

Patch Windows now.
January 1, 2006 6:51 PM

Patch Windows now. The Windows Metafile exploits are beginning to look like one of the worst-ever Windows malware epidemics. It is a true drive-by exploit - infection with a whole raft of insidious malware just by looking at a web page with IE, or reading an email or IM with an image (depending on the program you use). It will really explode tomorrow when all the business PCs go back online, because as of now there is no good prevention with firewalls, anti-virus or IDS. The SANS Internet Storm Center handlers have been the most up to date source of information (first link above). The DSL Reports thread has good signal-to-noise. Insight and advice actually comes close to outweighing the usual microsoft-bashing in the latest /. thread on it. But Ilfak Guilfanov has outdone everyone with an unofficial patch (source included - admire the code - he is expertly patching a closed-source binary).
posted by jam_pony (347 comments total)

I'd rather not install some third party patch. You can disable the service that runs wmf files like so:

Disable: Start > Run > regsvr32 /u shimgvw.dll

After MS releases a patch you can restart it like so:

Enable: Start > Run > regsvr32 shimgvw.dll
posted by skallas at 6:59 PM on January 1, 2006


Why the fuck is there a third-party patch and not an official one? We knew about this last week. This is exactly the sort of thing Microsoft has all that money for.
posted by Protocols of the Elders of Awesome at 7:03 PM on January 1, 2006


"Will unregistering the DLL (without using the unofficial patch) protect me?

It might help. But it is not foolproof. We want to be very clear on this: we have some very strong indications that simply unregistering the shimgvw.dll isn't always successful. The .dll can be re-registered by malicious processes or other installations, and there may be issues where re-registering the .dll on a running system that has had an exploit run against it allowing the exploit to succeed. In addition it might be possible for there to be other avenues of attack against the Escape() function in gdi32.dll. Until there is a patch available from MS, we recommend using the unofficial patch in addition to un-registering shimgvw.dll."

posted by mr_crash_davis at 7:04 PM on January 1, 2006


It will really explode tomorrow when all the business PCs go back online

I thought most everyone had off tomorrow for the observed holiday?
posted by Remy at 7:06 PM on January 1, 2006


MS has a security advisory about it also. They recommend that you unregister the impacted dll. The relevant info is this:


Microsoft has tested the following workaround. While this workaround will not correct the underlying vulnerability, it helps block known attack vectors. When a workaround reduces functionality, it is identified in the following section.

Note The following steps require Administrative privileges. It is recommended that the machine be restarted after applying this workaround. It is also possible to log out and log back in after applying the workaround. However, the recommendation is to restart the machine.

To un-register Shimgvw.dll, follow these steps:

1. Click Start, click Run, type "regsvr32 -u %windir%\system32\shimgvw.dll" (without the quotation marks), and then click OK.

2. A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.

Impact of Workaround: The Windows Picture and Fax Viewer will no longer be started when users click on a link to an image type that is associated with the Windows Picture and Fax Viewer.

To undo this change, re-register Shimgvw.dll by following the above steps. Replace the text in Step 1 with “regsvr32 %windir%\system32\shimgvw.dll” (without the quotation marks).


I've also reassigned the .wmf file association to notepad until MS releases an actual patch.

ISC recommends blocking the following IP netblocks at your firewall/router:

InterCage Inc.: 69.50.160.0/19 (69.50.160.0 - 69.50.191.255)

Inhoster: 85.255.112.0/20 (85.255.112.0 - 85.255.127.255)


I trust ISC pretty heavily, but I've not installed the patch yet. I'm waiting to see what happens tomorrow.
posted by dejah420 at 7:06 PM on January 1, 2006


I'm having second thoughts about buying that Sony BMG "Ultimate Prog Rock Metafile Collection".

"Why should consumers care? Most of them don't know what a Metafile is..."
posted by Protocols of the Elders of Awesome at 7:10 PM on January 1, 2006


So wait, Microsoft has officially recommended unregistering the DLL, but they haven't got something on Windows Update to do it automatically? That's...not...joined...up...
posted by Protocols of the Elders of Awesome at 7:11 PM on January 1, 2006


Can someone dumb this down for the dumbasses amongst us? (not me, of course!) Just who is vulnerable and through what actions can one become ... infected?
posted by papakwanz at 7:29 PM on January 1, 2006


papakwanz, Windows Metafiles (.wmf) and Extended Windows Metafiles (.emf) are image files, invented by Microsoft. They are fairly rare for most people. If you open one that has been specially designed for evil, either directly on the web, embedded in a webpage (I think) or attached to your email, the creator can run any code he likes on your machine. This is due to a flaw in Windows.

So, if you get sent a file with either of those extensions, don't open it until Microsoft gets off its arse and provides an update. And, of course, update your anti-virus software immediately.
posted by Protocols of the Elders of Awesome at 7:37 PM on January 1, 2006


This vulnerability has freaked out the admins enough at one of the forums that I read, that, they disabled posting of images entirely; which is a pretty big thing on a forum where threads are often chock full of game screenshots or scans from game magazines.

I'm also pretty sure there are some people here who wouldn't mind disabling images on MeFi too.
posted by yeoz at 7:40 PM on January 1, 2006


Can someone dumb this down for the dumbasses amongst us?

Buy a Mac already?
posted by Rothko at 7:41 PM on January 1, 2006


It's not just files with .wmf/.emf extensions.
from the link:
  • Should I just block all .WMF images?
    This may help, but it is not sufficient. WMF files are recognized by a special header and the extension is not needed. The files could arrive using any extension, or embedded in Word or other documents.
The files could be in a .doc or have a .jpg or any other extension, and would still trigger the exploit if opened.
posted by yeoz at 7:46 PM on January 1, 2006


they disabled posting of images entirely

Why stop there? WMF files include binary code... just ban the numbers 0 and 1 from being transmitted over the server and you'll be safe.
posted by Protocols of the Elders of Awesome at 7:46 PM on January 1, 2006


How will this affect the installation of an official patch in the future?
posted by chrominance at 7:47 PM on January 1, 2006


Why stop there? WMF files include binary code... just ban the numbers 0 and 1 from being transmitted over the server and you'll be safe.

Because the <img> tag was the most direct vector for this particular exploit on that particular forum?... why are you being snarky? :(
posted by yeoz at 7:57 PM on January 1, 2006


For maximum effect, release exploit while those who would fix it are home on holiday drinking wine, and while those who would get hosed are home on holiday drinking wine, put in a week or so delay for any obnoxious action to allow maximum penetration and then wait for business to open.
posted by caddis at 8:02 PM on January 1, 2006


ISC recommends blocking the following IP netblocks at your firewall/router:

InterCage Inc.: 69.50.160.0/19 (69.50.160.0 - 69.50.191.255)

Inhoster: 85.255.112.0/20 (85.255.112.0 - 85.255.127.255)


Uh, WTF do I do with this? I don't get how section A of each of those lines relates to section B & C (in parentheses.) And my router config screens seem to offer "keyword blocking" but not IP blocking.
posted by Tubes at 8:04 PM on January 1, 2006


"regsvr32 -u %windir%\system32\shimgvw.dll" (without the quotation marks)

this needs to be redone every time computer is booted. until the official patch is out, probably good idea to commit that one to memory. I hope the windoze abused like typing. heh
posted by rodney stewart at 8:07 PM on January 1, 2006


I'll take this up with our admins first thing today. Thanks.
posted by jouke at 8:07 PM on January 1, 2006


Tubes, you need to point all those routes to null. usually done by adding static routes for the above and set to a fake next hop address.
posted by rodney stewart at 8:13 PM on January 1, 2006


Sweet pogoing Christ wearing titty tassels on a trampoline. I have a dreadful feeling work is going to be absolute hell this week - perhaps even starting as early as tomorrow morning.

Is there any known way yet to filter and detect embedded (non *.WMF named) WMF data for use in active firewall or server filtering?
posted by loquacious at 8:20 PM on January 1, 2006
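An added example, not part of the thread and not anyone's posted code: a small Python scanner for the two points raised above, that WMF data is recognised by its header rather than its extension (yeoz's quote from the ISC FAQ) and loquacious's question about filtering embedded, non-.WMF-named metafile data on a server. It validates the placeable and standard WMF headers by their fixed fields, walks the record list, and flags any META_ESCAPE record whose escape sub-function is SETABORTPROC, the Escape() call the WMF exploits go through. The WMF constants come from the public metafile format, not from the thread; the sample byte strings are constructed here and carry only record structure, no payload.

```python
import struct
from dataclasses import dataclass, field
from typing import List, Optional

# WMF structure constants (from the Windows Metafile format; not from the thread).
PLACEABLE_KEY = 0x9AC6CDD7   # "Aldus" placeable header magic, little-endian on disk
META_EOF = 0x0000
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009        # Escape() sub-function the WMF exploits go through


@dataclass
class WmfScan:
    is_wmf: bool
    placeable: bool = False
    records: int = 0
    escapes: List[int] = field(default_factory=list)   # escape sub-functions seen
    setabortproc: bool = False
    note: str = ""


def find_wmf_header(data: bytes) -> Optional[int]:
    """Return the offset of the standard WMF header, or None if the bytes are not a WMF.

    The filename is never consulted: an optional 22-byte placeable header is
    detected by its magic key, then the 18-byte standard header is validated by
    its Type (1 = memory, 2 = disk), HeaderSize (always 9 words) and Version.
    """
    off = 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22
    if len(data) < off + 18:
        return None
    mtype, hsize, version = struct.unpack_from("<HHH", data, off)
    if mtype in (1, 2) and hsize == 9 and version in (0x0100, 0x0300):
        return off
    return None


def scan_wmf(data: bytes) -> WmfScan:
    """Identify WMF data by header and walk its records, flagging META_ESCAPE/SETABORTPROC."""
    off = find_wmf_header(data)
    if off is None:
        return WmfScan(is_wmf=False)
    result = WmfScan(is_wmf=True, placeable=(off == 22))
    pos = off + 18
    while pos + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, pos)  # RecordSize (words), RecordFunction
        if size_words < 3:                                      # smallest legal record is 3 words
            result.note = "malformed record size; stopped"
            break
        result.records += 1
        if func == META_EOF:
            break
        if func == META_ESCAPE and pos + 10 <= len(data):
            esc_func = struct.unpack_from("<H", data, pos + 6)[0]  # EscapeFunction follows the record header
            result.escapes.append(esc_func)
            if esc_func == SETABORTPROC:
                result.setabortproc = True
        pos += size_words * 2
    else:
        result.note = "no META_EOF record; truncated or padded"
    return result


# Constructed test samples (record structure only, no exploit payload).
def _std_header(total_words: int, max_record: int) -> bytes:
    # Type=2 (disk), HeaderSize=9, Version=0x0300, Size, NumberOfObjects, MaxRecord, NumberOfMembers
    return struct.pack("<HHHIHIH", 2, 9, 0x0300, total_words, 0, max_record, 0)

EOF_RECORD = struct.pack("<IH", 3, META_EOF)
# META_ESCAPE record: RecordSize=5 words, EscapeFunction=SETABORTPROC, ByteCount=0
SETABORTPROC_RECORD = struct.pack("<IHHH", 5, META_ESCAPE, SETABORTPROC, 0)

BENIGN_WMF = _std_header(12, 3) + EOF_RECORD
SUSPECT_WMF = _std_header(17, 5) + SETABORTPROC_RECORD + EOF_RECORD
# Same suspect metafile behind a placeable header; the caller may have named it cat.jpg
PLACEABLE_HEADER = struct.pack("<IHhhhhHIH", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0, 0)
PLACEABLE_SUSPECT = PLACEABLE_HEADER + SUSPECT_WMF
NOT_WMF = b"\xff\xd8\xff\xe0" + b"\x00" * 40   # JPEG-like bytes, correctly rejected

if __name__ == "__main__":
    for name, blob in [("benign.wmf", BENIGN_WMF), ("cat.jpg", PLACEABLE_SUSPECT), ("photo.jpg", NOT_WMF)]:
        print(name, scan_wmf(blob))
```

This is a structural check, not an antivirus: it only sees a WMF that begins at byte 0 of the object it is handed, so a metafile embedded in a Word document or other container (the case the ISC FAQ mentions) has to be extracted first, and it flags SETABORTPROC rather than proving a given file is malicious. Its value on a server is that a renamed or mislabeled metafile is caught before any Windows client gets to recognise it by header.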


As a Mac user, I won't gloat.

But it's fascinating... Why does an image file need to execute code? I looked it up but I don't get what it's used for exactly.

Oh, and one of the websites linked to recommended Firefox 1.5, which will at least ask before opening a WMF.
posted by fungible at 8:31 PM on January 1, 2006


fungible, the problem involves a memory buffer overflow, which Windows currently fails to prevent. When this happens, computers can behave in many unpredictable ways, and can be taken advantage of.
posted by Protocols of the Elders of Awesome at 8:37 PM on January 1, 2006


you don't need to take any action to get infected. if windows comes in contact with one of these infected files, you're fucked, because windows detects and acts upon windows metafiles automatically, without regard to file extension. this can happen simply by reading email, receiving an IM, or looking at a web site. unregistering shimgvw.dll may only delay infection. also note MS says unregistering shimgvw.dll "helps block known attack vectors", not blocks all attack vectors. the flaw is in gdi32.dll, there are almost certainly other ways to exploit it. movie of infection happening here. this is gonna be quite a show. i'm making popcorn and burning copies of ubuntu linux for my friends.
posted by quonsar at 8:40 PM on January 1, 2006


rodney stewart : I hope the windoze abused like typing. heh

I hope non "windoze" users can learn how copy and paste works, not to mention batch scripts and reg files.
posted by skallas at 8:44 PM on January 1, 2006


Dumbass here: Will running Firefox make me safe?
posted by LarryC at 8:49 PM on January 1, 2006


rodney stewart: this needs to be redone every time computer is booted.

microsoft: It is recommended that the machine be restarted after applying this workaround.

skallas: I hope non "windoze" users can learn how copy and paste works

i hope rodney stewart can learn how reading works.
posted by quonsar at 8:50 PM on January 1, 2006


Blaster was worse. Yawn.
posted by cellphone at 8:55 PM on January 1, 2006


Dumbass here: Will running Firefox make me safe?
posted by LarryC at 10:49 PM CST on January 1


No. Firefox has a long history of security issues, much like IE. In this case, however, you are safe from this particular vulnerability.
posted by cellphone at 8:56 PM on January 1, 2006


LarryC: NO. The Metafile vulnerability is system-wide, and doesn't rely on a particular browser. Anything that triggers the Metafile engine can exploit the vulnerability, whether it's IE, Firefox, Google Desktop, Irfanview, or any of a large number of other applications.
posted by chrominance at 8:57 PM on January 1, 2006


LarryC: No. If you are running Windows, you are not safe no matter what browsers or other applications you use. Any program which views, indexes, manipulates, or even just glances at image files will load the vulnerable Windows DLL when it encounters a WMF file.
posted by ubernostrum at 8:59 PM on January 1, 2006


Reading the comment thread on Ilfak Guilfanov's site, it's nice to see Steve Gibson checking in and verifying that the third-party patch does what it says it does, and does it well. Normally, I'd be pretty suspicious about installing some third-party DLL patch, but with a vulnerability this big, and an MS non-response this obvious, I'll be using Ilfak's workaround until there is a peep outa Redmond.
posted by delfuego at 9:03 PM on January 1, 2006


Will running Firefox make me safe?

no. en. oh. no. firefox and opera and most browsers will download any file with a .gif/.jpg/.png extension without user intervention (after all, that's what you expect it to do, it's a web browser.), and that file could be a .wmf simply renamed to .gif/.jpg/.png. once said file gets to your windows machine, windows automatically recognises it regardless of extension and you are fucked. here's a slashdotter who got infected running firefox.
posted by quonsar at 9:04 PM on January 1, 2006


cellphone: In this case, however, you are safe from this particular vulnerability.

cellphone is incorrect.
posted by quonsar at 9:05 PM on January 1, 2006


Plain english description of the exploit: if you visit a page hosting the file with IE with default security settings it'll infect you with no warning or interaction required. Here's a demo (WMV file, this is safe to view). It can be hidden in iframes or even snuck in via ad banners embedded on a page.

Firefox up to 1.07 and Opera prompt you to open the file with Windows Picture and Fax Viewer. If you do, you're infected. Firefox 1.5 tries to open it with Windows Media Player which doesn't know what to do with it (possibly a bug in Firefox). If you download the file and happen to have Google Desktop Search (and possibly other search programs) it'll helpfully index the file and infect you...the thumbnail image preview in Windows Explorer is also a vector. It's also circulating via e-mail spam.

There's been good coverage of this on Sunbelt's blog and Kaspersky Lab's Analyst's Diary. Also, the Wilders Security Forums thread.

There are already over 70 known variants, and they are easy to create. An eWeek article on AV's response effectiveness, commentary on it and another similar Wilders thread. Some aren't doing too badly, but if your AV is set to only update its definitions just once a week, that's really not gonna cut it. Lag time between new versions and updates is a killer--AVs with poor heuristics like Norton/Symantec probably won't be as effective in real world situations as the links might seem to suggest.

Sans and others have vetted and endorsed that 3rd party patch. It'll create an entry in Add/Remove Programs that can be used to safely uninstall it when an official hotfix comes out. I went ahead and applied it with no ill effects.
posted by Pryde at 9:14 PM on January 1, 2006


quonsar - that infection movie: I understand the part where the the infection happens. What I want to know is - the spyware removal bit, is that an example of the sort of payload this could carry? Ie. a spyware remover that wants to pop you for $40 to remove the exploit?

(I just think that's particularly sneaky, if that's the case)
posted by Jimbob at 9:16 PM on January 1, 2006


My sister and I are Mac users (thanks to me) but my mom still runs a Win2000 box. Should I tell her to simply avoid the internet until Microsoft offers an official patch or is that too drastic? For lay users, how great is the risk?
posted by SeizeTheDay at 9:19 PM on January 1, 2006


Thanks for the oblique tip, rodney stewart. However, these are the instructions for setting static routes for my router:

To set up a static route:

1. Click the Add button.
2. Type a route name for this static route in the Route Name box under the table.
(This is for identification purpose only.)
3. Select Active to make this route effective.
4. Select Private if you want to limit access to the LAN only. The static route will not be reported in RIP.
5. Type the Destination IP Address of the final destination.
6. Type the IP Subnet Mask for this destination.
If the destination is a single host, type 255.255.255.255.
7. Type the Gateway IP Address, which must be a router on the same segment.
8. Type a number between 2 and 15 as the Metric value.
This represents the number of routers between your network and the destination.
9. Click Apply to have the static route entered into the table.


Blahblahblahblah. I'm a pretty experienced user but I'm not a freaking network administrator. I think a whole lot of people are screwed unless a Windows Update patch for the root cause comes out soon.
posted by Tubes at 9:19 PM on January 1, 2006


Quonsar, that slashdotter who got infected said "only thing I did was to open a .wmf movie in Firefox", he seemed to have confused wmf with wmv or wmx and opened it. Still I wouldn't take any chances relying on Firefox for protection.
posted by bobo123 at 9:21 PM on January 1, 2006


a spyware remover that wants to pop you for $40 to remove the exploit?

i think it's someone using the exploit to add insult to injury by stealing a victims credit card number while allegedly selling them non-existent software.
posted by quonsar at 9:25 PM on January 1, 2006


Thank you, Pryde.

And thank you SeizeTheDay for asking my question.

--also, any one? Is my company's Windows Server vulnerable?
posted by jaronson at 9:26 PM on January 1, 2006


he seemed to have confused wmf with wmv or wmx and opened it

as pointed out above, the extension could be anything.
posted by quonsar at 9:26 PM on January 1, 2006


tubes, those pairs of IPs are equivalent. the first number x.x.x.x/n is an address/netmask pair. "n" means how many bits of the 32-bit IP address are valid; the last 32-n bits are "masked off" or in other words can be 0 or 1. the numbers in parens are equivalent to the addr/netmask when you expand out the "don't care" bits. the addr/netmask pair is shorthand.

my linksys router apparently can not do filtering of IP addresses or IP address ranges. i'm surprised by this. perhaps one could install route table entries to /dev/null for those addresses but i don't think this would prohibit incoming connections. it would probably not allow a TCP session to start up successfully though, and thus would protect you.

on preview: it looks like you have a partial answer per your post.
posted by joeblough at 9:27 PM on January 1, 2006
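An added example, not part of the thread: the address/netmask arithmetic joeblough describes, worked in Python against the two ISC netblocks quoted earlier, plus the dotted netmask that Tubes's router static-route page asks for. The code masks off the last 32-n bits by hand to show the mechanism, then cross-checks its answer against the standard library's `ipaddress` module. The owner names and prefixes are the ones from the thread; the test addresses are made up here.

```python
import ipaddress
from typing import Dict, Optional, Tuple

# Netblocks ISC listed in the thread, keyed by the owner named there.
ISC_BLOCKS: Dict[str, str] = {
    "InterCage Inc.": "69.50.160.0/19",
    "Inhoster": "85.255.112.0/20",
}


def ip_to_int(ip: str) -> int:
    """Dotted quad -> 32-bit integer."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {ip}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(n: int) -> str:
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def parse_cidr(cidr: str) -> Tuple[int, int]:
    """Return (network, mask) as integers for 'a.b.c.d/n'.

    The top n bits of the mask are 1 (fixed by the address); the remaining
    32-n bits are 0, the "don't care" bits that give the range in parentheses.
    """
    addr, prefix = cidr.split("/")
    n = int(prefix)
    if not 0 <= n <= 32:
        raise ValueError(f"bad prefix length: {cidr}")
    mask = (0xFFFFFFFF << (32 - n)) & 0xFFFFFFFF
    return ip_to_int(addr) & mask, mask


def cidr_range(cidr: str) -> Tuple[str, str]:
    """First and last address of the block, i.e. the form ISC wrote in parentheses."""
    net, mask = parse_cidr(cidr)
    return int_to_ip(net), int_to_ip(net | (~mask & 0xFFFFFFFF))


def netmask(cidr: str) -> str:
    """Dotted netmask, the field a consumer router's static-route page asks for."""
    return int_to_ip(parse_cidr(cidr)[1])


def in_block(ip: str, cidr: str) -> bool:
    """True if ip falls inside cidr: AND with the mask and compare to the network."""
    net, mask = parse_cidr(cidr)
    return ip_to_int(ip) & mask == net


def blocked_by(ip: str) -> Optional[str]:
    """Owner name of the ISC block containing ip, or None."""
    for owner, cidr in ISC_BLOCKS.items():
        if in_block(ip, cidr):
            return owner
    return None


def cross_check(cidr: str) -> bool:
    """Agree with the standard library's view of the same block."""
    netw = ipaddress.ip_network(cidr, strict=False)
    return (cidr_range(cidr) == (str(netw.network_address), str(netw.broadcast_address))
            and netmask(cidr) == str(netw.netmask))


if __name__ == "__main__":
    for owner, cidr in ISC_BLOCKS.items():
        first, last = cidr_range(cidr)
        print(f"{owner}: {cidr} = {first} - {last}, netmask {netmask(cidr)}")
```

For the router form quoted above, the Destination IP Address is the first address of the range and the IP Subnet Mask is what `netmask()` returns; pointing the Gateway at an unused address on the LAN is the "fake next hop" rodney stewart mentioned. As joeblough notes, that only breaks sessions your side initiates toward those blocks, so it is a partial measure for the hosts the exploits happen to call home to, not protection against the metafile itself.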


Oh, and not that I'm doubting anyone for a minute, but, if the sky is truly falling, why is there no story about it on Google News?
posted by jaronson at 9:29 PM on January 1, 2006


pfft. clearly you do not understand how google news works.
posted by quonsar at 9:30 PM on January 1, 2006



jaronson writes "why is there no story about it on Google News?"

Partially the excellent timing. This year we got up to a four day window at christmas for maintenance (December 24-27) in many large organisations. All that time then meant people weren't hanging around during the ramp up of this exploit.
posted by Mitheral at 9:34 PM on January 1, 2006


Wow -- now that the folks at SANS are endorsing Ilfak's patch, and have provided an MSI file suitable for mass-distribution via policy files, there really is no excuse for this not being on every sysadmin's critical installation list first thing tomorrow morning. And since Microsoft has indicated to SANS that no patch will be forthcoming from them until around January 9th (read the end of that SANS link), there's really no point in waiting any longer -- just install the third-party patch now, and uninstall it once MS does their thing.
posted by delfuego at 9:37 PM on January 1, 2006


For the (justly) paranoid, VMware actually recently released VMware Player, a free version of their virtualization software along with a prebuilt "Browser Appliance" that's based on Ubuntu Linux. You need a fairly powerful computer to run it well, though. (Plentiful RAM is the most important thing.) They did have to recently patch their own software because of a potential vulnerability to the host system, but overall it's pretty secure and neat to play with.

The full version of VMware is actually the tool security researchers use to analyze malware on virtualized Windows installs--the demo WMV I see quonsar beat me to posting was created using it (you can tell by the icon in the systray next to the clock).
posted by Pryde at 9:38 PM on January 1, 2006


Will the official MS patch likely be available to people using pirated copies of Windows?
posted by jimmy at 9:39 PM on January 1, 2006


No.
posted by Protocols of the Elders of Awesome at 9:42 PM on January 1, 2006


fuck
posted by jimmy at 9:44 PM on January 1, 2006


Microsoft costs businesses billions upon billions of dollars worldwide every time another one of these fucking exploits shows up. Why the hell do they suck SO MUCH? And why the hell do people PUT UP WITH IT?
posted by wakko at 9:44 PM on January 1, 2006


Also, why the FUCK isn't there a fix RIGHT NOW?
posted by wakko at 9:44 PM on January 1, 2006


jimmy: who knows. Maybe not, which increases risk for everyone else.

White hats: please write a worm that patches vulnerable winboxen with Ilfak's patch. Thanks.
posted by Slithy_Tove at 9:45 PM on January 1, 2006


Why the hell do they suck SO MUCH?

In my opinion, the fact that this exploit exists is not sucky. Trying to prevent every buffer overflow in an OS is a terrifying prospect. If this was an obvious exploit, it would have been discovered years ago. I have no doubt that there are many such exploits in other operating systems which don't get discovered because too few people are trying to find and exploit them.

The fact that there isn't an official patch out is, however, highly sucky.
posted by Protocols of the Elders of Awesome at 9:48 PM on January 1, 2006


AFAIK, while windows update won't work with a pirated copy of windows, you can always download the patch itself and install that directly.
posted by yeoz at 9:48 PM on January 1, 2006


And why the hell do people PUT UP WITH IT?

Laziness, stinginess and ignorance.
posted by Rothko at 9:49 PM on January 1, 2006


Trying to prevent every buffer overflow in an OS is a terrifying prospect

Some vendors already manage this properly.
posted by Rothko at 9:53 PM on January 1, 2006


Show me a vendor who has prevented every buffer overflow in their OS.
posted by event at 9:55 PM on January 1, 2006


Trying to prevent every buffer overflow in an OS is a terrifying prospect.

It's not that terrifying.

From the link:
  • What is DEP (Data Execution Protection) and how does it help me?
    With Windows XP SP2, Microsoft introduced DEP. It protects against a wide range of exploits, by preventing the execution of 'data segements'. However, to work well, it requires hardware support. Some CPUs, like AMD's 64 Bit CPUs, will provide full DEP protection and will prevent the exploit.
People have been working on techniques to prevent buffer overflows for some time now. No clue if it'll actually do anything in regard to this exploit though. (Just checking my own AMD64 machine at home, Hardware DEP is enabled for all programs; I don't know if that was a default though.)

On Preview:
Some vendors already manage this properly.

Like OpenBSD, which has had some degree of built in buffer-overflow protection for a few releases now? :P
posted by yeoz at 9:56 PM on January 1, 2006


And why the hell do people PUT UP WITH IT?

because there's software ... lots of software that doesn't run on any other platform

aside from games, music apps are something i run in windows ... many of them don't have an effective equivalent elsewhere ... and don't talk to me about linux music apps ... i've tried them and they're just not at the same level ... and macs are too expensive

microsoft needs to STOP development for a while and fix what they have
posted by pyramid termite at 9:58 PM on January 1, 2006


protocols, MS does make security patches available without checking that the copy of windows is legit.

Those IP ranges are for network administrators who are used to putting firewall rules in place - probably not worth bothering for home users. Those netblocks are home to some bad guys but the exploits can be anywhere on the net. A common method is making a wmf (with any filename extension) the source of an iframe.

The hardware DEP reportedly prevents it but the software DEP supposedly does not.
posted by jam_pony at 9:58 PM on January 1, 2006


Speaking as a Mac user, I'd just like to say we all pity you poor Windows users and it serves you right.
posted by keswick at 9:58 PM on January 1, 2006


Sun's Trusted Solaris goes pretty far. StackGuard, libsafe and other options help vendors write safer code, some of which finds its way into military apps.
posted by Rothko at 10:02 PM on January 1, 2006


I'm 99% sure, that, while windows update won't work with a copy of XP that fails the "Windows Genuine Advantage" validation, users can still get "critical fixes" via automatic updates.
posted by yeoz at 10:03 PM on January 1, 2006


macs are too expensive

Cheaper than tech support, but it's your dollar.
posted by Rothko at 10:04 PM on January 1, 2006


You realize, keswick, that there are a lot of smart people who know that Macs haven't been hit with viruses and vulnerabilities like Windows has, and yet don't feel the need to play "I told you so!" whenever something like this pops up.
posted by chrominance at 10:05 PM on January 1, 2006


Trying to prevent every buffer overflow in an OS is a terrifying prospect.

It's not that terrifying.

Then let's rephrase it: Trying to prevent every possible exploit in an OS is a terrifying prospect.

Even the vaunted OpenBSD team has had vulnerabilities. You can raise the bar for difficulty of triggering the exploit (like OpenBSD does, like StackGuard does, like libsafe, etc.), but you can't make it impossible.
posted by event at 10:08 PM on January 1, 2006


The hardware DEP reportedly prevents it but the software DEP supposedly does not.

According to Kaspersky Lab, it isn't foolproof:

At first glance it seems that hardware-based Data Execution Protection, which is available only with XP/SP2 on NX-bit (AMD) and XD-bit (Intel) enabled CPUs, prevents successful exploitation of the vulnerability.

We've tested on AMD and Intel platforms and HW DEP seemed initially to prevent successful exploitation in Internet Explorer and Windows Explorer. However, when testing the latest builds of third party image viewers like Irfanview and XnView HW DEP didn't prevent exploitation, even with HW DEP enabled for all programs. This is because both Irfanview and XnView are packed with ASPack and Windows disables HW DEP for ASPack packed files.

posted by Pryde at 10:09 PM on January 1, 2006


("an exploit" not "the exploit")
posted by event at 10:10 PM on January 1, 2006


Cheaper than tech support, but its your dollar.

my tech support is on google.com and groups.google.com ... works fine for me
posted by pyramid termite at 10:11 PM on January 1, 2006


I'm a windows and linux user who avoids Macintosh for good reasons. Yet I recommend them often.

The criteria are (a) can afford one (b) likes the interface (c) wants things to "just work" without having to bother too much about security, tinkering etc.. This describes a lot of the computer user population.
posted by jam_pony at 10:12 PM on January 1, 2006


Can anyone answer my questions upthread: Should I tell her to simply avoid the internet until Microsoft offers an official patch or is that too drastic? For lay users, how great is the risk?

And for god's sake Rothko, computers in their current form are built for Windows. For better or for worse, just like the US economy, the world is stuck with Windows. So your silly attempts to sell Apple are effectively meaningless and a derail to this thread.
posted by SeizeTheDay at 10:15 PM on January 1, 2006


my tech support is on google.com and groups.google.com ... works fine for me

Then you are in the minority of the minority capable of understanding a) what to search for on google.com/groups.google.com; and, b) how to interpret the search results.

I wouldn't send my loved ones on their own like this, given that Microsoft can't support their own OS, and so I either fix my friends' and families' Windows boxes repeatedly or gently push them to safer, less expensive alternatives. (The only reason Macs are "more expensive" is because of less software piracy, anyway.)
posted by Rothko at 10:19 PM on January 1, 2006


So your silly attempts to sell Apple are effectively meaningless and a derail to this thread.

I'm not "selling" anything. Using a legitimate alternative to Windows is a perfectly legitimate option for fixing this problem in the long-term, and I'm well within my rights to suggest this solution — if only to curtail these unnecessary threads that are not worthy of "best of the web", by any stretch.
posted by Rothko at 10:25 PM on January 1, 2006


CarpeDiem: She's a typical user who uses IE, Outlook, default settings?

Either get her dll deregistered and the patch installed, or have her stay offline for a while, whichever is easier for both of you.

How great is the risk in general? It's hard to tell how likely one is to encounter this in casual use. Certainly the risk is greater in sleazy areas of the internet - porn, poker and such. And anyone who has poor spam filtering, takes attachments from strangers and so on is more at risk.

Probably there's less of it for those who just go to mainstream websites. The risk there is from sub-sub-contracted ads that may show up on pages.
posted by jam_pony at 10:25 PM on January 1, 2006


Excuse feeble attempt at cleverness, it occurs to me now there may be someone else with "carpediem" instead of "seize the day".
posted by jam_pony at 10:27 PM on January 1, 2006


Oh, come on. The fact that this exploit exists is a fucking joke. Seriously, at some point some developer had to have considered that allowing an image file to execute arbitrary code might, kinda, y'know, maybe be a bad idea.

No, this is a really, really stupid mistake, and I agree that it's emblematic of what a horrid company Microsoft is.
posted by spiderwire at 10:37 PM on January 1, 2006


Will the official MS patch likely be available to people using pirated copies of Windows?

Switching on automatic background updates (if you have SP2) will keep your system up to date, whether you have a disallowed key or not, even if the windowsupdate site says you're naughty and locks you out.

Not that it'll help with this new issue any time soon, but just as an FYI.
posted by stavrosthewonderchicken at 10:39 PM on January 1, 2006


Seriously, at some point some developer had to have considered that allowing an image file to execute arbitrary code might, kinda, y'know, maybe be a bad idea.

Looks like you need to learn about buffer overflows.

...or just read the thread...

posted by event at 10:41 PM on January 1, 2006


.....that said, there are a whole host of other reasons why the "developing an OS is haaaard" excuse doesn't fly (e.g. the use of DLLs in the first place), but I'm just sayin' -- even on face this exploit doesn't pass the laugh test.
posted by spiderwire at 10:41 PM on January 1, 2006


So this thing might be an issue for people who go to the "seedier" sites on the internet? It sounds like the risk for lay users is no more than usual.

wtf, geeks? chicken little much?

Thanks for the heads up just the same. pfft.
posted by jaronson at 10:42 PM on January 1, 2006


I've read the thread, chief. I'm saying that in principle, it's a really moronic idea -- from a developer's perspective -- to allow an image file to execute arbitrary code, buffer overflow or no.
posted by spiderwire at 10:44 PM on January 1, 2006


So this thing might be an issue for people who go to the "seedier" sites on the internet? It sounds like the risk for lay users is no more than usual.

You, sir, are a fool. Have fun with your spyware-infected paperweight.
posted by spiderwire at 10:45 PM on January 1, 2006


Also, with regards to updating pirated systems, there's this and this.

I've only used the latter (which is very good indeed) and can't vouch personally at all for the former, so caveat piratus or some fake latin like that.
posted by stavrosthewonderchicken at 10:48 PM on January 1, 2006


Metafilter: wtf, geeks?
posted by papakwanz at 10:49 PM on January 1, 2006


Thanks for the reply, spiderwire. Why do you assume I will have a spyware-infected paperweight?
posted by jaronson at 10:50 PM on January 1, 2006


I'm saying that in principle, it's a really moronic idea -- from a developer's perspective -- to allow an image file to execute arbitrary code, buffer overflow or no.

Agreed, data in image files shouldn't ever be executed.

But this isn't a Microsoft problem -- no Microsoft programmer made the decision to allow this. The problem is far more fundamental, at the level of the processor/programming language.
posted by event at 10:51 PM on January 1, 2006


Thanks stavros.
posted by jimmy at 10:51 PM on January 1, 2006


Um, I'm no techno weenie, but my NAV seems to have caught an attempted infection via this exploit during recent Web surfing: "[tempdir]/[filename].wmf: Download.Trojan". Might it just be enough to update our anti-virus definitions...?
posted by twsf at 10:53 PM on January 1, 2006


jaronson: because the implication that your computer can be infected only by surfing, quote, "seedier" sites is patently false. Your system can be infected by loading any image, even if you don't display it. Additionally, your computer could become infected via any other number of vectors -- IM, email, etc -- from any other infected system.

In other words, the claim that "the risk for lay users is no more than usual" is also false, and it's irresponsible to be claiming it. I assure you that you do run a risk of having your system disabled if you don't protect it properly, and by all appearances this is a very serious exploit.

Do what you want with your own computer, but since you don't have a clue what you're talking about, please, STFU and take it elsewhere, because your advice puts other people at risk.
posted by spiderwire at 10:59 PM on January 1, 2006


So this thing might be an issue for people who go to the "seedier" sites on the internet? It sounds like the risk for lay users is no more than usual.


ack spiderwire beat me to it. unless by lay user, you mean someone that doesn't use email/im?

Um, I'm no techno weenie, but my NAV seems to have caught an attempted infection via this exploit during recent Web surfing: "[tempdir]/[filename].wmf: Download.Trojan". Might it just be enough to update our anti-virus definitions...?

NAV is picking up the signature of the payload and not the signature of the vector. If the bad guys write up some new payload then NAV will miss it. Something I read by surfing outwards from the original post said that.
posted by juv3nal at 11:01 PM on January 1, 2006


from a developer's perspective -- to allow an image file to execute arbitrary code, buffer overflow or no.

It's a buffer overflow. You're not speaking "from a developer's perspective" if you think a buffer overflow constitutes "allowing" an image file to do anything. You're speaking from "an ignorant perspective".
posted by swell at 11:02 PM on January 1, 2006


Why do you assume I will have a spyware-infected paperweight?

because you don't even understand how google news works, for one thing.
posted by quonsar at 11:02 PM on January 1, 2006


But this isn't a Microsoft problem -- no Microsoft programmer made the decision to allow this.

It's endemic to the entire Microsoft development culture. No software house worth its salt should have ever written an OS as miserable in even the most basic fundamentals of security as Windows. The image-execution problem is only one small example of this issue, although it's an informative one if you consider just how stupid it is. It's a QC issue, plain and simple.

This is a nice overview that was on Reddit a few days ago that I think explains this nicely. (Although it's real real long.) Fun read.
posted by spiderwire at 11:03 PM on January 1, 2006


Something I read by surfing outwards from the original post said that.

Actually it's in the first link of the original post if you scroll down:
here
posted by juv3nal at 11:05 PM on January 1, 2006


swell: It's a buffer overflow. You're not speaking "from a developer's perspective" if you think a buffer overflow constitutes "allowing" an image file to do anything. You're speaking from "an ignorant perspective".

From the SANS FAQ:

"What is the actual problem with WMF images here?

WMF images are a bit different than most other images. Instead of just containing simple 'this pixel has that color' information, WMF images can call external procedures. One of these procedure calls can be used to execute the code."


But yeah, they're a bunch of ignoramuses, too.
posted by spiderwire at 11:07 PM on January 1, 2006


Alright, now we're gettin' somewhere...

Thank you again, spiderwire.

So I downloaded the fix from hexblog.com, and I have my anti-virus (avast) and my firewall in place and don't open spam emails (like usual) and don't use instant messenger. Have I done everything I can to reduce my vulnerability?

and quonsar, I've always appreciated your comic relief.
posted by jaronson at 11:11 PM on January 1, 2006


Thank you again, spiderwire.

I'm not sure if you're being sarcastic, but if not, I apologize for the 'STFU.' I think that this is a serious problem and that it shouldn't be sold short.

The Guilfanov patch seems to be the way to go at the moment. The point I was making is that -- especially in the case of an exploit with such an innocuous infection method -- pretty much all Windows users are vulnerable to it.
posted by spiderwire at 11:14 PM on January 1, 2006


As a Mac user, I won't gloat

Me either. But my machine at work is a whole other story. Crap.
posted by damclean2 at 11:17 PM on January 1, 2006


Seriously, at some point some developer had to have considered that allowing an image file to execute arbitrary code was a bad idea, buffer overflow or no.

spiderwire, you are confusing me. Don't buffer overflow exploits overwrite the stack of a running program? The average C programmer does not normally shag about directly with the stack, but leaves it to the runtime to manage. I wouldn't have thought this exploit required anything from the programmer other than accepting a string of data longer than the destination buffer.

It's a bad idea to allow buffer overflows but it's awfully easy to do in C and no doubt this is an older chunk of code that predates the widespread awareness of just how bad it is.
posted by i_am_joe's_spleen at 11:19 PM on January 1, 2006


...Don't buffer overflow exploits overwrite the stack of a running program? The average C programmer does not normally shag about directly with the stack,...

I think what spiderwire is getting at is that the buffer overrun is being initiated by code that is run from the image file (WMF). And, yeah, it's not the brightest idea ever to create an image file format that runs code. Personally, I have never run across a use for it.
posted by Thorzdad at 11:25 PM on January 1, 2006


spiderwire: No, I'm not being sarcastic. You are answering my questions and I appreciate it.

I'm just trying to understand this thing, folks.
posted by jaronson at 11:27 PM on January 1, 2006


Where are people getting this idea that it's a buffer overflow?
posted by spiderwire at 11:29 PM on January 1, 2006


Thorzdad gets it. I guess it was from another comment upthread? Here's a very cogent explanation. Also provides an explanation for why it was previously needed, but the fact that it still exists is a friggin' travesty.
posted by spiderwire at 11:30 PM on January 1, 2006


From comments upthread, including yours.
posted by i_am_joe's_spleen at 11:30 PM on January 1, 2006


OK, read your link. Crikey that IS a bad idea, and yes I agree now it's not a buffer overflow.
posted by i_am_joe's_spleen at 11:31 PM on January 1, 2006


Unfortunately this isn't a buffer overflow, WMF files, when they fail to load correctly can call an external procedure. This is a system that in fact someone at microsoft did design so that the file could have a "failsafe" and be able to do something even in the event of a failure. So, yes, this is poor design. People are creating malformed WMF files that always "fail" and then the specified procedure can be run.
posted by rhyax at 11:34 PM on January 1, 2006
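As an added example, not code from the thread, from SANS or from Ilfak Guilfanov, here is a small Python scanner for the mechanism described in the SANS FAQ quoted above and in rhyax's comment: it walks a WMF file's record list and flags Escape records, in particular the SETABORTPROC sub-function, which is what registers the "failsafe" procedure. The record constants are the public Windows Metafile format values; the sample files and the `build_wmf` helper are constructed here for the demonstration.

```python
import struct

# Public WMF record function numbers (from the Windows Metafile format).
META_EOF = 0x0000
META_SETBKCOLOR = 0x0201
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009          # Escape sub-function that registers a callback
PLACEABLE_MAGIC = 0x9AC6CDD7   # optional 22-byte "placeable" wrapper

def parse_wmf(data):
    """Walk the record list of a WMF file.

    Returns (records, malformed): records is a list of (function, params) in
    file order; malformed is True if the walk stopped on a bad header, a bad
    record size or truncation instead of a META_EOF record. A record that
    claims more bytes than the file has is still reported, with short params,
    because the in-the-wild files deliberately fail to parse cleanly.
    """
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        off = 22
    if len(data) < off + 18:
        return [], True
    _file_type, header_words = struct.unpack_from("<HH", data, off)
    if header_words != 9:          # standard header is 9 words (18 bytes)
        return [], True
    off += header_words * 2
    records = []
    while True:
        if off + 6 > len(data):
            return records, True   # ran off the end without seeing META_EOF
        size_words, func = struct.unpack_from("<IH", data, off)
        if size_words < 3:
            return records, True   # record cannot even hold its own header
        end = off + size_words * 2
        records.append((func, data[off + 6:end]))
        if func == META_EOF:
            return records, False
        if end > len(data):
            return records, True   # record overruns the file: malformed
        off = end

def scan_wmf(data):
    """Summarise the Escape records in a WMF file for triage."""
    records, malformed = parse_wmf(data)
    escapes = []
    for func, params in records:
        if func == META_ESCAPE:
            # first word of an Escape record is the escape sub-function
            escapes.append(struct.unpack_from("<H", params, 0)[0] if len(params) >= 2 else None)
    return {
        "records": len(records),
        "escapes": escapes,
        "setabortproc": SETABORTPROC in escapes,
        "malformed": malformed,
    }

def build_wmf(records):
    """Assemble a minimal standard (non-placeable) WMF from (func, params)
    pairs. Helper constructed for this example only."""
    body = b""
    max_words = 3
    for func, params in records + [(META_EOF, b"")]:
        if len(params) % 2:
            params += b"\x00"              # record sizes are in 16-bit words
        words = (6 + len(params)) // 2
        max_words = max(max_words, words)
        body += struct.pack("<IH", words, func) + params
    # Type=1 (in memory), HeaderSize=9 words, Version=0x300, Size, NumObjects, MaxRecord, reserved
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, max_words, 0)
    return header + body

# Constructed samples: a plain drawing record, the same plus an Escape record
# carrying SETABORTPROC with placeholder data, and a truncated copy of the
# latter that never reaches META_EOF.
BENIGN = build_wmf([(META_SETBKCOLOR, struct.pack("<I", 0x00FFFFFF))])
SUSPECT = build_wmf([
    (META_SETBKCOLOR, struct.pack("<I", 0x00FFFFFF)),
    (META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + b"ABCD"),
])
TRUNCATED = SUSPECT[:-8]

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("suspect", SUSPECT), ("truncated", TRUNCATED)):
        print(name, scan_wmf(sample))
```

Run on real files, the "malformed" flag alone is not a verdict (plenty of legitimate metafiles are sloppy), but an Escape record with SETABORTPROC in an image that arrived over the web or mail is worth quarantining regardless of what anti-virus says about the payload.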


I didn't say it was a buffer overflow, that was Protocol, et. al.
posted by spiderwire at 11:34 PM on January 1, 2006


Sun's Trusted Solaris goes pretty far. StackGuard, libsafe and other options help vendors write safer code, some of which finds its way into military apps.

StackGuard doesn't "help vendors write safer code" at all; its entire purpose is to stop stack overflows in poorly written software from fucking a system up. It requires recompilation, and it does nothing to help a vendor that releases unprotected binaries without source code, unless the vulnerability is in a protected system library that the vendor relies on. Libsafe? Another method of making up for shitty software development practices.

Those all just stop stack overflows. They don't stop heap overflows, and they don't stop format exploits. They certainly don't prevent overflows in the kernel. And they all have nothing to do with writing safer code. I don't know how you lumped RBAC into all of that, RBAC is next to useless for general use.

Disclaimer: I work/worked for the company that developed StackGuard and marketed a Linux distro based on it.
posted by cmonkey at 11:35 PM on January 1, 2006


Thanks to the folks who quickly provided the info lay users need to make our computers safe. Just unregistering the .dll file has made me feel a whole lot better. I hope it's enough, but it looks like I should also install the third-party patch to be sure, since MS has apparently dropped the ball. That Handler's Diary link is pretty frightening shit to some of us out here.

One question: How difficult is it for a lay user to install the currently available patch?
posted by mediareport at 11:36 PM on January 1, 2006


mediareport: I am a "lay user" and I just installed it. It was very easy. Just downloaded it, accepted the terms, etc.

I noticed it is listed in my Add/Remove Programs list and, if I understood the instructions from hexblog.com, you should uninstall that one before you install the Microsoft patch (that I assume is coming in the near future).
posted by jaronson at 11:42 PM on January 1, 2006


this all looks very hilarious from over here in linux land.
posted by ori at 11:57 PM on January 1, 2006


And, yeah, it's not the brightest idea ever to create an image file format that runs code. Personally, I have never run across a use for it.

I use it all the time. Since WMF files consist of just calls to the Windows graphics system, any software which can draw shapes can import and export them. Thus WMF is a de facto vector-image standard on Windows. For example, the only way to get vector images from an old cad program I use (which doesn't export anything compatible) into powerpoint is to cut and paste metafiles.

That's not to say they couldn't Not that they couldn't have made the calls less exploitable. I've said it before, and I'll say it again: C is the devil's language.
On preview: Oh. It's not a buffer overflow. Well C is still evil, and your hair is too long.
posted by Popular Ethics at 11:59 PM on January 1, 2006


this all looks very hilarious from over here in linux land.

*laughs* Why do you people even post in threads like this?
posted by mediareport at 12:06 AM on January 2, 2006


Not that they couldn't
Pardon my stutter.
posted by Popular Ethics at 12:07 AM on January 2, 2006


Why do you people even post in threads like this?

Schadenfreude, I'm guessing.
posted by spiderwire at 12:08 AM on January 2, 2006


Sorry, I was told it was a buffer overflow thing.
posted by Protocols of the Elders of Awesome at 12:16 AM on January 2, 2006


Thanks to everyone here who has been contributing useful information about this issue that affects millions of us.

No thanks to anyone trying to derail this thread into an OS war.
posted by Afroblanco at 12:20 AM on January 2, 2006


Prediction: The sky is not falling and the world will go on pretty much as normal for most of us on Tuesday.
posted by Justinian at 12:22 AM on January 2, 2006


Schadenfreude, I'm guessing.

My guess is they see all the excitement and despite their oh-so-superior pronouncements want to be involved somehow. It's funny.
posted by mediareport at 12:24 AM on January 2, 2006


This is going to make this first week back at work in the new year suck major balls, isn't it? Not just for inside my company (where people install custom cursors and moving desktops if they're allowed to) but for all of our clients who are going to be getting crushed by this.

Thanks MS! Sell it first, patch it later! Woot!
posted by fenriq at 12:25 AM on January 2, 2006


fenriq: raise time! :)
posted by spiderwire at 12:25 AM on January 2, 2006


Question:

When it specifically comes to browsers - does turning "load images" off help in any way?
posted by divabat at 12:29 AM on January 2, 2006


Rothko, you're a complete fucking moron if you think you're safe just because you use a mac. There is nothing about the Mac's architecture that makes it secure against exploits like this, it's just not as deeply probed and targeted as much as windows.

This glitch is pretty major, but the fact is security problems on windows have been coming in less and less. The real problem, though, is Spyware which gets 'legitimately' installed by users.

I also don't understand why people are so worried, since you can get the third party patch here right from SANS. It seems to be thoroughly vetted.
posted by delmoi at 12:35 AM on January 2, 2006


When it specifically comes to browsers - does turning "load images" off help in any way?

Yes, it would. However, you can't get infected in firefox simply by viewing images, you need to download them and let them be opened by MS fax viewer (or get a thumbnail loaded in explorer)
posted by delmoi at 12:37 AM on January 2, 2006


this all looks very hilarious from over here in linux land.

That kind of attitude will really help sell Linux to the masses, dick.
posted by delmoi at 12:38 AM on January 2, 2006


What's really crazy is this:

This bug seems to affect all versions of Windows, starting from Windows 3.0 - shipped in 1990!

Good thing my mom's old machine just died and she doesn't have a modem in her new one yet.
posted by delmoi at 12:40 AM on January 2, 2006



One question: How difficult is it for a lay user to install the currently available patch?


You just have to click a few buttons, it's like installing any other program (the setup was done with InstallShield).
posted by delmoi at 12:46 AM on January 2, 2006


Oh, come on. The fact that this exploit exists is a fucking joke. Seriously, at some point some developer had to have considered that allowing an image file to execute arbitrary code might, kinda, y'know, maybe be a bad idea.

This code was written in the late 1980s, and released in windows 3.0 in '90. The developer probably had no idea that windows machines would ever be connected to the internet, and I think only one worm had ever been written.
posted by delmoi at 12:49 AM on January 2, 2006


bah, i'm sorry if my comment was interpreted as particularly smug -- it was actually an honest impression, albeit probably one i should've kept for myself. my amusement was also decidedly not schadenfreude: i had just watched the video linked to earlier, and found it analogous to one of those roadrunner moments when the coyote falls off a cliff, only to have a boulder land on him, then a bigger boulder, and finally some lit dynamite. the majority of infected users will only suffer through decreased productivity and some annoyance, so i didn't think it was especially bastardly to chuckle a bit. anyhow, i help out XP users whenever i can on ask.mefi, and i have never (to my recollection) chided anyone for picking the "wrong OS". i would've added something useful but everything i know has already been covered. anyhow, again, sorry if i came off like a total dick.
posted by ori at 12:51 AM on January 2, 2006


apology accepted :P

Although, it's pretty surprising no one at MS thought to take a look at this.
posted by delmoi at 12:58 AM on January 2, 2006


*laughs* Why do you people even post in threads like this?

Just a guess, because if you were using Linux, you wouldn't be having the problem?

What will it take to get you to switch to Linux? For that matter, what will it take to get me to switch? I'm using Windows XP (came with my laptop) and Firefox.

The answer is, when the hassle and danger from the security flaws finally outweigh the utility of all the programs we use Windows for. An operating system's utility is measured directly in the software that runs on it. The number of programs that lock me into Windows has steadily been declining over the past few years, but Linux still has nothing like Corel Painter, and it still doesn't have the best hardware support (my wireless card isn't recognized). Maybe soon though....
posted by JHarris at 1:05 AM on January 2, 2006


delmoi: Yes, it would. However, you can't get infected in firefox simply by viewing images, you need to download them and let them be opened by MS fax viewer (or get a thumbnail loaded in explorer)

Which means that firefox is basically safe, despite what the panic mongers want us to believe...

jaronson: It sounds like the risk for lay users is no more than usual.

It sounds that way to me too. Especially for lay users who don't use MS default apps - IE, messenger, outlook, whatever.

No doubt this will be a big nightmare for admins, but it is stupid to put every windows user in a panic because some admins are going to have a long night - shades of y2k. Don't worry folks, you don't need to buy bottled water for this one...
posted by Chuckles at 1:22 AM on January 2, 2006


When did this turn into slashdot?

Windows is the most popular OS in the world, and it is this reason, and this reason alone which explains why so many exploits are developed for it. If you think BSD, Linux or OSX are safer by design, then you're wrong. They're safer because less people use them.

I'll bet that Microsoft are treating this extremely seriously, but you have to understand that there is a world of difference between Microsoft releasing something and a hacker releasing the same. Microsoft have a much higher standard when it comes to testing and internationalising its releases, and there is an obvious extra delay for them when it comes to rolling out patches.
posted by seanyboy at 1:23 AM on January 2, 2006


From here: When the HappyNewYear.jpg hits the hard drive and is accessed (file opened, folder viewed, file indexed by Google Desktop), it executes and downloads a Bifrose backdoor (detected by us as Backdoor.Win32.Bifrose.kt) from www[dot]ritztours.com. Admins, filter this domain at your firewalls.

Now there is one of those incredibly stupid things MS does... Why in hell does it even look at the file when I access a directory? Ya ya, thumbnail previews, length of movie, meta information in sound files... But it is just plain dumb. It exists so that Windows can corner the market in applications that properly deal with those special types of files. I don't want my file browser accessing files, just tell me the names, thanks...

Of course google is doing it too - a necessary part of their product to be sure, but god knows why anybody wants what that product does...
posted by Chuckles at 1:31 AM on January 2, 2006


If one is running Win2KPro, not XP, will the patch work? It just says it was tested on XP.
TIA.
posted by NorthernSky at 1:32 AM on January 2, 2006


If you think BSD, Linux or OSX are safer by design, then you're wrong. They're safer because less people use them.

None of those reasons are why they are safer.

They are safer because people working on a free OS aren't motivated by selling the product. They don't care about pushing that next buggy release out the door and, more importantly, don't have to keep the source secret. Anyone with the skills to do so can find a vulnerability and anyone can make a patch.
posted by joegester at 1:37 AM on January 2, 2006


NorthernSky: Ilfak Guilfanov also wrote a little WMF Vulnerability Checker (link to his blog entry about it). I just ran it, after unregistering shimgvw.dll, patching, and rebooting. I run Win2K. The vulnerability checker says I'm okay.
posted by Slithy_Tove at 1:46 AM on January 2, 2006


Ironically, Intel processors have had the capability of full hardware memory protection going back more than 20 years to the 80286. The mechanism allowed slicing and dicing the memory map into various segments for each running process and declaring attributes such as access privilege, data, code, executable or not executable. Any illegal access generated an exception -- buffer overruns are impossible. This is an extremely sophisticated and powerful memory protection mechanism that has been present in all of the subsequent Intel processors but almost completely unused by the OS. Its only real use in Windows was for limiting access to I/O ports.

Unfortunately these features made programming more complicated and back then software engineers were just happy to get away from the old segment and offset model of the 8086 so they just created one big 32-bit flat segment for everything having all privileges and called it good. It is analogous to always logging in as administrator, but on the lowest hardware level.

There were reasons more than just simplicity for ignoring these hardware features. It would have been extremely difficult to port the OS to other processors such as 68K, PowerPC or Alpha since the hardware models were so different.
posted by JackFlash at 1:49 AM on January 2, 2006


I have flagged every single comment that has attempted to derail this thread into the "Your OS sucks" conversation. That conversation is NEVER interesting or useful. People post about it because they have nothing to say, yet they really enjoy typing.

This vulnerability is a problem that affects millions of people, and it would be nice if we could discuss it without the noise.

Thank you.
posted by Afroblanco at 1:50 AM on January 2, 2006


Thanks slithy, I just installed the patch anyway (not very patient am I) and the computer did not asplode. I have to hope this doesn't turn into a horrible nasty thing. People suck sometimes, huh.
posted by NorthernSky at 1:54 AM on January 2, 2006


joegester: You're assuming that because problems exist uniquely within the Microsoft development methodology, then no problems exist in the admittedly different open source methodology. I think this is a dangerous way to think, and it doesn't take into account the fact that any complex computer program is going to contain bugs and exploits.

We're probably never going to agree on this either, so there's little point in arguing it.
posted by seanyboy at 1:54 AM on January 2, 2006


I consider the "switch your OS" argument to be off-topic at all. The long article I posted earlier makes the argument that these sorts of problems are inevitable given Microsoft's myriad development problems. You do know why they had to scrap Longhorn, right?

Since the ostensible purpose of patching one's computer is to protect it from corruption, which is in turn aimed at preserving the computer's functionality, then any discussion of serious exploits like these should certainly consider the question of whether it would be much more time-effective to simply switch to a more secure OS. The ease-of-use and built-in security that OSX offers provides an opportunity to compare that question in a cost-benefit analysis.

For a lot of novice-to-intermediate computer users out there, the people who will be affected worst by this exploit and all that follow as a result of Microsoft's broken development process, switching to OSX is actually an argument that's well worth considering. Since that's all the majority of users, it's a relevant question for large organizations as well, and thus quite germane to this thread.

And really, all the important info isn't too hard to sort out anyway -- there's more than enough in the FPP itself.
posted by spiderwire at 2:00 AM on January 2, 2006


I just got hit with a live, in-the-wild WMF exploit attempt. NOD 32 caught the known trojan attempt. Now scanning with antivirus variants.

If one is running Win2KPro, not XP, will the patch work? It just says it was tested on XP. TIA.

Excellent question. I don't know. Since this DLL is an oldy and moldy, I'm going to guesstimate and say "Yes. It should work." But perhaps I shouldn't say that, and perhaps it didn't work. Read on:

Like I said, I just got hit by a WMF exploit attempt off the web. I'm running FireFox 1.0x, Win2K Pro SP 2, NOD 32 antivirus and the Ilfak patch.

NOD 32 just killed an attempted trojan execution via the WMF exploit. How did it even get to the point that it could even be detected by NOD 32? It shouldn't have even executed at all. I didn't download the WMF-named file and try to load it in any of the above listed programs. It just attempted to execute, drive-by style. No clicky, no download, nothing.

If this trojan wasn't a known signature or didn't cause a heuristics match in NOD 32, and the payload had been ultimately malicious rather than what I assume was an adware/spyware trojan, it's likely I wouldn't even be typing this right now. Effectively I was just nailed.

Let me put this into a bit of personal perspective:

In all of my computing life, from Apple 2 days beginning in early 1984 until today, I've had exactly 1 actual virus, 1 actual trojan, 0 worms, and 2 separate instances of IE browser hijacking.

Considering I've been online in various forms since about 86, have owned dozens of computers, am what would be known as a "high risk" user, and haven't been without broadband since 97 or 98 or so, those statistics are strongly approaching zero.

This is the very first time, ever, that something has slipped through my layers of defenses and even so much as triggered an antivirus alert/quarantine, much less an attempt to actually execute. I'm super careful.

My work week is going to fucking suck, thank you very much.

No doubt this will be a big nightmare for admins, but it is stupid to put every windows user in a panic because some admins are going to have a long night - shades of y2k. Don't worry folks, you don't need to buy bottled water for this one...
posted by Chuckles at 1:22 AM PST on January 2


Uh, yeah. Don't worry. Leave it to the admins. Thank you. Argh. Pointy. Must not kill.

You might want to rethink that buying bottled water thing, though. People tend to cry a lot when they lose all their photos, music, movies, email, and whatever else that comprises this digital life we've got going.

I have a really bad feeling about this, and I was totally nonplussed by Melissa, ILOVEYOU and Blaster, and was either helpdesking, tech-ing or admining during the major outbreaks for each of those.

You haven't lived until you've seen a Compaq ProLiant multi-CPU server running nothing but MS Exchange for just a thousand users explode like a barrel of Thermite and magnesium shavings and leave a smoking crater in the server room.
posted by loquacious at 2:05 AM on January 2, 2006


Seanyboy: the problem is within the Microsoft development ideology, which is basically "release first, patch later," and that's only the beginning of their problems. Up until the Longhorn scrap, their dev process involved trying to grab the entire OS's spaghetti code, do a full build, and then send the segments back to their departments for bug fixing.

I don't subscribe to the "OSS is inherently better" philosophy and all its weird marxist/altruist undergarbage, but the fact is that Microsoft's flawed development process leads to these problems, and OSX and most of the OSS community just write better software, because they actually follow good coding practices.

There are well-researched, well-documented, well-practiced processes and rules for writing good, secure software, and Microsoft doesn't follow them. That's why their software sucks. Period. This latest exploit is just a tragic real-world effect and example of what their poor development practices ultimately do 15+ years down the line (literally, in this case).

Again, that article I've linked twice now gives a pretty good, somewhat technical rundown, if you really want to understand some of the issues. I assure you that you are not talking from a very informed nor nuanced position right now.
posted by spiderwire at 2:06 AM on January 2, 2006


The "switch your OS argument" is pointless and useless. When people engage in it, I am always surprised that they don't annoy themselves. I have never seen anybody actually convinced to change their OS in one of these arguments, and they have been going on for a LONG TIME.

The argument gives people a change to vent their aggression at each other, and that's always fun. I just wish they would do it somewhere else.

I've known people who were evangelists for one system or another, and they inevitably do harm to their own cause. I don't care how much you love your Mac/Linux/Windows box. No, really. I don't.
posted by Afroblanco at 2:09 AM on January 2, 2006


If one is running Win2KPro, not XP, will the patch work? It just says it was tested on XP. TIA.

"It should work for Windows 2000, XP 32-bit, XP 64-bit, and Windows Server 2003."
posted by stavrosthewonderchicken at 2:12 AM on January 2, 2006


Specifically, this page hits some of the salient technical points (e.g. DLLs) regarding why Windows is just a miserably-designed piece of software. There's some good (if vitriolic) points in the /. thread linked in the FPP, too.
posted by spiderwire at 2:12 AM on January 2, 2006


The "switch your OS argument" is pointless and useless.

Regardless of how you feel about the people arguing it, this statement is patently false. The choice of OS and how we can transition to a better OS (whatever that might be) is a very, very important one.

There are literally billions of dollars being wasted patching holes that shouldn't exist in the first place. It makes a lot of people's jobs very miserable and occasionally causes people to get fired for problems that they didn't create. It makes the internet a generally less pleasant place to be and stops everyday people from being able to do things that you might take for granted, like send email or use the internet. It makes businesses choose their poison between outstanding overhead costs going to compatibility or to support.

You might not be interested in it, and you might not understand how this question affects you (although don't fool yourself -- it does), and you might not care about the people whom it affects, but calling this argument "pointless and useless" is just obtuse.
posted by spiderwire at 2:19 AM on January 2, 2006


MetaTalk

I beg you to keep the OS debate out of this thread. It is nothing but noise here, and now. Stop, damnit. Please. I'm begging you. This is neither the time nor place to discuss it. It's like arguing we should have bought a metal ship while we're out at sea and the wood one we're in is burning.

I'm going to be checking in here tomorrow from work to help solve this motherfucker. Please don't make me wade through your noise to do so.
posted by loquacious at 2:20 AM on January 2, 2006


If one is running Win2KPro, not XP, will the patch work?

I've just run the patch on w2kpro and unregistered the .dll as well. I then used Ilfak's WMF Vulnerability Checker and it reports the box as "invulnerable" to the exploit, w/ the caveat of "this specific exploit".
posted by well_balanced at 2:20 AM on January 2, 2006


Notice that I'm not evangelizing one way or another here, even though I think that OSX is pretty clearly the better choice -- but I do think it's relevant that we start to consider as a computer-dependent society just how important access controls and secure standards and, y'know, middling little crap like that actually are, rather than sweeping it under the rug until the next shitstorm appears. I'd fully support Microsoft if they would just pull their heads out of their asses. Given their market share, they're actually the ones in the position to do the most good.
posted by spiderwire at 2:21 AM on January 2, 2006


Fucking hell. I've got to go to bed. I just know the phone is going to ring in the morning with the dreaded phrase "Can you come in early?" being uttered. All XP laptop shop, roving computers coming back to campus after a long winter break, not the sharpest userbase in the netblock, tiny support department... I'm so fucking doomed.
posted by loquacious at 2:25 AM on January 2, 2006


good luck loquacious!
posted by spiderwire at 2:26 AM on January 2, 2006


I don't have the nearly religious fervor some people do about open source either. I agree that the switch your OS argument is tiresome and inane.

That said, it's not totally pointless. Clearly I'm not going to change seanyboy's mind. I didn't expect to in making my comment. It was directed at the many other people who read his comment who don't know about the other side of the argument. I just hate the, "Oh well, there's no one that's better. Nothing can be done anyways."-attitude that people have about software. It's so defeatist.
posted by joegester at 2:29 AM on January 2, 2006


loquacious: Leave it to the admins.

Don't be silly... I'm the only admin that takes care of any computer I ever touch (except my girlfriend's, if I try to 'admin' her machine she gets plenty pissy). You completely misread my statement - it is guaranteed to be a massive headache for admins, but many(most?) regular users probably won't even notice*.

* Well, your description sounds a little scary actually... We'll see.
posted by Chuckles at 2:35 AM on January 2, 2006


Chuckles: No, I wasn't assuming you would personally leave it to the admins... but... damn. This is how we ended up with a userbase addicted to Windows. Graargh, must sleep.
posted by loquacious at 2:41 AM on January 2, 2006


The "change your OS" argument is indeed valid, but right now more immediate mitigation strategies are probably more useful. You're not going to get the massive Windows userbase to switch to OS X or Linux anytime soon, let alone in the next couple of days, so you may as well chill.

loquacious: you installed the patch and unregistered the DLL? And the WMF still got through? Do you have more info?
posted by chrominance at 2:48 AM on January 2, 2006


Yes, patched and unregistered. Yes, it still got through.

Firefox attempted to open the WMF, it asked what I wanted to use to open it, and like an idiot, I went to go point it at textpad - launching a Windows Explorer "Open file..." dialog in the process. NOD 32 AV caught the Trojan as Explorer was tapped by the WMF.

I'm assuming that the source of the WMF was a 2nd or 3rd party ad server linked to from a page I was visiting.

Frankly I was so startled at seeing my antivirus 'ware actually do anything I simply nuked it and shut it all down without taking notes on the filename, the source, the first party page, or any attempts at determining the offending server. Which, for the moment, was probably the best thing I could have done. I may have time to attempt to recreate it from a VMWare instance or test box at work tomorrow.

I'll update - time permitting - from work tomorrow. Otherwise it might have to wait until I get home.

Those that can update and gather links in this thread, please do. Thank you. I have a feeling I'm going to need them.
posted by loquacious at 3:05 AM on January 2, 2006


Speaking as a Mac user, I'd just like to say we all pity you poor Windows users and it serves you right.
Seconded. I just love reading about these things in Opera on my iBook.
posted by nlindstrom at 3:13 AM on January 2, 2006


this all looks very hilarious from over here in linux land.
*Waves from over here in Mac land*
posted by nlindstrom at 3:21 AM on January 2, 2006


Wow, some of you can be real assholes. Do you cheer at fatal Chevy car crashes from your Ford?
posted by skallas at 3:27 AM on January 2, 2006


And why the hell do people PUT UP WITH IT?

Because of compatibility, choice, functionality, cost. You know, little things like that.
posted by bobbyelliott at 3:28 AM on January 2, 2006


The exploit test that was posted earlier, I believe, only checks to see if that third-party patch is there or not. You can actually run the exploit from this site. It doesn't do anything malicious.
posted by skallas at 3:39 AM on January 2, 2006


There are well-researched, well-documented, well-practiced processes and rules for writing good, secure software.

Ha, ha, ha ha ha, ha , ha ha ha, ha.
I'm going to forget about your subtle and nuanced jibe because frankly, that's the funniest thing I've read all (checks date) year.
posted by seanyboy at 3:55 AM on January 2, 2006


Skallas - does that exploit do anything at all that's useful to casual users? The site says it has "all payload removed" - presumably that means you'd get the same results (nothing happening) whether your system has the patch installed or not.
posted by Jimbob at 4:23 AM on January 2, 2006


In reviewing the various security websites about this vulnerability it seems that, in addition to
(a) disabling regsvr32 and
(b) downloading/running Ilfak's patch, it's also a good idea to
(c) turn off Google Desktop for the time being.
posted by mono blanco at 5:00 AM on January 2, 2006
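A way to script steps (a) and (b)'s verification, added here as an example and not something posted in the thread: it runs the same regsvr32 unregistration as the instructions at the top, then walks HKCR\CLSID looking for any InprocServer32 entry that still names shimgvw.dll, which is the check the SANS note about malicious re-registration calls for. The path to shimgvw.dll under %SystemRoot%\system32 is assumed; the function and variable names are mine.

```powershell
# Added example, not from the thread. Unregister the WMF thumbnail/viewer DLL
# and confirm nothing under HKCR\CLSID still points at it.
$dll = Join-Path $env:SystemRoot 'system32\shimgvw.dll'   # assumed location

function Get-ShimgvwRegistrations {
    # Enumerate every CLSID and return those whose InprocServer32 default
    # value names shimgvw.dll. An empty result means no in-process COM
    # server registration for the DLL exists at this moment.
    Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $key = "$($_.PSPath)\InprocServer32"
            if (Test-Path -Path $key) {
                $server = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
                if ($server -and $server -match 'shimgvw\.dll') {
                    [pscustomobject]@{ Clsid = $_.PSChildName; Server = $server }
                }
            }
        }
}

# Same as Start > Run > regsvr32 /u shimgvw.dll; /s suppresses the dialog box.
& regsvr32.exe /u /s $dll
if ($LASTEXITCODE -ne 0) {
    Write-Warning "regsvr32 /u exited with code $LASTEXITCODE"
}

# Verify. Re-run this function later (or on a schedule) to catch anything
# that re-registers the DLL behind your back.
$left = @(Get-ShimgvwRegistrations)
if ($left.Count -eq 0) {
    Write-Host 'shimgvw.dll is not registered as an in-process server.'
} else {
    Write-Warning "shimgvw.dll is still registered under $($left.Count) CLSID(s):"
    $left | Format-Table -AutoSize
}
```

Run it from an elevated prompt, since regsvr32 writes to HKCR. Note that a clean result only describes the registry at that instant; it says nothing about whether other code paths into gdi32's Escape() remain reachable, which is the reason the SANS handlers recommended Ilfak's patch in addition to unregistering the DLL rather than instead of it.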


Well, I just applied the patch everyone was linking to, and the result is that I can't either thumbnail or open any image files on my desktop anymore. Unfortunately, while a lot of people are screaming about how their tech and network jobs are seriously compromised here, my job actually involves, well, working with shitloads of image files. So unless someone knows what I'm doing wrong I'm taking this stupid patch off and joining the non-panic crowd until I get an MS patch.
posted by XQUZYPHYR at 5:57 AM on January 2, 2006


Is it really necessary to install the patch and unregister the dll or is just patching enough?
posted by sic at 6:04 AM on January 2, 2006


sic, do both. It can't hurt you.
posted by nkyad at 6:46 AM on January 2, 2006


Seconded. I just love reading about these things in Opera on my iBook.

As a Mac user for nearly twenty years or so now (my first was a II cx), I could never figure out why most PC users regarded us as such twats.

Thanks for clarifying, nlindstrom.
posted by PeterMcDermott at 7:30 AM on January 2, 2006


dll pickle? What are you talking about?
posted by ParisParamus at 7:32 AM on January 2, 2006


Speaking as a Mac user, I'd just like to say we all pity you poor Windows users and it serves you right.

Why? I'm going to assume you're not a cock so why would you say people deserve it?

As a Windows user, a Mac user, a Solaris user, and having friends and relatives who use a mix of them (including Linux) I really don't understand how you can equate a person's choice of OS with them deserving something bad?

Seconded. I just love reading about these things in Opera on my iBook.
posted by nlindstrom at 6:13 AM EST on January 2


I just love seeing people make assholes of themselves.
posted by juiceCake at 7:48 AM on January 2, 2006


dll pickle? What are you talking about?
posted by ParisParamus at 7:32 AM PST on January 2


It has nothing to do with Republicans, George Bush or American Politics.

So you don't need to worry about it.


And why the hell do people PUT UP WITH IT?
Because of compatibility, choice, functionality, cost. You know, little things like that.
posted by bobbyelliott at 3:28 AM PST on January 2


Huh. Here I thought it was ignorance on the consumers part.

FreeBSD is what I use and it has compatibility (can run SCO, GNU/Linux binaries, many Windows apps via WINE, and some have gotten Solaris and NeXTSTEP binaries working on the platform). Choice/functionality - over 8000+ apps in ports. Cost - $0 out of my pocket for software licencing fees.

That and I don't have to take time to 'secure' the box, nor spend addl. money on new antivirus software because the software authors have a history of failure, nor do I have to spend time fixing the box after an infection like Windows users have to.

I got educated long ago about Unix. And when Microsoft said "NT will be a better Unix than UNIX" kinda shows where one should be.

Now - Anyone care to explain why Microsoft says 'unregister the dll' vs. have an actual patch?

Anyone?
posted by rough ashlar at 7:48 AM on January 2, 2006


Windows is the most popular OS in the world, and it is this reason, and this reason alone which explains why so many exploits are developed for it. If you think BSD, Linux or OSX are safer by design, then you're wrong. They're safer because fewer people use them.

Even if it were that simple, and it's not, why would you care what the reason is? "Mac OS is far more secure, but it's only because it's not as popular, so why switch." Such backwards thinking.

Because of compatibility, choice, functionality, cost. You know, little things like that.
posted by bobbyelliott


Funniest comment I've read in ages. Some people would buy a piece of coal and rationalize it.
posted by Dennis Murphy at 7:53 AM on January 2, 2006


I really don't understand how you can equate a person's choice of OS with them deserving something bad?

Everyone makes choices, and in a responsibility society, you have to be responsible for that choice.

If they pick something with a known track record of failure, are you suggesting that bad choice should be met with:

1) Pity
2) Attempt to take opportunity to educate or remind why the choice has flaws
3) Mocking laughter

After you try #2 and it doesn't sink in.....#3 is quite the natural choice.

There is a difference between "deserving" and "Well, DUH what did you think would happen?"

This is yet another "DUH" moment.