Interesting People mailing list archives

unofficial patch??


From: David Farber <dave () farber net>
Date: Tue, 3 Jan 2006 18:16:20 -0500



Begin forwarded message:

From: Lynn <lynn () ecgincc com>
Date: January 3, 2006 5:00:49 PM EST
To: dave () farber net
Subject: wmf

If anyone is interested, the 'unofficial' patch is mirrored here:
http://sunbeltblog.blogspot.com/2006/01/alternate-download-for-unofficial.html

The original site is down due to heavy traffic.


http://www.pcworld.com/news/article/0,aid,124149,00.asp

Microsoft Urges Users to Wait for Official Patch

Software giant says fix for WMF flaw is coming, advises against installing
unofficial fixes.

Peter Sayer, IDG News Service
Tuesday, January 03, 2006

Some security researchers are advising Windows users to rush to install an
unofficial patch to fix a vulnerability in the way the OS renders graphics
files, but Microsoft wants customers to wait another week for its official
security update, it announced Tuesday.

The problem is in the way various versions of Windows handle graphics in
the WMF (Windows Metafile) format. When a vulnerable computer opens a
maliciously crafted WMF file, it can be forced to execute arbitrary code.
Microsoft published a first security advisory on December 28, saying it
had received notification of the problem on December 27 and was
investigating whether a patch was necessary.

On Tuesday, Microsoft updated the advisory to say it has completed
development of its own patch, and is now testing it for release next week.

"Microsoft recommends that customers download and deploy the security
update for the WMF vulnerability that we are targeting for release on
January 10, 2006," said the advisory, the full text of which can be found
online.

The company says it carefully reviews and tests its security updates, and
offers them in 23 languages for all affected versions of its software
simultaneously. It "cannot provide similar assurance for independent
third-party security updates," it says.

Threat Level

The number of users potentially at risk is high, with all versions of
Windows exhibiting the vulnerability, but the number actually affected so
far is relatively low, researchers say.

However, the chance of running into a malicious WMF file is climbing, and
with it the danger of running an unpatched system. Already, one security
Web site has had to warn its readers to stay away: the owners of the
knoppix-std.org site warned in a forum posting that hackers had modified
the site so as to attempt to exploit the vulnerability on site visitors'
machines.

There is "a lot of potential risk" associated with the vulnerability,
according to Jay Heiser, a research vice president with Gartner and the
company's lead analyst on information security issues. "If it can be
exploited in any significant way, it would be an extremely big risk."

"It's a race between Microsoft and the exploit community," he says.

The bad guys had a head start in that race. Security researchers at
Websense first spotted malicious Web sites using the exploit on December
27, but those sites may have been doing so as early as December 14, the
company says.

On December 28, Microsoft ambled out of the starting blocks with its first
security advisory acknowledging a potential problem.

Over the weekend, it updated this to suggest a way in which users could
reduce the risk by disabling an affected part of the OS, called
shimgvw.dll. Microsoft warned that the fix has the side effect of stopping
the Windows Picture and Fax Viewer from functioning normally. Others
report that it also stops Windows Explorer from showing thumbnails for
digital photos.

Unofficial Fix

Security researchers outside Microsoft had other ideas: rather than
disable shimgvw.dll, they would modify it so that only the functionality
considered dangerous was blocked. By December 31, programmer Ilfak
Guilfanov had developed an unofficial patch to reduce the danger of
attack, without impairing Windows' graphics functions.

His patch quickly won the support of security researchers including The
SANS Institute's Internet Storm Center (ISC) and F-Secure.

Mikko Hypponen, chief research officer at F-Secure, feels safe
recommending the Guilfanov patch for several reasons.

"We know this guy. We have checked the code. It does exactly what he says
it does, and nothing else. We've checked the binary, and we've checked
that the fix works," he says.

He has one final vote of confidence: "We've installed it on all our own
computers."

Sophos PLC's Senior Security Consultant Carole Theriault advises
businesses not to install the unofficial patch. "We wouldn't recommend it,
for testing reasons," she says.

One of the hidden dangers of the WMF vulnerability is that things are not
always what they appear. Usually, WMF files can be identified by their
.WMF file extension, and blocked as a precaution, but attackers may choose
to disguise malicious files simply by giving them another image file
suffix, such as .JPG, because the Windows graphics rendering engine
attempts to identify graphics files by their content, not their name. That
was the case with a file with the title "happynewyear.jpg" that began
circulating in e-mail messages on December 31: If opened on a Windows
machine, the file attempts to download and install a backdoor called
Bifrose.

As a consequence, says Theriault, businesses should keep existing
antivirus protection up to date and concentrate on blocking unsolicited
mail while waiting for the Microsoft patch, as this may help to screen out
attacks. They should encourage users to practice safe computing by only
visiting reputable Web sites and taking care with what they download, she
says.
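As an added illustration of the point above about content versus file name (this is not code from the article, from Microsoft, or from any vendor quoted), here is a small Python classifier that a mail gateway or attachment scanner could use to recognise WMF content by its header bytes rather than by its extension. The header constants come from the published WMF format (the placeable-metafile key and the 18-byte META_HEADER); the sample inputs are constructed header fragments with no metafile records, and the function names are assumptions of this example.

```python
"""Recognise WMF content by header bytes, ignoring the file extension.

Added example, not from the article or any vendor. The sample inputs at the
bottom are constructed header fragments, not real files.
"""
import struct
from pathlib import PurePath

# Aldus placeable metafile key 0x9AC6CDD7, stored little-endian on disk.
PLACEABLE_WMF_KEY = b"\xd7\xcd\xc6\x9a"

# Raster image signatures, used for contrast with the metafile check.
RASTER_SIGNATURES = {
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
    "bmp": b"BM",
}

# What each extension claims to contain.
EXTENSION_CLAIMS = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png",
                    "gif": "gif", "bmp": "bmp", "wmf": "wmf"}

# META_HEADER: Type, HeaderSize, Version, Size (lo/hi), NumberOfObjects,
# MaxRecord (DWORD), NumberOfMembers = 18 bytes.
META_HEADER_LEN = 18


def is_standard_wmf_header(data: bytes) -> bool:
    """Check the META_HEADER that begins a non-placeable WMF file."""
    if len(data) < META_HEADER_LEN:
        return False
    mtype, header_size, version = struct.unpack_from("<HHH", data, 0)
    # Type is 1 (in-memory) or 2 (disk file); HeaderSize is always 9 WORDs;
    # Version is 0x0100 (Windows 1.0) or 0x0300 (Windows 3.0).
    return mtype in (1, 2) and header_size == 9 and version in (0x0100, 0x0300)


def sniff(data: bytes) -> str:
    """Return the format the bytes actually describe, ignoring any name."""
    if data.startswith(PLACEABLE_WMF_KEY):
        return "wmf"
    for name, signature in RASTER_SIGNATURES.items():
        if data.startswith(signature):
            return name
    if is_standard_wmf_header(data):
        return "wmf"
    return "unknown"


def extension_of(filename: str) -> str:
    """Lower-cased extension without the dot, e.g. 'jpg'."""
    return PurePath(filename).suffix.lower().lstrip(".")


def classify(filename: str, data: bytes) -> str:
    """Verdict for one attachment.

    'wmf-disguised'  WMF content under a non-WMF name (the case in the article)
    'wmf'            WMF content honestly named .wmf
    'ok'             raster content matching its extension
    'mismatch'       recognised content that contradicts its extension
    'unknown'        no signature matched
    """
    content = sniff(data)
    claimed = EXTENSION_CLAIMS.get(extension_of(filename))
    if content == "wmf":
        return "wmf" if claimed == "wmf" else "wmf-disguised"
    if content == "unknown":
        return "unknown"
    return "ok" if claimed == content else "mismatch"


def scan_attachments(attachments):
    """Classify a list of (filename, bytes) pairs; returns list of (name, verdict)."""
    return [(name, classify(name, data)) for name, data in attachments]


# Constructed sample inputs: header bytes only, no drawing records.
# Placeable header is 22 bytes (key + 18 more), followed by a META_HEADER.
META_HEADER_SAMPLE = b"\x01\x00\x09\x00\x00\x03" + b"\x00" * 12
PLACEABLE_SAMPLE = PLACEABLE_WMF_KEY + b"\x00" * 18 + META_HEADER_SAMPLE
JPEG_SAMPLE = b"\xff\xd8\xff\xe0" + b"\x00" * 16

SAMPLE_ATTACHMENTS = [
    ("happynewyear.jpg", PLACEABLE_SAMPLE),   # WMF wearing a .jpg name
    ("chart.wmf", META_HEADER_SAMPLE),        # honest WMF
    ("photo.jpg", JPEG_SAMPLE),               # real JPEG
    ("photo.png", JPEG_SAMPLE),               # JPEG mislabelled as PNG
    ("notes.txt", b"hello world, this is text"),
]

if __name__ == "__main__":
    for name, verdict in scan_attachments(SAMPLE_ATTACHMENTS):
        print(f"{name:20s} {verdict}")
```

The check is a header signature test only: it tells a gateway that a file will be treated as a metafile by a content-sniffing renderer, which is exactly why an extension block list misses it. It does not inspect the metafile records themselves and is a screening aid while waiting for the vendor update, not a replacement for it.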

Jeremy Kirk of the IDG News Service contributed to this report.




Archives at: http://www.interesting-people.org/archives/interesting-people/

