Microsoft patch for WMF flaw to be released Jan 10

By jwjw1
in Back Page News

 Share

Recommended Posts

Grand Master

jwjw1

Posted
Posted

Microsoft Corp. said today it does not plan to release a fix for the Windows Metafile (WMF) flaw until Jan. 10, when a patch will be included as part of the company's scheduled monthly updates for January. Microsoft has completed development of a patch for the flaw and is now testing it for quality and application compatibility, the company said in an advisory updating an earlier advisory released last week. The update will be available at Microsoft's Download Center in 23 languages for all affected versions of the Windows operating system.

"Microsoft has been carefully monitoring the attempted exploitation of the WMF vulnerability since it became public last week, through its own forensic capabilities and through partnerships within the industry and law enforcement," the company said in its statement. " Although the issue is serious and malicious attacks are being attempted, Microsoft's intelligence sources indicate that the scope of the attacks are not widespread."

Source: Computer World

http://www.computerworld.com/securitytopic...html?source=x10

Lets don't get in no hurry Micorsoft...lets wait another 7 days while 1000's of people are getting infected due to a Vulnerability in your OS.

Mentor

RootWind

Posted
Posted

Well I guess the people who don't know about this flaw will have to depend on their antiviruses (... that are hopefully updated...).

Though I have to admit, as bad as this exploit looked, I haven't seen this around as much as other exploits yet.

Grand Master

Hurmoth

Posted
Posted
:o THey should have released this on priority

And then could you imagine the yelling that the patch breaks other things, I'd wait or install the un offical patch till this one is release :cool:

I see both sides and I'm sure Microsoft does as well. This is a big gamble right here, Microsoft could release it early or 'priority' and risk breaking more stuff or Microsoft could take it a little easier and risk more computers being infected (which is the users fault for not being more careful in where they search) and release it with the proper amount of testing. Not an easy decision and I'm so glad I'm not the one having to make it :yes:

Grand Master

Banzai

Posted
Posted

Hurmoth makes a good point but what sort of a message does this send out to customers? To me it says we where totally unprepared and until we get our self sorted you will have to look else where for a solution. Come on a 3rd party got a patch out before microsoft could.

Grand Master

Hurmoth

Posted
Posted
Hurmoth makes a good point but what sort of a message does this send out to customers? To me it says we where totally unprepared and until we get our self sorted you will have to look else where for a solution. Come on a 3rd party got a patch out before microsoft could.

Personally, I don't think it sends out any message to customers. I mean think of it, how many of Microsoft's customers actually even know this threat exsists? I doubt the majority of them do, so look at it this way:

  • Microsoft currently has what maybe 1-5% infected computers out there. So:
  • If they released a patch to early because they just wanted it out there and it broke stuff you now have 10-15% customer base angry.

My point is, 1-5% customer base isn't a huge deal when looking at the big picture, but getting into double-digits could turn into a big deal. This is something you have to take into account the HUGE number of people that run Windows out there and then think of the amount of people who are actually affected by this problem and if a patch is released that breaks other stuff the larger number of people that would be affected.

Neowinian

justinside

Posted
Posted

It always amazes me when Microsoft is always heralded as the culprit in an attack on its software. If some people were smart enough to install & update antivirus, use firewall's, and don't do something stupid like opening up files you have no idea of what they are there wouldn't even be 10-15% infected with this now. Probably more like less then 1%.

Lol people always blaming Microsoft - they must have wanted to make software with vulnerabilities - I'm sure that's their goal. :shiftyninja:

Seems to me their doing what they should be doing - fixing the issue and making sure the fix works.

Grand Master

Banzai

Posted
Posted

and don't do something stupid like opening up files you have no idea of what they are there wouldn't even be 10-15% infected with this now. Probably more like less then 1%.

Im not an idiot with computers but Ive always been under the false belief that when you get a email with a .exe file extension then its probably a virus.

But I always thought it was safe to open .jpg files i mean there harmless its just an image it cant run a program. oww sorry it can. This is isnt big, But has the potential to be huge.

Grand Master

Hurmoth

Posted
Posted

Im not an idiot with computers but Ive always been under the false belief that when you get a email with a .exe file extension then its probably a virus.

But I always thought it was safe to open .jpg files i mean there harmless its just an image it cant run a program. oww sorry it can. This is isnt big, But has the potential to be huge.

I'm not a virus expert by no means, but if I'm not mistake no file with an extension .jpg, .gif, .png, etc. can execute a virus. Only .com, .exe, etc. can be viruses, they hide the extension as something like 'hotpr0n.jpg.exe' but you don't see the .exe.

