Author Topic: OFFICIAL WINDOWS UPDATE for Windows Vulnerability - READ IN (Read 12785 times)

mouser · « **on:** January 02, 2006, 12:05 PM »

A fairly serious vulnerability was found in windows recently which is apparently being used in the wild and can infect computer simply by viewing an infected web page, etc.:

http://www.microsoft...lletin/ms06-001.mspx

an extremely well respected programmer (one of the authors of IDA) has written an unofficial fix for this because microsoft is not responding in a timely manner:

http://www.hexblog.c...005/12/wmf_vuln.html

i've read the description and comments and it seems well thought out and safe (and uninstallable).

I have installed this myself.

Seems safe and can be uninstalled if for some reason you have any issues. just fyi..

A new OFFICIAL patch has been released by microsoft - just run windows update to get it.
Read more here: http://www.microsoft...lletin/ms06-001.mspx

(note: it's not clear yet whether people who installed the unofficial patch need to uninstall that first, but safe bet would be uninstall official from add/remove programs list, then reboot, then run windows update to get official patch).

mouser · « **Reply #1 on:** January 02, 2006, 12:31 PM »

more info on the vulnerability:
http://www.msnbc.msn.com/id/10651414/

brotherS · « **Reply #2 on:** January 02, 2006, 12:36 PM »

Nasty stuff out there!

brotherS · « **Reply #3 on:** January 02, 2006, 12:38 PM »

Hmm... after thinking about that a bit I wonder if Firefox could protect you (again).

The article doesn't even mention Firefox, maybe because it's on MSNBC?

mouser · « **Reply #4 on:** January 02, 2006, 12:45 PM »

i dont think firefox will protect you from this. more informaiton from antivirus company f-secure:
http://www.f-secure.com/weblog/

Mark0 · « **Reply #5 on:** January 03, 2006, 03:03 PM »

I installed the fix from the IDA guy (totally counting on his "fame"

) some days ago on various PC, and from my experience it worked and haven't negatively affected nothing. Since Microsoft is taking too much time to patch this (as usual), I think it's highly recommended to apply this patch.

One of the nasty thing with this kind of exploit, is that you don't even need to open/view the file if, for example, you are running Google Desktop. When Google crawler hit the file, it will try to render it himself to get a proper thumbnail!

Bye!

Jibz · « **Reply #6 on:** January 03, 2006, 05:06 PM »

Seems hexblog.com has been suspended - probably too much trafic.

Any (trustworthy) alternative download sites?

mouser · « **Reply #7 on:** January 03, 2006, 05:10 PM »

jibz, see this post first: https://www.donation...dex.php?topic=1977.0

Mark0 · « **Reply #8 on:** January 03, 2006, 05:16 PM »

Any (trustworthy) alternative download sites?
-Jibz (January 03, 2006, 05:06 PM)

No that I like too much Steve Gibson site, but his mirror come handy!

http://www.grc.com/sn/notes-020.htm

Bye!

mouser · « **Reply #9 on:** January 05, 2006, 02:48 PM »

original post updated with info about new official patch.

tinyvillager · « **Reply #10 on:** January 10, 2006, 01:36 PM »

Source:http://news.com.com/More+WMF+problems+for+Microsoft/2100-1002_3-6024931.html?part=rss&tag=6024931&subj=news

You still have to be careful...

Just days after Microsoft rushed out a patch to fix a critical Windows flaw related to the processing of Windows Meta File images, two more problems with the component were flagged.

Source:http://secunia.com/advisories/18364/

Avaya Products Microsoft Windows WMF "SETABORTPROC" Vulnerability

mouser · « **Reply #11 on:** January 13, 2006, 12:27 PM »

ok this is fascinating:
listen to the mp3 or read the transcript of this new discussion that the vulnerability could have been a planted backdoor:

http://www.grc.com/securitynow.htm
(direct link to mp3 -> http://media.grc.com/sn/SN-022.mp3)

note: we've been discussing grc and steve gibson here in another thread, so take this with a real grain of salt; but expect there to be a lot of controversy over this.

mouser · « **Reply #12 on:** January 13, 2006, 08:47 PM »

Microsoft Disputes WMF Backdoor Claim:
http://www.betanews....oor_Claim/1137200934

http://blogs.technet...06/01/13/417431.aspx

f0dder · « **Reply #13 on:** January 14, 2006, 01:50 PM »

Mr. Gibson is such a sensationalist. I'm reading the transcript of the MP3, and all I see is "LOOK AT ME LOOK AT ME". And it sounds like he, as usual, isn't really understanding what's going on - *sigh*

mouser · « **Reply #14 on:** January 14, 2006, 01:56 PM »

it will be extremely interesting to hear the next episode of the mp3 show.
fodder you should listen to it on mp3 - it's clear that his cohost realizes the gravity of what he's accusing microsoft of doing and keeps offering him the opportunity to back down but he never does.. you have to give him some credit for sticking his neck out so far on something that's going to get a lot of push back.

f0dder · « **Reply #15 on:** January 15, 2006, 11:07 AM »

I read the transcript, and this "keeps offering him the opportunity to back down" looks more like something to cover their asses. It seems like Gibson hasn't analysed the flaw (ie, proper reverse engineering) but rather just fiddled with .WMF files until he produced one that worked, and then jumps to conclusions that 1 is a "magic backdoor value", while it sounds more like a buffer overflow to me. I haven't done RE of it either, but I'd rather opt for something that sounds plausible instead of brewing up conspiracy theories.

you have to give him some credit for sticking his neck out so far on something that's going to get a lot of push back.

Not really. Sticking out his neck this way gives him publicity, and that's what he wants.

mouser · « **Reply #16 on:** January 16, 2006, 10:08 AM »

long slashdot discussion of the issue:
http://it.slashdot.o.../01/16/0615247.shtml

f0dder · « **Reply #17 on:** January 16, 2006, 10:31 AM »

Heh, even the /. zealots say that Gibson is a crackpot ^_^

f0dder · « **Reply #18 on:** January 19, 2006, 09:27 AM »

...so much for Gibson's "magic value" theories - here's a guy that KNOWS how to reverse engineer, and has actually done it: http://www.sysinternals.com/Blog/

mouser · « **Reply #19 on:** January 19, 2006, 12:38 PM »

fodder's link, to Mark Russinovich's blog entry about the wmf vulnerability, will no doubt be the definitive word on the subject.

His conclusion:

"The bottom line is that I'm convinced that this behavior, while intentional, is not a secret backdoor."

looks like steve gibson is going to be eating his words on his next radio show.