
Thread: Nasties before patches.

  1. #1
    Seething Cauldron of Hatred TheAnimus's Avatar

    Nasties before patches.

    http://www.theregister.co.uk/2005/12..._trojan_alert/

    Hackers have created a range of Trojan programs which exploit a dangerous new Windows Meta File vulnerability. The vulnerability is rated critical, and so far, no patch has been issued.

    The WMF vulnerability exists in computers running Microsoft Windows XP with SP1 and SP2, and Microsoft Windows Server 2003 and stems from a flaw in a utility used to view picture and fax files. The security flaw might be exploited by inducing victims to view maliciously constructed sites, particularly where IE is used as a browser, or when previewing *.wmf format files with Windows Explorer.
    Why are people publishing flaws before a patch has been released? There's no point quickly knocking up a patch for the problem; you shouldn't break the dev cycle because someone wants some limelight and publicly discloses a bug!

    It's probably more a moral thing in my mind.
    throw new ArgumentException (String, String, Exception)

  2. #2
    Senile Member
    Quote Originally Posted by TheAnimus
    Why are people publishing flaws before a patch has been released?
    Damn those malware writers, where is their sense of honour!

  3. #3
    Member
    It's possible that Microsoft were informed of the problem months ago (they haven't got that good a track record for releasing patches quickly). The person who informed them may have felt enough time had passed for them to have released a patch, and decided it was time to inform people so they knew what to do to keep their computer safe.

    Personally, I'd rather know about a problem with something on my computer so I could avoid/nullify any attempts to exploit it, rather than wait for someone to release a patch possibly months down the line.

  4. #4
    Seething Cauldron of Hatred TheAnimus's Avatar
    Erm, no, you can't avoid it and still have usability, unless you patch it yourself. The fundamental problem is you don't want to rush patches out, you don't want to mess up the dev cycle.

  5. #5
    Senior Member
    Quote Originally Posted by MAdMaN
    It's possible that Microsoft were informed of the problem months ago (they haven't got that good a track record for releasing patches quickly).
    Apparently not this time http://secunia.com/advisories/18255/ although as you say that's not always the case.
    IE 28% of vulns no fix and 12% partially fixed......one exploit goes back to 2003!!! http://secunia.com/product/11/

    Oh well

  6. #6
    Senile Member
    Since all the reports I've seen mention it being spotted "in the wild" and not released by a security group, I suppose there was nobody to tell MS except the malware authors themselves.

    Quote Originally Posted by TheAnimus
    The fundamental problem is you don't want to rush patches out, you don't want to mess up the dev cycle.
    Is interrupting their "dev cycle" (whatever that's supposed to mean) more of a fundamental problem than having millions of Windows installations compromised?

    What is their dev cycle, are you insinuating they don't have an ability to respond quickly to such urgent security holes in their products? Or are they too busy taking out previously announced features from Vista?

  7. #7
    Seething Cauldron of Hatred TheAnimus's Avatar
    Commercial software tends to be much more stable than open source software because of the design not being driven by a huge committee with no one actually in control of the direction. MS use a cycle that you'd learn on any good software engineering module. Design, Implement, Test.

    You can't rush out a patch just because of one problem, you don't know how many more you'll create. Even with the exhaustive testing, how many people find that an update breaks something else? Often these breaks aren't MS's fault per se, their developers faults.

    A discussion I was having a few weeks back was that should you block processes sending messages (via window messages in this case) to other processes? A few apps would stop working, but you'd be able to stop a lot of "instant messenger worms" (ICQ/AIM/MSN all included).

  8. #8
    Senile Member
    Quote Originally Posted by TheAnimus
    MS use a cycle that you'd learn on any good software engineering module. Design, Implement, Test.
    Cutting edge stuff

    Yes they still have to do integration and regression testing on the patch for this critical flaw, I took your "mess up their dev cycle" comment to mean that why should their normal leisurely pace be interrupted.

    Still this hasn't seemed to be the catastrophe I thought it might be so perhaps they will rest on their laurels for a while longer.

    Not sure what sparked your open source rant.

    btw who did want the limelight as you mention in your first post?

  9. #9
    The late but legendary peterb - Onward and Upward peterb's Avatar
    Quote Originally Posted by TheAnimus
    Commercial software tends to be much more stable than open source software because of the design not being driven by a huge committee with no one actually in control of the direction. MS use a cycle that you'd learn on any good software engineering module. Design, Implement, Test.
    Nothing like a bit of wide sweeping generalisation... Not sure a BSOD is really a sign of stable software!!
    (\__/)
    (='.'=)
    (")_(")

    Been helped or just 'Like' a post? Use the Thanks button!
    My broadband speed - 750 Meganibbles/minute

  10. #10
    Seething Cauldron of Hatred TheAnimus's Avatar
    Open source rant was due to the obligatory "oh this wouldn't happen if it was open source" posts that are flying around usenet (which I was reading hoping to learn more about the nastie showing up in the wild).

    The psychology of a virus writer is very interesting, it's very similar to that of a security researcher. From what I understand a virus writer wants to demonstrate their power in a you must be scared by me way. But a researcher, who releases a proof of concept thing, has a similar desire, but it's meant to be more wanting respect, rather than proving their strength (and in turn wanting fear).

    Designing a patch is very hard. As is any major change to a design. The example I used earlier in this thread could make the OS more secure, think of it as an "inter process communication firewall". This would be true for pretty much every WIMP OS. Say you want to make a virus, to earn money, more and more people are using VoIP, especially Skype, there are lots of Skype users. So let's make a program that tricks Skype into thinking the user has clicked its buttons (this can be done with window messages, there is no need to move the mouse, then send a click, you can provide the stimulus directly).

    So is there ever a need for a program to simulate a button click, or keyboard input on another process?

    My worry about this is, I want to make some money, I set up a premium rate number in the USA and England. I design a trojan, starts by email, but once opened, sends a message to all the Skype contact list, saying download this (it does this by using window messages, as pretty much every level of user can talk to another process via this, there are other ways, but typically the user has to have debug privs on the process you're invading). But then I use Skype Out, to dial a £1.50 a minute number, if it waited until you weren't using Skype, and muted the volume, the user would have little idea what was going on. I'd make quite a few (regrettably all too easy to trace) £.

    Now, the only way to patch that "flaw" would be drastic, the implications on other applications would be far spread. Patching tends to lead to complicated results, granted, not the fault of the patch most of the time, but people still complain to the patch vendor as it worked until it came along.

    Usability vs Security is a very big topic, should things be on by default?

    Now as to BSOD, 99% of them are caused by a malfunctioning device driver that's unsigned. NT really is rock solid compared to the competition (RISC OS, etc.)

  11. #11
    Senile Member
    An update on this, as read on Slashdot.
    An IM "worm" is now taking advantage of the vulnerability.

    http://www.viruslist.com/en/weblog?d...92530&return=1

    A new worrying angle is that this vuln isn't actually in shimgvw.dll and in Windows GDI library so even if you have unregistered shimgvw.dll you can be infected.

    I'd think very seriously before clicking on any links sent to you in your IM client.

    btw some guy has made his own patch that neuters the vulnerability see http://www.f-secure.com/weblog/archi....html#00000756
    Last edited by RedPutty; 01-01-2006 at 10:23 PM.

  12. #12
    Senior Member theslasher@ntlw's Avatar
    I've just got a Snooper neo 2, my mate bought me and the wife a navman 520 for Christmas, the snooper came free so I did not mind paying 4.95 a month for subscription.
    The snooper and the navman work great, just installed camera database on the navman.

  13. #13
    Senile Member
    Wrong thread maybe mate?

    Back to the WMF vuln ... I thought this was going to turn out to be bad and it seems those who know about such things are very worried too.
    http://isc.sans.org/diary.php?rss&storyid=996


    I've written more than a few diaries, and I've often been silly or said funny things, but now, I'm being as straightforward and honest as I can possibly be: the Microsoft WMF vulnerability is bad. It is very, very bad.

  14. #14
    Seething Cauldron of Hatred TheAnimus's Avatar
    Sad thing is he is quite right, I'm writing this now, on an under-RAM'd tablet PC, which I'm running as administrator.

    When I first heard about this bug, my first thought was: Sh*t, can people make MF emoticon? That would be quite worrying.

    As for it escaping virus scanners, I don't believe that to be true, from my (very) basic study of this bug, I believe that Sophos (the one I use, free license from uni) would be able to use signature checking as normal, unless the programmer is very cunning about it. (But this is more an anti-virus programming paradigm question, as what should a virus scanner hook.)

    Myself, if there's no patch out by MS on Tuesday, I'm going for Ilfak's!
    throw new ArgumentException (String, String, Exception)
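
Added example (not part of the original thread or any vendor's code): a structural check of the kind post #14 calls "signature checking", which walks a WMF file's records by content rather than by file extension and flags a META_ESCAPE record that invokes SETABORTPROC, the escape associated with this flaw. The sample files are constructed inline, and the function and helper names are hypothetical.

```python
import struct

PLACEABLE_MAGIC = 0x9AC6CDD7  # optional 22-byte placeable header
META_ESCAPE = 0x0626          # record type that carries printer escapes
META_EOF = 0x0000             # terminating record
SETABORTPROC = 0x0009         # escape that registers an abort callback

def scan_wmf(data):
    """Walk WMF records and return a list of findings (empty = nothing flagged)."""
    findings = []
    placeable = len(data) >= 4 and struct.unpack_from("<I", data)[0] == PLACEABLE_MAGIC
    off = 22 if placeable else 0
    if len(data) < off + 18:
        return ["truncated header"]
    ftype, hdr_words = struct.unpack_from("<HH", data, off)
    if ftype not in (1, 2) or hdr_words != 9:
        return ["not a WMF header"]
    off += 18
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        size = size_words * 2  # record size is stored in 16-bit words
        if size < 6 or off + size > len(data):
            findings.append(f"malformed record at offset {off}")
            break
        if func == META_ESCAPE and size >= 8:
            (escape,) = struct.unpack_from("<H", data, off + 6)
            if escape == SETABORTPROC:
                findings.append(f"META_ESCAPE/SETABORTPROC at offset {off}")
        if func == META_EOF:
            break
        off += size
    return findings

def _record(func, params=b""):
    # Helper for the constructed samples: size (words), function, parameters.
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params

def _wmf(records):
    body = b"".join(records)
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, 0, 0)
    return header + body

# Constructed samples; the escape payload is four zero bytes, not real exploit data.
SETMAPMODE = _record(0x0103, struct.pack("<H", 8))
EOF = _record(META_EOF)
BENIGN = _wmf([SETMAPMODE, EOF])
SUSPICIOUS = _wmf([SETMAPMODE, _record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + b"\x00" * 4), EOF])
```
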

  15. #15
    Senior Member
    Is this nowt to do with it?

    http://www.microsoft.com/downloads/d...displaylang=en

    Thanks

  16. #16
    Senile Member
    I don't think so, there has been at least one other similar vulnerability in the last few months so it's probably to do with that.
