Friday, January 6, 2006
and .. who Microsoft is thinking of thanking (at the end of the day, during its prayers)
==== cut from Microsoft Security Bulletin Summary for January 2006 ====
Acknowledgments:
Microsoft thanks the following for working with us to protect customers:
* Dan Hubbard of WebSense (http://websense.com/global/en/) for working with us on MS06-001.
==== cut ====
so why not make Ilfak Guilfanov's dick a rainbow while they're at it?
I mean, who the fuck is this lizard Dan Hubbard?
============ other copyrights
the rainbow dick idea comes from MALAIESTI, BUCEGI.
MALAIESTI is the place I haunted almost obsessively in my early mountain days; for me it was the glacial bowl where I spotted a chamois every time I looked toward Bucsoiu.
(after that the place that became an obsession was the Rametz and its gorges)
ANYWAY! so .. in Malaiesti, I was sitting on a bench in front of the hut, resting. Three guys stop in front of the hut. I don't know exactly what started the conversation BUT at one point it had reached: "I can't piss either. I've still got some lipstick on my dick. From two days ago. From your wife" .. that's how one of them consoled his friend. GENIUS!
http://blogs.securiteam.com/index.php/archives/184
==== cut ====
So, Microsoft released a patch ahead of schedule. We can only applaud that.
But what does that patch do?
Exactly what Ilfak Guilfanov’s patch did, only he built it in a few hours (plus some testing).
Microsoft disallowed SETABORT. Same as Ilfak’s… rearranged a bit. See for yourselves below. If that is the best solution, we see no harm in that either. It just seems that MS06-001 is Ilfak’s patch in a prettier outfit.
We understand the need for extensive testing, so the time differential in this case can be accepted. And yet…
The new patch was released today. After patching, the new gdi32.dll is dated to the 28th of December. What’s the date today?
What’s that all about? It makes you wonder, doesn’t it?
Well, why don’t you see for yourselves? Here is what Microsoft did, as bindiff shows.
Old GDI32 has the bug here:
.text:77F24914 movzx eax, word ptr [ebx+6]
.text:77F24918 cmp eax, 0Fh
.text:77F2491B jz loc_77F25067 ; default
.text:77F24921 push 0 ; LPVOID
.text:77F24923 lea ecx, [ebx+0Ah]
.text:77F24926 push ecx ; LPCSTR
.text:77F24927 movzx ecx, word ptr [ebx+8]
.text:77F2492B push ecx ; int
.text:77F2492C push eax ; int
.text:77F2492D push dword ptr [ebp-7Ch] ; HDC
.text:77F24930 call Escape
.text:77F24935 jmp loc_77F23F23
The patched GDI32.DLL contains this code instead:
.text:77F24914 movzx ecx, word ptr [ebx+6]
.text:77F24918 push ecx
.text:77F24919 call _IsAllowedWmfEscape@4 ; IsAllowedWmfEscape(x)
.text:77F2491E test eax, eax
.text:77F24920 jz loc_77F2506C ; default
.text:77F24926 push 0 ; LPVOID
.text:77F24928 lea eax, [ebx+0Ah]
.text:77F2492B push eax ; LPCSTR
.text:77F2492C movzx eax, word ptr [ebx+8]
.text:77F24930 push eax ; int
.text:77F24931 push ecx ; int
.text:77F24932 push [ebp+var_7C] ; HDC
.text:77F24935 call _Escape@20 ; Escape(x,x,x,x,x)
.text:77F2493A jmp loc_77F23F23
… and the new function itself:
.text:77F42D66 ; __stdcall IsAllowedWmfEscape(x)
.text:77F42D66 _IsAllowedWmfEscape@4 proc near ; CODE XREF: PlayMetaFileRecord(x,x,x,x)+ACDp
.text:77F42D66
.text:77F42D66 arg_0 = dword ptr 8
.text:77F42D66
.text:77F42D66 mov edi, edi
.text:77F42D68 push ebp
.text:77F42D69 mov ebp, esp
.text:77F42D6B xor eax, eax
.text:77F42D6D cmp [ebp+arg_0], 9
.text:77F42D71 jz short loc_77F42D7A
.text:77F42D73 cmp [ebp+arg_0], 0Fh
.text:77F42D77 jz short loc_77F42D7A
.text:77F42D79 inc eax
.text:77F42D7A
.text:77F42D7A loc_77F42D7A: ; CODE XREF: IsAllowedWmfEscape(x)+Bj
.text:77F42D7A ; IsAllowedWmfEscape(x)+11j
.text:77F42D7A pop ebp
.text:77F42D7B retn 4
.text:77F42D7B _IsAllowedWmfEscape@4 endp
==== cut ====
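What the two listings above amount to, as an added example written for this page (it is not Microsoft's code, not Ilfak's patch, and not from the securiteam post): a small C walker over WMF records that reproduces the visible decision. The record layout follows the offsets in the disassembly (size in words at +0, function at +4, escape code at [ebx+6], byte count at [ebx+8], data from [ebx+0Ah]); the escape numbers 9 and 0Fh are SETABORTPROC and MFCOMMENT from wingdi.h, META_ESCAPE is record type 0x0626, and QUERYESCSUPPORT (8) is used as the harmless escape that both policies forward. The sample stream is constructed, carries no payload, and exists only to show that the old policy lets SETABORTPROC through while the new one refuses it. The bounds checks on the size field are this example's own additions: the patch shown changes only which escapes are forwarded, not how the record sizes are trusted.

```c
/* Added example: model of the dispatch logic in the bindiff above.
 * Not Microsoft's or Ilfak's code.  Record layout follows the offsets in
 * the disassembly: DWORD size (words) at +0, WORD function at +4,
 * WORD escape code at +6, WORD byte count at +8, data from +0Ah. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define META_ESCAPE      0x0626
#define META_EOF         0x0000
#define ESC_SETABORTPROC 9    /* escape 9: installs a callback, the abused one */
#define ESC_MFCOMMENT    15   /* escape 0Fh: already skipped before the patch */
#define WMF_HEADER_BYTES 18   /* standard (non-placeable) METAHEADER */

/* Same decision as the new IsAllowedWmfEscape: 0 = refuse, 1 = forward to Escape(). */
int is_allowed_wmf_escape(uint16_t code)
{
    return (code == ESC_SETABORTPROC || code == ESC_MFCOMMENT) ? 0 : 1;
}

/* Pre-patch behaviour: only 0Fh was diverted to 'default'. */
int old_allowed_wmf_escape(uint16_t code)
{
    return code != ESC_MFCOMMENT;
}

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* Walk the records after the header and count the META_ESCAPE records that
 * the given policy would forward to Escape().  Returns -1 for a malformed
 * stream (size field below the 3-word minimum or past the end of the buffer);
 * these bounds checks are this example's addition, not part of the patch. */
int count_dispatched_escapes(const uint8_t *buf, size_t len, int (*allowed)(uint16_t))
{
    size_t off = WMF_HEADER_BYTES;
    int dispatched = 0;

    if (len < WMF_HEADER_BYTES)
        return -1;
    while (off + 6 <= len) {
        uint32_t size_words = rd32(buf + off);
        uint16_t function   = rd16(buf + off + 4);
        size_t   size_bytes;

        if (size_words < 3 || size_words > (len - off) / 2)
            return -1;                              /* never trust the size field */
        size_bytes = (size_t)size_words * 2;
        if (function == META_EOF)
            return dispatched;
        if (function == META_ESCAPE && size_words >= 5) {
            uint16_t escape = rd16(buf + off + 6);  /* [ebx+6] */
            uint16_t count  = rd16(buf + off + 8);  /* [ebx+8] */
            if (count > size_bytes - 10)            /* data starts at [ebx+0Ah] */
                return -1;
            if (allowed(escape))
                dispatched++;
        }
        off += size_bytes;
    }
    return -1;                                      /* no META_EOF before the end */
}

/* Constructed sample, not a real file: 18-byte header, three escape records
 * with two data bytes each (SETABORTPROC, MFCOMMENT, QUERYESCSUPPORT), META_EOF. */
static const uint8_t SAMPLE_WMF[] = {
    0x01,0x00, 0x09,0x00, 0x00,0x03, 0x1E,0x00,0x00,0x00, 0x00,0x00,
    0x06,0x00,0x00,0x00, 0x00,0x00,
    0x06,0x00,0x00,0x00, 0x26,0x06, 0x09,0x00, 0x02,0x00, 0x00,0x00,
    0x06,0x00,0x00,0x00, 0x26,0x06, 0x0F,0x00, 0x02,0x00, 0x00,0x00,
    0x06,0x00,0x00,0x00, 0x26,0x06, 0x08,0x00, 0x02,0x00, 0x00,0x00,
    0x03,0x00,0x00,0x00, 0x00,0x00,
};

int sample_old(void)  /* old gdi32 policy: SETABORTPROC and QUERYESCSUPPORT forwarded */
{
    return count_dispatched_escapes(SAMPLE_WMF, sizeof SAMPLE_WMF, old_allowed_wmf_escape);
}

int sample_new(void)  /* patched policy: only QUERYESCSUPPORT forwarded */
{
    return count_dispatched_escapes(SAMPLE_WMF, sizeof SAMPLE_WMF, is_allowed_wmf_escape);
}

int sample_malformed(void)  /* first record claims 0x7FFF words: the walker refuses it */
{
    uint8_t bad[sizeof SAMPLE_WMF];
    memcpy(bad, SAMPLE_WMF, sizeof bad);
    bad[WMF_HEADER_BYTES] = 0xFF;
    bad[WMF_HEADER_BYTES + 1] = 0x7F;
    return count_dispatched_escapes(bad, sizeof bad, is_allowed_wmf_escape);
}

int main(void)
{
    printf("old policy forwards %d escape(s), patched policy forwards %d\n",
           sample_old(), sample_new());
    printf("oversized record -> %d\n", sample_malformed());
    return 0;
}
```

Run stand-alone it reports that the old policy forwards two of the three escapes and the patched one only one. Worth noticing while reading the listings: the patched check is a denylist of two escape codes, so every other escape in a metafile still reaches Escape() exactly as before; that is the whole of what the bindiff shows changing.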
==== cut =====
Now that the official patch is out, I feel better about wondering a few things in public.
The unofficial patch from Ilfak Guilfanov was a great service, I think.
I did not apply it. I got too paranoid, for good reason. People who should have known better did a lot of questionable things....
1. Intense, breathless coverage of how new and bad and quickly exploited a newly disclosed vector is, and how
you MUST CERTAINLY DO SOMETHING FAST, makes me careful. (Not that I am not careful otherwise, but I tend to make mistakes when rushed. Anyone else like that?)
2. When a really clever patch appears by someone I never heard of, AND it is touted as the best "must apply", I get paranoid....Especially when unregistering the Windows Picture and Fax DLL seemed so reasonable a work-around to reduce my exposure surface.
3. When I saw the source code, which works by patching a DLL at run-time based on opcode pattern matching, including WILDMAT, I started to think about how many different versions of DLLs there are and how anyone could possibly have been
sure that the sequence works only as it was documented, and not any other way, on every DLL?
It would take a lot of work to determine that, and I expect that anyone making the claim would have a paper-trail of documentation to go along with the statement of "We have reviewed it and verified it works as intended, trust us."
4. Then the originator's website gets slashdotted. Understandable, but that detaches the originator's claims of white-hatness from the mirroring sites' claims of fidelity to the originator's code.
5. I'm offered an MD5 from the SAME distributing site (SANS ISC) that serves the patch installer.
Sorry, that's SOOO unprofessional, both because it is an MD5 which is a mickey mouse hash, it's 2005 you know, and because you can't trust an MD5 from the same site as you get the package.
The fact that "professionals" were asking me to accept both of those fallacies condemns their choice of methods, even if their intents were honest and good.
6. OK, I don't have to trust MD5, because there is a detached PGP sig! The problem is it is using a group-owned key, a key which is not in the MIT keyserver, even though previous versions of the SANS ISC key are.
(NOTE: the MIT key server has the 0x9C0EC441 key now, but it did not when I looked before.)
The OLD (0x9B0E6F13) AND NEW isc@sans.org keys on the mit keyserver have NO external signatures (as reported by the MIT key server.) (All the signatures are also @sans.org.)
I'm way paranoid now. Knowing how small my exposure surface is after unregistering the DLL, I'll wait a week, which wasn't a week anyway.
OK, a few simple things I expect Security Professionals to do better next time, and they are easy and simple.
1 - MD5 collisions are easy to generate now. Don't offer them as assurance of integrity. They aren't, so it makes you look foolish. SHA-1 is probably also not a good choice.
2 - Use trustable keys.
If you want to sign with a group key, sign with your personal keys too. Sign with previous versions of unrevoked keys if possible.
Use a key available on a public key server. Sign new keys with previous keys (at least SANS ISC did do that.)
Something offered to however many Windows users, signed with 1024-bit keys? What's wrong with larger keys for something so important?
(Probably some other key management things here too, since that isn't my area of expertise.)
3 - If you make statements like "we verified the patch does what it is supposed to" then PGP sign the notes you made when doing the analysis, and publish the notes along with your statement of "trust us."
Then the community can verify your statement and thoroughness.
Other than that, Way to go Team. I felt pretty in control of my options on this one, and got enough information from BugTraq to ignore the breathless main stream media coverage and do something safe and sane.
Forrest J Cavalier III
Mib Software
==== cut ====
Forest Laurentziu Clever the Fourth.
so a guy called Ilfak Guilfanov comes along and says .. boys, fuck those people at Microsoft, you want a patch .. here, have one on daddy. From Russia with love. the thing is that Ilfak, who is a programmer by trade and has a maths degree from Moscow, figured out for himself where the parity bit sits in Microsoft's files and fixed the problem. practically speaking, his solution existed first and Microsoft's came after. evil tongues say the two look very much alike.
until yesterday Microsoft's solution was to remove the display function from the system; Ilfak's solution was to fix the broken library.
let's think about who won on points? and Ilfak's solution was confirmed by all the major antivirus vendors and a few security experts as being OK - "it works"
microsoft managed to make a right mess of it... like idiots they let a fix loose on the net through an "unofficial" channel
and to put the cherry on the funeral cake, last night they published on windowsupdate.microsoft.com a fix that only covers windows xp, 2000 and 2003. not windows 98, 95, ME .. nor the first affected version of windows, 3.0
now this little prick Forest Laurentziu Clever the Fourth comes along and says that he would never in his life have applied Ilfak's solution because of stupid reasons x and y as far as the eye can see. well my dear, I'll shove my dick in you until you've got nowhere left to breathe through - you and your programmer friends at Microsoft, who took 9 days to come up with a solution and were getting ready to "laze around" for another 4 if people hadn't jumped on their heads?
===== copyrights
the expression "I'll shove my dick in you until you've got no hole left to breathe through" is mine; it was born of my frustrations and popped up during a period of stress. treat it accordingly. thanks to the people who make me swear and invent new expressions, thereby contributing new values to the universal heritage (the non-nationalised part)
Today our company is arranging a costume ball.
Look, there's Alex from the QC department with a wolf mask.
Following him there's Vasja from sales with a mask of a bear.
Over there there's Tanja from human resources with a mask of a fox, and, at the back, you can see our network administrator with a mask of 255.255.255.0...
all the data, names, addresses and phone numbers below are fictitious.
any resemblance to reality does not exist. thanks to andrej.
===== cut =====
My dear Maria,
I know the psychologist told me I shouldn't get in touch with you anymore, so that I can forget you faster, but I can't hold out any longer. The day you left me I swore I would never speak to you again. But that was just my wounded ego talking. I didn't want to be the one to give in and make peace. In my fantasies it was always you who came back to me with your tail between your legs. I think my pride desperately needed that. But now I see that pride has cost me a great many things. I'm tired of pretending I don't miss you. I no longer care that I'll be taken for a fool. I no longer care who makes the first move toward reconciliation as long as one of us does. Maybe it's time to let the heart speak, and not the brain. Because my heart says: "There is no one like you, Maria"
I look for you in the eyes and breasts of every woman I meet, but they aren't you. Not even close.
Two weeks ago I met a girl in a club and brought her home. I'm not telling you this to hurt you, but to show you my desperation. She was young, probably 19 or 20, with the kind of perfect body that only youth and probably ten years of dance classes can give. I mean, simply a perfect body. Breasts like you don't see even at fashion shows and a round behind worth killing for. Every man's dream, right? But while I sat on the couch and she was giving me the perfect blowjob, I thought about this thing that is so important in life. Had I become so shallow? So what if she has a perfect body? Does it make her better in bed? Well, in her case yes, but that's not what matters. Does it make her a better person? Does she have a better soul than you, who no longer have the firmness you once had? I doubt it. And I had never thought about that until then. That means I've matured a bit, hasn't it? After I served her a portion of man-yoghurt, I caught myself thinking, "why do I feel so empty inside?". It wasn't just her perfect oral technique, it was something else. And then I had a revelation. It wasn't the same because you weren't there. Do you know what that means? Nothing is the same without you. God, Maria, I'm going crazy without you. And everything I do reminds me of you.
Do you remember Angela, our neighbour from the third floor who is raising her child alone? She came by last week with a pot of roast. She said you could tell I'm not eating properly now that there's no woman in the house. I realised what she meant after dinner, but that's not what I wanted to tell you. Anyway, we drank a few glasses of wine and found ourselves going at it like rabbits in our old bedroom, which is still waiting for you. And I want to tell you that this woman knows what she wants, like any married woman who has no hang-ups about how she looks, about her career or about whether the kids can hear us. And suddenly she noticed that big standing mirror you inherited from your grandmother. She set it on the carpet so we could watch ourselves while I took her from behind. That turned me on terribly, but I couldn't help feeling sad at the thought that in 14 years of living together it never once crossed your mind to use that mirror as a sex accessory.
On Saturday your sister Carmen came by to drop off a copy of the divorce decree. I know she doesn't have much life experience, but you should know that for her age she is very mature and has been a steadfast friend to me all this time. She has given me a great deal of good advice about you and about women in general. She has tried, and keeps trying her hardest, to reconcile us. So there we were in the jacuzzi, with a glass of champagne, nostalgically remembering happier times. She has the same blood as you, and I couldn't help noticing how much she looks like you did when I met you and you were 18. That made me cry (there's something I would never have admitted before). Carmen tried to console me and on that occasion I discovered that she is keen on anal sex, which made me think of how many times we fought when I asked you for the same thing, fights that probably hastened our break-up. But you see, even when I was giving it to your sister up the back, I was thinking only of you.
Deep in your heart you must feel the same. Don't you think we could start all over again? Wipe the slate clean of all our troubles and set off on the right foot into a new and happy relationship. I believe we can. If you feel the same, please let me know.
If not, at least give me a call and tell me where the hell you hid the remote control.
Yours,
George
===== cut =====