funsec mailing list archives
Re: Ilfak's WMF patch
From: Matthew Murphy <mattmurphy () kc rr com>
Date: Sun, 01 Jan 2006 16:44:53 -0600
-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Larry Seltzer wrote:

> Bear in mind that this patch does explicitly break functionality and even Ilfak says that when a real patch is available you should uninstall his. The real question here is whether there is any legitimate use, let alone significant legitimate use, of the broken functionality out in the real world. The people who are "testing" and endorsing this patch aren't exactly running large test suites of real software through it. For all we know there are important graphics programs that are broken by it, and I think Ilfak is cautious on this point.
Not even a question. The ABORTPROC record type has *ZERO* legitimate use in the real world. It is designed to execute arbitrary code, making it a security risk without legitimate value. If there are apps that use the functionality, I, for one, am happy to see them broken. In any case, the use of ABORTPROCs in WMFs is less app-dependent than it is file-dependent. ABORTPROC records are contained within the WMFs themselves, so making portable use of an abort procedure defined in such a fashion would be nearly impossible.

As it stands, I question Microsoft's decision to include the functionality in the first place. I simply don't see a use for it. When Microsoft's patch does appear, I'd imagine that it too will simply break the ABORTPROC record type. That functionality simply cannot be secured any other way.

The question we should all be asking is why a hole this obvious wasn't spotted. A graphics renderer that includes *BY-DESIGN* functionality to allow a graphics file to redirect execution control should've set off a few thousand red flags inside Microsoft. SWI auditing probably should've spotted this one.
> I'm getting ready to write about this myself and I'm thinking of saying that in the interim I'm only really concerned with whether a) it's effective and b) the uninstall works properly. If (a&b) then it's probably a good idea at least to test the patch in order to see if it breaks your applications. By tomorrow morning if I see no reports of problems I'll be satisfied enough of b and every report so far tells me a is true, although I'd like to see more organized testing.
Haven't really heard much about the uninstall. I can certify that the patch is effective (it completely breaks the vulnerable functionality), though I don't know at what cost to app compatibility. It would appear that the app compat cost is near nil, for the reason I stated above.

It might be worth noting that Ilfak only tested his patch on XP SP2. It's been said to work on Windows Server 2003 SP1 by some, though it's confirmed that it does indeed break on XP SP1 and XP RTM, and there are conflicting reports about Win2003 RTM. Windows 2000, Windows 98, and Windows Me users aren't able to apply the fix, either. Given that the number of Win2003 systems out there is going to be pretty small, it seems that most non-XP desktop environments will be out of luck, as will environments that haven't made the move up to SP2 from SP1 or (god forbid) RTM. That's going to be quite a few environments, particularly in the corporate world, where nearly half of all workstations are still running Windows 2000.

If I had a copy of any of these OSes, I'd offer to port the patch. I do not, however. As an aside, with source code being available, I imagine that Ilfak's patch could be ported to different environments if copies of the gdi32.dll file from those systems could be procured. If anyone has backups of the file from an SP1 install (ideally in a fully-patched form) I'd appreciate it if you could send me copies *OFF-LIST* so as to avoid tying up others' bandwidth. :-)

- --
"Social Darwinism: Try to make something idiot-proof, nature will provide you with a better idiot." -- Michael Holstein

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFDuFtkfp4vUrVETTgRA/KHAJ46Ugvh7wHcrCF7N4EtVvwfhkKuGACgtjSG
JktXsT+WNEZLWkQ3lpgx+Qc=
=Ri7w
-----END PGP SIGNATURE-----
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
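The point made above, that the ABORTPROC record lives inside the WMF file itself, means a defender can find it by walking the file's record table before a renderer ever sees it. The following scanner is an added example for this archive page and is not code from the thread, from Ilfak's patch, or from Microsoft. It assumes the record layout of the Windows Metafile Format (18-byte METAHEADER, optional 22-byte placeable header with key 0x9AC6CDD7, records of a DWORD size in 16-bit words plus a WORD function code; META_ESCAPE is 0x0626 and the SETABORTPROC escape function is 9) and flags any SETABORTPROC escape it finds, along with malformed record sizes that would stop a parser early. The sample files it scans are constructed in the block from those constants; the escape data in the flagged sample is all zeros, so the scanner only ever looks at structure.

```python
import struct

# Record and escape constants from the Windows Metafile Format.
META_ESCAPE = 0x0626       # record function that carries GDI escapes
META_EOF = 0x0000          # end-of-file record
META_SETBKCOLOR = 0x0201   # a benign drawing record used in the samples
SETABORTPROC = 0x0009      # the escape function Ilfak's patch disables
PLACEABLE_KEY = 0x9AC6CDD7 # magic of the optional 22-byte placeable header


def scan_wmf(data: bytes) -> list:
    """Walk the record table of a WMF and report what a file scanner or
    mail gateway would want to act on: META_ESCAPE records whose escape
    function is SETABORTPROC, and record sizes that cannot be valid."""
    findings = []
    off = 0
    # Skip the placeable header if its magic is present.
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22
    if len(data) < off + 18:
        return [{"offset": off, "issue": "truncated METAHEADER"}]
    # METAHEADER: Type, HeaderSize (16-bit words, always 9), Version, Size,
    # NumberOfObjects, MaxRecord, NumberOfMembers.
    _file_type, header_words = struct.unpack_from("<HH", data, off)
    if header_words != 9:
        findings.append({"offset": off, "issue": "unexpected HeaderSize %d" % header_words})
    off += header_words * 2
    # Each record: RecordSize (DWORD, in 16-bit words, counting itself and the
    # function field), RecordFunction (WORD), then the parameters.
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if size_words < 3 or off + size_words * 2 > len(data):
            findings.append({"offset": off, "issue": "malformed record size %d" % size_words})
            break
        if func == META_ESCAPE and size_words >= 5:
            # Escape parameters: EscapeFunction (WORD), ByteCount (WORD), data.
            esc_func, byte_count = struct.unpack_from("<HH", data, off + 6)
            if esc_func == SETABORTPROC:
                findings.append({"offset": off, "issue": "SETABORTPROC escape",
                                 "escape_bytes": byte_count})
        if func == META_EOF:
            break
        off += size_words * 2
    return findings


def _record(func: int, params: bytes = b"") -> bytes:
    """Encode one WMF record; RecordSize is measured in 16-bit words."""
    params += b"\x00" * (len(params) % 2)
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def build_wmf(records: list, placeable: bool = False) -> bytes:
    """Wrap records in a minimal METAHEADER (plus optional placeable header).
    Constructed for this example only; not derived from any real sample."""
    body = b"".join(records)
    header = struct.pack("<HHHIHIH", 2, 9, 0x0300, (18 + len(body)) // 2, 0,
                         max(len(r) // 2 for r in records), 0)
    prefix = b""
    if placeable:
        # Key, HWmf, BoundingBox (4 x INT16), Inch, Reserved, Checksum.
        prefix = struct.pack("<IHhhhhHIH", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0, 0)
    return prefix + header + body


# Constructed samples: a benign file, a placeable file carrying a SETABORTPROC
# escape with four zero bytes of escape data, and a file with an illegal
# RecordSize of 1 that a naive parser would loop or crash on.
BENIGN_WMF = build_wmf([_record(META_SETBKCOLOR, struct.pack("<I", 0x00FFFFFF)),
                        _record(META_EOF)])
ABORTPROC_WMF = build_wmf([_record(META_SETBKCOLOR, struct.pack("<I", 0x00FFFFFF)),
                           _record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + b"\x00" * 4),
                           _record(META_EOF)], placeable=True)
MALFORMED_WMF = build_wmf([struct.pack("<IH", 1, META_SETBKCOLOR)])

if __name__ == "__main__":
    for name, blob in [("benign", BENIGN_WMF), ("abortproc", ABORTPROC_WMF),
                       ("malformed", MALFORMED_WMF)]:
        print(name, scan_wmf(blob))
```

A gateway would quarantine on any SETABORTPROC finding regardless of the escape data, which matches the thread's view that the record type has no legitimate use; the malformed-size check matters because a scanner that trusts RecordSize can be walked off the end of the buffer or stuck in place by a zero-length record.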
_______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.
Current thread:
- Ilfak's WMF patch Gadi Evron (Jan 01)
- RE: Ilfak's WMF patch Peter Kruse (Jan 01)
- RE: Ilfak's WMF patch Rob, grandpa of Ryan, Trevor, Devon & Hannah (Jan 02)
- Re: Ilfak's WMF patch Pierre Vandevenne (Jan 01)
- RE: Ilfak's WMF patch Larry Seltzer (Jan 01)
- Re: Ilfak's WMF patch Matthew Murphy (Jan 01)
- Re: Ilfak's WMF patch Valdis . Kletnieks (Jan 01)
- Re: Ilfak's WMF patch Matthew Murphy (Jan 01)
- Re[2]: Ilfak's WMF patch Ilfak Guilfanov (Jan 01)
- Re: Ilfak's WMF patch Matthew Murphy (Jan 01)
- RE: Re[2]: Ilfak's WMF patch Larry Seltzer (Jan 02)
- Re[4]: Ilfak's WMF patch Ilfak Guilfanov (Jan 02)
- RE: Re[4]: Ilfak's WMF patch Richard M. Smith (Jan 02)
- Re[6]: Ilfak's WMF patch Ilfak Guilfanov (Jan 02)
- Re: Re[4]: Ilfak's WMF patch Valdis . Kletnieks (Jan 02)
- RE: Ilfak's WMF patch Larry Seltzer (Jan 01)
- RE: Ilfak's WMF patch Peter Kruse (Jan 01)
- Ilfak's WMF patch v. Microsoft's solution Richard M. Smith (Jan 01)