Slashdot Mirror
Windows XP Flaw 'Extremely Serious'
scottott wrote to mention a Washington Post article with the news that the security hole we mentioned on Wednesday has widened. Computers can now be infected just by visiting infected web sites, or looking at images in the preview panel of older versions of Outlook. From the article: "At first, the vulnerability was exploited by just a few dozen Web sites. Programming code embedded in these pages would install a program that warned victims their machines were infested with spyware, then prompted them to pay $40 to remove the supposed pests. Since then, however, hundreds of sites have begun using the flaw to install a broad range of malicious software. SANS has received several reports of attackers blasting out spam e-mails containing links that lead to malicious sites exploiting the new flaw, Ullrich said."
Er... Microsoft Office and Internet Explorer do run on Linux using wine.
If you use Windows, go get the vmware browser appliance and use it - connecting to the internet through a virtual machine is like wearing gloves in the OR - it's just common sense.
http://www.vmware.com/vmtn/vm/browserapp.html
Using plain ol' text since 1968
until a patch is released.
IAAL
Start-->Run-->regsvr32 /u shimgvw.dll
You lose thumbnail view, and a few other (minor) built-in-Windows-picture-viewing tools break, but you use IrfanView anyway, don't you?
I dub thee... Sir Phobos, Knight of Mars, Beater of Ass.
scottott wrote to mention a Washington Post article with the news that the security hole we mentioned on Wednesday has widened. Computers can now be infected just by visiting infected web sites, or looking at images in the preview panel of older versions of Outlook.
There are two major factual errors here. One, the security hole has not "widened" - the scope of exposure is exactly what we read about Wednesday. Using shimgvw.dll to view a specially constructed WMF file results in system compromise (web site viewing of malicious WMF, previewing, opening w/MS picture and fax viewer, etc). The hole is exactly the same - exposure has increased, but the hole has not widened. Two: the web sites are not infected, they are malicious. The system is infected after visiting a malicious web site.
The full (well, as full as it is now) MS advisory is here. I'm not very pleased with how MS is handling this at all, but that does not excuse this shoddy "journalism". How hard is it to state facts correctly? All you had to do was change a few words, and it would have read much more accurately:
scottott wrote to mention a Washington Post article with the news that the security hole we mentioned on Wednesday is now affecting many more users. Computers can now be infected just by visiting malicious web sites, which are now rapidly increasing in number, or looking at images in the preview panel of older versions of Outlook.
For the last sentence, note that I sent mysefl WMF files win Outlook 2000 and 2003 while running Sysinternals process explorer and never saw shimgvw.dll called. Opening a WMF attachment called it, but not previewing, so there might be three errors, but I didn't test all versions that way, so I don't know...
Okay, really, she said Arkanoid, but you get my point.
Have you been touched by his noodly appendage?
Its in one of Windows standard libraries - but using IE makes it more dangerous.
Using Firefox with Adblock installed one can stop all files of this dangerous type by adblocking them until a patch is available.
Just saying it like it are.
Er.... Mac and Linux machines are no more succeptable to Windows XP exploits than you are to kennel cough or feline leukemia.
No folly is more costly than the folly of intolerant idealism. - Winston Churchill
If all you are doing is browsing the web, there is absolutely no reason to not do it in a sandbox. In fact, I don't get why all browsers run in sandboxes. Why do they *ever* need access to the host OS? If they need to save downloaded files, they can do so via a mounted share. At least in a sandbox they cannot execute privilidged code, at most they could infect executabes on said share.
This is not an ie flaw. This is a Windows flaw. You can still be affected with other browsers, you just have to try harder. Anything using the Windows DLL that does the WMF processing will be affected.
When will Windows be ready for the desktop?
http://www.sysinternals.com/utilities/rootkitrevea ler.html
It's an exploit of functionality built into Windows (it allows you to view thumbnails in folders full of pictures, for example). The reason it's more dangerous with IE is that IE by default will open these files, while Firefox (or some other browsers) will give you the good old Open/Save box first. If you open at this point, you're still screwed.
For those who are ranting about FF. Read the article, says that older versions of Opera and FF are vulnarable too - on Windows ofcourse.
Since last time it has been reportet that this can also be exploited by renaming infected wmf files to other image formats like jpg, gif and tif:0 /threaded
http://www.securityfocus.com/archive/1/420378/30/
Snort sigs have been available from BleedingSnort for some time now; I pushed them out to our corporate IDS yesterday morning.
(Warning, mangled by Slashcode - remove newlines)
t afile.pm.php; classtype:attempted-user; sid:2002734; rev:1;)
0 05/3086; sid:2002733; rev:1;)
#by mmlange alert tcp any any -> $HOME_NET any (msg:"BLEEDING-EDGE CURRENT WMF Exploit"; flow:established; content:"|01 00 09 00 00 03 52 1f 00 00 06 00 3d 00 00 00|"; content:"|00 26 06 0f 00 08 00 ff ff ff ff 01 00 00 00 03 00 00 00 00 00|"; reference: url,www.frsirt.com/exploits/20051228.ie_xp_pfv_me
# By Frank Knobbe, 2005-12-28 alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT WMF Escape Record Exploit"; flow:established,from_server; content:"|01 00 09 00 00 03|"; depth:500; content:"|00 00|"; distance:10; within:12; content:"|26 06 09 00|"; within:5000; classtype:attempted-user; reference:url,www.frsirt.com/english/advisories/2
Once again it looks like Microsoft are going to escape the 'perfect exploit' meltdown by the skin of their teeth. This is exploitable remotely, but Dr Evil can't sit at a console typing in arbitrary IP addresses to 0wn with the exploit. On the other hand you can get close to that sort of thing using Metasploit Framework.
