  1. #16

    john

    Re: WMF Bug

    I am lucky, my system backup went from about 13hrs a night down to about 1hr 15. You ask how I achieved this! By changing server! That's it!!! My Ultrium 1 is now working at full speed by swapping from a ML370G2 to a DL380G4. It's flying. As for restarts, I tend to hot restart them when assemblies are on or during lunchtime, the kids don't matter at lunch, the staff are key, so whilst they are eating, rebooting a couple will not harm anybody.

  2. #17

    Michael

    Re: WMF Bug

    IMPORTANT!!!!!

    The following websites http://stats4all.cc/ and http://stats4all.ws/ contain malicious code which exploits the recent Windows WMF vulnerability.

    Checking SINA records revealed the address: http://stats4all.cc/fa/p1hWwY7jFLNnwA/expl1.wmf

    The WMF filename and time detected matches that of Sophos which successfully detected and deleted the virus. This was on a system which already had the Official Microsoft patch applied. I'm unsure of the severity on unpatched systems, however for those of you with your own proxies, block these sites straight away!

  3. #18

    Geoff

    Re: WMF Bug

    Two more security issues have been found in the Windows WMF libraries.

    http://www.pcworld.com/news/article/...011006X,00.asp

    They aren't as serious as the first one (just crash the machine) but why didn't MS pick them up while it was patching the publicly known one?

  4. #19


    Re: WMF Bug

    Yeah. This whole thing stinks.

    Paul

  5. #20

    mac_shinobi

    Re: WMF Bug

    Found this and thought it may be useful, a vulnerability tester and also a patch which was a temporary one but does the exact same thing as the MS update apparently:

    http://www.grc.com/sn/notes-020.htm

  6. #21


    Re: WMF Bug

    If you read the thread, most of us applied that patch or intended to a full week ago! It's probably not worth installing now since most if not all networks will be installing Microsoft's patch, also released a short time ago (no doubt in retaliation to the unofficial patch and media coverage of the exploit).

    I'm still browsing at home with Ubuntu and OS X. With the exploit expanding I think this is something that will definitely haunt MS for a time.

    Paul

  7. #22

    Geoff

    Re: WMF Bug

    Here's a snort rule (taken from Bleeding Snort) to pick up all known variants of the WMF exploit.

    Code:
    #by mmlange
    alert tcp any any -> $HOME_NET any (msg:"BLEEDING-EDGE CURRENT WMF Exploit"; flow:established; content:"|01 00 09 00 00 03 52 1f 00 00 06 00 3d 00 00 00|"; content:"|00 26 06 0f 00 08 00 ff ff ff ff 01 00 00 00 03 00 00 00 00 00|"; reference: url,http://www.frsirt.com/exploits/20051...tafile.pm.php; classtype:attempted-user; sid:2002734; rev:1;)
    
    # By Frank Knobbe, 2005-12-28. Additional work with Blake Harstein and Brandon Franklin.
    # flow_depth (of http_inspect_server) has to be set to 0. Recommend second Snort instance with that config.
    # Note that these rules will fail to detect the exploit when the HTTP response is gzipped.
    # There is also a possibility for evasion, but a version that catches it will incur a massive amount of FPs.
    #
    #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT WMF Escape Record Exploit - All Ports - v3"; flow:established,from_server; flowbits:isnotset,bleeding_wmf_expl; flowbits:isnotset,bleeding_wmf_expl_v1; content:"|00 09 00 00 03|"; content:"|00 00|"; distance:10; within:12; flowbits:set,bleeding_wmf_expl; flowbits:noalert; classtype:unknown; reference:url,www.frsirt.com/english/advisories/2005/3086; sid:2002733; rev:7;)
    #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT WMF Escape Record Exploit - All Ports - v1"; flow:established,from_server; flowbits:isnotset,bleeding_wmf_expl; flowbits:isnotset,bleeding_wmf_expl_v1; content:"|00 09 00 00 01|"; content:"|00 00|"; distance:10; within:12; flowbits:set,bleeding_wmf_expl_v1; flowbits:noalert; classtype:unknown; reference:url,www.frsirt.com/english/advisories/2005/3086; sid:2002759; rev:1;)
    
    # These rules have to be there for both
    alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT WMF Escape Record Exploit - Version 1"; flowbits:isset,bleeding_wmf_expl_v1; pcre:"/\x26[\x00-\xff]\x09\x00/"; flowbits:unset,bleeding_wmf_http; flowbits:unset,bleeding_wmf_expl; flowbits:unset,bleeding_wmf_expl_v1; classtype:attempted-user; threshold:type limit, track by_src, count 1,seconds 120; reference:url,www.frsirt.com/english/advisories/2005/3086; sid:2002758; rev:2;)
    alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT WMF Escape Record Exploit - Version 3"; flowbits:isset,bleeding_wmf_expl; pcre:"/\x26[\x00-\xff]\x09\x00/"; flowbits:unset,bleeding_wmf_http; flowbits:unset,bleeding_wmf_expl; flowbits:unset,bleeding_wmf_expl_v1; classtype:attempted-user; threshold:type limit, track by_src, count 1,seconds 120; reference:url,www.frsirt.com/english/advisories/2005/3086; sid:2002742; rev:5;)
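Added example, not part of the post above or of the Bleeding Snort ruleset: a file-level check for the same Escape record the rules' pcre looks for, done by walking the WMF records rather than matching bytes in the stream, and decompressing a gzipped body first (the case the rule comments say is missed). The function names and the payload-free sample file are constructed for illustration.

```python
import gzip
import struct

PLACEABLE_KEY = 0x9AC6CDD7  # optional 22-byte placeable header before the WMF header
META_ESCAPE = 0x0626        # record function "Escape" (the 26 06 bytes in the rules)
SETABORTPROC = 0x0009       # escape number (the 09 00 bytes in the rules' pcre)

def find_setabortproc(data):
    """Return byte offsets of META_ESCAPE/SETABORTPROC records in a WMF."""
    if data[:2] == b"\x1f\x8b":          # gzip body, the case the rules miss
        data = gzip.decompress(data)
    pos = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        pos = 22
    if len(data) < pos + 18:
        return []
    ftype, hdr_words, version = struct.unpack_from("<HHH", data, pos)
    if ftype not in (1, 2) or hdr_words != 9 or version not in (0x0100, 0x0300):
        return []                        # not a WMF header
    pos += hdr_words * 2
    hits = []
    while pos + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, pos)
        if func == META_ESCAPE and pos + 8 <= len(data):
            if struct.unpack_from("<H", data, pos + 6)[0] == SETABORTPROC:
                hits.append(pos)
        if func == 0 or size_words < 3:  # META_EOF or malformed size: stop
            break
        pos += size_words * 2
    return hits

def build_sample(with_escape):
    """Constructed, payload-free sample: header, optional Escape record, EOF."""
    records = b""
    if with_escape:
        # size = 5 words, function = Escape, escape number = 9, byte count = 0
        records += struct.pack("<IHHH", 5, META_ESCAPE, SETABORTPROC, 0)
    records += struct.pack("<IH", 3, 0)  # META_EOF
    total_words = 9 + len(records) // 2
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, total_words, 0, 5, 0)
    return header + records

if __name__ == "__main__":
    plain = build_sample(True)
    print(find_setabortproc(plain))                  # plain file
    print(find_setabortproc(gzip.compress(plain)))   # gzipped response body
    print(find_setabortproc(build_sample(False)))    # clean file
```

A walker that trusts the record size fields shares the evasion concern raised in the rule comments, so a file that stops parsing early is better treated as suspect than as clean.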

  8. #23

    Michael

    Re: WMF Bug

    It is unfortunate two new security issues have been found so soon after the WMF patch was released, however on a brighter note at least MS will patch it. If the problems are serious enough, I'm sure they'll release an out of cycle patch.

    All these updates will be included in XP SP3 and of course Vista which'll hopefully be the last of this particular problem.

  9. #24

    Geoff

    Re: WMF Bug

    That's not much help for poor souls still using W2k or W9x. I know there's quite a few of those machines round here.

  10. #25

    Michael

    Re: WMF Bug

    Well 2000 SP3 and later supports Automatic Updates just like XP, you can go to Microsoft Update or in a domain environment, 2000 can receive updates from SUS or WSUS. I don't see it's a major problem.
    Microsoft will never release SP5, however they have released Update Rollup 1 for 2000 SP4 users. I believe at some point in the future they'll release Update Rollup 2, 3, 4...

    As for W9x users I honestly think it's time to upgrade. I see no justification other than financial or specialised environments which require the use of such an old operating system.

  11. #26

    Geoff

    Re: WMF Bug

    Quote, originally posted by Michael:
        Well 2000 SP3 and later supports Automatic Updates just like XP, you can go to Microsoft Update or in a domain environment, 2000 can receive updates from SUS or WSUS. I don't see it's a major problem.
        Microsoft will never release SP5, however they have released Update Rollup 1 for 2000 SP4 users. I believe at some point in the future they'll release Update Rollup 2, 3, 4...

    Well my understanding is that MS are still supporting W2k server but not W2k Workstation. So if you have any desktops running W2k you're up a certain creek without a paddle.

    Quote, originally posted by Michael:
        As for W9x users I honestly think it's time to upgrade. I see no justification other than financial or specialised environments which require the use of such an old operating system.

    Hardware... Win9x -> Linux is the only viable upgrade path.

  12. #27

    Michael

    Re: WMF Bug

    Windows 2000 is now in its Extended Support phase. Microsoft will only fix critical problems until the year 2010, which you can view here

    XP Professional's Extended Support phase ends 31/12/2011 - one and a half years after 2000. We could be beta testing Vista's successor by then!

    I agree generally some W9x computers aren't powerful enough to run 2000/XP, however in a lot of cases a memory upgrade can make all the difference. Memory is very cheap these days. 2000/XP's requirements MHz wise aren't that demanding, but both operating systems are very demanding on memory.

  13. #28

    Geoff

    Re: WMF Bug

    Sticking some memory in an old PC just so you can upgrade it to W2k seems a bit futile in the long run. Not very cost effective either. On a more practical note I've had lots of fun and games with old motherboards not liking 256MB and/or single sided DIMMs.
