Network Security & Hardware - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Microsofts WMF Patch Leaks Out



 By: Ryan Naraine
2006-01-04
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
A cryptographically signed version of Microsoft's WMF patch inadvertently leaks out to a security community site, prompting an updated advisory from the software giant.

A cryptographically signed version of Microsoft Corp.s patch for the Windows Metafile vulnerability accidentally leaked onto the Internet late Tuesday, adding a new wrinkle to the companys round-the-clock efforts to stop the flow of malicious exploits.

The MSRC (Microsoft Security Response Center) acknowledged that a slip-up caused "a fast-track, pre-release version of the update" to be posted to a security community site and urged users to "disregard" the premature update.

The companys official recommendation is for Windows users to unregister the Windows Picture and Fax Viewer (Shimgvw.dll) and wait for a properly tested patch scheduled for Jan. 10.

Mike Reavey, operations manager of the MSRC, said the appearance of the pre-release code was inadvertent.

Resource Library:
"There has been some discussion and pointers on subsequent sites to the pre-release code. We recommend that customers disregard the postings and continue to keep up to date with our latest information on the WMF issue," Reavey said.

A security researcher who had seen the leaked patch told eWEEK it contained an updated GDI32.DLL file that was created by Microsoft immediately after the first exploits started appearing on malicious Web sites on Dec. 27.

Interestingly, Microsofts patch works seamlessly with the unofficial hotfix from reverse-engineering guru Ilfak Guilfanov. "It looks like Microsoft was right on the ball with a patch and theyve done it the right way, taking all things into consideration, including the fact that [Guilfanovs patch] is going to be on a lot of machines," a source said.

Microsoft has frowned on the available of a third-party update, insisting that it cannot vouch for the quality of an unofficial patch that did not go through a full test pass.

Read more here about the third-party WMF patch and why Microsoft recommends caution.

Even as Microsoft scrambles to contain a threat that has grown to more than 100 exploits, there is a growing sense that some in the research community—and the mainstream media—have overblown the severity of the issue.

Privately, Redmond officials have bristled at attempts to liken the WMF exploits to debilitating network worms like Blaster and Sasser, especially since significant user interaction is required before an attack is successful.

Shane Coursen, senior technical consultant at Kaspersky Lab, said the general feeling was that the vulnerability should be rated "a step below critical."

"If this vulnerability were to be packaged in a completely automated worm in the wild that doesnt require the user to click on anything, then it would be really critical. But theres no automated attack vector here," Coursen said.

However, Coursen said the flaw represents a "very serious" threat that should be fixed as soon as a thoroughly tested patch is available. "Its very important the people follow the advice to unregister Shimgvw.dll and keep anti-virus programs updated. You dont want to overblow the threat but you dont want to give people a false sense of security either."

For advice on how to secure your network and applications, as well as the latest security news, visit Ziff Davis Internets Security IT Hub.

Marc Maiffret, co-founder and chief hacking officer of eEye Digital Security, said a discussion about the severity of the threat is meaningless.

"Theres this mentality among IT people and even at Microsoft that its not a big threat unless thousands and thousands of users are being compromised. Thats not the way to look at it. Theres a reason phishing is a huge problem. Its a huge problem because people can be easily tricked into clicking on a bad link. Thats why this is a big deal, even if the majority of users arent being compromised," Maiffret said.

He also warned against believing that the current attacks cannot be automated. "This can be totally automated … because it required a click today [doesnt mean] it will require a click tomorrow. There are plenty of other things you can do to launch an attack from a clean site," Maiffret said.

He referred to a November 2004 incident when hackers broke into a load balancing server that handles ad deliveries for Germanys Falk eSolutions AG and successfully loaded exploit code on banner advertising served on hundreds of Web sites.

"If an attacker breaks into an ISP that hosts images for thousands of good sites, all he has to do is replace those with malicious WMF files. He can break into any high-traffic site and put his image there. That wont require a phishing click," Maiffret said. "You cant rank threats based on how many people are being compromised."

Maiffret, who was crediting with finding and reporting a high-risk WMF bug to Microsoft last year, said IT administrators should avoid rating flaws based on which threats make news headlines.

"If its not in the news, thats the one you want to be afraid of. There are hundreds of zero-day, targeted attacks happening right now. The ones in the news are the ones we know about. But you cant base security off the worm you read about in the papers. That was how it was in the 1990s. Today, the climate is that you are being attacked by the flaw you dont know about and if its not found in the wild, youll never know about it," Maiffret said.

Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.



