Windows WMF vulerability affects Fx users?. What can we do?
-
- Guest
-
- Posts: 13808
- Joined: November 7th, 2005, 11:26 am
-
- Posts: 1183
- Joined: April 2nd, 2003, 11:07 pm
Alice wrote:In other words, If you can open a .wmf file, you're vulnerable.
No doubt about that. I remember back in the day when meta files were all the rage and you could do some pretty crazy things with them. I'm sure this is just the tip of the iceberg and it's a pretty big one already. The only real "fix" I see is to disable parsing meta files at the kernel level, that's not going to be easy and it's really going to mess with MS Office and even Corel Office. Big ol' can of worms this is. Even Word Pad parses .wmf files for chris' sakes.
-
- Guest
I'd like to clarify something. By default (even in win fx 1.5), the windows media plug-in allows certain formats to be displayed embedded. Now I say again this is by default. If a wmf file need not have the appropriate extension to do damage then it can simply have an extension like wmv. When firefox sees this, isn't it going to send it straight to the plug-in? And if so, isn't wmp going to look at the file header and then treat it as a wmf?
-
- Posts: 1183
- Joined: April 2nd, 2003, 11:07 pm
That's a scary thought. Yeah, you are right. Windows Media Player can show image files and Windows identifies .wmf files by their header and not by the extension. So, what you suggest is entirely plausible. However, if you have applied the patch and unregistered the .dll you should be immune to such trickery. Should be.
-
- Guest
monkeyman wrote:That's a scary thought. Yeah, you are right. Windows Media Player can show image files and Windows identifies .wmf files by their header and not by the extension. So, what you suggest is entirely plausible. However, if you have applied the patch and unregistered the .dll you should be immune to such trickery. Should be.
I didn't apply the patch for reasons being, I'm concearned about how it might affect the official m$ patch (that hopefully comes out soon).
I was browsing the forums and was directed to this post by http://forums.mozillazine.org/viewtopic.php?t=362478
I don't think we should be telling people firefox is safe unless we are sure of it.
-
- Posts: 1183
- Joined: April 2nd, 2003, 11:07 pm
Anonymous wrote:monkeyman wrote:That's a scary thought. Yeah, you are right. Windows Media Player can show image files and Windows identifies .wmf files by their header and not by the extension. So, what you suggest is entirely plausible. However, if you have applied the patch and unregistered the .dll you should be immune to such trickery. Should be.
I didn't apply the patch for reasons being, I'm concearned about how it might affect the official m$ patch (that hopefully comes out soon).
I was browsing the forums and was directed to this post by http://forums.mozillazine.org/viewtopic.php?t=362478
I don't think we should be telling people firefox is safe unless we are sure of it.
But, it's Windows Media Player and not Firefox. Every browser has to call up external programs at some point or other. WMF files are parsed by a huge number of programs so, unless you want to remove all of your plugins, there is going to be a certain risk no matter what browser you use, if you are unpatched.
-
- Guest
monkeyman wrote:Anonymous wrote:monkeyman wrote:That's a scary thought. Yeah, you are right. Windows Media Player can show image files and Windows identifies .wmf files by their header and not by the extension. So, what you suggest is entirely plausible. However, if you have applied the patch and unregistered the .dll you should be immune to such trickery. Should be.
I didn't apply the patch for reasons being, I'm concearned about how it might affect the official m$ patch (that hopefully comes out soon).
I was browsing the forums and was directed to this post by http://forums.mozillazine.org/viewtopic.php?t=362478
I don't think we should be telling people firefox is safe unless we are sure of it.
But, it's Windows Media Player and not Firefox. Every browser has to call up external programs at some point or other. WMF files are parsed by a huge number of programs so, unless you want to remove all of your plugins, there is going to be a certain risk no matter what browser you use, if you are unpatched.
If u look at it that way, then Internet explorer is not to be blamed as well. Visit the link I posted, someone asked if firefox was safe. The response was yes. When clearly that is not true. The chances of triggering a hidden wmf file in firefox is equal to that of IE. If someone came here and asked if IE was safe, everyone would be saying no.
-
- Guest
-
- Posts: 1183
- Joined: April 2nd, 2003, 11:07 pm
Anonymous wrote:monkeyman wrote:Anonymous wrote:monkeyman wrote:That's a scary thought. Yeah, you are right. Windows Media Player can show image files and Windows identifies .wmf files by their header and not by the extension. So, what you suggest is entirely plausible. However, if you have applied the patch and unregistered the .dll you should be immune to such trickery. Should be.
