Microsoft patch for WMF flaw to be released Jan 10

[jwjw1]

Microsoft Corp. said today it does not plan to release a fix for the Windows Metafile (WMF) flaw until Jan. 10, when a patch will be included as part of the company's scheduled monthly updates for January. Microsoft has completed development of a patch for the flaw and is now testing it for quality and application compatibility, the company said in an advisory updating an earlier advisory released last week. The update will be available at Microsoft's Download Center in 23 languages for all affected versions of the Windows operating system.

"Microsoft has been carefully monitoring the attempted exploitation of the WMF vulnerability since it became public last week, through its own forensic capabilities and through partnerships within the industry and law enforcement," the company said in its statement. " Although the issue is serious and malicious attacks are being attempted, Microsoft's intelligence sources indicate that the scope of the attacks are not widespread."

Source: Computer World

http://www.computerworld.com/securitytopic...html?source=x10

Lets don't get in no hurry Micorsoft...lets wait another 7 days while 1000's of people are getting infected due to a Vulnerability in your OS.

[amrinders87]

I have seen a lot of news on the security hole, but have not seen any sources about how many people are infected. ;)

[RootWind]

Well I guess the people who don't know about this flaw will have to depend on their antiviruses (... that are hopefully updated...).

Though I have to admit, as bad as this exploit looked, I haven't seen this around as much as other exploits yet.

[Premgenius]

:o THey should have released this on priority

[phantom76]

:o THey should have released this on priority

And then could you imagine the yelling that the patch breaks other things, I'd wait or install the un offical patch till this one is release :cool:

[Hurmoth]

:o THey should have released this on priority

And then could you imagine the yelling that the patch breaks other things, I'd wait or install the un offical patch till this one is release :cool:

I see both sides and I'm sure Microsoft does as well. This is a big gamble right here, Microsoft could release it early or 'priority' and risk breaking more stuff or Microsoft could take it a little easier and risk more computers being infected (which is the users fault for not being more careful in where they search) and release it with the proper amount of testing. Not an easy decision and I'm so glad I'm not the one having to make it :yes:

[Banzai]

Hurmoth makes a good point but what sort of a message does this send out to customers? To me it says we where totally unprepared and until we get our self sorted you will have to look else where for a solution. Come on a 3rd party got a patch out before microsoft could.

[trance]

Yes and the 3rd party patch has no idea the issues it could cause.

[Hurmoth]

Hurmoth makes a good point but what sort of a message does this send out to customers? To me it says we where totally unprepared and until we get our self sorted you will have to look else where for a solution. Come on a 3rd party got a patch out before microsoft could.

Personally, I don't think it sends out any message to customers. I mean think of it, how many of Microsoft's customers actually even know this threat exsists? I doubt the majority of them do, so look at it this way:

• Microsoft currently has what maybe 1-5% infected computers out there. So:
  
• If they released a patch to early because they just wanted it out there and it broke stuff you now have 10-15% customer base angry.
  

My point is, 1-5% customer base isn't a huge deal when looking at the big picture, but getting into double-digits could turn into a big deal. This is something you have to take into account the HUGE number of people that run Windows out there and then think of the amount of people who are actually affected by this problem and if a patch is released that breaks other stuff the larger number of people that would be affected.

[justinside]

It always amazes me when Microsoft is always heralded as the culprit in an attack on its software. If some people were smart enough to install & update antivirus, use firewall's, and don't do something stupid like opening up files you have no idea of what they are there wouldn't even be 10-15% infected with this now. Probably more like less then 1%.

Lol people always blaming Microsoft - they must have wanted to make software with vulnerabilities - I'm sure that's their goal. :shiftyninja:

Seems to me their doing what they should be doing - fixing the issue and making sure the fix works.

[Banzai]

and don't do something stupid like opening up files you have no idea of what they are there wouldn't even be 10-15% infected with this now. Probably more like less then 1%.

Im not an idiot with computers but Ive always been under the false belief that when you get a email with a .exe file extension then its probably a virus.

But I always thought it was safe to open .jpg files i mean there harmless its just an image it cant run a program. oww sorry it can. This is isnt big, But has the potential to be huge.

[Hurmoth]

Im not an idiot with computers but Ive always been under the false belief that when you get a email with a .exe file extension then its probably a virus.

But I always thought it was safe to open .jpg files i mean there harmless its just an image it cant run a program. oww sorry it can. This is isnt big, But has the potential to be huge.

I'm not a virus expert by no means, but if I'm not mistake no file with an extension .jpg, .gif, .png, etc. can execute a virus. Only .com, .exe, etc. can be viruses, they hide the extension as something like 'hotpr0n.jpg.exe' but you don't see the .exe.