  Reader Comments: Microsofts WMF Patch Leaks Out
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Ryan Naraine
 


xv8(;^ӲMQV,ٖcMۖRI}EB!)JϷKgO l$(oQP|d[ھoOETudžž0I)"h4"J>vl5[0kBA oaT9:?&CBQeKV#ltyod23!#k+ս>HSɴvwg!205IZ [ XdTC!p5lvap*)ZH&tGu <$jIuPؖgT'=ç^bARxF3bIH*!1lpq+J9yh OLÃ;ɟ; ˶ȭB¿{kW߂CUҏ5',wb6jmO |lu՛Px>N5U}öĥFr,˪hih9f J|TbT9ʗ;Q1hX虆5{2p*fOkݯ.P珮zם ? n04Uh;\CryU- G0Wn{'ݏ˷y@.{A~$Vj;}&DeR)8y_4j ::fN{\!x[n9* BP#Z[츆Ga`%pfQ2I}?_-~k~>G,[3KAV  2CT^1 zU5]{#[r9m>3:tf~R|]k5o~=cK']ĻIXC9C-0 ϖjd!3x=in>\vNIF,ȿ.WZB5e}!s;R(93i)ߖN@·[@8+:YK7|)U%Ȝ7>hr Ae)#8?ՅIhJq䠉YSl؅ R掇|P? X\U>EtAM)O8{3BqɃ`g@QE !\J!=! gL쥲bOT=૖yp>jY]6'tauIUi ]R޾k[yp>#uڽ^}8^$g 5F0 ,heݴ%!8W%MBrUPTbH@8ʍ/7љm!SK2A S:3ϩnOmNRgu1}Juc6m Uˊ(>H2胊6mdX- ,70}HOaI 43p<{?.v1ԙ +tAoL42#0 mv=&:llx Xd $4(s.y{L )ˁJCˋF0P&C 2/?:aQ}ڶO4uQȀ{r`:)amA5Luh`1 .g%ɡV\IQ g dRJyIWG!-i]R@Az6< -,rr2 (#!b\[2'9\v{B#\~*΍fr)ab -d[b|l e&vOZLloK7], S l -muk{T J >iܛ ̀%1tA.ϼ'3I `0u|rHC";Ngt 3APڏ|CC<ݲ%st08.fXfZ1kwBaò@s2QiB7 ƉMH|B] H8MGlz::iP=Gޫ08=vms3TNm~|F`O3_iy9g~9厬m yT.MmUPS7˕L8+׬UPM g2)*[hwlrs dV O_ba!_{`ř9 FL@]('{JFJV >zh'>eg HlYWn%,joI8ˇҰ.R.!d[0^{EYyD֑Rk(X+ezhxyx$ le6- m3@=-ဥ#=nP"MLYF4X\$جX;l d A q&Y`@G}f+&$-Û= ڇmWyH&&3>K\\NH1 `;ۋpFa e-6Ԕ&fb>X[ *^=W( ˖X La*:1Tkquؿ\Z îtݒohNvptA!Sh2F,ÑaHU0UIB+eMf-0א~3VDi?怚H|A2,e,g6GiڏA؜ZsFi9z224]r ɭ¹1j1|J0"B(#۝zzJalˣynQ7ưw"-D=MJu [L ֥m{lRIBm:|cSքw&8` {Tu` Ti(54_ځJԹuqlLѡڗ9;@<uP(P`x 4J"Fq'ȜA]o`+:9iz6eVA_~\iv7oQ&X GOpSV3G>";N%da:5³|?աsg8X$]3a-?Qn^``r18T_NWk`-0/jW.,6S~,Qhn6] f"["#A1Շܲ` sQl]|ʗJ,P 3Fʾ'3WiSq:Rg޿%?˘G2cFT)7)Ь&ڴ#iA/ߵ6N31aEl_&2|9SgWvK&;RZ/\vꪟ;)kJ9 Eɓ[z(r/?~n;.@0Tc T}̇/$̆RT(@@lj%SaO;a.re:OJړR>$K1\' x*|xTg$,22vBs:c#| S nzAx) K \ٛظ~2KUea8 (V,VX.pqLtW7YSc(0Hh_`Si٦D7:uvsh6s} ͶIRz'QV sֿ8&۪=^U1^sa^==k7^^abvE? ?