Microsoft to Release WMF Vulnerability Patch on January 10th
Posted by Shane Pitman on 03 January 2006 - 18:04 · 81 comments & 17078 views
(8 replies)
#1 Posted by theyarecomingforyou on 03 Jan 2006 - 18:23
- No rush then.
This is the disadvantage of putting all your updates in one monthly update. -
#1.1 Posted by sphbecker on 03 Jan 2006 - 20:00
- We will see after a week if they were correct or not. If before the patch is released there is a large scale epidemic then clearly it was the wrong choice. If there are relatively few infections or an infection more than a few days after the patch was released then clearly timing was not as important as everyone is claiming.
-
#1.2 Posted by markjensen on 03 Jan 2006 - 21:35
- Just curious, but how many infections are "ok" with you?
A patch for an exploit that is rated "extremely critical" should be released as soon as available, by any common-sense standard. -
#1.4 Posted by threedaysdwn on 03 Jan 2006 - 22:14
- Well it's not like they're holding it off til Tuesday just because that's "patch day."
Saying that the patch is developed does not mean it's "done." It needs to be tested, possibly fixed for bugs, and verified for application compatibility. Personally, for a product the size of Windows spanning multiple releases, with a problem in such a highly exposed DLL... I think this is a great turnaround. -
#1.5 Posted by sphbecker on 03 Jan 2006 - 22:33
- "Just curious, but how many infections are "ok" with you?"
I hadn't really thought about that. Let's say 0.005% of the install base. If you are going to play a numbers game then that number is far lower than the number of people who have automatic updates turned off and don't install them manually. -
#1.6 Posted by theyarecomingforyou on 04 Jan 2006 - 01:43
- "Well it's not like they're holding it off til Tuesday just because that's "patch day.""
I don't understand, was that meant as sarcasm? That's the very reason they aren't releasing it is because they release all their patches on one day, once a month; this is done to make the job of system admins easier but the problem is that it leaves users vulnerable when there is a functional fix.
Still, the real issue is the insecurity of Windows. I appreciate that when a product is used as much as Windows you are going to have problems with security but Microsoft has been reckless with security in the past and it remains to be seen how effective the changes made to Vista will be. Microsoft is paying catch-up to the mistakes made during production. -
#1.7 Posted by markjensen on 04 Jan 2006 - 03:54
- ... If you are going to play a numbers game ...
You started the numbers thing by bringing up that "relatively few infections" would show that the patch release timing was not important.
Mine was just a rhetorical question to point out that something that is as potentially serious as this should be given immediate attention and released as soon as ready. Let the sysadmins decide whether to patch immediately, or to wait until Patch Tuesday. Those who prefer to wait may still wait. Those who would prefer an immediate fix should have one. -
#1.8 Posted by sphbecker on 04 Jan 2006 - 14:48
- I really don't disagree; I was mainly just playing the other side to see if I could find some logic. The point of only doing patches once a month was so that companies didn't have to spend as much time testing patches. The idea was that the Blaster virus was developed with information gained from the Microsoft patch (the writer examined the patch to see what it corrected and then wrote the Blaster in hopes to infect unpatched computers). The theory behind releasing patches only once a month was to keep vulnerabilities secret until the monthly patch cycle.
However, the cat is already out of the bag on this one and withholding the patch really doesn't accomplish anything.
-
(3 replies)
#2 Posted by MikeN on 03 Jan 2006 - 18:26
- Disappointing...
-
#2.1 Posted by advancedboy on 04 Jan 2006 - 02:00
- MS is releasing a patch, and you're disappointed? I wonder what you'd say if someone offered you a million dollars... "you sicken me, get that free no-strings-attached money out of my face"
-
#2.2 Posted by Chicane-UK on 04 Jan 2006 - 08:21
- There is no comparison.
Microsoft are basically releasing a fix for their product because it has a potentially dangerous fault.
If your car had a potentially dangerous fault you would EXPECT it to be fixed ASAP, and as soon as they discovered the problem.. not profusely thank them for doing it whenever they got around to doing it!! -
#2.3 Posted by MikeN on 04 Jan 2006 - 19:18
Ouch!
Well, of course, I'm not disappointed that a patch is coming out. However, I was disappointed that I'll have to basically cross my fingers for the next five (or more) days in the hope nothing (nasty) happens to my system(s).
And if someone gave me a million dollars I would probably walk into my favourite pub on Friday night and buy everyone drinks all night.
-
#3 Posted by macstorm on 03 Jan 2006 - 18:32
- Microsoft claims that they have been closely monitoring the attempted exploitations of this particular vulnerability over the last week, and while they do admit that the issue is serious and that attackers are actively attempting to exploit the vulnerability of affected systems, Microsoft’s partners and intelligence sources do not believe that the scope of the attacks is widespread.
well said!