The biggest problem is public awareness. To many times people are trashed with anti-virus, anti-spam, anti-spyware, anti-whatever. What we need is to teach, or educate, people safe-surfing. People need to know going to places to download screensavers will most likely get you viruses, spyware, adware, or whatever. People need to know that clicking "YES" to everything without reading what they're clicking "YES" to is dangerous.

Anti-whatevers isn't the answer, public awareness is.

Grand Master

dragon2611

Posted
Posted

Only .com, .exe, etc. can be viruses, they hide the extension as something like 'hotpr0n.jpg.exe' but you don't see the .exe.

Really funny I could have sworn this exploit was in .wmf files clearly not a exe or com etc

Rising Star

Marsden

Posted
Posted

The people who get dinged by this are those who don't use anti-virus, have machines that are already infected with scumware, don't keep there machines updated and will click on anything sent to them via email.

Due to various updates from MS users using Outlook 2K and 2K3 plus Outlook Express can't fall victim to these malformed images because by default the images are not displayed in the viewer.

Grand Master

+Warwagon MVC

Posted
  • MVC
Posted (edited)

I think Microsoft is very wise to wait to release the patch. We aren't talking about a virus here, that spreads from infected machines, we are just talking about a vulnerability screwing some machines up. Really the only ones getting infected are the ones stupid enough to not run an antvirus, or update the one they have. I don't think Microsoft should throw an untested patch out in the wild for that, and risk breaking a whole bunch of other stuff. It would suck to be Microsoft, really, because they are damned if they do and damned if they don't.

Edited by warwagon
Grand Master

chopyaedoff

Posted
Posted

Really funny I could have sworn this exploit was in .wmf files clearly not a exe or com etc

You are right this exploit is in a .WMF file but all it doing is using a feature that was included that allowed the image files to contain actual code. This code would be executed via a callback in special situations and this call-back function is then being used to download the virus - which is an .exe

Grand Master

Hurmoth

Posted
Posted
Really funny I could have sworn this exploit was in .wmf files clearly not a exe or com etc

Well, like I stated, I'm not an expert :p Is .WMF an executable? How can it run unless it executes and in Windows only certain extensions can execute I though.

What I find odd is that McAfee says this is a "Low Risk" & Symantec says it is a "High Risk". :rofl:

Grand Master

+M2Ys4U Subscriber¹

Posted
  • Subscriber¹
Posted

Well, like I stated, I'm not an expert :p Is .WMF an executable? How can it run unless it executes and in Windows only certain extensions can execute I though.

What I find odd is that McAfee says this is a "Low Risk" & Symantec says it is a "High Risk". :rofl:

Windows Metafiles can contain executable code (originally designed [back in the Win 3.0 days] to pause print jobs, and related stuff), someone has just found this out and is starting to hack away at it...

from teh Wiki:

According to F-Secure assessments [4], the problem lies in the design of the WMF file. Since the architecture of the file is from a previous era, features were included which allowed actual code to be executed when a WMF file was opened. This mainly dealt with cancellation of print jobs during spooling. It has also been suggested that there may be more vulnerabilities in the functions of the WMF file. Because of the large support of Metafiles in the Windows operating system, most versions of Windows are vulnerable.

Grand Master

Mouldy Punk

Posted
Posted

Better late than never I guess :p

It only takes common sense to avoid the vulnerability. Firefox will ask you to download and run the dodgy .wmf, and other browsers probably do too. It's only IE that will automatically run the file...but IE users deserve to get exploited anyway.

Grand Master

Hurmoth

Posted
Posted
Thats the thing though Hurmoth a .wmf file could be renamed to .jpg and will have the same affects in executing a .exe file from the internet.

Since my last post I've gone and rearched this. Interesting stuff, but again this still comes down to public awareness though. Who many 'normal' users open every email they get? I'd say at least the majority, which is why they need to be tought if you don't know the sender or if the email is suspecious, don't open it.

Grand Master

Banzai

Posted
Posted

I agree hurmoth it is down to public awareness, unless you are expecting to receive an email from a friend that has the attachment happynewyear.jpg dont open it, and if you get an email from a friend that is out of context ie it doesn?t seem like them who has sent it don?t open the attachments. Basically AV is good but the best protection from internet crap is safe browsing. Hey lets make are own campaign of ?awareness? stuff this current crap in America about no videogames. Change peoples interests to safe internet use.