ޟKKxfqoRcRXL\޷`CLtPdN\N(F}W}{%%Ms^uAeb`^|ѠI^ 8Wk%eFu[:ވ;j e1AVO!yN/ۭFSLo2A3hX#9k#&/Pa Be\g[,xvx0B ^/k-;g0YT4ԃ,d"0!?"ϻ0|]H\R ~tYwsJN .V_BAnp+z!N3F_TJh)4zu3H;kvo[)5[;E_%'[;8[Jҷo@WKw|EdW(kp vph縵vY#^b~2)}AOmN9˞xN _"Tc8L ]V)fT$-ݱi'>CBqDwJc IZ;ŨNnk)e9r :)O:6p|N,O⼬e=lIZ`D$+. W@/~PI$v+hiقnZdž5>ܻ8 .\߹mDR0N糳l)ZA| Nr 9m]`e>b%';yPb Q/ĵh0%Wu^~x#p)xh#^EEN9ʕr{.vSg.=$KKy5ڸ6llQ}y8b1 ?nOapϲTta=`|;#Ɇg5]{CSuNfMq;f=7FsYam׆Mb[{oA҂#BZ̭,ڎ@ ˱("%\S$Dݞ(Y\wuoߒar҆cA#IThx9nG.He>h?HА>cշݜ89# <gzv/dx=%~d^wo-;-UFydJ=~j/t:D(rnm e[."+2NI^x9 Z ,F}d3pTo4hјAhfil|Wo?`c7%<u(|k~T]epwߵC CمmȲܲȥe%(S|-/^Sr>^FE j OKt1ڮ/=a Fuo&m;N]K?`f7#S ORC@/Mvd3*7 C~!+Q1j?ö3$9g2x>l;mmݭnM ^L "A;$J܃4 RUCfK_:0y0pLa c|1 ߊ;bE#Ƴt_-ۊ&ZQ|=N8S{K</ ­TS M[k!1 %&'̼VpL _CWƥ8E/J[b4͟A/t8a8:4#,ؚ7bZك&LɊ?k ;dkV,-ra.jo'%7Mel51կGhWP`5qfZ 1<SM Z:z5>Xӡx_od.:XYAtɎR=zw6T3\%6_PztjX'&r;&[b!Q*.͵O "1a9Ai{·.HL}/M f7}F94bXZU3ˈ\$l4ZfG#剣y~vRjf1S9~+Cv $e0a1?ahʵ ;1!Dgb37v"/iЕuYa Է[L& x T?bBpGӔ.똈Y8CVÒޚFZi1Oy*6' _p'I}ǝ.%yYF2 DIT?xG ]G= TEU<Srh*D-cD f_/B? G`XGY0(QB$hv0C (ɪI]`k,W[8|8rlp }jrx nv7|ex&#& _>?J#VV=:7}Ai4EŴR0%p^[ќJ^(K|@j3_T,;(P15}$=0x#^f! J=MHQ!*E-2zsOdWK6Q$E*[ ;XjP+ƀԟ~3\:=H!caCb@F7Dc .)HR|u-Բl~lrD5#JI`LOaQD#JlD9v; [{oҗS%LRnGZz8ymT WDR-*Mx/)Mh6-;V"WW"b>&f+[EK{OG %rCb2a bĀmנR@_:_^,(/p>9W%NwO36'߸wI?ZBƪ']ª@u V/W?@}{[ݒ _ `?IդLܡkF^`Ok*"{{T,Skn9 Gd0=>J[:,4+ݵ!5<101l)I> N |=aJ5>_I9 ƈJDk--R ,{,p\}-\bB/ٮKR*Go*T :} ~+6k)|v-݈폝ԳqWݗ.g.6H( st$=P2tvƖ9RԪx?&!|೻ >n~ #4jƖX}}Gv%u, F?|ŷ|k+rbu9A 4[[{w=|=|=|=|߸P+߶/Tuօ;waxZ0ՅɮgCX@  v%BX?yD_"P ES0QM/y[")w_<-ķvf4.c0ݵW}_ & l4vJcmᥙv!~(l[9c+@m-lY[`8óK: +RX_^1˹tj?Х Wi,+QH_Hglp,Ù c~|P2$ ʬkbI2ƱLX!L43+x`șY NE=|/"98^"OQ]@avϳYbp ><؆&?y|Ux~^`pV- 6'"`Ls[hOo&>,qC$&pP]oހ^q~ F@ ыy wnٓ?쉣Z騒ׂ3ʉmOTLUq`p1BXG88$r =kR0DGo;ذ]j~Mt:"T9 Q|@Yi4<4>x!F{Kb+I6sG$HV,,VAXy/]#r d!7f"TXA0 `DYbI2=^㿤lݩj. \91y1E!