<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://blogs.technet.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>Conscientious Risk Management and WMF</title><link>http://blogs.technet.com/jesper_johansson/archive/2006/01/02/416762.aspx</link><description>This past week there have been a lot of questions about the WMF vulnerability, what Microsoft is doing, and what the community should do to protect against it. For many reasons, Microsoft's response to the problem is best left to those who do this for</description><dc:language>en-US</dc:language><generator>CommunityServer 2.1 SP1 (Build: 61025.2)</generator><item><title>re: Conscientious Risk Management and WMF</title><link>http://blogs.technet.com/jesper_johansson/archive/2006/01/02/416762.aspx#416773</link><pubDate>Tue, 03 Jan 2006 07:18:32 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:416773</guid><dc:creator>christoffer</dc:creator><description>&amp;quot;There is one other problem with this protection. In order to unregister the DLL you have to be an administrator. I can see a lot of people that would put a logon script together that would unregister the DLL.&amp;quot;&lt;br&gt;&lt;br&gt;What about startup scripts within a GPO? ;)</description></item><item><title>re: Conscientious Risk Management and WMF</title><link>http://blogs.technet.com/jesper_johansson/archive/2006/01/02/416762.aspx#416774</link><pubDate>Tue, 03 Jan 2006 07:19:52 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:416774</guid><dc:creator>christoffer</dc:creator><description>&amp;quot;There is one other problem with this protection. In order to unregister the DLL you have to be an administrator. 
I can see a lot of people that would put a logon script together that would unregister the DLL.&amp;quot;&lt;br&gt;&lt;br&gt;What about using a startup script within a GPO? ;)</description></item><item><title>re: Conscientious Risk Management and WMF</title><link>http://blogs.technet.com/jesper_johansson/archive/2006/01/02/416762.aspx#416776</link><pubDate>Tue, 03 Jan 2006 08:36:41 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:416776</guid><dc:creator>Matthew Murphy</dc:creator><description>It might be worth noting that the shimgvw.dll is merely a vector for the vulnerable component and does not, itself, suffer from the vulnerability.  The vulnerability lies in gdi32.dll.  The unregistration workaround merely addresses the current in-the-wild exploits which load Picture and Fax Viewer to deliver the payload.&lt;br&gt;&lt;br&gt;I personally implemented the workaround, but I'm not relying on it, either.  &lt;br&gt;&lt;br&gt;I run as a non-admin, so I briefly launched a shell as an admin, performed the unregistration and closed it.  The implementation would be tighter in a managed setting, where users wouldn't even *KNOW* an administrative password.  Frankly, it's too dangerous to run as an admin.  Restricting high-risk apps is a stutter step, but it needs to be done across-the-board to be most effective.</description></item><item><title>re: Conscientious Risk Management and WMF</title><link>http://blogs.technet.com/jesper_johansson/archive/2006/01/02/416762.aspx#416779</link><pubDate>Tue, 03 Jan 2006 09:44:36 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:416779</guid><dc:creator>Bernd Eckenfels</dc:creator><description>Strangely enough, on my disconnected domain laptop I can start a restricted IE; however, Firefox will not start with it. &lt;br&gt;&lt;br&gt;I can, however, start Firefox as a different user instead of a restricted one. 
