Monica ([personal profile] cellio) wrote2006-01-05 10:55 pm

Windows patch

Microsoft has published the patch for the WMF security hole. If you run Windows and you ever view images whose pedigrees you're not 100% certain of -- like, say, if you ever visit non-trusted web sites, or you view images people send you via email or IM -- you should apply this patch now. Don't wait for the automatic updates to run. (If you don't know what I'm talking about, you should read the security bulletin. Microsoft even admits it's a critical update.)

I'm going to leave LJ image placeholders turned on for a day or two, just in case this fix doesn't do it. (Image placeholders prevent posted images from automatically showing on your friends page, which is useful if you read any open communities where malicious images could be posted.)

[identity profile] steven.livejournal.com 2006-01-06 12:25 pm (UTC)(link)
Thank you for this. Although I don't use a PC anymore, I'm usually the one who's summoned by Paul or my mother when something goes wrong with theirs. I'll be sure to get them to update.

[identity profile] jeannegrrl.livejournal.com 2006-01-06 01:01 pm (UTC)(link)
Ya know, if this isn't another incentive to make Firefox my default browser, I don't know what is! Thanks for the post.

How the WMF bug works (simplified)

[identity profile] brokengoose.livejournal.com 2006-01-06 03:12 pm (UTC)(link)
So it's another incentive to switch from Windows to... well, anything else.

WMF files include the ability to run arbitrary code if the image fails to render correctly. This was an intentionally added feature so that, for example, if a program rendered a bad print job (as a WMF with canned error-handling code), the job could remove itself from the queue and/or warn the user that it hadn't rendered correctly. Insane today, but back in Windows 3.0 days (when the WMF format was designed and networking was an optional add-on), it was a clever hack. To exploit, just use an intentionally-mangled image, and include evil code as an "error handler" that's called when the image fails to render.

Some places (http://www.f-secure.com/weblog/archives/archive-012006.html#00000761) are assuming that we'll be seeing more WMF exploits because there are a few other ways to call code from a WMF file, and Microsoft has probably only fixed the specific function that's being exploited right now.

[personal profile] madfilkentist 2006-01-06 03:53 pm (UTC)(link)
Actually, IE is more vulnerable to the flaw, because it looks inside images which are nominally .gif, .jpg, or whatever, and displays them as WMF if that's what the header indicates they are. Firefox won't do that automatically. The IE behavior is a violation of W3C recommendations.
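The two points made in the comments above (WMF files carrying an "error handler" escape record, and IE trusting a file's header over its .gif/.jpg name) both translate into a defender-side check a mail or web gateway can run. The script below is an added example, not code from cellio or any of the commenters: it identifies an image by its magic bytes regardless of the claimed extension, and if the bytes are WMF it walks the records and flags any META_ESCAPE record whose escape function is SETABORTPROC, the construct behind this bug. Record layouts and constants are taken from the WMF file-format specification; the two sample files are constructed in the script (the "handler" bytes are zero-filled placeholders, not a real payload).

```python
"""Defensive scanner for the WMF flaw: sniff the real image type, then look for
Escape/SETABORTPROC records inside anything that is actually WMF.
Layouts follow the WMF specification; sample files below are constructed here."""
import struct

WMF_PLACEABLE_KEY = 0x9AC6CDD7   # Aldus placeable-header magic (bytes D7 CD C6 9A)
META_EOF = 0x0000
META_SETMAPMODE = 0x0103
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009            # escape function that registers an "abort procedure"

# Magic bytes of the common web image formats
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\xff\xd8\xff": "jpeg",
}


def sniff_image_type(data: bytes) -> str:
    """Return what the bytes actually are, ignoring any claimed extension."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == WMF_PLACEABLE_KEY:
        return "wmf"
    if len(data) >= 18:
        # META_HEADER: Type (1=memory, 2=disk), HeaderSize in words (always 9), Version
        meta_type, header_words, version = struct.unpack_from("<HHH", data, 0)
        if meta_type in (1, 2) and header_words == 9 and version in (0x0100, 0x0300):
            return "wmf"
    return "unknown"


def iter_wmf_records(data: bytes):
    """Yield (record_function, params) for each record after the header(s)."""
    placeable = len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == WMF_PLACEABLE_KEY
    offset = (22 if placeable else 0) + 18      # placeable header + fixed META_HEADER
    while offset + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, offset)   # size counts 16-bit words
        size = size_words * 2
        if size < 6 or offset + size > len(data):
            raise ValueError("malformed WMF record at offset %d" % offset)
        yield func, data[offset + 6: offset + size]
        if func == META_EOF:
            return
        offset += size


def wmf_findings(data: bytes) -> list:
    """List every Escape record that tries to install an abort procedure."""
    findings = []
    for func, params in iter_wmf_records(data):
        if func == META_ESCAPE and len(params) >= 4:
            escape_function, byte_count = struct.unpack_from("<HH", params, 0)
            if escape_function == SETABORTPROC:
                findings.append(
                    "META_ESCAPE/SETABORTPROC record with %d-byte handler payload" % byte_count)
    return findings


def inspect_image(data: bytes, claimed_extension: str) -> list:
    """Findings a gateway would act on: extension/content mismatch, plus WMF abort procs.
    Sniffing the content is what IE does too; the difference is that we use it to block."""
    claimed = claimed_extension.lower().lstrip(".")
    claimed = {"jpg": "jpeg"}.get(claimed, claimed)
    actual = sniff_image_type(data)
    findings = []
    if actual != claimed:
        findings.append("claims .%s but content sniffs as %s" % (claimed, actual))
    if actual == "wmf":
        try:
            findings.extend(wmf_findings(data))
        except ValueError as exc:
            findings.append(str(exc))
    return findings


# --- constructed sample files (not real captures) ---------------------------------
def _record(func: int, params: bytes) -> bytes:
    if len(params) % 2:
        params += b"\x00"                       # records are sized in whole words
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def _wmf(records: bytes) -> bytes:
    # Type=2 (disk), HeaderSize=9 words, Version=0x0300, Size in words, NumberOfObjects,
    # MaxRecord, NumberOfMembers
    return struct.pack("<HHHIHIH", 2, 9, 0x0300, (18 + len(records)) // 2, 0, 0, 0) + records


BENIGN_WMF = _wmf(_record(META_SETMAPMODE, struct.pack("<H", 8)) + _record(META_EOF, b""))
SUSPICIOUS_WMF = _wmf(
    _record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + b"\x00" * 4)  # placeholder bytes
    + _record(META_EOF, b""))

if __name__ == "__main__":
    print("benign.wmf     ->", inspect_image(BENIGN_WMF, ".wmf"))
    print("cute-kitten.gif ->", inspect_image(SUSPICIOUS_WMF, ".gif"))
```

Note what the second sample shows: a file named .gif that is really WMF produces both a mismatch finding and a SETABORTPROC finding, which is exactly the case the IE comment describes. A gateway that only looked at extensions, or that only checked files named .wmf, would pass it through.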