The Power of Open Source

One of the criticisms of open source software is that there is no one to blame when a customer needs a problem solved. For example, if an open source OS or application is found to suffer a vulnerability, no one is seen to be responsible for patching it. Following this line of thinking, commercial software is considered a superior choice for consumers (whether corporations or individuals). When a problem happens, users can rely on the vendor.

The recent SANS ISC post about the WMF vulnerability has completely annihilated this argument. I have criticized SANS in the past, but I cannot fault their handling of the ongoing fiasco. I've never seen anything like this plea by Tom Liston before:

Looking forward to the week ahead, I find myself in the very peculiar position of having to say something that I don't believe has ever been said here in the Handler's diary before: "Please, trust us."

I've written more than a few diaries, and I've often been silly or said funny things, but now, I'm being as straightforward and honest as I can possibly be: the Microsoft WMF vulnerability is bad. It is very, very bad.

We've received many emails from people saying that no one in a corporate environment will find using an unofficial patch acceptable.

Acceptable or not, folks, you have to trust someone in this situation.

To the best of my knowledge, over the past 5 years, this rag-tag group of volunteers hasn't asked for your trust: we've earned it. Now we're going to expend some of that hard-earned trust:

This is a bad situation that will only get worse. The very best response that our collective wisdom can create is contained in this advice - unregister shimgvw.dll and use the unofficial patch. You need to trust us.


The unofficial patch Tom references was written by Ilfak Guilfanov and described here. What is this? It's a patch created by a non-Microsoft developer, acting more rapidly than Microsoft itself. Sure, you can argue that Microsoft is working now to develop a patch that will hopefully address deeper problems, perhaps serious problems. Nevertheless, SANS has reverse engineered the unoffical patch to ensure its validity, wrote a FAQ about the vulnerability, and is now hosting a .msi to ease patch installation. This is unprecedented.

Where is Microsoft on this issue? They published their initial advisory on 28 Dec and updated it 30 Dec. Nothing they've done has helped resolve the issue. Meanwhile, the Metasploit project has released a module to generate malicious WMF files. This puts exploit creation in the hands of the lowest common denomintaor.

F-Secure reports the WMF issue is truly "a feature, not a bug," due to Microsoft's design of the WMF format. In fact, F-secure says

"'The WMF vulnerability' probably affects more computers than any other security vulnerability, ever."

Everyone who paid good money to Microsoft to fulfill its duty as a commercial vendor selling closed, proprietary software is still waiting for an official patch. Meanwhile, users are owned by exploit spam and targeted WMF email attacks. Remember this example the next time your management refuses to allow running open source software because "no one is responsible for problems."

When private third parties like SANS and Ilfak Guilfanov have to step up to the plate to save the world, the argument for exclusively running closed, proprietary software with a poor security record is weak indeed.

Note: I do not mean to unduly criticize Microsoft employees. I know several of them who are really sharp. At the end of the day, however, Microsoft as a corporation is AWOL on the WMF issue.

Update: SANS has temporarily pulled their .msi. However, I just installed the original .exe on a Windows XP SP2 system without incident. I also unregistered the shimgvw.dll library. Ilfak Guilfanov's patch creates this directory on the host:

C:\Program Files\WindowsMetafileFix>dir
Volume in drive C has no label.
Volume Serial Number is 30EF-BD7B

Directory of C:\Program Files\WindowsMetafileFix>

01/02/2006 08:52 AM DIR .
01/02/2006 08:52 AM DIR ..
01/01/2006 12:38 PM 155 compile.bat
01/01/2006 03:54 PM 1,141 Readme.txt
01/02/2006 08:52 AM 3,537 unins000.dat
01/02/2006 08:52 AM 673,546 unins000.exe
01/01/2006 03:41 PM 7,022 wmfhotfix.cpp
5 File(s) 685,401 bytes
2 Dir(s) 3,207,041,024 bytes free

C:\Program Files\WindowsMetafileFix>type Readme.txt
MS WINDOWS METAFILE VULNERABILITY HOTFIX v1.3

PLEASE READ THE FOLLOWING CAREFULLY!

This is a temporary fix for the MS Windows
Metafile file vulnerability:

http://www.hexblog.com/2005/12/wmf_vuln.html

It has been tested on Windows 2000, Windows XP,
and Windows XP Professional 64bit.
Please use it at your own risk and switch
to the official patch from Microsoft as soon
as it is be available.

THIS FIX IS PROVIDED 'AS IS' WITHOUT WARRANTY OF
ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING,
BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF FITNESS
FOR A PURPOSE, OR THE WARRANTY OF NON-INFRINGEMENT.

IN NO EVENT SHALL ILFAK GUILFANOV BE LIABLE TO YOU
OR ANY THIRD PARTIES FOR ANY SPECIAL, PUNITIVE,
INCIDENTAL, INDIRECT OR CONSEQUENTIAL DAMAGES
OF ANY KIND, OR ANY DAMAGES WHATSOEVER, INCLUDING,
WITHOUT LIMITATION, THOSE RESULTING FROM LOSS OF USE,
DATA OR PROFITS, WHETHER OR NOT HE HAS BEEN ADVISED
OF THE POSSIBILITY OF SUCH DAMAGES, AND ON ANY THEORY OF
LIABILITY, ARISING OUT OF OR IN CONNECTION WITH THE USE
OF THIS SOFTWARE.

Copyright 2006 by Ilfak Guilfanov, ig@hexblog.com
http://www.hexblog.com

As you can see, you can inspect the .cpp file and compile it yourself if you do not want to run the compiled wmffix_hexblog13.exe.

Comments

Anonymous said…
Beyond what you have said, I'm impressed by Ilfak's willingness to create versions which work on Win2K, etc. I mean, here's a guy who contributes code, and when people say "Yeah, but does it work on win2k? What about SP3? An MSI would be better", instead of saying "If you want that, write it", he says "I'll see if I can get to it". A day later, there it is.

I sure hope this guy has been taking care if his liver, because he's going to be getting a ton of free drinks out of his work on this.

Popular posts from this blog

Zeek in Action Videos

New Book! The Best of TaoSecurity Blog, Volume 4

MITRE ATT&CK Tactics Are Not Tactics