Do you think that's fine, as long as the alternate user has no powerful system privileges?&lt;br&gt;&lt;br&gt;Regards&lt;br&gt;Bernd</description></item><item><title>re: Conscientious Risk Management and WMF</title><link>http://blogs.technet.com/jesper_johansson/archive/2006/01/02/416762.aspx#416812</link><pubDate>Tue, 03 Jan 2006 19:38:09 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:416812</guid><dc:creator>marc</dc:creator><description>I have a question, please: why didn't Microsoft anticipate this? I think they should know the API of WMF and this big, big potential hole, and now real threat (WMF SetAbortProc function &lt;a rel="nofollow" target="_new" href="http://msdn.microsoft.com/library/de...tspol_0d6b.asp"&gt;http://msdn.microsoft.com/library/de...tspol_0d6b.asp&lt;/a&gt;), so WHY?</description></item><item><title>re: Conscientious Risk Management and WMF</title><link>http://blogs.technet.com/jesper_johansson/archive/2006/01/02/416762.aspx#416813</link><pubDate>Tue, 03 Jan 2006 19:50:40 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:416813</guid><dc:creator>marc</dc:creator><description>&amp;gt;I have a question, please&lt;br&gt;link corrected:&lt;br&gt;&lt;a rel="nofollow" target="_new" href="http://msdn.microsoft.com/library/default.asp?url=/library/en-us/gdi/prntspol_0d6b.asp"&gt;http://msdn.microsoft.com/library/default.asp?url=/library/en-us/gdi/prntspol_0d6b.asp&lt;/a&gt;</description></item><item><title>re: Conscientious Risk Management and WMF</title><link>http://blogs.technet.com/jesper_johansson/archive/2006/01/02/416762.aspx#416818</link><pubDate>Tue, 03 Jan 2006 20:37:49 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:416818</guid><dc:creator>Alun Jones</dc:creator><description>Re: third-party patches.
&lt;br&gt;&lt;br&gt;I always have this to say about third-party patches:&lt;br&gt;&lt;br&gt;Let me get this straight: in an attempt to prevent unknown and untrusted third-parties from running unknown and untrusted code on your machine, you are going to trust a previously unknown third-party, and trust his unknown code enough to run it on your machine?&lt;br&gt;&lt;br&gt;Seems rather a bad bet, to me.  I would consider running a third-party patch only if I felt I could trust the honesty, integrity, and ability, of the person who put it together - and even then, I'd worry that they had missed a subtlety of the original code.  That can be said, of course, about the person(s) at Microsoft who will make the official patch, to some extent, but I know more about Microsoft's process behind patching, and that gives me a better idea of what's going to happen with that patch, and whether I'll be able to trust it.&lt;br&gt;&lt;br&gt;For now, I'll stick to not visiting pages with interesting graphics, and running as a non-admin.</description></item><item><title>re: Conscientious Risk Management and WMF</title><link>http://blogs.technet.com/jesper_johansson/archive/2006/01/02/416762.aspx#416820</link><pubDate>Tue, 03 Jan 2006 20:43:54 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:416820</guid><dc:creator>Alun Jones</dc:creator><description>Re: Why didn't Microsoft anticipate this?&lt;br&gt;&lt;br&gt;Here's an allegory:&lt;br&gt;&lt;br&gt;I was reading a book the other night, and I stumbled over a sentence that didn't make any sense.  The typesetters had used &amp;quot;their&amp;quot; instead of &amp;quot;there&amp;quot;, and as a result, I had to re-read the sentence a couple of times to get its meaning correct.&lt;br&gt;&lt;br&gt;Why didn't the book's editors anticipate this, or catch it before release?  They know the rules of English grammar, and they know the difference between &amp;quot;their&amp;quot; and &amp;quot;there&amp;quot;.
&lt;br&gt;&lt;br&gt;There's a lot of code in Windows, and it's written by people.  If it could be written by machine, it would be; if it could be analysed by machine, it has been.  Sadly, the use of a machine to analyse the code for another machine is known to be an intractable problem (search for &amp;quot;Halting problem&amp;quot; for details), so not all flaws are detectable within finite time by a finite computer using finite memory.  Unfortunately, the presence of a particular flaw can be detected within finite time by an interested researcher who picks the right direction to research into.&lt;br&gt;&lt;br&gt;Bugs happen.  Some bugs are exploitable as security flaws (so are some poor design choices, or even some intentional and good features!), so security flaws will happen.&lt;br&gt;&lt;br&gt;Security management must always be a matter of risk management - how much effort are you willing to put in, and how much risk of susceptibility are you willing to accept?  Since you can't get the risk down to 0, you have to balance effort against risk - if you spend all your time addressing risk, you have no time to do the work you intend to do.</description></item><item><title>re: Conscientious Risk Management and WMF</title><link>http://blogs.technet.com/jesper_johansson/archive/2006/01/02/416762.aspx#416832</link><pubDate>Tue, 03 Jan 2006 23:56:19 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:416832</guid><dc:creator>peter</dc:creator><description>Re: Why didn't Microsoft anticipate this? &lt;br&gt;&lt;br&gt;It is true that bugs happen, but it is also true that MS made a lot of noise about how they put everything on hold a couple of years ago to go through all those lines of code line by line and root out problems. 
