Slashdot Mirror


Windows XP Flaw 'Extremely Serious'

scottott wrote to mention a Washington Post article with the news that the security hole we mentioned on Wednesday has widened. Computers can now be infected just by visiting infected web sites, or looking at images in the preview panel of older versions of Outlook. From the article: "At first, the vulnerability was exploited by just a few dozen Web sites. Programming code embedded in these pages would install a program that warned victims their machines were infested with spyware, then prompted them to pay $40 to remove the supposed pests. Since then, however, hundreds of sites have begun using the flaw to install a broad range of malicious software. SANS has received several reports of attackers blasting out spam e-mails containing links that lead to malicious sites exploiting the new flaw, Ullrich said."

21 of 630 comments

  1. Late breaking news from the article: by Anonymous Coward · · Score: 5, Funny

    "Mac and Linux computer users are not at risk with this attack, even if their computers run Microsoft programs such as Office or the Internet Explorer Web browser."

    Amazing!

    1. Re:Late breaking news from the article: by $RANDOMLUSER · · Score: 5, Informative
      At the risk of getting cluelessly flamed again:

      1) Yes, Virtual PC and WINE allow you to run Microsoft programs like Internet Explorer and Office.
      2) The vulnerability is in the Microsoft Windows Graphics Rendering Engine, which is a part of the Windows kernel, and is why the exploit affects Windows versions from Win98 to WinXP.
      3) Virtual PC and WINE running under Linux do not use the Microsoft Graphics Rendering Engine.
      4) Even if they did, a Windows program trying to run in a Linux environment is a fish out of water, and can't do much besides SEGFAULT and exit.
      5) Therefore, Linux (and Mac) users are safe, even if they are running IE or Office - just like the article said.

      --
      No folly is more costly than the folly of intolerant idealism. - Winston Churchill
    2. Re:Late breaking news from the article: by bushidocoder · · Score: 5, Informative
      Not to be nitpicky, but the graphics rendering engine is not entirely in the kernel on 2000/XP/2003. Most of it is in the Win32 subsystem which runs in userspace.

      The graphics rendering engine is divided between the Win32 subsystem which is a user process (csrss.exe), and the Win32 executive (Win32.sys) which actually runs in kernel space. The portion of the graphics system in the executive is limited almost exclusively to the actual displaying of images and direct interaction with the drivers that interface with the display hardware. I'm not 100% sure, but I can't ever recall there being a vulnerability found in this part of the executive.

      This specific vulnerability, like almost all image processing vulnerabilities, occurs in the image format parser, which is in the Win32 subsystem. As such it's not in the kernel and runs in standard user scope. I know this doesn't change the point you were trying to make, which was the vulnerability doesn't occur on other systems. I just wanted to correct the statement about it being a kernel vulnerability.

  2. Another /. dupe by Anonymous Coward · · Score: 5, Funny

    Guys, you keep posting that same story about a serious security flaw in Windows.

  3. Browser appliance by QuaintRealist · · Score: 5, Informative

    If you use Windows, go get the vmware browser appliance and use it - connecting to the internet through a virtual machine is like wearing gloves in the OR - it's just common sense.

    http://www.vmware.com/vmtn/vm/browserapp.html

    --
    Using plain ol' text since 1968
  4. Temporary Solution by Hank+Chinaski · · Score: 5, Informative
    run
    regsvr32 -u %windir%\system32\shimgvw.dll
    until a patch is released.
    --
    IAAL
  5. at work on a M$ machine by Alchemar · · Score: 5, Funny

    Would someone tell me if the "just by visiting an infected site" link, is a link to an infected site, or an article about the infected sites?

  6. Sorry to say it got me by aka_big_wurm · · Score: 5, Interesting

    I needed a bit of underground info (cd key) and went to the best site for that and without thinking I used IE -- couldn't have shut my browser down fast enough.

    Spent the next few hours removing all the junk that installed, I was lucky no root kits were installed.

  7. Gotta love it... by Chmcginn · · Score: 5, Insightful
    From the article:
    Reavey encouraged users to update their anti-virus software, ensure all Windows security patches are installed, avoid visiting unfamiliar Web sites, and refrain from clicking on links that arrive via e-mail or instant message.
    (Emphasis added by me) Three good pieces of advice, and... I mean, seriously, avoid visiting unfamiliar web sites? That's like saying "There's been lots of credit card scams recently, you shouldn't go into any store you haven't been to before."
    --
    Have you been touched by his noodly appendage?
  8. Come on, "editors", let's try to edit properly by Anonymous Coward · · Score: 5, Informative

    scottott wrote to mention a Washington Post article with the news that the security hole we mentioned on Wednesday has widened. Computers can now be infected just by visiting infected web sites, or looking at images in the preview panel of older versions of Outlook.

