Cédric Walter | Oct 8, 2020 | 0
WMF windows vulnerability still unpatched
This is a first: the Internet Storm Center is recommending trustworthy computing. They want you to trust that the unofficial patch for the Windows Metafile Volunerability that is currently being exploited by an IM worm. No patch from Microsoft at this time, and the exploit is arranged in such a manner that it cannot be detected by most intrusion detection systems (the snort rule will peg the CPU on your router) nor filtered by packet-inspecting firewalls (it spans two or more ethernet frames). Not really a whole lot of choice about this one.
read more at http://isc.sans.org
It’s probably a hard problem to patch. From what I’ve gathered, this is a feature of WMFs, not a bug. They were designed before people even knew what the Internet was. WMFs, apparently, have the ability to specify code to be run on a failure to render. So the bad guys give you a bad WMF file, cleverly renamed as JPG, and stick it in an ad banner. You browse a site (with any browser), Windows fails to render the WMF (which it will recognize even if the filename says JPG), runs the specified failure code, and you’re hacked. That fast.
Changing code that’s this deeply buried in Windows is risky. The interpreter for WMF is one of the remnants of code left over from single-user computers, and they’ll have to test changes very thoroughly. They’re GOING to break things with this patch, because they’re removing a designed-in feature. They’re probably working feverishly to figure out how to minimize the damage, but some damage is inevitable. And the problem could be far worse than it appears; that DLL could be riddled with problems. It may not have been audited in many years.
This is yet another example of how you can’t retrofit security; the first Windows versions were designed when security wasn’t even an issue, when the Internet was barely a twinkle in Al Gore’s eye. There’s a mountain of code that was written just to work, not to worry about being handed malicious data. If a user passed bad values to a system call and it crashed, oh well. It was their fault for doing it. It’s not like they had anything to gain from it, after all. They owned the computer. Why on earth would the computer need to protect itself from its owner?
With the advent of the Net, Microsoft decided to both stay backward-compatible and extend what they had onto the Internet. And their focus for many years was on new features, not security. Essentially every security person at the time warned them — stridently — against the choices they were making. It was obviously going to be a trainwreck. This is just the latest in that ongoing collision between a single-user operating system and exposure to every computer in the world.
Even worse, it is sooo bad that some people open source tool to increase invisibility of this issue…
We released a new version of the metasploit framework module for the WMF flaw, this one uses some header padding tricks and gzip encoding to bypass all known IDS signatures. Consider this "irresponsible" if you like, but it clearly demonstrates that a run-of-the-mill signature-based IDS (or A/V) is not going to work for this flaw. If anyone has any questions about why we are releasing these types of modules so early after the disclosure, feel free to drop me an email.
Original Marketting information of Trustworthy Computing can be found here.
PS: SuSE 10.0 is not affected I know I know it is easy to hit someone laying on the ground 😉