&lt;br&gt;&lt;br&gt;Seems like something as basic as this should have been caught.</description></item><item><title>re: Conscientious Risk Management and WMF</title><link>http://blogs.technet.com/jesper_johansson/archive/2006/01/02/416762.aspx#416837</link><pubDate>Wed, 04 Jan 2006 01:44:03 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:416837</guid><dc:creator>Alun Jones</dc:creator><description>What I posted was a simplification - the truth, as ever, is more complexificated.&lt;br&gt;&lt;br&gt;&amp;quot;going line by line through code&amp;quot; is not as effective as you might think.  Many flaws are spread across hundreds of lines, and expose themselves more readily to discovery by data fuzzing and algorithm guessing attacks than by code review.  [Frequently, the big benefit of code review is that you recognise a pattern of design or implementation that can be found automatically, and corrected in-place]&lt;br&gt;&lt;br&gt;Code is not static.  By the time you've reached the end of the complete code review, another year has gone by, and you're on a different version of the product.&lt;br&gt;&lt;br&gt;Bugs - even security bugs - shouldn't always be fixed immediately even when they are found.  A fix that requires a reboot, and whose analysis would allow an attacker to reverse-engineer the fix to discover the flaw, would be dangerous to ship - if only a few administrators installed it, but a lot of worms were written to exploit it, thanks to new information provided in the fix.  The best strategy in such cases is often to wait until the next time the code is updated for other reasons, and provide the fix there, where it is not possible to reverse engineer, and where it will be installed on the most machines [after all, administrators can offer users a new feature in exchange for a reboot, rather than &amp;quot;it works the same as before, but you won't be vulnerable to attacks that we weren't seeing anyway&amp;quot;.
&lt;br&gt;&lt;br&gt;Next, of course, you have no idea how &amp;quot;basic&amp;quot; this vulnerability is.  I've worked on adding code annotations to aid in automated discovery of buffer overflows, and I can confirm that the automatic discovery of buffer overflows is a &amp;quot;hard&amp;quot; problem.  Let's say it takes N seconds to track a buffer overflow in a non-branching section of code of a certain length.  Add the ability to branch, or to call a subroutine with a buffer that might get overflowed, and the time to scan approaches 2^N.  That's with one level of branching / calling.  The progression is exponential - at each level of function depth, you increase the number that you raise to the power of N.  Just automatically searching for buffer overflows quickly takes longer than the lifetime of the universe, let alone the length of a product release cycle.&lt;br&gt;&lt;br&gt;Finally, engineers - even those that work at Microsoft - are human, and miss even the obvious from time to time.  That's why the process of security review is cyclic.</description></item><item><title>re: Conscientious Risk Management and WMF</title><link>http://blogs.technet.com/jesper_johansson/archive/2006/01/02/416762.aspx#416842</link><pubDate>Wed, 04 Jan 2006 02:55:43 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:416842</guid><dc:creator>Weese</dc:creator><description>A problem I encountered when running IE with the check box ticked for &amp;quot;Protect my computer and data from unauthorised program activity&amp;quot; is that I cannot view https sites.  i.e &lt;a rel="nofollow" target="_new" href="https://blogs.technet.com/jesper_johansson/comments/416762.aspx"&gt;https://blogs.technet.com/jesper_johansson/comments/416762.aspx&lt;/a&gt;.