-
(2 replies)
#4 Posted by phono on 03 Jan 2006 - 18:32
- Come on... hire more peeps to testing then! It's takin too long!
-
#4.1 Posted by Steven on 03 Jan 2006 - 18:49
- It's a week.. If you feel scared turn off your pc until next week.
-
#5 Posted by madnuke on 03 Jan 2006 - 18:43
- Oh well only another week of SANS yellow alert and the ever increasing spread of this exploit which is now on every single way of transferring data over the internet. Most workplaces and schools are going back this week, this is when the problems will start.
-
#6 Posted by Jugalator on 03 Jan 2006 - 18:48
- Oooh, January 10th... the excitement... it's unbearable! :p
-
(2 replies)
#7 Posted by Julius Caro on 03 Jan 2006 - 19:19
- Finally... this is like the third article about WMF.. and it's the first that says that WMF = windows meta file!
-
#7.1 Posted by Howard on 03 Jan 2006 - 19:47
- I forgot my toll for the bridge, damn. Will you let me past in exchange for an old boot?
-
(6 replies)
#8 Posted by harvaparva on 03 Jan 2006 - 19:21
- Having been attacked twice today sooner rather than later, good job I'm running up to date anti-virus defs and have run as neowin suggested the following from the run line: -
regsvr32 -u shimgvw.dll
I'll add it back after the patch with: -
regsvr32 shimgvw.dll -
#8.3 Posted by net-cruizer on 03 Jan 2006 - 20:11
- How can you tell if you've been attacked?
I'm not about to disable Windows Picture/Fax Viewer as it's one of my most used programs, lol.
Out of my 10 years of using computers, I haven't been attacked by anything, nor have I ever had a virus, but I'm curious to what this exploit actually does. -
#8.4 Posted by Robbeke on 03 Jan 2006 - 20:24
- install a trojan that takes control over your pc when you open up what looks like a normal picture. That's all
-
#8.5 Posted by Drestin on 03 Jan 2006 - 23:55
- net-cruizer - just install the unofficial patch - doesn't affect your picture/fax viewer and cures the vulnerability.
-
#8.6 Posted by The_Decryptor on 04 Jan 2006 - 03:09
- That's great and all, but the "feature" is in gdi32.dll, all that code does is disable the "Shell Image Viewer", applications that use gdi for displaying WMF files will still run the code.
-
(1 reply)
#9 Posted by tunafish on 03 Jan 2006 - 19:24
- well the question is i think it's good they waited to get this out, as with most ms updates they normally have to release a second patch to fix the first, however i don't know why they could not release a quick patch that disables this for noobie users

-
#9.1 Posted by Drestin on 03 Jan 2006 - 23:43
- Really? MOST ms updates require second patches? Care to number them vs the number of total releases? What, 1% of them require updates? And 50% of those are usually to handle unusual (read: customer screwed up systems) installs. THAT is why they take a little longer to release these than the open sores crowd who throw any patch out there immediately, testing be damned!
-
(1 reply)
#10 Posted by chopyaedoff on 03 Jan 2006 - 19:41
- Who's with me when i say that MS don't care about people's security.
-
#10.1 Posted by threedaysdwn on 03 Jan 2006 - 22:17
- That's got to be the most ignorant and inaccurate statement I've heard all day.
-
#11 Posted by madnuke on 03 Jan 2006 - 19:42
- The thing is they won't want to get bad press for releasing a 'critical urgent update' as it would look like their security is bad compared to taking the relaxed approach.
-
(5 replies)
#12 Posted by Banzai on 03 Jan 2006 - 19:53
- ok i would love this to turn into another blaster in this next week, maybe im wrong but that would really kick ms in the teeth for not getting the patch out sooner.
-
#12.1 Posted by sphbecker on 03 Jan 2006 - 20:03
- And if that doesn't happen then I guess you come make a post retracting that statement?
-
#12.2 Posted by Banzai on 03 Jan 2006 - 20:42
- what is there to retract its not going to happen lets face it, im just saying it would be funny if it did.
-
#12.3 Posted by dismuter on 03 Jan 2006 - 22:10
- That's not the kind of vulnerability which can be a Blaster-like disaster.
Anyone could get infected with Blaster, even the most computer-savvy users, by just connecting to the Internet without a firewall. -
#12.4 Posted by Banzai on 03 Jan 2006 - 23:28
- ok yes fair point but if you get an email come your way in outlook with an image file attached, what reason would you have not to open it, images are safe right?
-
#12.5 Posted by sphbecker on 03 Jan 2006 - 23:36
- Yes, but what made the blaster so bad was the rate at which it could spread. Email viruses are limited by the fact that a human has to open the attachment and by the fact that if the virus tries to send too many emails the IP address will be black-listed and he will not be able to send anymore.