"None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
And not only does the exploit work with .WMF (Windows MetaFile), but if the attacker renames it to, say, .JPG, Windows will detect this a really being a .WMF, and STILL execute it. Pretty serious stuff. See this bugtraq link for details.
640YB ought to be enough for anybody.
What we have in the Linux and BSD world at least are very good Mandatory Access Control systems that help mitigate some of this risk. In the Linux world you can use SELinux (shudder) or use something even easier, AppArmor. If you properly profile an application to determine what it should and should not do you'll be in much better shape when new exploits like this come out. It won't save you from everything since they can still get access to anything the program could legitimately access in the first place but it's much more efficient than setting up sandboxes for everything like chroot and much more secure.
Never ever visit astalavista from windows, not even in Firefox - even using firefox, free-av catched ~10 viruses that tried to execute while only visiting the site, and searching for my lost cd key (well, lost CD to be precise, taht came with my TV card, with the only app that worked for me).
Using Firefox with Adblock installed one can stop all files of this dangerous type by adblocking them until a patch is available.
.wmf even if the file is renamed to .jpg .
This comment says that you can't block it (ny blocking a file extention as is done in adblock), as Windows will execute the file as a
Why does the WMF rendering code need to run with any more permissions than: read a block of memory with the WMF file, and write a block with the rendered bitmap? (Or perhaps make display / GDI calls, if performance is a concern.)
Because the WMF rendering code *is* GDI. Seriously - a WMF file is basically a list of GDI functions to call in order, along with the parameters to pass to them.
If you come across this, you SHOULD get a dialog saying whether or not you want to open a WMF file (Save/Open/Cancel).
However, if you configured FF such that the dialog no longer comes up (automatically opens files in default viewers), you're screwed.
Also, there was a post back on Wednesday from a guy saying that he did, in fact, click "Cancel" but still got infected...
You can be infected whenever Windows uses its default image viewer to display certain image types. This means there is a long list of applications that are vulnerable that rely upon the image viewer code, but as far as I know no one has yet compiled that list. Windows uses this code when previewing images (for example). The current way this is being exploited is to tell your web browser to open an image (wmf and jpg that I have heard about) in the picture viewer. On IE, this behavior defaults to happening automatically. That means you go to a page and it installs whatever code it wants. With Firefox, you go to a page and a dialogue asks to open a .jpg or .wmf file. If you agree, it installs whatever, but if you decline you're in the clear.
1) Yes, Virtual PC and WINE allow you to run Microsoft programs like Internet Explorer and Office.
2) The vulnerability is in the Microsoft Windows Graphics Rendering Engine, which is a part of the Windows kernel, and is why the exploit affects Windows versions from Win98 to WinXP.
3) Virtual PC and WINE running under Linux do not use the Microsoft Graphics Rendering Engine.
4) Even if they did, a Windows program trying to run in a Linux environment is a fish out of water, and can't do much besides SEGFAULT and exit.
5) Therefore, Linux (and Mac) users are safe, even if they are running IE or Office - just like the article said.
No folly is more costly than the folly of intolerant idealism. - Winston Churchill
The last time there were flaws in zlib and libpng, security was an apt-get upgrade away. Compare that to Windows where most software seems to have its own private copy of those DLLs.
Microsoft released patches for the libpng that came with Windows, along with a tool that scanned your hard drive, looking for copies of libpng embedded in third party executables and libraries. Unfortunatly, it would basically only say: "you {have,have not} installed Microsoft's patch for this issue; furthermore you have third party programs on your system, please install any updates available from your vendors". I can't remember a single program that released an update merely to fix the libpng flaw; in all probability every Windows machine with some kind of third party software on it probably still has dozens of copies of libpng and zlib lurking around on it.
Your latter points are interesting. What you are describing is a mandatory access control security scheme, like the one implemented by SELinux. This has yet to catch on because it's bloody complicated--and I believe SELinux only restricts what an application can do based on the 'tag' that its executable recieves; I don't know if SELinux policies can grant permissions to a process based on the shared library that is executing at any one time, or even how SELinux policies interact with interpreters like sh, perl, python, and so on.
Didn't Microsoft already release a patch for this on Nov 8th? According to Symantec's info page on this attack directs you to this Microsoft bulletin links to patches for each Windows release.
The real lesson is of course that once again mr buffer overflow strikes (don't implement anything in C if it needs to be secure). This time it's on windows.
