Microsoft acknowledged late Wednesday the existence of a zero-day exploit for Windows Metafile images, and said it was looking into ways to better protect its customers. Even worse, by the end of the day nearly 50 variants of the exploit had already appeared. One security company said the possibilities were endless on how the flaw could be exploited. ‘This vulnerability can be used to install any type of malicious code, not just Trojans and spyware, but also worms, bots or viruses that can cause irreparable damage to computers,’ said Luis Corrons of Panda Software.
So there’s a very critical flaw, that could potentially be exploited by ANY (?) web page and there’s no fix yet?
Edit: Oh, I see that deleting SHIMGVW.DLL may possibly help.
Edited 2005-12-31 17:44
Deleting important system files isn’t a bright idea. I figure the name shimgvw.dll stands for something like shell image video (don’t know what the w would stand for besides “windows”).
Most likely, after deleting it, many of your Windows applications would refuse to start, complaining that the DLL is missing, especially dialogs with animated pictures and web browsers with their animated throbbers.
But then that’s just my guess, go ahead and experiment if that’s what you want. My warning will still be here for everyone else to read and I can only guess what would happen if you delete that DLL.
You’re not supposed to delete it. You run a command which unregisters it. Unless this is a different fix than I’ve read in other stories.
You can register it later.
We’d probably all be better off if people just unregistered all dll’s associated with Microsoft file types; then people’d be forced to save things in formats which they can actually view on other systems.
Don’t delete this, I’ve heard that it causes all sorts of problems.
i.e. you won’t be able to thumbnail and will have problems with JPG files, and some applications may crash.
Actually, unregistering/deleting this file is one of the first things I do after installing XP, and I have noticed no bad side effects from doing so (though I have my own apps registered for viewing images). I originally got the idea from here:
http://www.monroeworld.com/pchelp/tweakxp.php#14
DELETING FILE NOT NECESSARY, as others note it is not always a good idea to delete system files, even the bad ones.
use this command to unregister the dll:
REGSVR32 /U SHIMGVW.DLL
If most users didn’t run with privileges (Administrator), this would be a non-issue as software couldn’t be installed. Supposedly, the default in Vista will be for normal users to run totally unprivileged.
It’s not like ‘nix has been doing this for years and years, oh wait, they have been.
If most users didn’t run with privileges (Administrator), this would be a non-issue as software couldn’t be installed
Don’t be silly. Of course the software will get installed. If you are running as a non-admin, it will get installed under your account and do damage to your data.
The malware does not even need to be installed. It just needs you to browse a website that has some malware attached to a wmf, which can open as a pop-up windows. You are beaten, simple as that.
This could be a real killer for Microsoft as .wmf files go right back to the days of Windows 3.0. So all versions can be hit, and Microsoft have admitted there is no cure for this one…
http://news.bbc.co.uk/1/hi/technology/4566504.stm
“Exploit code has been publicly posted and used to successfully attack fully-patched Windows XP SP2 systems,” said Cert. “However, other versions of the Windows operating system may be at risk as well.”
Experts say there is no patch available for the flaw, which affects computers running Windows XP, ME, 2000 and Microsoft Windows Server 2003.
I am not going to gloat and say ” I truly am glad I only use Linux”, because I am not glad, I honestly do feel sorry for users being preyed on by these scumbags. They need shot
I DO use Linux, and it affected me too.. I browsed a porn site, and Firefox kept asking me if I wanted to download a .wmf file. I said YES, coz I am stupid that way. The file downloaded and did nothing. It did not show me the boobies and it did not screw up my PC.
I know it would have been a different story if I was using windows.
Just running non-admin doesn’t fix it… Is this really a security-context problem or admin problem?
Having to switch to admin (on MS) every time you want to install software is a headache. However, running normally as non-admin is certainly a good idea. Still, all it takes is an admin-privileged service or device driver to open the hole for trouble.
Can we expect users to admin their own machines properly? Is there a better way?
There is no way software can do irreparable damage to the hardware it runs on. The only exceptions being software that can drive hardware to perform above its specs for prolonged periods of time and cause overload, but that’s the kind of hardware I don’t want to see in a home or office PC. Home and office hardware should have mandatory safeguards against such abuse.
So in short: software running on a PC can NEVER do irreparable damage to the machine it runs on unless the hardware was faulty to begin with. Now cut the fearmongering for the sake of selling your security products! Or at least make it less obvious..
Are you retarded or just a little dim ?
Have you never heard of flashing ?
Dickhead
“…software running on a PC can NEVER do irreparable damage to the machine it runs on…”
‘hdparm -U /dev/hda’ will unregister an IDE interface, eg. remove it permanently from the system…
Ben
You can also f–k the user’s data properly inaccessible by locking the disk via SMART commands. The hardware is rendered unusable without being broken. If you’re lucky a rescue service can unf–k the drive. Massacre if such a WMF went into circulation..
“There is no way software can do irreparable damage to the hardware it runs on. ”
You forget Chernobyl, it flashed your BIOS with junk.
>NEVER do irreparable damage
Hmmmm….hits basw with clue stick.
Admin+FirmwareChanges = UScrewed
Never say never, a good programmer could totally make your hard drive or pc not boot up ever again without replacing some parts or sending them back to the manufacturer to get their firmware reset.
Modern operating systems protect against that sort of thing. Hell, most motherboards have measures you can put in place that prevent any writing to the BIOS flash.
Modern OS’s do what? Prevent a program with admin permission from issuing system calls to write to hardware addresses? Are you kidding? Flashing hardware with code is as simple as running an executable with permission. The hardware at a predetermined address reads instructions to load the incoming data, and write to static memory, that simple (in a nutshell).
And sure, you can password protect your BIOS from BIOS changes, but how many home users are doing that? And that is just the BIOS, anyhow. And should users be expected to password protect their BIOS’s?
The bottom line is that if arbitrary code can be executed with admin/root privilege, then this opens up a worst case scenario. The only protection is to plug the hole in the app/driver/security-context.
shane
No, but the hardware itself can prevent it if it is not in a particular state (let’s say the official flashing utility pokes some addresses with specific bits before issuing any kind of flashing instructions).
Actually, that’s usually how it works. Firmware flashers for hard drives, optical drives, motherboards, video cards, etc. are all proprietary.
Not all firmware flashes are proprietary (as in the company who makes the drive makes the firmware); I suggest you look up making regioned DVD drives region free, and you’ll see a lot of people supplying non-official firmware for people to make their drives region free.
Yeah, non-official firmware … I didn’t say firmware, I said flashers (ie. the actual utilities that prepare the drive for flashing, and then do the flashing itself).
As long as you have a firmware image, it can be hacked. The flashers themselves, not so much.
What is zero-day supposed to mean?
Without knowing if it’s supposed to mean something it just looks like they’re trying to sound cool IMO.
“What is zero-day supposed to mean?”
I was thinking the exact same thing!!! WTF??
It refers to the interval between the time that the exploit is known, to the time that examples of it being used in anger appear.
Zero day exploits are obviously the worst sort, because they give so little time to the good guys to patch.
Someone else has written that if you are running as limited user, you are still vulnerable to this one. Yes and no. I would defer to the better informed, but surely you are not vulnerable to having your root system files tampered with? So your user area might have the programme in it, but its ability to infect the system would be very limited. No rootkits or trojans, for instance. Maybe someone better informed will correct this, if it’s false.
“Someone else has written that if you are running as limited user, you are still vulnerable to this one. Yes and no. I would defer to the better informed, but surely you are not vulnerable to having your root system files tampered with? So your user area might have the programme in it, but its ability to infect the system would be very limited. No rootkits or trojans, for instance. Maybe someone better informed will correct this, if it’s false.”
On Windows systems, this is false. The explanation of why is a little long-winded, but I will attempt it anyway.
First try an experiment: find a simple innocuous executable (similar to notepad or calculator) somewhere on the web, and download it to media formatted as FAT32. As a non-admin user attempt to run that executable – it will run.
An executable will run on a Windows system without any local user giving it permissions to run. The only thing that a Windows system requires in order to attempt to run an executable (from anywhere) is that the executable has a particular extension (one of about twenty or so).
On Windows systems – program installers are simple executable files. By “program” I could mean adware or spyware or keylogger type programs – any malware at all.
On Windows systems – it is possible to schedule an executable to be run (say at a specific time or on next boot) without any local user intervention at all.
On Windows systems – there are many, many ways to get an externally-supplied executable file to run on a target system without any local user giving permission or even being aware that something has been run.
Windows systems are arranged in this way in order to maintain backwards compatibility with legacy binary applications. (Windows customers tend to get upset if some expensive binary-only program they purchased in 1998 does not now run on their new XP system).
Because modern Windows systems are backwards compatible (in a binary API sense) with an insecure non-networked single user OS from circa 1995, they are FUNDAMENTALLY, BY DESIGN insecure.
Yes, I do understand that as a limited user you can run programmes, and these can evidently do nasty things. But surely they cannot modify the Registry or basic system parameters?
I’ve always told people to run as limited user, but that this will give them a problem with CD burning. What they should do for this is use ‘run as’ for this one application. Then they should set Zone Alarm to seek permission for all outbound connections from applications, and turn them down the first time if they don’t understand why, and see what happens. In addition, put in WinPatrol and refuse system modifications they don’t understand. Also enable privacy between user accounts. And to use a different user account for any financial transactions from the one they use for ordinary writing, browsing and so on.
It’s not terribly convenient, but it’s not too bad because any significant financial transaction is something one thinks about for a while in advance, and does deliberately, so the step of signing in and out is not a big deal.
Is all this not going to protect against being rooted or trojaned by this one? I realise it’s not going to protect the user data in the infected account, but that will be true of all zero day exploits.
For CD burning you can download a program from Ahead (Nero Burning ROM) that will enable CD burning rights for Users/Power Users or a special Nero group. It’s free and I use it at the office.
At the office all my Windows users are “Users”. I have no issue with worms or trojans because they cannot install. Further, users cannot install programs, and because of that most users don’t know that they can still run programs they download themselves. Helps me a lot to keep the system sane.
On Windows systems, this is false. The explanation of why is a little long-winded, but I will attempt it anyway.
I think you are a tad confused.
First try an experiment: find a simple innocuous executable (similar to notepad or calculator) somewhere on the web, and download it to media formatted as FAT32. As a non-admin user attempt to run that executable – it will run.
Correct, just like on my FC4 Linux box. However, try running an application that attempts to invoke a privilege not granted to standard users, or access a portion of the file system or registry not granted access to standard users. You won’t get very far.
An executable will run on a Windows system without any local user giving it permissions to run. The only thing that a Windows system requires in order to attempt to run an executable (from anywhere) is that the executable has a particular extension (one of about twenty or so).
And your point is?
On Windows systems – program installers are simple executable files. By “program” I could mean adware or spyware or keylogger type programs – any malware at all.
They are anything but simple executables. They can be MSI (Windows Installer) packages, they can be self contained exe’s. But they almost always have some common features including registering class id’s and setting global defaults in the system portion of the registry, which is not writable by non-privileged users. That said, some applications, such as Google earth, will install a profile specific (profile directory and HKCU hive) version that is localized to the current user profile only (thus allowing a non-privileged user to install the application). This application however would be accessible only to the user who installed the application (other users would not have access to the application and its settings).
As for installing malware, an executable running in the context of a non-privileged user will not be able to modify global portions of the registry, system files, install device drivers or access the debugging facility (among other user rights).
On Windows systems – it is possible to schedule an executable to be run (say at a specific time or on next boot) without any local user intervention at all.
Not as a non-privileged user. You are limited to the user rights granted to a non-privileged user and the properties defined in the ACLs on the file system and registry.
On Windows systems – there are many, many ways to get an externally-supplied executable file to run on a target system without any local user giving permission or even being aware that something has been run.
Only if running as an Admin.
Windows systems are arranged in this way in order to maintain backwards compatibility with legacy binary applications. (Windows customers tend to get upset if some expensive binary-only program they purchased in 1998 does not now run on their new XP system).
No. Windows of the NT variety are most often run as Admin because of said legacy apps and Microsoft’s unwillingness to (up until very recently) proactively educate users adequately on how to run their systems in a secure fashion (not to mention the laziness of most users). Nearly all legacy apps (and newer problem apps, such as games) can be run using the runas command invoked from a non-privileged user. This is how I run my Windows systems (and how I install apps, etc.) and I have never gotten a single piece of malware on any of my boxes. It is significantly more secure to invoke an application with raised privileges on an as-needed basis than to have the default security context of your user session be highly privileged. Running IE, Firefox, Outlook, Thunderbird, mIRC, and other apps as an admin is just not a good idea. Furthermore, if malware is invoked from a non-privileged account, your AV software at least has a fighting chance of cleaning it up since your malware won’t be able to interact with system service settings as a non-privileged user, thus preventing AV from becoming disabled (something most malware attempts immediately).
Because modern Windows systems are backwards compatible (in a binary API sense) with an insecure non-networked single user OS from circa 1995, they are FUNDAMENTALLY, BY DESIGN insecure.
Incorrect; they are not “fundamentally insecure” by design. But Microsoft’s previous stance of having all users run with admin privileges by default WAS a very bad idea. However, that stance was driven out of a wish to provide easy to support compatibility by circumventing all the security features of modern NT variants (2000, XP, 2003). In the end, all this did was promote laziness in users and developers and provide a wide open target for bad guys. Microsoft, and users who don’t take it upon themselves to properly secure their systems, will be paying for this mess for a long time to come.
With all that said, this is a big old bug, and very serious problem that users should be very careful to avoid until a patch is released. Even a non-privileged user could inadvertently infect his or her profile and running as an admin could easily lead to a very serious compromise.
It’s Judgement Day implemented by Microsoft and not compliant with standards.
Edited 2005-12-31 20:11
Just as a side point, it is completely possible to do whatever you want to the hardware through software, in the hands of a capable programmer. It would most likely have to be done in assembly, although I’m sure it *could* *possibly* be done in a higher-level language.
You could set your monitor refresh rate to 500Hz, set your CPU clock speed to 10 GHz, you could turn off the fans, set your Hard Drive to spin at 30K RPM, heck, you can probably find some software Interrupt that will cause the power supply to overjuice a computer part… The point is it *could* be done, but I don’t think that it would be done through some wmf exploit.
If you’re smart/capable enough to kill a computer with software, then you’re *likely* capable enough to either design your own exploit or not do it at all. Most people that I know that have an UBER high knowledge of computers would never use it for destruction.
Enough said about that, I’m kind of surprised that this “bug” has just recently been acknowledged by MS. I have yet to read the article (time-constraints, will read later), so forgive me if I’m wrong. Something this deep *could* wreak a lot of havoc in the hands of a capable, malicious, person.
For MS’s sake, and all Win users, that patch better come soon….lol
–ZaNkY
I hate to continue with the off-topic stuff, but you’re way off base. You can’t arbitrarily change all those values like you insist. You can change your bus-speed, clock multiplier and a few other things on CERTAIN processors, but it requires a reboot to go into effect.
Not only that, it likely won’t cause irreparable damage. Most modern processors have protection against overheating.
There is very little you can change through software (especially when not in ring0 mode) that isn’t protected against on modern hardware.
Sorry to go off topic again
I totally agree, there are many safeguards against it, but again, someone who knew how to get around them *could* get it done if it were his goal. Even if it required a reboot, chances are the user would never see it coming anyway. I was merely bringing out the possibility. Remember, hardware is controlled with software.
And as far as I know, it’s not that hard to get a program to run in Ring0, if it is done through Assembly. I have the link somewhere…. I’ll look it up
But hey, I’m not here to argue. Again, I doubt that such harmful code would find its way into a wmf exploit. More like some dumb skidy “format c:” or some other dumb trivial thing.
good points sappyvcv.
–ZaNkY
No, someone who knows what they are doing doesn’t have anything to do with it. You simply can’t do that much to hardware through code, even if it’s ring0 and assembly (it doesn’t matter if it’s assembly, you can do inline asm in various high level languages).
You can only run in ring0 if you’re running as a device driver, the end.
Yea. So you run as a device driver.
There’s no reason to damage hardware in a virus/worm. Your code won’t get very far if it destroys all of its hosts!
You can do nasty things to some disks by playing with their settings wrong. But you’d have to know how to do it on each disk. It would just be too hard to make a virus which does real damage by destroying hardware! Maybe a Mac virus could get the job done? There’s much less hardware to attack there.
http://video.google.com/videoplay?docid=8338081239877959959&q=intel << watch this video, it will prove that Intel CPUs are protected against overheating but AMD ones aren’t… well, will provide evidence for… I guess prove was too strong a word.
Um..well.. they did remove the cooling solutions. And that video was made a few years ago anyway, wasn’t it?
True, but it still shows that you shouldn’t take for granted that a system is designed to somehow protect itself from being damaged by heat.
I don’t disagree with you. But Zanky tried to make it seem so simple for “someone that knows what they are doing” to destroy a system’s hardware.
Just because software controls hardware, doesn’t mean software can do whatever it wants with hardware. It’s much more plausible that things with incorrect parameters just fail to work at all.
> You could set your monitor refresh rate to 500Hz
Not likely… you’d be replacing the driver, and firmware probably wouldn’t acknowledge an absurd value. However, you CAN damage cheaper monitors with incorrect driver settings, you are correct there.
> set your CPU clock speed to 10 GHz
That would be through the BIOS, and I’d be impressed if you could do that. So would Intel.
> you could turn off the fans, set your Hard Drive to spin at 30K RPM
Again, controlling things like power management and throttling you are not going to do even by advanced arbitrary code execution. You are talking about replacing driver code and still having the OS function. And hard drives would not spin at 30K even with your own code and extra power. The drivers/firmware wouldn’t even know what to do with those values.
Simple fix.. use Linux, BSD, or Mac
Did you tell that to Ford Explorer owners that had the faulty tires? “Simple fix. Get a new car.”
Granted, there was a fix for the tires: get new ones, paid for.
But it’s the idea. Things aren’t always that simple.
If my car repeatedly had serious problems, yes, I would get a new car.
This TYPE of problem affects ALL operating systems… it’s a coding error, just as buffer overflows are.
Just using UNIX (even if it would solve this problem) isn’t a viable solution. If you were trying to run a business with lots of desktop office work requiring proprietary drivers and apps only available to large user base it wouldn’t be so simple. btw, buffer overflows and date probs are found in unix apps all the time. They just don’t hit the news as potentially affecting millions of home users at once.
Edited 2006-01-01 09:49
“Simple fix.. use Linux, BSD”
Yeah, so using my computer can be ten times harder to use than it already is, yay.
Unix is easy, if it’s not easy you are doing something wrong.
“Unix is easy, if it’s not easy you are doing something wrong.”
Come on, you’re not fooling anyone. Unless you’re talking about OSX.
“Simple fix.. use Linux, BSD”
“Yeah, so using my computer can be ten times harder to use than it already is, yay.”
I am not an IT professional, so I tried a couple of Linux distributions that were claimed to be easy for newbies, KANOTIX and PCLinuxOS.
I found them both very easy to install and very usable – I was productive within just a few hours. They both came with a complete set of applications including a very capable Office suite, and absolutely zero malware and also no registration required or CD-keys to enter or EULAs to read and worry about.
Painless, easy, capable.
So either I am a genius, or you are … a troll?
“So either I am a genius, or you are … a troll?”
Nope, not a troll, just an ex-Linux user (for now) that likes to use my computer and all the hardware it came with, not spend tons of extra time trying to get half my hardware working, and getting very frustrated along the way, like has never happened when using the standard OS: Windows (which I hate by the way). Were you able to get all your hardware working with those easy to use Linux distros? I doubt it. Did you have to use the command line at all? I think you probably are a genius, and someone who doesn’t need to use all the hardware that came with their computer, or do any serious multimedia work (can Linux play more than one audio stream at once yet?). Look, you’re not helping the cause to deny what Linux lacks.
“not spend tons of extra time trying to get half my hardware working, and getting very frustrated along the way, like has never happened when using the standard OS: Windows (which I hate by the way). Were you able to get all your hardware working with those easy to use Linux distros?”
Yes. Every single bit of hardware worked 100% with both of those distributions out of the box, including USB multifunction printer/scanner, digital camera, wireless router & ADSL modem setup, accelerated 3D graphics, PCMCIA wireless network card, etc, etc. Everything.
As I said: ‘I found them both very easy to install and very usable – I was productive within just a few hours.’
“Were you able to get all your hardware working with those easy to use Linux distros? I doubt it.”
Yes. All of it. Oh ye of little faith.
“Did you have to use the command line at all?”
No. Here is me not using the command line:
http://members.dodo.com.au/~quiet1/snapshot39.jpg
“I think you probably are a genius, and someone who doesn’t need to use all the hardware that came with their computer, or do any serious multimedia work (can Linux play more than one audio stream at once yet?). Look, you’re not helping the cause to deny what Linux lacks.”
Wrong, wrong, yes it can, and wronger.
Please try to keep up with what you attempt to criticize. All of your criticisms are well and truly out of date.
Edited 2006-01-02 05:48
Wow, that’s really amazing! PCLinuxOS must be the best Linux distro ever because every one I have tried has given me all the problems I listed in previous posts. I am going to try it as soon as I can. Is there a live CD or a free version? I do still doubt it will work with all of my hardware but I really hope it does because I really want Linux to work for me and be able to use my whole computer without having to resort to using Windows again. I’ll let you know how it goes. Sorry I doubted you but Linux distros have let me down so many times.
“I am going to try it as soon as I can. Is there a live CD or a free version? I do still doubt it will work with all of my hardware”
Can’t guarantee it will work for you, but here it is (and KANOTIX also).
PCLinuxOS is based on Mandriva.
KANOTIX is based on Debian.
Both are LiveCDs with the ability to install to HD.
http://debian.tu-bs.de/kanotix/KANOTIX-2005-04/KANOTIX-2005-04.iso
For KANOTIX, there is one command-line installation script: something like nvidia-installer.sh
For PCLinuxOS, choose one from here that matches your video card:
http://pclinuxos.ethz.ch/mirror/pclinuxos/live-cd/english/preview/
PCLinuxOS is the more complete. It comes with all manner of AV codecs, it can import ttf fonts from a windows installation, and even though it is RPM-based it still uses apt and synaptic. The only additional thing to install is libdvdcss.
Cheers, and good luck.
Simple fix.. use Linux, BSD, or Mac
No problem: Next time there is a security flaw in the crappy linux kernel, and there are, I ask you to switch to Windows as a simple fix
When you find a hole that affects every version of linux installed then I will take your advice.
Oh yea and if you did find that problem (Which has never happened) it still would not affect BSD or Mac OS users.
Another fine mess you’ve gotten us into Mr. Gates. You’d think people would grow weary of getting screwed in the backdoor yet here we are.
There’s an unofficial patch by Ilfak Guilfanov
Details here
http://www.grc.com/sn/notes-020.htm
and here
http://www.f-secure.com/weblog/archives/archive-122005.html#0000075…
I’m not chancing it and am unregistering the dll and patching.
Celerate, my guess is that shimgvw.dll stands for Shell Image Viewer.
Several firms, Microsoft included, told users to disable the Windows Picture and Fax Viewer, the application that Internet Explorer automatically launches to display WMF image files. Microsoft’s advisory instructed users to click the Start menu, choose Run, then enter “regsvr32 -u %windir%\system32\shimgvw.dll” (without the quote marks), and click OK. Doing so, however, breaks the viewer so that it won’t display other associated image file formats, such as those with the .jpg extension, a popular format used by most digital cameras.
http://www.informationweek.com/story/showArticle.jhtml?articleID=17…
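The post above describes the viewer being launched for WMF image files arriving from the web. A defender triaging such downloads wants to recognise WMF content by its headers rather than trusting the extension; the following is an added example, not code from the thread or from Microsoft, that parses the placeable and standard WMF headers, verifies the placeable checksum and walks the record chain to META_EOF. The sample file it builds is constructed here for illustration.

```python
import struct

# Constants from the Windows Metafile format (standard header and Aldus placeable header).
PLACEABLE_KEY = 0x9AC6CDD7        # stored little-endian as bytes D7 CD C6 9A
META_EOF = 0x0000                 # terminating record of every WMF
META_SETBKMODE = 0x0102           # used only to build the constructed sample below
VALID_TYPES = (0x0001, 0x0002)    # MEMORYMETAFILE, DISKMETAFILE
VALID_VERSIONS = (0x0100, 0x0300)


def parse_wmf(data: bytes) -> dict:
    """Identify a WMF by its headers (not its extension) and check its structure.

    Raises ValueError when the bytes are not a well-formed Windows Metafile.
    """
    offset = 0
    placeable = False
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        # Placeable header: key, handle, bbox (4 x int16), inch, reserved, checksum.
        # The checksum is the XOR of the ten 16-bit words that precede it.
        expected = 0
        for word in struct.unpack_from("<10H", data, 0):
            expected ^= word
        (checksum,) = struct.unpack_from("<H", data, 20)
        if checksum != expected:
            raise ValueError("placeable header checksum mismatch")
        placeable = True
        offset = 22

    if len(data) < offset + 18:
        raise ValueError("too short to hold a WMF header")
    (mtype, header_words, version, size_words,
     num_objects, max_record, _) = struct.unpack_from("<HHHIHIH", data, offset)
    if header_words != 9 or mtype not in VALID_TYPES or version not in VALID_VERSIONS:
        raise ValueError("no WMF header at offset %d" % offset)

    # Walk the record chain: each record starts with a DWORD size (in 16-bit words)
    # and a WORD function number; the chain must end with META_EOF inside the file.
    records = []
    pos = offset + 18
    while pos + 6 <= len(data):
        rec_words, func = struct.unpack_from("<IH", data, pos)
        if rec_words < 3:
            raise ValueError("record at %d is shorter than its own header" % pos)
        records.append(func)
        pos += rec_words * 2
        if func == META_EOF:
            break
    else:
        raise ValueError("record chain ended without META_EOF")
    if pos > len(data):
        raise ValueError("last record overruns the end of the file")

    return {
        "placeable": placeable,
        "version": version,
        "num_objects": num_objects,
        "max_record_words": max_record,
        "declared_words": size_words,
        "actual_words": (len(data) - offset) // 2,
        "records": records,
        "trailing_bytes": len(data) - pos,
    }


def is_wmf(data: bytes) -> bool:
    """True if the bytes parse as a structurally valid WMF, whatever the filename says."""
    try:
        parse_wmf(data)
        return True
    except ValueError:
        return False


def build_sample_wmf() -> bytes:
    """Construct a minimal valid WMF: placeable header, standard header, two records."""
    body = struct.pack("<IHH", 4, META_SETBKMODE, 1)       # SETBKMODE(TRANSPARENT)
    body += struct.pack("<IH", 3, META_EOF)                # terminator
    header = struct.pack("<HHHIHIH", 0x0002, 9, 0x0300,
                         (18 + len(body)) // 2, 0, 4, 0)
    # Placeable part: 100x100 logical units at 96 units per inch, handle/reserved zero.
    placeable = struct.pack("<IHhhhhHI", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0)
    checksum = 0
    for word in struct.unpack("<10H", placeable):
        checksum ^= word
    return placeable + struct.pack("<H", checksum) + header + body


if __name__ == "__main__":
    sample = build_sample_wmf()
    print(parse_wmf(sample))
    corrupted = bytearray(sample)
    corrupted[20] ^= 0xFF                      # break the placeable checksum
    print("corrupted sample accepted:", is_wmf(bytes(corrupted)))
```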
The Best. New Years. Present. Evar.
From all Mac users to all Windows users: We wish you a very happy 2006.
That is so true. I abhor the thought about destroying computers
I lost the link that I had earlier that showed how to switch to ring0, but I found many, many more on Google. This is one off of Phrack, if anyone knows them.
I’m a security enthusiast, it’s kinda my job to know what can and can’t be done.
The link as promised
http://www.phrack.org/show.php?p=59&a=16
You don’t need to download the entire magazine, just Ctrl-F for “ring0”.
I’m not going to link to any potentially destructive code, although I will assure you, it exists.
My point being, that:
1) It is possible to enter ring0 execution (easily at that)
2) It is possible to damage hardware, although it would be incredibly hard. Keyword: POSSIBLE
I also want to apologize for going way off track, but it is always necessary to consider the worst case scenario, isn’t it? Yes, someone malicious enough, knowledgeable, and cruel, could bring about chaos by inlining ring0 execution code, that fries CPUs with some over-clocking, upping vcore, shutting down fans (while still making sure that safeguards don’t shut the system down), or some combinations thereof, into some wmf file, that is placed on Google, MSN, and yahoo’s front pages through some DNS poisoning technique, web defacing, or other random method.
What a run-on sentence P
Again, forgive me for going off track, this will be the last comment I place in this news article relating to the above. I strongly believe that this issue is not being taken as seriously as it should be. Patch up!
–ZaNkY
(note: this wmf thing is sort of like that GDI JPEG exploit thing, correct me if I’m wrong )
a security enthusiast should do more research.
in windows xp, you need administrator privilege to access \Device\PhysicalMemory. a properly administered system is at no risk to this “ring0” attack. if you have administrator privilege, you can install and access device drivers anyway.
in windows server 2003 sp1, the object can’t be accessed with any privilege.
this is just like having access to /dev/kmem in linux with root privilege.
i think you are right though with regards to physical damage in that it is remotely possible. some systems support live changes to voltages and fans. almost all the manufacturers implement it differently. assuming some silly user is browsing the web as an administrator, and gets hit with an arbitrary code execution vulnerability and that vulnerability just happened to have code designed to get kernel level access and be designed to work with that user’s exact hardware, it could be possible. it would be quite a feat to see that pulled off. consider how much work and how many NDA’s the author of Motherboard Board Monitor had to sign, just to get the mobo specific code to read temps and fan speeds.
On Windows it is my observation that a driver can be installed on the system by a simple executable on a CDROM. The executable runs, places some files in temporary locations, and schedules a task to be run on next boot to finish off the installation process. This is part of the reason why Windows requires a re-boot so often when installing new software.
OK, if an “install program” on a CDROM can arrange for a ring0 driver (or indeed as Sony demonstrated even a rootkit) to be installed into the system on next boot, why can’t a malware executable from who-knows-where-on-the-web do exactly the same thing?
Next time you boot the system it destroys itself.
When you log in as administrator, you should only be installing from trusted media (this goes for any OS!), i.e. a legit Adobe disc or something. if you pop in that burnt copy of Photoshop your buddy gave you, and it 0wns your system when you start the install, that’s too bad, not Windows’ fault. A simple executable could do just as much harm on linux, if you’re running as root, which is the analog of running as admin on windows.
As a user, the worst thing a simple executable on a CDROM can do is schedule something to run when that user logs on again, and whatever it schedules will run with his privileges, which means it can’t install a ring0 driver. Sony’s rootkit was harmless to people running properly administered systems. Users have no write access to the Windows directory.
Proper administration goes for any OS. You can schedule something to run when you log back in on linux too, but just like windows, it’s stuck with that user’s privileges.
there are a lot of analogous situations between windows and linux. they both have super users that allow free reign, root and administrator. the main difference is linux users tend to set their systems up properly, windows users do not, it’s hardly a fundamental issue with windows. and actually, both camps are even thinking about the issue and coming up with solutions. SELinux and roles in linux and LUA and limited privileges of even admins in Windows Vista are changing the whole free reign thing even for the respective super users.
i always load Microsoft’s higher security policies on new installs. one effect of this is disabling autorun for all removable media. autorun is an absurd idea IMHO. linux gets thumbs on that one, i don’t know of any distro with autorun by default.
“As a user, the worst thing a simple executable on a CDROM can do is schedule something to run when that user logs on again, and whatever it schedules will run with his privileges, which means it can’t install a ring0 driver. Sony’s rootkit was harmless to people running properly administered systems. Users have no write access to the Windows directory.”
I don’t believe this is actually the case. Windows (even Windows XP) will happily run executables from FAT32 media. FAT32 format does not have “owner” or “permissions” attributes as part of the file structure. Since Windows (by design) allows execution of files without identified permissions or owners (for example if it happens to be installed on a FAT32 disk instead of an NTFS disk), then it cannot know which user of the system (for example) inserted a command into “autoexec.bat” (or something similar). AFAIK at boot time it just runs things automatically and with root privileges without knowing who or how those commands were scheduled or where the associated files came from.
Windows is binary-compatible with a single-user non-networked OS from circa 1995. That fact alone means it is necessarily inherently insecure.
i’m not even going to touch running windows xp on FAT32 with a 40 ft pole. basing any argument against windows on such a crippled install is just pointless. i’ve never even seen such an install (systems never came preinstalled that way, upgrade perhaps?), but yes, doing so would forfeit file system security completely and anyone could schedule anything. but if that were the case, why bother scheduling it, just do whatever the hell ya want.
furthermore i think you might be confused about how a process gets its privileges. they’re inherited from the process that launches it, not the owner or permissions on the filesystem.
again it’s not inherently insecure. again basing any argument against windows on such a crippled fat32 install is just bull.
“i think you are right though with regards to physical damage in that it is remotely possible.”
It is actually quite easy – just changing some BIOS settings will do it.
I had a go at one time at “overclocking”. The instructions said to increase the BIOS settings for clock speeds, multipliers and bus speed until the machine would no longer boot. After that it was necessary to re-set the CMOS RAM (using a jumper on the motherboard), then manually put back all the settings and back off on the clock speeds back to the highest values that still worked.
Given all that – it is therefore possible for any software that can change BIOS settings to render a machine unbootable to the extent that over 95% of computer users would have to take the machine back to a store to get it operational again.
Edited 2006-01-01 01:39
OMG enough with all these “i know how to fix this, use linux”, “bet you wish you were a bsd user”, and “happy new year from mac users”!
we can smell the trolls coming from a mile away everytime a negative microsoft article is reported.
i’m not a huge microsoft fan, i just get tired of scrolling past your useless dribble.
“i’m not a huge microsoft fan, i just get tired of scrolling past your useless dribble.”
Hear hear.
Grow up folks.
That’s the case with all mainstream operating systems, of course. Sure, some developers write shitty software that needs to be run as admin, but that’s not the operating system’s fault.
Here is a perfect example for all the silly Windows supporters! The ones who say “If Linux was more popular then it would be attacked more etc because hackers go after the more popular OS”
But yet here is a hole big as a house in Windows, not found by “Hackers” but by security experts! And Microsoft as always has no answer for it!
Doesn’t matter if there were 500 Windows machines in the world or 500 million, the holes are still there and you are crazy to think it will get any better!
So please get off the crack and use BSD, Linux, Mac OS (BSD) or something else! Windows is insecure, over priced and a mess!
And Vista will be a little more secure than XP but not much, there is no way they can put a full Linux/Unix style permission set in Windows cause it would freak their user base out. Plus it would freak out Windows administrators. People are so used to just being able to install whatever, whenever with nothing stopping them. Administrators are so used to being able to use the System Account to get around the problem of trying to remotely install software and patches while there is no privileged user logged in.
Who’s gonna teach all these people different? What is going to happen (like in XP) is that during the install process (and this is actually a problem with Linspire Linux and Mac OS. Even though in Mac OS it’s not so bad cause you still must enter your password for software installs etc even though the first user you create after you do an install is an Admin (not root though like in Linspire)) you will have the option to add higher security but not be forced to. When you get an OEM install the higher security will not be on so that when you boot up you will be just taken to a desktop and not have to make accounts etc. And as always MS will blame users for this, even though MS has never told regular users to do anything else (trying to keep that Windows 95/98/ME feel).
That is why I like the Mac OS and Ubuntu, yea it’s a pain for power users to use sudo in Ubuntu but all you have to do is type : “sudo passwd root” create a password and then go in to options and allow GDM or KDM to let root login. (sudo passwd -l root will turn root back off, then you turn root off in KDM and GDM)
My point is that even if Microsoft puts in better user level security I doubt that they will educate their user base on how and why they need to use it. And Windows supporters along with MS will continue to blame Hackers and stupid users for their problems!
> “An executable will run on a Windows system without any local user giving it permissions to run. The only thing that a Windows system requires in order to attempt to run an executable (from anywhere) is that the executable has a particular extension (one of about twenty or so).” <
“And your point it is?”
The point is that this is the API for executable programs on Windows systems.
Windows doesn’t check if a file has been given executable permissions by any user at all (let alone the admin) who knows a password on the local machine – Windows just runs it anyway.
Since the notion of “users”, “accounts” and “privileges” was totally absent in the design of Windows circa 1995, and since modern versions of this OS are backwards compatible with that API – then necessarily the notion of “users”, “accounts” and “privileges” is a bolt-on afterthought.
Windows often loses track of who has invoked what – indeed it will often allow something to be invoked without any idea of who invoked it or where it came from – Windows will run it anyway – this very vulnerability is a good example.
Windows ACLs are a part-way solution around these severe security deficiencies in Windows design – but far too often they are not invoked or are easily worked around.
As far as over 95% of Windows installations out there goes – Windows is not secure at all. By design, and by default.
As a matter of experience for example I know of Windows XP installations where accounts have been disabled – anyone who turns on the machine is automatically logged on (without any password) as root!
Since the notion of “users”, “accounts” and “privileges” was totally absent in the design of Windows circa 1995, and since modern versions of this OS are backwards compatible with that API – then necessarily the notion of “users”, “accounts” and “privileges” is a bolt-on afterthought.
You have absolutely NO idea what you are talking about. The DACL model used in NT has been there since day one (1993). Win32 originated on NT, not Windows 95 (it was bolted on to the DOS/VMM386 kernel, NOT the other way around). The rest of your post is just so much FUD.
You need to understand that there are people who have CONSIDERABLY more knowledge regarding systems internals than you do. If you want to have a critical discussion about Windows, that’s fine. However, it would be wise in the future to actually KNOW what you are talking about before shooting your mouth off.
Oh, and yes, if I either remove the ACE or set an explicit deny entry on the ACL on ANY object referenced by the Security Reference Monitor you will not be able to access that object. Everything in NT is an object managed by the Object Manager executive subsystem and every object has a security descriptor with an ACL enforced by the Security Reference Monitor executive subsystem (obviously if you are using a legacy filesystem with no defined NT SDDL ACL, the object will be instantiated by the system with a blank ACL). If you wish to view the pervasiveness of this functionality use process explorer from http://www.sysinternals.com .
“obviously if you are using a legacy filesystem with no defined NT SDDL ACL, the object will be instantiated by the system with a blank ACL”
… where a legacy filesystem is defined as? anything other than NTFS perhaps? meaning floppy disks, USB sticks, CDROMs and data DVD’s perchance? meaning that Sony can install a rootkit because it came to the system via CDROM, possibly?
There are hundreds of exploits of Windows supposed security that have nothing at all to do with buffer overflows. They are just plain and simple holes in the system – the system whose API was designed circa 1995 (not Windows NT – the API is still Win’95 design).
You have absolutely NO idea what you are talking about. The DACL model used in NT has been there since day one (1993)
You should stop talking out of your a**. Security of NT and all of its derivatives (yes 2003 too) is abysmal.
This flaw is one more proof, but won’t stop those in denial from thinking otherwise.
The rest of your post is just so much FUD
It’s not. You are the clueless one.
However, it would be wise in the future to actually KNOW what you are talking about before shooting your mouth off
Look who’s talking there.
Oh, and yes, if I either remove the ACE or set an explicit deny entry on the ACL on ANY object referenced by the Security Reference Monitor you will not be able to access that object
Didn’t you know ? GPO is flawed too, and GPO use these ACE/ACL. Stop the BS please.
The Sony rootkit and WMF flaw are proof you are all wrong. All of these won’t work on non NTFS anyway. You are surrounded by non NTFS systems/appliances (USB key, CDROM, …) in case you didn’t know.
Everything in NT is an object managed by the Object Manager executive subsystem and every object has a security descriptor with an ACL enforced by the Security Reference Monitor executive subsystem
Wrong. That’s one big flaw of NT BTW.
obviously if you are using a legacy filesystem with no defined NT SDDL ACL, the object will be instantiated by the system with a blank ACL
It’s not obvious at all to me. Especially since in Linux, this is configurable on an object by object basis, by device, by default, …
So these kind of hacks are not possible by default on a Linux system, so no, it’s not obvious to me.
Didn’t you know ? GPO is flawed too, and GPO use these ACE/ACL. Stop the BS please.
The Sony rootkit and WMF flaw are proof you are all wrong.
Actually they prove that you are the one who’s wrong and doesn’t know absolutely anything about malware, the windows security model and security vulnerabilities in general.
Shellcode exploiting this WMF flaw will run AS USER, ie: if you visit the web page logged in as LUA (non-admin), the shellcode, the trojan downloader the shellcode is dropping and the spyware the trojan downloader is downloading and executing will run AS USER.
There is NO WAY to escalate privileges with this WMF bug.
As for the sony DRM rootkit – its rootkit component is the aries.sys driver, it’s basically copy/pasted from sample source from rootkit.com. Now, if you knew anything on windows drivers, you would know that there is NO WAY to install them unless you’re running as Admin, regardless of the filesystem you’re trying to run the driver from.
All of these won’t work on non NTFS anyway. You are surrounded by non NTFS systems/appliances (USB key, CDROM, …) in case you didn’t know.
When you see spyware, worms and viruses spreading via USB and CDROM, let me know.
Everything in NT is an object managed by the Object Manager executive subsystem and every object has a security descriptor with an ACL enforced by the Security Reference Monitor executive subsystem
Wrong. That’s one big flaw of NT BTW.
No it isn’t, IMHO NT Object Manager is the supreme example of its great design. Imagine: everything is an object (file, device, thread, semaphore, mutex, process, driver..), and every object type has a set of private routines (OPEN/QUERY/CLOSE/DELETE/SECURITY) that are routed onto object-specific functions.
When you open a file in Windows Explorer, open a mutex or semaphore inside your C code, try to terminate a process in Task Manager…the object type specific SECURITY method is invoked and your access token is validated against the ACL of the object you are trying to open/delete/enumerate/execute..
Now show me how to set an ACL on a socket or POSIX semaphore/thread/mutex in linux without installing some obscure kernel patches? No way dude.
Thanks to NT Object Manager i can atomically wait on an array of DIFFERENT object handles with WaitForMultipleObjects(), there is no way to do anything similar in pthreads.
Especially since in Linux, this is configurable on an object by object basis, by device, by default, …
In NT-based Windows you can configure ACLs on an object-by-object basis too, you could do it actually since 1993.
Go download sysinternals Process Explorer, WinObjEx tools and play as much as you like.
So these kind of hacks are not possible by default on a Linux system, so no, it’s not obvious to me.
Oh please, there are hundreds of linux rootkits easily found on the Internet, actually the very first rootkit was made for UNIX (SunOS) in 1994. And regarding the WMF exploit, it’s a classical buffer overflow and linux is by no means immune to them. It’s the result of the IA-32 stack implementation that (up until recently) didn’t support a non-executable stack.
Edited 2006-01-02 12:31
“And regarding WMF exploit, it’s a classical buffer overflow”
As I understood it, this vulnerability is not a buffer overflow. Rather it is due to a design feature of the WMF data format where the data can include a call to have some coded instructions executed.
AFAIK, it is a classic repeat (yet again) of the basic security hole where Windows mixes executable instructions in with the data formats.
As I understood it, this vulnerability is not a buffer overflow. Rather it is due to a design feature of the WMF data format where the data can include a call to have some coded instructions executed.
That’s pure BS. Go download ANY of the WMF trojan droppers, as original one posted on bugtraq:
http://www.securityfocus.com/archive/1/420288/30/30/threaded
http://unionseek.com/d/t1/wmf_exp.wmf
If you open it inside hex editor, you can see a bunch of 0x90 bytes – in IA-32 this is “nop” (no operation) opcode, and filling a bunch of nops inside shellcode is the classical way of making it more reliable, since you don’t have to guess the precise location of return address on stack, but some range.
Now, if it were as you claim that there is EXECUTABLE BINARY CODE that gets called inside the GDI engine in the form of jmp __fixed_offset_in_WMF_data_header, there wouldn’t be a need for those nops, would there?
AFAIK, it is a classic repeat (yet again) of the basic security hole where Windows mixes executable instructions in with the data formats.
And what other “examples” of this “security holes” can you name?
“Now, if it were as you claim that there is EXECUTABLE BINARY CODE that gets called inside the GDI engine in the form of jmp __fixed_offset_in_WMF_data_header, there wouldn’t be a need for those nops, would there?”
Strawman.
http://en.wikipedia.org/wiki/Strawman#In_logic_and_rhetoric
http://www.fallacyfiles.org/strawman.html
I did not claim that the WMF file contained binary instructions – those are your words.
As I understand it, a WMF file may contain a code followed by parameters which (when the WMF file is processed by the Windows OS) causes a call (with the associated parameters) being passed through to gdi32 (or whatever – something like that).
The call to gdi32 with appropriate parameters can be arranged to cause Windows to then execute anything desired – including malware.
I would speculate that this has the effect that the end executable is run at the privilege level of gdi32.
“what other “examples” of this “security holes” can you name?”
IE -> MSHTML.
IE, Outlook -> ActiveX.
vbscript in .doc & .xls
Apparently just parsing a link is dangerous – as is anything else that Outlook now bans (rather than fix Windows security MS just bans file types in Outlook).
Just from my limited knowledge.
http://www.hexblog.com/2005/12/wmf_vuln.html
It is from the reputed IDA pro disassembler programmer. This is an intelligent fix.
I don’t understand why it is taking so long for Microsoft to respond to this problem with a workable solution.
and people almost forgot there’s still no patch for this security hole.