Talk:Microsoft Windows metafiles are a vector for computer viruses

Is this even news?
Is it binary? Is Microsoft Windows involved? Then it's a vector for computer viruses. We already know this. Is this even newsworthy? 67.189.63.57 23:09, 2 January 2006 (UTC)

Sources not linked from article
Metasploit's sample exploit ( explanation )

Slashdot's coverage:

Metafilter's coverage:



MediaWiki's vulnerability
I preformed a few minor tests to verify that MediaWiki does not allow uploads of .wmf files, or .wmf files renamed to .jpg, but these don't warent an OR tag. I don't know if there is some format under which MediaWiki can be tricked into mistakenly accepting a .wmf file, nor if MediaWiki running under Windows uses system DLLs for file type identification, and thus is vulnerable itself. Nyarlathotep 19:41, 2 January 2006 (UTC)

Okay, we are vulnerable. Commons accepts .wmf files mascarading as .ogg files. However, I've yet to find any format which is natively displayed by MediaWiki, oggs are just an offsite link, even if they are not offsite. Nyarlathotep 21:05, 2 January 2006 (UTC)


 * Will that play anywhere though. Mediawiki displays that as a speaker icon. If you download it, your mediaplayer will just say the file's gibberish. Bawolff ☺☻[[image:smile.png]] 00:31, 3 January 2006 (UTC)


 * If you download it, and somewhere along the way, any of the vulnerable dll parse the file (for example, after checking the file header to discover it's really WMF), then you probably could be infected. Whether that does happen is another question. -- KTC 00:42, 3 January 2006 (UTC)

Breaking?
I have no idea if this is really breaking news, virus vulnerabilities are traditionally handled in pretty obscure channels, but this seems like a really really big one, and the exploits seem nastier than usual. Nyarlathotep 16:40, 2 January 2006 (UTC)
 * News broke yesterday of it (NPR and WINS carried the story) but I wasn't able to gather sources and find out which versions of Windows were affected and how. &#x25aa; NeoAmsterdam TalkEdits 17:22, 2 January 2006 (UTC)
 * Everything is effected: no official patch exists. Somebody even claimed that they accedentally infected their DOS machine running wget, meaning that the metafile got run somehow once it was downloaded.  Nyarlathotep 17:48, 2 January 2006 (UTC)
 * Not a DOS machine, but a "DOS box" -- a misnomer for the cmd.exe command prompt. (black text window thing) The code was executed instantly because a filesystem filter driver detected the new file as soon as it was written to disk. In order to index the file for searching, the filter driver used vulnerable Windows code to examine the file. 24.110.60.225 02:47, 3 January 2006 (UTC)


 * I don't know about anyone else, but this has been in practice for many... many years now. WMF was widely exploited since about the time that the ASF/WMV "hacks" came into place.  That being said, I don't think it should be breaking - and I think the focus of this article should switch to the patch rather than the vulnerability, which has been known and exploited for years. (see )  --MrMiscellanious – Happy New Year – 17:53, 2 January 2006 (UTC)
 * I don't think your linked article is the same issue at all, as we arn't talking about a buffer over/underflow here. Here we appear to have a vunlerability which is trivial to exploit, works on all Windows machines, and is actively being exploited by the worst sorts of people, along with hosts of online forum pranksters.  I've seen people say "An IM worm was only a matter of time", but they always appear to be referring to the initial discovery of the an outbreak on Dev 27th, although that is not absolutely clear, I could be wrong about its exploitation history.  Anyway, its not clear to me that any computer virus stories should be considered breaking news, but this one seemed like a probable candidate, revert if you disagree.  Nyarlathotep


 * The code, to my understanding, only executes under a buffer overflow. So, I would say it is very relevent to point out that this is not new information, and has been discovered for years.  --MrMiscellanious – Happy New Year – 23:56, 2 January 2006 (UTC)
 * Not my understanding of this vulnerability, but yes it is not extremely new but has been talked about since November. It is currently widely exploited by spyware but not much malware (haven't heard of any.) -  Amgine | talk en.WN 00:56, 3 January 2006 (UTC)
 * You're confused. There were two vulnerabilities in quick succession. The first one was a buffer overflow in November that was easy to fix. The second one, made public on December 27, is a serious design flaw which seems to go back 15 years to Windows 3.0. It's not a buffer overflow, and thus won't be stopped by most things that work against buffer overflows. Unlike a buffer overflow, this is easy to write a solidly reliable exploit for. You can exploit essentially all versions of Windows with the same WMF. 24.110.60.225 02:52, 3 January 2006 (UTC)
 * Well, it's only a "serious design flaw" because we have the benefit of hindsight and living in a different computing world than that of 15 years ago. The same can be said of TCP/IP not have much consideration for security in its protocol design. It didn't need it when it was invented. Unfortunaly, just not the case anymore. -- Wikipedia:User:KTC 05:37, 3 January 2006 (UTC)

Has this vunerability been exploited in the wild yet?
Tabbed as NPOV because of concerns over the title.

has this vunerablity actually been epxloited in the wid yet?

