Info on Windows' WMF Vulnerability

[Sidoh]

http://it.slashdot.org/it/06/01/05/2027259.shtml?tid=172&tid=128&tid=201&tid=218

Awesome. Ahead of schedule. It only ~100 or so variants of this vulnerability for them to go "oh, shit, maybe we are fuckbags."

Yuck, what a bunch of dipshits.  At least they're patching it...

[Newby]

Oh, yeah, when this originally showed up on slashdot (the wmf vulnerability) I went to tell my dad and they already had a patch for employees out.

This is what I observed from the internal webpage for M$ slaves, seeing as how the word "test for public" and "download" were all over it.

[iago]

There's an MS patch that got released publicly.

It was posted to DSL Reports earlier. We obtained a copy of it to see if it was actually malware - turned out to be from Microsoft "for real" and contained "WindowsXP-KB912919-x86-ENU.exe" within a ZIP file. We fed it to a few lab rats and it wanted to write to a strange new folder on a D: drive. So we ran it on a couple of lab rats that HAD a D: drive.

 Setup began, wham! BSOD that would have made NT 3.5 proud. "kernel-in-page" error and the world latched. Hard reboot and the "you've been naughty" check of the D: drive every time.   

 I can see why they were a bit miffed at it escaping Redmond. Heh.

[Quik]

I still wanted to make a non-malicious PoC and post on a large image-sharing website such as deviantART.

[mynameistmp]

A guy from hexblog released an unofficial fix for this before MS did:

http://www.packetstormsecurity.org/Win/patches/WMFHotfix-1.4.msi

[iago]

A guy from hexblog released an unofficial fix for this before MS did:

http://www.packetstormsecurity.org/Win/patches/WMFHotfix-1.4.msi

Haha yeah, I think I mentioned Ilfak's patch somewhere.. that's awesome

But apparently, it interferes with some printer drivers, so it might not be as simple as originally though.

[iago]

Of course, Microsoft did the exact same thing as Ilfak, modified very slightly:
http://blogs.securiteam.com/index.php/archives/184

Good game! 

[Warrior]

Ilfak patched only his own build of Windows XP. Later, Steve Gibson had to help him add support for Windows 2000 SP4 and various others helped with mechanisms for repackaging and deploying on managed corporate networks.

Microsoft dealt with 9 versions and service pack levels of Windows (including 64-bit editions) in U.S. English PLUS 23 localized versions. Since Microsoft’s patch was built into gdi32 rather than “hooked” via AppInit_DLLs, there was much more regression testing required (more to check for build errors than for code/logic errors).

The resulting builds must be signed and packaged with CAT files required by Windows File Protection. Those hotfix packages also contain versioning and dependency checks so that a future hotfix for gdi32 will not be overwritten if this hotfix is accidentally reinstalled. (This sounds simple when you’re only dealing with one DLL but when a hotfix includes multiple DLLs with dependencies, it used to be a real problem in the 2000-2001 timeframe before Microsoft established the current mechanism.)

Additionally, there is automatic “migration” capability so that you can install the hotfix on XP SP1 and then apply SP2 without redownloading and reapplying the hotfix. (If you look under the hidden folder %SystemRoot%\$hf_mig$, that’s what those files are for.)

Conclusion of testing and packaging still left hundreds of files to be mirrored AND verified. There are servers supporting microsoft.com/downloads (direct download), Windows Update/Microsoft Update (the site known to end-users), MBSA (detection tool requiring metadata updates) and Windows Server Update Services (corporate tool). If you snoop through the filenames and XML metadata files used internally, you’ll see that these are separate infrastructures which obviously involve substantial work to stage around the world. Given how heavy the load on hexblog.com was, it still only represented a tiny fraction of technically inclined Windows users. When Microsoft releases a critical fix, the server hits are measured in the hundreds of millions.

Lastly, certain documentation (much of it in multiple languages) must be ready to publish at the same time as the hotfix itself. This always includes Security Bulletins (in simplified and technical versions) and KB articles. In a high-profile situation like this, key partners and enterprise accounts don’t like their “Support Flash” communications to trail the hotfix availability by much.

So when Microsoft says “testing,” you need to realize that there is also substantial “build” and “release” work implied as part of the process. Although grandma probably understands “testing,” it’s unlikely that she cares to hear about anything from the realm of makefiles or XML manifests so you wouldn’t hear about build/release aspects in the soundbite quotes given by Microsoft to mainstream media for laypeople.

Seems they did a bit of more work (By a bit I mean a shitload)

[iago]

But in the end, their patch looked almost the same. 

Most of the stuff in the article (like, 95% of it) should be automated.  I highly doubt they went to each of the localized versions and made the same code change, and I doubt they manually test everything.  They obviously don't package cab files or the migration files manually.  I don't really see what the big problem is, everything they're doing there ought to be automatic. 

[Warrior]

They have to ENSURE to thier customers that the patch will work with no strings attached, say that guy's patch hadn't worked, it wouldn't be a big deal. Microsoft deals with hundreds of millions of customers and they have thier reputation to lose along with thier credibility of being able to fix bugs in thier OS. I'd opt for more bug testing and a later release as opposed to less bug fixing and a earlier rushed release.

[Screenor]

They have to ENSURE to thier customers that the patch will work with no strings attached, say that guy's patch hadn't worked, it wouldn't be a big deal. Microsoft deals with hundreds of millions of customers and they have thier reputation to lose along with thier credibility of being able to fix bugs in thier OS. I'd opt for more bug testing and a later release as opposed to less bug fixing and a earlier rushed release.

And now I bring you to subject SP2.

[Sidoh]

They have to ENSURE to thier customers that the patch will work with no strings attached, say that guy's patch hadn't worked, it wouldn't be a big deal. Microsoft deals with hundreds of millions of customers and they have thier reputation to lose along with thier credibility of being able to fix bugs in thier OS. I'd opt for more bug testing and a later release as opposed to less bug fixing and a earlier rushed release.

The MSI install package for the fix is 86 Kb.  Ilfak was able to code a fix that at least "pseudo" worked in but a few hours.  To me, that says it's not that difficult of a process.

I do agree that patching an OS is a very delicate procedure and it should have thorough testing, but when you have an exploit that renders a computer as venerable as this one, it's pretty time-critical.

[Warrior]

I think they realized that and after thiers was leaked they had no choice but to release it and hope for the best. It's a hard decision to make I'd agree but atleast it's fixed now officially.

[Sidoh]

I think they realized that and after thiers was leaked they had no choice but to release it and hope for the best. It's a hard decision to make I'd agree but atleast it's fixed now officially.

Haha, yeah.  I still don't think they should have ever even considered releasing a patch to a vulnerability this serious that late, though...

Oh well, it's fixed!

[iago]

They have to ENSURE to thier customers that the patch will work with no strings attached, say that guy's patch hadn't worked, it wouldn't be a big deal. Microsoft deals with hundreds of millions of customers and they have thier reputation to lose along with thier credibility of being able to fix bugs in thier OS. I'd opt for more bug testing and a later release as opposed to less bug fixing and a earlier rushed release.

Why isn't it automated?  Can't they just upload the patch to a virtual test machine, and it tries it automatically on every conceivable system?  Don't tell me that's beyond Microsoft's abilities, I'm sure it's not.  Testing should take seconds!