Slashdot Mirror


Exploit Released for Unpatched Windows Flaw

woodchuck writes "Washington Post reports that another Windows hole has been found and exploit code is now running loose that makes Swiss cheese of current patches and security measures. From the article: "Security researchers have released instructions for exploiting a previously unknown security hole in Windows XP and Windows 2003 Web Server with all of the latest patches applied. Anti-virus company Symantec warned of the new exploit, which it said uses a vulnerability in the way Windows computers process certain image files (Windows Meta Files, or those ending in .wmf). Symantec said the exploit is designed to download and run a program from the Web that downloads several malicious files, including tools that attackers could use to control vulnerable computers via IRC.""

9 of 386 comments

  1. Re:They call hackers researchers now? by dorkygeek · · Score: 5, Informative
    They're not hackers, they are crackers. Or intruders. Or black hats. Or fucking idiots. But not hackers. Linus Torvalds is a hacker. Alan Cox is one, and RMS definitely. Maybe even ESR.

    Thank you.

    --
    Windows is like decaf - it tastes like the real thing, but it won't get you through the day.
  2. Fix from article by Rangsk · · Score: 5, Informative

    Here is the fix, from the linked article in case you DNRTFA:

    ----
    According to iDefense, Windows users can disable the rendering of WMF files using the following hack:

    1. Click on the Start button on the taskbar.
    2. Click on Run...
    3. Type "regsvr32 /u shimgvw.dll" to disable.
    4. Click ok when the change dialog appears.

    iDefense notes that this workaround may interfere with certain thumbnail images loading correctly, though I have used the hack on my machine and haven't had any problems yet. The company notes that once Microsoft issues a patch, the WMF feature may be enabled again by entering the command "regsvr32 shimgvw.dll" in step three above.
    ----

    I'm not sure if you need to type this every reboot, or just once. Since it requires re-enabling, I'm hoping it's just once.

    --
    "Don't believe anything you read on the net. Except this. Well, including this, I suppose." --Douglas Adams
  3. Re:They call hackers researchers now? by ninja_assault_kitten · · Score: 5, Informative

    The exploit was published by HD Moore after reverse engineering some malware. HD Moore is absolutely a very prominent researcher and hacker. Secondly, the person(s) who discovered the vulnerability and wrote the initial malware to exploit it are also hackers. Even by the historical definition. Intent has no bearing on the term. Skill does. And you can't tell me discovering a 0day affecting any MS platform doesn't require skill. There are tens of thousands of researchers out there right now who can't.

  4. Re:They call hackers researchers now? by Anonymous Coward · · Score: 5, Informative

    They're not hackers, they are crackers.

    UUuummm no. Ever since the 1980s underground scene the word cracker has referred to a person who breaks the protection on copyrighted software. It was that way for years until that ruddy faced blowhard "ESR" decided to start using the term "cracker" as a synonym for "computer criminal."

    Talk about hypocrisy. ESR gets all pissed about the media misusing the word hacker so he turns around and starts misusing the word cracker. And because of his position as editor of "The Jargon File" he has influenced the web culture (newbies at least) that the word cracker is synonymous with cybercriminal even though anyone who was in the pirate scene back in the eighties can tell you that a cracker was by the following DEFINITION:

    "Software cracking is the modification of software to remove encoded copy prevention. Distribution of cracked software (warez) is generally an illegal (or more recently, criminal) act of copyright infringement. Software cracking is most often done by software reverse engineering."

  5. Watch out for Google Desktop by Repton · · Score: 5, Informative

    From F-secure's blog:

    Do note that it's really easy to get burned by this exploit if you're analysing it under Windows. All you need to do is to access an infected web site with IE or view a folder with infected files with the Windows Explorer.

    You can get burned even while working in a DOS box! This happened on one of our test machines where we simply used the WGET command-line tool to download a malicious WMF file. That's it, it was enough to download the file. So how on earth did it have a chance to execute?

    The test machine had Google Desktop installed. It seems that Google Desktop creates an index of the metadata of all images too, and it issues an API call to the vulnerable Windows component SHIMGVW.DLL to extract this info. This is enough to invoke the exploit and infect the machine. This all happens in realtime as Google Desktop contains a file system filter and will index new files in realtime.

    --
    Repton.
    They say that only an experienced wizard can do the tengu shuffle.
  6. Re:Scary. by k00110 · · Score: 5, Informative

    "Update, 12:30 p.m. ET: Several security groups are reporting that it is extremely easy to get whacked by this vulnerability/exploit just by visiting one of a growing number of malicious Web sites that are now employing this attack. F-Secure's blog post on this indicates that -- because the vulnerability lies in the way Windows parses WMF image files -- Firefox and Opera users also can get infected -- although they at least have to agree to download and run a file first"

    That's what they say in the article but the only thing I did was to open a .wmf movie in Firefox. I did not click/agree/install anything else.
    The thing just auto-installed itself from that point.

  7. Re:How/Why does this keep happening by dtfinch · · Score: 5, Informative

    On x86 processors (and probably most others), the stack pushes backward in memory. Each function call pushes the return address onto the stack. Because the stack pushes backwards, a buffer overflow will overwrite the previously pushed values that follow it in memory. So when the overflowed function returns, it'll return to the new address that has been written by the overflowed buffer.

    Good stack overflow exploit code is pretty reusable for exploiting newly discovered stack overflows with little modification, which makes these exploits appear so quickly after a new vulnerability is discovered. There's also something called a heap overflow, but using it to run executable code is quite a bit harder and must be tailored to each specific vulnerability.
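
The layout dtfinch describes, as an added example that is not part of the thread and is nobody's exploit code: it checks empirically that a callee's frame sits below its caller's, uses a constructed 32-byte model frame (buffer at the low end, a sentinel standing in for the saved return address at byte 24) to show at what length an unbounded copy reaches the return slot, and puts the bounded copy that prevents this beside it. The `noinline` attribute is GCC/Clang syntax; `BUF_SIZE`, `FRAME_SIZE`, `RET_OFFSET` and the function names are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 1. Which way does the stack grow? (x86/x86-64 and most other ABIs: downward)
 * noinline so the callee really gets its own frame below the caller's. */
__attribute__((noinline)) static int callee_frame_is_below(uintptr_t caller_local)
{
    volatile char callee_local = 0;
    return (uintptr_t)&callee_local < caller_local;
}

int stack_grows_down(void)
{
    volatile char caller_local = 0;
    return callee_frame_is_below((uintptr_t)&caller_local);
}

/* 2. Model frame (constructed, not a real frame): the buffer occupies the low
 * bytes, the saved return address the high bytes, as in the comment. A copy
 * writes upward from the buffer, so once the source is longer than the gap
 * between buffer start and return slot, the return slot is overwritten. */
#define BUF_SIZE   16
#define FRAME_SIZE 32
#define RET_OFFSET 24   /* saved return address occupies bytes 24..31 */

int copy_clobbers_return(size_t src_len)
{
    uint8_t frame[FRAME_SIZE];
    const uint64_t sentinel = 0x4141414141414141ull; /* stands in for the real return address */
    memset(frame, 0, sizeof frame);
    memcpy(frame + RET_OFFSET, &sentinel, sizeof sentinel);

    /* unbounded copy of src_len bytes into the BUF_SIZE buffer, capped at the
     * model frame so the model itself stays in bounds */
    size_t n = src_len < FRAME_SIZE ? src_len : FRAME_SIZE;
    memset(frame, 'B', n);

    uint64_t after;
    memcpy(&after, frame + RET_OFFSET, sizeof after);
    return after != sentinel;   /* 1 if the return slot was clobbered */
}

/* 3. The fix: check the length before copying; reject rather than truncate. */
int copy_name_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t n = strlen(src);
    if (n >= dst_size)
        return 0;
    memcpy(dst, src, n + 1);
    return 1;
}

int main(void)
{
    char name[BUF_SIZE];
    printf("stack grows down: %d\n", stack_grows_down());
    printf("24-byte copy clobbers return slot: %d\n", copy_clobbers_return(24));
    printf("25-byte copy clobbers return slot: %d\n", copy_clobbers_return(25));
    printf("bounded copy accepts 'alice': %d\n", copy_name_bounded(name, sizeof name, "alice"));
    printf("bounded copy rejects 20 chars: %d\n",
           copy_name_bounded(name, sizeof name, "01234567890123456789"));
    return 0;
}
```

The model frame is why the comment's "reusable exploit code" remark holds: the distance from buffer to return slot is a per-function constant, and that constant is the only thing that changes between two stack overflows of this shape. It is also why a length check before the copy (or the compiler's stack protector, which places a sentinel exactly like the one above and checks it before returning) removes the whole class.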

  8. Nasty! by sdh968251 · · Score: 5, Informative

    This thing is nasty! I was browsing the internet this afternoon and got it. I have a fully patched copy of Windows XP SP2 with Symantec Antivirus Corporate 9.0. Neither stopped it. I spent about 6 hours running virus scans, Ad-Aware, and Spy-Bot in safe mode. This didn't even come close to detecting everything. I had to manually remove files based on searches by creation date. Interestingly, none of the three tools picked up any of the DLLs mentioned in the next paragraph.

    I traced it to an ad within an ad within an ad that sources a WMF file in an iframe. If you want to see this thing in action then use VMWare to load the following link: h**p://iframeurl.biz/dl/xpladv470.wmf. After all is said and done, you'll have trojan.byteverify, trojan.dropper, trojan.bookmarker, download.trojan, w32.conycspa.G@mm, backdoor.shellbot, backdoor.trojan, w32.looksky.A@mm, among others. I also had some new DLLs that were particularly hard to get rid of - msupdate32.dll, msctl32.dll, uytpu.dll, qrlmq.dll - all in the system32 directory.

    This has actually never happened to me. I am religious about keeping Windows and my antivirus software up-to-date. It was a good learning experience to see it all in action.

    And, by the way, I was not browsing for porn. I was doing a google search for a old Macintosh program named Cache Killer. One of the links listed was "Download Cache Killer Pro v5.0 crack / keygen / serial / patch ...". I clicked on this and ... WHAM! Here's the Google search - http://www.google.com/search?q=cache+killer&hl=en& lr=&start=0&sa=N. It's the last link on the page - h**p://www.crackz.ws/down/25335/Cache.Killer.Pro.v 5.0_crack_serial_keygen.html. This is the page that contains the ad within an ad within an ad. Beware!!!

  9. The file extension is not critical by whitehatlurker · · Score: 5, Informative
    I want to point out that the file extension is not used exclusively for file type detection, and the magic string at the beginning of the file will trigger the use of the WMF processing. A ".tiff" extension will also work in a similar manner. (Likely there are several good candidates.)

    A few people on this thread don't seem to be familiar with the WMF format or GDI. This format provides for a set of commands which are supposed to be graphics only. (I guess they got carried away in this case.) As the viewer is basically a scripting engine, the exploiters would certainly try to target it for vulnerabilities. I don't have a copy of the dangerous file, so I don't know whether this particular exploit is a buffer overflow or something else.

    --
    .. paranoid crackpot leftover from the days of Amiga.
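
whitehatlurker's point, that the bytes at the start of the file decide how it is processed and the extension does not, as an added example that is not part of the thread: a content sniffer of the kind a mail gateway or proxy would run, beside the extension check that on its own misses a renamed file. It relies on two public facts about the format, the placeable (Aldus) header key 0x9AC6CDD7 and the standard header (type 1 or 2, header size 9 words, version 0x0100 or 0x0300); the file names, the sample byte strings and the function names are constructed for the illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef enum { WMF_NONE = 0, WMF_STANDARD = 1, WMF_PLACEABLE = 2 } wmf_kind;

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Content sniff: what the viewer keys on, regardless of the file name. */
wmf_kind sniff_wmf(const uint8_t *buf, size_t len)
{
    if (len >= 4 && le32(buf) == 0x9AC6CDD7u)
        return WMF_PLACEABLE;                       /* placeable (Aldus) header key */
    if (len >= 6) {
        uint16_t type = le16(buf), hdr_words = le16(buf + 2), version = le16(buf + 4);
        /* standard header: type 1 (memory) or 2 (disk), 9 words long, version 1.0 or 3.0 */
        if ((type == 1 || type == 2) && hdr_words == 9 && (version == 0x0100 || version == 0x0300))
            return WMF_STANDARD;
    }
    return WMF_NONE;
}

/* Name-based check, the one the comment says is not enough on its own. */
int has_wmf_extension(const char *name)
{
    size_t n = strlen(name);
    if (n < 4)
        return 0;
    const char *ext = name + n - 4;
    return ext[0] == '.' && tolower((unsigned char)ext[1]) == 'w'
        && tolower((unsigned char)ext[2]) == 'm' && tolower((unsigned char)ext[3]) == 'f';
}

/* Gateway policy: treat the file as WMF when EITHER signal says so. */
int treat_as_wmf(const char *name, const uint8_t *buf, size_t len)
{
    return has_wmf_extension(name) || sniff_wmf(buf, len) != WMF_NONE;
}

/* Constructed samples, headers only, no drawing records: */
static const uint8_t sample_placeable[] = { 0xD7, 0xCD, 0xC6, 0x9A, 0x00, 0x00, 0x00, 0x00 };
static const uint8_t sample_standard[]  = { 0x01, 0x00, 0x09, 0x00, 0x00, 0x03, 0x00, 0x00 };
static const uint8_t sample_tiff[]      = { 'I', 'I', 0x2A, 0x00, 0x08, 0x00, 0x00, 0x00 };

int main(void)
{
    printf("holiday.tiff with placeable WMF bytes -> extension says %d, content says %d, policy %d\n",
           has_wmf_extension("holiday.tiff"),
           sniff_wmf(sample_placeable, sizeof sample_placeable),
           treat_as_wmf("holiday.tiff", sample_placeable, sizeof sample_placeable));
    printf("holiday.tiff with real TIFF bytes      -> policy %d\n",
           treat_as_wmf("holiday.tiff", sample_tiff, sizeof sample_tiff));
    printf("chart.WMF with standard WMF bytes      -> policy %d\n",
           treat_as_wmf("chart.WMF", sample_standard, sizeof sample_standard));
    return 0;
}
```

The renamed file is the case that matters: `holiday.tiff` carrying placeable-WMF bytes passes the extension check and is caught only by the sniff, which is the same decision the vulnerable viewer makes, just made by the defender first.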