'Really Bad' Exploit Threatens Windows

By Nate Mook | Published December 28, 2005, 1:30 PM

A new exploit has been discovered in the wild that affects fully patched Windows XP SP2 systems, according to reports by security firms F-Secure and Sunbelt. The malicious code takes advantage of a vulnerability in the WMF graphics rendering engine to automatically download and install malware.

WMF, or Windows Metafile, is a vector-based image format used by Microsoft's operating systems. SHIMGVW.DLL is loaded to render the images and contains a flaw that allows a malformed WMF image to cause remote code execution and potentially a full system compromise.
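As an added example (not code from the article or from any firm it quotes), the scanner below parses a WMF container without rendering it and flags structural oddities plus the escape record that scanners used to detect the December 2005 samples; the constants, record layout and the inline sample files are my own construction from the public WMF format.

```python
# Added example: structural WMF scanner. It never renders the file; it only
# walks the header and records and reports what does not belong in a plain
# picture. Sample inputs at the bottom are constructed inline.
import struct

PLACEABLE_KEY = 0x9AC6CDD7   # magic of the optional 22-byte placeable header
META_EOF = 0x0000            # terminating record
META_ESCAPE = 0x0626         # escape record (driver pass-through)
SETABORTPROC = 0x0009        # escape sub-function abused by the 2005 exploit
META_SETMAPMODE = 0x0103     # harmless record used in the benign sample


def scan_wmf(data: bytes) -> dict:
    """Walk a WMF byte string and report structural findings (no rendering)."""
    findings = {"placeable": False, "records": 0, "warnings": []}
    pos = 0

    # Optional placeable header: key, handle, bbox, inch, reserved, checksum.
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        findings["placeable"] = True
        expected = 0
        for word in struct.unpack_from("<10H", data, 0):
            expected ^= word  # checksum is the XOR of the ten preceding words
        if expected != struct.unpack_from("<H", data, 20)[0]:
            findings["warnings"].append("placeable checksum mismatch")
        pos = 22

    # Standard 18-byte META_HEADER.
    if len(data) < pos + 18:
        findings["warnings"].append("truncated header")
        return findings
    mtype, hdr_words, version, size_words, _objs, max_rec, _ = \
        struct.unpack_from("<HHHIHIH", data, pos)
    if mtype not in (1, 2) or hdr_words != 9:
        findings["warnings"].append("bad header type/size")
    if version not in (0x0100, 0x0300):
        findings["warnings"].append("unknown version 0x%04x" % version)
    if size_words * 2 != len(data) - pos:
        findings["warnings"].append("declared size mismatch")
    pos += 18

    # Records: RecordSize (words, 4 bytes), RecordFunction (2 bytes), params.
    while pos + 6 <= len(data):
        rec_words, func = struct.unpack_from("<IH", data, pos)
        rec_len = rec_words * 2
        if rec_words < 3 or pos + rec_len > len(data):
            findings["warnings"].append("record at offset %d has bad size" % pos)
            return findings
        findings["records"] += 1
        if rec_words > max_rec:
            findings["warnings"].append("record exceeds declared MaxRecord")
        if func == META_EOF:
            if pos + rec_len != len(data):
                findings["warnings"].append("trailing bytes after EOF")
            return findings
        if func == META_ESCAPE and rec_words >= 5:
            esc_func = struct.unpack_from("<H", data, pos + 6)[0]
            if esc_func == SETABORTPROC:
                findings["warnings"].append("SETABORTPROC escape record")
        pos += rec_len
    findings["warnings"].append("missing EOF record")
    return findings


def record(func: int, *params: int) -> bytes:
    """Encode one WMF record from a function code and 16-bit parameters."""
    return struct.pack("<IH", 3 + len(params), func) + \
        struct.pack("<%dH" % len(params), *params)


def build_wmf(records: list) -> bytes:
    """Constructed sample: wrap records in a standard header plus EOF record."""
    recs = list(records) + [record(META_EOF)]
    body = b"".join(recs)
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0,
                         max(len(r) for r in recs) // 2, 0)
    return header + body


# Constructed inputs: a plain picture and one carrying the escape record.
BENIGN_WMF = build_wmf([record(META_SETMAPMODE, 1)])
SUSPECT_WMF = build_wmf([record(META_ESCAPE, SETABORTPROC, 0)])
```

Call scan_wmf on the bytes of any file to triage it; the warnings list is empty for the benign sample and names the escape record for the suspect one.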

Microsoft previously fixed a vulnerability affecting WMF and EMF files in November. That problem affected Windows 2000, XP and Windows Server 2003.

"We have a number of sites that we have found with this exploit. Different sites download different spyware. We only had a handful of websites using this new exploit but now we are seeing many more using this to install bad stuff. These image files can be modified very easily to download any malware or virus," said Alex Eckelberry, CEO of Sunbelt Software.

"I hit one site with a fully patched XP system last night and it was pretty intense -- it went right through and infected my machine."

F-Secure's Mika Pehkonen warned that, "Right now, fully patched Windows XP SP2 machines are vulnerable, with no known patch." The company is detecting the offending WMF files as W32/PFV-Exploit.A, .B and .C.

"Note that you can get infected if you visit a web site that has an image file containing the exploit. Internet Explorer users might automatically get infected. Firefox users can get infected if they decide to run or download the image file," Pehkonen added.

Microsoft has been notified of the issue and it could opt to issue an emergency patch, apart from its standard Patch Tuesday security bulletins. "We expect Microsoft to issue a patch on this as soon as they can," says F-Secure.

Sunbelt's Eckelberry echoes that sentiment: "Folks, I've seen it with my own eyes and this is a really bad exploit. Be careful out there."

Comments


Everyone acts as if this is something new--this vulnerability has existed since Windows 3.1 (which was the last time that .wmf files were widely used). .WMF files are 16-bit, ancient attempts of MS to make compressed pictures/etc. many years before .jpg even existed. That's like saying I found a new exploit in winfile.exe or progman.exe. Disable the useless dll file and move on.

Score: 0

|

This is now in Microsoft's hands and will be fixed, and it's down to the powerful nature of XP and its many users that it was discovered. It should only be a problem for those needing to visit "dodgy" sites for the next few weeks.

so ... careful when going to crack, hack and warez sites then .. problem sorted.

I'm happy with MS, at least it will be sorted.

Score: 0

|

"careful when going to crack, hack and warez sites then"

Better yet, just buy your software and avoid these sites all together.

Score: 0

|

lol exactly.

Score: 0

|

I think it's interesting that people continually find flaws with Windows, yet new ones seem to magically crop up every day. So MS has a few bugs; why is it that millions of people use this product, and it takes so long to find a problem? And when a new problem is found, MS corrects it. Obviously those problems are very minuscule and managed to elude us this far, so where is the problem?

If your arm was broken and you didn't know it, and the doctor couldn't find the fracture, and years later you started complaining of pain in your arm, then you can blame the doctor and yourself for not finding the root of the problem until now. Windows gets broken AFTER people use it. It's flawed because it's vulnerable because people make it vulnerable.

If they locked it down to the point where it was bulletproof, it wouldn't be very easy to use now, would it? But instead they make it easy to use, and as such, it's easy to exploit. You can't have things both ways, and don't give me this happy BS about Apple, Unix, and Linux that don't have problems, because there are just as many problems in those OSes as in Windows, so don't EVEN pretend they are not flawed.

People make products. People make mistakes. As long as there are products created by people that make mistakes, there will be flaws. If these so-called "experts" are so smart, why can't they find ALL the flaws at once? Huh? It missed QA, millions of users, hundreds and thousands of experts, gamers, and a host of hackers, and 3 years later they STILL manage to find new problems; that's an indication that obviously people are fine, and until something like spyware or some rogue program exploits a problem, that is a sign it's very resilient.

It takes some car manufacturers years to discover a problem with a frame.. because time and abuse, once again by the users, starts to make it a problem..

Score: 0

|

I agree with what you're saying. However, at the same time you have to agree that there's ALWAYS room for improvement, so complaints are clearly warranted. I believe Windows Vista will be a much much more secure OS, due to its "running in sandbox" design, so even when new vulnerabilities are exploited - the damage that can be done will be highly minimized to that sandbox.

This is not to say that the competition comes even close to being a better OS overall, IMO.

Still, MS has so much money they should hire every hacker who finds an exploit in their software OR HARDWARE! Double his current salary. They can afford it, and that hacker, if given access to some source code, will find even more holes and plug them before the bad guys get a chance to find them the hard way (trial and error).

Score: 0

|

I'm not pissed about MS having bugs and exploits. I'm pissed that they *force* you to use their s***ty software.

I've gutted IE and a dozen other things from my system to make it secure. Most of the exploits that make it to the headlines have no effect on my computer, but I pay a price. Most programs *expect* your computer to have IE, or at the very least some MS components that know how things work.

An example is cFosSpeed. The configuration panel launches some MS HTML thing, which does....nothing on my system, resulting in me manually editing ini files.

It's annoying that pre-installing crap on people's computers results in both less secure computers and more secure ones, but ones that can't do everything and have other flaws.

That's what I like about linux. For all the flaws it has, it seems to be designed so if you need something, you know the risks associated with it, and you can choose whether or not you want that component.

Though yeah...there are some distros that mostly mirror windows.

Score: 0

|

I choose to be less paranoid and more practical in my fears. What is worth worrying and what is not - is how I think about it. I've never met, or heard of, a single user who had suffered any monetary or critical data loss if they did a few basic things:

a. backed up their critical data
b. ran an updated antivirus
c. ran a top-rated firewall
d. kept their windows updated

So why should I worry about it and start inconveniencing myself with restrictions?

Further, even if you pick just two (any two) from the above four on the list, you're still highly likely to lose no money/data.

Score: 0

|

I see your point of view and understand it; however, you have to understand that one of the reasons MS did what they did (integrate IE, etc.) is so that third-party developers can easily develop applications around technologies in the OS. With the web becoming as big as it was in the late 90s, MS saw that to keep a competitive edge they needed to make it easy for the army of Windows developers to make web-enabled applications.

It turned out not so great for them in the security department, but it meant a lot of applications could be developed much more easily. As you mentioned, cFosSpeed (which I have no idea what it is) needs some MS libraries. The developer didn't have to use the MS libraries; they could have written their own, but that causes two problems. One, it means they have a lot more work (both initial development and maintenance). Microsoft provides a simple solution for them so they can develop their application quicker and be sure it will run on any system that contains the library it needs.

It is just the way development works. Nobody wants to write something someone else already has providing it does what they want.

Score: 0

|

Wow :/ That's great :( Well, I'm using the Firefox, but still it's not good :(

Folks, switch to Linux ;)

Score: 0

|

Yeah, one day Linux will be replaced by something else that sucks even more. Linux is a fad, and its day is coming. Linux will be a memory just like the Heath, the Commodore 64, Amiga, and OS/2.

Linux sucks!

Score: 0

|

I disagree. If China and the EU start putting massive amounts of cash into Linux (or any new OS they'll invent, possibly on unique hardware) - it has a great chance of eventually taking over. I really believe this.

Only because Linux/Acrobat exist did MS do the unthinkable and announce opening their Office formats.

Score: 0

|

Linux is in no way a fad. It's here to stay (thank goodness).

Score: 0

|

Instead of making blanket statements like "Linux sucks" (hey, isn't that the exact thing you accused me of yesterday?!) why not substantiate your comment.

Why does it suck?

Lemme throw out one major reason it sucks: DRIVERS.

Followed by why it doesn't: ADAPTABILITY.

Didn't you know, the Amiga isn't dead!
(haha)

Score: 0

|

Well, that's Microsoft for you. There better be a patch for this soon. Luckily I'm a Firefox user, so I don't have to be too worried by this. I'll just make sure not to download many images until there's a fix.

Score: 0

|

Luckily Microsoft always manages to fix things easily.

I don't use WMF, and I haven't seen it used or supported much :P

Score: 0

|

I think MS is not doing enough. It's not fast enough. MS policy SHOULD be that as soon as a vulnerability is discovered, they IMMEDIATELY notify all their customers so they can apply TEMPORARY workarounds before the real fix arrives. How many people do you think are aware of the WMF de-registration thing I posted? How many people do you think are getting hurt by this hole right this moment as we speak? I would say thousands.

Score: 0

|

Well they do. There is the security section of their website, multiple RSS feeds now available and lovely email messages you can subscribe to (which I believe are digitally signed so you can be sure they come from MS and not some scammer).

One of the problems with directly contacting the end user is that they need to know who the end user is, a way to contact them and what products they need (as I am sure you wouldn't want to get emails about EVERY MS product update would you?).

Personally I think RSS is the best way to deliver this information to users, sadly MS doesn't have their own RSS client yet, I wish they had released something quickly as they offer thousands of RSS feeds yet no way to view them!

Score: 0

|

MS doesn't need to know who their user is, not by name/email at least. They currently communicate critical/general OS updates very effectively via Automatic Windows Update.

The current MS policy is (roughly) monthly updates, so people can easily prepare for them and actually expect them to come. This is all nice and dandy when talking about vulnerabilities that have not been exploited yet. However, for cases such as the last one, where exploits are "in the wild", with many AV merchants rating it as "critical" - it would make sense for MS to block them temporarily (by disabling certain features) until a patch is released. My hope is that MS will do just that if an exploit that KILLS USER DATA is discovered, using this or any other future hole.

In the LEAST, allow me to have a little checkbox in Automatic Updates settings to "allow temporary workarounds for security vulnerabilities while Microsoft is working on a permanent fix". This way I get an immediate pop-up telling me WMF rendering is about to be temporarily disabled - until the patch is released, and then it will be AUTOMATICALLY re-enabled - OK?

Expecting folks to visit techy sites even on a weekly basis is not reasonable. Too many folks left out in the cold.

Score: 0

|

I agree more could be done and methods you suggest are workable. However one of the biggest problems is explaining the problem to the end user without a) scaring them so much they don't turn on their computer and b) making them understand the problem.

To be honest I had to do a quick search to jog my memory of what a WMF file was. I can't remember the last time I used them and my mind was blank when I read about it.

I do think you are on the right track though and I hope Microsoft do something to react quicker. I guess a simple message such as "A known security problem has been detected on your system. We highly suggest disabling the problem features. This can be done for you automatically by selecting OK. All features will be restored as quickly as possible and you will be notified once this has been done" and offer a link for more information. I guess 99% of end users will just do it.

I think one of the things holding Microsoft back is that AV firms release definitions to spot the infected files, etc. quickly, so any user with an auto-updating AV app should be protected (I know I was with NOD32 before I even read about the exploit). I guess this is why Microsoft want an AV app in the market, so they can help stop the problem before they release a patch to permanently fix the problem.

Score: 0

|

Windows puts me in mind of a screendoor on a submarine somehow..........

Score: 0

|

That's because it has more holes than a fishing net (and is somehow the most popular operating system)

Score: 0

|

Yeah, I don't think it's an accident, considering millions and millions of people use it. You think you might be in the minority because Windows is above you intellectually? I think so.

Maybe you don't understand how to use it, and that's why you have problems. The rest of the world gets along just fine. If it were so bad, why would it be so popular? I think you are just jealous, and if you don't like Windows, feel free to use anything else.

Score: 0

|

"If it were so bad, why would it be so popular?"

Well, walk into the nearest "computer" store IE: Circuit City, Best Buy, you know where every regular Joe shops and try to buy a computer without Windows.

Well, there's a MAC but the Windows box is much less expensive so guess which one gets purchased more.

Score: 0

|

If it was very bad, consumers would "inconvenience" themselves and install Linux on those PCs (in mass #'s). Consumers inconvenience themselves daily when searching for MP3's/movies on p2p networks rather than buying them - which means they feel they're getting bum-deals elsewhere. (Perhaps not the greatest example...)

So Windows may not be the greatest, but it's clearly not the worst. And the fact that millions of techies (such as myself) who could easily have migrated to Linux stay with Windows regardless of its "many" flaws hints that the OS is actually pretty good overall.

Score: 0

|

LOL

People would not do any such thing. They would do what one of my relatives did and just not use their computer anymore.

Consumers wouldn't inconvenience themselves one bit, they don't know what Linux is so how would they know where to get it or how to install it?

No, you are correct Windows is not the worst I can think of many situations where it's better. That doesn't change my point. ;-)

Score: 0

|

Gee.... I'm so shocked SP2 does nothing.

Wow, so surprised over here. (sarcasm)

Score: 0

|

Go back in your hole and stay there... jackass......

Score: -1

|

What is it with you all?!

Don't you have any backup image(s) for your OSes, and scheduled backups for your data running on your machines?

Maybe people'll have to learn to live with such things - even if they don't use but their private machines.

There is no safety - just be sure to take the necessary precautions to get your system working again within some five or ten minutes.

Thanx to "extremely well" for his helping comment, anyway.

Score: 0

|

Not everyone has the time, patience, computer resources, or disks to perform regular backups.

Score: 0

|

Then quit complaining about data loss!

Score: 0

|

I think complaining is a good thing(tm)

Hopefully it will cause MS to incorporate the technology they've recently bought from FolderShare not only into the toyish Messenger Live (so originally termed "Shared Folders" there), but also in more serious applications such as backing-up the most critical 2GB of user data - family pics, email, office docs, favorites. Anything but EXEs and other such (relatively) easily (re-)obtainable files. The clueless users would LOVE them for that, as they should.

At any rate, PC users have been extremely lucky in the last few years that most viruses/trojans did not really damage their data files, but rather tried to make money off them in one way or another (zombies spamming, bank account tapping, adware forced on you). Or perhaps using them as hop-points for hackers trying to cover their tracks or to use for DoS attacks.

And as HD's become less and less reliable by the day, it seems that pretty soon average users would start demanding min three HD setups, say in RAID3 so that even their non-critical stuff is constantly "backed-up" (of sorts). More than 90% of data loss IMHO is attributed to mechanical failure, only 10% to malware. And if you're actually running an updated antivirus, the numbers are more like 99%/1% -- again IMHO only. ;)

Score: 0

|

Waaa.. I don't have time to backup.. waaah..

Yet people have the time to recreate the data, don't they? There is no excuse for not backing up. It takes time, and? If it's important enough, they will do it.

I agree, quit complaining already!

Score: 0

|

It's not MS's job to see to it that you preserve *YOUR* data. Does the bank make you KEEP a savings account? NO, so don't whine when you spend all your money.

It's YOUR data, it's YOUR computer, it's YOUR time. You back up YOUR stuff.

Blame everyone else but yourself, when it's YOUR problem.

Score: 0

|

Nobody said MS has to do ANYTHING. MS should, however, do whatever they can to keep their customers happy, and keep the regulators away. Every little thing counts and MS is not unbeatable in the very long run, unless they are the best and really try the hardest to please their customers - not only to milk them.

BTW pure economics would also tell you it makes business sense - these backup services can be given for a fee, perhaps as part of MS's new OneCare initiative? (currently in beta)

If the customers are aware backup/antivirus service is available (obviously it'd be very heavily pushed with 3-month free trials on Vista installs or something), and it's very easy to use, and the customer STILL didn't go for it - at that time I'll say they deserve the data loss. At the same time, I do shed tears on the ignorant user who loses important files. People are stupid - not their fault really.

Score: 0

|

WOW, would you believe that we actually agree on something?

Well said!

;-)

Score: 0

|

That is a pretty poor excuse. There are a lot of free applications that allow you to set up automatic backups.

If you have enough time to write a post on this website, you have enough time to set up a backup process.

Score: 0

|

Many, many, many people use their computers as a tool - a newspaper replacement, a place to organize media (jukebox for audio and video), an alternative to physical mail.

Many of the things that make "my" Windows install "mine" are the customizations that are done. Many times these settings are stored in the registry, and even if they were backed up, there is no easy way (from the OS point of view) to get them back in effect after a reinstall.

Furthermore, with the vast expansion of HD capacity, how do you propose someone backs up their 200GB of media files? I guess that every PC that runs Windows should come complete with an external HD of equivalent size so that their "Data" and settings can be backed up. Oh, but WAIT, you can't have it plugged in all the time, otherwise when you visit a web site with a picture on it, everything can be deleted or otherwise rendered useless. I guess the BIOS should have some kind of backup utility in it (outside of the OS), but that would require knowledge of the filesystem and security - a completely new set of security problems...

How would it be for the makers of Tivo if every time a certain "viral" commercial came on, your Tivo deleted all recorded programs, all preferences (lists, schedules, etc.), and required a 4 hour rebuild? That is the equivalent of these exploits.

All we want is a little built in protection. Running as a non-administrative user is of vital importance and should be strictly enforced. The ability to "sudo" in Windows should be much more visible and accessible.

Score: 0

|

I saw McAfee VS Enterprise's Buffer Overflow protection stopping the malware in its tracks yesterday. Wonder if hardware buffer overflow protection (AMD/Intel) does anything.

Score: 0

|

If you enable DEP on XP (2003 has it on by default) to protect applications as well as the OS, this turns it on. Some crap applications may be broken by this, so XP has it off by default, although I have never run into a case of this breaking anything.

But on the same token, I avoid stupid applications that would need to have executable data segments.

Score: 0

|

*sighs* I can't say I'm surprised. I was expecting more security vulnerabilities to be discovered in Windows...

Score: 0

|

I am always expecting new vulnerabilities to be found as well.

It's only a matter of time until a new flaw is found.

Score: 0

|

True. It is kinda disappointing, but hardly surprising. This IS Windows. No offense to those that like it, but it's famous for its holes. Though, I admit... this exploit the article focuses on is minor.

Score: 0

|

Windows can be made to be very secure, however it takes quite a bit of effort.

Score: 0

|

Movie of the exploit in action (this link is safe itself):
http://www.websensesecur...es/alerts/wmf-movie.wmv

Score: 0

|

Sadly, I can't play .wmv files for some reason.

Score: 0

|

Wow... that really stinks. My parents always think that the simple solution to not getting a virus is to not blindly download stuff and stuff. It is definitely not that simple, and now I have the fodder to prove it. Thanks!

Meanwhile... /me continues surfing and stuff on Linux

Score: 0

|

haha yeah, just tell your parents to unplug from Internet so you can get more bandwidth :D

Score: 0

|

LINUX w00t!

Score: 0

|

If you like Linux then why bother to comment on MS products? If you like it, use it. Great for you. If you don't like MS, don't use it. no one is holding a gun to your head, but I can't wait until Linux starts to falter, and I can laugh in your face.

I know there are flaws, but I don't bother to hang around the Linux boards to see what they are, because I don't care. I am happy with MS, and it doesn't affect anyone else the fact that I like MS. But I don't blame you for liking something else, so quit bashing MS if you like Linux. Leave it alone!

Score: 0

|

So, if you don't KNOW why Linux sucks then why did you just attack it in an above comment?

Score: 0

|

An alternative, easier solution is to set the Internet Zone security on High.

Score: 0

|

Take off your pants. I'll give you a virus.

Score: 0

|

You have a little single celled organism in your pants?

heh

Score: 0

|

nice.

Score: 0

|

My comment or his little organism?

HAH!

Score: 0

|

Lacking that dll on my nLited and highly modified Win2k box, I'm not terribly worried about this...

Score: 0

|

You should be!

Score: 0

|

No, not really.

No DLL = No DLL Exploit

Score: 0

|

What if you have opened your system to more exploits by removing system features that should be there (perhaps to protect you?).

Score: 0

|

I actually encountered this the other day, damn thing caught me the first time but Nod32 got it the second.

Score: 0

|

Reporters - how about giving a link on how to temporarily disable that WMF crap-format?

Lemme assist:
http://www.gameshout.com.../122005/article2167.htm

----
A couple of security firms, including Verisign's iDefense, have published workarounds that appear to mitigate the threat. According to iDefense, Windows users can disable the rendering of WMF files using the following hack:

1. Click on the Start button on the taskbar.
2. Click on Run...
3. Type "regsvr32 /u shimgvw.dll" to disable.
4. Click ok when the change dialog appears.

iDefense notes that this workaround may interfere with certain thumbnail images loading correctly, though I have used the hack on my machine and haven't had any problems yet. The company notes that once Microsoft issues a patch, the WMF feature may be enabled again by entering the command "regsvr32 shimgvw.dll" in step three above.

Score: 0

|

Excellent link. That's what I was really hoping for.

Thanks

Score: 0

|

Damn, I thought it would be a joke or something....putting "Really Bad" in quotes like that.

That's just cruel.

Score: 0

|

I actually experienced an attempt from this exploit last night. Nothing managed to get onto the system though (or run) barring the WMF file. So far nothing has been detected nor other services/processes running apart from the normal. I personally think the security services are going a bit over the top with the threat as yes, those people who are running unprotected boxes could be asking for trouble, but the systems here are totally protected (and the failed attempt to exploit my box last night proves this). Maybe it is because I am running the Beta of IE7 that stopped it, I don't know for certain?

Score: 0

|

What were the symptoms?

Score: 0

|

Sore throat, stuffy nose, and a fever.

Score: 0

|

Open sores and greenish discharge?

Score: 0

|

gross! hahaha

Score: 0

|

One of my friends got infected by this last night, it's a true nightmare.

Score: 0

|

I just got infected using Opera browser. Luckily AVG picked it up and deleted the offending files. And it also crashed my mirc client.

Score: 0

|
