Steve Bass's Tips & Tweaks
Fixes for the trickiest high-tech hassles.

Follow-up: Microsoft's Hotfix/WMF vulnerability

Posted by Steve Bass | Wednesday, January 18, 2006 12:22 PM PT

The WMF Short Story
If you don't need all the details below, here's the quick and dirty message: Steve Gibson wrote Knock Knock, a little tool that checks whether your PC has a working patch for the Windows WMF vulnerability.

Knock Knock (Who's There?)
Many of you installed the patch mentioned by Steve Gibson, and you don't need to uninstall it. The two patches coexist smoothly. And by now your XP system should have the official Microsoft WMF vulnerability hotfix.

You can check to see if you're protected by using Steve's GRC WMF vulnerability tester. (Gibson gleefully named the program "Knock Knock" since this was a backdoor, deliberate or not.)

Mr. Gibson says that anyone can use the tester to make sure their various WMF patches -- from wherever -- are working.

BTW, in my previous blog, I might have implied that Steve wrote the patch. He didn't -- he was endorsing it and hosting its download at the time because the author's site had been taken down due to overuse. The patch was written by Ilfak Guilfanov, a well-known developer. Steve G. also reviewed the source code so that he could assure people it was safe.

Uninstall Insistence
You don't have to do it, but if you insist, just open the Windows Control Panel "Add/Remove Programs," where you will find the "Windows WMF Metafile Vulnerability HotFix" listed. Remove it, then reboot.

Windows WMF Patch Sites
Some of you are fastidious -- dare I say obsessed -- PC users and want all the details.

You can manually check whether you have the official Microsoft patch by going to Start, Help and Support, Keep your computer up-to-date with Windows Update, Review your Update History, and then seeing whether "Security Update for Windows XP (KB912919)" is listed. If it's not, head for Microsoft's Updates site.

You can also get all of January's security updates if you're so inclined.
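If you would rather script the check than click through Update History, here is an added example (not from the original post, and not Gibson's or Microsoft's code) that reports whether the official KB912919 update and/or Guilfanov's unofficial hotfix are present. It assumes PowerShell 2.0 or later with the Get-HotFix cmdlet, and matches the unofficial patch by the Add/Remove Programs name quoted above.

```powershell
# Added example: report WMF patch status on a Windows machine.
# Assumes Get-HotFix is available (PowerShell 2.0+) and that the
# unofficial hotfix registered itself in Add/Remove Programs under
# the name "Windows WMF Metafile Vulnerability HotFix".

function Get-WmfPatchStatus {
    # Official Microsoft fix: Get-HotFix returns nothing (with a
    # non-terminating error) when the KB is not installed.
    $official = Get-HotFix -Id 'KB912919' -ErrorAction SilentlyContinue

    # Add/Remove Programs entries live under these Uninstall keys
    # (the Wow6432Node key only exists on 64-bit Windows).
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    )
    $unofficial = $uninstallKeys |
        Where-Object { Test-Path $_ } |
        ForEach-Object { Get-ChildItem $_ } |
        ForEach-Object { Get-ItemProperty $_.PSPath } |
        Where-Object { $_.DisplayName -like '*WMF Metafile Vulnerability HotFix*' }

    New-Object PSObject -Property @{
        OfficialKB912919  = [bool]$official
        OfficialInstalled = if ($official) { $official.InstalledOn } else { $null }
        UnofficialHotFix  = [bool]$unofficial
    }
}

$status = Get-WmfPatchStatus
$status | Format-List

if (-not $status.OfficialKB912919) {
    Write-Warning 'KB912919 is not listed; get it from Windows Update.'
}
if ($status.UnofficialHotFix) {
    Write-Host 'Unofficial hotfix present; it can stay, or be removed via Add/Remove Programs.'
}
```

Run it from an elevated PowerShell prompt so the Uninstall registry keys and Win32_QuickFixEngineering data are readable.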

Kill Some Time
Woof. Says it all.

[Image: woof.jpg]


Comments (4)

I think it's quite a mouthful to imply Gibson has the skills to review Ilfak's code.

Sune
January 18, 2006
5:30 PM PT

Steve,

I have been reading your column for 3 or 4 years and must say that it's my favourite of the PC World offerings.
Keep up the good work.

moe

-----------------------------------
moe is in the garage
http://spaces.msn.com/members/MOES-GARAGE/

the real moefuzz
January 18, 2006
5:32 PM PT

The URL no longer works. I think we'll soon see a case of the 'tail between legs syndrome'. Also, who needed to see if they needed the patch? They didn't remember if they got it? And they couldn't just visit the MS page to see if they needed it?

I think I'll go back to the office and write a new Windows program. It's going to tell you if you're running Windows.

Harry Tayle
January 19, 2006
12:27 AM PT

Even I am amazed at the lack of responsibility of these two characters Gibson and Laporte.

If you read their transcript 21 with Guilfanov you see clearly that 1) Guilfanov knows what he is talking about and tells you when he doesn't know something; and 2) Gibson and Laporte do not know what they are talking about, pretend they know everything (more than Guilfanov - which would be ridiculous), preferring to position themselves, for fun and profit, as the helpers of the little man on the Internet.

But when Guilfanov signs off in Liege, something interesting happens. Up to this point there has been little of the usual 'stir the pot' speculation. Suddenly with Guilfanov off the line it picks up grandiosely.

Especially interesting is how they try to fan the flames of what this callback can do - and in so doing they show once and for all that they do not know a thing about Windows. All they can do is bellow hot air.

The online documentation for SetAbortProc is easy to find. Just put it into Google and you will be there in a matter of seconds. SetAbortProc is not as Gibson and Laporte describe -- as neither is a real Windows programmer, they wouldn't know this, so they just speculate. Irresponsibly. And stir the pot. Intentionally.

SetAbortProc serves one purpose. It's exploited when the WMF flaw is exploited. It's not as easy as Gibson and Laporte think. Few things are as easy as they think. SetAbortProc runs namely the cancel dialog for printouts. And it's not legacy code - it's used even today, unless Gibson and Laporte know something no one else knows, namely that no one prints things out anymore.

Yes, SetAbortProc comes from Windows 3.0, but it was ported well and successfully to Win32 (Windows NT). There is nothing wrong with that. And ordinarily it will be disregarded when metafiles are drawn to a screen. What happened with the exploit was that there was a way to get a rogue address in there during a data transfer operation. It's blocked on 9x but gets through on NTx.

As per usual, Gibson does not know what he is talking about, Laporte just emcees him, and you reporters just suck it up.

You should all be ashamed. Especially you, Steve: we thought you knew better. A LOT better.

Kavli
January 19, 2006
3:58 PM PT