ShakespeareFan00 20:15, 2 January 2006 (UTC)


 * I think you miss-read the title, as I did once myself, dispite the fact that I wrote it. I'll renamed the article to something less likely to cause miss-readings and remove the tag.  Feel free to restore the tag if you don't think I managed to address the issue.  Or just rename the article yourself, I'm not picky about the title.  Yes, its has a number of wild exploits, mostly trojans, but it also has an IM worm.  Nyarlathotep 20:27, 2 January 2006 (UTC)


 * Yes. See External links in Wikipedia's article - 2005 WMF vulnerability. -- Wikipedia:User:KTC 20:32, 2 January 2006 (UTC)


 * I know The Reg isn't exactly a credible and reliable news source, but they do take this sort of stuff seriously. Their article starts off "Hackers have created a range of Trojan programs which exploit a dangerous new Windows Meta File vulnerability."  Note the use of past tense: It's confirmed and wild. &#x25aa; NeoAmsterdam TalkEdits 21:05, 2 January 2006 (UTC)

Am I the only one
who first read WMF as wikimedia foundation? Bawolff ☺☻ 22:32, 2 January 2006 (UTC)
 * lol The only one who will admit it so far. ;) --Ikester 23:01, 2 January 2006 (UTC)

Suggestion
Change the article name from Microsoft Windows metafiles are a vector for computer viruses to Microsoft Windows are a vector for computer viruses ;-) --ren
 * But that wouldn't be news.

Patch Available
Windows XP just notified me that there was a fix for something unspecific...

Size: 196 KB - 710 KB

''A remote code execution security issue has been identified in the Graphics Rendering Engine that could allow an attacker to remotely compromise your Windows-based system and gain control over it. You can help protect your computer by installing this update from Microsoft. After you install this item, you may have to restart your computer.''

More information for this update can be found at 

The link doesn't seem to lead anywhere, and searches for patches related to the KB article 912919 doesn't turn up anything. Can't find any sources. Hmm...

More information is available here... http://www.microsoft.com/technet/security/bulletin/ms06-jan.mspx --anon 70.92.174.251 20:40, 5 January 2006 (UTC)


 * I just checked [http://windowsupdate.microsoft.com], there is an update. KB912919, see this security bulletin.  This should be written as a new article. --Brian McNeil / talk 20:47, 5 January 2006 (UTC)
 * The update requires a restart... C-ya! Brian McNeil / talk 20:49, 5 January 2006 (UTC)


 * I have reverted this because the availability of a patch should be a new story that has a ==Related news== section with a link to this story. --Brian McNeil / talk 21:02, 5 January 2006 (UTC)


 * Love to, but I'm anon. ;) Someone else will have to handle that, I guess. Still, though, I figured it'd be worth mention until a new article actually existed... --anon 70.92.174.251 21:06, 5 January 2006 (UTC)
 * As an anon there is absolutely nothing stopping you from starting a new story, just fill in the title you want in the box on the main page and have a go. Not registering an account will only stop you doing some things like renaming stories. --Brian McNeil / talk 21:09, 5 January 2006 (UTC)
 * Oh, I'm used to the WP convention of anonymous users being prohibited from creating new articles. Well. I don't have much to contribute, but I'll give it a shot. Thanks. --anon 70.92.174.251 21:52, 5 January 2006 (UTC)
 * I have created a stub article at Microsoft releases emergency patch for WMF exploit, hope you're happy to contribute to that. --Brian McNeil / talk 21:38, 5 January 2006 (UTC)

I'm not sure this really warrants a seperate news story. Patches are just whats expected. Not releasing a patch would be a news story. But releasing an emergency patch 5 days ahead of their scheduled monthly patch update doesn't seem like a news story to me. I recommend generalizing the new story to cover all responces to the exploit, not just Microsofts. We can continue this conversation on Talk:Microsoft releases emergency patch for WMF exploit. Nyarlathotep 22:17, 5 January 2006 (UTC)
 * This was a significant exploit, I had coworkers that got hit by it and had major problems getting cleaned up. They didn't do anything stupid, this was an exploit without a patch.  Most other issues have been exploits reverse-engineered from patches.  I think the stub I mention above has become an okay article, can we continue any discussion on this on it's talk page? --Brian McNeil / talk 22:24, 5 January 2006 (UTC)