
Zero Day WMF Exploit - Possible worst ever!

Discussion in 'Tech Talk' started by Toyman, Jan 2, 2006.

  1. Toyman

    Toyman

    2,597
    20
    May 6, 2003
    West Michigan
    This is bad, real bad. Make that very real bad.

    Anyone following this exploit in the news? I've posted some links on my blog about this: http://www.fishous.com/?p=14

    Just wondering if any of you might have some other good links and news coverage?
     
  2. podwich

    podwich

    4,414
    95
    Sep 7, 2000
    MI

  3. nickg

    nickg

    640
    0
    Jan 16, 2002
  4. havensal

    havensal Nozzle Jockey CLM

    2,939
    1
    Aug 14, 2003
    Western, NY
    Here is a copy of an email I received.

    SERIOUS WINDOWS FLAW



    In the past several days, I have become aware of a serious flaw within Windows (all versions 95 through XP) that Microsoft has not patched as of yet. Articles I have read have made it clear this is a serious flaw, and that hackers immediately stepped up their attempts to take advantage of this opportunity to infect PCs around the world. A brief article is at the following address: http://news.com.com/2001-1009_3-0.html?tag=ne.tab.hd



    This one, from the Internet Storm Center, makes it seem even more serious: http://isc.sans.org/diary.php?rss&storyid=996



    With Windows not providing a fix for the problem as of yet and antivirus/firewall programs having limited ability to stop any attack attempt, experts are suggesting a fix to patch the flaw. I have found a file that is supposed to be effective and safe to install-- it is mentioned in the link above, created by Ilfak Guilfanov. Follow the link below:



    http://grc.com/sn/notes-020.htm



    If you go to this site, you can read more about the problem and decide for yourself if you want to install the patch (the green box near the bottom of the page). Steve Gibson, who runs this site and his 'Security Now' podcast, is a security expert and I for one trust what he is saying. I have installed the fix on my 2 computers and have had no ill effects and I've not heard of any problems caused by this fix. The internet storm center says "We have very carefully scrutinized this patch. It does only what is advertised, it is reversible, and, in our opinion, it is both safe and effective."



    Once Microsoft repairs the problem and your version of Windows is updated, you can uninstall the patch like any other program.



    I normally don't go to clients with issues such as this, but I felt it serious enough to pass on the information and let you make an informed decision. If you have any questions, please don't hesitate to contact me.



    Sincerely,

    Barry
     
  5. havensal

    havensal Nozzle Jockey CLM

    2,939
    1
    Aug 14, 2003
    Western, NY
  6. StoneGiant

    StoneGiant

    561
    0
    May 31, 2003
    Derry, NH
    Does anyone know if the "fix" is clean? If it has been certified, then why hasn't the Gates Crew paid some money to the developer and redistributed it?
     
  7. johnstrr

    johnstrr In the Garden

    51
    0
    Oct 15, 2005
    I have run it on my machine and it is recommended by ISC so it's probably a safe bet...

    it's available as a .msi from the above site...
     
  8. Toyman

    Toyman

    2,597
    20
    May 6, 2003
    West Michigan
    The fix is clean, it comes with the code for it, which Steve Gibson of GRC.com has reviewed. It's a tiny bit of code.
     
  9. StoneGiant

    StoneGiant

    561
    0
    May 31, 2003
    Derry, NH
    After reviewing the notes at Internet Storm Center, I implemented the "fix".

    And isn't the Gates Crowd a wonder? We get to wait until the 10th for their fix to a known problem. As Dan Rather would say,


    • "Courage."
     
  10. Toyman

    Toyman

    2,597
    20
    May 6, 2003
    West Michigan
    You have no idea just how large and complex the Windows Environment is. They have to regression test against numerous things, including all the development environments and hundreds of products.

    If this thing was released right away and broke something, the first thing you guys would say is "Why didn't MS test it?" They can't win for losing with you guys. Maybe there's an app or something that uses the escape sequence functionality, which is probably why it's in there in the first place, duh.

    And yes, I do have an idea of how extensive it is, I used to work for Microsoft, in testing and in development.
     
  11. StoneGiant

    StoneGiant

    561
    0
    May 31, 2003
    Derry, NH
    I, too, have extensive software engineering experience. One of my programs was a flight simulator / Monte Carlo analysis that took 11 HP9000's 26 hours to run.

    Even back in the dark ages of 1992 I employed automatic regression test software; your assertion that MS is too complex to test in a timely manner implies a lack of well-architected scope and extension.

    Two questions for you:

    1. How long has Microsoft known about the security flaw, and why have they been so slow in responding?
    2. Are you saying that the "fix" as published on the Internet is too simple? On the surface, it appears to lack the kind of complexity that demands over a week of testing by an organization with arguably the greatest software development resources in the world.
     
  12. Toyman

    Toyman

    2,597
    20
    May 6, 2003
    West Michigan
    1. December 28, 2005. Make a matrix of all the versions of Windows, all the service packs, and all the products and then ask yourself how long it takes to set up machines for these and test them. It's in the 1,000's of combinations.
    2. The fix provided on the net seems to work, but hasn't been completely tested. I did find one instance of it making IE and WMP fail to launch this morning until I uninstalled it and re-booted (my own machine).
     
  13. nickg

    nickg

    640
    0
    Jan 16, 2002
    Here is an interesting story about AV products that have been testing the WMF problem.
    ------------------------------------------------------------------------------

    http://www.edbott.com/weblog/?p=1191

    AV-Test, which tests anti-malware products, has been tracking the situation closely and has, so far, analyzed 73 variants of malicious WMF files. Products from the following companies have identified all 73:

    * Alwil Software (Avast)
    * Softwin (BitDefender)
    * ClamAV
    * F-Secure Inc.
    * Fortinet Inc.
    * McAfee Inc.
    * ESET (Nod32)
    * Panda Software
    * Sophos Plc
    * Symantec Corp.
    * Trend Micro Inc.
    * VirusBuster

    These products detected fewer variants:

    * 62 — eTrust-VET
    * 62 — QuickHeal
    * 61 — AntiVir
    * 61 — Dr Web
    * 61 — Kaspersky
    * 60 — AVG
    * 19 — Command
    * 19 — F-Prot
    * 11 — Ewido
    * 7 — eSafe
    * 7 — eTrust-INO
    * 6 — Ikarus
    * 6 — VBA32
    * 0 — Norman

    The difference for the more effective products is likely to be heuristic detection, tracking the threat by identifying the basic techniques of the exploit, rather than looking for specific patterns for specific exploits.
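
Added example, not part of the post or the quoted article: a sketch of the heuristic approach described above, which walks a WMF file's records and flags any Escape record that requests SETABORTPROC (the "escape sequence functionality" mentioned earlier in the thread) instead of matching the bytes of one known malicious file. The record and escape numbers come from the public WMF format; the function name and the sample files are constructed for illustration.

```python
import struct

# Values from the public WMF format, not from the thread above.
PLACEABLE_MAGIC = 0x9AC6CDD7  # optional 22-byte "placeable" pre-header
META_ESCAPE = 0x26            # low byte of record function 0x0626
META_EOF = 0x0000
SETABORTPROC = 0x0009         # escape that sets an abort callback

def find_abortproc_escapes(data: bytes) -> list:
    """Return offsets of META_ESCAPE records that request SETABORTPROC."""
    pos = 0
    if len(data) >= 4 and struct.unpack_from("<I", data)[0] == PLACEABLE_MAGIC:
        pos = 22
    if len(data) < pos + 18:
        raise ValueError("truncated WMF header")
    mtype, header_words = struct.unpack_from("<HH", data, pos)
    if mtype not in (1, 2) or header_words != 9:
        raise ValueError("not a WMF header")
    pos += 18
    hits = []
    while pos + 6 <= len(data):
        size_words, function = struct.unpack_from("<IH", data, pos)
        if size_words < 3 or function == META_EOF:
            break  # malformed record or end of metafile
        # Match on the low byte only, so a record with an altered high
        # byte is still recognised as an Escape record.
        if function & 0xFF == META_ESCAPE and pos + 8 <= len(data):
            (escape,) = struct.unpack_from("<H", data, pos + 6)
            if escape == SETABORTPROC:
                hits.append(pos)
        pos += size_words * 2
    return hits

# Constructed sample files: header, SetMapMode, one Escape record, EOF.
# The Escape records carry a zero byte count and no data.
def _record(function: int, params: bytes = b"") -> bytes:
    return struct.pack("<IH", 3 + len(params) // 2, function) + params

_HEADER = struct.pack("<HHHIHIH", 1, 9, 0x0300, 0, 0, 0, 0)
_MAPMODE = _record(0x0103, struct.pack("<H", 8))
BENIGN = _HEADER + _MAPMODE + _record(0x0626, struct.pack("<HH", 15, 0)) + _record(0)
SUSPECT = _HEADER + _MAPMODE + _record(0x0626, struct.pack("<HH", 9, 0)) + _record(0)

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, find_abortproc_escapes(blob))
```

A structural check like this does not depend on what follows the escape number, which is why it keeps matching as new variants of the file appear.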
     
  14. johnstrr

    johnstrr In the Garden

    51
    0
    Oct 15, 2005
    MS Patch is now out.. install it, reboot and then uninstall the other one.. it is something like "WMF... MFI.. Hotfix" or something like that.
     
  15. epsylum

    epsylum Boolit Hoze

    3,868
    1
    Sep 4, 2004
    Racing Capital, USA
    I left my computer on last night. It updated by itself.