&lt;br&gt;&lt;br&gt;Running on WXP SP2 with all updates till Dec 2005.</description></item><item><title>re: Conscientious Risk Management and WMF</title><link>http://blogs.technet.com/jesper_johansson/archive/2006/01/02/416762.aspx#416905</link><pubDate>Thu, 05 Jan 2006 05:15:01 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:416905</guid><dc:creator>Tzim</dc:creator><description>And what about DEP (Data Execution Prevention) ? I heard it could stop the exploits of this particular flaws among others... or is it only for Hardware DEP ? &lt;br&gt;&lt;br&gt;I personaly use DEP on optout mode. Isn't this what everyone should use ? And why the setting isn't part of the security center ?</description></item><item><title>re: Conscientious Risk Management and WMF</title><link>http://blogs.technet.com/jesper_johansson/archive/2006/01/02/416762.aspx#416923</link><pubDate>Thu, 05 Jan 2006 09:41:37 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:416923</guid><dc:creator>Jordan</dc:creator><description>For those doubting the reliability and security of the third-party patch, I'd like to reiterate the comments made by the SANS folks.  The patch is not only simple and transparent in its design, but it's possible to verify it by looking at the source, or even recompiling if so desired -- it's included in the patch installer.  The author is a known entity, trusted by many, and the install and uninstall method appears to be safe.&lt;br&gt;&lt;br&gt;I agree that the issue is indeed a risk management issue.  As the senior security engineer for a large (60k+ seats on the network) educational institution, I recommended departments and individuals apply the patch.  The reason being?  The risks of remaining unpatched against a vulnerability with so many attack vectors seriously outweigh the threat of a patch that is as verifiable as it is.  
I fully expect to spend the next 6 months cleaning up after students as a direct result of this vulnerability (ok, ok, who am I kidding, I'm always cleaning up after them, I'll have more this time).  They're the prime target for such email/web/IM borne malware given their propensity to click on anything and everything.  That's compounded by the number of brand new laptop christmas presents they're toting onto campus just in time to turn on and email all their buddies and check all their favorite illicit websites just before the official patch is released and while they're still likely vulnerable.&lt;br&gt;&lt;br&gt;Of course I'd prefer the official microsoft patch.  I assume it will be very well tested, and the authoritative response is almost always the best choice.  (Though I have to say, if rumors of a leaked 'official' patch causing BSOD's are true, then Ilfak may have done better with his first try)&lt;br&gt;&lt;br&gt;A lot of us in the trenches are getting hit with this right now, doing cleanup and multiply rebuilding up-to-date machines.  If the only patch is unofficial, well, I'll take it.</description></item><item><title>re: Conscientious Risk Management and WMF</title><link>http://blogs.technet.com/jesper_johansson/archive/2006/01/02/416762.aspx#416938</link><pubDate>Thu, 05 Jan 2006 15:11:24 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:416938</guid><dc:creator>Andy McKnight</dc:creator><description>Unless something changes significantly in the next few days, I'll be waiting on the official MS patch rather than applying the unofficial one.&lt;br&gt;&lt;br&gt;There's been plenty of chatter on this subject, plenty of talk on potential attack vectors and new variants but there's been little report of *actual* impact from the trenches.  Even the ISC's (who have been arguably the biggest supporters of the unofficial patch) current poll of nearly 4000 respondants has 76% saying they've seen no impact yet.
&lt;br&gt;&lt;br&gt;If this mutates into something more ugly before the MS patch then I'll review it again but in the meantime the benefit doesn't outweigh the risk for me.  That's a decision for each organisation to make themselves though.</description></item><item><title>Scope of WMF vulnerability</title><link>http://blogs.technet.com/jesper_johansson/archive/2006/01/02/416762.aspx#416966</link><pubDate>Thu, 05 Jan 2006 21:17:47 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:416966</guid><dc:creator>Derek Stevens</dc:creator><description>I question the assessment of the scope of the problem in the Microsoft Security Advisory (912840):&lt;br&gt;&amp;quot;Microsoft has been carefully monitoring the attempted exploitation of the WMF vulnerability since it became public last week, through its own forensic capabilities and through partnerships within the industry and law enforcement. Although the issue is serious and malicious attacks are being attempted, Microsoft’s intelligence sources indicate that the attacks are limited in scope and are not widespread.&amp;quot;&lt;br&gt;&lt;br&gt;I disagree with this assessment.  Since Dec 31st I've had 5 PCs (out of 13 I look after) which have had virus/spyware, which, as far as I could tell, were as a result of the WMF vulnerability. One happened right in front of my eyes - a popup window opened a wmf file, a few seconds late the PC had locked up and I ended up re-installing Windows. 
