Windows XP Flaw 'Extremely Serious'
scottott wrote to mention a Washington Post article with the news that the security hole we mentioned on Wednesday has widened. Computers can now be infected just by visiting infected web sites, or looking at images in the preview panel of older versions of Outlook. From the article: "At first, the vulnerability was exploited by just a few dozen Web sites. Programming code embedded in these pages would install a program that warned victims their machines were infested with spyware, then prompted them to pay $40 to remove the supposed pests. Since then, however, hundreds of sites have begun using the flaw to install a broad range of malicious software. SANS has received several reports of attackers blasting out spam e-mails containing links that lead to malicious sites exploiting the new flaw, Ullrich said."
"Mac and Linux computer users are not at risk with this attack, even if their computers run Microsoft programs such as Office or the Internet Explorer Web browser."
Amazing!
Guys, you keep posting that same story about a serious security flaw in Windows.
If you use Windows, go get the vmware browser appliance and use it - connecting to the internet through a virtual machine is like wearing gloves in the OR - it's just common sense.
http://www.vmware.com/vmtn/vm/browserapp.html
Using plain ol' text since 1968
until a patch is released.
IAAL
When is a Windows flaw ever not extremely serious?
Would someone tell me if the "just by visiting an infected site" link, is a link to an infected site, or an article about the infected sites?
Start-->Run-->regsvr32 /u shimgvw.dll
You lose thumbnail view, and a few other (minor) built-in-Windows-picture-viewing tools break, but you use IrfanView anyway, don't you?
I dub thee... Sir Phobos, Knight of Mars, Beater of Ass.
I needed a bit of underground info (CD key) and went to the best site for that and without thinking I used IE -- couldn't have shut my browser down fast enough.
Spent the next few hours removing all the junk that installed; I was lucky no rootkits were installed.
Have you been touched by his noodly appendage?
...is brought to you by http://update.microsoft.com/
Programming code embedded in these pages would install a program that warned victims their machines were infested with spyware, then prompted them to pay $40 to remove the supposed pests.
Where do you send the money? And they aren't afraid of getting caught?
He who knows best knows how little he knows. - Thomas Jefferson
scottott wrote to mention a Washington Post article with the news that the security hole we mentioned on Wednesday has widened. Computers can now be infected just by visiting infected web sites, or looking at images in the preview panel of older versions of Outlook.
There are two major factual errors here. One, the security hole has not "widened" - the scope of exposure is exactly what we read about Wednesday. Using shimgvw.dll to view a specially constructed WMF file results in system compromise (web site viewing of malicious WMF, previewing, opening w/MS picture and fax viewer, etc). The hole is exactly the same - exposure has increased, but the hole has not widened. Two: the web sites are not infected, they are malicious. The system is infected after visiting a malicious web site.
The full (well, as full as it is now) MS advisory is here. I'm not very pleased with how MS is handling this at all, but that does not excuse this shoddy "journalism". How hard is it to state facts correctly? All you had to do was change a few words, and it would have read much more accurately:
scottott wrote to mention a Washington Post article with the news that the security hole we mentioned on Wednesday is now affecting many more users. Computers can now be infected just by visiting malicious web sites, which are now rapidly increasing in number, or looking at images in the preview panel of older versions of Outlook.
For the last sentence, note that I sent myself WMF files in Outlook 2000 and 2003 while running Sysinternals Process Explorer and never saw shimgvw.dll called. Opening a WMF attachment called it, but not previewing, so there might be three errors, but I didn't test all versions that way, so I don't know...
Those of us who use free operating systems shouldn't be too complacent. This exploit is serious because the WMF rendering library has full access to the user's data, and (at least on a 'home' setup where it's a single-user machine) access to the whole PC.
But it was really just bad luck that the bug happened to be found in the Windows WMF library and not, say, its Unix/X11 equivalent. Or libpng, or zlib, or whatever. Anyone who thinks otherwise is deluded. All software has bugs, and even if the quality of the free libraries is ten times higher (unlikely) there will still be plenty of memory tramplings and buffer overruns.
So, when the next vulnerability is found in a commonly used Unix library, will we be in any better position? Not really. Still the library is linked into the application and runs in the application's address space. It has access to all the files the app does, and traditionally on Unix that means everything the user has access to. Your email application may only need to read ~/.mail_settings and connect via IMAP to some host, but it runs with permission to overwrite any file owned by you and connect on any TCP/IP port it wants.
Why does the WMF rendering code need to run with any more permissions than: read a block of memory with the WMF file, and write a block with the rendered bitmap? (Or perhaps make display / GDI calls, if performance is a concern.)
What support is there in Unix operating systems for running common library code with only the privileges it needs? As far as I know Linux has no simple way to run a dynamically-linked library (.so file) in its own address space or without permitting it to make system calls. So when the next exploit is found in a common Linux library - and it will be found - the situation will be just as embarrassing.
-- Ed Avis ed@membled.com
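As an added example (not from the thread or any poster), here is one way Linux can run untrusted rendering code with only "read one block, write one block" permissions, the arrangement the post above asks for: the renderer is forked into a child whose only channels are two pipes, and a seccomp-BPF filter (a kernel feature that postdates this 2005 thread) kills the child on any system call other than read, write and exit. The `render` function is a stand-in hash, not a metafile parser, and the input bytes are constructed; everything else is standard Linux API.

```c
#define _GNU_SOURCE
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Stand-in for the rendering library: a pure function of the input bytes
 * (FNV-1a here; a real renderer would emit a bitmap). It needs no OS access,
 * which is the point: read one block in, write one block out. */
uint32_t render(const uint8_t *buf, size_t n)
{
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) {
        h ^= buf[i];
        h *= 16777619u;
    }
    return h;
}

/* seccomp-BPF allow-list for the renderer process: read, write, exit and
 * exit_group pass; any other system call kills the process with SIGSYS.
 * (A production filter would also check seccomp_data.arch.) */
static int install_filter(void)
{
    struct sock_filter filter[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_read, 4, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_write, 3, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_exit_group, 2, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_exit, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = sizeof filter / sizeof filter[0], .filter = filter };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Render `file` in a forked, seccomp-confined child whose only channels are
 * two pipes. `misbehave` makes the child attempt one extra system call after
 * parsing, standing in for exploited renderer code reaching for the OS.
 * Returns 0 and sets *out on success, -1 if the child died or misbehaved. */
int render_sandboxed(const uint8_t *file, size_t n, int misbehave, uint32_t *out)
{
    int to_child[2], from_child[2];
    if (pipe(to_child) != 0 || pipe(from_child) != 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        close(to_child[1]);
        close(from_child[0]);
        if (install_filter() != 0)
            _exit(2);
        /* From here on only read/write/exit are possible. */
        uint8_t buf[4096];
        size_t got = 0;
        ssize_t r;
        while (got < sizeof buf && (r = read(to_child[0], buf + got, sizeof buf - got)) > 0)
            got += (size_t)r;
        uint32_t h = render(buf, got);
        if (misbehave)
            syscall(SYS_getpid);   /* not on the allow-list: SIGSYS, the process dies here */
        ssize_t w = write(from_child[1], &h, sizeof h);
        _exit(w == (ssize_t)sizeof h ? 0 : 1);
    }
    close(to_child[0]);
    close(from_child[1]);
    size_t sent = 0;
    while (sent < n) {
        ssize_t w = write(to_child[1], file + sent, n - sent);
        if (w <= 0)
            break;
        sent += (size_t)w;
    }
    close(to_child[1]);
    uint32_t h = 0;
    ssize_t got = read(from_child[0], &h, sizeof h);
    close(from_child[0]);
    int status = 0;
    waitpid(pid, &status, 0);
    if (got != (ssize_t)sizeof h || !WIFEXITED(status) || WEXITSTATUS(status) != 0)
        return -1;
    *out = h;
    return 0;
}

/* Constructed input, standing in for a downloaded image file. */
static const uint8_t SAMPLE[] = "constructed-metafile-bytes";

/* 1 if the confined renderer produced the same result as a direct call. */
int demo_confined_render_matches(void)
{
    uint32_t v = 0;
    return render_sandboxed(SAMPLE, sizeof SAMPLE - 1, 0, &v) == 0 &&
           v == render(SAMPLE, sizeof SAMPLE - 1);
}

/* 1 if a renderer that tries any other system call is killed instead. */
int demo_misbehaving_renderer_is_killed(void)
{
    uint32_t v = 0;
    return render_sandboxed(SAMPLE, sizeof SAMPLE - 1, 1, &v) == -1;
}

int main(void)
{
    printf("confined render matches direct: %s\n", demo_confined_render_matches() ? "yes" : "no");
    printf("misbehaving renderer killed:    %s\n", demo_misbehaving_renderer_is_killed() ? "yes" : "no");
    return 0;
}
```

The filter is installed only after the child has closed every descriptor it does not need, so even a fully compromised renderer is left with one input pipe, one output pipe, and no way to open files or sockets; the parent treats a dead child as a failed render rather than a crash of the whole application.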
Okay, really, she said Arkanoid, but you get my point.
It's in one of Windows' standard libraries - but using IE makes it more dangerous.
Using Firefox with Adblock installed one can stop all files of this dangerous type by adblocking them until a patch is available.
Just saying it like it are.
If all you are doing is browsing the web, there is absolutely no reason to not do it in a sandbox. In fact, I don't get why all browsers run in sandboxes. Why do they *ever* need access to the host OS? If they need to save downloaded files, they can do so via a mounted share. At least in a sandbox they cannot execute privileged code; at most they could infect executables on said share.
This is not an ie flaw. This is a Windows flaw. You can still be affected with other browsers, you just have to try harder. Anything using the Windows DLL that does the WMF processing will be affected.
When will Windows be ready for the desktop?
http://www.sysinternals.com/utilities/rootkitrevealer.html
It's an exploit of functionality built into Windows (it allows you to view thumbnails in folders full of pictures, for example). The reason it's more dangerous with IE is that IE by default will open these files, while Firefox (or some other browsers) will give you the good old Open/Save box first. If you open at this point, you're still screwed.
In 1.5 the behaviour changed, and for some reason .WMF was associated in Firefox with Windows Media Player. So 1.5 is secure against this flaw, by lucky accident.
My browser touches all sorts of things in the host OS, from the sound card to files that I upload and download. Luckily when I get AIM spam for foo.exe or some other silliness I don't get far unless I type 'wine foo.exe', and even then ;-)
The true challenge is how to dial in the security to a reasonable level. Problem is getting all the millions of programmers to adopt more secure standards combined with the users, IT managers, etc.. that deploy the apps on desktops. Then, getting that out across the millions of home users too. Daunting task.
For those who are ranting about FF: read the article, it says that older versions of Opera and FF are vulnerable too - on Windows of course.
Windows has the vulnerability. Web browsers and some versions of Outlook are the means that the malicious .wmf files are introduced into the operating system. Firefox and Opera can also be used to introduce malicious .wmf files, the difference is that Firefox and Opera ASK the user for confirmation before they download the files. I understand that newer versions of Firefox are misconfigured and do not handle .wmf files as Microsoft intended, this may be a case where a configuration error is actually a security feature.
The problem with the WMF (Windows Metafile) file format turns out to be one of those careless things Microsoft did years ago with little or no consideration for the security consequences.
Almost all exploits you read about are buffer overflows of some kind, but not this one. WMF files are allowed to register a callback function, meaning that they are allowed to execute code, and this is what is being exploited in the WMF bug.
I find this mind-boggling to the point of absurdity. Regardless of any supposed benefit gained by this, allowing a data file to execute arbitrary code upon it being viewed is simply begging for an exploit like this. No matter what spin Microsoft will try to put on this one, it makes them look bad. Extremely bad.
I hear there's rumors on the Slashdots
Snort sigs have been available from BleedingSnort for some time now; I pushed them out to our corporate IDS yesterday morning.
(Warning, mangled by Slashcode - remove newlines)
#by mmlange
alert tcp any any -> $HOME_NET any (msg:"BLEEDING-EDGE CURRENT WMF Exploit"; flow:established; content:"|01 00 09 00 00 03 52 1f 00 00 06 00 3d 00 00 00|"; content:"|00 26 06 0f 00 08 00 ff ff ff ff 01 00 00 00 03 00 00 00 00 00|"; reference:url,www.frsirt.com/exploits/20051228.ie_xp_pfv_metafile.pm.php; classtype:attempted-user; sid:2002734; rev:1;)
# By Frank Knobbe, 2005-12-28
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT WMF Escape Record Exploit"; flow:established,from_server; content:"|01 00 09 00 00 03|"; depth:500; content:"|00 00|"; distance:10; within:12; content:"|26 06 09 00|"; within:5000; classtype:attempted-user; reference:url,www.frsirt.com/english/advisories/2005/3086; sid:2002733; rev:1;)
Once again it looks like Microsoft are going to escape the 'perfect exploit' meltdown by the skin of their teeth. This is exploitable remotely, but Dr Evil can't sit at a console typing in arbitrary IP addresses to 0wn with the exploit. On the other hand you can get close to that sort of thing using Metasploit Framework.
"None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
Could someone please elaborate on whether using Firefox browser will help avoid this security hole.
Windows XP Flaw 'Extremely Comical'
No folly is more costly than the folly of intolerant idealism. - Winston Churchill
And not only does the exploit work with .WMF (Windows MetaFile), but if the attacker renames it to, say, .JPG, Windows will detect this as really being a .WMF, and STILL execute it. Pretty serious stuff. See this bugtraq link for details.
640YB ought to be enough for anybody.
The CoolWebSearch family of malware has been around forever... one of the major effects of many of the versions is to replace any IE entry of "search.msn.com" or "www.google.com" with "www.coolwebsearch.com", a rather shitty search engine.
How come no-one ever includes a link to an infected site. I'm surfing with Firefox under Linux and I would just like to check out some of the infected sites so I can look at the source to see what they are doing. Links anyone? P.S., windoze users please don't click the link.
Some settling may occur during posting.
Using Firefox with Adblock installed one can stop all files of this dangerous type by adblocking them until a patch is available.
This comment says that you can't block it (by blocking a file extension as is done in Adblock), as Windows will execute the file as a .wmf even if the file is renamed to .jpg.
FWIW, I think it would be a big mistake to force Microsoft or any other vendor to open source their product. Such a dangerous precedent would be akin to forcing OSS to be closed, which could then be attempted further down the road if political opinions shift against OSS.
That said, I agree that given time, it is plausible that the security of Windows would be better if it were open sourced rather than not.
... data files, really. They've always been, in effect, "code" that is executed by an interpreter. That being so, it's hardly astonishing that there might be a callback mechanism to handle things the interpreter can't cope with.
Remember too that the WMF stuff was designed in the days when getting a virus from one machine to another involved walking across the room with a floppy and deliberately rebooting the target machine with the infected floppy in the drive!
It's still a cock-up though. Whoever originally designed WMFs as code-based rather than data-based really wasn't trying hard enough.
..to add a new mime-type definition to the Windows defaults..
Identifier: X-Application/WinTrojan
Name: Windows Trojan File
File Extension Pattern: *.wtf
~ Better a freak than a sheep. ~
Does this mean that, when Firefox renders JPGs on an HTML page normally (without asking for a downloading), the WMF file could be executed?
Didn't Microsoft already release a patch for this on Nov 8th? Symantec's info page on this attack directs you to this Microsoft bulletin, which links to patches for each Windows release.
I believe you can be "infected" by the wmf-borne issue, but for it to then download and install the malicious code without notifying you first is an IE thing..?
It's a misfeature of Windows itself. If you surf with ANY browser, you'll get zapped if you surf to a site set up to take advantage of this latest hole.
This is completely untrue. BTW: I've visited many of the sites in question using a virtual session, so I know first hand.
Internet Explorer uses the broken DLL in question to help it render the inline WMF in a webpage. Thus, if the site has a WMF as an image, IE can be exploited immediately. On Windows 2003 Server, it should be mentioned, WMFs are blocked by default (because it requires an external renderer, and IE disallows external helpers outside of trusted sites, or by explicitly allowing it with the security bar on a case-by-case basis).
Mozilla/Firefox doesn't render or handle WMF at all. It'll ask you if you want to open the file, encouraging (at least in current versions) you to open it with Media Player. Even if you click OK you're okay, as Media Player won't know what to do with the file.
Opera is in between - if it sees a WMF it will ask if you want to open it, and it'll suggest the Windows Picture and Fax viewer (which uses the affected DLL), so one OK later and you're owned.
I just love the fanboys rushing out of the woodwork whenever there is *another* bloody HUGE hole found in windows.
"Oh it could happen to any OS", but doesn't
"You should be using a virtual machine to browse the internet anyway", windows is *so* easy to use.
"It's only because Windows is popular", as if broken, braindead 'features' being exploited has something to do with popularity
"All software is buggy", some software is much worse than others it would appear
In a few months we will be hearing from the same people how much better Windows is now that all the problems are fixed and things like this will never happen again, that "those lunix zealots just will never get over it, its not 1998 anymore l00Z3R$", that Windows is just as secure as anything, and on and on it goes...
It's time for a new soundbite...
Windows, only usable if your time is worthless.
Look, Mr. Softy has become the richest outfit on earth by understanding the fundamental truth: people are sheep.
You can lead those sheep to water, but it's going to take an enema to spare them from death by dehydration, oral methods carrying too great a drowning risk.
I guess that may have sounded negative.
Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
It's the core security problem of Windows: the development culture doesn't respect security. Developers went for decades of DOS and Windows 3.1/9x without needing to worry about users and permissions. So they got used to assuming they could write wherever they wanted. When real user separation and permissions became mainstream with Windows 2000 and XP, they weren't prepared to change. Because so much software required full access, the easiest way to get stuff running is to run in an Administrator account. And since so many people (developers included) run as Administrator, why bother doing the right thing? Games are usually guilty, but there are piles of business and research software that are equally guilty. My brother is a sysadmin for a research lab. To keep Administrator access out of users' hands, he has to bend over backwards to get the machines running the software his users need. A 2005 release of a $3,000 package that refuses to be placed in a directory with whitespace or a tilde, meaning it can't be installed in C:\Program Files. A $500 package that demands write access to a file in the C:\Windows directory.
This is one case where backward compatibility came at the expense of security. The development culture is moving too slowly. Bigger companies are starting to do the right thing and you get the occasional smaller development house following the rules. The killer is that huge mass of more specialized software. Apple bit the bullet when they cut over to Mac OS X; software had to do the right thing or it stopped working. Microsoft needs to make such a dramatic change or we'll be putting up with this bullshit for at least another five years.
Here is some information on the WMF threats.
OR they could sit back and watch MS sweat
F-secure mentions these as bad URLS:
"And finally, you might want to start to filter these domains at your corporate firewalls too. Do not visit them.
toolbarbiz[dot]biz toolbarsite[dot]biz toolbartraff[dot]biz toolbarurl[dot]biz buytoolbar[dot]biz buytraff[dot]biz iframebiz[dot]biz iframecash[dot]biz iframesite[dot]biz iframetraff[dot]biz iframeurl[dot]biz"
Why not just put them into a HOSTS file as a 127.0.0.1 and avoid it?
No, Slashdot isn't "to blame". Stop talking like Zonk.
I'd believe that a few "prank" infections (IM) have occurred because of the publicity. I'm honestly surprised that no one seems to have posted these .wmf files to popular forums that I read. I'd guess that it's because the company exploiting this vulnerability the most -- Spyaxe -- is making a buck off of it, and mere pranksters won't.
Anti-virus and virus writers follow different websites that were already posting the details of the WMF vulnerability and the exploits. Slashdot did not have anything to do with that.
Thanks to Slashdot, I found out about this vulnerability in time to shut off our company's internet access before people came in to work, and find out what to do (unregister shimgvw.dll, add rules to IDS, send alarmist email to everyone explaining what to look out for). I'm sure that thousands of other admins found out about this within 24 hours, thanks to Slashdot, and were able to warn co-workers, friends, and family.
It's very different to ask "Is the publicity from Slashdot to blame?" vs. "I'm curious to know the effects that the media has on catalyzing the growth of exploits like this." I'm curious too, but *very* glad that Slashdot reported this exploit.
Everyone is entitled to his own opinions, but not his own facts.
What I'd like to know is -- how long has this exploit been "in the wild?"
If it has been there since WMFs began, that's a long, long time. We're talking Windows '95 or earlier. It all depends when the GDI callbacks feature was added.
So here's what you need to consider: since this exploitable code first "shipped" with Windows, anyone "in the know", e.g. potentially FOLKS AT MICROSOFT, the NSA, your neighbor, whomever ... they could have EASILY breached your Windows box, done whatever the hell they wanted, erased all their tracks ... and you'd have to convince a judge and jury it wasn't you.
If I build and sell a car that is advertised as having a security system, but that security system is defeatable by running a magnet over the car lock, and that information is "out in the wild" for years and years, maybe even by folks in my company... what is the legal liability?
The only three external things that will adjust Microsoft's behavior regarding security are: (1) customers switching to other products, (2) criminal justice investigations, and (3) lawsuits. I don't see #1 happening so long as customers remain locked in, #2 is a joke as we know, but #3 ... ?
I'll say it again.
Use Windows. Get Infected.
It's not restricted to unpatched Windows 98. It affects fully patched Windows XP SP2 running fully updated anti-virus.
Use Windows, and you'll Get Infected.
A firewall will protect you sometimes. Safe browsing will protect you other times. But in the end, something will get you. WMF, or a buffer overflow in IE, a spoofing vulnerability involving Windows Update, a Windows only Firefox bug.
use Windows. Get Infected. Period.
WhiteWolf666 an exBush supporter. All you new-school,compassionate,save the children Republicans can rot in hell
No, but laughing their asses off at the misfortune of others when you warned them..... 5 years in advance?
That seems reasonable to me.
Fuck up once, blame someone else.
Fuck up three times, blame someone else.
Once you've fucked up dozens and dozens of time, its your own damn fault. Pay some attention. Take some responsibility.
Sys Admins have a new way to keep their users' Windows machines up to date. Simply encode your updates into a WMF file and place it on the intranet home page.
Please read: http://kyeu.info/proxo/forums/viewtopic.php?t=699 I have created a filter that would kill any WMF-Exploit file, regardless of file extension. This is due to a new matching method I've discovered in Proxomitron, where it matches the magic bytes of known exploit files. Most people don't know Proxomitron can serve as a workaround to this issue. In my opinion, it serves the same protection as an antivirus in this case, as it's basically matching hex values and killing the connection upon a successful match.
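As an added example (not from the thread, the Proxomitron filter, or any poster), here is the content-based approach that the Snort signatures above, the "renamed to .jpg" comment and the Proxomitron magic-byte filter all rely on, written out as a small Python scanner a proxy or mail gateway could call: it identifies a WMF by its header bytes regardless of the file extension, walks the record stream, and flags META_ESCAPE records whose escape function is 9 (SETABORTPROC), the `26 06 09 00` pattern the second Snort rule keys on. The record layout follows the public WMF format; the sample files are constructed test vectors, not real files.

```python
import struct

# WMF format constants (public format facts, not taken from the thread).
WMF_PLACEABLE_KEY = 0x9AC6CDD7   # on disk: D7 CD C6 9A
META_EOF = 0x0000
META_ESCAPE = 0x0626             # on disk: 26 06
ESCAPE_SETABORTPROC = 0x0009     # escape function 9: the "26 06 09 00" the Snort rule looks for
WMF_STD_HEADER_LEN = 18
WMF_PLACEABLE_LEN = 22


def wmf_header_offset(data):
    """Sniff by content, not extension. Returns the offset of the standard
    WMF header, or None if the bytes do not look like a metafile."""
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == WMF_PLACEABLE_KEY:
        off = WMF_PLACEABLE_LEN
    if len(data) < off + WMF_STD_HEADER_LEN:
        return None
    ftype, hdr_words, version = struct.unpack_from("<HHH", data, off)
    # Type 1 = memory metafile, 2 = disk; header is always 9 words; version 0x0100 or 0x0300.
    if ftype in (1, 2) and hdr_words == 9 and version in (0x0100, 0x0300):
        return off
    return None


def iter_records(data, off):
    """Yield (function, parameter_bytes) per record. Each record starts with a
    32-bit size in 16-bit words and a 16-bit function code. Stops on EOF,
    truncation, or a size too small to be a valid record."""
    pos = off + WMF_STD_HEADER_LEN
    while pos + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, pos)
        end = pos + size_words * 2
        if size_words < 3 or end > len(data):
            break
        yield func, data[pos + 6:end]
        if func == META_EOF:
            break
        pos = end


def scan(data):
    """Classify a blob: is it a WMF, and does it carry a SETABORTPROC escape?"""
    off = wmf_header_offset(data)
    if off is None:
        return {"is_wmf": False, "suspicious": False, "escapes": []}
    escapes = []
    for func, params in iter_records(data, off):
        if func == META_ESCAPE and len(params) >= 4:
            escape_func, _byte_count = struct.unpack_from("<HH", params, 0)
            escapes.append(escape_func)
    return {"is_wmf": True, "suspicious": ESCAPE_SETABORTPROC in escapes, "escapes": escapes}


def extension_mismatch(filename, data):
    """True when the content is a metafile but the name claims otherwise,
    which is exactly the case an extension-based blocklist misses."""
    return wmf_header_offset(data) is not None and not filename.lower().endswith(".wmf")


# --- constructed samples (test vectors, not real files) ---
def _record(func, params=b""):
    assert len(params) % 2 == 0          # records are word-aligned
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def _wmf(records):
    body = b"".join(records)
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300,
                         (WMF_STD_HEADER_LEN + len(body)) // 2, 0,
                         max(len(r) for r in records) // 2, 0)
    return header + body


BENIGN_WMF = _wmf([_record(META_EOF)])
# An escape record with function 9 and two placeholder data bytes: the shape the detector flags.
ESCAPE_WMF = _wmf([
    _record(META_ESCAPE, struct.pack("<HH", ESCAPE_SETABORTPROC, 2) + b"\x00\x00"),
    _record(META_EOF),
])
PLACEABLE_ESCAPE_WMF = struct.pack("<I", WMF_PLACEABLE_KEY) + b"\x00" * 18 + ESCAPE_WMF
JPEG_STUB = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"   # real JPEG magic, rest omitted

if __name__ == "__main__":
    for name, blob in [("clean.wmf", BENIGN_WMF), ("photo.jpg", ESCAPE_WMF),
                       ("placeable.wmf", PLACEABLE_ESCAPE_WMF), ("real.jpg", JPEG_STUB)]:
        print(name, scan(blob), "renamed:", extension_mismatch(name, blob))
```

Because the decision is made on the bytes, the verdict for `photo.jpg` is the same as for the same bytes named `.wmf`; note that the placeable (22-byte) header, which the two Snort rules do not account for, is handled here by locating the standard header before the record walk.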
After some hours looking at WMF file format I developed a fix for it:
http://www.hexblog.com/
My fix works for Windows XP systems. I have tested it on my machines.