Did Microsoft pull an Ilfak? Microsoft’s patch under a magnifying glass

So, Microsoft released a patch ahead of schedule. We can only applaud that.

But what does that patch do?
Exactly what Ilfak Guilfanov’s patch did, only he built it in a few hours (plus some testing).

Microsoft disallowed SETABORT. Same as Ilfak’s… rearranged a bit. See for yourselves below. If that is the best solution, we see no harm in that either. It just seems that MS06-001 is Ilfak’s patch in a prettier outfit.

We understand the need for extensive testing, so the time differential in this case can be accepted. And yet…
The new patch was released today. After patching, the new gdi32.dll is dated to the 28th of December. What’s the date today?

What’s that all about? It makes you wonder, doesn’t it?

Well, why don’t you see for yourselves? Here is what Microsoft did, as bindiff shows.

Old GDI32 has the bug here:

.text:77F24914                 movzx   eax, word ptr [ebx+6]
.text:77F24918                 cmp     eax, 0Fh
.text:77F2491B                 jz      loc_77F25067    ; default
.text:77F24921                 push    0               ; LPVOID
.text:77F24923                 lea     ecx, [ebx+0Ah]
.text:77F24926                 push    ecx             ; LPCSTR
.text:77F24927                 movzx   ecx, word ptr [ebx+8]
.text:77F2492B                 push    ecx             ; int
.text:77F2492C                 push    eax             ; int
.text:77F2492D                 push    dword ptr [ebp-7Ch] ; HDC
.text:77F24930                 call    Escape
.text:77F24935                 jmp     loc_77F23F23

The patched GDI32.DLL contains this code instead:

.text:77F24914                 movzx   ecx, word ptr [ebx+6]
.text:77F24918                 push    ecx
.text:77F24919                 call    _IsAllowedWmfEscape@4 ; IsAllowedWmfEscape(x)
.text:77F2491E                 test    eax, eax
.text:77F24920                 jz      loc_77F2506C    ; default
.text:77F24926                 push    0               ; LPVOID
.text:77F24928                 lea     eax, [ebx+0Ah]
.text:77F2492B                 push    eax             ; LPCSTR
.text:77F2492C                 movzx   eax, word ptr [ebx+8]
.text:77F24930                 push    eax             ; int
.text:77F24931                 push    ecx             ; int
.text:77F24932                 push    [ebp+var_7C]    ; HDC
.text:77F24935                 call    _Escape@20      ; Escape(x,x,x,x,x)
.text:77F2493A                 jmp     loc_77F23F23

… and the new function itself:

.text:77F42D66 ; __stdcall IsAllowedWmfEscape(x)
.text:77F42D66 _IsAllowedWmfEscape@4 proc near         ; CODE XREF: PlayMetaFileRecord(x,x,x,x)+ACD
.text:77F42D66 arg_0           = dword ptr  8
.text:77F42D66                 mov     edi, edi
.text:77F42D68                 push    ebp
.text:77F42D69                 mov     ebp, esp
.text:77F42D6B                 xor     eax, eax
.text:77F42D6D                 cmp     [ebp+arg_0], 9
.text:77F42D71                 jz      short loc_77F42D7A
.text:77F42D73                 cmp     [ebp+arg_0], 0Fh
.text:77F42D77                 jz      short loc_77F42D7A
.text:77F42D79                 inc     eax
.text:77F42D7A loc_77F42D7A:                           ; CODE XREF: IsAllowedWmfEscape(x)+B
.text:77F42D7A                                         ; IsAllowedWmfEscape(x)+11
.text:77F42D7A                 pop     ebp
.text:77F42D7B                 retn    4
.text:77F42D7B _IsAllowedWmfEscape@4 endp

(got anything to tell Ren&Stimpy? Email us: rennstimpy@securiteam.com)

  • Susan

    The file for Windows 2003 is dated 12/30.

  • Pingback: DivisionByZero WebLog»Blog Archive » MS06-001 update voo WMF bug

  • Pingback: Navaho Gunleg » MS’s WMF patch could be plagiarized

  • Didier Stevens

    It’s exactly the same as Ilfak’s patch. The MS patch also prevents function 15 (0x0F).

  • Didier Stevens

    It’s not exactly the same as Ilfak’s patch. The MS patch also prevents function 15 (0x0F).

  • Didier Stevens

    Function 15 is MFCOMMENT, used to add comments to the metafile.

  • sunshine

    I suppose we needed to wait to an official patch for a comment. :)

    The patch is also entered in a slightly different location.

  • Jan

    The original code blocked 0x0F as well, just look at lines 2+3. The check was just moved to the new function.

  • sunshine

    Earlier and continuing reversing discussion on this can be found on the funsec mailing list:

  • Pingback: Aaron Tiensivu's Blog

  • KeithW

    Ilfak patched only his own build of Windows XP. Later, Steve Gibson had to help him add support for Windows 2000 SP4 and various others helped with mechanisms for repackaging and deploying on managed corporate networks.

    Microsoft dealt with 9 versions and service pack levels of Windows (including 64-bit editions) in U.S. English PLUS 23 localized versions. Since Microsoft’s patch was built into gdi32 rather than “hooked” via AppInit_DLLs, there was much more regression testing required (more to check for build errors than for code/logic errors).