For comparison I generally have about 1 problem per year of this nature over the 13 PCs, so 5 problems in 6 days is about 60 times the norm.</description></item><item><title>re: Conscientious Risk Management and WMF</title><link>http://blogs.technet.com/jesper_johansson/archive/2006/01/02/416762.aspx#416979</link><pubDate>Thu, 05 Jan 2006 23:08:09 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:416979</guid><dc:creator>DF</dc:creator><description>I installed the unofficial patch and my Wifi PC Card stopped working. Uninstalling the patch did not fix this, nor did reinstalling the driver / controller. I'm still looking for a fix.</description></item><item><title>re: Conscientious Risk Management and WMF</title><link>http://blogs.technet.com/jesper_johansson/archive/2006/01/02/416762.aspx#417033</link><pubDate>Fri, 06 Jan 2006 12:41:31 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:417033</guid><dc:creator>John Flakh</dc:creator><description>Well, now that the official patch has come out, it appears that (a) Microsoft has changed its assessment of the risk and decided to release the patch out-of-cycle, and (b) Microsoft's solution, which is to remove support for the SETABORTPROC function, is not fundamentally different from Ilfak Guilfanov's unofficial patch.</description></item><item><title>re: Conscientious Risk Management and WMF</title><link>http://blogs.technet.com/jesper_johansson/archive/2006/01/02/416762.aspx#417056</link><pubDate>Fri, 06 Jan 2006 19:51:31 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:417056</guid><dc:creator>Alun Jones</dc:creator><description>Sure it's different.  Even if the code was exactly the same (which it isn't - Guilfanov's was a hot-patch, Microsoft's is a source-code alteration), the official patch is backed with all the support you could possibly want.
&lt;br&gt;&lt;br&gt;Consider this - what if the patch you apply causes a LOB application to fail?  If you have run Guilfanov's patch, all you can do is hope that his uninstall is good; if you have run Microsoft's patch, you can call 1-866-PCSAFETY or your regular support number, and get free assistance with the issue until it is resolved.</description></item><item><title>More options on protecting against recent IE vulnerabilities on a domain</title><link>http://blogs.technet.com/jesper_johansson/archive/2006/01/02/416762.aspx#458296</link><pubDate>Sat, 23 Sep 2006 00:34:31 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:458296</guid><dc:creator>Jesper's Blog</dc:creator><description>The VML vulnerability continues to haunt us. According to SANS the exploit is &amp;amp;amp;quot;spreading,&amp;amp;amp;quot;</description></item><item><title>Desktop Firewall oder Anwendungs-Paketfilter - Seite 2 | hilpers</title><link>http://blogs.technet.com/jesper_johansson/archive/2006/01/02/416762.aspx#3186897</link><pubDate>Tue, 20 Jan 2009 17:36:55 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3186897</guid><dc:creator>Desktop Firewall oder Anwendungs-Paketfilter - Seite 2 | hilpers</dc:creator><description>&lt;p&gt;PingBack from &lt;a rel="nofollow" target="_new" href="http://www.hilpers.com/6452-desktop-firewall-oder-anwendungs-paketfilter/2"&gt;http://www.hilpers.com/6452-desktop-firewall-oder-anwendungs-paketfilter/2&lt;/a&gt;&lt;/p&gt;
</description></item><item><title>[Info] vulnerabilita' WMF - Pagina 2 | hilpers</title><link>http://blogs.technet.com/jesper_johansson/archive/2006/01/02/416762.aspx#3188508</link><pubDate>Wed, 21 Jan 2009 18:54:35 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3188508</guid><dc:creator>[Info] vulnerabilita' WMF - Pagina 2 | hilpers</dc:creator><description>&lt;p&gt;PingBack from &lt;a rel="nofollow" target="_new" href="http://www.hilpers.it/2575927-info-vulnerabilita-wmf/2"&gt;http://www.hilpers.it/2575927-info-vulnerabilita-wmf/2&lt;/a&gt;&lt;/p&gt;
</description></item></channel></rss>