Patch Windows now.
January 1, 2006 6:51 PM

Patch Windows now. The Windows Metafile exploits are beginning to look like one of the worst-ever Windows malware epidemics. It is a true drive-by exploit - infection with a whole raft of insidious malware just by looking at a web page with IE, or reading an email or IM with an image (depending on the program you use). It will really explode tomorrow when all the business PCs go back online, because as of now there is no good prevention with firewalls, anti-virus or IDS. The SANS Internet Storm Center handlers have been the most up to date source of information (first link above). The DSL Reports thread has good signal-to-noise. Insight and advice actually comes close to outweighing the usual microsoft-bashing in the latest /. thread on it. But Ilfak Guilfanov has outdone everyone with an unofficial patch (source included - admire the code - he is expertly patching a closed-source binary).
posted by jam_pony (339 comments total)
 
Why the fuck is there a third-party patch and not an official one? We knew about this last week. This is exactly the sort of thing Microsoft has all that money for.
posted by Protocols of the Elders of Awesome at 7:03 PM on January 1, 2006


"Will unregistering the DLL (without using the unofficial patch) protect me?

It might help. But it is not foolproof. We want to be very clear on this: we have some very strong indications that simply unregistering the shimgvw.dll isn't always successful. The .dll can be re-registered by malicious processes or other installations, and there may be issues where re-registering the .dll on a running system that has had an exploit run against it allowing the exploit to succeed. In addition it might be possible for there to be other avenues of attack against the Escape() function in gdi32.dll. Until there is a patch available from MS, we recommend using the unofficial patch in addition to un-registering shimgvw.dll."

posted by mr_crash_davis at 7:04 PM on January 1, 2006


It will really explode tomorrow when all the business PCs go back online

I thought most everyone had off tomorrow for the observed holiday?
posted by Remy at 7:06 PM on January 1, 2006


MS has a security advisory about it also. They recommend that you unregister the impacted dll. The relevant info is this:
Microsoft has tested the following workaround. While this workaround will not correct the underlying vulnerability, it helps block known attack vectors. When a workaround reduces functionality, it is identified in the following section.

Note The following steps require Administrative privileges. It is recommended that the machine be restarted after applying this workaround. It is also possible to log out and log back in after applying the workaround. However, the recommendation is to restart the machine.

To un-register Shimgvw.dll, follow these steps:

1. Click Start, click Run, type "regsvr32 -u %windir%\system32\shimgvw.dll" (without the quotation marks), and then click OK.

2. A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.

Impact of Workaround: The Windows Picture and Fax Viewer will no longer be started when users click on a link to an image type that is associated with the Windows Picture and Fax Viewer.

To undo this change, re-register Shimgvw.dll by following the above steps. Replace the text in Step 1 with "regsvr32 %windir%\system32\shimgvw.dll" (without the quotation marks).
I've also reassigned the .wmf file association to notepad until MS releases an actual patch.

ISC recommends blocking the following IP netblocks at your firewall/router:

InterCage Inc.: 69.50.160.0/19 (69.50.160.0 - 69.50.191.255)

Inhoster: 85.255.112.0/20 (85.255.112.0 - 85.255.127.255)


I trust ISC pretty heavily, but I've not installed the patch yet. I'm waiting to see what happens tomorrow.
posted by dejah420 at 7:06 PM on January 1, 2006


I'm having second thoughts about buying that Sony BMG "Ultimate Prog Rock Metafile Collection".

"Why should consumers care? Most of them don't know what a Metafile is..."
posted by Protocols of the Elders of Awesome at 7:10 PM on January 1, 2006


So wait, Microsoft has officially recommended unregistering the DLL, but they haven't got something on Windows Update to do it automatically? That's...not...joined...up...
posted by Protocols of the Elders of Awesome at 7:11 PM on January 1, 2006


Can someone dumb this down for the dumbasses amongst us? (not me, of course!) Just who is vulnerable and through what actions can one become ... infected?
posted by papakwanz at 7:29 PM on January 1, 2006


papakwanz, Windows Metafiles (.wmf) and Extended Windows Metafiles (.emf) are image files, invented by Microsoft. They are fairly rare for most people. If you open one that has been specially designed for evil, either directly on the web, embedded in a webpage (I think) or attached to your email, the creator can run any code he likes on your machine. This is due to a flaw in Windows.

So, if you get sent a file with either of those extensions, don't open it until Microsoft gets off its arse and provides an update. And, of course, update your anti-virus software immediately.
posted by Protocols of the Elders of Awesome at 7:37 PM on January 1, 2006


This vulnerability has freaked out the admins enough at one of the forums that I read that they disabled posting of images entirely, which is a pretty big thing on a forum where threads are often chock full of game screenshots or scans from game magazines.

I'm also pretty sure there are some people here who wouldn't mind disabling images on MeFi too.
posted by yeoz at 7:40 PM on January 1, 2006


Can someone dumb this down for the dumbasses amongst us?

Buy a Mac already?
posted by Rothko at 7:41 PM on January 1, 2006


It's not just files with .wmf/.emf extensions.
from the link:
  • Should I just block all .WMF images?
    This may help, but it is not sufficient. WMF files are recognized by a special header and the extension is not needed. The files could arrive using any extension, or embedded in Word or other documents.
The files could be in a .doc or have a .jpg or any other extension, and would still trigger the exploit if opened.
posted by yeoz at 7:46 PM on January 1, 2006


they disabled posting of images entirely

Why stop there? WMF files include binary code... just ban the numbers 0 and 1 from being transmitted over the server and you'll be safe.
posted by Protocols of the Elders of Awesome at 7:46 PM on January 1, 2006


How will this affect the installation of an official patch in the future?
posted by chrominance at 7:47 PM on January 1, 2006


Why stop there? WMF files include binary code... just ban the numbers 0 and 1 from being transmitted over the server and you'll be safe.

Because the <img> tag was the most direct vector for this particular exploit on that particular forum?... why are you being snarky? :(
posted by yeoz at 7:57 PM on January 1, 2006


For maximum effect, release exploit while those who would fix it are home on holiday drinking wine, and while those who would get hosed are home on holiday drinking wine, put in a week or so delay for any obnoxious action to allow maximum penetration and then wait for business to open.
posted by caddis at 8:02 PM on January 1, 2006


ISC recommends blocking the following IP netblocks at your firewall/router:

InterCage Inc.: 69.50.160.0/19 (69.50.160.0 - 69.50.191.255)

Inhoster: 85.255.112.0/20 (85.255.112.0 - 85.255.127.255)
Uh, WTF do I do with this? I don't get how section A of each of those lines relates to section B & C (in parentheses). And my router config screens seem to offer "keyword blocking" but not IP blocking.
posted by Tubes at 8:04 PM on January 1, 2006


"regsvr32 -u %windir%\system32\shimgvw.dll" (without the quotation marks)

this needs to be redone every time computer is booted. until the official patch is out, probably good idea to commit that one to memory. I hope the windoze abused like typing. heh
posted by rodney stewart at 8:07 PM on January 1, 2006


I'll take this up with our admins first thing today. Thanks.
posted by jouke at 8:07 PM on January 1, 2006


Tubes, you need to point all those routes to null. usually done by adding static routes for the above and set to a fake next hop address.
posted by rodney stewart at 8:13 PM on January 1, 2006


Sweet pogoing Christ wearing titty tassels on a trampoline. I have a dreadful feeling work is going to be absolute hell this week - perhaps even starting as early as tomorrow morning.

Is there any known way yet to filter and detect embedded (non *.WMF named) WMF data for use in active firewall or server filtering?
posted by loquacious at 8:20 PM on January 1, 2006
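The two points above (yeoz's quote that Windows recognises a WMF by its header rather than its extension, and loquacious's question about filtering embedded, non-.wmf-named metafile data on a server) both come down to looking at the bytes instead of the filename. The following is an added example, not code from the thread or from any of the sites it links: a small Python classifier that identifies WMF and EMF data from the documented header fields (the placeable-WMF key, the standard WMF header layout, and the " EMF" signature at offset 40 of an EMF header) and a scan over a set of constructed uploads, two of which are metafiles renamed to .jpg and .png.

```python
"""Identify Windows Metafile data by its header bytes, ignoring the extension.

Added example; not from the thread.  Header layouts follow the public WMF/EMF
format documentation.  The sample "uploads" below are constructed for this
example and contain only headers, no drawing records.
"""
import struct

PLACEABLE_KEY = 0x9AC6CDD7   # 32-bit key that opens a placeable (Aldus) WMF header
EMF_SIGNATURE = b" EMF"      # ASCII signature at bytes 40..43 of an EMF EMR_HEADER


def classify_metafile(data: bytes):
    """Return 'wmf-placeable', 'wmf', 'emf', or None for the leading bytes of a file."""
    # Placeable WMF: 22-byte header starting with a fixed key, then the standard header.
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        return "wmf-placeable"
    # Standard WMF header (18 bytes): Type is 1 (memory) or 2 (disk), HeaderSize is
    # always 9 sixteen-bit words, Version is 0x0100 or 0x0300.
    if len(data) >= 18:
        mf_type, header_size, version = struct.unpack_from("<HHH", data, 0)
        if mf_type in (1, 2) and header_size == 9 and version in (0x0100, 0x0300):
            return "wmf"
    # EMF: record type 1 (EMR_HEADER) at offset 0 and " EMF" at offset 40.
    if (len(data) >= 44
            and struct.unpack_from("<I", data, 0)[0] == 1
            and data[40:44] == EMF_SIGNATURE):
        return "emf"
    return None


def scan_uploads(files: dict):
    """Return sorted (name, kind) pairs for every upload whose bytes are a metafile,
    whatever its extension claims.  A filter would reject these before storing them."""
    hits = []
    for name, data in sorted(files.items()):
        kind = classify_metafile(data)
        if kind is not None:
            hits.append((name, kind))
    return hits


# --- constructed sample uploads (headers only) ---
_std_wmf_header = struct.pack("<HHHHHHIH", 2, 9, 0x0300, 9, 0, 0, 0, 0)
_placeable_header = struct.pack("<I", PLACEABLE_KEY) + b"\x00" * 18   # key + 18 bytes of fields
_emf_header = struct.pack("<II", 1, 108) + b"\x00" * 32 + EMF_SIGNATURE + b"\x00" * 64

SAMPLE_FILES = {
    "photo.jpg": _placeable_header + _std_wmf_header,  # placeable WMF renamed to .jpg
    "diagram.bin": _std_wmf_header,                     # bare WMF with an unrelated extension
    "logo.png": _emf_header,                            # EMF renamed to .png
    "real.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 40,     # genuine JPEG start-of-image marker
}

if __name__ == "__main__":
    for name, kind in scan_uploads(SAMPLE_FILES):
        print(f"{name}: {kind}")
```

Two caveats follow from the thread itself: the standard WMF header is short and weakly structured, so a filter built only on that check will occasionally flag unrelated binary data and should be paired with a content-type check, and, as the ISC quote says, a metafile embedded inside a Word or other container document does not start at offset 0 and is not caught by a header scan of the whole upload.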


As a Mac user, I won't gloat.

But it's fascinating... Why does an image file need to execute code? I looked it up but I don't get what it's used for exactly.

Oh, and one of the websites linked to recommended Firefox 1.5, which will at least ask before opening a WMF.
posted by fungible at 8:31 PM on January 1, 2006


fungible, the problem involves a memory buffer overflow, which Windows currently fails to prevent. When this happens, computers can behave in many unpredictable ways, and can be taken advantage of.
posted by Protocols of the Elders of Awesome at 8:37 PM on January 1, 2006


you don't need to take any action to get infected. if windows comes in contact with one of these infected files, you're fucked, because windows detects and acts upon windows metafiles automatically, without regard to file extension. this can happen simply by reading email, receiving an IM, or looking at a web site. unregistering shimgvw.dll may only delay infection. also note MS says unregistering shimgvw.dll "helps block known attack vectors", not blocks all attack vectors. the flaw is in gdi32.dll, there are almost certainly other ways to exploit it. movie of infection happening here. this is gonna be quite a show. i'm making popcorn and burning copies of ubuntu linux for my friends.
posted by quonsar at 8:40 PM on January 1, 2006


Dumbass here: Will running Firefox make me safe?
posted by LarryC at 8:49 PM on January 1, 2006


rodney stewart: this needs to be redone every time computer is booted.

microsoft: It is recommended that the machine be restarted after applying this workaround.

skallas: I hope non "windoze" users can learn how copy and paste works

i hope rodney stewart can learn how reading works.
posted by quonsar at 8:50 PM on January 1, 2006


Blaster was worse. Yawn.
posted by cellphone at 8:55 PM on January 1, 2006


Dumbass here: Will running Firefox make me safe?
posted by LarryC at 10:49 PM CST on January 1


No. Firefox has a long history of security issues, much like IE. In this case, however, you are safe from this particular vulnerability.
posted by cellphone at 8:56 PM on January 1, 2006


LarryC: NO. The Metafile vulnerability is system-wide, and doesn't rely on a particular browser. Anything that triggers the Metafile engine can exploit the vulnerability, whether it's IE, Firefox, Google Desktop, Irfanview, or any of a large number of other applications.
posted by chrominance at 8:57 PM on January 1, 2006


LarryC: No. If you are running Windows, you are not safe no matter what browsers or other applications you use. Any program which views, indexes, manipulates, or even just glances at image files will load the vulnerable Windows DLL when it encounters a WMF file.
posted by ubernostrum at 8:59 PM on January 1, 2006


Reading the comment thread on Ilfak Guilfanov's site, it's nice to see Steve Gibson checking in and verifying that the third-party patch does what it says it does, and does it well. Normally, I'd be pretty suspicious about installing some third-party DLL patch, but with a vulnerability this big, and an MS non-response this obvious, I'll be using Ilfak's workaround until there is a peep outa Redmond.
posted by delfuego at 9:03 PM on January 1, 2006


Will running Firefox make me safe?

no. en. oh. no. firefox and opera and most browsers will download any file with a .gif/.jpg/.png extension without user intervention (after all, that's what you expect it to do, it's a web browser.), and that file could be a .wmf simply renamed to .gif/.jpg/.png. once said file gets to your windows machine, windows automatically recognises it regardless of extension and you are fucked. here's a slashdotter who got infected running firefox.
posted by quonsar at 9:04 PM on January 1, 2006


cellphone: In this case, however, you are safe from this particular vulnerability.

cellphone is incorrect.
posted by quonsar at 9:05 PM on January 1, 2006


Plain english description of the exploit: if you visit a page hosting the file with IE with default security settings it'll infect you with no warning or interaction required. Here's a demo (WMV file, this is safe to view). It can be hidden in iframes or even snuck in via ad banners embedded on a page.

Firefox up to 1.07 and Opera prompt you to open the file with Windows Picture and Fax Viewer. If you do, you're infected. Firefox 1.5 tries to open it with Windows Media Player which doesn't know what to do with it (possibly a bug in Firefox). If you download the file and happen to have Google Desktop Search (and possibly other search programs) it'll helpfully index the file and infect you...the thumbnail image preview in Windows Explorer is also a vector. It's also circulating via e-mail spam.

There's been good coverage of this on Sunbelt's blog and Kaspersky Lab's Analyst's Diary. Also, the Wilders Security Forums thread.

There are already over 70 known variants, and they are easy to create. An eWeek article on AV's response effectiveness, commentary on it and another similar Wilders thread. Some aren't doing too badly, but if your AV is set to only update its definitions just once a week, that's really not gonna cut it. Lag time between new versions and updates is a killer--AVs with poor heuristics like Norton/Symantec probably won't be as effective in real world situations as the links might seem to suggest.

Sans and others have vetted and endorsed that 3rd party patch. It'll create an entry in Add/Remove Programs that can be used to safely uninstall it when an official hotfix comes out. I went ahead and applied it with no ill effects.
posted by Pryde at 9:14 PM on January 1, 2006


quonsar - that infection movie: I understand the part where the infection happens. What I want to know is - the spyware removal bit, is that an example of the sort of payload this could carry? I.e. a spyware remover that wants to pop you for $40 to remove the exploit?

(I just think that's particularly sneaky, if that's the case)
posted by Jimbob at 9:16 PM on January 1, 2006


My sister and I are Mac users (thanks to me) but my mom still runs a Win2000 box. Should I tell her to simply avoid the internet until Microsoft offers an official patch or is that too drastic? For lay users, how great is the risk?
posted by SeizeTheDay at 9:19 PM on January 1, 2006


Thanks for the oblique tip, rodney stewart. However, these are the instructions for setting static routes for my router:
To set up a static route:

1. Click the Add button.
2. Type a route name for this static route in the Route Name box under the table.
(This is for identification purpose only.)
3. Select Active to make this route effective.
4. Select Private if you want to limit access to the LAN only. The static route will not be reported in RIP.
5. Type the Destination IP Address of the final destination.
6. Type the IP Subnet Mask for this destination.
If the destination is a single host, type 255.255.255.255.
7. Type the Gateway IP Address, which must be a router on the same segment.
8. Type a number between 2 and 15 as the Metric value.
This represents the number of routers between your network and the destination.
9. Click Apply to have the static route entered into the table.
Blahblahblahblah. I'm a pretty experienced user but I'm not a freaking network administrator. I think a whole lot of people are screwed unless a Windows Update patch for the root cause comes out soon.
posted by Tubes at 9:19 PM on January 1, 2006


Quonsar, that slashdotter who got infected said "only thing I did was to open a .wmf movie in Firefox", he seemed to have confused wmf with wmv or wmx and opened it. Still I wouldn't take any chances relying on Firefox for protection.
posted by bobo123 at 9:21 PM on January 1, 2006


a spyware remover that wants to pop you for $40 to remove the exploit?

i think it's someone using the exploit to add insult to injury by stealing a victim's credit card number while allegedly selling them non-existent software.
posted by quonsar at 9:25 PM on January 1, 2006


Thank you, Pryde.

And thank you SeizeTheDay for asking my question.

--also, any one? Is my company's Windows Server vulnerable?
posted by jaronson at 9:26 PM on January 1, 2006


he seemed to have confused wmf with wmv or wmx and opened it

as pointed out above, the extension could be anything.
posted by quonsar at 9:26 PM on January 1, 2006


tubes, those pairs of IPs are equivalent. the first number x.x.x.x/n is an address/netmask pair. "n" means how many bits of the 32-bit IP address are valid; the last 32-n bits are "masked off" or in other words can be 0 or 1. the numbers in parens are equivalent to the addr/netmask when you expand out the "dont care" bits. the addr/netmask pair is shorthand.

my linksys router apparently can not do filtering of IP addresses or IP address ranges. i'm surprised by this. perhaps one could install route table entries to /dev/null for those addresses but i dont think this would prohibit incoming connections. it would probably not allow a TCP session to start up successfully though, and thus would protect you.

on preview: it looks like you have a partial answer per your post.
posted by joeblough at 9:27 PM on January 1, 2006
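joeblough's explanation of the ISC netblocks (the first n bits of the 32-bit address are fixed, the remaining 32-n are "don't care") is easy to check with a few lines of arithmetic. The block below is an added example, not from the thread: it expands an address/prefix pair into the first-last range the thread shows in parentheses, doing the masking by hand, and then tests individual addresses against the blocks the way a firewall rule would. The two netblocks are the ones the thread quotes from ISC; the probe addresses are constructed.

```python
"""Expand "a.b.c.d/n" shorthand into a first-last range and test membership.

Added example, not from the thread.  The netblocks are the two quoted from
ISC in the thread; the addresses checked against them are constructed.
"""
import ipaddress

# Netblocks as listed in the thread (from ISC).
ISC_BLOCKS = {
    "InterCage Inc.": "69.50.160.0/19",
    "Inhoster": "85.255.112.0/20",
}


def cidr_to_range(cidr: str):
    """Return (first, last) dotted quads for a.b.c.d/n, computed by hand:
    n leading bits are fixed, the remaining 32-n host bits run from all-0 to all-1."""
    addr_text, prefix_text = cidr.split("/")
    prefix = int(prefix_text)
    if not 0 <= prefix <= 32:
        raise ValueError(f"bad prefix length in {cidr}")
    addr = int(ipaddress.IPv4Address(addr_text))
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF   # n ones followed by 32-n zeros
    first = addr & mask                                 # host bits cleared
    last = first | (~mask & 0xFFFFFFFF)                 # host bits set
    return str(ipaddress.IPv4Address(first)), str(ipaddress.IPv4Address(last))


def in_block(ip: str, cidr: str) -> bool:
    """True when ip lies inside the block; this is the test a firewall rule performs."""
    return ipaddress.IPv4Address(ip) in ipaddress.ip_network(cidr, strict=False)


def match_blocks(addresses, blocks=ISC_BLOCKS):
    """Map each address to the name of the block containing it, or None."""
    result = {}
    for ip in addresses:
        result[ip] = next((name for name, cidr in blocks.items() if in_block(ip, cidr)), None)
    return result


if __name__ == "__main__":
    for name, cidr in ISC_BLOCKS.items():
        first, last = cidr_to_range(cidr)
        print(f"{name}: {cidr} ({first} - {last})")
    # Constructed probe addresses: one inside each block, one just past the end of each.
    print(match_blocks(["69.50.175.1", "69.50.192.1", "85.255.120.9", "85.255.128.1"]))
```

The ranges printed for the two blocks are exactly the ones in the thread's parentheses, which is the point of joeblough's remark that the two notations are equivalent. As jam_pony notes later, these rules are for network administrators; the thread also makes clear that blocking these hosts does not stop the exploit itself, since the files can be served from anywhere.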


Oh, and not that I'm doubting anyone for a minute, but, if the sky is truly falling, why is there no story about it on Google News?
posted by jaronson at 9:29 PM on January 1, 2006


pfft. clearly you do not understand how google news works.
posted by quonsar at 9:30 PM on January 1, 2006



jaronson writes "why is there no story about it on Google News?"

Partially the excellent timing. This year we got up to a four day window at christmas for maintenance (December 24-27) in many large organisations. All that time then meant people weren't hanging around during the ramp up of this exploit.
posted by Mitheral at 9:34 PM on January 1, 2006


Wow -- now that the folks at SANS are endorsing Ilfak's patch, and have provided an MSI file suitable for mass-distribution via policy files, there really is no excuse for this not being on every sysadmin's critical installation list first thing tomorrow morning. And since Microsoft has indicated to SANS that no patch will be forthcoming from them until around January 9th (read the end of that SANS link), there's really no point in waiting any longer -- just install the third-party patch now, and uninstall it once MS does their thing.
posted by delfuego at 9:37 PM on January 1, 2006


For the (justly) paranoid, VMware actually recently released VMware Player, a free version of their virtualization software along with a prebuilt "Browser Appliance" that's based on Ubuntu Linux. You need a fairly powerful computer to run it well, though. (Plentiful RAM is the most important thing.) They did have to recently patch their own software because of a potential vulnerability to the host system, but overall it's pretty secure and neat to play with.

The full version of VMware is actually the tool security researchers use to analyze malware on virtualized Windows installs--the demo WMV I see quonsar beat me to posting was created using it (you can tell by the icon in the systray next to the clock).
posted by Pryde at 9:38 PM on January 1, 2006


Will the official MS patch likely be available to people using pirated copies of Windows?
posted by jimmy at 9:39 PM on January 1, 2006


No.
posted by Protocols of the Elders of Awesome at 9:42 PM on January 1, 2006


fuck
posted by jimmy at 9:44 PM on January 1, 2006


Microsoft costs businesses billions upon billions of dollars worldwide every time another one of these fucking exploits shows up. Why the hell do they suck SO MUCH? And why the hell do people PUT UP WITH IT?
posted by wakko at 9:44 PM on January 1, 2006


Also, why the FUCK isn't there a fix RIGHT NOW?
posted by wakko at 9:44 PM on January 1, 2006


jimmy: who knows. Maybe not, which increases risk for everyone else.

White hats: please write a worm that patches vulnerable winboxen with Ilfak's patch. Thanks.
posted by Slithy_Tove at 9:45 PM on January 1, 2006


Why the hell do they suck SO MUCH?

In my opinion, the fact that this exploit exists is not sucky. Trying to prevent every buffer overflow in an OS is a terrifying prospect. If this was an obvious exploit, it would have been discovered years ago. I have no doubt that there are many such exploits in other operating systems which don't get discovered because too few people are trying to find and exploit them.

The fact that there isn't an official patch out is, however, highly sucky.
posted by Protocols of the Elders of Awesome at 9:48 PM on January 1, 2006


AFAIK, while windows update won't work with a pirated copy of windows, you can always download the patch itself and install that directly.
posted by yeoz at 9:48 PM on January 1, 2006


And why the hell do people PUT UP WITH IT?

Laziness, stinginess and ignorance.
posted by Rothko at 9:49 PM on January 1, 2006


Trying to prevent every buffer overflow in an OS is a terrifying prospect

Some vendors already manage this properly.
posted by Rothko at 9:53 PM on January 1, 2006


Show me a vendor who has prevented every buffer overflow in their OS.
posted by event at 9:55 PM on January 1, 2006


Trying to prevent every buffer overflow in an OS is a terrifying prospect.

It's not that terrifying.

From the link:
  • What is DEP (Data Execution Protection) and how does it help me? With Windows XP SP2, Microsoft introduced DEP. It protects against a wide range of exploits, by preventing the execution of 'data segments'. However, to work well, it requires hardware support. Some CPUs, like AMD's 64 Bit CPUs, will provide full DEP protection and will prevent the exploit.
People have been working on techniques to prevent buffer overflows for some time now. No clue if it'll actually do anything in regard to this exploit though. (Just checking my own AMD64 machine at home, Hardware DEP is enabled for all programs; I don't know if that was a default though.)

On Preview:
Some vendors already manage this properly.

Like OpenBSD, which has had some degree of built in buffer-overflow protection for a few releases now? :P
posted by yeoz at 9:56 PM on January 1, 2006


And why the hell do people PUT UP WITH IT?

because there's software ... lots of software that doesn't run on any other platform

aside from games, music apps are something i run in windows ... many of them don't have an effective equivalent elsewhere ... and don't talk to me about linux music apps ... i've tried them and they're just not at the same level ... and macs are too expensive

microsoft needs to STOP development for a while and fix what they have
posted by pyramid termite at 9:58 PM on January 1, 2006


protocols, MS does make security patches available without checking that the copy of windows is legit.

Those IP ranges are for network administrators who are used to putting firewall rules in place - probably not worth bothering for home users. Those netblocks are home to some bad guys but the exploits can be anywhere on the net. A common method is making a wmf (with any filename extension) the source of an iframe.

The hardware DEP reportedly prevents it but the software DEP supposedly does not.
posted by jam_pony at 9:58 PM on January 1, 2006


Speaking as a Mac user, I'd just like to say we all pity you poor Windows users and it serves you right.
posted by keswick at 9:58 PM on January 1, 2006


Sun's Trusted Solaris goes pretty far. StackGuard, libsafe and other options help vendors write safer code, some of which finds its way into military apps.
posted by Rothko at 10:02 PM on January 1, 2006


I'm 99% sure, that, while windows update won't work with a copy of XP that fails the "Windows Genuine Advantage" validation, users can still get "critical fixes" via automatic updates.
posted by yeoz at 10:03 PM on January 1, 2006


macs are too expensive

Cheaper than tech support, but it's your dollar.
posted by Rothko at 10:04 PM on January 1, 2006


You realize, keswick, that there are a lot of smart people who know that Macs haven't been hit with viruses and vulnerabilities like Windows has, and yet don't feel the need to play "I told you so!" whenever something like this pops up.
posted by chrominance at 10:05 PM on January 1, 2006


Trying to prevent every buffer overflow in an OS is a terrifying prospect.

It's not that terrifying.

Then let's rephrase it: Trying to prevent every possible exploit in an OS is a terrifying prospect.

Even the vaunted OpenBSD team has had vulnerabilities. You can raise the bar for difficulty of triggering the exploit (like OpenBSD does, like StackGuard does, like libsafe, etc.), but you can't make it impossible.
posted by event at 10:08 PM on January 1, 2006


The hardware DEP reportedly prevents it but the software DEP supposedly does not.

According to Kaspersky Lab, it isn't foolproof:

At first glance it seems that hardware-based Data Execution Protection, which is available only with XP/SP2 on NX-bit (AMD) and XD-bit (Intel) enabled CPUs, prevents successful exploitation of the vulnerability.

We've tested on AMD and Intel platforms and HW DEP seemed initially to prevent successful exploitation in Internet Explorer and Windows Explorer. However, when testing the latest builds of third party image viewers like Irfanview and XnView HW DEP didn't prevent exploitation, even with HW DEP enabled for all programs. This is because both Irfanview and XnView are packed with ASPack and Windows disables HW DEP for ASPack packed files.

posted by Pryde at 10:09 PM on January 1, 2006


("an exploit" not "the exploit")
posted by event at 10:10 PM on January 1, 2006


Cheaper than tech support, but its your dollar.

my tech support is on google.com and groups.google.com ... works fine for me
posted by pyramid termite at 10:11 PM on January 1, 2006


I'm a windows and linux user who avoids Macintosh for good reasons. Yet I recommend them often.

The criteria are (a) can afford one (b) likes the interface (c) wants things to "just work" without having to bother too much about security, tinkering etc. This describes a lot of the computer user population.
posted by jam_pony at 10:12 PM on January 1, 2006


Can anyone answer my questions upthread: Should I tell her to simply avoid the internet until Microsoft offers an official patch or is that too drastic? For lay users, how great is the risk?

And for god's sake Rothko, computers in their current form are built for Windows. For better or for worse, just like the US economy, the world is stuck with Windows. So your silly attempts to sell Apple are effectively meaningless and a derail to this thread.
posted by SeizeTheDay at 10:15 PM on January 1, 2006


my tech support is on google.com and groups.google.com ... works fine for me

Then you are in the minority of the minority capable of understanding a) what to search for on google.com/groups.google.com; and, b) how to interpret the search results.

I wouldn't send my loved ones on their own like this, given that Microsoft can't support their own OS, and so I either fix my friends' and families' Windows boxes repeatedly or gently push them to safer, less expensive alternatives. (The only reason Macs are "more expensive" is because of less software piracy, anyway.)
posted by Rothko at 10:19 PM on January 1, 2006


So your silly attempts to sell Apple are effectively meaningless and a derail to this thread.

I'm not "selling" anything. Using a legitimate alternative to Windows is a perfectly legitimate option for fixing this problem in the long-term, and I'm well within my rights to suggest this solution — if only to curtail these unnecessary threads that are not worthy of "best of the web", by any stretch.
posted by Rothko at 10:25 PM on January 1, 2006


CarpeDiem: She's a typical user who uses IE, Outlook, default settings?

Either get her dll deregistered and the patch installed, or have her stay offline for a while, whichever is easier for both of you.

How great is the risk in general? It's hard to tell how likely one is to encounter this in casual use. Certainly the risk is greater in sleazy areas of the internet - porn, poker and such. And anyone who has poor spam filtering, takes attachments from strangers and so on is more at risk.

Probably there's less of it for those who just go to mainstream websites. The risk there is from sub-sub-contracted ads that may show up on pages.
posted by jam_pony at 10:25 PM on January 1, 2006


Excuse feeble attempt at cleverness, it occurs to me now there may be someone else with "carpediem" instead of "seize the day".
posted by jam_pony at 10:27 PM on January 1, 2006


Oh, come on. The fact that this exploit exists is a fucking joke. Seriously, at some point some developer had to have considered that allowing an image file to execute arbitrary code might, kinda, y'know, maybe be a bad idea.

No, this is a really, really stupid mistake, and I agree that it's emblematic of what a horrid company Microsoft is.
posted by spiderwire at 10:37 PM on January 1, 2006


Will the official MS patch likely be available to people using pirated copies of Windows?

Switching on automatic background updates (if you have SP2) will keep your system up to date, whether you have a disallowed key or not, even if the windowsupdate site says you're naughty and locks you out.

Not that it'll help with this new issue any time soon, but just as an FYI.
posted by stavrosthewonderchicken at 10:39 PM on January 1, 2006


Seriously, at some point some developer had to have considered that allowing an image file to execute arbitrary code might, kinda, y'know, maybe be a bad idea.

Looks like you need to learn about buffer overflows.

...or just read the thread...

posted by event at 10:41 PM on January 1, 2006


.....that said, there are a whole host of other reasons why the "developing an OS is haaaard" excuse doesn't fly (e.g. the use of DLLs in the first place), but I'm just sayin' -- even on face this exploit doesn't pass the laugh test.
posted by spiderwire at 10:41 PM on January 1, 2006


So this thing might be an issue for people who go to the "seedier" sites on the internet? It sounds like the risk for lay users is no more than usual.

wtf, geeks? chicken little much?

Thanks for the heads up just the same. pfft.
posted by jaronson at 10:42 PM on January 1, 2006


I've read the thread, chief. I'm saying that in principle, it's a really moronic idea -- from a developer's perspective -- to allow an image file to execute arbitrary code, buffer overflow or no.
posted by spiderwire at 10:44 PM on January 1, 2006


So this thing might be an issue for people who go to the "seedier" sites on the internet? It sounds like the risk for lay users is no more than usual.

You, sir, are a fool. Have fun with your spyware-infected paperweight.
posted by spiderwire at 10:45 PM on January 1, 2006


Also, with regards to updating pirated systems, there's this and this.

I've only used the latter (which is very good indeed) and can't vouch personally at all for the former, so caveat piratus or some fake latin like that.
posted by stavrosthewonderchicken at 10:48 PM on January 1, 2006


Metafilter: wtf, geeks?
posted by papakwanz at 10:49 PM on January 1, 2006


Thanks for the reply, spiderwire. Why do you assume I will have a spyware-infected paperweight?
posted by jaronson at 10:50 PM on January 1, 2006


I'm saying that in principle, it's a really moronic idea -- from a developer's perspective -- to allow an image file to execute arbitrary code, buffer overflow or no.

Agreed, data in image files shouldn't ever be executed.

But this isn't a Microsoft problem -- no Microsoft programmer made the decision to allow this. The problem is far more fundamental, at the level of the processor/programming language.
posted by event at 10:51 PM on January 1, 2006


Thanks stavros.
posted by jimmy at 10:51 PM on January 1, 2006


Um, I'm no techno weenie, but my NAV seems to have caught an attempted infection via this exploit during recent Web surfing: "[tempdir]/[filename].wmf: Download.Trojan". Might it just be enough to update our anti-virus definitions...?
posted by twsf at 10:53 PM on January 1, 2006


jaronson: because the implication that your computer can be infected only by surfing, quote, "seedier" sites is patently false. Your system can be infected by loading any image, even if you don't display it. Additionally, your computer could become infected via any other number of vectors -- IM, email, etc -- from any other infected system.

In other words, the claim that "the risk for lay users is no more than usual" is also false, and it's irresponsible to be claiming it. I assure you that you do run a risk of having your system disabled if you don't protect it properly, and by all appearances this is a very serious exploit.

Do what you want with your own computer, but since you don't have a clue what you're talking about, please, STFU and take it elsewhere, because your advice puts other people at risk.
posted by spiderwire at 10:59 PM on January 1, 2006


So this thing might be an issue for people who go to the "seedier" sites on the internet? It sounds like the risk for lay users is no more than usual.


ack spiderwire beat me to it. unless by lay user, you mean someone that doesn't use email/im?

Um, I'm no techno weenie, but my NAV seems to have caught an attempted infection via this exploit during recent Web surfing: "[tempdir]/[filename].wmf: Download.Trojan". Might it just be enough to update our anti-virus definitions...?

NAV is picking up the signature of the payload and not the signature of the vector. If the bad guys write up some new payload then NAV will miss it. Something I read by surfing outwards from the original post said that.
posted by juv3nal at 11:01 PM on January 1, 2006


from a developer's perspective -- to allow an image file to execute arbitrary code, buffer overflow or no.

It's a buffer overflow. You're not speaking "from a developer's perspective" if you think a buffer overflow constitutes "allowing" an image file to do anything. You're speaking from "an ignorant perspective".
posted by swell at 11:02 PM on January 1, 2006


Why do you assume I will have a spyware-infected paperweight?

because you don't even understand how google news works, for one thing.
posted by quonsar at 11:02 PM on January 1, 2006


But this isn't a Microsoft problem -- no Microsoft programmer made the decision to allow this.

It's endemic to the entire Microsoft development culture. No software house worth its salt should have ever written an OS as miserable in even the most basic fundamentals of security as Windows. The image-execution problem is only one small example of this issue, although it's an informative one if you consider just how stupid it is. It's a QC issue, plain and simple.

This is a nice overview that was on Reddit a few days ago that I think explains this nicely. (Although it's real real long.) Fun read.
posted by spiderwire at 11:03 PM on January 1, 2006


Something I read by surfing outwards from the original post said that.

Actually it's in the first link of the original post if you scroll down:
here
posted by juv3nal at 11:05 PM on January 1, 2006


swell: It's a buffer overflow. You're not speaking "from a developer's perspective" if you think a buffer overflow constitutes "allowing" an image file to do anything. You're speaking from "an ignorant perspective".

From the SANS FAQ:

"What is the actual problem with WMF images here?

WMF images are a bit different than most other images. Instead of just containing simple 'this pixel has that color' information, WMF images can call external procedures. One of these procedure calls can be used to execute the code."


But yeah, they're a bunch of ignoramuses, too.
posted by spiderwire at 11:07 PM on January 1, 2006


Alright, now we're gettin' somewhere...

Thank you again, spiderwire.

So I downloaded the fix from hexblog.com, and I have my anti-virus (avast) and my firewall in place and don't open spam emails (like usual) and don't use instant messenger. Have I done everything I can to reduce my vulnerability?

and quonsar, I've always appreciated your comic relief.
posted by jaronson at 11:11 PM on January 1, 2006


Thank you again, spiderwire.

I'm not sure if you're being sarcastic, but if not, I apologize for the 'STFU.' I think that this is a serious problem and that it shouldn't be sold short.

The Guilfanov patch seems to be the way to go at the moment. The point I was making is that -- especially in the case of an exploit with such an innocuous infection method -- pretty much all Windows users are vulnerable to it.
posted by spiderwire at 11:14 PM on January 1, 2006


As a Mac user, I won't gloat

Me either. But my machine at work is a whole other story. Crap.
posted by damclean2 at 11:17 PM on January 1, 2006


Seriously, at some point some developer had to have considered that allowing an image file to execute arbitrary code was a bad idea, buffer overflow or no.

spiderwire, you are confusing me. Don't buffer overflow exploits overwrite the stack of a running program? The average C programmer does not normally shag about directly with the stack, but leaves it to the runtime to manage. I wouldn't have thought this exploit required anything from the programmer other than accepting a string of data longer than the destination buffer.

It's a bad idea to allow buffer overflows but it's awfully easy to do in C and no doubt this is an older chunk of code that predates the widespread awareness of just how bad it is.
posted by i_am_joe's_spleen at 11:19 PM on January 1, 2006


...Don't buffer overflow exploits overwrite the stack of a running program? The average C programmer does not normally shag about directly with the stack,...
I think what spiderwire is getting at is that the buffer overrun is being initiated by code that is run from the image file (WMF). And, yeah, it's not the brightest idea ever to create an image file format that runs code. Personally, I have never run across a use for it.
posted by Thorzdad at 11:25 PM on January 1, 2006


spiderwire: No, I'm not being sarcastic. You are answering my questions and I appreciate it .

I'm just trying to understand this thing, folks.
posted by jaronson at 11:27 PM on January 1, 2006


Where are people getting this idea that it's a buffer overflow?
posted by spiderwire at 11:29 PM on January 1, 2006


Thorzdad gets it. I guess it was from another comment upthread? Here's a very cogent explanation. Also provides an explanation for why it was previously needed, but the fact that it still exists is a friggin' travesty.
posted by spiderwire at 11:30 PM on January 1, 2006


From comments upthread, including yours.
posted by i_am_joe's_spleen at 11:30 PM on January 1, 2006


OK, read your link. Crikey that IS a bad idea, and yes I agree now it's not a buffer overflow.
posted by i_am_joe's_spleen at 11:31 PM on January 1, 2006


Unfortunately this isn't a buffer overflow, WMF files, when they fail to load correctly can call an external procedure. This is a system that in fact someone at microsoft did design so that the file could have a "failsafe" and be able to do something even in the event of a failure. So, yes, this is poor design. People are creating malformed WMF files that always "fail" and then the specified procedure can be run.
posted by rhyax at 11:34 PM on January 1, 2006
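An added example, not code from any post in this thread: a small Python record walker that checks a WMF file for the Escape/SETABORTPROC record rhyax describes, so the vector is matched rather than the payload signature juv3nal mentions. It assumes the documented WMF layout (optional 22-byte placeable header, 18-byte standard header, then records of a 4-byte size in 16-bit words, a 2-byte function code and parameters) and builds its own constructed sample files; it is not Guilfanov's checker and contains no exploit data.

```python
"""Flag the Escape/SETABORTPROC record used by the WMF drive-by exploit.

Added example. Layout assumed: optional placeable header (22 bytes), then the
standard WMF header (18 bytes), then records: size (4 bytes, in 16-bit words),
function (2 bytes), parameters. Sample files below are constructed, not real.
"""
import struct

META_EOF = 0x0000
META_ESCAPE = 0x0626        # record that carries a GDI Escape() call
SETABORTPROC = 0x0009       # escape sub-function that registers a callback
PLACEABLE_KEY = 0x9AC6CDD7  # "Aldus placeable" header magic, optional


def parse_records(data: bytes):
    """Yield (offset, function, params) for every record until META_EOF."""
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22
    if len(data) < off + 18:
        raise ValueError("truncated WMF header")
    mtype, hdr_words, _version = struct.unpack_from("<HHH", data, off)
    if mtype not in (1, 2) or hdr_words != 9:
        raise ValueError("not a WMF header")
    off += hdr_words * 2
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if size_words < 3:                    # size covers its own 6 bytes
            raise ValueError(f"bad record size at offset {off}")
        end = off + size_words * 2            # past EOF if the file is truncated
        yield off, func, data[off + 6:end]
        if func == META_EOF:
            return
        off = end


def find_setabortproc(data: bytes):
    """Return [(offset, function, escape_code)] for SETABORTPROC escapes."""
    hits = []
    for off, func, params in parse_records(data):
        # Match on the low byte only: the high byte of the function field is a
        # parameter-count hint and exploit variants altered it (assumption:
        # a conservative match that may also flag a non-standard, harmless file).
        if (func & 0xFF) != (META_ESCAPE & 0xFF) or len(params) < 2:
            continue
        escape_code = struct.unpack_from("<H", params, 0)[0]
        if escape_code == SETABORTPROC:
            hits.append((off, func, escape_code))
    return hits


def is_suspicious(data: bytes) -> bool:
    """True if the blob parses as WMF and contains a SETABORTPROC escape."""
    try:
        return bool(find_setabortproc(data))
    except ValueError:
        return False


# ---- constructed samples (not real exploit files) ----------------------------
def _record(func: int, params: bytes = b"") -> bytes:
    if len(params) % 2:
        params += b"\x00"                     # records are word-aligned
    return struct.pack("<IH", 3 + len(params) // 2, func) + params


def _wmf(*records: bytes) -> bytes:
    body = b"".join(records) + _record(META_EOF)
    max_words = max((len(r) // 2 for r in records), default=3)
    # Type=2 (disk), HeaderSize=9 words, Version=0x0300, Size, NumberOfObjects,
    # MaxRecord, NumberOfMembers
    header = struct.pack("<HHHIHIH", 2, 9, 0x0300, 9 + len(body) // 2, 0, max_words, 0)
    return header + body


def _escape(func: int) -> bytes:
    # SETABORTPROC escape: escape code, byte count, then eight placeholder bytes
    # standing in for attacker-controlled data (zeros, not shellcode)
    return _record(func, struct.pack("<HH", SETABORTPROC, 8) + b"\x00" * 8)


BENIGN = _wmf(_record(0x0103, struct.pack("<H", 8)),           # META_SETMAPMODE
              _record(0x020C, struct.pack("<hh", 100, 100)))   # META_SETWINDOWEXT
MALICIOUS = _wmf(_record(0x0103, struct.pack("<H", 8)), _escape(META_ESCAPE))
VARIANT = _wmf(_escape(0x0026))                   # high byte of function zeroed
PLACEABLE_MALICIOUS = struct.pack("<I", PLACEABLE_KEY) + b"\x00" * 18 + MALICIOUS

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, "SUSPICIOUS" if is_suspicious(fh.read()) else "ok")
```

Run it as `python wmfscan.py file1.wmf file2.wmf`. Note the caveat from the thread itself: a renamed file (HappyNewYear.jpg) is still played as a metafile by the vulnerable code, so scan by content, not by extension.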


I didn't say it was a buffer overflow, that was Protocol, et. al.
posted by spiderwire at 11:34 PM on January 1, 2006


Sun's Trusted Solaris goes pretty far. StackGuard, libsafe and other options help vendors write safer code, some of which finds its way into military apps.

StackGuard doesn't "help vendors write safer code" at all; its entire purpose is to stop stack overflows in poorly written software from fucking a system up. It requires recompilation, and it does nothing to help a vendor that releases unprotected binaries without source code, unless the vulnerability is in a protected system library that the vendor relies on. Libsafe? Another method of making up for shitty software development practices.

Those all just stop stack overflows. They don't stop heap overflows, and they don't stop format exploits. They certainly don't prevent overflows in the kernel. And they all have nothing to do with writing safer code. I don't know how you lumped RBAC into all of that, RBAC is next to useless for general use.

Disclaimer: I work/worked for the company that developed StackGuard and marketed a Linux distro based on it.
posted by cmonkey at 11:35 PM on January 1, 2006


Thanks to the folks who quickly provided the info lay users need to make our computers safe. Just unregistering the .dll file has made me feel a whole lot better. I hope it's enough, but it looks like I should also install the third-party patch to be sure, since MS has apparently dropped the ball. That Handler's Diary link is pretty frightening shit to some of us out here.

One question: How difficult is it for a lay user to install the currently available patch?
posted by mediareport at 11:36 PM on January 1, 2006


mediareport: I am a "lay user" and I just installed it. It was very easy. Just downloaded it, accepted the terms, etc.

I noticed it is listed in my Add/Remove Programs list and, if I understood the instructions from hexblog.com, you should uninstall that one before you install the Microsoft patch (that I assume is coming in the near future).
posted by jaronson at 11:42 PM on January 1, 2006


this all looks very hilarious from over here in linux land.
posted by ori at 11:57 PM on January 1, 2006


And, yeah, it's not the brightest idea ever to create an image file format that runs code. Personally, I have never run across a use for it.

I use it all the time. Since WMF files consist of just calls to the Windows graphics system, any software which can draw shapes can import and export them. Thus WMF is a defacto vector-image standard on Windows. For example, the only way to get vector images from an old cad program I use ( which doesn't export anything compatible) into powerpoint is to cut and paste metafiles.

That's not to say they couldn't Not that they couldn't have made the calls less exploitable. I've said it before, and I'll say it again: C is the devil's language.
On preview: Oh. It's not a buffer overflow. Well C is still evil, and your hair is too long.
posted by Popular Ethics at 11:59 PM on January 1, 2006


this all looks very hilarious from over here in linux land.

*laughs* Why do you people even post in threads like this?
posted by mediareport at 12:06 AM on January 2, 2006


Not that they couldn't
Pardon my stutter.
posted by Popular Ethics at 12:07 AM on January 2, 2006


Why do you people even post in threads like this?

Schadenfreude, I'm guessing.
posted by spiderwire at 12:08 AM on January 2, 2006


Sorry, I was told it was a buffer overflow thing.
posted by Protocols of the Elders of Awesome at 12:16 AM on January 2, 2006


Thanks to everyone here who has been contributing useful information about this issue that affects millions of us.

No thanks to anyone trying to derail this thread into an OS war.
posted by Afroblanco at 12:20 AM on January 2, 2006


Prediction: The sky is not falling and the world will go on pretty much as normal for most of us on Tuesday.
posted by Justinian at 12:22 AM on January 2, 2006


Schadenfreude, I'm guessing.

My guess is they see all the excitement and despite their oh-so-superior pronouncements want to be involved somehow. It's funny.
posted by mediareport at 12:24 AM on January 2, 2006


This is going to make this first week back at work in the new year suck major balls, isn't it? Not just for inside my company (where people install custom cursors and moving desktops if they're allowed to) but for all of our clients who are going to be getting crushed by this.

Thanks MS! Sell it first, patch it later! Woot!
posted by fenriq at 12:25 AM on January 2, 2006


fenriq: raise time! :)
posted by spiderwire at 12:25 AM on January 2, 2006


Question:

When it specifically comes to browsers - does turning "load images" off help in any way?
posted by divabat at 12:29 AM on January 2, 2006


Rothko, you're a complete fucking moron if you think you're safe just because you use a mac. There is nothing about the Mac's architecture that makes it secure against exploits like this, it's just not as deeply probed and targeted as much as windows.

This glitch is pretty major, but the fact is security problems on windows have been coming in less and less. The real problem, though, is Spyware which gets 'legitimately' installed by users.

I also don't understand why people are so worried, since you can get the third party patch here right from SANS. It seems to be thoroughly vetted.
posted by delmoi at 12:35 AM on January 2, 2006


When it specifically comes to browsers - does turning "load images" off help in any way?

Yes, it would. However, you can't get infected in firefox simply by viewing images, you need to download them and let them be opened by MS fax viewer (or get a thumbnail loaded in explorer)
posted by delmoi at 12:37 AM on January 2, 2006


this all looks very hilarious from over here in linux land.

That kind of attitude will really help sell Linux to the masses, dick.
posted by delmoi at 12:38 AM on January 2, 2006


What's really crazy is this:

This bug seems to affect all versions of Windows, starting from Windows 3.0 - shipped in 1990!

Good thing my mom's old machine just died and she doesn't have a modem in her new one yet.
posted by delmoi at 12:40 AM on January 2, 2006



One question: How difficult is it for a lay user to install the currently available patch?


You just have to click a few buttons, it's like installing any other program (the setup was done with InstallShield).
posted by delmoi at 12:46 AM on January 2, 2006


Oh, come on. The fact that this exploit exists is a fucking joke. Seriously, at some point some developer had to have considered that allowing an image file to execute arbitrary code might, kinda, y'know, maybe be a bad idea.

This code was written in the late 1980s, and released in windows 3.0 in '90. The developer probably had no idea that windows machines would ever be connected to the internet, and I think only one worm had ever been written.
posted by delmoi at 12:49 AM on January 2, 2006


bah, i'm sorry if my comment was interpreted as particularly smug -- it was actually an honest impression, albeit probably one i should've kept for myself. my amusement was also decidedly not schadenfreude: i had just watched the video linked to earlier, and found it analogous to one of those roadrunner moments when the coyote falls off a cliff, only to have a boulder land on him, then a bigger boulder, and finally some lit dynamite. the majority of infected users will only suffer through decreased productivity and some annoyance, so i didn't think it was especially bastardly to chuckle a bit. anyhow, i help out XP users whenever i can on ask.mefi, and i have never (to my recollection) chided anyone for picking the "wrong OS". i would've added something useful but everything i know has already been covered. anyhow, again, sorry if i came off like a total dick.
posted by ori at 12:51 AM on January 2, 2006


apology accepted :P

Although, it's pretty surprising no one at MS thought to take a look at this.
posted by delmoi at 12:58 AM on January 2, 2006


*laughs* Why do you people even post in threads like this?

Just a guess, because if you were using Linux, you wouldn't be having the problem?

What will it take to get you to switch to Linux? For that matter, what will it take to get me to switch? I'm using Windows XP (came with my laptop) and Firefox.

The answer is, when the hassle and danger from the security flaws finally outweigh the utility of all the programs we use Windows for. An operating system's utility is measured directly in the software that runs on it. The number of programs that lock me into Windows has steadily been declining over the past few years, but Linux still has nothing like Corel Painter, and it still doesn't have the best hardware support (my wireless card isn't recognized). Maybe soon though....
posted by JHarris at 1:05 AM on January 2, 2006


delmoi: Yes, it would. However, you can't get infected in firefox simply by viewing images, you need to download them and let them be opened by MS fax viewer (or get a thumbnail loaded in explorer)

Which means that firefox is basically safe, despite what the panic mongers want us to believe...

jaronson: It sounds like the risk for lay users is no more than usual.

It sounds that way to me too. Especially for lay users who don't use MS default apps - IE, Messenger, Outlook, whatever.

No doubt this will be a big nightmare for admins, but it is stupid to put every windows user in a panic because some admins are going to have a long night - shades of y2k. Don't worry folks, you don't need to buy bottled water for this one...
posted by Chuckles at 1:22 AM on January 2, 2006


When did this turn into slashdot?

Windows is the most popular OS in the world, and it is this reason, and this reason alone which explains why so many exploits are developed for it. If you think BSD, Linux or OSX are safer by design, then you're wrong. They're safer because less people use them.

I'll bet that Microsoft are treating this extremely seriously, but you have to understand that there is a world of difference between Microsoft releasing something and a hacker releasing the same. Microsoft have a much higher standard when it comes to testing and internationalising its releases, and there is an obvious extra delay for them when it comes to rolling out patches.
posted by seanyboy at 1:23 AM on January 2, 2006


From here: When the HappyNewYear.jpg hits the hard drive and is accessed (file opened, folder viewed, file indexed by Google Desktop), it executes and downloads a Bifrose backdoor (detected by us as Backdoor.Win32.Bifrose.kt) from www[dot]ritztours.com. Admins, filter this domain at your firewalls.

Now there is one of those incredibly stupid things MS does... Why in hell does it even look at the file when I access a directory? Ya ya, thumbnail previews, length of movie, meta information in sound files... But it is just plain dumb. It exists so that Windows can corner the market in applications that properly deal with those special types of files. I don't want my file browser accessing files, just tell me the names, thanks...

Of course google is doing it too - a necessary part of their product to be sure, but god knows why anybody wants what that product does...
posted by Chuckles at 1:31 AM on January 2, 2006


If one is running Win2KPro, not XP, will the patch work? It just says it was tested on XP.
TIA.
posted by NorthernSky at 1:32 AM on January 2, 2006


If you think BSD, Linux or OSX are safer by design, then you're wrong. They're safer because less people use them.

None of those reasons are why they are safer.

They are safer because people working on a free OS aren't motivated by selling the product. They don't care about pushing that next buggy release out the door and, more importantly, don't have to keep the source secret. Anyone with the skills to do so can find a vulnerability and anyone can make a patch.
posted by joegester at 1:37 AM on January 2, 2006


NorthernSky: Ilfak Guilfanov also wrote a little WMF Vulnerability Checker (link to his blog entry about it). I just ran it, after unregistering shimgvw.dll, patching, and rebooting. I run Win2K. The vulnerability checker says I'm okay.
posted by Slithy_Tove at 1:46 AM on January 2, 2006


Ironically, Intel processors have had the capability of full hardware memory protection going back more than 20 years to the 80286. The mechanism allowed slicing and dicing the memory map into various segments for each running process and declaring attributes such as access privilege, data, code, executable or not executable. Any illegal access generated an exception -- buffer overruns are impossible. This is an extremely sophisticated and powerful memory protection mechanism that has been present in all of the subsequent Intel processors but almost completely unused by the OS. Its only real use in Windows was for limiting access to I/O ports.

Unfortunately these features made programming more complicated and back then software engineers were just happy to get away from the old segment and offset model of the 8086 so they just created one big 32-bit flat segment for everything having all privileges and called it good. It is analogous to always logging in as administrator, but on the lowest hardware level.

There were reasons more than just simplicity for ignoring these hardware features. It would have been extremely difficult to port the OS to other processors such as 68K, PowerPC or Alpha since the hardware models were so different.
posted by JackFlash at 1:49 AM on January 2, 2006


I have flagged every single comment that has attempted to derail this thread into the "Your OS sucks" conversation. That conversation is NEVER interesting or useful. People post about it because they have nothing to say, yet they really enjoy typing.

This vulnerability is a problem that affects millions of people, and it would be nice if we could discuss it without the noise.

Thank you.
posted by Afroblanco at 1:50 AM on January 2, 2006


Thanks slithy, I just installed the patch anyway (not very patient am I) and the computer did not asplode. I have to hope this doesn't turn into a horrible nasty thing. People suck sometimes, huh.
posted by NorthernSky at 1:54 AM on January 2, 2006


joegester: You're assuming that because problems exist uniquely within the Microsoft development methodology, then no problems exist in the admittedly different open source methodology. I think this is a dangerous way to think, and it doesn't take into account the fact, that any complex computer program is going to contain bugs and exploits.

We're probably never going to agree on this either, so there's little point in arguing it.
posted by seanyboy at 1:54 AM on January 2, 2006


I consider the "switch your OS" argument to be off-topic at all. The long article I posted earlier makes the argument that these sorts of problems are inevitable given Microsoft's myriad development problems. You do know why they had to scrap Longhorn, right?

Since the ostensible purpose of patching one's computer is to protect it from corruption, which is in turn aimed at preserving the computer's functionality, then any discussion of serious exploits like these should certainly consider the question of whether it would be much more time-effective to simply switch to a more secure OS. The ease-of-use and built-in security that OSX offers provides an opportunity to compare that question in a cost-benefit analysis.

For a lot of novice-to-intermediate computer users out there, the people who will be affected worst by this exploit and all that follow as a result of Microsoft's broken development process, switching to OSX is actually an argument that's well worth considering. Since that's all the majority of users, it's a relevant question for large organizations as well, and thus quite germane to this thread.

And really, all the important info isn't too hard to sort out anyway -- there's more than enough in the FPP itself.
posted by spiderwire at 2:00 AM on January 2, 2006


I just got hit with a live, in-the-wild WMF exploit attempt. NOD 32 caught the known trojan attempt. Now scanning with antivirus variants.

If one is running Win2KPro, not XP, will the patch work? It just says it was tested on XP. TIA.

Excellent question. I don't know. Since this DLL is an oldy and moldy, I'm going to guesstimate and say "Yes. It should work." But perhaps I shouldn't say that, and perhaps it didn't work. Read on:

Like I said, I just got hit by a WMF exploit attempt off the web. I'm running Firefox 1.0x, Win2K Pro SP 2, NOD 32 antivirus and the Ilfak patch.

NOD 32 just killed an attempted trojan execution via the WMF exploit. How did it even get to the point that it could even be detected by NOD 32? It shouldn't have even executed at all. I didn't download the WMF-named file and try to load it in any of the above listed programs. It just attempted to execute, drive-by style. No clicky, no download, nothing.

If this trojan wasn't a known signature or didn't cause a heuristics match in NOD 32, and the payload had been ultimately malicious rather than what I assume was an adware/spyware trojan, it's likely I wouldn't even be typing this right now. Effectively I was just nailed.

Let me put this into a bit of personal perspective:

In all of my computing life, from Apple 2 days beginning in early 1984 until today, I've had exactly 1 actual virus, 1 actual trojan, 0 worms, and 2 separate instances of IE browser hijacking.

Considering I've been online in various forms since about 86, have owned dozens of computers, am what would be known as a "high risk" user, and haven't been without broadband since 97 or 98 or so, those statistics are strongly approaching zero.

This is the very first time, ever, that something has slipped through my layers of defenses and even so much as triggered an antivirus alert/quarantine, much less an attempt to actually execute. I'm super careful.

My work week is going to fucking suck, thank you very much.

No doubt this will be a big nightmare for admins, but it is stupid to put every windows user in a panic because some admins are going to have a long night - shades of y2k. Don't worry folks, you don't need to buy bottled water for this one...
posted by Chuckles at 1:22 AM PST on January 2


Uh, yeah. Don't worry. Leave it to the admins. Thank you. Argh. Pointy. Must not kill.

You might want to rethink that buying bottled water thing, though. People tend to cry a lot when they lose all their photos, music, movies, email, and whatever else that comprises this digital life we've got going.

I have a really bad feeling about this, and I was totally nonplussed by Melissa, ILOVEYOU and Blaster, and was either helpdesking, tech-ing or admining during the major outbreaks for each of those.

You haven't lived until you've seen a Compaq ProLiant multi-CPU server running nothing but MS Exchange for just a thousand users explode like a barrel of Thermite and magnesium shavings and leave a smoking crater in the server room.
posted by loquacious at 2:05 AM on January 2, 2006


Seanyboy: the problem is within the Microsoft development ideology, which is basically "release first, patch later," and that's only the beginning of their problems. Up until the Longhorn scrap, their dev process involved trying to grab the entire OS's spaghetti code, do a full build, and then send the segments back to their departments for bug fixing.

I don't subscribe to the "OSS is inherently better" philosophy and all its weird marxist/altruist undergarbage, but the fact is that Microsoft's flawed development process leads to these problems, and OSX and most of the OSS community just write better software, because they actually follow good coding practices.

There are well-researched, well-documented, well-practiced processes and rules for writing good, secure software, and Microsoft doesn't follow them. That's why their software sucks. Period. This latest exploit is just a tragic real-world effect and example of what their poor development practices ultimately do 15+ years down the line (literally, in this case).

Again, that article I've linked twice now gives a pretty good, somewhat technical rundown, if you really want to understand some of the issues. I assure you that you are not talking from a very informed nor nuanced position right now.
posted by spiderwire at 2:06 AM on January 2, 2006


The "switch your OS argument" is pointless and useless. When people engage in it, I am always surprised that they don't annoy themselves. I have never seen anybody actually convinced to change their OS in one of these arguments, and they have been going on for a LONG TIME.

The argument gives people a chance to vent their aggression at each other, and that's always fun. I just wish they would do it somewhere else.

I've known people who were evangelists for one system or another, and they inevitably do harm to their own cause. I don't care how much you love your Mac/Linux/Windows box. No, really. I don't.
posted by Afroblanco at 2:09 AM on January 2, 2006


If one is running Win2KPro, not XP, will the patch work? It just says it was tested on XP. TIA.

"It should work for Windows 2000, XP 32-bit, XP 64-bit, and Windows Server 2003."
posted by stavrosthewonderchicken at 2:12 AM on January 2, 2006


Specifically, this page hits some of the salient technical points (e.g. DLLs) regarding why Windows is just a miserably-designed piece of software. There's some good (if vitriolic) points in the /. thread linked in the FPP, too.
posted by spiderwire at 2:12 AM on January 2, 2006


The "switch your OS argument" is pointless and useless.

Regardless of how you feel about the people arguing it, this statement is patently false. The choice of OS and how we can transition to a better OS (whatever that might be) is a very, very important one.

There are literally billions of dollars being wasted patching holes that shouldn't exist in the first place. It makes a lot of people's jobs very miserable and occasionally causes people to get fired for problems that they didn't create. It makes the internet a generally less pleasant place to be and stops everyday people from being able to do things that you might take for granted, like send email or use the internet. It makes businesses choose their poison between outstanding overhead costs going to compatibility or to support.

You might not be interested in it, and you might not understand how this question affects you (although don't fool yourself -- it does), and you might not care about the people whom it affects, but calling this argument "pointless and useless" is just obtuse.
posted by spiderwire at 2:19 AM on January 2, 2006


MetaTalk

I beg you to keep the OS debate out of this thread. It is nothing but noise here, and now. Stop, damnit. Please. I'm begging you. This is neither the time nor place to discuss it. It's like arguing we should have bought a metal ship while we're out at sea and the wood one we're in is burning.

I'm going to be checking in here tomorrow from work to help solve this motherfucker. Please don't make me wade through your noise to do so.
posted by loquacious at 2:20 AM on January 2, 2006


If one is running Win2KPro, not XP, will the patch work?

I've just run the patch on w2kpro and unregistered the .dll as well. I then used Ilfak's WMF Vulnerability Checker and it reports the box as "invulnerable" to the exploit, w/ the caveat of "this specific exploit".
posted by well_balanced at 2:20 AM on January 2, 2006


Notice that I'm not evangelizing one way or another here, even though I think that OSX is pretty clearly the better choice -- but I do think it's relevant that we start to consider as a computer-dependent society just how important access controls and secure standards and, y'know, middling little crap like that actually is, rather than sweeping it under the rug until the next shitstorm appears. I'd fully support Microsoft if they would just pull their heads out of their asses. Given their market share, they're actually the ones in the position to do the most good.
posted by spiderwire at 2:21 AM on January 2, 2006


Fucking hell. I've got to go to bed. I just know the phone is going to ring in the morning with the dreaded phrase "Can you come in early?" being uttered. All XP laptop shop, roving computers coming back to campus after a long winter break, not the sharpest userbase in the netblock, tiny support department... I'm so fucking doomed.
posted by loquacious at 2:25 AM on January 2, 2006


good luck loquacious!
posted by spiderwire at 2:26 AM on January 2, 2006


I don't have the nearly religious fervor some people do about open source either. I agree that the switch your OS argument is tiresome and inane.

That said, it's not totally pointless. Clearly I'm not going to change seanyboy's mind. I didn't expect to in making my comment. It was directed at the many other people who read his comment who don't know about the other side of the argument. I just hate the, "Oh well, there's no one that's better. Nothing can be done anyways."-attitude that people have about software. It's so defeatist.
posted by joegester at 2:29 AM on January 2, 2006


loquacious: Leave it to the admins.

Don't be silly... I'm the only admin that takes care of any computer I ever touch (except my girlfriend's, if I try to 'admin' her machine she gets plenty pissy). You completely misread my statement - it is guaranteed to be a massive headache for admins, but many(most?) regular users probably won't even notice*.

* Well, your description sounds a little scary actually... We'll see.
posted by Chuckles at 2:35 AM on January 2, 2006


Chuckles: No, I wasn't assuming you would personally leave it to the admins... but... damn. This is how we ended up with a userbase addicted to Windows. Graargh, must sleep.
posted by loquacious at 2:41 AM on January 2, 2006


The "change your OS" argument is indeed valid, but right now more immediate mitigation strategies are probably more useful. You're not going to get the massive Windows userbase to switch to OS X or Linux anytime soon, let alone in the next couple of days, so you may as well chill.

loquacious: you installed the patch and unregistered the DLL? And the WMF still got through? Do you have more info?
posted by chrominance at 2:48 AM on January 2, 2006


Yes, patched and unregistered. Yes, it still got through.

Firefox attempted to open the WMF, it asked what I wanted to use to open it, and like an idiot, I went to go point it at textpad - launching a Windows Explorer "Open file..." dialog in the process. NOD 32 AV caught the Trojan as Explorer was tapped by the WMF.

I'm assuming that the source of the WMF was a 2nd or 3rd party ad server linked to from a page I was visiting.

Frankly I was so startled at seeing my antivirus 'ware actually do anything I simply nuked it and shut it all down without taking notes on the filename, the source, the first party page, or any attempts at determining the offending server. Which, for the moment, was probably the best thing I could have done. I may have time to attempt to recreate it from a VMWare instance or test box at work tomorrow.

I'll update - time permitting - from work tomorrow. Otherwise it might have to wait until I get home.

Those that can update and gather links in this thread, please do. Thank you. I have a feeling I'm going to need them.
posted by loquacious at 3:05 AM on January 2, 2006


Speaking as a Mac user, I'd just like to say we all pity you poor Windows users and it serves you right.
Seconded. I just love reading about these things in Opera on my iBook.
posted by nlindstrom at 3:13 AM on January 2, 2006


this all looks very hilarious from over here in linux land.
*Waves from over here in Mac land*
posted by nlindstrom at 3:21 AM on January 2, 2006


And why the hell do people PUT UP WITH IT?

Because of compatibility, choice, functionality, cost. You know, little things like that.
posted by bobbyelliott at 3:28 AM on January 2, 2006


There are well-researched, well-documented, well-practiced processes and rules for writing good, secure software.

Ha, ha, ha ha ha, ha , ha ha ha, ha.
I'm going to forget about your subtle and nuanced jibe because frankly, that's the funniest thing I've read all (checks date) year.
posted by seanyboy at 3:55 AM on January 2, 2006


Skallas - does that exploit do anything at all that's useful to casual users? The site says it has "all payload removed" - presumably that means you'd get the same results (nothing happening) whether your system has the patch installed or not.
posted by Jimbob at 4:23 AM on January 2, 2006


In reviewing the various security websites about this vulnerability it seems that, in addition to
(a) disabling regsvr32 and
(b) downloading/running Ilfak's patch, it's also a good idea to
(c) turn off Google Desktop for the time being.
posted by mono blanco at 5:00 AM on January 2, 2006


Is it really necessary to install the patch and unregister the dll or is just patching enough?
posted by sic at 6:04 AM on January 2, 2006


sic, do both. It can't hurt you.
posted by nkyad at 6:46 AM on January 2, 2006


Seconded. I just love reading about these things in Opera on my iBook.

As a Mac user for nearly twenty years or so now (my first was a II cx), I could never figure out why most PC users regarded us as such twats.

Thanks for clarifying, nlindstrom.
posted by PeterMcDermott at 7:30 AM on January 2, 2006


dll pickle? What are you talking about?
posted by ParisParamus at 7:32 AM on January 2, 2006


Speaking as a Mac user, I'd just like to say we all pity you poor Windows users and it serves you right.

Why? I'm going to assume you're not a cock so why would you say people deserve it?

As a Windows user, a Mac user, a Solaris user, and having friends and relatives who use a mix of them (including Linux) I really don't understand how you can equate a person's choice of OS with them deserving something bad?

Seconded. I just love reading about these things in Opera on my iBook.
posted by nlindstrom at 6:13 AM EST on January 2


I just love seeing people make assholes of themselves.
posted by juiceCake at 7:48 AM on January 2, 2006


dll pickle? What are you talking about?
posted by ParisParamus at 7:32 AM PST on January 2


It has nothing to do with Republicans, George Bush or American Politics.

So you don't need to worry about it.


And why the hell do people PUT UP WITH IT?
Because of compatibility, choice, functionality, cost. You know, little things like that.
posted by bobbyelliott at 3:28 AM PST on January 2


Huh. Here I thought it was ignorance on the consumers part.

FreeBSD is what I use and it has compatibility (can run SCO, GNU/Linux binaries, many window apps via WINE, and some have gotten Solaris and NeXTSTEP binaries working on the platform). Choice/functionality - over 8000+ apps in ports. Cost - $0 out of my pocket for software licensing fees.

That and I don't have to take time to 'secure' the box, nor spend addl. money on new antivirus software because the software authors have a history of failure, nor do I have to spend time fixing the box after an infection like Window Users have to.

I got educated long ago about Unix. And when Microsoft said "NT will be a better Unix than UNIX" kinda shows where one should be.

Now - Anyone care to explain why Microsoft says 'unregister the dll' VS have an actual patch?

Anyone?
posted by rough ashlar at 7:48 AM on January 2, 2006


Windows is the most popular OS in the world, and it is this reason, and this reason alone which explains why so many exploits are developed for it. If you think BSD, Linux or OSX are safer by design, then you're wrong. They're safer because less people use them.

Even if it were that simple, and it's not, why would you care what the reason is? "Mac OS is far more secure, but it's only because it's not as popular, so why switch." Such backwards thinking.

Because of compatibility, choice, functionality, cost. You know, little things like that.
posted by bobbyelliott


Funniest comment I've read in ages. Some people would buy a piece of coal and rationalize it.
posted by Dennis Murphy at 7:53 AM on January 2, 2006


I really don't understand how you can equate a person's choice of OS with them deserving something bad?

Everyone makes choices, and in a responsibility society, you have to be responsible for that choice.

If they pick something with a known track record of failure, are you suggesting that bad choice should be met with:

1) Pity
2) Attempt to take opportunity to educate or remind why the choice has flaws
3) Mocking laughter

After you try #2 and it doesn't sink in.....#3 is quite the natural choice.

There is a difference between "deserving" and "Well, DUH what did you think would happen?"

This is yet another "DUH" moment.
posted by rough ashlar at 7:55 AM on January 2, 2006


The answer is, when the hassle and danger from the security flaws finally outweigh the utility of all the programs we use Windows for. An operating system's utility is measured directly in the software that runs on it.

In theory that software can work on Linux as well, under wine, but it's definitely not plug'n'play.
posted by delmoi at 8:00 AM on January 2, 2006


rough ashlar : "Anyone care to explain why Microsoft says 'unregister the dll' VS have an actual patch?"

I am no Microsoft apologist, but as someone has pointed out earlier, when you're developing a security patch for half a dozen operating systems available in two hundred different locales, it may be worth taking your time and testing your solution well before releasing it. This exploit goes way back in time, since Metafiles were included in Windows very early. A friend pointed out that the exploit probably needs Win32 to run so Windows 3.0 users won't be affected. But anything newer may conceivably be vulnerable (and that includes NT, 95, etc).

A quick but buggy official patch may give users and admins a false sense of security, making the problem worse. A buggy patch could also damage a vast array of machines while trying to solve the problem, causing even more harm. So, there, that would be a reason for MS not having a patch available yet.
posted by nkyad at 8:00 AM on January 2, 2006


Learned about this one almost a week ago, and I've been pretty adamant about not surfing anything outside of the CNN/MSNBC/Slashdot/Metafilter cluster (and that with my laptop which I always treat as infected), all of which use adservers I have blocked outright in any case.

Like loquacious, I've been building my own computers for 10 years now - starting when I was 15 - and have been infected zero times since I was 16. Despite that track record, this thing has me scared as fucking piss. Anything could be vulnerable - AIM icons in Trillian, those little clan tag images in fucking Battlefield 2 that display when you click on a server, maybe. Anything.

That said, I'm curious as to why someone hasn't written an AIM icon worm for this already. Seems like you could infect a fat fucking percentage of the Internet's userbase thusly.

The real problem here, in my opinion, is not so much the behavior of the WMF processing (although that is stupid) as it is when GDI decides to do its sanity-checking. If it weren't for that fact the ONLY thing needed would be to unregister the one DLL and sit back until January 9th. That's the stupid mistake, and it should have been fixed a long time ago.
posted by Ryvar at 8:08 AM on January 2, 2006


under wine, but it's definitely not plug'n'play.

In many cases you need the Microsoft (and others) .dlls, so you STILL need to pay Microsoft to run that application.

(and yes, not plug and play)

That's the stupid mistake, and it should have been fixed a long time ago.

One in a very long chain, and yet people STILL keep buying their software.

Either the other choices are far worse, or consumers are lazy and/or stupid.

"Never give a sucker an even break"
posted by rough ashlar at 8:14 AM on January 2, 2006


Ironically, Intel processors have had the capability of full hardware memory protection going back more than 20 years to the 80286. The mechanism allowed slicing and dicing the memory map into various segments for each running process and declaring attributes such as access privilege, data, code, executable or not executable. Any illegal access generated an exception -- buffer overruns are impossible. This is an extremely sophisticated and powerful memory protection mechanism that has been present in all of the subsequent Intel processors but almost completely unused by the OS. Its only real use in Windows was for limiting access to I/O ports.

JackFlash: You have absolutely no idea what you're talking about. Please to shut up. TIA.

A friend pointed that the exploit probably needs Win32 to run so Windows 3.0 users won't be affected.

You could load win16 code if you wanted to, but that probably won't happen. The sad thing is, there are probably lots of places in windows that actually need this code.

There are well-researched, well-documented, well-practiced processes and rules for writing good, secure software.

FreeBSD is what I use and it has compatibillity (can run SCO, GNU/Linux binaries, many window apps via WINE, and some have gotten Solaris and NeXTSTEP binaries working on the platform)

FreeBSD is for people with dicks too small for Linux.
posted by Paris Hilton at 8:18 AM on January 2, 2006


Everyone makes choices, and in a responsibility society, you have to be responsible for that choice.

Of course. And this means one should be happy that they get what they supposedly deserve? Wonderful world isn't it?

I've used Windows and the Macintosh for years. I prefer Windows for a number of reasons. I have no problem with others who prefer something else. Maybe I should laugh at them and jump up and down like a clown when they can't run this or that software?

Problem is, I have this weird ability to realize that people have different priorities, preferences, and interests. So forgive me if I don't gloat and feel superior. I guess I just don't have the class.
posted by juiceCake at 8:18 AM on January 2, 2006


side question: are dictionary attacks on IM users possible?
posted by gsb at 8:18 AM on January 2, 2006


If you use your PC for gaming, there is no choice of OS. Fortunately a power user has little problem protecting Windows from itself with various third party programs, firewalls, etc.

Thanks for the heads up, I'm patched and happy.
posted by mek at 8:27 AM on January 2, 2006


Certainly. An unabridged version will do considerable damage if thrown vigorously.
posted by Slithy_Tove at 8:27 AM on January 2, 2006


Oops: "There are well-researched, well-documented, well-practiced processes and rules for writing good, secure software." Should have been in italics, and I was going to take it out anyway. I was just going to say that, yeah, 'well-practiced' isn't exactly a good description.

Here, for example, is a concrete example of a bug that could allow any malicious software authors to install kernel level code on a Mac. That's from almost a year ago so I'm sure the exploits were fixed. But still, they were there. Here is a remote buffer overflow attack that worked on older versions of Firefox. It's an absolute fact that these two exploits combined would leave a Mac user just as vulnerable as windows users are right now, even without the kernel-level 'sploit a web page could still write code that could delete all of your personal files, become a spam relay, or whatever.
posted by Paris Hilton at 8:28 AM on January 2, 2006


"It has nothing to do with Republicians, George Bush or American Politics.

So you don't need to worry about it."

No, I don't need to worry about it because I'm not design-blind, or aesthetic blind. I have a Mac.

And you're in a dll pickle.
posted by ParisParamus at 8:29 AM on January 2, 2006


The only reason to think that OSX is more secure than windows is ignorance.

(Now 'safer'? Maybe. It's like having a shitty lock and living in a good neighborhood, vs. having a shitty lock on the door and living in a bad neighborhood)
posted by Paris Hilton at 8:30 AM on January 2, 2006


FreeBSD is for people with dicks too small for Linux.

So THAT explains why Steve Jobs is using it as the base for Mac OS X.

I'd post the market valuation/stock performance for Apple and compare/contrast with RedHat, VA Research (or whatever they are called now), The Caldera group (they used to publish a GNU/Linux Fork) or TurboLinux, but I'm betting you don't actually care about the billions of dollars investors no longer have due to their investments.
posted by rough ashlar at 8:34 AM on January 2, 2006


The only reason to think that OSX is more secure than windows is ignorance.

Yea, woe be to thee who takes SANS announcements and compares the numbers of alerts for Mac OS X VS Windows.

Because, what does SANS know about security?
posted by rough ashlar at 8:39 AM on January 2, 2006


juiceCake an mek just nailed it as far as the OS crap goes.

ashlar: the reason they don't have a patch, for whatever it's worth, is that we're probably talking about some overhauling of how GDI itself works. GDI is absolutely core to graphics in Windows - regardless of whether I'm coding a graphics demo for Microsoft's DirectX or the cross-plat OpenGL the first thing I'm going to be doing in Windows is grabbing a device context from GDI.

If I'm reading things correctly here, GDI has the unfortunate behavior of actually analyzing the data format of a file it processes regardless of what the three letter extension is. GDI is not the only example of this behavior, btw, if you want a quick example - you can make a .png file that looks like a color spectrum in an image viewer and then plays Blur's Song2 when you load it in Winamp. I have one that does just this. The sanity checking needs to be moved elsewhere in the image processing process.

Getting the necessary changes done, correctly, across all Windows versions and without breaking any of tens of thousands of software packages in all sorts of various versions without breaking functionality is no small task. Getting such a patch out by January 9th would, I'd think, entail a Herculean effort.
posted by Ryvar at 8:40 AM on January 2, 2006


rough ashlar writes "I got educated long ago about Unix."

Congratulations. You see, if only everyone was so sage-like and as wise as you then we wouldn't be in this predicament. Sadly, us folks that have to actually deal with reality and look beyond what we're solely capable of to those whose interests/skills may lie elsewhere (or, by your logic, uneducated people) are not interested in what you know. You're clearly not someone that we have to worry about.

Get off your soapbox. We know that Windows is not secure, but the sad fact is that the vast, vast majority of software specifically designed for corporate environments (financial, human resources, facilities management, security etc.) runs on Windows. The costs associated with moving all these diverse systems is enormous just from an end-user training perspective. Licensing is just one small component of the overall cost.
posted by purephase at 8:48 AM on January 2, 2006


Obviously a lot of people in the PC World have a vested interest in not recommending to their employers/clients that they switch to Mac--it would put them out of a job.

No one can be completely objective on this issue, but no one is less objective than the person who is forced to use a PC at work, but uses a Mac for their own separate business, and for personal use. And I suspect that such people prefer Macs decisively.
posted by ParisParamus at 8:52 AM on January 2, 2006


the reason they don't have a patch, for whatever it's worth, is that we're probably talking about some overhauling of how GDI itself works.

And yet, a 3rd party...who has no source code....was able to come up with a patch.

VS Microsoft's 'delete this dll in the registry and, well some software might break'

If the behavior was known, why not fix it in 2000 or 2003 or XP? If it was not known, what kind of software work is being done there?

Getting such a patch out by January 9th would, I'd think, entail a Herculean effort.

From where I sit, it is a bed of their own making, which many consumers get to lie in.
posted by rough ashlar at 8:53 AM on January 2, 2006


And yet, a 3rd party...who has no source code....was able to come up with a patch.

Which also, from what I'm hearing, breaks things. Oops.

From where I sit, it is a bed of their own making, which many consumers get to lie in.

I've given OS X a fair shake. I didn't like it. I'm a heavy gamer as well, so even if I did it isn't like I have any options.
posted by Ryvar at 8:56 AM on January 2, 2006


ur...more objective
posted by ParisParamus at 8:58 AM on January 2, 2006


One other thing: I am, for what it's worth, also a diehard OpenBSD evangelist. I'm a big fan of open source, but on the desktop right now I don't enjoy KDE or OS X, and I'd sooner go commandline-only than use Gnome.
posted by Ryvar at 9:00 AM on January 2, 2006


We know that Windows is not secure,

Then why do people keep buying it?

Vote with your wallets if you care about security. Because the Windows ("VMS done Right") environment doesn't have a good track record WRT security.

but the sad fact is that the vast, vast majority of software specifically designed for corporate environments (financial, human resources, facilities management, security etc.) runs on Windows.

And yet you can vote with your feet and use other packages on UNIX based platforms.
posted by rough ashlar at 9:05 AM on January 2, 2006


You have absolutely no idea what you're talking about.

I guess we will have to disagree. Sorry.
posted by JackFlash at 9:05 AM on January 2, 2006


Paris Hilton : "The only reason to think that OSX is more secure than windows is ignorance. "
ParisParamus : "Obviously a lot of people in the PC World have a vested interest in not recommending to their employers/clients that they switch to Mac--it would put them out of a job."

I guess we will always have Paris.

Now, you two, get the act together:

Paris Hilton, that's BS. Some systems are more secure than others. Windows was never more secure than any flavor of Unix because eons ago Microsoft made a marketing decision to strive for usability. So, all design decisions from Windows 3.0 up were based on the premise that when in doubt, make it so the most clueless end user will eventually manage to operate it.

ParisParamus, that is also kind of lame. Corporations around the world would absolutely love to put all their support personnel out of work, if only someone could prove to them that the enormous costs of migrating their systems and retraining their employees would pay for themselves in the long run.
posted by nkyad at 9:09 AM on January 2, 2006


And yet you can vote with your feet and use other packages on UNIX based platforms.

music apps are much better on windows ... and don't tell me they aren't, because i've tried what's on linux and didn't find it to be up to the same level
posted by pyramid termite at 9:11 AM on January 2, 2006


Corporations around the world would absolutely love to put all their support personnel out of work, if only someone could prove them the enormous costs of migrating their systems and retraining their employees would pay for itself in the long run.

I have yet to find a corporation that keeps track of the 'training costs' and 'upgrade costs' beyond 'we spend $x on Jane the Tech' and 'we send Frank to software class for $y'.

Relying on a Gartner report for costs, given their track record on 'trend announcements' - that is as advisable as running unpatched Windows XP on the Internet.

Consultants will recommend what they can make a buck on selling. Microsoft has fine discounts, so the consultant can make a buck on selling the software solution.
posted by rough ashlar at 9:18 AM on January 2, 2006


NOD 32 just killed an attempted trojan execution via the WMF exploit. How did it even get to the point that it could even be detected by NOD 32? It shouldn't have even executed at all. I didn't download the WMF-named file and try to load it in any of the above listed programs. It just attempted to execute, drive-by style.

loquacious, I'm a Nod32 user too, so I'm familiar with the way it works and I think it's very possible that Nod detected it without it having to be executed. Which module detected it according to your threat log? AMON is the resident one that monitors the system, so if it was that one, then yeah it tried to execute. If it was IMON it means your computer had started to download it but Nod intercepted it before it reached the point it could have executed. The first time I ever saw that happen (using Opera at the time) I freaked a bit, but it turned out I wasn't in real danger at that stage. (By the by, this was probably a year ago and wasn't a seedy pr0n or warez site--it was a lyrics site linked to from MeFi or MoFi.)

For non-Nod32 users wondering what the hell I'm talking about...Nod32's blessing and its curse is that it has a scary interface that doesn't hide much from the user. The program has several different scanner modules that perform different roles; IMON (Internet Monitor) is one that sits on the winsock level and monitors network traffic--POP3 (e-mail) and HTTP (web). So if you download a piece of malware it has two chances to be caught--first by IMON when you download it, then by AMON, the filesystem monitor, if it's actually executed.
posted by Pryde at 9:21 AM on January 2, 2006


Thanks Pryde. This whole business has gotten me to install Nod32 so I appreciate the heads up.
posted by Ryvar at 9:29 AM on January 2, 2006


The other truth is, however, that the more complex the system, the less likely most people will be to appreciate a better alternative. Most people don't see Mac as vastly superior to PC because they are blind to the superiority; it's just like the rest of the design world. Which makes this whole debate futile: you can't convince someone who is colorblind that something is yellow, when they insist it's orange.
posted by ParisParamus at 9:31 AM on January 2, 2006


Loquacious' story gives me the chills. Are you sure that Nod32 caught a recent variant? My understanding was that a large part of the problem was that the new set of variants that came out this weekend were proving extremely difficult to fit into a heuristic.
posted by spiderwire at 9:32 AM on January 2, 2006


This question may be a bit naive but is this that much of a worry to those running a good virus software? I visited a site this morning and Kaspersky said it detected a virus and advised that I should delete it, which I did. It also left a WMF file on my desktop which I deleted straight away without opening. I then scanned my computer twice with Kaspersky and it said everything was fine. Is it possible I'm still infected?
posted by gfrobe at 9:45 AM on January 2, 2006


Speaking as a diehard Macuser:

Now would be an excellent time for an experienced Windows user to write a post about how to secure a PC. Written in plain language, that Joe Schmoe could follow. This might actually help a lot of PC users.
posted by Brandon Blatcher at 9:48 AM on January 2, 2006


Windows is the most popular OS in the world, and it is this reason, and this reason alone which explains why so many exploits are developed for it. If you think BSD, Linux or OSX are safer by design, then you're wrong. They're safer because less people use them.

This is an argument I've always found facetious. If I were a virus writer, and I came across one of the 17 billion OS war threads like this one, and I saw all the people gloating about how OSX hasn't one successful virus in the wild, I would make it my life's goal to write the most vicious OSX virus I could. And yet not one has surfaced.

I'm not saying Mac is totally secure. I certainly think viruses and trojans are possible on the Mac. I just wonder why they aren't around. It's something I would look at scientifically, like a scientist would examine some culture in Iceland that's immune to HIV. What makes them so special?
posted by fungible at 10:09 AM on January 2, 2006


Dear God, Slithy_Tove has had me laughing for like 10 minutes non-stop.


Anyway, what's the update on this today? Any major shit hit the proverbial fan?
posted by papakwanz at 10:15 AM on January 2, 2006


Wow. Reason number two why the whole world thinks Mac users are twats. Paris Paramus is a Mac user.

Perhaps I should give my Powerbook away to one of the kids now.

The other truth is, however, that the more complex the system, the less likely most people will be to appreciate a better alternative.

And if it only had the functionality that we all needed, then we'd be able to run it all the time.

But any time you want to come around to my house and re-write my apps, I'll be happy to have you.
posted by PeterMcDermott at 10:20 AM on January 2, 2006


FreeBSD is for people with dicks too small for Linux.

Whereas OS flame wars are for people with no dicks at all...
posted by PeterMcDermott at 10:21 AM on January 2, 2006


Thanks for all the relevant info, people.
posted by dazed_one at 10:21 AM on January 2, 2006


A helpful catch-all link for anyone trying to explain what's going on and what to do: the Wikipedia article. The most notable part is the info on the spread of the infection: 6% of the McAfee userbase by New Year's Eve is a bit scary.

Also, for fuck's sake. I'm sick and tired of all this OS war bullshit, and y'all need to cut it out. It's just making it harder to find out what's going on with this particular exploit, and no I don't need to see yet more mutual masturbation about The One True Operating System. Go away.
posted by chrominance at 10:31 AM on January 2, 2006


PeterMcDermott : "Whereas OS flame wars are for people with no dicks at all..."

Many chicks doing the Windows sucks/Mac is gay/Linux is hippie game nowadays, then?
posted by nkyad at 10:32 AM on January 2, 2006


Nice link, chrominance.

But one can't fail to notice that, your sickness and tiredness notwithstanding, the last recommendation of the article is "Switch to an alternative, more safer, operating system such as Unix, Mac, or Linux." et tu, Wikipedia...
posted by nkyad at 10:38 AM on January 2, 2006


This question may be a bit naive but is this that much of a worry to those running a good virus software?

Yep, it's a huge worry. Lemme explain. The vulnerability is that WMF files allow the execution of random bits of code under the right circumstances, and a user's computer can be directed to display those files during completely normal computer usage (e.g., just browsing the web, or reading email). That's not what screws up your computer, though -- what screws up your computer is whatever is actually done by the code that's been added to the WMF file. Make sense so far?

Now, your AV software looks for signatures for various bits of code that have been submitted to it as malicious. But the issue here is that there are infinite things that malicious people can add as code to the WMF files, so your AV software can never keep up... it's always playing catch-up. The only real solution here is for Microsoft to patch the hole in the WMF format, and prevent it from executing code.
posted by delfuego at 10:48 AM on January 2, 2006


Loquacious, I have verified that I, too, can manage to get my AV software to alert me to a potential exploit, despite the fact that I have Ilfak's patch installed (WinXP Pro SP2, all hotfixes). I just cc:ed you on an email to Ilfak asking about this, but I suspect that the reason both of us see this behavior is just that our AV software is being a bit overreaching, not that we were actually vulnerable. On this machine, I'm running Symantec NAV, and the trojan identified was Bloodhound.Exploit.56; it looks like it's detected via heuristics only, meaning that I'm sure NAV just saw the right stream of bits in the file despite the fact that they never had a chance to execute. So I'm actually not all that worried about the alert, but of course, I'll await Ilfak's word on the matter. (I don't know if he'll have a chance to reply, though -- he's probably so underwater right now!)
posted by delfuego at 10:52 AM on January 2, 2006


"And if it only had the functionality that we all needed, then we'd be able to run it all the time.

But any time you want to come around to my house and re-write my apps, I'll be happy to have you.
posted by PeterMcDermott at 1:20 PM EST on January 2"


I love you too.
posted by ParisParamus at 11:00 AM on January 2, 2006


The only reason to think that OSX is more secure than windows is ignorance.

Well, that and the fact that OS X doesn't, for example, intentionally incorporate a feature that allows arbitrary code embedded in image files to be executed.

There are no doubt security vulnerabilities in Mac OS X, but I doubt any of them were incorporated on purpose.
posted by kindall at 11:05 AM on January 2, 2006


et tu, Wikipedia...

Fixed. Hey, look, world-editable!

I also changed "Set the default WMF application to be something erroneous such as notepad." because it made my teeth hurt.
posted by gleuschk at 11:08 AM on January 2, 2006


OK. Could someone actually explain what is going on here: I have become a technology advisor to a number of colleagues. I'll make this simple by using law-style interrogatories:

1. What is the name of this virus/issue?

2. What do you need to do/not do to avoid being infected?

3. What happens when your PC/Network is "infected"?

4. Is there an official "fix" for this?

5. Does the unofficial "fix" work?

Thank you, PP
posted by ParisParamus at 11:13 AM on January 2, 2006


IANAP, but thought this Slashdot comment about why MS may be having trouble creating a patch was interesting:

Changing code that's this deeply buried in Windows is risky. The interpreter for WMF is one of the remnants of code left over from single-user computers, and they'll have to test changes very thoroughly. They're GOING to break things with this patch, because they're removing a designed-in feature. They're probably working feverishly to figure out how to minimize the damage, but some damage is inevitable. And the problem could be far worse than it appears; that DLL could be riddled with problems. It may not have been audited in many years.
posted by mediareport at 11:14 AM on January 2, 2006


There are no doubt security vulnerabilities in Mac OS X...

Well of course there are and will continue to be. However, MS is totally missing the boat on this one by failing to patch it on time. In many cases, they release patches before exploits are taken advantage of, but in many cases people fail to patch their systems.

That said, with McAfee, some patches, and a couple of free spyware programs, I've never had a problem with Windows. Same goes for my sisters who patch their Mac.

What I find dumbfounding is that no one seems to have any vitriol for the perpetrators of the crime itself.

As for intentionally? How so?
posted by juiceCake at 11:15 AM on January 2, 2006


Well, that and the fact that OS X doesn't, for example, intentionally incorporate a feature that allows arbitrary code embedded in image files to be executed.

How do you know?
posted by event at 11:15 AM on January 2, 2006


Correct me if I'm wrong, but a REALLY SIMPLE way to dodge this exploit is:

1. Tools/Folder Options/File Types, choose WMF, click Change, select Notepad (or something else harmless).

2. Use FireFox 1.5.

3. If you use an email client, disable images (which is the default for current versions of Outlook and Outlook Express anyway, and no doubt easy to do in Thunderbird if it's not also the default there).

I have exactly one WMF on my hard drive, and it ironically was installed by OpenOffice... :)
posted by Foosnark at 11:24 AM on January 2, 2006


Metasploit has an exploit which avoids many possible defenses.
posted by jeffburdges at 11:28 AM on January 2, 2006


One thing that us Windows users can do to limit these sorts of problems, is to run as a non-administrative user. You can also configure your mail client to only show plain text, and no images.
posted by me & my monkey at 11:28 AM on January 2, 2006


You should really follow the FPP links and some assorted references throughout the thread (the Wikipedia link is quite complete), it is all there. But then, just so you don't think we are not polite:

1. What is the name of this virus/issue?
This issue is known as the WMF vulnerability and refers to a series of exploits made possible by a feature (executable code) present by design in Windows Metafile.

2. What do you need to do/not do to avoid being infected?
a) From the Start Menu, select Run, then copy and execute the following line: regsvr32 -u %windir%\system32\shimgvw.dll
This unregisters the DLL responsible for executing the code in a WMF.
b) Download and install the unofficial patch (linked in the main FPP text).

3. What happens when your PC/Network is "infected"?
Anything the malware writer wants to happen, basically. We are talking about a method to write a vector; the specific behavior is up to the payload writer.

4. Is there an official "fix" for this?
No. At this time Microsoft recommends step "a" in question 2 above. An official patch is not expected before January 9 (when it will be far too late).

5. Does the unofficial "fix" work?
All information available from respectable and trusted sources indicates so. It has also been reverse engineered and checked by lots of people and considered safe and clean.
posted by nkyad at 11:29 AM on January 2, 2006


What happens if you set the WMF association to notepad but get the code under another extension? That is possible with this exploit as I understand it.
posted by puke & cry at 11:31 AM on January 2, 2006 [1 favorite]


Correct me if I'm wrong

Foosnark, I think quonsar's comment early in the thread might be relevant. The extension on an infected file can be .jpg, .gif, etc.
posted by mediareport at 11:31 AM on January 2, 2006


Foosnark, Also see this comment from yeoz. The exploit can be triggered from a file with any extension.
posted by Zetetics at 11:33 AM on January 2, 2006
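A defender-side check for the point made in these comments, that a WMF is recognised by its content and not by its extension, as an added example that is not code from the thread or from any of the tools it links. It sniffs the standard and placeable WMF headers, walks the record list, and reports files whose extension disagrees with their content or which carry a META_ESCAPE record (the record type that the "executable code by design" feature lives in); all sample files are constructed inline, and the escape sub-function value in the sample is an arbitrary constructed number.

```python
"""Identify Windows Metafile content regardless of file extension.

Added example, not code from the thread. The comments above note that
re-associating .wmf with Notepad does not help, because the file that
triggers the bug can be served as .jpg, .gif, or anything else. This
scanner therefore ignores the extension, sniffs the WMF header, and
flags META_ESCAPE records for triage. Sample inputs are constructed.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass, field

PLACEABLE_MAGIC = b"\xd7\xcd\xc6\x9a"  # 0x9AC6CDD7 stored little-endian
PLACEABLE_HEADER_LEN = 22              # Key(4) HWmf(2) BBox(8) Inch(2) Rsvd(4) Checksum(2)
METAHEADER_LEN = 18                    # Type Size Version FileSize Objects MaxRecord Members
META_ESCAPE = 0x0626                   # WMF record function number for escapes
META_EOF = 0x0000


@dataclass
class WmfReport:
    is_wmf: bool
    placeable: bool
    escape_functions: list[int] = field(default_factory=list)


def _strip_placeable(data: bytes) -> tuple[bytes, bool]:
    """Drop the 22-byte placeable (Aldus) header if one is present."""
    if data[:4] == PLACEABLE_MAGIC and len(data) >= PLACEABLE_HEADER_LEN:
        return data[PLACEABLE_HEADER_LEN:], True
    return data, False


def inspect_wmf(data: bytes) -> WmfReport:
    """Sniff the WMF header and collect the escape sub-function of every META_ESCAPE record."""
    body, placeable = _strip_placeable(data)
    if len(body) < METAHEADER_LEN:
        return WmfReport(False, placeable)
    # METAHEADER starts with Type (1 = in memory, 2 = on disk), HeaderSize in words (always 9), Version.
    mtype, header_size, version = struct.unpack_from("<HHH", body, 0)
    if mtype not in (1, 2) or header_size != 9 or version not in (0x0100, 0x0300):
        return WmfReport(False, placeable)
    escapes: list[int] = []
    offset = METAHEADER_LEN
    while offset + 6 <= len(body):
        # Every record: RecordSize (DWORD, in 16-bit words) then RecordFunction (WORD).
        size_words, func = struct.unpack_from("<IH", body, offset)
        if size_words < 3:
            break  # malformed record; stop rather than spin on a zero-length record
        if func == META_EOF:
            break
        if func == META_ESCAPE and offset + 8 <= len(body):
            # Escape record: EscapeFunction (WORD) follows the record function.
            escapes.append(struct.unpack_from("<H", body, offset + 6)[0])
        offset += size_words * 2
    return WmfReport(True, placeable, escapes)


def scan_files(files: dict[str, bytes]) -> list[tuple[str, str]]:
    """Return (name, reason) pairs for WMF content hiding under another extension or carrying escapes."""
    findings: list[tuple[str, str]] = []
    for name, data in files.items():
        report = inspect_wmf(data)
        if not report.is_wmf:
            continue
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext != "wmf":
            findings.append((name, f"WMF content under .{ext or '(none)'} extension"))
        if report.escape_functions:
            findings.append((name, f"META_ESCAPE records with escape functions {report.escape_functions}"))
    return findings


def build_wmf(records: list[bytes]) -> bytes:
    """Construct a minimal on-disk WMF (METAHEADER + records + EOF) for the samples below."""
    body = b"".join(records) + struct.pack("<IH", 3, META_EOF)
    total_words = (METAHEADER_LEN + len(body)) // 2
    max_record = max((len(r) // 2 for r in records), default=3)
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, total_words, 0, max_record, 0)
    return header + body


# Constructed escape record: size 5 words, META_ESCAPE, escape function 1 (arbitrary), 0 data bytes.
_ESCAPE_RECORD = struct.pack("<IHHH", 5, META_ESCAPE, 0x0001, 0)
_PLACEABLE = PLACEABLE_MAGIC + struct.pack("<HhhhhHIH", 0, 0, 0, 0, 0, 1440, 0, 0)

# Constructed sample files: name -> bytes.
SAMPLES: dict[str, bytes] = {
    "logo.wmf": build_wmf([]),                            # honest WMF, no escapes
    "photo.jpg": build_wmf([_ESCAPE_RECORD]),             # WMF with escape, disguised as JPEG
    "real.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 40,       # genuine JPEG SOI marker, not WMF
    "placeable.gif": _PLACEABLE + build_wmf([_ESCAPE_RECORD]),  # placeable WMF disguised as GIF
}

if __name__ == "__main__":
    for name, reason in scan_files(SAMPLES):
        print(f"{name}: {reason}")
```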


Is the unofficial patch mirrored anywhere? Hexblog is swamped and I'm trying to point someone to the temporary fix.
posted by mediareport at 11:35 AM on January 2, 2006


Foosnark: you're wrong, I'm afraid. Any windows app that displays images is vulnerable, because all that do so utilize GDI. This includes Firefox.

PP, since nkyad nailed it, I'll just add:

3.What happens when your PC/Network is "infected"?
Literally anything. At stake is the ability to execute arbitrary code on your Windows machine. This includes custom-written zero-day trojans that your antivirus software will miss, or that might attempt to disable or corrupt your antivirus software. The most likely goal of anyone using this exploit against you is to hijack your machine to turn it into a spam-sender (or a garbage traffic sender to attack websites by deluging them).
posted by Ryvar at 11:39 AM on January 2, 2006


mediareport : "Is the unofficial patch mirrored anywhere? Hexblog is swamped and I'm trying to point someone to the temporary fix."

SANS Internet Storm Center site: wmffix_hexblog13 (parent blog entry, in case you don't want to click directly to an executable).
posted by nkyad at 11:40 AM on January 2, 2006


Cliff's notes:

1) It is NOT a buffer overflow. It is a poorly designed "feature" built into a Microsoft image format. Source. Its cause is horrible programming left over from pre-Internet days.

2) Patch it. NOW. Here's why, and how. Microsoft will probably not release a patch for another week. Particularly if you're an admin, you can't afford to wait that long.

3) Firefox and Thunderbird WILL PROBABLY make you safer. Mozilla apps use their own image rendering libraries, and you would have to download and open a WMF file (which you would be prompted to do in recent versions - FF 1.5 to be safe) to be infected. So you would not be AUTOMATICALLY infected with recent versions of Firefox. Source

4) Yes, some operating systems are inherently more secure than others because of their design. It is not just because of their (lack of) market share. If you do not understand the reasons why, then you're really not qualified to be throwing shit back and forth about it.

5) Everyone who is using this opportunity to say how great their chosen OS is with no additional helpful information is an asshole.
posted by chundo at 11:47 AM on January 2, 2006


chundo : "Everyone who is using this opportunity to say how great their chosen OS is with no additional helpful information is an asshole."

But then again this is not AskMe, everybody has the God/Matt-given right to an asshole in the blue.
posted by nkyad at 11:51 AM on January 2, 2006


Thanks for the info on 3), chundo, that was good to find out.
posted by Ryvar at 11:52 AM on January 2, 2006


Aside from the steps listed above, I've taken the additional measure of disabling the loading of images in FireFox- is this a good idea or an unnecessary precaution?

By the sounds of it, though, it doesn't sound like any precaution is unnecessary.
posted by baphomet at 12:00 PM on January 2, 2006


Thanks all for the relevant info. I've patched and unregistered the offending .dll on all the home PCs and my work laptop. I've also lobbed the patch and this discussion over the cubicle wall to my company's PC and Server Admin team. We'll see how tomorrow goes when our 1500-strong luserbase returns from holiday.

CANNOT__RESIST__MEME:

Metafilter: Sweet pogoing Christ wearing titty tassles on a trampoline (loquacious indeed!)
posted by HyperBlue at 12:02 PM on January 2, 2006


Am I really the only one who thinks the sky isn't falling and that most of us won't even notice anything tomorrow?
posted by Justinian at 12:06 PM on January 2, 2006


loquacious, another question about the attack you intercepted: did NOD 32 actually catch the trojan payload executing, or did it just detect the presence of the trojan? Because if it's the latter, then it's very likely that the unofficial patch would have worked in your case.
posted by chrominance at 12:15 PM on January 2, 2006


Justinian : "Am I really the only one who thinks the sky isn't falling and that most of us won't even notice anything tomorrow?"

But the sky isn't really falling, at least no more than usual in WindowsWorld. The point of the thread, I think, is this one is a different kind of beast, one deeply buried in one of the most ancient and arcane Windows subsystems. Further, the exploit, complete with example code, was unleashed during the holidays, a period where the defenses are naturally relaxed - hence the urgent tone in some quarters. Apart from that, once patched most systems will be fine. But remember that this is not a matter of having a boom on January 3 - what we would see is a quiet escalation gearing toward a boom some time from now - this vulnerability is a way to install trojans, not the trojans themselves.
posted by nkyad at 12:15 PM on January 2, 2006


What will this "problem" do? Erase files? What?
posted by ParisParamus at 12:28 PM on January 2, 2006


Justinian -

That depends on your profession. Many, many people will be infected - and indeed already have been; there's no question of that. Most of them won't even know it happened, although they may suddenly find popup ads appearing for no reason. But mostly they'll be turning into zombie computers used by virus authors for sending spam, participating in DDOS attacks, or stealing passwords and other information from the local PC and network. So no, for these users the sky isn't falling, their computer will just get a little slower.

For those of us whose departments are responsible for cleaning up these zombie PCs so that they don't clog our network pipes and/or steal confidential company information, it will be a nightmare, I promise you. An exploit this easy and dangerous can't wait a week for a patch.
posted by chundo at 12:28 PM on January 2, 2006


What will this "problem" do? Erase files? What?

I probably didn't word it very clearly, so here goes - this problem is just an infection 'vector' - a means of getting nasty code on your system. Like an email that tries to trick you into double-clicking the attachment. Only in this case, all you have to do is view a WMF file. Or a WMF file that's been renamed to .jpg, .gif, etc.

The actual payload that's delivered onto your system by this method could be anything, and could do anything.
posted by Ryvar at 12:31 PM on January 2, 2006


Thanks, nkyad and chundo. That makes sense. I don't work in IT but I'll cross my fingers for you folks that do.
posted by Justinian at 12:31 PM on January 2, 2006


An addendum to what chundo just said:

Another thing to keep in mind is that every infection vector opens up new vectors as well -- so a trojan on one computer in the corporate intranet can much more easily infect other parts of the network. So as that initial ease-of-access goes up, so does the likelihood that the problem will self-amplify, and the cleanup job is that much more difficult.

With this exploit being so ridiculously common (loading and image!?), it has a good chance of becoming a real nightmare for a lot of sysadmins.
posted by spiderwire at 12:32 PM on January 2, 2006


XQUZYPHYR writes "Well, I just applied the patch everyone was linking to, and the result is that I can't either thumbnail or open any image files on my desktop anymore. "

Has anyone else experienced this? I have no problem opening image files with the patch installed...
posted by mr_roboto at 12:33 PM on January 2, 2006


**an image.
posted by spiderwire at 12:33 PM on January 2, 2006


Thanks, Ryvar. So, I guess you're saying that this "virus" is just opening a pathway for an actual substantive attack that will damage/erase/etc things--right?
posted by ParisParamus at 12:38 PM on January 2, 2006


So, I guess you're saying that this "virus" is just opening a pathway for an actual substantive attack that will damage/erase/etc things--right?

The vulnerability in WMF is the pathway that allows a virus to infect your computer without your consent.

It (the vulnerability / infection vector) is not a virus.
posted by spiderwire at 12:47 PM on January 2, 2006


PP -

Yep. See my last post also. It will probably be used mostly to install backdoors to use the PC as part of a zombie network.
posted by chundo at 12:47 PM on January 2, 2006


Right. It's not a virus - it's a preexisting massive gaping hole in the basic graphics portion of Windows itself that literally anything can be inserted through. 99.99% of the time that 'anything' is going to be a rootkit aimed at turning your machine into a spambot.

My wife's grandmother barely uses the Internet at all, so I'll just go and fix her system with the official patch in two weeks when I see her. Everyone else - including my own grandmother who only checks her email once a day - is getting a phonecall about this.
posted by Ryvar at 12:48 PM on January 2, 2006


XQUZYPHYR: could that be from disabling the DLL, not the patch?
posted by spiderwire at 12:58 PM on January 2, 2006


nkyad: But one can't fail to notice that, your sickness and tiredness notwithstanding, the last recommendation of the article is "Switch to an alternative, more safer, operating system such as Unix, Mac, or Linux." et tu, Wikipedia...

Looks like it's been taken out at the current time, probably for violating neutrality.

Changing OS might actually be a good short-term work-around, though. If you wanted to be totally safe, you could download and burn a linux livecd, then boot off of it until MS comes out with a patch. Once that happens, you could take it out, boot back into XP, and patch immediately.
posted by Mitrovarr at 1:01 PM on January 2, 2006


XQ -

From what I understand, the unofficial patch should eliminate the need to unregister the DLL, since it patches the actual function that causes the problem. It's recommended anyways to be on the safe side, but if it's causing you other problems you should be able to re-register it at this point with no ill effects.

Don't quote me on that though.
posted by chundo at 1:08 PM on January 2, 2006


Does this affect all versions of Windows?
posted by onegoodmove at 1:09 PM on January 2, 2006


Microsoft is saying that OneCare Beta takes care of this.
posted by ryanissuper at 1:10 PM on January 2, 2006


ParisParamus writes "So, I guess you're saying that this 'virus' "

It's a vulnerability, not a virus.
posted by krinklyfig at 1:10 PM on January 2, 2006


mediareport: Heh, that's me. I didn't write that here because I didn't think it would be that interesting to this crowd... folks seemed interested in solutions, not general discussion. Loquacious' plea for help-only seemed pretty heartfelt.

In my first draft, I talked about why the Unices, with their multi-user roots, were less likely to make this kind of mistake. I ended up pulling that part, but it was another reason I didn't post it here.
posted by Malor at 1:10 PM on January 2, 2006


ryanissuper writes " Microsoft is saying that OneCare Beta takes care of this."

Are they? They say:

"If you are a Windows OneCare user and your current status is green, you are already protected from known malware that tries to attack this possible vulnerability."

But isn't this true for any antivirus program? If a known piece of malware tries to get in via the WMF vulnerability, it'll be detected. But the vulnerability is still there, and the real danger is that a new (unknown) piece of malware will be delivered via the vulnerability.
posted by mr_roboto at 1:18 PM on January 2, 2006


Microsoft is saying that OneCare Beta takes care of this.

Microsoft is being intentionally vague with that claim. The quote is:

If you are a Windows OneCare user and your current status is green, you are already protected from known malware that tries to attack this possible vulnerability.

This means that you will be protected against known viruses that try to install themselves via this exploit, which is no different than any other anti-virus package. Notice it does not say that it closes the security hole, nor would it protect against new viruses using this exploit, several of which have popped up over the last few days.

That claim is just PR by Microsoft, trying to play down the problem and current lack of an official solution.
posted by chundo at 1:19 PM on January 2, 2006


D'oh. mr_roboto wins.
posted by chundo at 1:19 PM on January 2, 2006


There's lots of decent 3rd party image software that will display thumbnail directories for you - Irfanview has a nice utility that does it now.
posted by Jimbob at 1:30 PM on January 2, 2006


Are there any reputable sites with "safe" versions of the exploit that one can use to test one's vulnerability? (As independent verification of Ilfak Guilfanov's vulnerability checker program.)
posted by TimeFactor at 1:34 PM on January 2, 2006


this problem is just an infection 'vector'
Arg! The puns! the puns!

(Explanation: WMF format's main use, so far as I know, is for vector graphics.)
posted by jiawen at 1:37 PM on January 2, 2006


Irfanview still uses the library that contains this exploit. So no help there.
posted by chundo at 1:39 PM on January 2, 2006


jiawen: that's horrible. Nice one :)
posted by Ryvar at 1:44 PM on January 2, 2006


chundo writes "Irfanview still uses the library that contains this exploit. So no help there."

I unregistered the dll & installed the patch & my Irfanview thumbnail viewer works just fine.
posted by taosbat at 1:57 PM on January 2, 2006


Ditto.
posted by Ryvar at 1:59 PM on January 2, 2006


I heard Sony is behind this.
posted by stet at 2:03 PM on January 2, 2006


timefactor: Are there any reputable sites with "safe" versions of the exploit that one can use to test one's vulnerability?

Yep, here are a few: Harmless WMF-Exploit test files, a few other test files.

Note that your antivirus software might complain that they have found exploits on those pages, but that's not because Ilfak's patch isn't working, but instead because your AV software is using heuristics to scan the actual bits and bytes of the WMF files and thinks that it's found an exploit. In private emails with Steve Gibson, we've both come to the conclusion that on a system without AV software, Ilfak's patch still would prevent the exploit from executing.
posted by delfuego at 2:18 PM on January 2, 2006


Also, viewing this file (a WMF file generated by Kevin Gennuso, vetted by SANS) on a protected system should cause no wrongdoings, but on an unprotected system, will launch the calculator (specifically, calc.exe) and quit Explorer (explorer.exe). On all my systems on which Ilfak's patch has been applied, I get nothing at all; in a VMware image of an unprotected system, I get a calculator and a quit Explorer process.
posted by delfuego at 2:21 PM on January 2, 2006


delfuego: Those are exactly what I was looking for. Thanks!
posted by TimeFactor at 2:30 PM on January 2, 2006


Thanks for clarifying, nlindstrom.
Anytime, PeterMcDermott! Glad to be of service.

I've been in IT since the days of MS-DOS 3, and lately, after years and years of telling users things like "don't open unknown email attachments" and then watching them specifically open them to see what happens, I gave up and switched to just laughing at them. It's a lot less stressful, and a lot more fun. All hail the Chronicles of George!
posted by nlindstrom at 2:31 PM on January 2, 2006


Timefactor: there is a site with test files; go to this thread at dslreports and scroll/search for a post by KyeU containing "I made a test site here". I don't know anything about the site or the poster.
posted by StephenB at 2:40 PM on January 2, 2006


Damn these slow fingers!
posted by StephenB at 2:41 PM on January 2, 2006


StephenB: No harm, in fact I'm glad to know more about the provenance of the test files. Plus the DSLReports thread looks at first glance like a good place to keep abreast of things. So thanks.
posted by TimeFactor at 2:48 PM on January 2, 2006


Maybe this has been said, but I've missed it: How can I tell if I've been infected? I'm running AVG and MS antispy. Somebody mentioned dormant trojans, and someone else mentioned zombie farming. Now I'm worried my PC is spewing spam across the world.
posted by atchafalaya at 2:49 PM on January 2, 2006


...and of course I now realize that DSLReports thread is linked in the original post here...
posted by TimeFactor at 2:51 PM on January 2, 2006


XQUZYPHYR, I had the same thumbnail problem after unregistering and applying the patch (using Irfanview). I re-registered the dll and my thumbnails came back.
posted by gfrobe at 2:55 PM on January 2, 2006


Update from work:

So far, anticlimactic. But probably mainly because we've only had a small percentage of our student body rotate through and hit the LAN so far - post break. Which is kind of nice because I had time to prep by burning the patches to a few CDs and working up some instructions and walkthroughs.



Update regarding the trojan-payload WMF exploit attempt I experienced on my home computer last night:

delfuego and others may be correct in saying that the patch may have worked, despite the trojan attempt detection.

Again - like an idiot - I failed to take notes, and I don't recall which module in my NOD 32 antivirus blocked the trojan code. Hopefully, in an ideal world, the internet monitoring module was what blocked it - so I'm going to play it loose and dangerous and assume that's what it was. That's what good antivirus is for, after all.

So, the patch and DLL un-registration may actually have worked - NOD 32 may have simply detected the trojan before it was fully downloaded and an execution attempt may have been made.

Sorry if that's not at all helpful. Shit happens.

Thanks everyone for their help and updates. The response on this one has been pretty tight. Amazing stuff. K-Rad thanks go especially to Ilfak Guilfanov for being truly hardcore. Thank you.
posted by loquacious at 3:37 PM on January 2, 2006


Paris Hilton: "Please to shut up."

I'm not sure what you are objecting to about this. It is a pretty non-controversial recitation of facts concerning hardware memory protection. I certainly don't have a dog in this fight. I just thought it interesting since someone had mentioned the new DEP (Data Execution Prevention) technology. It is not commonly known that hardware protection mechanisms have been built into the earliest PC hardware but never enabled by software. It seems there really isn't anything new under the sun.
posted by JackFlash at 3:41 PM on January 2, 2006


I'm not sure what you are objecting to about this. It is a pretty non-controversial recitation of facts concerning hardware memory protection.

If that's common knowledge, it's a pretty sad state of affairs. Windows has used memory protection since the 3.0 days. What do you think a "GPF" is? Windows 95, and NT not to mention Linux all use memory protection thoroughly.
posted by Paris Hilton at 4:08 PM on January 2, 2006


So THAT explains why Steve Jobs is using it as the base for Mac OS X.

OMG It's not "based" on FreeBSD, it has a kernel level BSD compatibility layer (and that's BSD in general, not FreeBSD specifically. It uses a Mach microkernel from nextstep, not used in any free OS)
posted by Paris Hilton at 4:10 PM on January 2, 2006


Is anyone else surprised by how well Paris knows her stuff? I have a new found respect.
posted by mr_roboto at 4:13 PM on January 2, 2006


Hmm... I unregistered the DLL and installed the patch, and it caused the "My Pictures" thing in win2k to stop working. I think it was unregistering the DLL.
posted by Paris Hilton at 4:15 PM on January 2, 2006


Windows has used memory protection since the 3.0 days.

Hardware-level memory protection, yo. Windows 3.0 != hardware.
posted by spiderwire at 4:20 PM on January 2, 2006


Malor: folks seemed interested in solutions, not general discussion

Actually, we were more interested in *not* seeing insults and tired OS flamewar crap. Your info at Slashdot was relevant and helpful both, I think. Times like this, being able to view comments by threshold sure comes in handy.
posted by mediareport at 4:33 PM on January 2, 2006


Hi everyone,

I'd just like to let you know that I fine rebooted, activating the patch. I re-registered the dll, and "My Pictures" now works fine. I'm sure there are some issues, but it won't (or at least didn't for me) knock out viewing files in the shell.

Hardware-level memory protection, yo. Windows 3.0 != hardware.

I don't even know what this is supposed to mean, but the hardware that implemented the memory protection was inside the CPU itself, windows just enabled it, unlike previous operating systems like DOS, etc. You have to turn on memory protection in software, which is what windows did, among other things. I'm talking about memory protection that prevents certain programs from touching the memory of other programs and the kernel's, which allows for things like multiuser systems and so on. It's been around for quite a while. That won't protect against buffer overflows, unless you're running your program without superuser status. The problem is, most windows users run as "Administrator" all the time, which means that if you overflow a buffer in any program run by admin, you get root access.

If you do that on mac OSX, Linux, or whatever you just get user level access. In a lot of corporate environments users are not given admin access, so they are as "safe" as their Linux and OSX friends. However, they can't install software on their own.

It's possible to run windows this way, but it's just not common because software writers (including spyware authors) expect root access, and their programs won't work if you don't give it to them. But that's a user problem, not a problem with the OS itself.
posted by Paris Hilton at 4:37 PM on January 2, 2006


Hopefully, in an ideal world, the internet monitoring module was what blocked it - so I'm going to play it loose and dangerous and assume that's what it was.

You can probably find out for sure when you get home--the threat log will indicate which module it was, at least if logging was enabled. I think it's on by default, but I could have turned it on manually.
posted by Pryde at 4:57 PM on January 2, 2006


Paris Hilton writes "It's possible to run windows this way, but it's just not common because software writers (including spyware authors) expect root access, and their programs won't work if you don't give it to them. But that's a user problem, not a problem with the OS itself."

Windows should highly discourage anyone from running as root unless you need to do something like un/install software. But they don't, and in fact they go so far as to suggest it for problematic software that insists on running with admin privileges. That's sloppy and encourages worst practices.
posted by krinklyfig at 5:24 PM on January 2, 2006


aaack. ok, so i unregistered the DLL and patched, and now have no thumbnails. sorry to be so inexperienced, but how do i re-register the DLL?
posted by lapolla at 5:32 PM on January 2, 2006


uh, never mind...realized it's right there at the top of the thread. duh.
posted by lapolla at 5:39 PM on January 2, 2006


Pryde: Yeah, I thought of that today when I got in to work, that there should be logs of some sort available. Will check it out when I get home.
posted by loquacious at 6:40 PM on January 2, 2006


Paris Hilton, I was speaking specifically about segmentation. Windows XP uses a different mechanism, paging, for the major part of its memory protection. The limitation of paging is that it allows marking a page as read-write or read-only, but not as code or data. Windows XP and Linux essentially disable segmentation by using the flat memory model. Without segmentation there is no way to prevent execution of code on the stack or heap. That is what allows buffer overflows to occur.

This is being fixed with the release of DEP support in XP SP2 but only works on the latest Intel and AMD processors. This will allow pages to be marked for no-execution. This feature should virtually eliminate the buffer overflow attacks, but it will take a while to replace all of those older CPUs.
posted by JackFlash at 7:21 PM on January 2, 2006


Post #301 balh de blah blah de windows..de blah de wtf de blah de de lets hope we get to 400.
posted by Mr Bluesky at 8:03 PM on January 2, 2006


The test file linked by delfuego was gobbled up immediately by my McAfee virusscanner that had updated itself tonight.
posted by jouke at 8:47 PM on January 2, 2006


On the OS wars, a couple of things:

I think it's important to know that the original NT was generally considered to be a well-designed, stable, and secure operating system and was rated at the DoD's highest non-networked security level. The architect of NT was Dave Cutler, who designed VMS. NT was, initially, a very well designed OS. Its degeneration into the much less well-designed OS as XP is directly the result, primarily, of the consumer demand for backwards compatibility. This problem plagues every OS and app vendor, not just MS. Secondarily, NT and its children are insecure and poor networked OSs is because NT wasn't intended to be a network-centric OS—but they're still better than what would have had had MS continued with the pre-NT core. In contrast, the UNIX OSs were designed as networked OSs essentially. That's an important difference. It's true that MS cannot be claimed to be an ideal development shop; it's certainly true that they've always, with their premiere apps and OSs, added features at the expense of sufficient QC. But, in general, I'm not completely comfortable with comparisons to other OS and app vendors because MS is in a unique position in the industry. I don't know why people seem to assume that other companies would be much better behaved and conscientious were they in MS's position.

I also think valid the argument that other OS's could not be guaranteed to be as safe as they currently are were their userbase equal to MS's. The objection that we don't see blackhats disproving this, as someone asserted above, is because it is somewhat harder, for various reasons both MS's fault and not, to write malicious exploits for non-MS OSs and the idea that being able to imagine a single malicious coder attacking another OS as proving the viability of such an attack is about as reliable an argument as Anselm's Ontological Argument. If it just took one person with an idea and the incentive to create an outbreak of a malicious worm, we'd be seeing a lot more in the Windows world than we are. The huge Windows userbase does make a huge difference. That said, I do agree that there would nevertheless be fewer successful attacks of these other OSs were they in Windows's place. But certainly still far from zero.

On this exploit:

The person upthread who said that they want their OS filesystems to only look at the three-letter extension of a file is oddly asserting something very Windows-centric and at odds with much of the rest of the filesystems out there. And UNIX filesystems are generally supposed to read the file header to determine the file type...the recent extension focus is because of the ubiquity of Windows files. And that sort of filehandling is extremely retrograde and simplistic, as there's a multitude of good reasons to have complex metadata information as an integral part of a filesystem. This is where everyone is going.

As far as "executable" code in a file's metadata being inherently a "bad idea"—I think this assertion is simplistic, and as an initial response to it I will mention OOP. Primarily, I'll assert that this distinction is not as obvious as assumed and shouldn't be as obvious as assumed.
posted by Ethereal Bligh at 8:54 PM on January 2, 2006


TekWar is better than Dragonlance.
posted by Rothko at 9:12 PM on January 2, 2006


because it is somewhat harder ... to write malicious exploits for non-MS OSs

because it is somewhat harder to buttfuck a guy who doesn't bend over.
posted by quonsar at 9:35 PM on January 2, 2006


With enough Astroglide, anything can be inserted anywhere.
posted by Rothko at 9:44 PM on January 2, 2006


I have to add my voice to those protesting the OS religious wars.

I'm trying to get real information from this thread as well as other sources. Phooey on you religious nuts. You're a waste of my time.

When non-windows OS's can drive all the roads...

Waste of time.
posted by taosbat at 10:36 PM on January 2, 2006


OK, for those that are interested, I just got home and opened NOD 32's logs. There are actually two entries.

Here's the rub, though. The second entry for the AMON module shows a file actually hitting my hard drive. I believe this may indicate a bug or vulnerability in FireFox. I absolutely did not authorize a file download. What I did authorize was FireFox's "Choose program" handler (or whatever) to open a Windows Explorer "Open file..." instance to attempt to point the WMF at textpad, in a misguided attempt to make sure FireFox was playing on the same team.

The log entries have been edited for clarity, so that the correct information appears under the correct title header, and the user field has been redacted. Sorry about the length, real estate wise.

Work wasn't as bad as I thought it would be, but I'm new at this particular place. Everywhere else I've been we ran a super tight shop, so this kind of stuff was usually dealt with proactively as much as possible. I gather the place I'm at now isn't like that as much. The student userbase isn't really all that sharp, and as I extrapolate I can only assume they're already so riddled with spyware, adware and other malware they'd hardly even notice. They seem to just sequester them as much as possible from the administrative side of things. *grumble*. Hey, I don't set policy, permissions or rights. I'm the lowest on the totem pole. I just get to do cleanup.

Now I eat killer tacos, read a good book and sleep.

Log entry 1:
Time
1/2/2006 2:33:54 AM

Module
IMON

Object
file http://85.255.115.173/pa/2/wmf/wmf_dcode.wmf

Name
Win32/TrojanDownloader.Wmfex

Threat
trojan

Action
Connection terminated

User
[Redacted]

Information
(blank)


Log entry 2:

Time
1/2/2006 2:34:09 AM

Module
AMON

Object
file

Name
C:\DOCUME~1\ADMINI~1\LOCALS~1\TEMP\bfgimvp0.wmf

Threat
Win32/TrojanDownloader.Wmfex trojan

Action
quarantined - deleted

User
[Redacted]

Information
Event occurred on a new file created by the application: C:\Program Files\Mozilla Firefox\firefox.exe. The file was moved to quarantine. You may close this window.
posted by loquacious at 11:19 PM on January 2, 2006


loquacious: I believe this may indicate a bug or vulnerability in FireFox. I absolutely did not authorize a file download. What I did authorize was FireFox's "Choose program" handler (or whatever) to open a Windows Explorer "Open file..." instance to attempt to point the WMF at textpad, in a misguided attempt to make sure FireFox was playing on the same team.

The file is still downloaded to the disk, so it can be opened by your text editor, hence it being located in the temp dir.
posted by Goblindegook at 1:20 AM on January 3, 2006


Goblindegook: Ah, duh! Thanks. :) (I think I'm suffering from info overload, I should have known that.)
posted by loquacious at 2:19 AM on January 3, 2006


Hmm. Okay, I think I understand now, loquacious. Firstly, re-reading Nod32's helpfile, "AMON monitors all potentially threatening actions on protected computers such as opening, executing, creating, or renaming files." In this case it was just the creation of the file and not it executing, so that's good.

The second entry for the AMON module shows a file actually hitting my hard drive. I believe this may indicate a bug or vulnerability in FireFox. I absolutely did not authorize a file download.

That's by design--as Goblindegook alluded, the browser began downloading the file to a temp directory as soon as the open/save dialog popped up. If you've ever noticed when saving larger downloads that the file's half done by the time you specify a location, well, that's why. Other browsers do the same thing.

Out of curiosity I just did an experiment in VMware with that test file delfuego linked to, using an unpatched XP Pro install with no AV. I went to the link in Firefox and got the usual open/save popup. Without clicking either option, I navigated to the temp directory with Windows Explorer and blam, calc popped open and Explorer crashed as expected. It's not like people normally go to that folder, but it's still interesting.

I then installed Google Desktop to see if it would automatically trigger the exploit by indexing the temp directory, but it didn't...presumably it ignores those locations? I confirmed for myself it does trigger it once the file is actually saved elsewhere, as reported.
posted by Pryde at 2:55 AM on January 3, 2006


thanks for the heads-up.
posted by toffee at 3:30 AM on January 3, 2006


MS can't keep playing this patch catch up game. OEMs, MS, your local neighborhood geek, et al need to migrate users to restricted user accounts. Then users can use the runas functionality to perform administrative tasks.

Running as a restricted user isn't a cure-all, but it's a 99% cure for the malware issues pestering Windows. It's sort of like running with a loaded gun, but with the safety on.


I understand that this is one of the big selling points of Vista - accounts are non-administrative by default. In case anyone missed it, I'd like to point out the link I posted earlier, which has a lot of helpful info about using non-administrative accounts. I've been doing this for some time, and the nonadmin site has been very helpful.
posted by me & my monkey at 5:35 AM on January 3, 2006


Paris Hilton, I was speaking specifically about segmentation. Windows XP uses a different mechanism, paging, for the major part of its memory protection. The limitation of paging is that it allows marking a page as read-write or read-only, but not as code or data. Windows XP and Linux essentially disable segmentation by using the flat memory model. Without segmentation there is no way to prevent execution of code on the stack or heap. That is what allows buffer overflows to occur.

Look, I don't mean to beat up on you but you're still way wrong, and now you're mixing up your terminology too. As far as I know, there's nothing preventing code in the data segment from being executed, and the benefit of paging is that you can just use a single 32 bit (or 64 bit) pointer, and everything is handled by the MMU (including paging to the hard drive), with segments and offsets each program has to manage the DS register themselves and you can only have single blocks of data 64k in size. Plus, there's nothing preventing you from mixing up your code and data anyway, because you can set DS and CS to whatever you want.
posted by Paris Hilton at 7:29 AM on January 3, 2006


My God, I just got into the office. I saw this Thursday with a machine at work. I had no idea what it was, never saw it before. It happened 15 minutes before I left for the holidays. The virus scanner wasn't picking anything up. Damn this week will suck.
posted by geoff. at 7:51 AM on January 3, 2006


Ethereal Bligh writes "I think it's important to know that the original NT was generally considered to be a well-designed, stable, and secure operating system and was rated at the DoD's highest non-networked security level."

Microsoft's NT attaining a C2 rating is marketing fluff at its best; it only applied to 3.5 SP3 and bears no relation to any system someone who doesn't work for an alphabet soup agency would use, even in 1995. For one thing, those systems couldn't even include a floppy drive or any other external writeable media. When was the last time, if ever, you sat down at an NT box without a floppy/CD-R?
posted by Mitheral at 7:58 AM on January 3, 2006


Mitheral writes "Microsoft's NT attaining a C2 rating is marketing fluff at its best; it only applied to 3.5 SP3"

Oh ya, it also only applied to NT 3.5 SP3 in US versions because the DES encryption required to meet the standard was illegal to export at the time.
posted by Mitheral at 8:03 AM on January 3, 2006


The good folks at SANS are now providing a good MSI installer of Ilfak Guilfanov's patch for use in corporate, distributed-installation environments. The SANS site is a bit overloaded right now, but I'm a bit loath to mirror the MSI (since two MSIs have been pulled in the past 48 hours for silently failing on older operating system versions, and if this one gets pulled, I don't want to still be providing it).
posted by delfuego at 8:28 AM on January 3, 2006


so has the sky fallen? network admins : is it as bad as everyone was fearing?
posted by crunchland at 8:36 AM on January 3, 2006


Paris Hilton, you are confusing segments in the old 8086 with protected mode segmentation in later processors. That is a whole new ballgame and my point was that most people don't even know it exists. Protected mode segments can be any size from 1 byte to 4G bytes. Processes still use a 32-bit offset and don't need to mess with the segment registers. An attempt to make an access out of the range of the segment size generates an exception. Each segment can be marked as read/write, code/data and privilege level. This powerful mechanism was not used in Windows XP for some good reasons -- complexity and portability. But now Microsoft has recognized that this leaves some vulnerability. Hence the addition of DEP to the paging mechanism. This will be a great improvement.
posted by JackFlash at 8:42 AM on January 3, 2006


oops, was wrong
posted by cellphone at 10:10 AM on January 3, 2006


so has the sky fallen? network admins : is it as bad as everyone was fearing?

Really impossible to say yet. There could be an enormous number of vulnerable machines out there right now, but unless someone writes code that will utilize it, and have it spread faster than AV companies can distribute definition files etc. then we really can't be sure of how many machines have been affected.

Here's to hoping though. Thanks for the MSI link delfuego.
posted by purephase at 10:38 AM on January 3, 2006


"Microsoft's NT attaining a C2 rating is marketing fluff at its best; it only applied to 3.5 SP3 and bears no relation to any system someone who doesn't work for an alphabet soup agency would use, even in 1995."

It's relevant in a general discussion of MS, stability, and security because NT is buried in there under the XP code. And that old NT was regarded by most as a pretty good, stable, and secure OS. That's the only point I was making; the idea was to assert that MS gets it right every now and then. I mean, look: would you have preferred to see on desktops everywhere something evolved from the Win16 codebase, an uber Windows for Workgroups? I wouldn't.

I think that NT's children are inherently vulnerable because NT wasn't designed as a concurrent-user and/or networked OS, in contrast to UNIX. To the degree that's true, I don't think it's completely fair to bash MS for this.

But the real problem is that backwards compatibility has compromised the protected system space, which was pretty secure previously. Although MS was answering market demand, I do blame them for this because it would have been in everyone's best long-term interests had MS forced users to accept a more secure computing paradigm. I mean, the whole idea that we need something like Virtual PC or VMware for PC is really absurd: the OS should be doing this for us.

I got in the habit of using XP as Administrator because I still find apps that don't install or run correctly under a user account. This is MS's fault, and the app development shops' fault. MS should make it more difficult or inconvenient to run as Administrator while doing one's daily computing. They should make a clear distinction between single-user, multi-user, and administrative application installation. They should by default make more administration tasks Administrator-exclusive. Users need to be educated about that wall that should be there. (And this is true for desktop OSs, like Linux and OS X, too.)
posted by Ethereal Bligh at 11:15 AM on January 3, 2006


WSJ is reporting that MS will be providing a patch 1/10/2006:

http://online.wsj.com/article/SB113630873566736620.html?mod=home_whats_news_us.
posted by Capt. Bligh at 12:43 PM on January 3, 2006


"posted by Capt. Bligh at 1:43 PM MST on January 3"

Father!
posted by Ethereal Bligh at 1:06 PM on January 3, 2006


This made the front page of today's FT
In its security bulletin, Microsoft made a general recommendation against unofficial patches, saying it was “best practice to utilise security updates for software vulnerabilities from the original vendor of the software”.
posted by Lanark at 2:22 PM on January 3, 2006


it's best practice to bash steve ballmer in the face with a baseball bat, too.
posted by quonsar at 3:36 PM on January 3, 2006


Interesting. I tried downloading and viewing the test file in a directory. Windows notified me that it detected dangerous code execution and was shutting down the parent process (explorer.exe, in this case). Calculator did not start.

Thank goodness for OS/2! yes, I'm kidding.
posted by DrJohnEvans at 3:54 PM on January 3, 2006


it's best practice to bash steve ballmer in the face with a baseball bat, too.

I prefer using a chair.
posted by loquacious at 4:54 PM on January 3, 2006


I prefer the irony of a broken window frame.
posted by fenriq at 5:10 PM on January 3, 2006


Hilarious description from this Wired article on the subject:

Microsoft first allowed .wmf file extensions to carry executable code at least as far back as Windows 3.0, Websense says. This was to enable Windows to cancel print jobs using the file format, and the developers in that simpler era apparently didn't imagine it would be used for anything more malicious.

A layer of backward compatibility folded into modern Windows kept the security hole alive below the surface of the operating system. Now anyone can use WMF files to do anything they want to your system, such as copying or destroying data, or installing backdoors to allow re-entry later. They can also cancel your print jobs.

posted by Afroblanco at 5:35 PM on January 3, 2006
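The Wired description above (a metafile's print-job escape carrying code) is exactly what a file scanner has to look for. As an added example that is not from the thread or from any product or patch mentioned in it, here is a Python record walker that parses the WMF header and record chain and flags META_ESCAPE records carrying SETABORTPROC (escape code 9, the abort-procedure hook) as well as malformed record sizes; the sample metafiles are constructed inline with zero-filled escape data.

```python
import struct
from dataclasses import dataclass, field

# WMF format constants (MS-WMF); the placeable header is optional.
PLACEABLE_KEY = 0x9AC6CDD7
PLACEABLE_HEADER_LEN = 22
META_HEADER_LEN = 18
META_EOF = 0x0000
META_ESCAPE = 0x0626       # low byte 0x26 selects the Escape handler
SETABORTPROC = 0x0009      # escape that registers an abort procedure


@dataclass
class ScanResult:
    record_count: int = 0
    findings: list = field(default_factory=list)   # (offset, record, reason)
    truncated: bool = False

    @property
    def suspicious(self) -> bool:
        return bool(self.findings)


def scan_wmf(data: bytes) -> ScanResult:
    """Walk the record chain and report SETABORTPROC escapes and bad sizes."""
    result = ScanResult()
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = PLACEABLE_HEADER_LEN
    if len(data) < off + META_HEADER_LEN:
        result.truncated = True
        return result
    file_type, header_words, _version = struct.unpack_from("<HHH", data, off)
    if file_type not in (1, 2) or header_words != 9:
        result.findings.append((off, "META_HEADER", "unexpected header fields"))
    off += META_HEADER_LEN
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)   # size is in 16-bit words
        result.record_count += 1
        rec_end = off + size_words * 2
        if size_words < 3 or rec_end > len(data):
            result.findings.append((off, hex(func), "record size runs past end of file"))
            result.truncated = True
            break
        if func == META_EOF:
            break
        # The high byte of the function only encodes the parameter count, so
        # match the escape on its low byte (conservative, catches variants).
        if func & 0xFF == META_ESCAPE & 0xFF:
            if size_words * 2 < 10:
                result.findings.append((off, "META_ESCAPE", "escape record too short"))
            else:
                esc_func, byte_count = struct.unpack_from("<HH", data, off + 6)
                if esc_func == SETABORTPROC:
                    result.findings.append(
                        (off, "META_ESCAPE", f"SETABORTPROC with {byte_count} escape bytes"))
        off = rec_end
    return result


def build_wmf(records: list, placeable: bool = False) -> bytes:
    """Constructed test helper: standard header plus the given raw records."""
    body = b"".join(records)
    total_words = (META_HEADER_LEN + len(body)) // 2
    max_record = max(len(r) for r in records) // 2
    header = struct.pack("<HHHIHIH", 2, 9, 0x0300, total_words, 0, max_record, 0)
    prefix = struct.pack("<I", PLACEABLE_KEY) + b"\x00" * 18 if placeable else b""
    return prefix + header + body


SETMAPMODE_REC = struct.pack("<IHH", 4, 0x0103, 8)                   # benign record
ABORTPROC_REC = struct.pack("<IHHH", 7, META_ESCAPE, SETABORTPROC, 4) + b"\x00" * 4
EOF_REC = struct.pack("<IH", 3, META_EOF)
BENIGN_SAMPLE = build_wmf([SETMAPMODE_REC, EOF_REC])
PLACEABLE_SAMPLE = build_wmf([SETMAPMODE_REC, EOF_REC], placeable=True)
ABORTPROC_SAMPLE = build_wmf([SETMAPMODE_REC, ABORTPROC_REC, EOF_REC])
TRUNCATED_SAMPLE = build_wmf([struct.pack("<IH", 100, 0x0103) + b"\x00\x00"])
```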


Since this thread seems to have slowed down a bit, now might be the perfect time to point out that Microsoft currently plans to stop providing security updates for Windows XP Home on December 31, 2006.
posted by boaz at 7:57 PM on January 3, 2006


what?!
posted by jacobsee at 8:22 PM on January 3, 2006


Since this thread seems to have slowed down a bit, now might be the perfect time to point out that Microsoft currently plans to stop providing security updates for Windows XP Home on December 31, 2006. -- boaz

Oh, mother of all that is evil...this time next year is going to be *such* a clusterfuck if MS sticks to that announced schedule. Apple and Linux will both have a chance to gain some pissed off ex-MS users. Apple, if their users quit acting like Jobs gave birth to the Sun and if the prices got competitive. Linux, if someone could create a front end that just "works". No tinkering, no fussing with crap. Something my 90 year old grandmother could put in the CD case and click "Install" and it would work.

The first organization that can actually make Linux fairly idiot-proof will have a gold mine. But right now, you have to be a geek to get it to work right. Geeks are not the primary computer using audience anymore.
posted by dejah420 at 8:42 AM on January 4, 2006


after reading that article i doubt microsoft will stick to that schedule
posted by jacobsee at 9:45 AM on January 4, 2006


The first organization that can actually make Linux fairly idiot-proof will have a gold mine. But right now, you have to be a geek to get it to work right

what do you have to be to get windows to work right?
posted by quonsar at 9:32 PM on January 4, 2006


Not someone who fucks with it.

Not that that should be the standard, but it's true. A year after I set up my mom and her husband's Dell, it still seems to be working fine (I'm still on holiday). That's because neither of them has a clue about anything, and most especially about downloading and installing doodads or "optimizing" their systems. My dad, on the other hand, does a reinstall every month or so. (Although I secretly suspect he screws up his PC so he has something to do.)
posted by Ethereal Bligh at 9:44 PM on January 4, 2006


what do you have to be to get windows to work right?

Related to a kind geek.
posted by Feisty at 9:21 AM on January 5, 2006


The official update has been released.
posted by purephase at 1:14 PM on January 5, 2006


Microsoft have issued their patch. Run Windows Update to get it.
posted by normy at 1:16 PM on January 5, 2006


Oh please, to get windows to work properly, you just have to not be a complete idiot. In 11 years of having a windows box we have never had a single virus, rarely seen the blue screen of death (that mostly happened back in '96 when my god mom installed a pre-alpha warez copy of the doomed memphis/win97), and have had one single browser hijacking thingy, and we are so not geeks. It's as though people purposely shut their brains off when they sit down to use their computers. I know any time I try to help a classmate fix a windows problem (which is always of their own creation) they start freaking out immediately with the "it's too complicated, it's all greek to me, it's too much work, do it for me, it's haarrrrd, waah". How can anyone expect an o/s to run properly if they don't bother learning the very basics of how it works or how to maintain it?
posted by zarah at 9:33 AM on January 7, 2006


my god mom installed a pre-alpha warez copy of the doomed memphis/win97

yr god-mom is 1337.
posted by keswick at 12:04 PM on January 7, 2006


Does anyone have a recommendation for Windows 98/ME since Microsoft is not offering one?

I've seen a patch by Paolo Monti at NOD32, and it's rumoured that GRC will provide one, just not yet.

Does anyone have other options or a judgement about how safe these would be?

My gut feeling is that those using 98/ME are not at serious risk but with certain third-party image viewers installed I think there's a chance that these WMF exploits could cause problems.
posted by jacobsee at 2:42 PM on January 7, 2006


cross-posted to dslreports
posted by jacobsee at 2:52 PM on January 7, 2006


I was surprised to see a Win2000 patch, frankly, but it certainly was welcome. (I'm running Win2K on my server.)
posted by kindall at 5:27 PM on January 7, 2006


i doubt microsoft will stick to that schedule (regarding stopping support for XP Home by the end of this year)

yep
posted by jacobsee at 3:01 PM on January 12, 2006

