ZERO DAY! Huge Microsoft Security Flaw...

Attention ATS Members, Serious Windows Security Flaw

This flaw effects every Windows operating system shipped since 1990, even if all patches are applied.

Google News




There are even reports out now that trojans are being passed that alter your system to add malicious code to all WMF images on your computer.

PLEASE STAY AWARE OF DEVELOPMENTS AND INSTALL THE OFFICIAL PATCH AS SOON AS IT IS AVAILABLE


HotFix Patch Information



[edit on 1-2-2005 by SkepticOverlord]

What if you just changed the wmf file type so it open with notepad or even just remove the wmf file type all together?

Would that prevent this virus?

Thanks SO!

I had been following this, but I had not seen that Steve G had a temp fix out.

Much appreciated.

[Edit - It took me a few tries to get the download.
Their site is probably flooded from all the traffic. Don't give up, just try, try again.]


[edit on 1/2/06 by makeitso]

Apparently not. Anything that can display a WMF file can execute the malicious code.

Don't Wait!
Windows users should install an unofficial security patch now, without waiting for Microsoft to make its move, advised security researchers at The SANS Institute's Internet Storm Center (ISC).

Their recommendation follows a new wave of attacks on a flaw in the way versions of Windows from 98 through XP handle malicious files in the WMF (Windows Metafile) format. One such attack arrives in an e-mail message entitled "happy new year," bearing a malicious file attachment called "HappyNewYear.jpg" that is really a disguised WMF file, security research companies including iDefense and F-Secure. said Sunday. Even though the file is labelled as a JPEG, Windows recognizes the content as a WMF and attempts to execute the code it contains.

Phew...I saw huge security flaw and thought I had something to worry about, then I saw the "Microsoft" part. I wasn't suprised at all to find that it was a flaw in Windows, however. Guess I can just add this to the list of reasons I'm glad I use Linux

Thanks for the heads-up though, SO as I do run Windows 2000 on one of my machines and the rest of my family uses XP. I will be sure to patch my familiy's PCs as soon as possible.

Edit: I can't spell

[edit on 2-1-2006 by UnknownOrigins]

Ahhh.... come on SO! This is ATS!

Everybody knows that software security scares are manufactured by the people wanting to sell us the latest security software... or that the government is secretly using these "patches" to spy on us...


Seriously though..

What is the damage here?
A slowed system?
Massive internet traffic?
A "reformat C:" kind of situation?

Can you comment on this...

While some workarounds are being suggested on the Web, Dunham is only validating this one for disabling windowsmetafile file handling: First, users should click on the Start button on the taskbar. Then they should click on Run, type "regsvr32 /u shimgvw.dll," and click "Ok" when the change dialog appears.

What is the effect of that to the average user?

Is this what the hotfix you linked to does?

Like most people I'm not an expert and so I'm apt to install whatever "fix" is given to me, especially if it's labelled "official" after a big media blitz.

I guess that's why the conspiracies are so compelling.
.

edit: spelling

[edit on 1/2/2006 by Gools]

More information about the vulnerability may be found at CERT.

www.us-cert.gov...
www.us-cert.gov...
www.kb.cert.org...
www.kb.cert.org...

CERT
A Windows system may be compromised through several methods including:

Opening a specially crafted WMF file. Note that a malicious WMF file may masquerade as a JPEG or other type of image file.
Visiting a specially crafted web site.
Placing a malicious WMF file in a location that is indexed by Google Desktop Search or other content indexing software.
Viewing a folder that contains a malicious WMF file with Windows Explorer.

Once the vulnerability is exploited, a remote attacker may be able to perform any of the following malicious activities:

Execute arbitrary code
Cause a denial-of-service condition
Take complete control of a vulnerable system

The last link gives some solutions, I dont have the space to quote them all. Be sure to read the page.

Disable or reset the file association for Windows Metafiles

Disabling or remapping Windows Metafile files to open a program other than the default Windows Picture and Fax Viewer may prevent exploitation via some attack vectors. Microsoft has suggested taking the following steps to disable shimgvw.dll in Microsoft Security Advisory (912840):

Un-register the Windows Picture and Fax Viewer (Shimgvw.dll) on Windows XP Service Pack 1; Windows XP Service Pack 2; Windows Server 2003 and Windows Server 2003 Service Pack 1

To un-register Shimgvw.dll, follow these steps:
Click Start, click Run, type "regsvr32 -u %windir%\system32\shimgvw.dll" (without the quotation marks), and then click OK.
A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.

Systems Affected

Systems Affected------------- Vendor Status Date Updated
Google Vulnerable -----------------30-Dec-2005
Lotus Software Unknown ----------30-Dec-2005
Microsoft Corporation Vulnerable -29-Dec-2005
Mozilla, Inc. Unknown--------------28-Dec-2005

There are a lot of rumors, chaos, paranoia, and outright terror related to this latest exploit.

There are unconfirmed rumors of a malicious trojan "in the wild" carried by this flaw that systematically causes a cascade of chaos to your system, and anyone you communicate with.

Some corporate networks are already preparing to disable web and email access for all Windows users.

There are conflicting stories about which "hacking group" researched and developed this exploit, but good money is on a Pacific Rim origin. Some are thinking this is part of the "hacking war" going on... which is essentially N. Korea against the U.S. (with fringe players).