I didn't apply the patch for reasons being, I'm concearned about how it might affect the official m$ patch (that hopefully comes out soon).
I was browsing the forums and was directed to this post by http://forums.mozillazine.org/viewtopic.php?t=362478
I don't think we should be telling people firefox is safe unless we are sure of it.
But, it's Windows Media Player and not Firefox. Every browser has to call up external programs at some point or other. WMF files are parsed by a huge number of programs so, unless you want to remove all of your plugins, there is going to be a certain risk no matter what browser you use, if you are unpatched.
If u look at it that way, then Internet explorer is not to be blamed as well. Visit the link I posted, someone asked if firefox was safe. The response was yes. When clearly that is not true. The chances of triggering a hidden wmf file in firefox is equal to that of IE. If someone came here and asked if IE was safe, everyone would be saying no.
Firefox itself doesn't parse .wmf files so, in that respect, Firefox is safer. However, "safer" is not "safe". So, yes, saying Firefox is safe is not entirely true. If you removed the plugins that call external programs then Firefox would be safe. It's a really nasty system wide vulnerability so I can't stress enough how important getting patched and dealing with the official patch later is. It's bad. Really, really bad. It may be the worst Windows vulnerability ever.
-
- Posts: 299
- Joined: March 11th, 2004, 9:05 pm
monkeyman wrote:I didn't apply the patch for reasons being, I'm concearned about how it might affect the official m$ patch (that hopefully comes out soon).
The patch can be uninstalled.
If for some reason the patch does not work for you, please uninstall it. It will be in the list of installed programs as "Windows WMF Metafile Vulnerability HotFix". I'd like to know what programs are crippled by the fix, please tell me.
I recommend you to uninstall this fix and use the official patch from Microsoft as soon as it is available.
http://www.hexblog.com/2005/12/wmf_vuln.html
.
-
- Posts: 1183
- Joined: April 2nd, 2003, 11:07 pm
I got some more info about the Windows Media Player question from F-Secure and it seems that WMP isn't a problem afterall:
"In our tests (under XP SP2) older versions of Firefox (1.0.4) defaulted to open WMF files with "Windows Picture and Fax Viewer", which is vulnerable. Newer versions (1.5) defaulted to open them with Windows Media Player, which is not vulnerable...but then again, Windows Media Player is not able to show WMF files at all so this might be a bug in Firefox. Opera 8.51 defaults to open WMF files with "Windows Picture and Fax Viewer" too. However, all versions of Firefox and Opera prompt the user first."
http://www.f-secure.com/weblog/archives ... l#00000752
"In our tests (under XP SP2) older versions of Firefox (1.0.4) defaulted to open WMF files with "Windows Picture and Fax Viewer", which is vulnerable. Newer versions (1.5) defaulted to open them with Windows Media Player, which is not vulnerable...but then again, Windows Media Player is not able to show WMF files at all so this might be a bug in Firefox. Opera 8.51 defaults to open WMF files with "Windows Picture and Fax Viewer" too. However, all versions of Firefox and Opera prompt the user first."
http://www.f-secure.com/weblog/archives ... l#00000752
-
- Guest
monkeyman wrote:I got some more info about the Windows Media Player question from F-Secure and it seems that WMP isn't a problem afterall:
"In our tests (under XP SP2) older versions of Firefox (1.0.4) defaulted to open WMF files with "Windows Picture and Fax Viewer", which is vulnerable. Newer versions (1.5) defaulted to open them with Windows Media Player, which is not vulnerable...but then again, Windows Media Player is not able to show WMF files at all so this might be a bug in Firefox. Opera 8.51 defaults to open WMF files with "Windows Picture and Fax Viewer" too. However, all versions of Firefox and Opera prompt the user first."
http://www.f-secure.com/weblog/archives ... l#00000752
Same guest (from above)
cheers monkeyman. I can surf safely now
-
- Guest
http://www.grc.com/sn/notes-020.htm
There is a pre-packaged patch on this page. It can be easily un-installed when ms finally gets around to fixing it.
There is a pre-packaged patch on this page. It can be easily un-installed when ms finally gets around to fixing it.
-
- Posts: 299
- Joined: March 11th, 2004, 9:05 pm