funsec mailing list archives

Re: Ilfak's WMF patch


From: Matthew Murphy <mattmurphy () kc rr com>
Date: Sun, 01 Jan 2006 16:44:53 -0600

Larry Seltzer wrote:
> Bear in mind that this patch does explicitly break functionality and even
> Ilfak says that when a real patch is available you should uninstall his.
>
> The real question here is whether there is any legitimate use, let alone
> significant legitimate use, of the broken functionality out in the real
> world. The people who are "testing" and endorsing this patch aren't exactly
> running large test suites of real software through it. For all we know there
> are important graphics programs that are broken by it, and I think Ilfak is
> cautious on this point.

Not even a question.  The ABORTPROC record type has *ZERO* legitimate
use in the real world.  It is designed to execute arbitrary code, making
it a security risk without legitimate value.  If there are apps that use
the functionality, I, for one, am happy to see them broken.

In any case, the use of ABORTPROCs in WMFs is less app-dependent than it
is file-dependent.  ABORTPROC records are contained within the WMFs
themselves, so making portable use of an abort procedure defined in such
a fashion would be nearly impossible.  As it stands, I question
Microsoft's decision to include the functionality in the first place.  I
simply don't see a use for it.

When Microsoft's patch does appear, I'd imagine that it too will simply
break the ABORTPROC record type.  That functionality simply cannot be
secured any other way.

The question we should all be asking is why a hole this obvious wasn't
spotted.  A graphics renderer that includes *BY-DESIGN* functionality to
allow a graphics file to redirect execution control should've set off a
few thousand red flags inside Microsoft.  SWI auditing probably
should've spotted this one.

> I'm getting ready to write about this myself and I'm thinking of saying that
> in the interim I'm only really concerned with whether a) it's effective and
> b) the uninstall works properly. If (a&b) then it's probably a good idea at
> least to test the patch in order to see if it breaks your applications. By
> tomorrow morning if I see no reports of problems I'll be satisfied enough of
> b and every report so far tells me a is true, although I'd like to see more
> organized testing.

Haven't really heard much about the uninstall.  I can certify that the
patch is effective (it completely breaks the vulnerable functionality),
though I don't know at what cost to app compatibility.  It would appear
that the app compat cost is near nil, for the reason I stated above.

It might be worth noting that Ilfak only tested his patch on XP SP2.
It's been said to work on Windows Server 2003 SP1 by some, though it's
confirmed that it does indeed break on XP SP1, XP RTM, and there are
conflicting reports about Win2003 RTM.  Windows 2000, Windows 98, and
Windows Me users aren't able to apply the fix, either.  Given that the
number of Win2003 systems out there is going to be pretty small, it
seems that most non-XP desktop environments will be out of luck, as will
environments that haven't made the move up to SP2 from SP1 or (god
forbid) RTM.

That's going to be quite a few environments, particularly in the
corporate world, where nearly half of all workstations are still running
Windows 2000.  If I had a copy of any of these OSes, I'd offer to port
the patch.  I do not, however.

As an aside, with source code being available, I imagine that Ilfak's
patch could be ported to different environments if copies of the
gdi32.dll file from those systems could be procured.  If anyone has
backups of the file from an SP1 install (ideally in a fully-patched
form) I'd appreciate it if you could send me copies *OFF-LIST* so as to
avoid tying up others' bandwidth. :-)

-- 
"Social Darwinism: Try to make something idiot-proof,
nature will provide you with a better idiot."

                                -- Michael Holstein
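A record-level check for the escape record this thread is about, added here as a defender-side example (it is not Ilfak's patch and not code from the original post): it walks a WMF file's records and reports every META_ESCAPE record whose escape code is SETABORTPROC, the record type the patch neutralises in gdi32. It assumes the standard WMF layout (record sizes in 16-bit words, optional 22-byte placeable header); the sample file is constructed inline and carries no payload.

```python
import struct

META_ESCAPE = 0x0626        # WMF record function number for an escape record
SETABORTPROC = 0x0009       # escape sub-function that registers an abort procedure
META_EOF = 0x0000
META_SETMAPMODE = 0x0103    # benign record used in the constructed sample
PLACEABLE_MAGIC = 0x9AC6CDD7

def find_setabortproc_records(data: bytes):
    """Return the byte offsets of all META_ESCAPE/SETABORTPROC records in a WMF."""
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        off = 22  # skip the placeable (Aldus) header that precedes the METAHEADER
    if len(data) < off + 18:
        raise ValueError("truncated WMF header")
    header_words = struct.unpack_from("<H", data, off + 2)[0]
    off += header_words * 2  # METAHEADER size is given in 16-bit words (normally 9)
    hits = []
    while off + 6 <= len(data):
        rd_size_words, rd_function = struct.unpack_from("<IH", data, off)
        if rd_size_words < 3:  # size DWORD + function WORD is the smallest valid record
            break
        # an escape record carries at least the escape code and a byte-count word
        if rd_function == META_ESCAPE and rd_size_words >= 5:
            if struct.unpack_from("<H", data, off + 6)[0] == SETABORTPROC:
                hits.append(off)
        if rd_function == META_EOF:
            break
        off += rd_size_words * 2
    return hits

def _record(function, *params):
    """Pack one WMF record: size in words, function number, WORD parameters."""
    body = struct.pack("<%dH" % len(params), *params)
    return struct.pack("<IH", (6 + len(body)) // 2, function) + body

def build_sample_wmf(with_abortproc: bool) -> bytes:
    """Constructed sample (not a real-world file): one benign record, optionally
    an escape record that registers an abort procedure, then META_EOF."""
    records = [_record(META_SETMAPMODE, 8)]
    if with_abortproc:
        records.append(_record(META_ESCAPE, SETABORTPROC, 0))  # zero data bytes
    records.append(_record(META_EOF))
    body = b"".join(records)
    max_words = max(len(r) // 2 for r in records)
    # mtType=1, mtHeaderSize=9 words, mtVersion=0x300, mtSize, mtNoObjects, mtMaxRecord, mtNoParameters
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, max_words, 0)
    return header + body
```

Running `find_setabortproc_records` over a file is a content check that works on any platform, including the Win2000/SP1 systems the patch cannot be installed on.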


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.