
ZERO DAY! Huge Microsoft Security Flaw...

page: 3

posted on Jan, 3 2006 @ 08:07 PM

Originally posted by curme
Why is there an independent patch, but Microsoft hasn't put one out yet?


Because Microsoft chose to release the patch along with the regularly scheduled updates for January rather than releasing it faster to make it available when it's needed. I still haven't quite figured out the logic behind waiting to release a patch for a problem that is serious NOW until January 10, but here's what Microsoft themselves had to say:



Original Source: Microsoft
Based on strong customer feedback, all Microsoft’s security updates must pass a series of quality tests, including testing by third parties, to assure customers that they can be deployed effectively in all languages and for all versions of the Windows platform with minimum down time.


Now, just because I think you should know this, Microsoft has already released a patch, but only if you pay extra for Windows OneCare:



Original Source: Microsoft
If you are a Windows OneCare user and your current status is green, you are already protected from known malware that uses this vulnerability to attempt to attack systems.


Don't know what conclusions other people will draw, but either Microsoft doesn't consider this to be much of a serious threat or they're simply trying to get new Windows OneCare users, your call.

UO

Edit: added Windows OneCare quote

[edit on 3-1-2006 by UnknownOrigins]



posted on Jan, 3 2006 @ 08:11 PM

Originally posted by Zipdot
Google's thumbnails have nothing to do with local thumbnails on your computer. If you unregister that .dll, you should no longer see thumbnails when running explorer.exe and browsing a directory on your computer composed of mostly images.


Thanks.


Originally posted by Zipdot
The thumbnails aren't really the problem, though. Displaying thumbnails automatically is just one possible way that your computer can get pwned.


Right, I knew that, my confusion stemmed from the fact that supposedly once the "fix" was installed you no longer needed to disable the .dll manually.

Wasn't sure if the patch did this (thumb blocking/.dll disable) on its own, or if it fixed the problem through another route to prevent malicious code from running.

[edit on 1/3/06 by redmage]



posted on Jan, 3 2006 @ 08:48 PM
Some say yes, some say no. But this is what caught my eye.

This morning chief research officer at F-Secure said:



ZD Net AU
04 January 2006 09:18 AM

"We have seen dozens of different attacks using this vulnerability since Dec. 27," Hypponen said. "One exploits image files and tries to get users to click on them; another is an MSN Messenger worm that will send the worm to people on your buddy list, and we have seen several spam attacks."


This afternoon:



Smart Money
Published: January 03, 2006 2:58 PM

Johannes Ullrich, chief research officer at SANS Institute, said there are hundreds of Web sites that carry the infected images, and he's tracking the possibility that an online ad service is serving up infected image files. He says 5% to 10% of users appear to be infected, "an order of magnitude more than other attacks."


5 - 10% of users? That's right. And McAfee gives us more numbers to work with.



McAfee
To date, McAfee is aware of over 120,000 McAfee VirusScan Online customers who have reported detecting Exploit-WMF files attempting to execute on their systems.


120,000 is a comparatively small number, but remember, this is just 1 company reporting from their clients.

On a similar note:
One reason that this WMF vulnerability is worrisome is because it is so easy to create an exploit. In fact, Panda Software has found a "kit" being passed around the internet which aids in creating WMF exploits.



Panda Discovers WMFMaker
This WMF generation kit is designed to be used from the commandline, by including the full path of the tool and of the executable file that will be run if the vulnerability is exploited. By doing this, a file with a windowsmetafile extension is generated under a name that varies between "evilwindowsmetafile" and the name of the executable file included inside it.

This tool allows malicious WMFs to be generated from any other code, which allows malware to be dropped on users' systems by exploiting the critical vulnerability in the Windows Meta File process that has not yet been resolved.


This ease of availability is probably the reason for the increase of the WMF exploits. This ease of creation is causing additional worries that it will bring on innumerable variations of the exploit.

Freely available, point & click exploit creator, for a vulnerability with no cure. Ay, there's the rub!

I will leave you with one more thing to think about.



National Business Review
Reportedly, Microsoft is concerned that, since the windowsmetafile function is built so deeply into Windows, a large but unknown number of third party applications may depend on it.




[edit on 1/3/06 by makeitso]
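Added example (not from any post in this thread, and not a vendor tool): a small Python scanner that walks the record list of a WMF file and reports the record type at the heart of this vulnerability, a META_ESCAPE record whose escape function is SETABORTPROC, which is what the Exploit-WMF detections quoted above look for. It also reports malformed record sizes, since a metafile that cannot be walked cleanly is worth quarantining on its own. The format constants are standard WMF values; the sample files are constructed inside the script, with zero-filled escape data and no payload of any kind.

```python
import struct

# Standard WMF constants (public format values, not taken from the thread).
PLACEABLE_MAGIC = 0x9AC6CDD7      # optional 22-byte Aldus placeable header
META_EOF = 0x0000
META_ESCAPE = 0x0626
ESCAPE_SETABORTPROC = 0x0009      # the escape function the Exploit-WMF files abuse


def wmf_records(data):
    """Yield (function, params) for each record; raise ValueError on malformed input."""
    off = 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        off = 22                      # skip the placeable header if present
    if len(data) < off + 18:
        raise ValueError("truncated WMF header")
    mt_type, hdr_size, _version = struct.unpack_from("<HHH", data, off)
    if mt_type not in (1, 2) or hdr_size != 9:
        raise ValueError("not a standard WMF header")
    off += 18
    while off + 6 <= len(data):
        # Each record: DWORD size in 16-bit words (header included), WORD function.
        size_words, func = struct.unpack_from("<IH", data, off)
        if size_words < 3:
            raise ValueError("record size smaller than its own 6-byte header")
        end = off + size_words * 2
        if end > len(data):
            raise ValueError("record runs past end of file")
        yield func, data[off + 6:end]
        if func == META_EOF:
            return
        off = end
    raise ValueError("no META_EOF record")


def scan_wmf(data):
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    findings = []
    try:
        for index, (func, params) in enumerate(wmf_records(data)):
            if func == META_ESCAPE and len(params) >= 4:
                escape, byte_count = struct.unpack_from("<HH", params, 0)
                if escape == ESCAPE_SETABORTPROC:
                    findings.append(
                        f"record {index}: META_ESCAPE with SETABORTPROC "
                        f"({byte_count} bytes of escape data)")
    except ValueError as exc:
        findings.append(f"malformed: {exc}")
    return findings


def build_wmf(records):
    """Constructed helper: pack (function, params) pairs into a minimal WMF."""
    packed = []
    for func, params in records:
        size_words = 3 + len(params) // 2   # size counts words, record header included
        packed.append(struct.pack("<IH", size_words, func) + params)
    body = b"".join(packed)
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0,
                         max(len(r) // 2 for r in packed), 0)
    return header + body


# Constructed samples: a harmless file using a different escape (QUERYESCSUPPORT),
# and one carrying a SETABORTPROC escape whose data is just zero bytes.
BENIGN_WMF = build_wmf([
    (META_ESCAPE, struct.pack("<HH", 0x0008, 2) + b"\x00\x00"),
    (META_EOF, b""),
])
SUSPECT_WMF = build_wmf([
    (META_ESCAPE, struct.pack("<HH", ESCAPE_SETABORTPROC, 4) + bytes(4)),
    (META_EOF, b""),
])
PLACEABLE_SUSPECT_WMF = struct.pack("<I", PLACEABLE_MAGIC) + bytes(18) + SUSPECT_WMF

if __name__ == "__main__":
    for name, sample in [("benign", BENIGN_WMF), ("suspect", SUSPECT_WMF),
                         ("truncated", SUSPECT_WMF[:-4])]:
        print(name, scan_wmf(sample) or "clean")
```

The scanner deliberately refuses records whose size field is smaller than the record header or runs past the end of the file, rather than trying to be lenient the way a renderer might; for a filter sitting in front of mail or a web proxy, a file that does not parse is treated the same as one that is flagged.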



posted on Jan, 3 2006 @ 09:27 PM
Apparently, hardware DEP (Data Execution Prevention) helps with the situation somewhat, as it has been found to prevent some instances of the exploit. I found this searching on Google for more information. So, if you have a computer capable of enabling DEP, you might want to check this out (I don't use XP so I can't try it out):
Link

A previous post above me had a link mentioning something about a third-party ad service potentially carrying the infection; I found more information on that as well (apparently it's a network known as Exfol): More info on that here

There is also a possibility that it's only the newer operating systems that are affected (XP, Server 2003) and that Windows 2000, 98, and older may not be as vulnerable:


Original Source
It is true, as F-Secure says, that all versions of Windows back to 3.0 have the vulnerability in GDI32. But most versions of Windows are not quite as vulnerable as they appear. Except for Windows XP and Windows Server 2003, no Windows versions, in their default configuration, have a default association for WMF files.


There is also evidence of a user-friendly application that is basically a "Make Your Own Exploit!" available, so by now there could be hundreds, if not thousands, of variants.

Remember folks, that just viewing an infected website will set off the exploit. And Firefox is NOT immune to this particular exploit.

Edit (Forgot to add this): Running as a user without administrator access privileges could possibly lessen the severity if you are infected. Apparently, the virus only has as much power as the user viewing the image.
Source:


Source: Symantec
The issue may be exploited remotely or by a local attacker. Any remote code execution that occurs will be with the privileges of the user viewing a malicious image. An attacker may gain SYSTEM privileges if an administrator views the malicious file.


UO

2nd Edit: Spelling

[edit on 3-1-2006 by UnknownOrigins]

[edit on 3-1-2006 by UnknownOrigins]



posted on Jan, 4 2006 @ 10:53 AM

Originally posted by SwearBear
This will disable WMF:
Start > Run > regsvr32 -u %windir%\system32\shimgvw.dll

This means you can't view thumbnails or anything with "Windows Picture and Fax Viewer"


When you have the official fix, turn it on again:
Start > Run > regsvr32 %windir%\system32\shimgvw.dll


I think that's the safest way to go right now. If you have the program which has the bug disabled, you shouldn't have anything to worry about regarding various worms, viruses etc. that might exploit this vulnerability.


BTW, the bug also affects other browsers, like Firefox.

Forgot to mention you have to reboot for it to take effect.

The only thing I have done is disable shimgvw.dll, and the WMF vulnerability checker says I'm invulnerable to the exploit.

Here's a solution though:
Switch to Loonix (Linux) or Mac. A Mac is more expensive than a PC. Loonix is free but harder to use than Windows and Mac ... but I'm sure you people are smart enough to figure it out

You can even use Windows on a Loonix computer, and vice versa, with VMWare, or then run some Windows applications on Loonix with Wine.

[edit on 4/1/2006 by SwearBear]



posted on Jan, 4 2006 @ 11:12 AM
OMG, do you people still use M$ Windows?

I never have to worry about viruses or spyware on my Debian Linux machine.


Anyway, I've heard all these patches disable far too many things on your PC, and don't protect you very well from this major flaw. I'd say use a good anti-virus program; most of them already got updates which detect and prevent this bug.

It's best to have a good up-to-date virus scanner, *and* wait for the Jan 10th patch (don't just wait for Jan 10th; if you use Windows, you should ALWAYS have an up-to-date virus scanner).



posted on Jan, 4 2006 @ 11:32 AM

Originally posted by UnknownOrigins
Don't know what conclusions other people will draw, but either Microsoft doesn't consider this to be much of a serious threat or they're simply trying to get new Windows OneCare users, your call.

UO

Edit: added Windows OneCare quote


Microsoft is still testing the hotfix apparently. And isn't OneCare still in Beta mode??



posted on Jan, 4 2006 @ 02:13 PM

Originally posted by TheBandit795

Microsoft is still testing the hotfix apparently. And isn't OneCare still in Beta mode??


Yes, Windows OneCare is still in beta as far as I know, but the point is that they have already made the patch available if you're a subscriber to it. I'm not sure as to the cost of OneCare when it comes out of beta, but I see no reason why the patch should only be released to those using OneCare until January 10th. Perhaps they're being honest and really testing it and putting it in the OneCare beta is just one of their methods of testing, I'm not sure.

UO



posted on Jan, 4 2006 @ 02:45 PM
Folks, if you're going to download and install any "unofficial" patches, be very careful about where these patches are coming from. Go only to the most well-known and respectable Internet Security sites.

The single most important thing you can do to protect your system until a widely-accepted official patch comes out, is watch the links you click when you are opening email. If it doesn't come from someone you know, or if it DOES come from someone you know but it looks "funny" in any way, just delete it. If you need to find little visual jokes and funny animations, go to a place like ebaum's world.

I have installed one of the unofficial patches, but I got it from an internet security site that I've used and trusted for several years. I'd give their address, but I don't think they'd appreciate it if their servers went down because I gave out their address. It's a private site, you see.

Just like with terrorism, we can't live our lives or use our computers in fear of something bad happening. Common sense, reasonable care, and keep your zipper up are the watchwords of the day.



posted on Jan, 5 2006 @ 05:10 PM
Microsoft has the patch up early.
Upgrade today.



posted on Jan, 5 2006 @ 05:29 PM
Yeah it is out

www.microsoft.com...



posted on Jan, 5 2006 @ 05:48 PM
Thanks for the link, Dulcimer!

Now, I can uninstall the Windows One Care beta.



posted on Jan, 5 2006 @ 06:00 PM
Don't forget to uninstall the Windows WMF Metafile Vulnerability HotFix 1.2 first. It requires a reboot to finish the uninstall.

Don't forget to re-register the shimgvw.dll with "regsvr32 %windir%\system32\shimgvw.dll" (without the quotation marks) if you unregistered it manually.

Looks like the update is named:
Security Update for Windows 2000 (KB912919) Date last published: 1/5/2006

The technical details and FAQ are located here

It appears that Windows 98, Windows NT, and Windows 2000 sp2, and sp3 clients are left out in the cold as usual.


Windows XP (all versions) Prerequisites
This security update requires Microsoft Windows XP Service Pack 1 or a later version.

Windows 2000 (all versions) Prerequisites
For Windows 2000, this security update requires Service Pack 4 (SP4).

Disclaimer:

The information provided in this security bulletin is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose.




posted on Jan, 5 2006 @ 06:11 PM

Originally posted by makeitso
It appears that Windows 98, Windows NT, and Windows 2000 sp2, and sp3 clients are left out in the cold as usual.


It may seem that way, but apparently while pre-XP operating systems are still vulnerable, they aren't as vulnerable as XP is. This is mostly due to the fact that although pre-XP operating systems have the .dll that is exploited, they have no default handler for WMF files, so unless you have a third-party WMF viewer installed on these operating systems, WMF files shouldn't open automatically.

However, Microsoft will release a patch for these operating systems if this exploit is ever declared worthy of a critical security update as per their extended support phase:


Original Source: Microsoft
How does the extended support for Windows 98, Windows 98 Second Edition, and Windows Millennium Edition affect the release of security updates for these operating systems?
For these versions of Windows, Microsoft will only release security updates for critical security issues. Non-critical security issues are not offered during this support period.

Are Windows 98, Windows 98 Second Edition, or Windows Millennium Edition critically affected by one or more of the vulnerabilities that are addressed in this security bulletin?
No. Although Windows 98, Windows 98 Second Edition, and Windows Millennium Edition do contain the affected component, the vulnerability is not critical because an exploitable attack vector has not been identified that would yield a Critical severity rating for these versions.


Edit: fixed quote

UO

I did just notice that on the page I linked to, it does list the exploit as having a critical severity rating, yet they have not released a patch for older operating systems despite their claim to do so in the event of a critical security issue. Try and figure that one out.

[edit on 5-1-2006 by UnknownOrigins]



posted on Jan, 5 2006 @ 06:31 PM

Originally posted by UnknownOrigins
does list the exploit as having a critical severity rating, yet they have not released a patch for older operating systems despite their claim to do so in the event of a critical security issue. Try and figure that one out.


The FAQ may help us understand their reasoning on that. It says:



Although Windows 98, Windows 98 Second Edition, and Windows Millennium Edition do contain the affected component, the vulnerability is not critical because an exploitable attack vector has not been identified that would yield a Critical severity rating for these versions.


Thanks for the good info.



posted on Dec, 16 2008 @ 09:51 PM
I know this post is a couple of years old, but The Guardian just reported that a lot of people, mostly in China, are getting attacked for their game codes so that they can be stolen and sold on the black market. Recently, it seems, more sites are getting injected with the malware that cracks the back of IE5/6/7 and makes your information openly vulnerable.

Or perhaps this is still a flaw that people are trying to keep in the spotlight so that IE users don't get too comfy and think they are not vulnerable.

Apparently, MS can't fix the hole, since they have had 2 years and new releases that are still in effect in the trashed-out IE browser.

Chrome, FTW!