This isn't a buffer overflow, its a design flaw that allows metafiles to register callbacks with GDI32. And I fail to see what language a programmer uses has anything to do with it. Bad programmers are bad programmers reguardless of the language used. To the CPU its all instructions, it doesn't care if its issued by the crt or the java_vm.
Enjoy,
It's just the normal noises in here.
"Because the vulnerability exists within a faulty Windows component, security experts warn that Windows users who eschew Internet Explorer in favor of alternative Web browsers, such as older versions of Firefox and Opera, can still get their PCs infected if they agree to download a file from a site taking advantage of the flaw."
Baltika
I believe you can be "infected" by the wmf-borne issue, but for it to then download and install the malicious code without notfying you first is an IE thing..?
It's a misfeature of Windows itself. If you surf with ANY browser, you'll get zapped if you surf to a site set up to take advantage of this latest hole.
This is completely untrue. BTW: I've visited many of the sites in question using a virtual session, so I know first hand.
Internet Explorer uses the broken DLL in question to help it rendering the inline WMF in a webpage. Thus, if the site has a WMF as an image, IE can be exploited immediately. On Windows 2003 Server, it should be mentioned, WMFs are blocked by default (because it requires an external renderer, and IE disallows external helpers outside of trusted sites, or by explicitly allowing it with the security bar on a case-by-case basis).
Mozilla/Firefox doesn't render or handle WMF at all. It'll ask you if you want to open the file, encouraging (at least in current versions) you to open it with Media Player. Even if you click OK you're okay, as Media Player won't know what to do with the file.
Opera is in between - if it sees a WMF it will ask if you want to open it, and it'll suggest the Windows Picture and Fax viewer (which uses the affected DLL), so one OK later and you're owned.
The graphics rendering engine is divided between the Win32 subsystem which is a user process (csrss.exe), and the Win32 executive (Win32.sys) which actually runs in kernel space. The portion of the graphics system in the executive is limitted almost exclusively to the actual displaying of images and direct interaction with the drivers that interface with the display hardware. I'm not 100% sure, but I can't ever recall there being a vulnerability found in this part of the executive.
This specific vulnerability, like almost all image processing vulnerabilities, occurs in the image format parser, which is in the Win32 subsystem. As such its not in the kernel and runs in standard user scope. I know this doesn't change the point you were trying to make, which was the vulnerability doesn't occur on other systems. I just wanted to correct the statement about it being a kernel vulnerability.
Games should not be doing the kind of things that need Administrator privilege to do!
They have no business doing that, people without Admininstrator should be able to play, anything running as Administrator (or in that group) can do great damage (e.g. virus infections, file deletion, even destroy the BIOS), and doing things that require Administrator wrongly can also trash the system (accidently corrupting a DLL, locking up hardware, etc).
There is a RunAs on Windows, and it is useful for doing sys admin stuff only when needed. It would be nice if it could be configured that a browser run by Administrator (lets say to need to Google for a solution to a problem you are working on) would drop privs (but even Linux doesn't do that).
But my main point is games and other user programs should need Administrator.
Just because it CAN be done, doesn't mean it should!
If there ever was a smoking-gun lead-pipe indictment of Microsoft's sloppy love of whizzo features, security, stability, maintainability, administerability be damned; this has GOT to be it. If the filetype API is that flawed, we need to just get rid of .WMF files, period.
No folly is more costly than the folly of intolerant idealism. - Winston Churchill
That's because Windows understands structered storage format natively and owner application's GUID is stored as the first entry.
Here is some information on the WMF threats.
Same as IE. It's in the way Windows processes and displays this type of image file, so it doesn't matter what program is displaying the image.
At least in Firefox, you will get a prompt asking you to run the script before it executes. So as long as you always remember to click on "Hell NO", you should be pretty safe.
Actually, there's a fantastic book about the Windows internals called Microsoft Windows Internals, Fourth Edition by Mark Russinovich. Every Windows programmer should have this book. Even if your work is entirely in .NET, its important to know why some of the decisions in .NET were made as they were, and its also vitally important to know exactly how Windows handles process security.
I'll say it again.
Use Windows. Get Infected.
It's not restricted to unpatched Windows 98. It affects fully patched Windows XP SP2 running fully updated anti-virus.
Use Windows, and you'll Get Infected.
A firewall will protect you sometimes. Safe browsing will protect you other times. But in the end, something will get you. WMF, or a buffer overflow in IE, a spoofing vulnerability involving Windows Update, a Windows only Firefox bug.
use Windows. Get Infected. Period.
WhiteWolf666 an exBush supporter. All you new-school,compassionate,save the children Republicans can rot in hell
Please read: http://kyeu.info/proxo/forums/viewtopic.php?t=699 I have created a filter that would kill any WMF-Exploit file, regardless of file extension. This is due to a new matching method I've discovered in Proxomitron, where it matches the magic bytes of known exploit files. Most people don't know Proxomitron can serve as a workaround to this issue. In my opinion, it serves the same protection as an antivirus in this case, as it's basically matching hex values and killing the connection upon a successful match.
After some hours looking at WMF file format I developed a fix for it:
http://www.hexblog.com/
My fix works for Windows XP systems. I have tested it on my machines.