Since this has the potential to open up an infected system to anything the exploiting party would like to do... the level of seriousness is the most extreme yet. As an example: a hostile party could use the exploit to install dormant trojans that are not recognized by any malware scanner, and wait for some future event or instructions.

Very nasty.


Seriously consider the hot-fix or disabling WMF file associations (if you know how).

Our forum server is altering the file name of any WMF files in posts, U2U's, and signatures into a harmless non-executing line of text.

However... be aware that Windows Meta Files do not need the WMF extension. They will display properly with any extension.

thanks for the alert dling the fix.

In response to Gools,

By "unregistering" the windowsmetafile file type (regsvr32 /u shimgvw.dll) you basically lose the "thumbnail" viewing of files. At least that's all I've noticed since doing so 3 - 4 days ago.

Just my $.02

Note to SO,

Good job on the file filter/rename code!

My "original" reply to Gools simply contained the text (. you know) of the file extension, and the filter changed it to it's current content!

From SO's hotfix link:

Dunham characterizes the threat as "significant," while Secunia rates it "extremely critical." Symantec labels it as a "level two" threat, on a scale in which "level four" is the most critical.

Secunia lists the vulnerable operating systems as Windows Server 2003 Datacenter Edition, Windows Server 2003 Enterprise Edition, Windows Server 2003 Standard Edition, Windows Server 2003 Web Edition, Windows XP Home Edition, and Windows XP Professional.

Ilfak Guilfanov (see GREEN box below) produced a highly-effective true patch which successfully suppresses all known exploitable vulnerabilities for anyone using Windows 2000, XP, server 2003, or 64-bit XP. No patch is available for Windows 95, 98, ME or NT, and none is expected to be forthcoming. But anyone using Windows 2000, XP, server 2003, or 64-bit XP should IMMEDIATELY install Ilfak's exploit suppressor into all of their systems.

and

Windows 98/SE/ME users: Microsoft's original advice to "unregister the shimgvw.dll" (shell image viewer) was never correct or useful on those platforms. The good news is that all current WMF exploits appear to be non-functional on the older Win9x vintage platforms . . . so you will likely be okay until Microsoft has updated your system with the next security patches. There is no short-term workaround for Windows 9x users.

I'm still using Windblows 98 so all I can do is watch.

Keep the information comming and pass the popcorn...
.

[edit on 1/2/2006 by Gools]

Originally posted by 12m8keall2c
By "unregistering" the windowsmetafile file type (regsvr32 /u shimgvw.dll) you basically lose the "thumbnail" viewing of files. At least that's all I've noticed since doing so 3 - 4 days ago.

That is correct. It is what you want, because......

Security Focus Discussion

The thumbnail view in Windows Explorer will parse the graphics files in a folder, even if the file is never explicitly opened. This is enough to trigger the exploit.

Even more frightening is that you don't have to use the thumbnail view for a thumbnail to be generated. Under some circumstances, just single-clicking on the file will cause it to be parsed.

Also, The Windows Picture and Fax Viewer will no longer be started when users click on a link to an image type that is associated with the Windows Picture and Fax Viewer.

While this workaround will not correct the underlying vulnerability, it will help block known attack vectors.


[edit on 1/2/06 by makeitso]

makeitso,

Yeah, I saw this on Wired or SlashDot a couple of days ago.

My response was meant only to answer the question put forth by Gools,
What effect will be experienced by the average user?[paraphrased]

However, as SO has noted, simply unregistering the file type is not a complete fix. An actual WindowsMetaFile will be executed, regardless of extension/file-type, by several components within the Windows operating system.

However, as SO has noted, simply unregistering the file type is not a complete fix. An actual WindowsMetaFile will be executed, regardless of extension/file-type, by several components within the Windows operating system.

Yes, correct. Acknowledged. Thank you.


I found some input on the tech details from the patch that SO pointed out for us.

Fix Site Ilfak Guilfanov
Technical details: this is a DLL which gets injected to all processes loading user32.dll.

It patches the Escape() function in gdi32.dll. The result of the patch is that the SETABORT escape sequence is not accepted anymore.

Tom Liston at SAN Internet Storm Center helped work on the patch with Ilfak, and examined the fix.

Tom has taken this thing apart and looked at it very, very closely. It does exactly what it advertises and nothing more. The wmfhotfix.dll will be injected into any process loading user32.dll. It then will then patch (in memory) gdi32.dll's Escape() function so that it ignores any call using the SETABORTPROC (ie. 0x09) parameter. This should allow for Windows to display WMF files normally while still blocking the exploit.

SANS WMF FAQ good info

[edit on 1/2/06 by makeitso]

www.microsoft.com...

Microsoft intends to release the patch on Tuesday, January 10, 2006,

makeitso,

As always, a day late and an exploit short!?

.. just as with several of the issues addressed by Service Pack 2 for WinXP, that were discovered/known about almost two years prior to it's release!

Way to go, Bill [Gates, not SO]!? NOT!

Thanks for the heads up, makeitso!

[edit on 1/3/2006 by 12m8keall2c]

Originally posted by makeitso
www.microsoft.com...

Microsoft intends to release the patch on Tuesday, January 10, 2006,

And we do what till then?

Mr. Gates has a simple fix Nerdling my friend. Just purchase Microsofts latest software.

Windows OneCare. Users who have purchased this are already protected according to VNUNET


Sound like a familiar theme?