    The resulting builds must be signed and packaged with CAT files required by Windows File Protection. Those hotfix packages also contain versioning and dependency checks so that a future hotfix for gdi32 will not be overwritten if this hotfix is accidentally reinstalled. (This sounds simple when you’re only dealing with one DLL but when a hotfix includes multiple DLLs with dependencies, it used to be a real problem in the 2000-2001 timeframe before Microsoft established the current mechanism.)

    Additionally, there is automatic “migration” capability so that you can install the hotfix on XP SP1 and then apply SP2 without redownloading and reapplying the hotfix. (If you look under the hidden folder %SystemRoot%\$hf_mig$, that’s what those files are for.)

    Conclusion of testing and packaging still left hundreds of files to be mirrored AND verified. There are servers supporting microsoft.com/downloads (direct download), Windows Update/Microsoft Update (the site known to end-users), MBSA (detection tool requiring metadata updates) and Windows Server Update Services (corporate tool). If you snoop through the filenames and XML metadata files used internally, you’ll see that these are separate infrastructures which obviously involve substantial work to stage around the world. Given how heavy the load on hexblog.com was, it still only represented a tiny fraction of technically inclined Windows users. When Microsoft releases a critical fix, the server hits are measured in the hundreds of millions.

    Lastly, certain documentation (much of it in multiple languages) must be ready to publish at the same time as the hotfix itself. This always includes Security Bulletins (in simplified and technical versions) and KB articles. In a high-profile situation like this, key partners and enterprise accounts don’t like their “Support Flash” communications to trail the hotfix availability by much.

    So when Microsoft says “testing,” you need to realize that there is also substantial “build” and “release” work implied as part of the process. Although grandma probably understands “testing,” it’s unlikely that she cares to hear about anything from the realm of makefiles or XML manifests so you wouldn’t hear about build/release aspects in the soundbite quotes given by Microsoft to mainstream media for laypeople.

  • sunshine

    KeithW – You should post that last in your own blog here.

  • http://blogs.securiteam.com/index.php/archives/author/mattmurphy/ Matthew Murphy

    I guess I know this from experience, but uh… have people bothered to look at the posting alias? This is meant to be, ya know… funny and lighthearted, and all.

  • wari

    Incidentally (or maybe not…) no one has reflected on the fact that over a month earlier of the “discovery of an exploit in the wild” TWO other vulnerabilities were disclosed in GDI32.dll that dealt with processing WMF files.
    If at the time that those bugs were reported to the vendor, they had done a more in-depth review of GDI32.dll they should had found the SetAbortProc one and fix it as well.
    The vendor did not do it, but apparently the attackers did. That’s proactive security for you… yeah right

  • Antony

    Ilfak Guilfanov patch blocks any call to setabortproc, Microsoft patch blocks the setabort from the WMF format. So it’s important that any user uninstall Ilfak Guilfanov patch and install the Microsoft patch.

  • Kyle

    Ilifak Guilfanov’s Patch
    GDI escapes are handled within GDI32.DLL by a function conveniently known as
    Escape( ). If it were possible to re-write that function in such a way that it would ignore
    any SETABORTPROC escapes, it would block the vulnerability not only from within
    the Windows Picture and Fax Viewer (shimgvw.dll) but from any other unknown
    vectors as well. Of course, doing so would block any legitimate uses of
    SETABORTPROC escapes

  • Canopi

    Final official patch is dated Dicember 29 2005 and not 28.

  • http://www.devitto.com Dom De Vitto

    Basically, Ilfak and Steve did two Windows versions in two days, and the 65,000 staff at Microsoft, who has access to the C source of faulty code, rather than just disassembled code, managed 9 versions of windows, in 9 days.

    Impressive. That’s a lot of middle managment, by any corporate standard.

    MS really dropped the ball here.

  • P

    Dom De Vitto how many of those 65,000 employees do you think work in the security patch testing dept. and how many of those do you think worked on this particular fix. MS also had to ensure that the fix worked on all language versions, all SPs, etc, etc.

  • br0nd

    LOL @ MS + the gays supporting MS,
    millions of windows systems are prone to attack for more than 2,3 week ,and millions of systems are compromised,whatever the no of guys working on the patch dosent matter , as this is a critical one MS should patch this within 1, 2 days

  • knobdy

    br0nd – I’ll guess English isn’t your first language…3rd?

    It’s fun to rip on MS, I guess, but I’m currently typing on a Linux laptop which I patch WEEKLY for MULTIPLE apps AND the kernel. Once/If Linux gets a larger market share it will also become a larger, easier, more satisfying target. Then who will we laugh at?

  • Rainer

    Delays because the international versions had to be tested, too?
    BS! That’s a design decision MSFT made intentionally.
    Who in his right mind would design an OS that has to be compiled for every language and provided with seperate patches for every language?
    They did this on purpose so nobody can buy the (supposedly) cheap Brazilian version and fit it with i18ns.
    I have no sympathy for them. They built the system, they could have built it less complex (at least partly), but they choose to maximize profit.
    And besides: WMF – they should have withdrawn support for that long ago.
    It’s always the same: “Let’s mix data and code”…lalala… oh, helo Macro-Viruses, helo WMF-exploit.

  • speicys

    Actually, the brazilian version is US$30,00 more expensive than the original.


    Just wanted to make that clear.