Windows XP Flaw 'Extremely Serious'
scottott wrote to mention a Washington Post article with the news that the security hole we mentioned on Wednesday has widened. Computers can now be infected just by visiting infected web sites, or looking at images in the preview panel of older versions of Outlook. From the article: "At first, the vulnerability was exploited by just a few dozen Web sites. Programming code embedded in these pages would install a program that warned victims their machines were infested with spyware, then prompted them to pay $40 to remove the supposed pests. Since then, however, hundreds of sites have begun using the flaw to install a broad range of malicious software. SANS has received several reports of attackers blasting out spam e-mails containing links that lead to malicious sites exploiting the new flaw, Ullrich said."
I needed a bit of underground info (CD key) and went to the best site for that, and without thinking I used IE -- couldn't have shut my browser down fast enough.
Spent the next few hours removing all the junk that installed; I was lucky no rootkits were installed.
In 1.5 the behaviour changed, and for some reason .WMF was associated in Firefox with Windows Media Player. So 1.5 is secure against this flaw, by lucky accident.
Windows has the vulnerability. Web browsers and some versions of Outlook are the means by which the malicious .wmf files are introduced into the operating system. Firefox and Opera can also be used to introduce malicious .wmf files; the difference is that Firefox and Opera ASK the user for confirmation before downloading the files. I understand that newer versions of Firefox are misconfigured and do not handle .wmf files as Microsoft intended; this may be a case where a configuration error is actually a security feature.
Could someone please elaborate on whether using Firefox browser will help avoid this security hole.
The CoolWebSearch family of malware has been around forever... one of the major effects of many of the versions is to replace any IE entry of "search.msn.com" or "www.google.com" with "www.coolwebsearch.com", a rather shitty search engine.
Have you been touched by his noodly appendage?
How come no one ever includes a link to an infected site? I'm surfing with Firefox under Linux and I would just like to check out some of the infected sites so I can look at the source to see what they are doing. Links anyone? P.S., windoze users please don't click the link.
Some settling may occur during posting.
How could you know? They can do pretty much whatever they want to your* computer. There's no one single indication to look for.
*assuming "your" computer is running Windows.
It reminds me of problems a long time ago with Display Postscript, which, in addition to drawing, was also a full-blown programming language that had access to the filesystem. There were some early exploits that took advantage of this (on the few systems that employed DPS), but the solution was simple -- keep the functionality there, in theory, but have a default context that disabled the filesystem functions and other insecure operations in any program which dealt with insecure data (e.g., e-mail or web browser). To get the functionality back (it was sometimes useful), you had to hand-code a different DPS context from what the OS provided as a standard, which meant a programmer had to go out of their way to be intentionally insecure.
Microsoft's biggest problem has never been 'lack of security' (although lack of security is a symptom of their biggest problem), regardless of what Linux/Mac fans seem to think; the problem with Microsoft is that they have become so large that one hand doesn't know what the other is doing. This is a problem because the effect of a set of changes that are designed to increase functionality (like adding macros, plugins, etc.) is difficult to consider on a 'global' scale; everyone who was adding the WMF functionality could have told you that this could happen, but they probably never expected this data to be viewable from the web.
I have said it before and I will say it again: in the future more people are going to start to recognize that code re-use (and code theft) can become more costly than creating code from scratch, because often you do not recognize the assumptions that were made when developing the code; WMF probably became web-viewable because someone wanted a small portion of its functionality and re-used the code rather than starting from scratch.
Does this mean that, when Firefox renders JPGs on an HTML page normally (without asking for a download), the WMF file could be executed?
No. It's another exploit in the same system:
http://www.kb.cert.org/vuls/id/181038
Why is it so hot? Where am I going? What am I doing in this handbasket?
At least in a sandbox they cannot execute privileged code; at most they could infect executables on said share.
Depends on your level of safety in the sandbox. Do not some versions of Windows have protected-mode device drivers--you know, for speed reasons? If you didn't have image-rendering and sound-playback also handled by the sandbox--also for speed reasons--then it might be possible to escape the sandbox given the right kind of vulnerability in the device driver.
I would hope VMWare fully simulates all hardware and wouldn't have this kind of vulnerability. It's slow, but it's safe.
Incidentally, that is a choice where Microsoft often appears to choose perceived speed at the expense of safety.
Yes, seriously. That old knee-jerk meme of "IIS vs Apache disproves the myth of exploits due to install base" has to die. Yet someone invariably posts it, and they invariably get modded up. I just hope a few rational mods find your post quickly.
Not to mention that the OP seems to have confused the issue of "exploits" with the issue of "user permissions" which is what was actually being talked about.
The following sentence is true. The preceding sentence was false.
F-Secure mentions these as bad URLs:
"And finally, you might want to start to filter these domains at your corporate firewalls too. Do not visit them.
toolbarbiz[dot]biz toolbarsite[dot]biz toolbartraff[dot]biz toolbarurl[dot]biz buytoolbar[dot]biz buytraff[dot]biz iframebiz[dot]biz iframecash[dot]biz iframesite[dot]biz iframetraff[dot]biz iframeurl[dot]biz"
Why not just put them into a HOSTS file as a 127.0.0.1 and avoid it?
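The hosts-file approach suggested above, as an added example that is not code from the page or from any poster: it takes the F-Secure list as quoted (defanged with "[dot]"), turns it back into hostnames, and emits hosts-file lines pointing at 127.0.0.1 as the poster proposed. The function names (refang, parse_defanged, hosts_lines, is_blocked) and the "www." handling are my own choices, not anything the page specifies.

```python
import re
from urllib.parse import urlsplit

# Constructed from the F-Secure list quoted above; "[dot]" is the usual
# defanging so a domain list can be pasted without creating live links.
DEFANGED_LIST = """toolbarbiz[dot]biz toolbarsite[dot]biz toolbartraff[dot]biz
toolbarurl[dot]biz buytoolbar[dot]biz buytraff[dot]biz iframebiz[dot]biz
iframecash[dot]biz iframesite[dot]biz iframetraff[dot]biz iframeurl[dot]biz"""

_DEFANG = re.compile(r"\s*\[(?:dot|\.)\]\s*", re.IGNORECASE)
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.IGNORECASE)


def refang(token):
    """Turn 'example[dot]biz' back into 'example.biz', lowercased."""
    return _DEFANG.sub(".", token.strip()).lower().rstrip(".")


def parse_defanged(text):
    """Extract a de-duplicated list of syntactically valid hostnames."""
    hosts = []
    for token in text.split():
        host = refang(token)
        if "." not in host:
            continue
        if not all(_LABEL.match(label) for label in host.split(".")):
            continue
        if host not in hosts:
            hosts.append(host)
    return hosts


def hosts_lines(hosts, sink="127.0.0.1"):
    """Render hosts-file lines.

    The poster suggested 127.0.0.1; 0.0.0.0 is the common alternative because
    it fails immediately instead of connecting to whatever listens locally.
    A hosts entry matches only the exact name, so a 'www.' variant is emitted
    for each bare domain; any other subdomain would still resolve normally.
    """
    lines = []
    for host in hosts:
        lines.append(f"{sink} {host}")
        if not host.startswith("www."):
            lines.append(f"{sink} www.{host}")
    return lines


def is_blocked(url, hosts):
    """True if the URL's host is a blocked name or a subdomain of one.

    This is the suffix match a DNS sinkhole or proxy gives you; the hosts file
    alone does not do it, which is the main reason to filter at the firewall
    as F-Secure suggests rather than relying on hosts entries.
    """
    if "://" not in url:
        url = "http://" + url
    name = (urlsplit(url).hostname or "").lower()
    return any(name == h or name.endswith("." + h) for h in hosts)


if __name__ == "__main__":
    blocked = parse_defanged(DEFANGED_LIST)
    print("\n".join(hosts_lines(blocked)))
```

Append the printed lines to `%SystemRoot%\System32\drivers\etc\hosts` (or `/etc/hosts`). Bear in mind the limits: exact-name matching only, no effect on traffic that does not go through the OS resolver, and a list that is out of date as soon as the operators register another domain.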
No, Slashdot isn't "to blame". Stop talking like Zonk.
Anti-virus and virus writers follow different websites that were already posting the details of the WMF vulnerability and the exploits. Slashdot did not have anything to do with that.
Thanks to Slashdot, I found out about this vulnerability in time to shut off our company's internet access before people came in to work, and find out what to do (unregister shimgvw.dll, add rules to IDS, send alarmist email to everyone explaining what to look out for). I'm sure that thousands of other admins found out about this within 24 hours, thanks to Slashdot, and were able to warn co-workers, friends, and family.
It's very different to ask "Is the publicity from Slashdot to blame?" vs. "I'm curious to know the effects that the media has on catalyzing the growth of exploits like this." I'm curious too, but *very* glad that Slashdot reported this exploit.
I'd believe that a few "prank" infections (IM) have occurred because of the publicity. I'm honestly surprised that no one seems to have posted these .wmf files to popular forums that I read. I'd guess that it's because the company exploiting this vulnerability the most -- Spyaxe -- is making a buck off of it, and mere pranksters won't.
Everyone is entitled to his own opinions, but not his own facts.
What I'd like to know is -- how long has this exploit been "in the wild?"
... they could have EASILY breached your Windows box, done whatever the hell they wanted, erased all their tracks ... and you'd have to convince a judge and jury it wasn't you.
... ?
If it has been there since WMFs began, that's a long, long time. We're talking Windows '95 or earlier. It all depends when the GDI callbacks feature was added.
So here's what you need to consider: since this exploitable code first "shipped" with Windows, anyone "in the know", e.g. potentially FOLKS AT MICROSOFT, the NSA, your neighbor, whomever
If I build and sell a car that is advertised as having a security system, but that security system is defeatable by running a magnet over the car lock, and that information is "out in the wild" for years and years, maybe even by folks in my company... what is the legal liability?
The only three external things that will adjust Microsoft's behavior regarding security are: (1) customers switching to other products, (2) criminal justice investigations, and (3) lawsuits. I don't see #1 happening so long as customers remain locked in, #2 is a joke as we know, but #3
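The "GDI callbacks feature" mentioned above is the SETABORTPROC escape: a WMF Escape record (META_ESCAPE, function 0x0626) carrying escape code 9 asks GDI to register the record's data as an abort procedure, which is how a picture file ends up running code (the CERT note VU#181038 linked earlier covers this). The following is an added example, not code from the page or from any poster: it walks the WMF record stream and reports any such record, which is the check an IDS rule or a mail-gateway filter needs. The sample metafiles are constructed inline with inert zero filler rather than any real payload, and the helper names (iter_records, find_escape_callbacks, build_wmf) are my own.

```python
import struct

META_EOF = 0x0000
META_ESCAPE = 0x0626
META_SETBKCOLOR = 0x0201        # harmless drawing record used in the samples
SETABORTPROC = 0x0009           # escape that registers a GDI abort callback
PLACEABLE_KEY = 0x9AC6CDD7      # magic of the optional 22-byte placeable header


def iter_records(data):
    """Yield (offset, function, params) for each WMF record.

    Skips the placeable header if present, validates the 18-byte META_HEADER,
    and stops at META_EOF or at a record whose size field cannot be honoured.
    Sizes are in 16-bit words and include the 6-byte record prefix.
    """
    off = 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22
    if len(data) < off + 18:
        raise ValueError("truncated WMF header")
    mtype, hdr_words, _version = struct.unpack_from("<HHH", data, off)
    if mtype not in (1, 2) or hdr_words != 9:
        raise ValueError("not a WMF header")
    off += hdr_words * 2
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if size_words < 3:
            raise ValueError(f"malformed record size at offset {off}")
        end = off + size_words * 2
        yield off, func, data[off + 6:end]
        if func == META_EOF:
            return
        off = end


def find_escape_callbacks(data):
    """Return (offset, byte_count) for every META_ESCAPE/SETABORTPROC record.

    A metafile that only draws has no reason to carry one, so any hit is a
    reason to drop the file regardless of its extension: the vulnerable
    viewer sniffs content, so a .jpg or .gif name proves nothing.
    """
    hits = []
    for off, func, params in iter_records(data):
        if func == META_ESCAPE and len(params) >= 4:
            escape_func, byte_count = struct.unpack_from("<HH", params, 0)
            if escape_func == SETABORTPROC:
                hits.append((off, byte_count))
    return hits


def build_wmf(records):
    """Assemble a minimal WMF from (function, params) pairs; sample data only."""
    body = b""
    max_words = 0
    for func, params in records:
        if len(params) % 2:
            params += b"\x00"
        words = 3 + len(params) // 2
        max_words = max(max_words, words)
        body += struct.pack("<IH", words, func) + params
    total_words = 9 + len(body) // 2
    header = struct.pack("<HHHHHHIH", 1, 9, 0x0300, total_words & 0xFFFF,
                         total_words >> 16, 0, max_words, 0)
    return header + body


# Constructed samples. SUSPECT carries an Escape record naming SETABORTPROC
# with eight zero bytes as its data; real samples put code there, this one
# only exercises the detector.
BENIGN = build_wmf([(META_SETBKCOLOR, struct.pack("<I", 0x00FFFFFF)),
                    (META_EOF, b"")])
SUSPECT = build_wmf([(META_SETBKCOLOR, struct.pack("<I", 0x00FFFFFF)),
                     (META_ESCAPE, struct.pack("<HH", SETABORTPROC, 8) + b"\x00" * 8),
                     (META_EOF, b"")])
PLACEABLE_SUSPECT = struct.pack("<I", PLACEABLE_KEY) + b"\x00" * 18 + SUSPECT

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, find_escape_callbacks(sample))
```

The detector is deliberately strict about record sizes and stops at the first malformed one, whereas the GDI parser of the day was tolerant; so treat a parse error on a file claiming to be an image as a reason to quarantine it, not as a clean result, and match on the escape code rather than on any particular payload.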