-
#13 Posted by tunafish on 03 Jan 2006 - 20:00
- well the question is would you want ms to release a patch now and only patch this, or for them to check out the whole lot and see if anything else needs fixing?
but i hope in vista they set it so that only read access to system files and important files
-
#14 Posted by Croquant on 03 Jan 2006 - 20:35
- Why does it seem that everything Microsoft does takes too long?
Last edited by Croquant on 03 Jan 2006 - 20:43
-
#15 Posted by mohan_168 on 03 Jan 2006 - 20:58
- Maybe they need time to test the patch on all OS ... so that the patch doesn't break any other windows components .... so that it is effective against the Vulnerability ... so that u don't require a 1.1a once the first patch is made .... so that you don't go out shouting my games and firefox aint working anymore ....
-
#16 Posted by thefonz on 03 Jan 2006 - 21:06
- Why don't you just quit the dissing of microsoft.
If you don't like them, nobody is forcing you to keep using their operating systems; switch to OSX or one of the others out there.
Oh, and those of you saying they don't care about security; i'm sorry but "WHA??". That's one of the most ridiculous things I've ever read on here.
-
#17 Posted by madnuke on 03 Jan 2006 - 21:41
- If you want to tell everyone about linux or OS X please don't post in this topic, it's for news on the exploit not about switching to a new OS.
-
#18 Posted by thefonz on 03 Jan 2006 - 21:46
- Of course not, I use microsoft, and always will use microsoft. However a lot of people here are dissing them.
Far as I'm concerned microsoft are doing all they can, as properly and securely as they can to address this issue. Bitching about it won't solve it; so to those people who are doing just that, i tell them to be quiet.
Tell those folks to stop attacking microsoft then if you're so concerned. Thanks
-
(1 reply)
#19 Posted by jcbeyond on 03 Jan 2006 - 22:51
- Seems like the microsoft fix is out
http://www.winbeta.org/comments.php?catid=1&id=3750
-
#20 Posted by Drestin on 03 Jan 2006 - 23:41
- I wish that we could get an official fix out quicker but you do have to think about it before spouting off ignorant comments like some of the above.
Yes, it's critical but it happens to be in a piece of software that is in every version and in every language of windows since 3.1 - that's a LOT of regression testing. Would you rather that they released a flawed patch, early, so that not only do you have to break your update cycle (for those with only one PC, understand: Admins of large shops (I manage thousands of desktops) like having regular patch days, when you have 100 servers to update it's nice to only have to update them once on a schedule), then if the patch is wrong you'll have to break it AGAIN and then AGAIN for the normal patch day. So, patch (and reboot) once or three times?
Now - if you just can't wait - why not use the unofficial patch. It's been reviewed by several, high profile, 3rd parties who certify that it does what it claims. By using this patch you do NOT lose any functionality you had and it works.
So - what the hell do you have left to whine about? Sheesh... Not being a MS apologist but I can understand where they are coming from.
Also, contrary to the sky is falling predictions - while this IS a serious bug, amazingly there has been very little of it in the wild. Potential for being crazy bad? Yes. Actually crazy bad? In the eyes of 95% of the world they don't even know it's out there and come the day after patch day, everyone with automatic update will be patched. Looking at it as it sits right now - again - what do you have to whine about?
-
(2 replies)
#21 Posted by Ely on 04 Jan 2006 - 00:03
- Has anyone tested that Microsoft patch to see if it really works? I dont have any virtual machines right here to test right now otherwise I would test it, It looks authentic though.
-
#21.1 Posted by Banzai on 04 Jan 2006 - 00:11
- As i reported before i tested it and it worked for me, seems to be the real deal
-
(2 replies)
#22 Posted by Ely on 04 Jan 2006 - 00:29
- cool, where's that checker?
-
#22.1 Posted by jcbeyond on 04 Jan 2006 - 00:37
- http://rapidshare.de/files/10352854/wmf_checker_hexblog.exe
-
#23 Posted by TRC on 04 Jan 2006 - 00:31
- Will there be a patch for Windows 3.1 also? From what I've read it's vulnerable too.
-
(1 reply)
#24 Posted by Banzai on 04 Jan 2006 - 00:39
- i highly doubt there will be a patch for 3.1, and same for windows 9x because as i read here Windows 9x and 2000 users are ok, because though the vulnerability is there windows picture and fax viewer isn’t set up to run wmf files by default to quote
in their default configuration, have a default association for WMF files, and none of their Paint programs or any other standard programs installed with them can read WMF files. -
#24.1 Posted by The_Decryptor on 04 Jan 2006 - 03:13
- 9x doesn't have a picture and fax viewer, but again, any app that renders wmf's with gdi could be an "entry point", possibly word for example.
