Windows XP Flaw 'Extremely Serious'
scottott wrote to mention a Washington Post article with the news that the security hole we mentioned on Wednesday has widened. Computers can now be infected just by visiting infected web sites, or looking at images in the preview panel of older versions of Outlook. From the article: "At first, the vulnerability was exploited by just a few dozen Web sites. Programming code embedded in these pages would install a program that warned victims their machines were infested with spyware, then prompted them to pay $40 to remove the supposed pests. Since then, however, hundreds of sites have begun using the flaw to install a broad range of malicious software. SANS has received several reports of attackers blasting out spam e-mails containing links that lead to malicious sites exploiting the new flaw, Ullrich said."
"Mac and Linux computer users are not at risk with this attack, even if their computers run Microsoft programs such as Office or the Internet Explorer Web browser."
Amazing!
Guys, you keep posting that same story about a serious security flaw in Windows.
If you use Windows, go get the vmware browser appliance and use it - connecting to the internet through a virtual machine is like wearing gloves in the OR - it's just common sense.
http://www.vmware.com/vmtn/vm/browserapp.html
Using plain ol' text since 1968
until a patch is released.
IAAL
When is a Windows flaw ever not extremely serious?
Would someone tell me if the "just by visiting an infected site" link, is a link to an infected site, or an article about the infected sites?
Start-->Run-->regsvr32 /u shimgvw.dll
You lose thumbnail view, and a few other (minor) built-in-Windows-picture-viewing tools break, but you use IrfanView anyway, don't you?
I dub thee... Sir Phobos, Knight of Mars, Beater of Ass.
Another day, another flaw! Just another happy day in "paradise"! Call me when you wake up and smell the OSX/*nix brewing....
Attention: Common-sense and forethought have been retired from service, due to lack of demand. Thank you.
I needed a bit of underground info (CD key) and went to the best site for that and without thinking I used IE -- couldn't have shut my browser down fast enough.
Spent the next few hours removing all the junk that installed, I was lucky no rootkits were installed.
Get another browser, such as Opera or Firefox.
Opera Watch - An Opera browser blog.
Have you been touched by his noodly appendage?
It's a good thing most savvy Windows users know not to ever visit web site links they don't trust. Hey look - it's a web site about goats! Neat!
Sorry, it is a tradition.
You don't have to be smart to use a Mac, you just have to be smart enough to buy one
Just "avoid visiting unfamiliar Web sites" was supposed to be bolded. D'oh.
TFA says "...Windows users who eschew Internet Explorer in favor of alternative Web browsers, such as older versions of Firefox and Opera, can still get their PCs infected if they agree to download a file from a site taking advantage of the flaw."
So is it IE or Windows that is home to the vulnerability?
Question everything
...is brought to you by http://update.microsoft.com/
Programming code embedded in these pages would install a program that warned victims their machines were infested with spyware, then prompted them to pay $40 to remove the supposed pests.
Where do you send the money? And they aren't afraid of getting caught?
He who knows best knows how little he knows. - Thomas Jefferson
scottott wrote to mention a Washington Post article with the news that the security hole we mentioned on Wednesday has widened. Computers can now be infected just by visiting infected web sites, or looking at images in the preview panel of older versions of Outlook.
There are two major factual errors here. One, the security hole has not "widened" - the scope of exposure is exactly what we read about Wednesday. Using shimgvw.dll to view a specially constructed WMF file results in system compromise (web site viewing of malicious WMF, previewing, opening w/MS picture and fax viewer, etc). The hole is exactly the same - exposure has increased, but the hole has not widened. Two: the web sites are not infected, they are malicious. The system is infected after visiting a malicious web site.
The full (well, as full as it is now) MS advisory is here. I'm not very pleased with how MS is handling this at all, but that does not excuse this shoddy "journalism". How hard is it to state facts correctly? All you had to do was change a few words, and it would have read much more accurately:
scottott wrote to mention a Washington Post article with the news that the security hole we mentioned on Wednesday is now affecting many more users. Computers can now be infected just by visiting malicious web sites, which are now rapidly increasing in number, or looking at images in the preview panel of older versions of Outlook.
For the last sentence, note that I sent myself WMF files with Outlook 2000 and 2003 while running Sysinternals process explorer and never saw shimgvw.dll called. Opening a WMF attachment called it, but not previewing, so there might be three errors, but I didn't test all versions that way, so I don't know...
Those of us who use free operating systems shouldn't be too complacent. This exploit is serious because the WMF rendering library has full access to the user's data, and (at least on a 'home' setup where it's a single-user machine) access to the whole PC.
But it was really just bad luck that the bug happened to be found in the Windows WMF library and not, say, its Unix/X11 equivalent. Or libpng, or zlib, or whatever. Anyone who thinks otherwise is deluded. All software has bugs, and even if the quality of the free libraries is ten times higher (unlikely) there will still be plenty of memory tramplings and buffer overruns.
So, when the next vulnerability is found in a commonly used Unix library, will we be in any better position? Not really. Still the library is linked into the application and runs in the application's address space. It has access to all the files the app does, and traditionally on Unix that means everything the user has access to. Your email application may only need to read ~/.mail_settings and connect via IMAP to some host, but it runs with permission to overwrite any file owned by you and connect on any TCP/IP port it wants.
Why does the WMF rendering code need to run with any more permissions than: read a block of memory with the WMF file, and write a block with the rendered bitmap? (Or perhaps make display / GDI calls, if performance is a concern.)
What support is there in Unix operating systems for running common library code with only the privileges it needs? As far as I know Linux has no simple way to run a dynamically-linked library (.so file) in its own address space or without permitting it to make system calls. So when the next exploit is found in a common Linux library - and it will be found - the situation will be just as embarrassing.
-- Ed Avis ed@membled.com
Come on people!!!
I do tech support for 60+ machines at work...
The one user that refused to use firefox...
called me a week ago. BEGGING. Her computer had started TALKING
(i.e. audio advertisements in english)
The people in the other cubicles were claiming for an EXORCIST for the biatch.
Serious security flaw? Are you on CRACK? Joking, joking. But seriously. If they were forced to make their software OSS (which might actually happen in Europe), they would be pretty much forced to patch their software VERY quickly. They would also have to keep their software up to par and have fewer holes because it is conceivable that OSS means that people are going to be looking for 'sploits.
It's a misfeature of Windows itself. If you surf with ANY browser, you'll get zapped if you surf to a site set up to take advantage of this latest hole.
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
Okay, really, she said Arkanoid, but you get my point.
If all you are doing is browsing the web, there is absolutely no reason to not do it in a sandbox. In fact, I don't get why all browsers don't run in sandboxes. Why do they *ever* need access to the host OS? If they need to save downloaded files, they can do so via a mounted share. At least in a sandbox they cannot execute privileged code, at most they could infect executables on said share.
As another reply noted, you could use SAMBA, but the easiest way for me is to save them to a USB key drive.
http://www.sysinternals.com/utilities/rootkitrevealer.html
I dislike MS as much as anyone else on Slashdot; however, is this a Windows XP flaw or is it just an Internet Explorer/Outlook flaw? Unless I missed it when I read (okay, skimmed) TFA, the article implies that Windows XP is the problem. Looks more to me like it's an IE/Outlook flaw.
I run Firefox and Eudora on XP in addition to Zone Alarm, Ad-Aware, Spybot, and McAfee AV. My wife uses Firefox and Thunderbird. IE is used only on those web sites that require it (which are very, very, very, few) and I uninstall Outlook from every PC. Will I be infected just because I'm running XP? I highly doubt it. I'm not saying that it's impossible, but my doubt factor is nearly maximum. That does not downgrade the severity threat. After all, Firefox, Thunderbird, and Eudora are in a very small minority of Windows users' favorite applications. Believe me, I love to see Microsoft dragged through the mud when possible, but let's at least keep it realistic.
This clearly is a slow news week. The anti-Bush-administration people are making an issue over an NSA web cookie and now we're blaming an entire operating system for application flaws. (I know the whole argument about IE and Outlook being integrated into the operating system, but I still don't see this as an operating system issue if other apps on the same operating system are not vulnerable.)
The Overrated mod is for reversing inappropriate, positive mods, not for voicing disagreement with a post.
Although in my case, I was even dumber... I was surfing with firefox, but the web page that (apparently) had what I needed refused to render, so I grudgingly started up IE, and... well, some of what it downloaded set off Norton, luckily. I was already late getting to bed that night, by the time I cleared out everything (including that irritating "Spyware blocker" ad they put on my desktop & kept re-spawning) I pretty much got no sleep that night. So I finally decided to lock out access to IE on my normal XP login, to protect me from my sleep-deprived self.
If it can be embedded into webpages can't it also be embedded in actual emails? It's true that loads of email apps stop images from being viewed but there are a fair few that don't.
My browser touches all sorts of things in the host OS, from the sound card to files that I upload and download. Luckily when I get AIM spam for foo.exe or some other sillyness I don't get far unless I type 'wine foo.exe', then even then ;-)
The true challenge is how to dial in the security to a reasonable level. Problem is getting all the millions of programmers to adopt more secure standards combined with the users, IT managers, etc.. that deploy the apps on desktops. Then, getting that out across the millions of home users too. Daunting task.
For those who are ranting about FF. Read the article, it says that older versions of Opera and FF are vulnerable too - on Windows of course.
The problem with the WMF (Windows Metafile) file format turns out to be one of those careless things Microsoft did years ago with little or no consideration for the security consequences.
Almost all exploits you read about are buffer overflows of some kind, but not this one. WMF files are allowed to register a callback function, meaning that they are allowed to execute code, and this is what is being exploited in the WMF bug.
I find this mind-boggling to the point of absurdity. Regardless of any supposed benefit gained by this, allowing a data file to execute arbitrary code upon it being viewed is simply begging for an exploit like this. No matter what spin Microsoft will try to put on this one, it makes them look bad. Extremely bad.
I hear there's rumors on the Slashdots
Snort sigs have been available from BleedingSnort for some time now; I pushed them out to our corporate IDS yesterday morning.
(Warning, mangled by Slashcode - remove newlines)
#by mmlange
alert tcp any any -> $HOME_NET any (msg:"BLEEDING-EDGE CURRENT WMF Exploit"; flow:established; content:"|01 00 09 00 00 03 52 1f 00 00 06 00 3d 00 00 00|"; content:"|00 26 06 0f 00 08 00 ff ff ff ff 01 00 00 00 03 00 00 00 00 00|"; reference:url,www.frsirt.com/exploits/20051228.ie_xp_pfv_metafile.pm.php; classtype:attempted-user; sid:2002734; rev:1;)

# By Frank Knobbe, 2005-12-28
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT WMF Escape Record Exploit"; flow:established,from_server; content:"|01 00 09 00 00 03|"; depth:500; content:"|00 00|"; distance:10; within:12; content:"|26 06 09 00|"; within:5000; classtype:attempted-user; reference:url,www.frsirt.com/english/advisories/2005/3086; sid:2002733; rev:1;)
Once again it looks like Microsoft are going to escape the 'perfect exploit' meltdown by the skin of their teeth. This is exploitable remotely, but Dr Evil can't sit at a console typing in arbitrary IP addresses to 0wn with the exploit. On the other hand you can get close to that sort of thing using Metasploit Framework.
"None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
Could someone please elaborate on whether using Firefox browser will help avoid this security hole.
Windows XP Flaw 'Extremely Comical'
No folly is more costly than the folly of intolerant idealism. - Winston Churchill
Let's hope there's something worse than Highly Critical! HOOORAY FOR SLASHDOT. WHAT A GLORIOUS WAY TO END 2005!
PS!
LINUX RULES!(*@(@^ #$
PPS!
I'M GOING TO SPEND NEW YEARS EVE ON IRC IF ANYONE WANTS TO JOIN ME!(@&
And not only does the exploit work with .WMF (Windows MetaFile), but if the attacker renames it to, say, .JPG, Windows will detect this as really being a .WMF, and STILL execute it. Pretty serious stuff. See this bugtraq link for details.
640YB ought to be enough for anybody.
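The three technical points made in this thread (a WMF is a record stream that can carry a META_ESCAPE record whose escape number 9, SETABORTPROC, registers a callback; the second BleedingSnort rule matches that record as the bytes |26 06 09 00|; and Windows recognises a WMF by its header, so renaming it to .jpg does not help) can be seen together in a small record walker. The Python below is an added example written for this page, not code from any poster, from BleedingSnort or from Microsoft. The header and record layouts are the public WMF format; the sample files are constructed inline with a harmless zero-filled escape argument, not a real exploit payload, and the verdict names ("wmf-clean", "wmf-setabortproc", and so on) are this example's own.

```python
import struct

# Layout constants from the public Windows Metafile format.
PLACEABLE_KEY = 0x9AC6CDD7   # key of the 22-byte "placeable" header some files carry
META_EOF = 0x0000
META_SETMAPMODE = 0x0103
META_ESCAPE = 0x0626         # record that hands data to the display/printer driver
ESC_SETABORTPROC = 0x0009    # escape sub-function: register an abort callback


class NotWmf(ValueError):
    pass


class MalformedWmf(ValueError):
    pass


def parse_wmf(data):
    """Walk the records of a WMF byte string.

    Returns (records, has_setabortproc); records is a list of
    (function, escape_number_or_None). The file is identified by header
    content only, never by name, which is why a renamed .jpg is still
    recognised. Raises NotWmf or MalformedWmf.
    """
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22                                    # skip the placeable header
    if len(data) < off + 18:
        raise NotWmf("too short for a WMF header")
    mtype, hdr_words, version = struct.unpack_from("<HHH", data, off)
    if mtype not in (1, 2) or hdr_words != 9 or version not in (0x0100, 0x0300):
        raise NotWmf("header magic does not match a WMF")
    off += hdr_words * 2
    records, has_setabortproc = [], False
    while off + 6 <= len(data):
        rec_words, func = struct.unpack_from("<IH", data, off)   # size is in 16-bit words
        if rec_words < 3 or off + rec_words * 2 > len(data):
            raise MalformedWmf("bad record size at offset %d" % off)
        escape = None
        if func == META_ESCAPE and rec_words >= 4:
            escape = struct.unpack_from("<H", data, off + 6)[0]
            if escape == ESC_SETABORTPROC:
                has_setabortproc = True
        records.append((func, escape))
        if func == META_EOF:
            return records, has_setabortproc
        off += rec_words * 2
    raise MalformedWmf("no META_EOF record")


def scan(data):
    """Verdict on raw bytes; the file name is deliberately not an input."""
    try:
        _, has_setabortproc = parse_wmf(data)
    except NotWmf:
        return "not-wmf"
    except MalformedWmf:
        return "malformed-wmf"
    return "wmf-setabortproc" if has_setabortproc else "wmf-clean"


# --- constructed samples (not real exploit files) ---------------------------

def _record(func, params=b""):
    body = struct.pack("<H", func) + params           # params must be word-aligned
    return struct.pack("<I", (4 + len(body)) // 2) + body


def _wmf(records):
    body = b"".join(records)
    largest = max(len(r) for r in records) // 2
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, largest, 0)
    return header + body


def _placeable_header(dpi=96):
    head = struct.pack("<IH4hHI", PLACEABLE_KEY, 0, 0, 0, 0, 0, dpi, 0)
    checksum = 0
    for (word,) in struct.iter_unpack("<H", head):    # XOR of the first ten words
        checksum ^= word
    return head + struct.pack("<H", checksum)


CLEAN_WMF = _wmf([_record(META_SETMAPMODE, struct.pack("<H", 1)), _record(META_EOF)])
# Escape 9 (SETABORTPROC) with a 4-byte zero argument; the real exploits carry code here.
EVIL_WMF = _wmf([_record(META_ESCAPE, struct.pack("<HH", ESC_SETABORTPROC, 4) + b"\x00" * 4),
                 _record(META_EOF)])
EVIL_PLACEABLE_WMF = _placeable_header() + EVIL_WMF
JPEG_LIKE = b"\xff\xd8\xff\xe0" + b"\x00" * 20       # a JPEG-style header, not a WMF
TRUNCATED_WMF = EVIL_WMF[:-6]                         # EOF record chopped off

if __name__ == "__main__":
    for name, blob in [("clean.wmf", CLEAN_WMF), ("photo.jpg (really WMF)", EVIL_WMF),
                       ("placeable.wmf", EVIL_PLACEABLE_WMF), ("photo.jpg", JPEG_LIKE),
                       ("cut.wmf", TRUNCATED_WMF)]:
        print("%-24s %s" % (name, scan(blob)))
```

The escape record in EVIL_WMF serialises as 07 00 00 00 26 06 09 00 ..., so the same bytes the Snort rule looks for (|26 06 09 00|) fall out of the format itself; a content scanner at a mail or web gateway can key on the parsed record rather than on the extension or MIME type, which is the only thing the renaming trick changes.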
I was just thinking.. I could really use an operating system with serious, critical flaws in, say, a car. Current cars just don't get me from point A to point B well enough.
Maybe someone could make a car with embedded windows? That would be *awesome*!
The theory of relativity doesn't work right in Arkansas.
The CoolWebSearch family of malware has been around forever... one of the major effects of many of the versions is to replace any IE entry of "search.msn.com" or "www.google.com" with "www.coolwebsearch.com", a rather shitty search engine.
yes i know i need to slow down cowboy!
Friends and relatives ask more and more often to help with problems with PCs at home, because "you work in an IT company and know these things". Luckily I can point out that I'm using a Mac, and thus I can't help with virus protection issues or other Windows problems. But nevertheless I get phone calls all the time. Today I had a half-hour discussion with a relative about how having her pc serviced messed up the system.
So they're "blasting out spam e-mails", eh? Well geez, I gotta get me one of them MTAs!
Just like in biological systems, the more diverse a community the less likely a single weakness will cause massive damage.
See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
Hey, at least I admitted to skimming over the article, unlike those who don't even bother to click the link then come out with some major diatribe/lecture just on the summary. (And of course we all know how accurate Slashdot summaries have a tendency of being!)
:P
I'll also do something else very rare on Slashdot: MY BAD! I MISSED THAT PART OF IT! A Slashdot mea culpa! Who would have thought?!
Besides, that doesn't preclude the fact that this is a slow news week so let the conspiracies abound!
How come no-one ever includes a link to an infected site. I'm surfing with Firefox under Linux and I would just like to check out some of the infected sites so I can look at the source to see what they are doing. Links anyone? P.S., windoze users please don't click the link.
Some settling may occur during posting.
Don't bet on Irfanview being immune to the exploit (which has been around, I suspect, for quite a while now, stealthily -- read on.)
A year or two ago, I d'led a porno movie file (wmf? wmv? avi?) from a notorious P2P site, during the time many corrupt and adware-infested files were being distributed. Like you, I thought Irfanview would protect me and went through the stuff deleting adware and such, when my box crashed hard instantly one file was opened.
Rebooting windows through lilo, I found windows had been hosed completely. I couldn't even get to a DOS prompt without a boot diskette. Using linux, I tried to fix the windows side, to no avail. I had to reinstall the entire OS.
My point is Irfanview is not a palliative for this type of exploit.
The problem seems to be that Windows handles these files (WMFs) in the OS.
What other files get interpreted in "Ring 0" by the OS, besides these WMFs?
E.g. I know that ".doc" and ".xls" files don't -- but if they did, a bad spreadsheet would allow an attacker to root the box.
I'm looking for an encyclopedic description of all windows files that are interpreted with highest privilege.
Thanks.
http://www.thebricktestament.com/the_law/when_to_
I for one will be exploiting this flaw in my continued effort to replace windows machines at my clients and another link to the problems of running a stand alone single user OS in the internet world would be appreciated. I've been installing *nix OSes since '98 and I'm still waiting for the day when that vulnerability comes by that can't be handled or there is no patch for.
What's an MCSE worth? Less than half my rate and I have more time to work for other clients because most of my calls can be fixed over the net. How about this, let's have a race to totally rebuild a production machine or back up a running machine or even to find all the users files and move them to a new machine.
--The best way to accelerate Windows is at -9.8 m/s^2
What you are describing is the Principle Of Least Authority. PLASH (Principle Of Least Authority SHell) is a nifty project to tackle this at the application level for Linux http://plash.beasts.org/. HP Labs has a project called Polaris which does this for windows http://www.hpl.hp.com/research/mmsl/projects/adv/polaris.html.
If you come across this, you SHOULD get a dialog saying whether or not you want to open a WMF file (Save/Open/Cancel).
However, if you configured FF such that the dialog no longer comes up (automatically opens files in default viewers), you're screwed.
Also, there was a post back on Wednesday from a guy saying that he did, in fact, click "Cancel" but still got infected...
4 out of 5 doctor's agree that Cancer is serious
FWIW, I think it would be a big mistake to force Microsoft or any other vendor to open source their product. Such a dangerous precedent would be akin to forcing OSS to be closed, which could then be attempted further down the road if political opinions shift against OSS.
That said, I agree that given time, it is plausible that the security of Windows would be better if it were open sourced rather than not.
Bruce Schneier, January 2002
... data files, really. They've always been, in effect, "code" that is executed by an interpreter. That being so, it's hardly astonishing that there might be a callback mechanism to handle things the interpreter can't cope with.
Remember too that the WMF stuff was designed in the days when getting a virus from one machine to another involved walking across the room with a floppy and deliberately rebooting the target machine with the infected floppy in the drive!
It's still a cock-up though. Whoever originally designed WMFs as code-based rather than data-based really wasn't trying hard enough.
..to add a new mime-type definition to the Windows defaults..
Identifier: X-Application/WinTrojan
Name: Windows Trojan File
File Extension Pattern: *.wtf
~ Better a freak than a sheep. ~
Does this mean that, when Firefox renders JPGs on an HTML page normally (without asking for a downloading), the WMF file could be executed?
http://malfeasance.50megs.com/
However OSX is not too far behind in terms of issues: October security update 1 for Tiger introduced a potential SSH problem. Panther Security patch 2-10-2005 had a problem with ARD etc.
Uh huh. Wake me when we have a malicious exploit in the wild that takes advantage of any of those. Bonus points if you find a malicious exploit for a hole that Apple hasn't patched.
Don't try to mitigate a serious Windows flaw, especially one that is unpatched by Microsoft, by going "but OS X has flaws, too!"-- because you look pretty stupid. And don't play the market share card, either, because that will prove to be bullshit as well.
I visited the website http://www.heaven666.org/ today to see the latest bloopers and pics (some mature content) and I got bit the second the webpage loaded. Symantec 10.0 notified me, quarantined the file but was unable to remove it so far.
Didn't Microsoft already release a patch for this on Nov 8th? Symantec's info page on this attack directs you to this Microsoft bulletin, which links to patches for each Windows release.
I'm not sure if this is technically correct, but I treated this thing like the Smitfraud/Quicknavigate/Virtual Maid infections.. html/ to remove it.
It took about an hour and involved a lot of scanning and rebooting but I eventually got it all.
:)
My step-sons pc got hit with this on Monday and I followed the Method 1 instructions found here... http://www.bleepingcomputer.com/forums/topic17258
I then installed Firefox for him and blocked his access to IE
BTW, Mcafee did not do a single thing to stop this from being installed, nor did it give any type of warnings after the fact. I hate Mcafee.
sweet. --suse 10 work/home/school
Because MS Word and PowerPoint can import WMF files, does this mean that those programs can be a vector for infection too?
For those who have web sites, perhaps this would be a good opportunity to influence your users to try a non Microsoft browser such as Firefox or Opera. I did so by posting an announcement to my message board.
I can imagine people with Mac or Linux laughing their ass off... Microsoft has to work on security more than they do right now. Security should be #1 priority at Microsoft for 2006.
Serious?! Eh show me an infected web site, and I will traverse it! Unless its filled with trannies and dog sex. Than good riddance.
I think they did... get the pitch-forks and the shotguns! We's gonna have ar sels a hangin'!
.NET (properly), and then knock up some gorgeous images in the latest version of a top graphics package for a site (hosted on my Linux server btw) followed by a Flash game and a couple of viral banners, turn off for a bit and destroy some friends on Battlefield 2.. I need Windows cos I can't get all the best software for anything else. I might get somewhere with the graphics package on a Mac but not have it run at a decent pace for the _right price_.
Windows is attacked more due to desktop marketshare. "Tired old argument." someone said, "What about Apache?" Well, forget for a moment that Apache is a web server application, not an O/S, and that it's inherently more straight-forward to secure something the size of Apache compared with something the size of Windows (especially with its mish-mash of new and old code from 1000s of different devs). Whatever the individual purpose of a virus/worm/other exploit writer they will almost certainly be more successful, by their measures, by sitting their "product" on the greatest number of machines and where the information is juicier and more accessible.. the Windows home (and office) desktop market.
Now I'm not an MS cock-sock.. I hate rebooting and regular patching as much as the next guy, I use OSS FTP, archiving, email, browsing and office software wherever possible. That's mainly cos if I don't have to pay for it then why the hell not, but also because there are some superior solutions out there for certain problems that are OSS and why not support that noble effort.
But then comes the deal-breaker for me.. I need to develop something in the latest version of Java and/or C#
I would _love_ to switch to Linux tomorrow. No, today. Not OS X, I just think it's horrible - personal opinion - but Linux. But I need certain packages, with the features and ease of use they provide, to get the jobs done. And I need Windows to run them on. Not everything's going to work with Wine.
Whenever another Windows security story appears everyone starts prodding, pointing and shouting. I'd agree with any balanced anti-Windows argument. But when you can't offer me a replace-all solution then I don't buy (or download for free) from you.
As a matter of fact, I have before seen women that killed my pop up. Ten pounds of ugly stuffed into a five pound sack.
Anyone for Windows XP SP3?
Can someone please confirm that this can be spread when using Firefox or Opera on Windows XP?
And, if so, is it by just visiting the site or is there anything that needs to be done (Like download and view an image with a windows program, or something like that).
Help! I'm a slashdot refugee.
I saw this coming a few days before this story broke. I was browsing a - ahem - "recreational" ;) site on my laptop (linux/firefox), when I got prompted to download a .wmf file. I knew (or had a good hunch anyway) it was a new exploit - it was fun to sit back and watch the story unfold though.
That being said, it's no laughing matter. I warned the various people who will undoubtedly ask me to fix their machines once they're infected, however, I'm still waiting for the calls. Apparently, this is a nasty one and may require a reinstall once a machine is affected - wonderful.
My questions are: Once this is patched, what functionality/ies will break? Maybe that's why they haven't patched it yet?
I implore MS to write a new OS from scratch. Here's hoping.
This will be the main vector for spreading this, obviously.
Everything I've read seems to indicate that this only affects Windows ME, Windows 2000, Windows XP and Windows 2003. So, I guess those of us still chugging along with ancient machines on Windows 98 are cool?
(CTTOI, most of the really nasty exploits I've read about recently seem to only affect post-98 OS's. Another good reason to keep my old fogey running, with spit and duct tape if necessary....)
assuming you want to move your uploads & downloads (e.g. images) from/to your sandbox, you'll probably be moving infected files from your sandbox, via the mounted share, into your real environment.
Ok, so everytime some Windoze blowhard comes on slashdot and accuses us Macheads or 'nix users of exaggerating Windoze's problems, we can now use some very scathing meat for our argument (in addition to all of the other security problems that Winblows has). I personally own a Mac and am laughing my ass off.
"Windows XP Flaw 'Extremely Serious"
:)
Who cares. They all sound extremely life threatening and the world could end as we know it, not to mention Christmas ruined because XP is flawed!
go buy a mac....and that's comin from a guy that doesn't like macs.
DJBeSSeR
This is definitely a mind-set issue that linux users (who have forever logged in as user, and su/sudo for priv'd stuff) already have.
Perhaps in time, win-users will gain the same level of understanding that it's for their own good.
If you think imaginary property and real property are the same, when does your house become public domain?
The stores you have already been to can now get you, if they have not already exploited one of the other 1,001 holes you don't know about. With companies like American Express and Home Depot paying people to infect M$ encumbered computers with advert servers, the internet is anything but a trusted network to begin with.
The advice is not being given to help the user, it's being given to BLAME the user. When something goes wrong, clueless administrators everywhere will now blame their users for all the late hours they will spend cleaning up after Bill Gates.
Friends don't help friends install M$ junk.
I just love the fanboys rushing out of the woodwork whenever there is *another* bloody HUGE hole found in windows.
"Oh it could happen to any OS", but doesn't
"You should be using a virtual machine to browse the internet anyway", windows is *so* easy to use.
"It's only because Windows is popular", broken, braindead 'features' being exploited has something to do with popularity
"All software is buggy", some software is much worse than others it would appear
In a few months we will be hearing from the same people how much better Windows is now that all the problems are fixed and things like this will never happen again, that those 'lunix zealots just will never get over it, its not 1998 anymore l00Z3R$", that Windows is just as secure as anything, and on and on it goes...
It's time for a new soundbite...
Windows, only usable if your time is worthless.
"Currently, eSafe is the only gateway product capable of providing complete protection against this threat."
http://www.esafe.com/home/csrt/valerts2.asp?virus_no=21953
I am seeing WMF files being blocked as CID ActiveX exploits.
eSafe is protecting SMTP, FTP, HTTP in my environment. I believe it has the ability to do POP3 and SSL if you purchase those features.
The internet is going to crawl when someone writes a worm around this exploit. Any program that uses the vulnerable dll can cause the compromise. So, for example, Google's desktop search file indexer can trigger the payload without the user ever interacting with the file (as others have already pointed out).
What is your definition of a REAL OS?
My definition is as follows: Any piece of software that helps you gain control over your computer, and the way it functions and interacts with the attached hardware.
Of course, by that definition, the BIOS is, in essence, a very BASIC OS (Though BIOS means Basic Input/Output System)
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
Yes, that was frustrating. Fortunately, VMWare patched it pretty quickly, but you had to re-download the whole thing.
I think still, though, the analogy holds up - surgical gloves don't prevent you accidentally infecting yourself with a scalpel, but are a best practice for infection control anyway. Sandboxing your browser may not be perfect either, but it has protected our practice from the nasty bits of the web for some time now, and we are by no means an IT-savvy bunch.
Why every day there's a story in /. that there's a flaw in Windows. And in Linux??? There are no flaws?? Really? I'm getting suspicious...
More dirt bags are using the exploit, so your risk has increased. It's kind of like more people are ready to put ice where Bill Gates left a hole in your pants. When your computer goes poof, you will feel pretty naked.
the web sites are not infected, they are malicious.
A web site may serve such images without knowing it through their ad server or through vandalism. The user's perspective of those events would be that the site was "infected" with a disease that wiped them out.
For other editorial problems, send a letter to the Washington Post and other industry experts who use the same kind of language.
To save your ass, heed their warning: a big fat worm is coming that will exploit this. I'd convert my users to Mepis if I were you.
Friends don't help friends install M$ junk.
Would disabling images in firefox keep me from getting infected?
In Firefox, just disable the images (Tools, options, content).
Anyone tried this yet?
(I had to re-activate this to post this comment - it stops the bot detection word loading!)
Hey guys, just thought that you should be warned about a possible OE issue that could be abused. As you may know, OE can disable showing you pictures when you open an email until you agree to see them by clicking the little bar asking you to display them, right? Well, there's a serious catch to this. If you decide to forward a copy of ANY email to, say, fraud addresses for eBay, the government, the police, another account etc., OE will NO MATTER WHAT download AND display these images WITHOUT prompting you. I have written to MS about the issue and received a reply confirming the issue. They say that it is a "design feature" and that I should switch to Outlook if I want to be prompted about showing pictures on a Forward.
THIS MESSAGE IS EXTREMELY IMPORTANT!!! MOD IT UP ASAP!
I do not know the details of the exploit, and this probably won't help in this case, but "Dropmyrights" will reduce rights while running IE (at least it makes IE a bit better): http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dncode/html/secure11152004.asp
cheers
When the exploit was posted to Slashdot, it wasn't nearly as widespread. Since that time, it has mushroomed. Granted, the people who would use this exploit would probably have found out about it anyway, but would they have implemented it so fast if it wasn't so public? I don't know if I would prefer Slashdot not to post it, but I'm curious to know the effects that the media has on catalyzing the growth of exploits like this.
In theory, XP Pro has better security capabilities than Linux. I don't think that's true of XP Home (which needs it more because its users are less savvy), and I know it's not true by DEFAULT.
Out of the box, XP Home has one user called "Owner" with Admin privilege and no password. IMO, that crappy default setting is one reason why developers ASSume everyone is root, and write crap that doesn't work on a Limited Account.
You ask why run code with more permissions than it really needs.
That kind of functionality was part of Multics, with its multiple privilege rings. Unix doesn't have this capability; in fact, the name Unix comes from Multics, with "Multi-" switched to "Uni-" to indicate it has only one user privilege level.
Under Multics, you could run tasks with fewer privileges than you have normally. Those could then run tasks with even less privilege. Basically, back when CPU time cost money, a teacher could blow all their allotted CPU time by running a student's program that looped forever. There were also issues with the students perhaps sneaking something in there to read files that only the teacher could read (as they were run as the teacher). Although that kind of thing probably didn't happen much, there wasn't really much malicious software at that time.
In terms of allocating privileges on a "need to know" basis, ironically, Windows is a lot better than Unix. Unix really only has two privilege levels, user and root. If you need to elevate your privilege to get the ability to kill a task or open a restricted port, you also get privileges to read and write any file on the machine or even create setuid files. Windows has a lot finer-grained permissions allocations, although most users don't use it. Unix also has a few hacks like the "nobody" account which increase security a bit more, but not as much as a system like Windows' or Multics'.
Really, what is needed is MS needs to modify IE so it can run as a restricted user even when the user running it is an admin (privileged) one. This capability is in Windows XP, but most MS programs (like Outlook) won't run when set this way. Does Firefox?
Big asterisk here. Although multiple privilege levels was specifically removed as a feature of UNIX in the beginning, some people/companies have hacked some of it back in. Maybe it'll make it into mainline distros someday. Additionally, AFS (Andrew File System) doesn't automatically recognize uid 0 as a privileged user.
http://lkml.org/lkml/2005/8/20/95
I guess MS really got lucky that this happened in the holiday season when at least in Europe a lot of the offices are closed.
Otherwise companies relying on MS Windows could've been hit hard.
And again they're lucky that these exploits are not written by MS haters. If they were, one of them would simply have messed up MBRs/BIOSes beyond repair. THAT would hurt MS!
Look, Mr. Softy has become the richest outfit on earth by understanding the fundamental truth: people are sheep.
You can lead those sheep to water, but it's going to take an enema to spare them from death by dehydration, oral methods carrying too great a drowning risk.
I guess that may have sounded negative.
Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
Ooh big news, Windows has yet another security flaw. Who cares. Why the fuck is this still news?
It's the core security problem of Windows: the development culture doesn't respect security. Developers went for decades of DOS and Windows 3.1/9x without needing to worry about users and permissions. So they got used to assuming they could write wherever they wanted. When real user separation and permissions became mainstream with Windows 2000 and XP, they weren't prepared to change. Because so much software required full access, the easiest way to get stuff running is to run in an Administrator account. And since so many people (developers included) run as Administrator, why bother doing the right thing? Games are usually guilty, but there are piles of business and research software that are equally guilty. My brother is a sysadmin for a research lab. To keep Administrator access out of users' hands, he has to bend over backwards to get the machines running the software his users need. A 2005 release of a $3,000 package that refuses to be placed in a directory with whitespace or a tilde, meaning it can't be installed in C:\Program Files. A $500 package that demands write access to a file in the C:\Windows directory.
This is one case where backward compatibility came at the expense of security. The development culture is moving too slowly. Bigger companies are starting to do the right thing and you get the occasional smaller development house following the rules. The killer is that huge mass of more specialized software. Apple bit the bullet when they cut over to Mac OS X; software had to do the right thing or it stopped working. Microsoft needs to make such a dramatic change or we'll be putting up with this bullshit for at least another five years.
Here is a link about an unsuccessful attempt to run five Windows viruses under Linux:
Running Windows viruses with Wine
It is possible to run some versions of Internet Explorer under Linux. The Codeweavers CrossOver Office version of Wine can run IE 6.0 under Linux.
Some Linux users also use Codeweavers' CrossOver Office to run Word 2000 or Excel 2000 under Linux. CrossOver Office is a slightly enhanced version of Wine with a more user-friendly front end.
As a desktop Linux user, I have never had to worry about viruses, worms or most spyware. I can open my email without the fear of ActiveX extensions, attachments, and viruses that most Windows users have. Of course, I do use one of the several free firewalls available for Linux. I don't run unnecessary services which a desktop user would not need and regularly check for security updates. Linux is not perfect, but it is much less vulnerable to most of these problems.
I got to work today to discover that my boss got one of the emails and installed a whole lot of spyware on his system. The spyware software the article mentions is called Spyaxe. That was easy to get rid of. However, there is some spyware that loads using the profile notify method, which loads even in safe mode.
Very annoying to get off. Among other things, the infection loads porno ads, repeatedly shows fake Windows security messages, and disables the task manager. It also throws a ton of files in the windows directory (about 30).
Anyone know of any threat pages about this yet? I want to make sure I didn't miss anything.
Proof that a +5 comment from a low UID means absolutely nothing.
Way to post false statements as if they were facts. Every one who read your post is now less informed than they were before. How does that make you feel?
visiting infected websites is a url rofl
went to file types in folder options and temporarily disabled automatic opening of WMF file types until flaw is patched (simple).
The VM image uncompressed is almost 1GB, and honestly it offers very little over using any decent (non-IE) browser (FF, Opera, etc.) on Windows (I've NEVER caught a virus, spyware or other crap that way). If it was some version of DSL with an updated Firefox (DSL still uses FF 0.9.1 IIRC) that would be pretty cool/useful, but 1GB (using Ubuntu)? Not a chance in hell. It's probably slow as molasses too, and getting your downloads from that Linux in a VM onto your Windows machine must suck... This is going to very extreme limits to prevent something minor that might happen perhaps once every 5 years and takes 5 minutes to fix.
I have had 7 customers already call me in the past 2 days; as of today, I have received 10 calls regarding this damn exploit. Looks like us IT people will be busy for a while.
Can search engines like Google provide a bar graph or colour code of how much a particular domain is known for pushing malicious software? This idea may require distributed crawling/indexing to be effective though.
Since a graphics rendering engine common to all versions of windblows uses file magic to determine the image file type - microsucks has a major problem on its hands as do all 90% of the world's computer users. An infected WMF image can simply be renamed to a .jpg or .gif and included in any displayable html (read any web page or html formatted email) and the code will be activated on any windblows box accessing it. This is MAJOR issue folks unless microsucks comes out with a fix for all versions of winblows very soon.
All this accomplishes is to keep Windows from automatically rendering the graphic when accessed by the Windows' system programs like file/Internet Explorer and Outlook email programs. If any other program on the system renders the graphic, if you do something that lets you see the graphic anywhere, you will activate the infection on your system. Since the WMF image file can be renamed to any other image type and the Windows graphic rendering engine will still recognize it as a WMF, the infected graphic can be disguised as almost anything - system icons, banners, pictures in my documents, template clip art... whatever.
"Computers can now be infected just by visiting infected web sites, [...]"
:-).
I think the editors forgot the 'again' part
(Yes, I admit that XP SP2 did some good things, but does anyone remember porn sites and surfing in general a few years back? HONESTLY. Computers being infected automatically is NOTHING new!)
File extensions are hidden by default in Windows. Yes, stupid but true. NekkidTennisPlayer.JPG.exe looks like NekkidTennisPlayer.JPG to most Windows users.
You don't even NEED a vulnerability. Windows' design IS a vulnerability.
Note to people in Redmond: PLEASE FIX THIS!!! k?thx.
Someone should make an extra nasty version of goatse with this. Being goatsed would no longer just scar you for life.
Hello, world. MRC-"aggrieve."
I tried the feature of Windows that lets you run a program with restricted privileges. Firefox doesn't even launch.
The latest version of IE will launch! I went to cnn.com with it. It gets slightly weird at times, it apparently cannot access many files on the disk. Maybe I'll try this a while.
Score one for MS here I guess.
http://lkml.org/lkml/2005/8/20/95
Basically this does *NOT* work, and Microsoft saying so doesn't make it any more so.
Only the new HARDWARE based DEP, and especially those on AMD processors seem to stop this threat. The stock software DEP that Microsoft uses on NON-DEP Intel processors does *nothing* to resolve this issue. There are questions as to whether or not the DEP on Intel processors work.
So this is where WINE's incompatibility with software comes to its advantage.
Will Symantec Antivirus Corporate v10 protect against this infection? How about Microsoft Antispyware?
Thanks for the Larry Seltzer link.
F-secure mentions these as bad URLS:
"And finally, you might want to start to filter these domains at your corporate firewalls too. Do not visit them.
toolbarbiz[dot]biz toolbarsite[dot]biz toolbartraff[dot]biz toolbarurl[dot]biz buytoolbar[dot]biz buytraff[dot]biz iframebiz[dot]biz iframecash[dot]biz iframesite[dot]biz iframetraff[dot]biz iframeurl[dot]biz"
Why not just put them into a HOSTS file as a 127.0.0.1 and avoid it?
This is the book you're looking for: Microsoft Windows Internals, Fourth Edition: Microsoft Windows Server(TM) 2003, Windows XP, and Windows 2000 (Pro-Developer) (Hardcover). That and TechNet. I have the 3rd edition and I found it very informative.
You can create a process that is unable to do pretty much anything other than crunch numbers and perform IO on existing file descriptors.
Red Hat will be using this for parsing multimedia data (image, sound, video, etc.) in an upcoming release. The GNOME app sends the data over DBUS, then gets back the results.
What I'd like to know is -- how long has this exploit been "in the wild?"
... they could have EASILY breached your Windows box, done whatever the hell they wanted, erased all their tracks ... and you'd have to convince a judge and jury it wasn't you.
... ?
If it has been there since WMFs began, that's a long, long time. We're talking Windows '95 or earlier. It all depends when the GDI callbacks feature was added.
So here's what you need to consider: since this exploitable code first "shipped" with Windows, anyone "in the know", e.g. potentially FOLKS AT MICROSOFT, the NSA, your neighbor, whomever
If I build and sell a car that is advertised as having a security system, but that security system is defeatable by running a magnet over the car lock, and that information is "out in the wild" for years and years, maybe even by folks in my company... what is the legal liability?
The only three external things that will adjust Microsoft's behavior regarding security are: (1) customers switching to other products, (2) criminal justice investigations, and (3) lawsuits. I don't see #1 happening so long as customers remain locked in, #2 is a joke as we know, but #3
This software requires that you run the game with Administrator privs when using it on Win32 because you need to be an Administrator to detect many of the cheats, read MAC addresses, and read the serial numbers off hard drives.
XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-U
Yeah, where I work, we often create email template designs for companies who wish to send out "email blasts" (marketing campaign emails sent to thousands+ of contacts, essentially).
Needless to say the first time I was told to cut up an "email blast template", I had to ask what the hell email "blasting" was. It sounded like some kind of widespread ("distributed"?) Denial of Service attack launched by zombie PCs running hacked up MTAs or something!
I'll say it again.
Use Windows. Get Infected.
It's not restricted to unpatched Windows 98. It affects fully patched Windows XP SP2 running fully updated anti-virus.
Use Windows, and you'll Get Infected.
A firewall will protect you sometimes. Safe browsing will protect you other times. But in the end, something will get you. WMF, or a buffer overflow in IE, a spoofing vulnerability involving Windows Update, a Windows only Firefox bug.
use Windows. Get Infected. Period.
WhiteWolf666 an exBush supporter. All you new-school,compassionate,save the children Republicans can rot in hell
We Apple users have had ammunition all along. Sony rootkit, LSASS, UPNP buffer overflow. IE "do me" exploits weekly or monthly. And I'd be LMAO without reservation if I didn't have to administer 35 of these fifth columns at work.
Seriously, this is helping a couple of my coworkers make the switch to Mac, even though my boss claims he's happy with his $600 laptop. He's happy because ignorance is bliss, and he has a short memory. He has no idea what his laptop is doing without his knowledge, and every six months he brings it in to me to get it cleaned or wiped.
Everyone is entitled to his own opinions, but not his own facts.
Visa/MasterCard etc. presumably have branches in different countries. Can, say, the US branch of Visa/MasterCard stop payments from US cards to Ukrainian merchants?
note: I'm known as plugwash most places but I screwed up registering that here somehow in the past and now can't register
I call shenanigans.
I've checked three times today, and I'm not seeing any patches for Windows. Maybe you were confused or hacked?
I don't remember how long I was wondering how to run Explorer.exe (and thus, Control Panel) with runAs, before I realised what parent said. It really makes runAs much more useful.
“Wait for Hurd if you want something real” –Linus
Sysadmins have a new way to keep their users' Windows machines up to date. Simply encode your updates into a WMF file and place it on the intranet home page.
carefully ignoring the mac version of $ony's rootkit.
how "short term memory" of you...
instead of being an immature kiddy and acting smug, why not help others.
a good first step would be to help migrate those users to linux.
having to buy new hardware when the old hardware is perfectly functional is a waste.
out of the frying pan and into the oven. hmmm
Please read: http://kyeu.info/proxo/forums/viewtopic.php?t=699 I have created a filter that would kill any WMF-Exploit file, regardless of file extension. This is due to a new matching method I've discovered in Proxomitron, where it matches the magic bytes of known exploit files. Most people don't know Proxomitron can serve as a workaround to this issue. In my opinion, it serves the same protection as an antivirus in this case, as it's basically matching hex values and killing the connection upon a successful match.
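The two points made above (the Windows renderer identifies a WMF by its bytes, so a hostile metafile renamed to .jpg still plays, and a filter therefore has to match on content rather than extension) in working code. This is an added example, not Proxomitron's filter and not anything posted in the thread. It relies on the published WMF layout: the placeable header key 0x9AC6CDD7, the 9-word standard header, the META_ESCAPE record (0x0626) and the SETABORTPROC escape function (0x0009), which is the escape the in-the-wild exploits abuse to get GDI to register attacker-supplied data as a callback. The function names (sniff_wmf, classify, build_wmf) are mine, the three sample files are constructed inline, and the 16 filler bytes in the SETABORTPROC record stand in for a payload; they are not shellcode.

```python
import struct
from dataclasses import dataclass, field
from functools import reduce
from operator import xor

PLACEABLE_KEY = 0x9AC6CDD7   # on disk D7 CD C6 9A: the "placeable" WMF header
META_EOF = 0x0000
META_SETWINDOWEXT = 0x020C
META_ESCAPE = 0x0626         # record that passes an escape code to the driver
QUERYESCSUPPORT = 0x0008     # harmless escape, used here as a control
SETABORTPROC = 0x0009        # escape that registers a callback: the attack vector

@dataclass
class WmfReport:
    is_wmf: bool = False
    placeable: bool = False
    records: int = 0
    escapes: list = field(default_factory=list)   # (escape function, byte count)
    abortproc: bool = False
    notes: list = field(default_factory=list)

def _standard_header_ok(buf: bytes) -> bool:
    # Type (1 memory, 2 disk), HeaderSize (always 9 words), Version (0x100 or 0x300)
    if len(buf) < 18:
        return False
    mtype, hdr_words, version = struct.unpack_from("<HHH", buf, 0)
    return mtype in (1, 2) and hdr_words == 9 and version in (0x0100, 0x0300)

def sniff_wmf(data: bytes) -> WmfReport:
    """Decide by content, then walk the records looking for META_ESCAPE/SETABORTPROC."""
    rep = WmfReport()
    off = 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        rep.placeable, off = True, 22             # skip the 22-byte placeable header
    if not _standard_header_ok(data[off:]):
        return rep                                # not a metafile, whatever the name says
    rep.is_wmf = True
    size_low, size_high = struct.unpack_from("<HH", data, off + 6)
    if ((size_high << 16) | size_low) * 2 > len(data) - off:
        rep.notes.append("declared size exceeds data")
    pos = off + 18
    while pos + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, pos)   # RecordSize, RecordFunction
        size = size_words * 2
        if size < 6 or pos + size > len(data):
            rep.notes.append(f"malformed record at offset {pos}")
            break
        rep.records += 1
        if func == META_EOF:
            break
        if func == META_ESCAPE:
            esc = struct.unpack_from("<HH", data, pos + 6) if size >= 10 else (None, None)
            rep.escapes.append(esc)
            if esc[0] == SETABORTPROC:
                rep.abortproc = True
        pos += size
    else:
        rep.notes.append("no META_EOF record")
    return rep

def classify(filename: str, data: bytes) -> dict:
    """Verdict from content, plus whether the file name lied about the type."""
    rep = sniff_wmf(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    verdict = "not-wmf" if not rep.is_wmf else ("wmf-setabortproc" if rep.abortproc else "wmf")
    return {"file": filename, "verdict": verdict, "notes": rep.notes,
            "extension_lies": rep.is_wmf and ext != "wmf"}

# --- constructed samples for the demo, not files captured from the wild -----
def _record(func: int, params: bytes = b"") -> bytes:
    body = struct.pack("<H", func) + params          # params must be an even byte count
    return struct.pack("<I", (4 + len(body)) // 2) + body

def build_wmf(records, placeable: bool = False) -> bytes:
    recs = list(records) + [_record(META_EOF)]
    body = b"".join(recs)
    total_words = (18 + len(body)) // 2
    header = struct.pack("<HHHHHHIH", 2, 9, 0x0300, total_words & 0xFFFF,
                         total_words >> 16, 0, max(len(r) for r in recs) // 2, 0)
    out = header + body
    if placeable:                                    # checksum = XOR of the first 10 words
        head = struct.pack("<IHhhhhHI", PLACEABLE_KEY, 0, 0, 0, 100, 100, 1440, 0)
        out = head + struct.pack("<H", reduce(xor, struct.unpack("<10H", head))) + out
    return out

BENIGN = build_wmf([_record(META_SETWINDOWEXT, struct.pack("<hh", 100, 100))], placeable=True)
HOSTILE_SHAPE = build_wmf([
    _record(META_SETWINDOWEXT, struct.pack("<hh", 100, 100)),
    _record(META_ESCAPE, struct.pack("<HHH", QUERYESCSUPPORT, 2, SETABORTPROC)),
    _record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 16) + b"A" * 16),  # filler, not a payload
])
JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00" + b"\x00" * 32

if __name__ == "__main__":
    for name, blob in (("chart.wmf", BENIGN), ("holiday.jpg", HOSTILE_SHAPE), ("photo.jpg", JPEG)):
        print(classify(name, blob))
```

Two caveats a filter author should keep in mind. GDI's own detection is more lenient than `_standard_header_ok` (exploit files in the wild were often malformed and still played), so a gateway should treat anything that parses far enough to reach a SETABORTPROC escape as hostile and should not rely on the header check alone to wave files through. And matching on a couple of magic bytes, as the Proxomitron filter does, is a fine first cut but is exactly as good as the byte sequence chosen: walking the records is what lets you tell a dull clip-art metafile from one carrying the escape.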
just block all .jpg, .gif and .png images too! After all, they're the most commonly used formats, so one must be in safe after blocking them all!
Oh, wait...
Anyone else offended that people still refer to them as "hackers"? They're crackers!!!!!
Perhaps you'd volunteer to migrate our Windows business software to Linux? We depend on Foxpro's command UI and speed. We have thousands of VB scripts. And some GUI-heavy custom analysis software. Do they run on Linux? Can you make them run quickly on Linux? Can you retrain all of our programmers. No, you can't.
:)
What is the Mac version of Sony's rootkit? Is that the one when you open the CD, you find a readme begging you to install the DRM, so you do, but then you have to type in the administrator password?
Nah. I'm doing what I can, which is protecting our business needs. And highlighting the security costs of Windows as often as possible, to help people make the switch. Sure I'm smug, but you're ugly.
Sounded great. Downloaded the player and browser appliance.
Takes for-freaking-ever to load (5 min+) the player.
Takes nearly as long to start up the browser.
Every page takes a minute or more to load.
NO way to use this setup.
I have a 995 mhz celeron laptop with 512 meg ram running xp home sp2. I'll disable the dll and browse without the vm.
Maybe when I upgrade this thing I'll try again, but not for now.
Here's a decent analysis of the exploit, which I call UnionSeek or W32/PFV-Exploit.A-C.
http://www.nist.org/news.php?extend.50%5Bnist.org%5D
This article suggests that the best way to protect yourself is to disable the Windows Picture and Fax Viewer. I would change its name and drop an icon onto my desktop. If you need to view a trusted pic, just drop the file onto the new icon.
What annoys me is that the reporter repeated this line from Microsoft & didn't even think it through...
Although, as someone else said in reply to my original post, what can you expect from reporters, anyway...
Have you been touched by his noodly appendage?
You want the Microsoft Management Console:
runas /user:AdminUser mmc
You can get all the snap-ins that cover nearly all the Control Panel stuff from inside there.
And if you must run a control panel:
runas /user:AdminUser "control name.cpl"
You can find all of your Control Panels in your %SystemRoot%/System32 (C:\windows\system32) folder... they have .cpl extensions (sort by Type, look for "Control Panel extensions" -- also look at their Properties and read the description under the "version" tab to identify them)
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
What about Firefox Safe Mode? Does that help?
Btw, my firefox is acting up for the very first time: it loads but shows nothing, not even the bookmarks toolbar. Nothing. But safe mode is ok (which is how i'm posting this), as is IE. Does anybody know wtf? Is this related? Thanks.
This isn't a Unix vs Windows issue. I feel for the admins coming back to work on Monday. I raise a toast in your honor. Drink well and drink much on Saturday Night for your next 90 days are going to be hell.
For those about to work long hours, I salute you.
Bottoms up.
Enjoy.
It's just the normal noises in here.
The FAQ has been updated to say the opposite:
http://www.microsoft.com/technet/security/advisory/912840.mspx
"I have DEP enabled on my system, does this help mitigate the vulnerability?
Software based DEP does not mitigate the vulnerability. However, Hardware based DEP may work when enabled: please consult with your hardware manufacturer for more information on how to enable this and whether it can provide mitigation."
OTOH, the computer will not warn you if you double-click to open an app for the first time. Really, what would it say? Something like "You're running this app I haven't seen before. I don't know where it came from, and Alan Turing says it's impossible for me to predict what it will do. Are you sure you wanted to double-click on it?"
I don't think it was in the initial Tiger release, I think it came as a patch - but in fact Tiger (OS X) now does EXACTLY what you just said! You try to run an app for the first time, it says "This is the first time running this app, are you sure?" (more long-winded though).
If you download an app, the "OK to download the APP" dialogue counts as your OK and you don't get asked when you run this.
I am quite positive about this feature because I just upgraded an older OS X computer to Tiger today and it was putting up that dialogue for GoLive and other programs on the system when we ran them for tests.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Interesting... I haven't used OSX much, but I have downloaded programs to friends' OSX boxes, and run them, and gotten no such prompt. In which cases does the OS ask you this?
How recently was this? in one of the later Tiger patches (I think) it asks whenever you run a new app for the first time.
I think if it detects an installer (run by you) it does not ask (might be a loophole)? If you download an app and say OK to the "downloading an APP" dialogue it does not ask you again when you run it (as you hope).
I have not explored all the corner cases, but I was just upgrading a computer to Tiger today and got the "running the app for the first time, is that OK" dialogue on pretty much everything we ran as far as I can remember.
After some hours looking at WMF file format I developed a fix for it:
http://www.hexblog.com/
My fix works for Windows XP systems. I have tested it on my machines.
Uh, it's just like unix, just "su -" to a shell as root and then run the stuff you want. In fact given there's no xwindows you don't even have to "export DISPLAY" etc.
Create a shortcut with something like this:
%SystemRoot%\system32\runas.exe /user:rootuser "%SystemRoot%\system32\cmd.exe"
Then read this:
http://support.microsoft.com/?kbid=180025
You can also do "start compmgmt.msc" if you want to start the computer management stuff. There are a whole bunch of .msc stuff e.g. gpedit.msc, services.msc.
Don't like this command line stuff? Well, you wouldn't like the unix command line stuff then.
In fact, at my prev workplace with Windows XP I used to run my web browser as a different user account from my normal user account (non admin). That way if my web browser got exploited it's a lot harder for my normal user account stuff to be affected.
Now I do a similar thing with SuSE and KDE at my current workplace. I run mozilla with a different user from my main (non root user).
People grumble a lot about windows being insecure. Windows NT/2000/XP onwards aren't really that much more insecure than most Linux distros.
It's just most people who are currently running Windows, would probably want to run a Linux distro as root.
In my opinion Windows and Linux aren't really secure or suitable for normal users.
Users should be able to _easily_ run stuff with restricted privileges - sandboxed. Say they run some silly Xmas game that someone emailed to them, such a program should only be given limited rights e.g. graphics, sound, but no access to documents files, only write to temp directory, no network...
Not everything a user launches should run with the user's full account privileges.
Currently there's windows firewall software which help do something like this, but there's a long way to go.
The trouble is Microsoft and other companies don't want to empower users, they'd rather DRM stuff be the solution. That way what the user runs and what access it has is under the control of the big companies.
Basically the long term strategy for them is to let things get really messy and insecure on the desktops and then propose DRM stuff as The Solution. When in actual fact there are alternative ways of solving the problem that don't involve everything being signed by Big Corps.
And the Big Corps do make mistakes too. Witness the insecure _signed_ ActiveX control that was released by Sony's DRM stuff. Then there are the flawed/buggy Microsoft ActiveX controls, which can in theory be reinstalled again without warning (since they're signed by msoft), and then reexploited.
Of course their "solution" to that would be for your computer to download certificate revocation lists on a regular basis.
But if users just run unknown/exposed stuff in sandboxes by default there wouldn't be such problems.
How much does it interfere with normal webserving behaviour? I mean, it may stop lots of malicious stuff, but what if it blocks the things that are not malicious too?
Anyways, this is normal behaviour for modern desktop systems. The filename is just a name (a label, a hint) and nothing more than that. For most people, especially those who were used to DOS-based operating systems, this might be a surprise. But it's kind of common nowadays.
Caveat emptor ... I have not tried this - Windows WMF Metafile Vulnerability HotFix.
.. paranoid crackpot leftover from the days of Amiga.
1. Use mime-type.
2. Use extension.
3. Use content.
Skipping the first two, when they are present, is not normal.
Why did GEAR crush RDP?
Seriously, I think about security, too, but it's not worth running a 1GB virtual machine just to browse the freakin' internet.
1) Yes, Virtual PC and WINE allow you to run Microsoft programs like Internet Explorer and Office.
Actually, you can run Office and Internet Explorer on a Mac even without Virtual PC. Believe it or not, there exists Office:Mac and even IE (although Microsoft cancelled support and announced no longer updating past v5.2).
Sorry to disappoint, but software developers often create packages that run on multiple platforms.