ZERO DAY! Huge Microsoft Security Flaw...

I have nothing to add to the conversation but that I hate people that bash windows and think that linux is all the rage.




Nothing is perfect.

I would not worry about this either.

Surf smart.

Easiest thing you could do is use firefox until the official fix is out.

Watch your email attachments like a hawk.

Live in fear.

And if you are not using firefox already... why not?

www.mozilla.com...

Originally posted by Dulcimer
I would not worry about this either.

No offense but...


I already know several people hurt by this... two of which opened ".JPG" files, and one, simply an email with a hidden .JPG that was actually a WMF file.

ZDnet.com
The Internet Storm Center admitted that many businesses would be very reluctant to deploy an unofficial patch on their systems, but insisted that such drastic action is needed.

"We've received many emails from people saying that no-one in a corporate environment will find using an unofficial patch acceptable," said Tom Liston of the Internet Storm Center, in his blog. "Acceptable or not, folks, you have to trust someone in this situation."

All I can say is surf smart. This is a case that you can avoid by staying on websites you trust.

And I say wait for the official patch. Definately.

Heres one thing I found to watch for:

One of the hidden dangers of the WMF vulnerability is that things are not always what they appear. Usually, WMF files can be identified by their windowsmetafile file extension, and blocked as a precaution, but attackers may choose to disguise malicious files simply by giving them another image file suffix, such as .JPG, because the Windows graphics rendering engine attempts to identify graphics files by their content, not their name. That was the case with a file with the title "happynewyear.jpg" that began circulating in e-mail messages on December 31: If opened on a Windows machine, the file attempts to download and install a backdoor called Bifrose.

The problem with these things is idiots at places like metasploit publish source code and the thing really gets out of hand with new variants.

This thing has been going around since early december. It is only recently that it has picked up steam.

Surf smart.

makeitso,

I feel it imperative that ALL members of ATS read an excerpt from your linked article on VNUNET.

Iain Thomson, vnunet.com:

"This is not really a bug, it's just bad design. When Windows Metafiles were designed in the late 1980s, a feature was included that allowed the image files to contain actual code," he said in a blog entry.

"This code would be executed via a call-back in special situations. This was not a bug; this was something which was needed at the time."

Hyppönen explained that the code was needed to stop print runs if they were cancelled mid-job. This means that other vulnerabilities in the WMF system are likely, and that every version of Windows is potentially affected.

The code in question was designed to allow for/create the capability to cancel mid-job printing, by allowing for executable code within images/graphics. By allowing image files to contain executable code, they actually created the vulnerability.

Personally, I can't stress it enough ...

ALL WINDOWS USERS NEED TO INSTALL THIS PATCH!

The linked patch is: Ilfak's Temporary WMF Patch

4 paragraphs ... to include future removal instructions:
This safely and "dynamically patches" the vulnerable function in Windows to neuter it and, after rebooting, renders any Windows 2000, XP, 64-bit XP and 2003 systems completely invulnerable to exploitation of the Windows Metafile vulnerability.

Please Note: Unlike the "DLL unregister" recommendation offered by Microsoft (see RED box below) Ilfak's patch completely eliminates the vulnerability. Therefore, until Microsoft is able to update and repair their vulnerable GDI32.DLL, this is what you should use. You do NOT need to unregister the DLL as described in the RED box below.

You SHOULD REMOVE THIS PATCH to restore full functionality to Windows Metafile processing once WIndows has been officially updated and repaired.

To Remove: Simply open the Windows Control Panel "Add/Remove Programs", where you will find the "Windows WMF Metafile Vulnerability HotFix" listed. Remove it, then reboot.

Many users simply don't realise/give thought to the extent that their systems can and/or will be compromised.

* a note to all Linux/Mac/etc. users ... yeah, yeah, yeah?!








[edit on 1/3/2006 by 12m8keall2c]

Originally posted by Dulcimer
All I can say is surf smart. This is a case that you can avoid by staying on websites you trust.

This is not good advice for this current exploit.

"Trusted sites" have been found to be infected.

Infected PC's have been found to spread the exploit via small embedded images in email signatures. Meaning, opening an expected email from a known source will infect you, if the source is infected.

Some variants attach the malicious code to all WMF files on the local and network drives.

One variant reportedly overwrites JPG files with infected WMF files (retaining the JPG extension).



Use the HotFix, get the official patch when it's out.

Surfing smart may not be enough to prvent an infection, in this case. While it seems perfectly logical that not opening a virus-containing file will not execute the code, in this case it is different. Here's something I found from a google search on the topic:

Original Source:
Computer World

However, simply viewing the folder that contains the affected file, or even allowing the file to be indexed by desktop search utilities such as Google Desktop, can trigger its payload, F-Secure Chief Research Officer Mikko Hypponen wrote in his company's blog.