<p>ƘKje?RVK.s;cNF <Э%?9VV^(JR;sO}F۾X`әė>jюLG۠[.'н2!h@j=m 31/նWۏ lO`-,9+?d_`=eEd[jIlwAQg')q8 @BTPe28S}P_/HJ woDQx+nO5cL}xaaV f&ٝ7 gU^|bPg걭d@2ɹy mǤg1i`IÄ0'ld z>fNdSۈ'1Q<3DDc^°4sfĘ8a]11axl|vn[/ T6CĊ1gKi.#_Ax=“HgxX]α*@[`* Sn Q&@ؔt7QI8L0SOlV .⇋|L?;NxNNx? &pj,9ۡ~lxF5?Y|ob!Lcأ{9C´vpT+mB<౸P,<^yN4xT\ ~_3\m~X;Cd'( 2@Ka1c~ţR͗1u/9CȮ KX]ÿӺYQ^F*?Ә^I*LQY<^@A##2dhz?JŇ@IQkZ9Dh\~"["6}8vn59i_voWj(;u{{sݾ\Y=q/楺 ˙OYufvʌPN'ZcͅfE4x)je^J>M`o՚?NrD(/bA@ }qt&6 "=vWHVTj!?m?+ʼnt|Yf8S[TmzVx9l0S#S܄P/ۧ}ҽngIkꋲK`˔_!ה [ȿ]Nmw!_48kBsy }Cߧ>i^tw2YJ>?tS4O/e |W)s_}R{JU[IJ+ϫDN#Lɿ@?R *%:e|A~S:enJ) _n?nRߤԿMKRS/_R#L>1~w{¿w]Jww)$)eVnpv%s_4OR\}V K#Og< ~2&Εb+@^W~ [{_WKI0ntӖ啗jk Ǩjuv^_BBU$X2M"1+(yǯgb^>c˼{}tȄq>p+i@Lw%<ߔ[nNJ>>]9 'q6G\%j2SOe9|, 5ʽKqǜg81 }^6|!7ft{|MtKn lx2%>CG0nsOk|>t"[~t_<\Y몮,5WlNAm!5q}2ى3فKjoBgO?vX6i^.7mhͦ"ds9(a$x FZg9Cq`F}`%h6:U_ D!jR}'m H7f/T}!i3JRPR[TJÞwrD&0qq8h.fD)J^8`ϴB%T.U&K h[pz!ǡn",#qQn3F ~~ZgH!;Fi (V kDFulD8ٷ]y ůD|݅߱Ϟw2n Azjlkӕcy+w&hHPWnv˷X귾4YB:p8C3`ܐ}€ICWur:`L|0LĶRO6I62QT Sv ?93N(@P W9!^e6٠^<:yLのE{gݍÜ4J7Ei#{,|@ xs[R+Ke$VinCE6<]܈Dƣj㙺gkӏgo{*u6r% XEڤZ-Q`W؞n`Pu0 ')AsҰl ;ApA7ihsS$˩Y)QEBd'KW6PֽE5F|썝ؚ}HF U}ð3Cv\[ -8Mga+Eb2PMYtc2G .@]փP =`B4<1Tz_E@ I7dUĔI 'R la,8f?}f<&сL{WУTB6&ah^ >; ˋ39qr*<̏_|JY+)/,̀/(֘ [5?@·({Aq{8N=y䏽7ƈG;:П48uD|ؿϾŗ_xb1zW?Pe^—05{ b8"qe5Tu^T]8:(1U3gURc@Y\Z}/{#r &3QEVxhd?qTKÅyFR RYIߨbi1#=QTv3^}jk~h*KGLT7Ywyݽmm]^G_l\?7*%-xTc]QP= Mte/D83ێ 뛽ŠLo暨 DՃV@({\Ztbf,䭏f`^R42Ш0 AdMTMv9ށ@T0 6",XDC(84W$tG 7-9?|.\ev .\0xLſ|&ՄuDct aSGTo֚M^Y-_.DOoDiB$lbŞPA<,M~K(_ʉI,,,=0 0ivmV[G@LZ|,s5%"p3:[XRs qj^?z#(Cǘ`P'f#Ya8:.+,'|w2c {a6ox uX/{xRicZ̦ س:ۢ]{2hl&fmu='1o[{=P+Z0#яŹ};!l= bcv+Ҏ)aOOLRpp`JE=X%+}aW x.qx7 sr)rSc0[TԤ!X\ODkAtɾ?]Wt޺\~:Z(y?^}ڽ''_v?\IAAytNqVޞ 'Ms>^B5Vfo=a86?J}G.