Acmlm's Board - I3 Archive - Hardware / Software - Windows Metafile Exploit
Tommathy:
The problem (rather scary, actually)
Possible workaround (somewhat helpful, kind of a nuisance, but won't defend against all attack vectors)
DarkSlaya:
Now, I wanna know the name of the installed trojan.
Simply because I want to know if there's been an update for my AV (AVG - there's been an update yesterday).
Ailure:
...I opened around five pages with IE with this laptop. Maybe one more or less. Half of them were the Mozilla homepage, the rest was me testing online.php as a guest on IE.
Shows how much belief I still have in IE, eh? ~_~ Heh, WMF... I recall seeing that extension for clipart, which usually uses vectors, although to be honest I haven't used clipart in forever. It looks lame now.
HyperHacker:
I don't think IE has much to do with it this time.
"Disabling the Windows Picture and Fax Viewer will not eliminate the risk as the flaw exists in the Windows Graphical Device Interface library." "...a serious security issue that has cropped up before in browsers, including lololol and Safari." If the hole is in the Windows GDI, then any program that displays WMFs is vulnerable. (edited by HyperHacker on 12-31-05 01:18 PM)
Ailure:
Look at that movie
X_X I swear, my next primary OS will not be Windows.
HyperHacker:
Yeah, pretty bad. Though it fails to fully demonstrate the problem... they should have shown the user just browse to a site containing that image.
max:
As far as I know it doesn't work when viewed inline (at least in good browsers).
HyperHacker:
Dunno, the article makes it sound that way...
Actually, judging by this:
It sounds like some browsers might execute the code while IE just shuts down. (Still, remote crashing is bad.) Really, if inline images don't trigger it, then it's not exactly as critical as it sounds. I don't see why they wouldn't, though. The bug is in the GDI, which is used to draw nearly all images, whether they be inline in a web page or BMPs in MSPaint or the desktop background. (The only exceptions are programs that use DirectX or OpenGL, or have their own image drawing code for some reason.) I guess the only way to be sure would be to make a test image and try it. But for that I'd have to find how exactly to use the exploit and write the code in ASM, which I'd rather not do. (ASM + Windows = Pain!)
HyperHacker:
Since MS has been so slow to update, here's someone who claims to have made their own fix.
MathOnNapkins:
So... uh... does Windows use WMF files as a middle-man format for display? I don't see how this would be that dangerous b/c I haven't seen a file with a .wmf extension in ages. Wouldn't it be best to make patches that filter out .wmf files? (edited by MathOnNapkins on 01-03-06 08:17 AM)
dormento:
The problem is that Windows recognizes metafiles by their header. In that sense, you could pick a metafile, stuff your payload inside and rename it to .jpg.
The poor victim gets the file, opens an explorer window with thumbnails on. Windows thinks "ohoho, look at this, it's an image file, let's see if I recognize the format. Wheee, it's a metafile!" File extension doesn't matter. For all I know, it checks this type of information for every file in the system. Have you ever tried to rename an .EXE to something else, only to check the properties dialog and see version information? I think the GUI (or CLSID or whatever) always takes priority over file extension. And this exploit has been there since at least Win95. That's scary.
FreeDOS +:
That's awesome, especially since I'm not on Windows.
MathOnNapkins:
Originally posted by dormento
I didn't mean a filter for the file extension. As you put it, I meant reading from the internal header of the file. I'm gonna go look around for patches in the meantime. They said it might be a week before Microsoft makes one.
Tarale:
Funny, I've known about this for a while but keep missing the thread here.
Well, now they're actually recommending that people install the unofficial patch. I think it's been tested and the binary actually does what the source code says it does and such, so I dunno.... Microsoft is still preparing their own patch, but that won't be till next week.... meh.
Chris:
Wow. This must be big. I was reading through -- at the same time, heard it on the news. I can't believe the exploit's been out since Win95...
Tarale:
Originally posted by Chris
Yes, it's unusual that something like this hits mainstream media; but it's good that they're taking it seriously. This has been all over the usual geek media for days -- Slashdot and Ars have both run stories, and it's all over Google News. I'd consider telling my boss about it, but then she'll send out a warning to all users which will freak them out for no real good reason and they'll call us. (Note: I consider unnecessarily panicking a bunch of computer illiterates for something they can't fix to be "no good reason".) (edited by Tarale on 01-03-06 11:34 PM)
Ailure:
And considering that they don't support some of their older OSes... that's a problem.
I really doubt they'll fix it for Win 95 and 98... an OS people still use to this day. I'm not sure if 2000 and ME are abandoned yet, but they will be soon enough anyway. (edited by Ailura on 01-03-06 11:30 PM)
dcahrakos:
Here's an unofficial patch... worked for me.
http://castlecops.com/a6436-Newest_WMF_Exploit_Patch_Saves_the_Day.html
Tarale:
Incidentally, Microsoft are strongly recommending against the unofficial patch and advise that their patch will be released on the 10th.
Google News has been interesting to watch these past couple of days, with articles that tell you either to get the patch or not get the patch...
HyperHacker:
Someone asked just how this works in Programming, but the thread got closed, so I thought I'd explain here. (||bass gave a fairly good explanation, but I feel like doing so myself.)
Any time a program reads things from a file it has to put them in memory. This means it has to reserve some space in memory (what's called a buffer) for the data it reads. The problem is that the program doesn't check the size of the data. If the data is too big the program will blindly copy it into the buffer, and since the buffer isn't big enough the data also gets copied over whatever else is in memory nearby. (Unfortunately this is a common problem in Microsoft's programs.) If there's enough data it can overwrite program code or pointers in memory, so if the data writing over it is actually program code, it gets executed instead of the code that should be there. (Or in the case of overwriting a pointer, it changes it to point to some part of the data which contains code.)

Is there any patch out yet for Win98?
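The unchecked-copy bug class HyperHacker describes above, as an added C example that is not code from the thread: a parser that trusts the file's own length field next to one that checks it against both the destination buffer and the bytes actually present. The record format is a constructed toy (a 4-byte length plus body), not the real WMF layout.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy record format for illustration only (not the real WMF
 * layout): a 4-byte little-endian length of the record body, then the body.
 * The parser keeps the body in a fixed-size buffer. */
#define BODY_MAX 16

struct record { uint32_t body_len; uint8_t body[BODY_MAX]; };

static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The bug class the post describes: the length field comes from the file and
 * is trusted, so an oversized body is copied past the end of out->body. */
static int parse_record_unchecked(const uint8_t *data, size_t len, struct record *out) {
    if (len < 4) return -1;
    out->body_len = rd_le32(data);
    memcpy(out->body, data + 4, out->body_len);   /* no bounds check */
    return 0;
}

/* Hardened: the declared length must fit the destination buffer and the
 * bytes actually present in the input before a single byte is copied. */
static int parse_record_checked(const uint8_t *data, size_t len, struct record *out) {
    if (len < 4) return -1;
    uint32_t n = rd_le32(data);
    if (n > BODY_MAX) return -2;    /* would overflow out->body */
    if (n > len - 4) return -3;     /* would read past the end of the input */
    out->body_len = n;
    memcpy(out->body, data + 4, n);
    return 0;
}

/* Constructed sample records: well-formed, oversized body claim, truncated. */
static const uint8_t good_rec[]  = { 0x05, 0, 0, 0, 'h', 'e', 'l', 'l', 'o' };
static const uint8_t huge_rec[]  = { 0x00, 0x10, 0, 0, 'A', 'A', 'A', 'A' }; /* claims 4096 */
static const uint8_t short_rec[] = { 0x08, 0, 0, 0, 1, 2, 3 };               /* claims 8, has 3 */

int main(void) {
    struct record r;
    printf("unchecked, good: %d\n", parse_record_unchecked(good_rec, sizeof good_rec, &r));
    printf("checked, good:   %d\n", parse_record_checked(good_rec, sizeof good_rec, &r));
    printf("checked, huge:   %d\n", parse_record_checked(huge_rec, sizeof huge_rec, &r));
    printf("checked, short:  %d\n", parse_record_checked(short_rec, sizeof short_rec, &r));
    return 0;
}
```

The unchecked parser is only ever fed the well-formed record here; the checked one rejects the oversized and truncated records before any copy happens.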