-
(1 reply)
#25 Posted by rIaHc3 on 04 Jan 2006 - 00:47
- However, if you trust Microsoft for security, you'll probably be ok trusting this.
Was that line really necessary? -
#25.1 Posted by advancedboy on 04 Jan 2006 - 02:04
- I read that as an oxymoron, anyone else? (is oxymoron even the right word?)
-
#26 Posted by lukeangel on 04 Jan 2006 - 02:45
- Hey Everyone; Just FYI i just got a notice from my Windows OneCare that OneCare is currently blocking this exploit from happening. This may be a new tactic from microsoft to purchase their Security Package. This has been automatically done and it just popped up saying that I am officially protected from the flaw and that a OS fix will be implemented shortly!
So not everyone has to wait til 1/10! 
-
#27 Posted by vlsi0n on 04 Jan 2006 - 03:40
- "Just curious, but how many infections are "ok" with you?
A patch for an exploit that is rated "extremely critical" should be released as soon as available, by any common-sense standard."
Well yeah, in a perfect world with one system config that'd work great! But with the almost limitless configs for the OS there needs to be a lot of testing, which MS said it wants to continue to do before releasing it on the 10th. Can you imagine the whining, complaining and bashing it would receive if the patch broke a certain config,
:rollseyes:.
-
#28 Posted by johndoh on 04 Jan 2006 - 16:44
- #20 >what do you have to whine about?
Most people don't know about it, just as most people don't have windows update turned on.
I was reading about this in an internet cafe last night, and just out of interest I pulled up explorer just to see what would happen if I went to windows update. It hasn't been patched, it didn't have the activex control, and it then asked me to download the BITS update, etc. That's some 10 plus public machines that people use that won't be patched.
I've travelled the world updating people's pc's (on holiday), I've never found one yet that was up to date with patches.
-
#29 Posted by deadmonkey on 04 Jan 2006 - 22:56
- To be honest it makes little difference if MS release the patch today or next Tuesday or even last week. Every major antivirus system was able to detect infected files within a few hours of this flaw being known about, let alone seen in the wild. Providing you are running AV software you will be fine.
The people who can still get infected with this [i.e the people with AV software] are the people who won't install the patch anyway. Yes Microsoft need to fix the problem but you are protected using software that is designed to do just that, protect you! When the fix is ready it will be released. If AV software couldn't protect you then I am sure that MS would have released a patch much quicker, but the fact of the matter is that if you are applying appropriate security to your system you will not be troubled with this exploit.
Some people need to make a mountain out of a mole hill. It honestly doesn't matter that much!
-
#30 Posted by jwjw1 on 04 Jan 2006 - 23:41
- "deadmonkey" you need to really get out more and read...LOL
On December 31st, a new and improved version of the WMF exploit had been published. The new exploit generated WMF files that were different enough to bypass nearly all Anti-Virus and IDS signatures. Different methods of distributing the virus, such as e-mails and instant messenger chats have already been seen in the wild, as more and more worms and trojans have been utilising the exploit to gain access to computers running the Windows operating system....those earlier that detected all 73 variants have changed extremely and not so 'trusting'
and naaaaaa MS..its not that important for us to wait
Security experts have urged Microsoft to rush the patch because of the onslaught of attacks. More than a million PCs have already been compromised,
http://news.com.com/Microsoft+inadvertentl..._3-6018263.html
-
#31 Posted by Stunna on 05 Jan 2006 - 08:11
- how do you know if you are infected
which anti virus software can actually pick it up?
-
#32 Posted by xMorpheousx416 on 05 Jan 2006 - 21:07
- In case anyone is still reading this article, Bink has posted the Microsoft release of this patch today on his site.
A week after becoming aware of a severe vulnerability in the Windows Meta File (WMF) portion of Windows operating systems, Microsoft has announced that it will not rush its patch to release, but will instead test the patch with plans to release it on Tuesday, January 10th as a part of its routine monthly security bulletins. Microsoft claims that they have been closely monitoring the attempted exploitations of this particular vulnerability over the last week, and while they do admit that the issue is serious and that attackers are actively attempting to exploit the vulnerability of affected systems, Microsoft’s partners and intelligence sources do not believe that the scope of the attacks is widespread.
While they report that no known instances of this particular vulnerability have been reported to be exploited via e-mail, Microsoft is urging users to exercise caution when opening e-mail messages or when following links in e-mail messages, especially if the source of the message is unknown.
Update
SANS / The Internet Storm Center are offering a patch to protect users from the problem. The reputable ISC are putting their backing behind it, and without any other good option, users might be wise to install their patch rather than waiting until the 10th. You can download it here (msi). Once again, the patch is un-official, and is not endorsed by Microsoft (or Neowin for that matter). However, if you trust Microsoft for security, you'll probably be ok trusting this.