MouseTrap: Does Your Computer have MICE?


Clif Notes

Hi all,

One of my articles was recently published at infopacket.com. Here it is...

------
You may have recently heard about the Windows Metafile vulnerability.
Steve Gibson at GRC.com has written the definitive tool to detect if
your system is still at risk. He calls this vulnerability "Metafile
Image Code Execution" or "MICE" and he calls his detection tool,
"MouseTrap".

Do you still have MICE? Most of you are already protected by a Windows
Update. Even so, I recommend you download and run MouseTrap to be
certain that your computer doesn't have MICE. If the MouseTrap shows
you do have MICE, Steve's article on the WMF page contains tips on how
to get rid of your little rodents.

GRC Mousetrap - 29k - all Windows versions - $0.00
http://www.grc.com/wmf/wmf.htm
 

B. R. 'BeAr' Ederson

You may have recently heard about the Windows Metafile vulnerability.
Steve Gibson at GRC.com has written the definitive tool to detect if
your system is still at risk.

I wouldn't call it the 'definite tool'. As Art already pointed out
a couple of days ago: There's at least one other tool. The author
of the IDA disassembler Ilfak Guilfanov not only provided a patch,
but also has a program to check for the vulnerability:

www.hexblog.com/2006/01/wmf_vulnerability_checker.html

I'd prefer Ilfak's for several reasons. First, Ilfak provided
his tool with source code, so it is easier to check what it
really does. Second, Ilfak's tester doesn't tell you that you're safe
(as Steve Gibson's program does) but states:

| Your system seems to be invulnerable to the WMF exploit.
|
| Please note that this program tries only one WMF exploit.
| In theory other vulnerabilities and exploits are possible,
| so stay vigilant and update your systems frequently!

Note: Ilfak didn't even *try* to suggest his tool would be a
'definitive' (= ultimate) one for the WMF vulnerability. That's
much more precise and honest regarding the subject, IMHO.

The last reason comes from the somewhat bad reputation of Steve
Gibson. When he brings up a topic, it is usually worth further
investigation. Unfortunately, he often has serious flaws in
his analyses. You see articles changing a bit from day to day
until the last revision seems like some kind of 180-degree version of
the first.

Btw, if someone wants to have a look inside *.wmf files:
Piet Jonas provides a program called WMF2Viewer on his website.
It has a Diagnosis menu which shows the header structure, a
list of commands and parsing errors for *.wmf files:

http://piet.jonas.com/WMF2Viewer/WMF2Viewer.html

The program needs a Java 1.2 runtime environment. It is payware
for commercial use. Judging from the wording Piet uses in
readme.txt and on his website, I'd say WMF2Viewer is free for
personal (private) use. Someone who wants to use the program on
a regular basis at home should ask Piet, though. (IMHO.)

BeAr
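A small diagnostic of the kind BeAr describes WMF2Viewer's Diagnosis menu providing (header fields, the record list, parsing errors), as an added Python example that is not part of this thread or of WMF2Viewer. The record-name subset and the sample file are constructed for the example; the ESCAPE and SETABORTPROC numbers are the ones defined by the WMF format.

```python
import struct

PLACEABLE_KEY = 0x9AC6CDD7   # key of the optional 22-byte placeable header
META_EOF, META_ESCAPE = 0x0000, 0x0626
SETABORTPROC = 9             # printer-only escape; has no business in an image
# Subset of WMF record function numbers, just for readable output
RECORD_NAMES = {0x0000: "EOF", 0x0626: "ESCAPE", 0x0201: "SETBKCOLOR",
                0x020B: "SETWINDOWORG", 0x020C: "SETWINDOWEXT",
                0x041B: "RECTANGLE", 0x0B41: "DIBSTRETCHBLT"}


def parse_wmf(data: bytes):
    """Return (header, records, findings): header fields, the record chain
    as a viewer would walk it, and structural problems or suspicious escapes."""
    header, records, findings = {}, [], []
    start = 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        start = 22
    header["placeable"] = start == 22
    if len(data) < start + 18:
        findings.append("truncated standard header")
        return header, records, findings
    ftype, hsize, ver, fsize, nobj, maxrec, _ = struct.unpack_from(
        "<HHHIHIH", data, start)
    header.update(type=ftype, header_size=hsize, version=ver,
                  file_size_words=fsize, objects=nobj, max_record_words=maxrec)
    if fsize * 2 != len(data) - start:
        findings.append(f"header says {fsize * 2} bytes, got {len(data) - start}")
    off = start + 18
    while off < len(data):
        if off + 6 > len(data):
            findings.append(f"truncated record header at offset {off}")
            break
        size_words, func = struct.unpack_from("<IH", data, off)
        nbytes = size_words * 2
        if size_words < 3 or off + nbytes > len(data):
            findings.append(f"bad record size {size_words} words at offset {off}")
            break
        rec = {"offset": off, "function": func,
               "name": RECORD_NAMES.get(func, f"0x{func:04X}")}
        if func == META_ESCAPE and nbytes >= 8:
            rec["escape"] = struct.unpack_from("<H", data, off + 6)[0]
            if rec["escape"] == SETABORTPROC:
                findings.append(f"SETABORTPROC escape at offset {off}")
        records.append(rec)
        off += nbytes
        if func == META_EOF:
            break
    else:
        findings.append("no EOF record")
    return header, records, findings


def build_sample_wmf(with_escape: bool) -> bytes:
    """Constructed sample (not a real file): SETWINDOWEXT, optional ESCAPE, EOF."""
    body = struct.pack("<IHhh", 5, 0x020C, 100, 100)                # 5 words
    if with_escape:
        body += struct.pack("<IHHH", 5, META_ESCAPE, SETABORTPROC, 0)
    body += struct.pack("<IH", 3, META_EOF)                         # 3 words
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, 5, 0)
    return header + body
```

Running `parse_wmf` over a real file gives the same three views the Diagnosis menu does; a finding does not by itself mean the file is malicious, only that it deserves a closer look.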
 

Craig

B. R. 'BeAr' Ederson said:
I wouldn't call it the 'definite tool'. As Art already pointed out
a couple of days ago: There's at least one other tool. The author
of the IDA disassembler Ilfak Guilfanov not only provided a patch,
but also has a program to check for the vulnerability:

www.hexblog.com/2006/01/wmf_vulnerability_checker.html

I'd prefer Ilfak's for several reasons. First, Ilfak provided
his tool with source code, so it is easier to check what it
really does. Second, Ilfak's tester doesn't tell you that you're safe
(as Steve Gibson's program does) but states:

| Your system seems to be invulnerable to the WMF exploit.
|
| Please note that this program tries only one WMF exploit.
| In theory other vulnerabilities and exploits are possible,
| so stay vigilant and update your systems frequently!

Note: Ilfak didn't even *try* to suggest his tool would be a
'definitive' (= ultimate) one for the WMF vulnerability. That's
much more precise and honest regarding the subject, IMHO.

The last reason comes from the somewhat bad reputation of Steve
Gibson.

Steve Gibson's work has been suspect for years. It seems to lean more
on F.U.D. than science. Now, his latest assertion is that the WMF
vulnerability is actually an MS-designed backdoor.

Bunk, bogus, etc...

http://www.theregister.co.uk/2006/01/21/wmf_fud_from_grc/

-Craig
 

Susan Bugher

Craig said:
Steve Gibson's work has been suspect for years. It seems to lean more
on F.U.D. than science. Now, his latest assertion is that the WMF
vulnerability is actually an MS-designed backdoor.

Bunk, bogus, etc...

http://www.theregister.co.uk/2006/01/21/wmf_fud_from_grc/

Mark Russinovich has some interesting things to say about this:
http://www.sysinternals.com/Blog/

Susan
--
Posted to alt.comp.freeware
Search alt.comp.freeware (or read it online):
http://www.google.com/advanced_group_search?q=+group:alt.comp.freeware
Pricelessware & ACF: http://www.pricelesswarehome.org
Pricelessware: http://www.pricelessware.org (not maintained)
 

jacaranda

Mark Russinovich has some interesting things to say about this:
http://www.sysinternals.com/Blog/

My question: Gibson says that contrary to other people's claims, Win98 is
not vulnerable. I downloaded a patch for Win98 that was posted here.
Does anyone know whether or not that was unnecessary? I'd like to
uninstall if I could, since after installing, I've been getting system
errors when coming out of hibernation mode. (It also could be associated
with something else, but it happened the day after I "patched" my system.)
 

Art

My question: Gibson says that contrary to other people's claims, Win98 is
not vulnerable.

What other people? The only "experts" I know of who are claiming some
sort of (potential) vulnerability with the older versions of Windows
work for MS.
I downloaded a patch for Win98 that was posted here.

That was probably Paolo Monti's (Nod32) patch:

http://www.nod32.ch/en/download/tools.php
Does anyone know whether or not that was unnecessary?

Looks to me like covering legacy Windows versions was a marketing
gimmick by NOD32. I have no idea whether or not it does any
good on those older systems.
I'd like to
uninstall if I could, since after installing, I've been getting system
errors when coming out of hibernation mode. (It also could be associated
with something else, but it happened the day after I "patched" my system.)

Uninstall it to see if the problem goes away. But otherwise, I doubt
if there's any harm in leaving it installed. I had installed it on my
Win ME PC without any ill effects, and I see no reason to get rid of
it.

Art

http://home.epix.net/~artnpeg
 

Clif Notes

B. R. 'BeAr' Ederson said:
I wouldn't call it the 'definite tool'. As Art already pointed out
a couple of days ago: There's at least one other tool. The author
of the IDA disassembler Ilfak Guilfanov not only provided a patch,
but also has a program to check for the vulnerability:

www.hexblog.com/2006/01/wmf_vulnerability_checker.html

I'd prefer Ilfak's for several reasons. First, Ilfak provided
his tool with source code, so it is easier to check what it
really does. Second, Ilfak's tester doesn't tell you that you're safe
(as Steve Gibson's program does) but states:

| Your system seems to be invulnerable to the WMF exploit.
|
| Please note that this program tries only one WMF exploit.
| In theory other vulnerabilities and exploits are possible,
| so stay vigilant and update your systems frequently!

Note: Ilfak didn't even *try* to suggest his tool would be a
'definitive' (= ultimate) one for the WMF vulnerability. That's
much more precise and honest regarding the subject, IMHO.

The last reason comes from the somewhat bad reputation of Steve
Gibson. When he brings up a topic, it is usually worth further
investigation. Unfortunately, he often has serious flaws in
his analyses. You see articles changing a bit from day to day
until the last revision seems like some kind of 180-degree version of
the first.

Btw, if someone wants to have a look inside *.wmf files:
Piet Jonas provides a program called WMF2Viewer on his website.
It has a Diagnosis menu which shows the header structure, a
list of commands and parsing errors for *.wmf files:

http://piet.jonas.com/WMF2Viewer/WMF2Viewer.html

The program needs a Java 1.2 runtime environment. It is payware
for commercial use. Judging from the wording Piet uses in
readme.txt and on his website, I'd say WMF2Viewer is free for
personal (private) use. Someone who wants to use the program on
a regular basis at home should ask Piet, though. (IMHO.)

BeAr

Hi BeAr,

Thanks, you have some fine points there.
I wouldn't call it the 'definite tool'. As Art already pointed out

I call it definitive for ease of use. My audience is mainly
inexperienced users. I haven't tried Ilfak's tools but I suspect they
would only confuse most of my readers.

You've made a good argument against my use of the word definitive. I
may change it to "very good".
The last reason comes from the somewhat bad reputation of Steve
Gibson. When he brings up a topic, it is usually worth further

Easy to be an "arm chair quarterback". I'd guess he knows more about
this stuff than anyone in ACF. So he makes an occasional mistake? Big
deal. He's done enough already to help all of us with security issues.
He could retire from all of this right now and have done far more for
bringing internet security to the uninformed masses than 99.9% of the
programmers out there.

Case in point:
Have you ever recommended his ShieldsUp or used it yourself?

I saw someone in this thread mention his "theory" that this is a
backdoor? As far as I can see, if it looks like a backdoor, walks like
a backdoor and talks like a backdoor, it is a backdoor. I have heard
that Mark R. never contradicted that statement. He just says it doesn't
appear to have been done with malicious intent.

If you guys want to say bad things about him, I'll just have to cover
my ears. LOL

Have fun!

Clif @ http://clifnotes.tk
 

CharlieDontSurf

Easy to be an "arm chair quarterback". I'd guess he knows more about
this stuff than anyone in ACF. So he makes an occasional mistake? Big
deal. He's done enough already to help all of us with security issues.
He could retire from all of this right now and have done far more for
bringing internet security to the uninformed masses than 99.9% of the
programmers out there.

Uh-oh, somebody's starstruck. Gibson's a self-aggrandizing huckster.
Always has been. His breathless jargon-laden "security" missives have
been reeling them in for years.
Case in point:
Have you ever recommended his ShieldsUp or used it yourself?

Yes, I've been *nano-probed*. Lol. Long ago.
I saw someone in this thread mention his "theory" that this is a
backdoor? As far as I can see, if it looks like a backdoor, walks like
a backdoor and talks like a backdoor, it is a backdoor. I have heard
that Mark R. never contradicted that statement. He just says it doesn't
appear to have been done with malicious intent.

No, Mark R says he's convinced it's not a backdoor. He's far from alone.
 

Art

I wouldn't call it the 'definite tool'. As Art already pointed out
a couple of days ago: There's at least one other tool. The author
of the IDA disassembler Ilfak Guilfanov not only provided a patch,
but also has a program to check for the vulnerability:

www.hexblog.com/2006/01/wmf_vulnerability_checker.html

I'd prefer Ilfak's for several reasons. First, Ilfak provided
his tool with source code, so it is easier to check what it
really does. Second, Ilfak's tester doesn't tell you that you're safe
(as Steve Gibson's program does) but states:

| Your system seems to be invulnerable to the WMF exploit.
|
| Please note that this program tries only one WMF exploit.
| In theory other vulnerabilities and exploits are possible,
| so stay vigilant and update your systems frequently!

Note: Ilfak didn't even *try* to suggest his tool would be a
'definitive' (= ultimate) one for the WMF vulnerability. That's
much more precise and honest regarding the subject, IMHO.

The last reason comes from the somewhat bad reputation of Steve
Gibson. When he brings up a topic, it is usually worth further
investigation. Unfortunately, he often has serious flaws in
his analyses. You see articles changing a bit from day to day
until the last revision seems like some kind of 180-degree version of
the first.

To hopefully add a bit of clarification:

I know for a fact that Ilfak didn't address the vulnerability
questions concerning older Windows versions such as '98 and
'ME. I was in communication with him right after the first of the
year when he was refining his fix and needed sample GDI files
of various versions that exist for Win 2K in particular.

His WMF vulnerability checker was limited for use with only certain
of the NT-based systems, and it's not clear whether or not
it's worthwhile for NT4 ... or even for Vista. He was focussed
strictly on a temporary fix that could be used on many Win 2K and XP
systems out there until MS released a patch. Ilfak strongly
recommended that as soon as MS released a patch, his temp fix should
be removed and the MS patch installed instead.

To Steve's credit, he gave of his time to help Ilfak and promote
Ilfak's temp fix which was a very GOOD thing. Personally, I take
Steve's style with a grain of salt, and I don't like the "Gibson
bashing" that some seem to think is so kewl. Yet, questions remain
concerning the potential WMF vulnerabilities of legacy Windows systems,
since Steve's assertion they are not vulnerable is hardly "definitive"
and the last word on the subject :)

Art

http://home.epix.net/~artnpeg
 

B. R. 'BeAr' Ederson

I haven't tried Ilfaks tools but I suspect they would only confuse
most of my readers.

I don't think so. Direct execution, clear message windows.
Easy to be an "arm chair quarterback". I'd guess he knows more about
this stuff than anyone in ACF. So he makes an occasional mistake? Big
deal. He's done enough already to help all of us with security issues.
He could retire from all of this right now and have done far more for
bringing internet security to the uninformed masses than 99.9% of the
programmers out there.

It is not worth pursuing this further. There are Gibson believers
and those who hate him. And there are some who just don't care. I'm
one of the last group. I don't use his tools and would check them
with a disassembler and/or debugger if I ever had to rely on one.
But that's a practice I always use on tools where sincere doubts
about their security status are expressed somewhere. (And which I
want to use *by all means*, which is *rarely* the case.)

I very seldom check Steve Gibsons pages. He always makes sure to
spread his opinions. So it doesn't take long to read the whole story
elsewhere and get a detailed counter-analysis (if someone thinks it
necessary) at the same time. (It is very likely to get contradicting
opinions on Steve Gibsons texts as some people quickly jump onto
everything he publishes...)
Case in point:
Have you ever recommended his ShieldsUp or used it yourself?

No. I use very special hand-crafted ;-) security setups for my
computer systems and test them from other computers, myself. I
sometimes have a look into some simple browser test sites. (And
the like.) These are the ones I recommend. They need to be clean
and simple and must not be overloaded with buzzwords and fear
causing statements. I never got the feeling it would be wise
to include ShieldsUp.

Same goes with SpinRite. If simple tools don't work on a drive
I do data recovery with a hex editor. If you know enough about
the structure of file systems, then it is just a kind of bee
work and patience. And you're sure that your data won't be
destroyed by a tool proving faulty at the least suitable
moment. Remember: I don't judge SpinRite. I never felt
the urge to test it.
I saw someone in this thread mention his "theory" that this is a
backdoor? As far as I can see, if it looks like a backdoor, walks like
a backdoor and talks like a backdoor, it is a backdoor. I have heard
that Mark R. never contradicted that statement. He just says it doesn't
appear to have been done with malicious intent.

Mark said it is unlikely to be an *intentionally* placed backdoor.
From that point on it is a question of definition. If you call a
security hole which enables a break-in a backdoor, then it is one.
Usually, this term is reserved for the intended mechanisms, though.
Most security flaws would be a backdoor by the broader definition...

BeAr
 

jacaranda

Uninstall it to see if the problem goes away. But otherwise, I doubt
if there's any harm in leaving it installed. I had installed it on my
Win ME PC without any ill effects, and I see no reason to get rid of
it.

Well I don't want to uninstall it if Win98 is actually vulnerable. :D

That's why I'm hoping some of the experts here will step in and advise.
I'd rather get rid of the Win98 patch, but will keep it until people tell
me it's safe to get rid of.
 

Clif Notes

CharlieDontSurf said:
Uh-oh, somebody's starstruck. Gibson's a self-aggrandizing huckster.
Always has been. His breathless jargon-laden "security" missives have
been reeling them in for years.

Ahhhhrrrgggg! You caught me out. Yep, I'm a Gibson fan since the late
90's. I think I like him because I'm a self-aggrandizing huckster
myself. LOL

I listen to Leo Laporte and Steve Gibson's "Security Now" podcast all
the time.
<http://www.grc.com/securitynow.htm>

Hmmm, I've always liked Leo too, ever since he was on ZdTV. Leo's fun
to listen to.
No, Mark R says he's convinced it's not a backdoor. He's far from alone.

Well Charlie, he doesn't say that.

Quote from Mark R: "and given a choice of believing there was malicious
intent or poor design behind this implementation, I'll pick poor
design"

Mark's not paranoid enough in this case. I'm tempted to believe that
there are many undocumented "back doors" into Windows. By "back door"
in this case, I mean vulnerabilities in code that allow an unauthorized
outsider in. Sure, that's a wide definition, but it's still accurate.
If I was designing a backdoor into Windows, I'd try to make it look
like it could have been accidental. Deniable plausibility. Ever heard
of that?

Quote from Mark R: "The bottom line is that I'm convinced that this
behavior, while intentional, is not a secret backdoor."

See, he doesn't deny that it could be a backdoor. He even states that
it was "intentional". He only states he doesn't think it was used as a
"secret backdoor". Okay, it's not a secret backdoor anymore, but it's
still a backdoor by my definition.

My bottom line? Gibson was right. It's a backdoor. Was it ever used as
a secret or malicious backdoor by MS or the NSA? Even Russinovich can
only offer an opinion on that and he could be right. Who knows? Would
you believe what Microsoft tells us? Deniable plausibility.

Have fun!

Clif @ http://clifnotes.tk
Devoted to promoting Freeware and Free Information
 

Al Klein

I saw someone in this thread mention his "theory" that this is a
backdoor? As far as I can see, if it looks like a backdoor, walks like
a backdoor and talks like a backdoor, it is a backdoor. I have heard
that Mark R. never contradicted that statement. He just says it doesn't
appear to have been done with malicious intent.

And Mark's analysis has its own hole. Knowing what I know about Mark,
and knowing what I know about Steve, I'd accept Steve's analysis if I
couldn't analyze it myself. Nothing against Mark, I just have more
faith in Steve.
 

»Q«

And Mark's analysis has its own hole. Knowing what I know about
Mark, and knowing what I know about Steve, I'd accept Steve's
analysis if I couldn't analyze it myself. Nothing against Mark, I
just have more faith in Steve.

I followed most of the ongoing analysis in the grc groups for the
last couple of weeks, though I can't claim to have a grip on all the
technical details. Eventually[1] I believe everyone who looked at
the phenomenon came to the same conclusion about what it actually
does, though they disagree about why. And without access to the
Windows source code or access to the people who wrote it, questions
about why it behaves in the strange way it does are all matters of
speculation. Here's one more take on it, from John Graham-Cumming,
who helped and got help from Gibson in taking things apart:
<http://www.jgc.org/blog/2006/01/wmf-setabortproc-problem-is-not.html>

[1] I say "eventually" because IMO the can of worms should not have
been opened in public before Gibson spent some more time analyzing
things /and/ asking other people to do so. His initial podcast did
have caveats sprinkled throughout, but once the words "intentional"
and "backdoor" have been uttered, there's bound to be more heat than
light for a while.
 
