Exploit Released for Unpatched Windows Flaw
woodchuck writes "Washington Post reports that another Windows hole has been found and exploit code is now running lose that makes Swiss cheese of current patches and security measures.
From the article: "Security researchers have released instructions for exploiting a previously unknown security hole in Windows XP and Windows 2003 Web Server with all of the latest patches applied. Anti-virus company Symantec warned of the new exploit, which it said uses a vulnerability in the way Windows computers process certain image files (Windows Meta Files, or those ending in .wmf). Symantec said the exploit is designed to download and run a program from the Web that downloads several malicious files, including tools that attackers could use to control vulnerable computers via IRC.""
So they're researchers now? I'm sorry, but I have to disagree, they are computer hackers.
Unregister the dll that provides WMF viewing. Click Start, Run, and enter this:
REGSVR32 /U SHIMGVW.DLL
Sunbelt has more detail here.
before MS starts using less-quick security patches as the reason to move from XP to vista?
The important line filtered from the article, the fix:
"regsvr32 /u shimgvw.dll"
From what I read about this earlier (sorry, don't have the link), this exploit was already in the wild and was being used before any of the security companies learned of it. So no, the AV companies did not "let this one loose".
Be a real patriot: Question authority. Think for yourself. Formulate your own conclusions.
With Vista you'll be able to get this from the comfort of an RSS feed!
Trolling is a art,
Here is the fix, from the linked article in case you DNRTFA: "regsvr32 /u shimgvw.dll" to disable.
----
According to iDefense, Windows users can disable the rendering of WMF files using the following hack:
1. Click on the Start button on the taskbar.
2. Click on Run...
3. Type "regsvr32 /u shimgvw.dll"
4. Click ok when the change dialog appears.
iDefense notes that this workaround may interfere with certain thumbnail images loading correctly, though I have used the hack on my machine and haven't had any problems yet. The company notes that once Microsoft issues a patch, the WMF feature may be enabled again by entering the command "regsvr32 shimgvw.dll" in step three above.
----
I'm not sure if you need to type this every reboot, or just once. Since it requires re-enabling, I'm hoping it's just once.
"Don't believe anything you read on the net. Except this. Well, including this, I suppose." --Douglas Adams
I read the article and realized it's the same trojan I got like 1 week ago. The first thing I did was a good old format. When stuff gets messed, there is nothing better than a good old format. Now realizing they say they don't have a fix yet, I assume I did the right thing quickly.
Also, read Broadband Reports' security forum thread for discussions and what people observed.
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
... there has not yet been a real, severe, in-the-wild exploit (like Sasser) since XP SP2, right? I hate to admit it as much as the next guy, but MS has been pretty tight for a while--unless there's something I've missed. Have I?
Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
This is hardly a "previously unknown security hole." In fact, MS released a patch for it two weeks ago.
The exploit's new, but the vulnerability has been known for a while and is only still around because the patch doesn't work.
Actually it's security and they are trying. Go ahead and mod me down as flamebait but nothing is more ironic than "experts", who cannot spell security, ridiculing another organisation for failing to be more secure.
Microsoft said in its late night response on new years day that a patch is being made, the flaw is not critical since no-one actually uses WMF and the rest who do use them never should surf to porn and warez sites anyway. A patch will be available in Windows Shoehorn.
Custom electronics and digital signage for your business: www.evcircuits.com
Surfing for porn with IE on Windows is like having unprotected anal sex with everybody on the internet.
Also watch out for Google desktop search, as that caused a downloaded file to be run and exploited the machine.
Kye-U also has released a filter for proxomitron that will block wmf file downloads:
[HTTP headers]
In = FALSE
Out = TRUE
Key = "URL-Killer: Kill WMF Connection [Kye-U] (Out)"
URL = "(^*=(^http://./^([a-z]+{2,4})(^/))))*.wmf(*)\1$TST(\1=(^/))"
Match = "*&($CONFIRM(.WMF FILE EXTENSION FOUND\n\nAllow connection to the URL below?\n\n\u\n\1)|$SET(1=URL with .WMF Extension Killed\k))"
Replace = "\1"
[Patterns]
Name = "Kill .WMF [Kye-U]"
Active = TRUE
Bounds = ""
Limit = 256
Match = "*.wmf*"
Replace = "$ALERT(.WMF Extension Killed on:\n\n\u)"
Opera, Proxomitron-Grypen, GPG 0x0A1C6EE3
No, it's a buffer overload in Windows Picture and Fax Viewer.
Secuarity is absolutely the correct spelling, because Microsoft knows squat about security. Just like you know nothing about irony. But that's all right, I don't like you anyway.
we will end no whine before its time
It's a Windows only format, or at least seems to be. I don't find any references of ports to other platforms. It's an old format for doing vector graphics in Windows 3.1.
Can someone explain to me exactly how an image viewer program running on my client computer can be made to execute code? Honestly, I don't really understand these exploits that supposedly take advantage of a client buffer overflow (or some such thing) to execute code on my local machine. What makes the instruction pointer in the code that is reading (in this case) the wmf file suddenly jump to code that is in the data segment? (Presumably embedded in the wmf file itself).
http://www.bleedingsnort.com/cgi-bin/viewcvs.cgi/sigs/CURRENT_EVENTS/CURRENT_WMF_Exploit
Carousel is a lie!
- computer systems should not be released until they pass some theoretical threshold of security
- and if the above is not done, then the authors of said systems shall be held (financially? criminally?) liable.
In other words, you have just basically killed off free (both as in beer and as in speech) software as we know it. Not to mention the fact that we're talking about an exploit in an older DLL that has gone unnoticed for years. Exactly how many years until your theoretical notion of "reasonably" safe is met? If you don't think (OS of your choice) has similar weaknesses, you are deluding yourself. And so what if it 'affects only one user, not the whole system?' To that user, that IS his world.
Security companies are useless if they can't protect us. First the Sony Root Kit and now this in a short period of time. I wonder what else we probably got and don't know about. Their attitude is to be questioned, they are waiting for people to report virus/trojan. What they should do is put up some "ghost dormant computers" around the net and check if they get infected in any way. They should also browse porn/warez sites more often ;-)
Why doesn't somebody just *pin* a story (maybe the 1996 one) with the security issues with MS and/or IE and leave it there...
;-)
Then we don't need to read about it all over again every 20 days
I remember the days when only exe and com files were what you had to guard. The day word files became dangerous I thought - why did they put all the functionality in them? Idiots. At least image files and plain text files were safe.
I was eating crow shortly thereafter.
I miss the old days.
So I'm kind of curious why he states "though I have used the hack on my machine and haven't had any problems yet." since it breaks basic XP functionality.
Anyway, losing thumbnails and that program is IMHO a very minor price to pay for not having your machine rooted. So just make sure and warn others before you tell them to use this temporary workaround.
I wonder how long we will have to wait for MS to fix this one? Oh well, more money for me if they don't.
If you wanna get rich, you know that payback is a bitch
In other words, whatever asshat took advantage of this loophole did so because he thought he could make a buck. If his goal was simply to bring Windows to its knees, cause havoc, or make a political/economic statement of some sort, he would have chosen something else. Wiping out My Documents of all the infected machines, for example.
Whoever did this is obviously deluded. While some money will of course ultimately flow from this nonsense to the "see no evil" people who are the beneficiaries of spamvertisements, spyvertisements and so forth, the actual exploiter basically has little to no chance of getting it (even if he is in Russia, as I'd suspect is a good bet) as his affiliate commission links will be tracked, as will wherever the hell that credit card box for SpySherriff was pointing to and so forth.
So we have somebody smart enough (and make no mistake, it takes some smarts) to either discover or be in a small clique of people discovering a quite obscure loophole (it must be obscure, given just how old the affected .dll is), but have ABSOLUTELY NO FUCKING CLUE how to go about exploiting it other than in the most juvenile and unlikely way to fail imaginable. Furthermore, even though it is likely to fail, the guy has shown himself to basically be a psychopath, with little to no concern about the hundreds of thousands of hours (read: PEOPLE-LIFE-EQUIVALENTS) that will be spent agonizing over and fixing this.
Whoever that person is, they are human filth. But, there's a lot of human filth out there. The sad thing is that this person obviously has potential to do so much more but simply pisses it away instead. Pathetic.
Isn't this just another incarnation of the Smitfraud extortion by the nice New Zealand company SpyAxe?
The tool to remove that crapware is called smitrem, available here: http://noahdfear.geekstogo.com/
Oh well, what the hell...
People actually use that image file format? I've never used that file format in my life (and never even heard of it before), so no exploits for me! :-D
From F-secure's blog:
Repton.
They say that only an experienced wizard can do the tengu shuffle.
Once again, as noted previously here and here:
10) find big remote vulnerability in product
20) perfect the exploit
30) have fun with it for months
40) find another big hole in same product
50) perfect exploit for hole
60) alert vendor about original hole
70) have fun with new hole
80) goto 40
No, you just have to visit a porn site with Internet Exploder to get automatically infected by this worm. It doesn't require any user action, apart from clicking links in normal browsing.
If you are using Firefox, then what you say is true, since FF requires the user to confirm that he really wants to run the malicious program, so the user actually has to click a confirmation button. The infection is not automatic on FF.
Oh well, what the hell...
Coincidentally I was browsing an ad-heavy lyrics site in another tab (Firefox, of course) and was prompted for an action to handle "track5.wmf" ... Geez, they don't waste any time, do they?
http://www.dslreports.com/speak/print/default;15121004
There's an excerpt of our chat in that post too.
[Fuck Beta]
o0t!
Say it isn't so!! (Score:1, Redundant) by Foofoobar (318279) on Wednesday December 28, @07:56PM (#14355427): "Windows Exploit? Isn't that redundant?"
Wow...sometimes, Slashdot ratings really DO match the content in posts!
Isn't modding a post about the redundancy of windows exploits as redundant in itself also redundant?
% mkdir
% ls -dF
woo, I am sooo scolded, chastised, shamed, and abashed. I shall now crawl under a rock and die, as you so wisely suggested. Thank you thank you, o wise whoever, for pointing out the error of my ways! I'm a better person for it, even though I'm dead. You may have my dead carcass for making tasty stews, I'm a bit tough for steaks and roasts. BTW, anyone who defends Microsoft's security record is so not credible. But nice try! Hopefully you're getting paid to be that wrong!
we will end no whine before its time
Internet Storm Center Coverage - Alert moved to yellow as of this morning. http://isc.sans.org/diary.php?rss&storyid=975
Also, take a look at this movie from websense: http://www.websensesecuritylabs.com/images/alerts/wmf-movie.wmv - it shows step-by-step what happens to a clean machine as it gets exploited by this new menace.
Horns are really just a broken halo.
Users of PivX PreEmpt (formerly called Qwik-fix) have been protected against WMF vulnerabilities since December 7th. PivX is the company which maintained the infamous 'still unpatched IE vulnerabilities' webpage a few years ago.
Please indicate a recent worm on an FOSS operating system.
Comparing it to Windows will be a moot point, since El Dorado is going to have a 40% larger code base than XP.
There is an exposed method in the .dll that has gone unnoticed for years:
ExploitCodeRunningLose()
It has been confounded with a private method,
ExploitCodeRunningLoose()
Lesson: coders should lern2spel.
Umm, numbnutz, there is no patch there. Just an advisory.
Hey, I typed "regsvr32 /u shimgvw.dll" in the terminal, and I got "tcsh: regsvr32: Command not found." Does this mean I was racked or hooted?
It's not offtopic, dumbass. It's orthogonal.
""Kye-U also has released a filter for proxomitron that will block wmf file downloads[....]"
Careful, The folks at the Internet Storm Center are warning that Windows often ignores the file extension and reads the 'magic bits' at the beginning of the file to decide how to process it. This means that someone could rename a .wmf to .jpg, for example, in order to get it past that filter.
The best workaround currently available is to un-register the shimgvw.dll as suggested above.
Crumb's Corollary: Never bring a knife to a bun fight.
There were, in some older file formats, methods for running programs so that images could be overlaid with other images (as in schematics). If I remember correctly AutoCAD and some of the other CAD type files used to use this to link various files into a given file (like layers on diagrams). Some file formats (one of the GE file formats - can't remember the name right now) actually had such things as the capability to send e-mail built into the specs. Many of these "gotcha" things have been removed from the file formats now and others were dropped either due to concerns over viruses or just because they were a flash-in-the-pan kind of thing that never caught on.
:-/
Like the other poster though - this has nothing to do with an overflow problems. Which, if I remember correctly, first started showing up (for me) with TCP/IP stack overflows and PING of death kinds of things. Not that viruses were not around before this (I remember an IBM PC XT having a list of something like fifty viruses), but the first viruses I actually ran into had to do with the TCP/IP stack overflows and PINGs of death (another type of buffer overflow problem).
But to answer your question - some older file formats for graphics actually had commands in there to execute other programs. Sort of a "Look! You can have this graphics start this other graphic" and so on. You give it the command and the path to that command and it tries to execute it. So long as the program is just on your system there isn't a lot of problems with this. When the program resides on another computer somewhere on the internet and when a company integrates the capability to execute programs anywhere on the net (for whatever reason they may want to state), then it becomes bad news. Because you basically are giving control of your system to the other person.
My big question is - why are they even bothering to ask you for credit card information? Why not first do a scan to see if you have this information already on your hard drive and then just suck the info over the net to their site? I guess that maybe they've already done the search thing, but it doesn't seem (from those reporting in) that a search was already done. It looks more like they just tried to make it seem like you had to pay them to get rid of the virus activity. Maybe they think people really are that stupid.
Someone put a black hole in my pocket and now I'm broke.
You must be new around here...
"hey look at me, I can hurl weak insults anonymously"
Dork.
The Christian Right is Neither (Christian nor right). See: Matthew 23, Matthew 25, Ezekiel 16:48-50
And break a whole bunch of other stuff in the process!
Small price to pay for security. I'd rather give up thumbnails (they slow down explorer anyway) and avoid being r00ted by the latest internet worm.
"Your argument basically is that:"
Sounds reasonable, except that the threshold should be measurable. This is relatively easily achieved, even in very complex applications, if responsible coding practices and code management are used. I refuse to work for companies that do less than that, and avoid recommending any software that wasn't developed using that method. Which, of course, is why I've only supported *nix servers from about 1999 onwards.
I don't want to put words in the GP's mouth (it's unsanitary), but IMO software should be warrantable just like any number of other products. There is a de facto expectation of suitability to use, EULAs notwithstanding, and it only remains for law to catch up to consumer expectations.
My preference would be to see financial liability for software vendors measured as a proportion of the sale price, except in cases where software failure directly caused death, disability or significant loss of property.
"In other words, you have just basically killed off free (both as in beer and as in speech) software as we know it."
Not at all. Under the model I've described above, only those companies who package and sell the software would be responsible for maintaining a certain degree of quality. Hackers in the FOSS community would not be directly liable for releasing a no-cost application, unless it actually kills people, which is somewhat unlikely. 8^)
I think that decent software quality is achievable. I've seen it done. One company I worked for not so long ago ran a network operations centre whose management software had a six week development cycle. Two weeks of design, followed by two weeks of development, followed by two weeks of testing.
This had a very salutary effect on code quality, not the least of which was that stupid errors (e.g. syntax mistakes, border conditions, fencepost errors etc.) never saw the light of day. But the biggest benefit was that the cost of failure was low. We deliberately worked in small increments for this very reason. Even if a new feature turned out to be a steaming pile, we'd typically find out before release. But even if we didn't, the cost of rolling back was very low.
Now, I realise that this particular model doesn't apply directly to a number of areas, not the least of which are desktop client applications. But consider that if this incremental development approach were used internally (i.e. without constant public releases), the same practices could be used. This is only one example, though, of the many ways in which code quality can be improved without undue effort or expense.
One key to ensuring quality is frequent review and auditability of the code. This of course puts developers of proprietary applications at a bit of a deficit, but heck, them's the breaks. 8^)
Crumb's Corollary: Never bring a knife to a bun fight.
This workaround broke thumbnail view for me in explorer, but it's no big deal, thumbnail view looks pretty but it slows down explorer. At least you have a choice -- being r00ted by some new worm or lose one little eyecandy feature.
This thing is nasty! I was browsing the internet this afternoon and got it. I have a fully patched copy of Windows XP SP2 with Symantec Antivirus Corporate 9.0. Neither stopped it. I spent about 6 hours running virus scans, Ad-Aware, and Spy-Bot in safe mode. This didn't even come close to detecting everything. I had to manually remove files based on searches by creation date. Interestingly, none of the three tools picked up any of the DLLs mentioned in the next paragraph.
I traced it to an ad within an ad within an ad that sources a WMF file in an iframe. If you want to see this thing in action then use VMWare to load the following link: h**p://iframeurl.biz/dl/xpladv470.wmf. After all is said and done, you'll have trojan.byteverify, trojan.dropper, trojan.bookmarker, download.trojan, w32.conycspa.G@mm, backdoor.shellbot, backdoor.trojan, w32.looksky.A@mm, among others. I also had some new DLLs that were particularly hard to get rid of - msupdate32.dll, msctl32.dll, uytpu.dll, qrlmq.dll - all in the system32 directory.
This has actually never happened to me. I am religious about keeping Windows and my antivirus software up-to-date. It was a good learning experience to see it all in action.
And, by the way, I was not browsing for porn. I was doing a google search for an old Macintosh program named Cache Killer. One of the links listed was "Download Cache Killer Pro v5.0 crack / keygen / serial / patch ...". I clicked on this and ... WHAM! Here's the Google search - http://www.google.com/search?q=cache+killer&hl=en&lr=&start=0&sa=N. It's the last link on the page - h**p://www.crackz.ws/down/25335/Cache.Killer.Pro.v5.0_crack_serial_keygen.html. This is the page that contains the ad within an ad within an ad. Beware!!!
See http://www.microsoft.com/technet/security/advisory/912840.mspx for all the goodness that can only come from MS. It just gives the same info given other places but is done in an official capacity.
Neither. You are just one of the .00001% of /. posters that don't run Windows.
A few people on this thread don't seem to be familiar with the WMF format or GDI. This format provides for a set of commands which are supposed to be graphics only. (I guess they got carried away in this case.) As the viewer is basically a scripting engine, the exploiters would certainly try to target it for vulnerabilities. I don't have a copy of the dangerous file, so I don't know whether this particular exploit is a buffer overflow or something else.
.. paranoid crackpot leftover from the days of Amiga.
... let this one loose. It is a problem with windows, and it was disclosed by a responsible hacker. If you want to protect the general population still using MS software, this is the only option. Microsoft isn't about to make a secure platform on their own, so until the next big mistake hits the news they wont do anything about it.
If anything, we need earlier reporting so the public can realize just how little microsoft cares about security.
"And we have seen and do testify that the Father sent the Son to be the Savior of the World"
1 John 4:14
3 things about computers: they're alive, they're self-aware, and they hate your guts.
Not sure about the "you are going to get infected if you are browsing porn sites"... if an attacker is already performing an arp spoofing attack he can easily redirect (dnsspoof) any web traffic to a web site under his control, so under this scenario any vulnerable explorer browser may get exploited regardless of the site it is visiting (it could be CNN's, whitehouse.gov, etc.)...
The fact is, the impression that slashdot is anti-MS and pro-linux is wrong. We just like to know about vulnerabilities in an operating system that 90% of computer users have installed on their systems, and utilize every day. Not many people care about vulnerabilities in gqview for gnome (to take a random app for example). There are just so many apps that are not core to the system. Now, if there was a vulnerability in PHP or Apache that had an exploit in the wild, then that would make the news I'm sure.
Honestly, I think someone should go through all the windows vulnerability stories and count the number of anti-ms, pro-ms, and the smart people posts (i.e., those who realize that simply bashing an OS because of a discovered security flaw is silly, because all Operating Systems have flaws). In the end I think you would see that the majority of people on slashdot do not see Microsoft Windows as the Ultimate Evil. I could be wrong of course. I'm not exactly an authority on the subject. I haven't gone through counting the number of posts.
BTW where on slashdot does it say it's geared towards linux users?
Hell, bring it on. I opened my own shop about 4 months ago and can clean most anything off a machine. It's 95% of my business so far and I'm tired of being poor. This week alone I've cleaned 8 xp home boxes all still sp1 with no antispy or antivirus still running. Only one of the machines needed parts. It had a winlogon popup running that killed windows update and automatic update (senslogn key was missing). I think the real problem with the current state of affairs is not that the exploits are produced and released but that microsoft builds too fast and too often. They need to can vista and put more R&D into fast fixes. If they want discreet disclosure of exploits they should offer $$ for it. Just tell them and get a check :)..... nah, never happen, they will just build the new big security hole called an OS.
because nobody bothers other than few /.ers to use Foss anyway.
95% of desktops run Windows, 3.5% OSX and the rest may be 100s of flavours of *nix. So why would anyone bother to write any exploit for them?
I hear Windows Vista is going to fix all of these previously unknown problems...stay tuned for the exciting conclusion in 2006.
He who knows best knows how little he knows. - Thomas Jefferson
For a second - just for a second - I thought this might be an extremely clever play on words, making fun both of Windows ("Win") by referring to it as "Lose" (as the exploit code would be running on Windows and controlling it, so you could (in a slightly ungrammatical way, but whatever) say the code is running Win, or indeed Lose) and combining this with a witty rejoinder at all the individuals who write "lose" instead of "loose" (and vice versa), emphasising what losers they are.
Then I remembered that this is Slashdot.
Sigh.
Was Thor Larholm ever associated with this company? As my memory recalls, he had an extensive list of his own, and I'm thinking maybe they are one and the same.
If an officer ever threatens to taze you, say you have a pacemaker.
Anyone know if you can get hit with this if you are running a limited user account?
I clicked on the link and was prompted by firefox if I wanted to open the file in xine or save it to disk. What should I do? If I open it in xine, will crossover office install the malicious code and then I will be infected by M$ sploits? I'm at a loss. Should I open it in xine or save it to my home directory and view it later?
Sure, though I would like to think that whoever is running the DNS for the Federal Gov or AOL, would be reputable and won't spoof things and try to infect visitors. Therefore, one would usually only pick up fluff from sites of ill repute.
Oh well, what the hell...
And was the code 100% bug free all the time ?
To err is human To err always is MicroSoft...
Confirming what Herman states above.
A user on my network got this thing about two months ago. It's been around a little while.
(Spyware Sherriff installed, keylogger, IRC bot and swears up and down didn't do anything but visit a web page.)
Had to format the machine. At least it was ready for it.... but damn!
Porn sites != "sites of ill repute", necessarily.
Warez sites are more of ill repute, and are the cause of most virus infection.
-- "I never gave these stories much credence." - HAL 9000
Doesn't he mean Windows Explorer rather then Internet Explorer?
The Windows file manager is the same thing as Internet Explorer, and Control Panel for that matter. Don't believe me? Change the path sometime... load up "http://www.google.com", then change the address to "C:\" or "Control Panel". Or conversely, open the control panel from the Start menu, then change the address from "Control Panel" to your URL of choice.
This kind of works with the file manager in IRIX 6.3+, although its HTML engine is very outdated. Open up any file manager window and change the path to a URL, such as "http://www.google.com"! Neat stuff back in 1996...
Silly rabbit, don't you know that pirated warez sites is much more dangerous than browsing porn sites? This'll learn ya!!
-- "I never gave these stories much credence." - HAL 9000
This workaround makes one unable to view thumbnails when you're uploading images.
The /. threads themselves regarding MS have gotten less biased over the past year, but until /. stops using the Borg icon for Microsoft stories and broken stained glass for Windows stories, /. has no credibility regarding Microsoft stories. Every other topic has a neutral icon without editorial spin.
-- "I never gave these stories much credence." - HAL 9000
Installing that patch took almost an hour, and when my computer restarted the internet is missing from the desktop! And I can't find bonzi buddy anywhere, I think my Windows got formatted!
Er... wait, where is the surprise in this?
It's not even a patch, but an advisory! Furthermore, Microsoft's "advice" is to "keep your antivirus software up-to-date, and download Microsoft's AntiSpyware Beta"
Great. An <duh>obvious</duh> recommendation, and an invitation to load more junk (beta!) Microsoft ware.
My big question is - why are they even bothering to ask you for credit card information? Why not first do a scan to see if you have this information already on your hard drive and then just suck the info over the net to their site? wtf?
"Our interests are to see if we can't scale it up to something more exciting," he said.
Because it is us Linux advocates who get called in to fix all the Windoze machines. Fixing MS Crapware is actually a major part of my revenue...
Oh well, what the hell...
Well actually, there are many times more Linux machines in the world than Windows machines. Windows only dominates the desktops. Linux dominates servers, routers, cell phones and so on. Last I saw, IBM Marketing estimated that there are more than 2 billion Linux systems in the world (mostly cell phones).
Oh well, what the hell...
Nah, doesn't work in CxOffice. SpyAxe won't work in CxOffice either. I even downloaded the program and ran the installer and it just sat there. We should complain to http://www.spyaxe.com/ since they are discriminating against Linux users.
Oh well, what the hell...
WMV = Windows Media Video
WMF = Windows Metafile
They are not the same format. Which is not to say that there may not be vulnerabilities in WMV.
Vista:XPSP2::ME:98SE
Linux just isn't ready for the desktop yet, since these programs are obviously an essential part of the Windows experience and they just won't run on Linux.
Oh well, what the hell...
Maybe they think people really are that stupid. :-/
Well, in many cases, yes, people really are that stupid.
--guru
http://www.websensesecuritylabs.com/ is a reputable security provider that I have personally done business with as Director of Vendor Relations at SANS. I did not post that URL lightly.
Horns are really just a broken halo.
Ok, to calm your nerves, here is the screenshot version: http://www.websensesecuritylabs.com/alerts/alert.php?AlertID=385
Horns are really just a broken halo.
Vista:XPSP2::ME:98SE
http://www.microsoft.com/technet/security/advisory/912840.mspx
"Microsoft encourages users to exercise caution when they open e-mail and links in e-mail from untrusted sources."
well... not really helpful, but when MS has a patch, it should be linked on this page
Problem is, that patch breaks more of my programs and utilities I like to use than Windows XP SP2 did. How can I fix this? Someone told me I needed Wine, but I fail to see how getting drunk will solve anything!
bugger, I wish I'd read /. before browsing porno this afternoon.
despite it saying you must agree to something, my XP SP2 laptop got hit by this this afternoon - no 'downloads', just happened to browse to a porno page that wanted to auto-start a download of:
http://85.255.115.171/bt/7/wmf/wmf_dcode.wmf
I clicked no, I didn't want to run or save the file... but a few minutes later, up came the spyware. First time this box has been infected. This was on Mozilla 1.7.12
Is that all the hackers you can come up with?
Friend of mine sent me a link to some topless video of whatever movie star he thought was hot. Being only mildly retarded but not completely so I fired up Firefox and disabled Javascript before I opened the link. I was asked by Firefox if I wanted to open or save a file called "xxxxxx.wmf" and I canceled the operation at that point.
Score one for Firefox.
According to the article, Google desktop was partly responsible for executing the code - even when the file is being downloaded without IE.
This means that you firefox users are also vulnerable (and what user does Google desktop run as ?)
Whatever is said in Latin sounds profound.
I want to confirm on all systems at work that the WMF viewer has been unregistered with "regsvr32 /u shimgvw.dll". This command modifies the registry in some way to disable the .dll.
Would anyone know what specific registry key is changed? I can easily check registry settings on all the work machines, and I'd like to to make sure that the fix above worked for each system.
Thanks in advance.
Everyone is entitled to his own opinions, but not his own facts.
The WMF format is simply a stream of GDI commands. GDI (Graphics Device Interface) is the Windows API and abstraction layer for graphics, allowing the same set of drawing functions to be targeted at a variety of different "device contexts" such as printers and the screen.
A WMF file is (traditionally) created by obtaining a device context on a file and drawing to it using the GDI API functions, which "records" the sequence of commands to disk ready to be replayed later to recreate the image. These days, of course, there are libraries and applications which read and write WMF files directly, such as libwmf. There's little practical use for this format outside of Windows development, however.
There's a second format called "Enhanced Metafile" (EMF) which is a newer, 32-bit version of the WMF format introduced with the 32-bit Windows API.
Since the vulnerability is apparently in GDI32.DLL, I'd guess that every version of Windows going back to Windows 95 is vulnerable, since metafiles have been around since Windows 3 (I think?) and GDI32.DLL was introduced with the 32-bit Windows API.
Oh and those wonderful windows exploits, works, spyware, wild tangent, trojan horses, worms and blue screens. And then, linux. What I never thought I could afford happened. I had a unix at home. It looked just like the real thing. Root easily accessible from your user account to make it workable to split your accounts. Didn't you hate it when in windows if you wanted to install any software no matter how trivial you had to logout and login as admin to do it and the only way to get some work done was to always get admin privileges on every machine?
Nowadays when someone gives me the root password on a unix like machine I always demand a pay raise. It probably means they expect me to fix it in the weekend.
Thank you MS for making me stick with linux. The energy bill had me contemplating scrapping my dual P3 linux desktop and only keeping my P4 gaming rig. Windows 2003 is actually pretty stable, now all they got to do is clear the goddamn fucking security holes.
Geez, just a few articles ago people were actually talking about how MS was changing and bam we get the mother of all exploits. The only thing worse would be a worm. This is so easily exploitable. Just make an account on a forum that allows those awful avatar images and bam.
I can't believe the slashdot reader reaction either, first bunch of posts are some insane ramblings about hackers/crackers and the rest have some insane fix that even the most moronic idiot can see is a total failure.
Yes fucktards who suggest that whole unregister crap, because of the way MS has setup its OS many a windows program comes with its own copy of the dll it uses EVEN if it is a copy of a Windows OS dll. To avoid versioning problems it is easier to include it then hope the user OS has the right version.
Do a dupe check your dll's in the main windows directories and where you install your programs some times. What do you think the chances are they will all be patched? It is a well known problem and in fact one of the reasons the whole dynamic linking idea was so attractive.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
Will Adblocking *.wmf stop a malicious site from infecting me?
Like you I was surfing around this morning and I got nailed by it. I went to open a page, and suddenly 'Windows picture and fax viewer' popped up blank for about a quarter second, and went away. I am on my friends computer (because he leaves it at my house, and it is faster than mine), and luckily I installed spyware doctor a few hours earlier. It went nuts. I had about 400 attacks within 30 seconds, and it blocked all but the spysherrif. I ran an antivirus scan and got it all off before it could finish doing anything, so I barely saved it. That was some scary sh*t though.
But clearly you have something better to say...
As a Linux user, I do worry that Linux distro's could end up as bad as windows in say 10/15 years time. I realise that as linux users we do things differently, like run regular user accounts etc. bla, bla, bla; but it would be interesting to find out how the FOSS development community take into account the potential threat of a community of crackers targeting unix systems.....mmmmmmmm......
lets see here this will take M$ about 2 weeks to fix AFTER half their users become affected by it
(yes i know i suck at spelling, feel free to correct my grammar and/or spelling, i dont care, im still not going to change)
the flaw is not critical since no-one actually uses WMF
Unless a site trojans your computer by getting an inexperienced user to confuse WMF ("Windows Media File"?) with WMV.
Movie? Read up on Windows Meta Files, it's static images.
Inexperienced users are the target of such attacks, and they're not likely to have "read up". It's like those trojans that prey on people who think command.com is the domain of a web site.
http://linux.slashdot.org/article.pl?sid=05/11/08/140203&tid=220&tid=106
I'm no Microsoft fan, but Linux and Unix boxen aren't invulnerable.
Beating the rogue access point (AP) dead horse a bit here, and spelling it out for those who don't "get it".
Badguy creates hostile "website" with Windows exploit. Badguy goes to local airport terminal or Starbucks and pretends to be a legitimate wireless hotspot using Airsnarf or similar rogue AP utility. Badguy FORCES any user who joins wireless network to browse the hostile website that has the Windows exploit. User gets owned. Lather, rinse, repeat.
You can do this to your neighbor, too, if they have an open access point. FYI.
The point is that it does NOT require coincidental surfing of hostile websites to gather and exploit targets with a Windows 0-day these days. The rich and elite road warriors carrying all their financial and corporate data with them are prime targets. Attackers with rogue AP setups can make easy money from hotspot users by FORCING them to browse a hostile "website" with a rogue AP "splash page".
Particularly vulnerable, are hotspot users that have the Windows operating system installed and use IE as their default browser.
Sincerely,
Beetle
I may be a bit paranoid but I'd like to turn off images and video for a few days until this ".wmf" issue is resolved.
(link fragment, rest of the URL lost in extraction: ...attack-zero-day-windows ... dows-Metafile/story.xhtml?story_id=131004IKPNAU)
".wma" and ".wmv" file extensions seem closer to the ".wmf" extension than ".jpg" or ".tif" extensions, so they may also be loaded by programs that open ".wmf" files only to read the internal label and execute the malicious code.
I unchecked the box called "load images" in Firefox, but animated web sites still come up. So I reinstalled Firefox (also deleting the directory) to try to return to Firefox's original default settings, but my settings were still active. Apparently, Firefox saves personal settings in the registry even after it is uninstalled.
Security web sites seem to be of little help:
Secunia, Kaspersky strongly caution against opening any untrusted *.wmf files
http://secunia.com/advisories/18255/
http://www.viruslist.com/en/alerts?alertid=176701
VNUNet.com says Firefox will first ask the user before opening the file.
http://www.vnunet.com/vnunet/news/2147909/hackers
Pete Lindstrom, research director for Spire Security LLC, said,
"There's no such thing as 'extremely critical' when user interaction is required. [...] That's just silly."
Lisa Vaas of eweek.com says "Google had no immediate comment. To avoid the problem, security experts suggest disabling the feature's indexing of media files, or to remove Google Desktop altogether."
http://www.eweek.com/article2/0,1895,1906177,00.a
Jay Wrolstad at CIO-Today says, "Current exploits use the Windows Picture and Fax Viewer to attack any application that can handle Windows Metafiles. Disabling the Windows Picture and Fax Viewer will not eliminate the risk as the flaw exists in the Windows Graphical Device Interface library".
http://www.cio-today.com/news/Flaw-Detected-in-Wi
Alex Eckelberry, president of Sunbelt Software.
"There is no user interaction required," he wrote in an e-mail exchange. "You hit the Web site, you get hit immediately. No prompts, nothing."
http://www.eweek.com/article2/0,1895,1906489,00.a
Yeah, the usual. They won't say. This one is high profile, so they will move quickly. That won't save you from the other exploits that have been around for years. This one reaches back to Windoze 98, eight years of exploits!
Friends don't help friends install M$ junk.
To test this I emailed an ".rtf" file to myself and the ".wmf" (dragged and dropped via wordpad) was carried within it.
Then why bite the hand that feeds? Enjoy your pay/flaws. Welcome to the first ever noted form of job security in the IT industry.
Google Desktop runs as SYSTEM.
;)
If you get infected because IE tried to view the file, then the exploit runs as you.
If you get infected because you saved/cached the file, and Google Desktop decides to index it, then the exploit runs as SYSTEM.
That's how I understand it after reading these threads, but I could be wrong..
(VIVA LA MAC! -- Virus-free since 2003!)
Everyone is entitled to his own opinions, but not his own facts.
Tiffany Felicienne
Recruiting SW Developers & Linux Admins for MobiTV, Inc.
tfelicienne at mobitv dot com
Partially correct - it's the call to SHIMGVW.DLL which handles the display functionality for the .WMF file. This is bundled with Windows and has been since 16-bit days, IIRC. Although it's not integral to the system and can be disabled (look at earlier articles for using regsvr -u to disable the functionality) it is considered part of the OS in a vanilla install of Windows. It is considered a system process in the same way that gdi is.
As I understand it, any attempt to read an affected .wmf that results in a call to shimgvw.dll will expose a machine to the risk of compromise; this includes google desktop on a Windows box.
Any attached gmail files with the ".txt" extension can not be safely opened to notepad directly from the Firefox browser.
This is probably about as in depth as I care to research or discuss this ".wmf" problem for now.
The holes are leaking all over the place.
The problem with the WMF (Windows Metafile) file format turns out to be one of those careless things Microsoft did years ago with little or no consideration for the security consequences.
Almost all exploits you read about are buffer overflows of some kind, but not this one. WMF files are allowed to register a callback function, meaning that they are allowed to execute code, and this is what is being exploited in the WMF bug.
I find this mind-boggling to the point of absurdity. Regardless of any supposed benefit gained by this, allowing a data file to execute arbitrary code upon it being viewed is simply begging for an exploit like this. No matter what spin Microsoft will try to put on this one, it makes them look bad. Extremely bad.
I hear there's rumors on the Slashdots
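An added example, not from any post in this thread: the two posts above describe WMF as a recorded stream of GDI records and say the bug is a "callback" the file can register. The record in question is META_ESCAPE (function 0x0626) carrying escape number 9, SETABORTPROC; when GDI plays such a record it installs the record's own bytes as the abort procedure, and a later playback error (exploit files were often deliberately truncated) calls it. The scanner below walks the record stream, tolerates a placeable header and truncated records, and reports every SETABORTPROC escape. The sample files and the 0xCC filler "payload" are constructed here for the test and are not real exploit content.

```python
"""
Minimal WMF record walker that flags META_ESCAPE/SETABORTPROC records,
the mechanism behind the 2005 WMF zero-day (MS06-001).  Added example,
not code from the thread or from Microsoft.
"""
import struct

PLACEABLE_KEY = 0x9AC6CDD7          # Aldus placeable header magic
PLACEABLE_HEADER_LEN = 22
STANDARD_HEADER_LEN = 18            # METAHEADER is 9 WORDs
META_EOF = 0x0000
META_ESCAPE = 0x0626
ESC_SETABORTPROC = 0x0009           # the escape that installs a callback


def parse_records(data: bytes):
    """Yield (offset, function, params) for each WMF record.

    Stops at META_EOF, a nonsensical record size, or end of input.  A
    truncated final record yields short params instead of raising, because
    malformed files are exactly what the exploit relied on.
    """
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = PLACEABLE_HEADER_LEN
    if len(data) < off + STANDARD_HEADER_LEN:
        raise ValueError("too short for a WMF header")
    mt_type, hdr_words, _version = struct.unpack_from("<HHH", data, off)
    if mt_type not in (1, 2) or hdr_words != 9:
        raise ValueError("not a WMF standard header")
    off += STANDARD_HEADER_LEN
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)   # size is in WORDs
        if func == META_EOF or size_words < 3:
            break
        size = size_words * 2
        yield off, func, data[off + 6: off + size]
        off += size


def find_abort_proc_records(data: bytes):
    """Return [(record_offset, declared_byte_count, payload_bytes)] for every
    META_ESCAPE record whose escape function is SETABORTPROC."""
    hits = []
    for off, func, params in parse_records(data):
        if func != META_ESCAPE or len(params) < 4:
            continue
        esc_func, byte_count = struct.unpack_from("<HH", params, 0)
        if esc_func == ESC_SETABORTPROC:
            hits.append((off, byte_count, params[4:]))
    return hits


def is_suspicious_wmf(data: bytes) -> bool:
    """True if the bytes parse as WMF and contain a SETABORTPROC escape."""
    try:
        return bool(find_abort_proc_records(data))
    except ValueError:
        return False


# ---- constructed sample files (test fixtures, not real exploit data) ----

def build_record(func: int, params: bytes) -> bytes:
    if len(params) % 2:                     # records are WORD aligned
        params += b"\x00"
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def build_sample(escape_func: int, payload: bytes, placeable: bool = False) -> bytes:
    esc_params = struct.pack("<HH", escape_func, len(payload)) + payload
    body = build_record(META_ESCAPE, esc_params) + build_record(META_EOF, b"")
    # mtType=1 (memory), mtHeaderSize=9, mtVersion=0x300, mtSize in WORDs
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300,
                         (STANDARD_HEADER_LEN + len(body)) // 2, 0, 0, 0)
    out = header + body
    if placeable:
        out = struct.pack("<IHhhhhHIH", PLACEABLE_KEY, 0, 0, 0, 100, 100,
                          96, 0, 0) + out
    return out


BENIGN_SAMPLE = build_sample(0x0001, b"")                       # ESC NEWFRAME, harmless
MALICIOUS_SAMPLE = build_sample(ESC_SETABORTPROC, b"\xcc" * 8)  # 0xCC filler, not shellcode
PLACEABLE_MALICIOUS_SAMPLE = build_sample(ESC_SETABORTPROC, b"\xcc" * 8, placeable=True)

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_SAMPLE), ("malicious", MALICIOUS_SAMPLE),
                       ("placeable", PLACEABLE_MALICIOUS_SAMPLE)):
        print(name, find_abort_proc_records(blob))
```

A file is only flagged when the escape number is 9; ordinary META_ESCAPE records (printer escapes like NEWFRAME) pass, so the check is narrow enough to run over a proxy cache or mail gateway without flagging every metafile. Because the walker keeps going over a truncated last record, a file chopped off right after the SETABORTPROC escape is still reported, which matters since that truncation is what made GDI invoke the abort procedure.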
P.S.: there are a little bit more Linux users than OS X users... Definitely in Europe and globally probably too: http://www.w3schools.com/browsers/browsers_stats.asp
There are kits for building payloads for this exploit all over the Net.
There's a third party patch that tries to block the exploit.
Any Gray Hats out there interested in creating a variant that patches the vulnerability????
"Live Free or Die." Don't like it? Then keep out of the USA
OK, i really misunderstood what you were saying. I thought you were talking about some company's legitimate web app or something. Sorry.
"Our interests are to see if we can't scale it up to something more exciting," he said.