Exploit Released for Unpatched Windows Flaw

woodchuck writes "Washington Post reports that another Windows hole has been found and exploit code is now running lose that makes swiss cheese of current patches and security measures. From the article: "Security researchers have released instructions for exploiting a previously unknown security hole in Windows XP and Windows 2003 Web Server with all of the latest patches applied. Anti-virus company Symantec warned of the new exploit, which it said uses a vulnerability in the way Windows computers process certain image files (Windows Meta Files, or those ending in .wmf). Symantec said the exploit is designed to download and run a program from the Web that downloads several malicious files, including tools that attackers could use to control vulnerable computers via IRC.""

so what else is new?

[EllynGeek]

Trusted Computing in action. Yes, secuarity is Job One in Redmond. Well done, doodz!

Re:Not Previously Unknown

[Trick]

From November 8th: http://www.securityfocus.com/bid/15352

New metasploit plugin = new exploit
New metasploit plugin != new vulnerability

Re:Amazing

[Mr+Thinly+Sliced]

Dude, you are clearly new here.

Stop by at the entrance, pick our free magazine 'Razzle', and just format that baby. Linux man. Then you can join us.

Who cares

[JackieBrent]

Who cares ......

Stop the dupes!

[Skiron]

Why doesn't somebody just *pin* a story (maybe the 1996 one) with the security issues with MS and/or IE and leave it there...

Then we don't need to read about it all over again every 20 days ;-)

Re:In other news...

[circusfire]

, the flaw is not critical since no-one actually uses WMF Microsoft did have the audacity make this statement! I am looking forward to the day when they make a press release "these flaws were never critical since no-one actually uses Windows"

Re:Amazing

[FudRucker]

if you format and re-install after every vulnerability that gets posted in the media you will wear out your PC just re-installing that --MS-Win-kludge, i suggest you learn to live without MS-Windows and give GNU/Linux or FreeBSD a spin, and actually take the time to learn it and not give up after half a day...

PATCH!!

[a.out]

This issue has been addressed here: http://www.microsoft.com/technet/security/advisory /912840.mspx Cheers!

The fix was released months ago

[DoofusOfDeath]

The patch can be found here:

http://www.ubuntulinux.org/newsitems/release510/

Why does /. report so much on Windows flaws?

[Awptimus+Prime]

Why is it every time a Windows flaw comes out, it gets posted on this site, one which claims to be geared toward Linux users? I see daily flaws reported on Sourceforge and Security Focus for Linux and Linux software, but very rarely an advisory posted on this site. Why is that?

Has /. just become a site not above circle-jerking over how bad Windows is while offering no real content beyond plugs for the occasional OSS developer?

Watch out for M$ Desktop

[twitter]

It seems that Google Desktop creates an index of the metadata of all images too, and it issues an API call to the vulnerable Windows component SHIMGVW.DLL to extract this info. This is enough to invoke the exploit and infect the machine. This all happens in realtime as Google Desktop contains a file system filter and will index new files in realtime.

I imagine the M$ equivalent will call the same sucky M$ code and explode the same way. No telling though, you might have to drum your fingers waiting for it to explode because they did not bother to make an index on the fly. No telling, but you can't win for losing.

We can be sure that Google will have a fix before M$ does. We can also be sure no other program on any other platform viewing the same information will have the same kind of problem.

Remember, the shills will tell us, it's all the user's fault.