Further along in the article, it mentions that Windows' DEP service may help but not eliminate the problem:

According to Ken Dunham, director of the rapid response team at iDefense, Windows machines running Windows Data Execution Prevention (DEP) software are at least safe from the WMF attacks seen so far. However, Microsoft said that software DEP offered no protection from the threat, although hardware DEP may help.

Also, keep in mind, that if you unregister the .dll file, the code can still be executed if the infected image is opened manually (eg. opening in Paint). I only say this because I know someone who got infected this way.

thanx for the heads up SO

Downloaded and i have pasted the link of to friends

I will have to admit that I did install the temporary unofficial hotfix. I will definately be getting the official one when it is released.

You have to also realize that this hotfix will not protect you from all variants as this thing is all over the place.

The only thing I am worried about is browsing forums like ATS with tons of image linking, general linking to unknown content etc.

"Don't patch, surf smart" is not good advice at all. The patch is safe and when Microsoft releases an official patch in a week, this patch can easily be uninstalled. For home/desktop/small business users, installing the patch is a no brainer. Do it.

Zip

Originally posted by Dulcimer
The only thing I am worried about is browsing forums like ATS with tons of image linking, general linking to unknown content etc.

... in the meantime, fall back on your "Safe Surfing" approach to the web, including ATS!

As noted by SkepticOverlord, ATS has done what they can from a "server/website" aspect, yet all-in-all that will not prevent the possibility of infection.


As you inferred, ANY image file-type is suspect, at this point.


[edit on 1/3/2006 by 12m8keall2c]

My computer geek brother-in-law emailed me this earlier this a.m.
All my laptops and desktops are temp. patched.

I already noticed some of the typical Windows begrudgements.
As such, I found this mention from the Steve Bass Tips site to the point, so to speak:

Your car has a huge number of vulnerabilities. Can it withstand a brick to the window? A knife to the tire? A particle beam accelerator? You people that expect Microsoft to anticipate every way someone might invent an attack in today's fast-paced technologically advancing world must be the same ones that think the world owes you a home, a job, and happiness. Go buy something better if you don't like it. What a dummy.

Grab a Windows WMF Metafile Vulnerability HotFix

Thanks for the heads-up, SO, especially since your an Apple man anyhow?






seekerof

[edit on 3-1-2006 by Seekerof]

Originally posted by SkepticOverlord
Our forum server is altering the file name of any WMF files in posts, U2U's, and signatures into a harmless non-executing line of text.

I just realized that this probably only applies to wmf files hosted on the ATS server, is there anything that can be done about members (even accidentally) uploading an infected avatar (or other image) offsite and then posting it on ATS? Since the image would load even though it wasn't from ATS's server, I'm assuming that the infection could still be spread that way...

Edit: Or did I just misinterpret the sentence and links to external wmf images were changed as well

[edit on 3-1-2006 by UnknownOrigins]

[edit on 3-1-2006 by UnknownOrigins]

YES... All links to WMF files are text-filtered.


-


Posted Via ATSmobile (BETA v0.3)


-

Thanks for the heads-up SkepticOverlord, much appreciated Bud.

This will disable WMF:
Start > Run > regsvr32 -u %windir%\system32\shimgvw.dll

This means you can't view thumbnails or anything with "Windows Picture and Fax Viewer"


When you have the official fix, turn it on again:
Start > Run > regsvr32 %windir%\system32\shimgvw.dll


I think that's the safest way to go right now. If you have the program which has the bug, disabled, you shouldn't have anything to worry about regarding various worms, viruses etc. that might exploit this vulnerability.


BTW, the bug also affects other browsers, like Firefox.

[edit on 3/1/2006 by SwearBear]

I've downloaded the patch. Thanks guys for the info and
I've passed it along to several friends

Thanks for the news SO.

Question, I've downloaded and run the temp fix and as a "trial by fire" I did a google image search and I still see the thumbnails returned; is there a way to test that the fix works or that it installed correctly?

Or, is thumbnail blocking only done by disabling the shimgvw.dll manually?


edit: just found the vulnerability checking program here.

Download Ilfak's WMF Vulnerability test from GRC — version 1.1, 3.6 kb (download link: www.grc.com... )


This is Ilfak's small and simple WMF vulnerability test program. It safely and benignly checks to see whether your system is currently vulnerable to the newly-discovered WMF vulnerability. It can be used to test your system's pre- and post-installation vulnerability with and without Ilfak's vulnerability suppression patch installed.

Source: www.grc.com...

Interesting, it says I'm "safe" at the moment but I still see thumbnails.

So is thumbnail blocking only done by disabling the shimgvw.dll manually?


[edit on 1/3/06 by redmage]

Why is there an independent patch, but Microsoft hasn't put one out yet?

Google's thumbnails have nothing to do with local thumbnails on your computer. If you unregister that .dll, you should no longer see thumbnails when running explorer.exe and browsing a directory on your computer composed of mostly images.

The thumbnails aren't really the problem, though. Displaying thumbnails automatically is just one possible way that your computer can get pwned.

Zip