The biggest problem is public awareness. To many times people are trashed with anti-virus, anti-spam, anti-spyware, anti-whatever. What we need is to teach, or educate, people safe-surfing. People need to know going to places to download screensavers will most likely get you viruses, spyware, adware, or whatever. People need to know that clicking "YES" to everything without reading what they're clicking "YES" to is dangerous.

Anti-whatevers isn't the answer, public awareness is.

[yisman]

It's a little disturbing that MS isn't moving more quickly here. This is a key vulnerability.

[dragon2611]

Only .com, .exe, etc. can be viruses, they hide the extension as something like 'hotpr0n.jpg.exe' but you don't see the .exe.

Really funny I could have sworn this exploit was in .wmf files clearly not a exe or com etc

[Marsden]

The people who get dinged by this are those who don't use anti-virus, have machines that are already infected with scumware, don't keep there machines updated and will click on anything sent to them via email.

Due to various updates from MS users using Outlook 2K and 2K3 plus Outlook Express can't fall victim to these malformed images because by default the images are not displayed in the viewer.

[+Warwagon MVC]

I think Microsoft is very wise to wait to release the patch. We aren't talking about a virus here, that spreads from infected machines, we are just talking about a vulnerability screwing some machines up. Really the only ones getting infected are the ones stupid enough to not run an antvirus, or update the one they have. I don't think Microsoft should throw an untested patch out in the wild for that, and risk breaking a whole bunch of other stuff. It would suck to be Microsoft, really, because they are damned if they do and damned if they don't.

Edited January 3, 2006 by warwagon

[chopyaedoff]

Really funny I could have sworn this exploit was in .wmf files clearly not a exe or com etc

You are right this exploit is in a .WMF file but all it doing is using a feature that was included that allowed the image files to contain actual code. This code would be executed via a callback in special situations and this call-back function is then being used to download the virus - which is an .exe

[Hurmoth]

Really funny I could have sworn this exploit was in .wmf files clearly not a exe or com etc

Well, like I stated, I'm not an expert :p Is .WMF an executable? How can it run unless it executes and in Windows only certain extensions can execute I though.

What I find odd is that McAfee says this is a "Low Risk" & Symantec says it is a "High Risk". :rofl:

[+M2Ys4U Subscriber¹]

Well, like I stated, I'm not an expert :p Is .WMF an executable? How can it run unless it executes and in Windows only certain extensions can execute I though.

What I find odd is that McAfee says this is a "Low Risk" & Symantec says it is a "High Risk". :rofl:

Windows Metafiles can contain executable code (originally designed [back in the Win 3.0 days] to pause print jobs, and related stuff), someone has just found this out and is starting to hack away at it...

from teh Wiki:

According to F-Secure assessments [4], the problem lies in the design of the WMF file. Since the architecture of the file is from a previous era, features were included which allowed actual code to be executed when a WMF file was opened. This mainly dealt with cancellation of print jobs during spooling. It has also been suggested that there may be more vulnerabilities in the functions of the WMF file. Because of the large support of Metafiles in the Windows operating system, most versions of Windows are vulnerable.

[Mouldy Punk]

Better late than never I guess :p

It only takes common sense to avoid the vulnerability. Firefox will ask you to download and run the dodgy .wmf, and other browsers probably do too. It's only IE that will automatically run the file...but IE users deserve to get exploited anyway.

[jcbeyond]

Seems like the microsoft fix is out

http://www.winbeta.org/comments.php?catid=1&id=3750

I just installed, pc ok so far.

It's updated the gdi32.dll 5.1.2600.2818

[Banzai]

Thats the thing though Hurmoth a .wmf file could be renamed to .jpg and will have the same affects in executing a .exe file from the internet.

[Hurmoth]

Thats the thing though Hurmoth a .wmf file could be renamed to .jpg and will have the same affects in executing a .exe file from the internet.

Since my last post I've gone and rearched this. Interesting stuff, but again this still comes down to public awareness though. Who many 'normal' users open every email they get? I'd say at least the majority, which is why they need to be tought if you don't know the sender or if the email is suspecious, don't open it.

[Banzai]

I agree hurmoth it is down to public awareness, unless you are expecting to receive an email from a friend that has the attachment happynewyear.jpg dont open it, and if you get an email from a friend that is out of context ie it doesn?t seem like them who has sent it don?t open the attachments. Basically AV is good but the best protection from internet crap is safe browsing. Hey lets make are own campaign of ?awareness? stuff this current crap in America about no videogames. Change peoples interests to safe internet use.

[ichi]

Since my last post I've gone and rearched this. Interesting stuff, but again this still comes down to public awareness though. Who many 'normal' users open every email they get? I'd say at least the majority, which is why they need to be tought if you don't know the sender or if the email is suspecious, don't open it.

Depends on what the vulnerability is about. This wmf thing can be (an has already be found to be) embeded in "trusted" web sites. Someone could place one of those wmf files in the neowin forums and almost every windows user would get infected.