Grand Master

ichi

Posted
Posted

Since my last post I've gone and rearched this. Interesting stuff, but again this still comes down to public awareness though. Who many 'normal' users open every email they get? I'd say at least the majority, which is why they need to be tought if you don't know the sender or if the email is suspecious, don't open it.

Depends on what the vulnerability is about. This wmf thing can be (an has already be found to be) embeded in "trusted" web sites. Someone could place one of those wmf files in the neowin forums and almost every windows user would get infected.

This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.

  • Posts

    • Amazon Greenlights A New "Stargate" Series

      By Som · Posted

      https://www.change.org/p/save-the-new-stargate-series-let-martin-gero-build-the-future-of-the-franchise?utm_source=share_petition&utm_medium=mobileNativeShare&utm_campaign=share_petition&recruited_by_id=376d0b10-cf3c-11e7-a513-03b837c94000&recruiter=836653795&share_id=jVyr5PGfkN Petition for anyone who's interested 
    • Here's how to watch Summer Game Fest 2026 and what to expect from the 2-hour showcase

      By LoneWolfSL · Posted

      Here's how to watch Summer Game Fest 2026 and what to expect from the 2-hour showcase by Pulasthi Ariyasinghe The June game showcase schedule is packed, and with the Sony event already behind us, it's time for the next major presentation to come in swinging. Later today, Geoff Keighley will be bringing the 2026 edition of Summer Game Fest live from the Dolby Theatre in Los Angeles, California. For anyone wanting to tune in online, the Summer Game Fest showcase livestream will be kicking off at 2 PM PT | 5 PM ET | 10 PM BST later today, June 5. The jam-packed show is slated to run for about two hours, with platforms like YouTube (4K at 60FPS), Twitch, Facebook, or X being available for catching it. Like in previous years, separate streams featuring American Sign Language and Descriptive Audio are available on YouTube as well. Keighley has only dropped a few teasers about what gaming fans can expect to see at the show. This includes a new look at Star Wars Zero Company from EA, a major announcement from Guild Wars developer ArenaNet, more Clutch gameplay, and some sort of Sega presence. As for fan expectations, there is hype building about a Final Fantasy 7 Remake Part 3 reveal here, and we might see new details about announced games like Alien Isolation 2 as well. If you want even more games, keep in mind that right after the main kickoff event, the Day of the Devs showcase will begin its own festivities at 4 pm PT | 7 pm ET. This is focused entirely on upcoming indie games. Following this, the next major games showcase is slated to happen on June 7. Here, Microsoft is bringing the big guns with its Xbox Games Showcase and Gears of War E-Day Direct. Check out the full calendar for all of the June events over here.
    • Ladybird Browser is no longer accepting outside contributions thanks to AI

      By Reancarnation_X · Posted

      AI is destroying jobs like nothing before
    • Microsoft is making Windows 11's context menus faster, simpler, and configurable

      By +samw61 · Posted

      I think the car analogy is more this: Left hand drive, basic commands on the left side of the infotainment screen. Right hand drive, basic commands on the right side of the infotainment screen. Granted, you're not swapping between the two often so it's doesn't really work. But it's to do with the proximity of you (your mouse, or the driver) to the controls.
    • Microsoft is making Windows 11's context menus faster, simpler, and configurable

      By +samw61 · Posted

      I mean, the old one was broken and so stupidly complex for many users, so I don't see that as a feasible option. A context menu needs to be simple to use, and for me the Windows 11 style actually worked really well for me, and many others. I used to have to scroll the damn context menu just to get to "file properties" in Windows 10. That was not a good experience, and I'm sure you'd agree. What they're trying to do is make it the best of both worlds, as clearly you'd prefer the Win10 style. I'm curious how they're going to do this.

  • Recent Achievements

    • Conversation Starter
      FBSPL earned a badge
      Conversation Starter
    • Week One Done
      I2D earned a badge
      Week One Done
    • Week One Done
      Dr Jared Dental Studio earned a badge
      Week One Done
    • Week One Done
      RG INVESTMENT GROUP earned a badge
      Week One Done
    • Very Popular
      The Norwegian Drone Pilot earned a badge
      Very Popular

  • Popular Contributors

    1. 1
      +primortal
      486
    2. 2
      PsYcHoKiLLa
      263
    3. 3
      Skyfrog
      86
    4. 4
      FloatingFatMan
      64
    5. 5
      Michael Scrip
      63
    Show More

  • Tell a friend

    Love Neowin? Tell a friend!