
[sigh] We Can Breathe Again, At Least For Now

January 5th, 2006

As of 5:00 pm Eastern time today, Microsoft has a patch available through Windows/Microsoft Update to fix the Windows Metafile vulnerability that I mentioned on Monday. Once you have installed the patch from Microsoft, you can go ahead and uninstall the patch from Ilfak Guilfanov by going to Add/Remove Programs and uninstalling the entry "Windows WMF Metafile Vulnerability HotFix".

I am slightly surprised that we are seeing this patch so quickly. Initially, Microsoft stated that it would not release the patch until "Patch Tuesday", the second Tuesday of each month, so that the patch could get plenty of QA testing. Microsoft has subsequently stated that after discovering this vulnerability, they are going to delve into their proprietary standards to check if similar "features" were included in other Microsoft file formats.

Also, over the past few days, a few problems have been discovered that were caused by the patch from Ilfak. The biggest problem is that it has created printing problems for some people, mostly if they are using networked printers. The only reason that this should be happening is because the printing is relying on the fallback "feature" built in to the Windows Metafile format that Ilfak’s patch disabled.

Microsoft: Does Intelligent Life Exist In Redmond?

January 2nd, 2006

Security Alert!!! A new zero-day vulnerability is being exploited in the Windows Metafile format on the Microsoft Windows platform.

Right before New Year’s Eve, a series of viri were discovered circulating on the Internet that can infect your computer without requiring you to do anything. That’s right, you can get these viri by just having your computer connected to the Internet. These viri take advantage of a very stupid "feature" that is in the Windows Metafile (WMF) image format. All versions of Windows produced from 1991 to the present (approximately Windows 3.0 to Windows XP and Windows Server 2003) are affected by this vulnerability. Microsoft currently endorses a workaround that involves the user unregistering a DLL, but this workaround is basically worthless since it only shuts down one avenue that the viri can use to exploit this vulnerability and also breaks the thumbnail display feature in Windows. A much better solution is a small program written by Ilfak Guilfanov and improved with the help of Steve Gibson. You must install the program and reboot your computer for the fix to work. It should shut down every avenue that the viri can use to exploit this vulnerability. The only downside to this patch is that it only works for Windows 2000 and up (sorry Win95 and Win98 users). When Microsoft comes out with an official fix for this vulnerability, you can then uninstall this program. I highly recommend installing this small program due to the extreme ease of contracting one of these viri. Just to give you an idea of how easy it is to get one of these viri, many security experts have infected themselves with these viri without even realizing it.

A little more detail: Most popular graphics formats in use on the Windows platform are raster-based formats. This means that the image is stored as a bunch of individual pixels. Formats such as BMP, GIF, PNG, and JPEG are raster formats. Another type of graphics, vector graphics, is stored as a series of instructions for the program to execute and draw. For example, the file might specify that a black line should be drawn from one point to another, then a red rectangle should be drawn with a set of points for vertices. These images are scalable and generally can be stored in less space, but they are poorly suited to real-life images such as photographs. Examples of vector graphics formats are SVG and WMF.

When Microsoft designed the WMF format back in the early nineties, they decided to allow the graphics file to contain program code that would be executed if an error occurred while the drawing instructions in the file were being executed. It might have seemed like a harmless and somewhat useful feature back in the trusting days of computing before the Internet. However, it is now being used as a very easy way to execute arbitrary code on your computer. All you have to do to activate the code is to view the infected image. What makes it even worse is that the image could be masquerading as something other than a *.wmf file. Many of the viri are hidden in GIFs. The virus could be executed by simply viewing a web page that has one of these bad graphics on it. An MSN Messenger version of the virus is also circulating that would infect you the second that you get an IM containing the tainted image. Also, it has been proven that just having the image on your computer without viewing it could lead to you getting infected due to certain content indexers that you might have running on your computer, such as Google Desktop Search.
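The "instructions in the file" are a sequence of WMF records, and the code-on-error feature the post describes lives in one record type: an escape record whose sub-function registers a callback. The following is an added example, not code from the blog or from Microsoft: a minimal record walker in Python that flags any such record regardless of the file's extension (the post notes the files were circulating as GIFs). The record and escape codes are taken from the public WMF specification, not from the post; the sample files are constructed inline and contain a zero-filled dummy blob, not real malware.

```python
import struct

# Record codes from the public WMF specification (MS-WMF); not taken from the blog post.
META_EOF, META_MOVETO, META_LINETO, META_ESCAPE = 0x0000, 0x0214, 0x0213, 0x0626
SETABORTPROC = 0x0009          # escape sub-function that registers a callback
PLACEABLE_KEY = 0x9AC6CDD7     # magic of the optional 22-byte placeable header


def wmf_records(data: bytes):
    """Yield (offset, function_code, parameter_bytes) for each record in a WMF blob."""
    off = 22 if len(data) >= 22 and struct.unpack_from("<I", data)[0] == PLACEABLE_KEY else 0
    # METAHEADER (18 bytes): type(2) header_size_in_words(2) version(2)
    #   file_size_in_words(4) object_count(2) max_record_size(4) parameter_count(2)
    mt_type, hdr_words = struct.unpack_from("<HH", data, off)
    if mt_type not in (1, 2) or hdr_words != 9:
        raise ValueError("not a WMF METAHEADER")
    off += hdr_words * 2
    while off + 6 <= len(data):
        # size counts 16-bit words and includes these 6 header bytes
        size_words, func = struct.unpack_from("<IH", data, off)
        if size_words < 3 or off + size_words * 2 > len(data):
            raise ValueError(f"malformed record size at offset {off}")
        yield off, func, data[off + 6: off + size_words * 2]
        if func == META_EOF:
            return
        off += size_words * 2
    raise ValueError("missing META_EOF record")


def find_abortproc_escapes(data: bytes):
    """Offsets of META_ESCAPE records whose escape function is SETABORTPROC.
    An ordinary drawing never needs one, so any hit is worth quarantining."""
    return [off for off, func, params in wmf_records(data)
            if func == META_ESCAPE and len(params) >= 2
            and struct.unpack_from("<H", params)[0] == SETABORTPROC]


# --- constructed sample files for demonstration (no real malware) ---
def _record(func, params=b""):
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params

def _wmf(records):
    body = b"".join(records)
    return struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0,
                       max(len(r) // 2 for r in records), 0) + body

BENIGN = _wmf([_record(META_MOVETO, struct.pack("<hh", 0, 0)),
               _record(META_LINETO, struct.pack("<hh", 50, 50)), _record(META_EOF)])
# escape params: escape function, byte count, then the (dummy, zero-filled) callback blob
SUSPECT = _wmf([_record(META_MOVETO, struct.pack("<hh", 0, 0)),
                _record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + b"\x00" * 4),
                _record(META_LINETO, struct.pack("<hh", 50, 50)), _record(META_EOF)])
```

Run `find_abortproc_escapes()` over the bytes of any image a mail gateway or indexer is about to hand to the rendering code; it raises on files that are not metafiles at all and returns an empty list for clean ones.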

This is a zero-day vulnerability, meaning that it was exploited before it was discovered by either Microsoft or an external security firm. Microsoft is currently working on a patch for this vulnerability, but they are fighting an uphill battle since almost 100 viri have been discovered to date that exploit this vulnerability. For this vulnerability, you should NOT rely on your anti-virus software to protect you since new variants are being released almost constantly. You can learn more about this vulnerability by listening to the first part of episode 20 (audio, transcript), the episode 20 extension (audio), and by reading the episode 20 show notes of the Security Now! podcast hosted by Leo Laporte and Steve Gibson.

You Call This Security

November 10th, 2005

A few days ago I was browsing the Data Security site on the UPS intranet. I was doing this not because I was bored, but because I had to fix some dead links on our department’s internal website. When I went to log into one of their password reset forms to see if it was what I was looking for, the page broke on me. Basically, stuff got displayed that was not supposed to be. Anyway, I decided to look at the source code for the page to see if I could figure out why it was so screwed up. What I saw was surprising: my full name, address, phone number, birth date, first date of employment with UPS, SSN, and other bits of sensitive personal information. I can understand why you would need to access some of this data on the server to authenticate my login, but there is no reason whatsoever to send this to the client. This is the kind of information that any security person would tell you that you should not enter on a website, especially one where you don’t have a secure SSL connection (signified by a little padlock icon in the browser). Anyone who happened to capture the packets from my transmission could easily reconstruct the web page and see all of that personal information. Not only that, but anyone, including you, could have caught those packets. I think that they should reconsider their department name.

If you read my last post or have been paying attention to tech news this past week or two, you should have heard about the rootkit included on some Sony-BMG audio CDs marketed as copy protection software. This rootkit hides all files and registry entries that start with $sys$. I mentioned in my last entry how a crack has already been released for Blizzard’s MMORPG World of Warcraft. Now, CNN reports that a virus, named Stinx-E, has been created that takes advantage of the cloaking provided by the copy protection on the Sony-BMG CDs. The real kicker is that currently, no virus scanners or spyware scanners will detect the virus since they cannot see it. I must say, it looks like Sony is going to get hit hard for their little trick.

BEWARE! Malware Being Distributed As Copy Protection Software

November 4th, 2005

Watch out! Sony-BMG has been releasing CDs for about the past year that have a rootkit built into them. Not only that, but they don’t tell you that they are installing it, it is known to cause computers to blue screen, and is nearly impossible to remove without completely reinstalling Windows.

OK, backtrack a little bit. I’m sure that you don’t have a clue as to what a rootkit is. I’ll try to explain, but they are pretty complicated.

Every operating system has a kernel, which is the layer that the user interface uses to communicate with the hardware. It is a little hard for Windows users to understand since Microsoft markets Windows as just an operating system, even though it is so much more. On the other hand, Linux and Unix users will know what it is since Linux is really just the kernel, and other programs, like the command line shell bash and the desktop environment KDE, run on top of it. Anyway, every piece of software on the computer communicates with the hardware (hard drive, memory, etc.) by making calls to the kernel, which then performs the correct instructions to make the computer do the task. The only reason that the Windows kernel should ever be modified is if a major patch is released. Other than that, the kernel should never be modified since it could cause instability.

A rootkit, however, breaks this rule: it modifies the kernel. One of the things that rootkits most commonly do is modify the code that reads the directory structure on your computer and the registry. This might sound harmless at first, but think again. By doing this, the maker of the rootkit can hide whatever they want to on your hard drive or in your registry, and you’ll never know it because you won’t be able to see the file or registry entry. For a more detailed description of what a rootkit is, you can either listen to or read Episode 9: Rootkits from the Security Now! podcast, hosted by Leo Laporte of This Week In Tech and G4’s Call For Help and Steve Gibson of Gibson Research Corporation.

This story was originally published on the SysInternals blog, which is written by Mark Russinovich, on Monday. It turns out that Sony-BMG licensed copy protection software from First 4 Internet called XCP, which uses a rootkit. It is installed when you agree to the EULA that displays when you insert the CD into your computer. The rootkit that it installs cloaks any files or registry entries on your computer that start with the string $sys$. You can’t even get around the rootkit by starting in safe mode because it marks itself as a safe mode driver. It is possible to find the files that are cloaked by using a program from SysInternals called Rootkit Revealer. However, this rootkit has evil intentions. If you try to delete these files (easily done if you know that they exist), your CD-ROM drive will disappear from Windows. It can be restored, but it is not an easy process. A longer discussion on this rootkit can be heard or read in Episode 12: Rootkit DRM of Security Now!

Mark of SysInternals revisited the topic today. In Sony’s EULA, they say that their copy protection software can easily be removed. Ha! That’s a good one. To remove it, you must first go to Sony-BMG’s website and request the uninstaller. They email a link to you that leads to a web page where you can download a service pack to XCP. However, this service pack is the only way to uninstall it. When you start the installer, you must decline the EULA, which will trigger the uninstaller. However, the uninstaller is itself flawed. It is impossible to reliably remove a rootkit while Windows is running, due to the way that it interacts with the kernel. When you attempt to unload the rootkit, you could very easily blue screen your system. Too bad that First 4 Internet was too incompetent to know this. Then again, what should you expect from a company that relies on a poorly written rootkit to implement copy protection? What’s even worse is that Sony-BMG refuses to admit that they are using DRM technology that utilizes a rootkit.

Remember when I mentioned that the rootkit masks all files and registry entries that start with $sys$? This allows anyone to plant files on your computer that start with the same string and have them hide from you. Already, a crack has surfaced that allows players to circumvent the anti-cheat facilities in Blizzard’s MMORPG World of Warcraft. Also, every time that you insert the CD, a program on it "phones home" to Sony-BMG, which is a security risk in and of itself.

I don’t know about you, but after learning all of this, I can say that I am going to stay away from Sony-BMG for a while, and any other copy-protected CDs. It just isn’t right to buy a CD only to learn that you basically have no rights to use it. They dictate that you can make X number of copies, you can only listen to it on a computer using our built-in player, you can’t rip the songs yourself in any format you want, but we do offer (crappy) 128 kbps MP3 versions of these on our website that you can only download if you have the original CD in your CD-ROM drive, etc. Whatever happened to fair use? Doesn’t sound like you own the music, now does it?

What’s even worse is that what Mark Russinovich did was illegal under the Digital Millennium Copyright Act. What was illegal about Mark getting a rootkit off of his system, you wonder? It is because it is considered circumventing copy protection. For doing that, he could be taken to court. What is wrong with this picture? Pretty soon, every music manufacturer could start putting "copy protection" on their CDs that phones home or puts ads on your computer, and you could not legally do a thing about it due to the DMCA! The music industry is doing all of the wrong things to try to get people to actually buy music instead of illegally downloading it from P2P services such as KaZaA, Shareaza, and BitTorrent.