Dave Boland wrote:
> My question is simple - why? I read the Microsoft message for the patch
> and they seem to say that WinME is affected, but no patch because of
> some nonsense I don't understand.
>
> Can someone explain and comment if their analysis is on the level, or
> bull ****? If it is BS, what do we do, aside from upgrading (which will
> not happen)?
>
> Dave,

  #4  
Old January 6th 06, 11:34 AM posted to microsoft.public.windowsme.general

Which it does - there are numerous reports that it breaks some printing
functions, PostScript especially.

--
Richard G. Harper [MVP Shell/User]
* PLEASE post all messages and replies in the newsgroups
* for the benefit of all. Private mail is usually not replied to.
* My website, such as it is ...
http://rgharper.mvps.org/
* HELP us help YOU ... http://www.dts-l.org/goodpost.htm


"TomV" wrote in message
...

> If you decide to use Paolo Monti's patch, just be aware that you use it at
> your own risk. It remains an unofficial patch, and there is no support if
> it breaks something.



  #5  
Old January 8th 06, 03:06 PM posted to microsoft.public.windowsme.general

On Fri, 6 Jan 2006 00:59:02 -0000, "Mike M"

> This situation might change but to date there is no evidence to suggest
> that Win9x machines are affected but in the event of that situation
> changing then it is possible that Microsoft will produce a patch


Interesting to see how patching expectations change.

Before, folks expected patches to precede ITW exploits and attacks;
perhaps a foolish and untenable expectation, but representing the
standard that was aspired to by vendors and early-patchers alike.

Now, it's "we know about the defect, and if it starts getting attacked
we'll probably bring out a patch sooner or later". Hmm.



---------- ----- ---- --- -- - - - -

Don't pay malware vendors - boycott Sony
---------- ----- ---- --- -- - - - -

  #6  
Old January 8th 06, 03:33 PM posted to microsoft.public.windowsme.general

Chris
In my limited testing with this exploit, I've found that all attack vectors
were via ADS Streams- if that is a precondition for the vulnerability to be
activated, then it is obvious that Win9x systems are not exploitable,
although they are infectable, inasmuch as the infecting file is downloaded
to the machine and may open up the image viewer, and an AV scan should show
the presence of the file.

--
Noel Paton (MS-MVP 2002-2006, Windows)

Nil Carborundum Illegitemi
http://www.crashfixpc.com/millsrpch.htm

http://tinyurl.com/6oztj

Please read http://dts-l.org/goodpost.htm on how to post messages to NG's
"cquirke (MVP Windows shell/user)" wrote in
message ...
> On Fri, 6 Jan 2006 00:59:02 -0000, "Mike M"
>
> > This situation might change but to date there is no evidence to suggest
> > that Win9x machines are affected but in the event of that situation
> > changing then it is possible that Microsoft will produce a patch
>
> Interesting to see how patching expectations change.
>
> Before, folks expected patches to precede ITW exploits and attacks;
> perhaps a foolish and untenable expectation, but representing the
> standard that was aspired to by vendors and early-patchers alike.
>
> Now, it's "we know about the defect, and if it starts getting attacked
> we'll probably bring out a patch sooner or later". Hmm.
>
> ---------- ----- ---- --- -- - - - -
>
> Don't pay malware vendors - boycott Sony
> ---------- ----- ---- --- -- - - - -



  #7  
Old January 8th 06, 03:35 PM posted to microsoft.public.windowsme.general

Chris,

Rather than make negative posts why not spend some time demonstrating that
(current) exploits of this flaw can affect Win Me and then pass the
details on to Microsoft? To date none of those who have tried including
myself have been able to show Win 9x systems are vulnerable. With respect
I'm also not clear which part of "out of support" and "extended support"
you don't understand. Win 9x systems are dead development wise in the
same way as the Model T Ford.
--
Mike


cquirke (MVP Windows shell/user) wrote:

> Interesting to see how patching expectations change.
>
> Before, folks expected patches to precede ITW exploits and attacks;
> perhaps a foolish and untenable expectation, but representing the
> standard that was aspired to by vendors and early-patchers alike.
>
> Now, it's "we know about the defect, and if it starts getting attacked
> we'll probably bring out a patch sooner or later". Hmm.


  #8  
Old January 8th 06, 04:50 PM posted to microsoft.public.windowsme.general

On Sun, 8 Jan 2006 15:33:33 -0000, "Noel Paton"

> Chris


Hi!

> In my limited testing with this exploit, I've found that all attack vectors
> were via ADS Streams- if that is a precondition for the vulnerability to be
> activated, then it is obvious that Win9x systems are not exploitable


If so, then the hidden story is that XP on FATxx is immune, too -
which means the systems I built are already immune.

It must be galling to attempt to create new products that are safer
and more secure (XP, NTFS) only to find that in practice, sometimes
the older technologies they are supposed to replace are actually the
ones that are less exploitable (Lovesan, Sasser, ADS abusers, etc.)

Still - if that's the shape of the game, we must call it as we see it.

I wish MS luck with new developments and hope these are shaped by
these real-world slings and arrows, but I won't collude with "creative
silences" as a way of promoting these.



---------- ----- ---- --- -- - - - -

Don't pay malware vendors - boycott Sony
---------- ----- ---- --- -- - - - -

  #9  
Old January 8th 06, 05:03 PM posted to microsoft.public.windowsme.general

On Sun, 8 Jan 2006 15:35:10 -0000, "Mike M"

> Chris,


Hi!

> Rather than make negative posts why not spend some time demonstrating that
> (current) exploits of this flaw can affect Win Me and then pass the
> details on to Microsoft?


Ah, that's where the non-developer's perspective is less hubristic.

A developer is likely to say "I can't exploit this, so it can't be
exploited". A non-coder (or ex-coder) has no such illusions :-)

> To date none of those who have tried including myself have been
> able to show Win 9x systems are vulnerable.


It may very well be true that none of the current exploits will work
in Win9x. What I am trying to do is understand the situation from the
perspective of three factors identified so far...

1) By-design feature allowing WMF to re-direct code
2) Possible further code defect exploit required
3) Possible dependence on Alternate Data Streams, thus NTFS

...as this IMO is the key to exploitability, as opposed to whether
current ITW attacks would be effective.

In (1), documentation cites a callback function to handle the
cancellation of print jobs. It's not obvious to me how that function
can facilitate exploit just by viewing or indexing WMF content, unless
this callback function code is also called when the WMF object is
initialized (e.g. to set up that vector in advance of use).

The original patching goal is to block possible exploits before they
get exploited by malware. In that sense, if only (1) is required, but
all current attacks leverage (2) and/or (3) to work, then I would still
want to patch (1) in Win9x even if no current attacks work.

How have you been testing; by using ITW examples of exploiters, or by
coding PoC stuff based on exploit documentation?

> With respect I'm also not clear which part of "out of support" and
> "extended support" you don't understand.


I was surprised (and heartened) by an assertion that patches for Win9x
would still be developed if a "critical" (worm-facilitating) exploit
arose. I had expected no further patching for Win9x, period.

> Win 9x systems are dead development wise in the same way
> as the Model T Ford.


Well, yes and no. Yes, I don't expect MS to dev for Win9x, nor do I
expect much further 3rd-party product development. No, I don't expect
it to become magically impossible for malware to be developed for
Win9x, and I can foresee scenarios that could leverage a backbone of
unpatchable Win9x systems to mount attacks on the rest of us.



---------- ----- ---- --- -- - - - -

Don't pay malware vendors - boycott Sony
---------- ----- ---- --- -- - - - -

  #10  
Old January 9th 06, 02:25 AM posted to microsoft.public.windowsme.general

"cquirke (MVP Windows shell/user)" wrote:

> It may very well be true that none of the current exploits will work
> in Win9x. What I am trying to do is understand the situation from the
> perspective of three factors identified so far...
>
> 1) By-design feature allowing WMF to re-direct code


Yes. Callback code allowed in the WMF since Win 3.0.

> 2) Possible further code defect exploit required


Yes. Incorrect length (too short) specified for the record containing
the exploit code in the WMF, or (and which leads to) subsequent
invalid WMF records.

> 3) Possible dependence on Alternate Data Streams, thus NTFS


No. The exploit works on W2k with FAT16 or FAT32.

> ...as this IMO is the key to exploitability, as opposed to whether
> current ITW attacks would be effective.
>
> In (1), documentation cites a callback function to handle the
> cancellation of print jobs.


Also handles errors according to a poster on aca-v, which is
consistent with my findings.

> It's not obvious to me how that function
> can facilitate exploit just by viewing or indexing WMF content,


WMFs are a collection of records which can be passed directly to the
Windows GDI. There is no need for a graphics application to parse or
pre-process them (there is now!). I don't understand the indexing
aspect. There should be no need to play-back a metafile in order to
index it.

> unless
> this callback function code is also called when the WMF object is
> initialized (e.g. to set up that vector in advance of use).


Possible, but I don't see why an indexing application would need to
instantiate a metafile object. Unless, of course, it was preparing
bit-mapped thumbnails in advance. That would do it.

> The original patching goal is to block possible exploits before they
> get exploited by malware. In that sense, if only (1) is required, but
> all current attacks leverage (2) and/or (3) to work, then I would still
> want to patch (1) in Win9x even if no current attacks work.


1 and 2, but I've not been able to run the exploit on Win 95.
However, something is happening on Win 95. If I do a Quickview on
one of the files nothing happens for about a minute, then the
Quickview window appears with the text "serious error unable to view
this file [EX]".

> How have you been testing; by using ITW examples of exploiters, or by
> coding PoC stuff based on exploit documentation?


I've been testing with POCs provided by isc.sans.org and Ilfak
Guilfanov, and using a binary editor. Ilfak's test is simply a WMF
with one invalid length record containing the setabortproc escape
call which pops up a message box when viewed. If I correct the
length, the code doesn't run because no error is encountered.

I've not been able to prevent the exploit running for the sans test
by correcting the record length. This file contains many other
rectangle, createpenindirect and createbrushindirect records, some of
which may be invalid, but if I edit out the exploit record, the WMF
displays in Irfanview. It may not be so fussy about some errors.

I imagine the code would have to be recompiled in order to test it on
ME and below because the low-level parameters, address layout, stack
frame, or entry point to the GDI may be different.
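The patch described in post #3 hooks the GDI32 Escape API at run time and filters SETABORTPROC (escape function 9), and post #10 explains why that is the right place to stand: WMF records are handed straight to GDI, and an undersized record makes playback fail, which is what invokes an abort procedure registered by an earlier record. What follows is an added example, not code from this thread or from Paolo Monti's patch: a small static scanner in Python that walks a WMF's record list and flags any META_ESCAPE record carrying SETABORTPROC, plus records whose Size field is below the minimum a record can have. It assumes the record layout of the published WMF format (placeable header magic 0x9AC6CDD7, 18-byte META_HEADER, per-record 4-byte Size in words followed by a 2-byte function code, META_ESCAPE = 0x0626); the `build_wmf` helper and the three sample files are constructed for the demonstration and carry no payload.

```python
"""Static WMF record scanner (added example). Flags META_ESCAPE records
that carry SETABORTPROC and records whose Size field is below the minimum,
the two ingredients the thread above describes. Field layout follows the
published WMF format; the sample files are constructed and carry no payload."""
import struct

PLACEABLE_MAGIC = 0x9AC6CDD7  # optional 22-byte placeable (Aldus) header
PLACEABLE_LEN = 22
META_HEADER_LEN = 18          # standard META_HEADER is 9 WORDs
META_EOF = 0x0000
META_RECTANGLE = 0x041B
META_ESCAPE = 0x0626
SETABORTPROC = 9              # the Escape function the GDI32 hook patch filters
MIN_RECORD_WORDS = 3          # 4-byte Size + 2-byte RecordFunction


def build_wmf(records):
    """Constructed test helper: a disk-type WMF from (function, params) pairs,
    with META_EOF appended. Not real-world data."""
    body = b""
    max_words = MIN_RECORD_WORDS
    for func, params in list(records) + [(META_EOF, b"")]:
        words = MIN_RECORD_WORDS + len(params) // 2
        max_words = max(max_words, words)
        body += struct.pack("<IH", words, func) + params
    total_words = (META_HEADER_LEN + len(body)) // 2
    # Type=2 (disk), HeaderSize=9 words, Version=0x0300, Size, NumberOfObjects,
    # MaxRecord, NumberOfMembers
    header = struct.pack("<HHHIHIH", 2, 9, 0x0300, total_words, 0, max_words, 0)
    return header + body


def scan_wmf(data):
    """Walk the record list; return a list of findings (empty = nothing odd)."""
    findings = []
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        off = PLACEABLE_LEN
    if len(data) < off + META_HEADER_LEN:
        return ["truncated: no META_HEADER"]
    _ftype, header_words, _version = struct.unpack_from("<HHH", data, off)
    if header_words != META_HEADER_LEN // 2:
        findings.append(f"HeaderSize is {header_words} words, expected 9")
    off += META_HEADER_LEN
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if func == META_EOF:
            break
        if func == META_ESCAPE:
            if off + 10 > len(data):
                findings.append(f"record at {off}: META_ESCAPE truncated")
                break
            esc, nbytes = struct.unpack_from("<HH", data, off + 6)
            if esc == SETABORTPROC:
                findings.append(f"record at {off}: META_ESCAPE with SETABORTPROC "
                                f"({nbytes} data bytes)")
        if size_words < MIN_RECORD_WORDS:
            # A record cannot be shorter than its own Size+Function fields.
            # GDI treats this as a playback error, which is what invokes an
            # abort procedure registered by an earlier SETABORTPROC escape.
            findings.append(f"record at {off}: Size={size_words} words is below "
                            f"the {MIN_RECORD_WORDS}-word minimum")
            break
        end = off + size_words * 2
        if end > len(data):
            findings.append(f"record at {off}: Size runs {end - len(data)} bytes past EOF")
            break
        off = end
    else:
        findings.append("file ends without a META_EOF record")
    return findings


# Constructed samples (no payload): a plain rectangle; the same plus a
# SETABORTPROC escape; and that file with the escape's Size field clobbered.
# The escape record starts at byte 32 = 18 (header) + 14 (rectangle record).
_RECT = struct.pack("<hhhh", 50, 50, 10, 10)
CLEAN_WMF = build_wmf([(META_RECTANGLE, _RECT)])
_ABORT_ESCAPE = struct.pack("<HH", SETABORTPROC, 4) + b"\x00" * 4
SUSPECT_WMF = build_wmf([(META_RECTANGLE, _RECT), (META_ESCAPE, _ABORT_ESCAPE)])
MALFORMED_WMF = SUSPECT_WMF[:32] + struct.pack("<I", 1) + SUSPECT_WMF[36:]

if __name__ == "__main__":
    for name, blob in [("clean", CLEAN_WMF), ("suspect", SUSPECT_WMF),
                       ("malformed", MALFORMED_WMF)]:
        print(name, scan_wmf(blob) or "OK")
```

A check like this belongs at a mail gateway or file share as a complement to the host-level hook, not a replacement for it: the hook stops the call at the moment GDI would make it, while the scanner only sees the file. Legitimate images almost never carry a SETABORTPROC escape, so flagging the record has a low false-positive cost, and a record whose Size is below the minimum is malformed by definition regardless of what it contains.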


 