    There are two major factual errors here. One, the security hole has not "widened" - the scope of exposure is exactly what we read about Wednesday. Using shimgvw.dll to view a specially constructed WMF file results in system compromise (web site viewing of malicious WMF, previewing, opening w/MS picture and fax viewer, etc). The hole is exactly the same - exposure has increased, but the hole has not widened. Two: the web sites are not infected, they are malicious. The system is infected after visiting a malicious web site.

    The full (well, as full as it is now) MS advisory is here. I'm not very pleased with how MS is handling this at all, but that does not excuse this shoddy "journalism". How hard is it to state facts correctly? All you had to do was change a few words, and it would have read much more accurately:

    scottott wrote to mention a Washington Post article with the news that the security hole we mentioned on Wednesday is now affecting many more users. Computers can now be infected just by visiting malicious web sites, which are now rapidly increasing in number, or looking at images in the preview panel of older versions of Outlook.

    For the last sentence, note that I sent myself WMF files with Outlook 2000 and 2003 while running Sysinternals process explorer and never saw shimgvw.dll called. Opening a WMF attachment called it, but not previewing, so there might be three errors, but I didn't test all versions that way, so I don't know...

  9. Re:Solution by KilobyteKnight · · Score: 5, Informative
    Get another browser, such as Opera or Firefox.

    This is not an IE flaw. This is a Windows flaw. You can still be affected with other browsers, you just have to try harder. Anything using the Windows DLL that does the WMF processing will be affected.
    --
    When will Windows be ready for the desktop?
  10. Re:RootKit Revealer by GigsVT · · Score: 5, Informative

    You can't prove a rootkit doesn't exist on your system, unless you have a checksum database on read only media, and some sort of hardware (not firmware) method of computing those checksums.

    You can't even be reasonably sure of it without at least some checksumming system like tripwire.

    All you are doing is scanning for certain known rootkits. That's a weak strategy that's reactive and guaranteed to fail some of the time.

    --
    I've had enough abrasive sigs. Kittens are cute and fuzzy.
  11. Windows Major Foul-Up by spellraiser · · Score: 5, Insightful
    Larry Seltzer has a concise column about this exploit, where he doesn't exactly pull the punches on Microsoft. The most interesting piece of information there is this:

    The problem with the WMF (Windows Metafile) file format turns out to be one of those careless things Microsoft did years ago with little or no consideration for the security consequences.

    Almost all exploits you read about are buffer overflows of some kind, but not this one. WMF files are allowed to register a callback function, meaning that they are allowed to execute code, and this is what is being exploited in the WMF bug.

    I find this mind-boggling to the point of absurdity. Regardless of any supposed benefit gained by this, allowing a data file to execute arbitrary code upon it being viewed is simply begging for an exploit like this. No matter what spin Microsoft will try to put on this one, it makes them look bad. Extremely bad.

    --
    I hear there's rumors on the Slashdots
  12. Re:Real easy (temp) fix. by value_added · · Score: 5, Informative
    Start-->Run-->regsvr32 /u shimgvw.dll

    Good idea. But how do you "reactivate" this feature once a patch is released? I use IrfanView, but I also depend heavily on the thumbnail feature in explorer.


    Sigh. I do wish people would offer some information with their click here/type-this instructions so people would understand WTF they're doing.
    regsvr32 - This command-line tool registers .dll files as command components in the registry.
     
    regsvr32 /u /s /n /i[:cmdline] dllname
     
    /u unregister server
    /s silent
    /i call DllInstall passing it an optional cmdline, when
            used with /u calls dll uninstall
    /n do not call DllRegisterServer; this option must be used
            with /i
    To register (or re-register) the dll:
    regsvr32 shimgvw.dll
    To run the command, you can use a console window (cmd.exe), or the Run dialog box (accessible from the Start Menu).
  13. Re:Not a total solution... by jafiwam · · Score: 5, Informative

    That's not enough.

    The flaw can be used with a JPG file (read: the image of the button, or the site seal, or the photo) in the web page.

    And since the flaw is in data in the header of the WMF file type, it can be executed even if the file extension is not WMF.

    In other words, if you are seeing images on web pages with Windows, you can get this. No downloading is necessary even in other browsers. Until it's patched, the only true safe method is unregister the DLL or don't get on the internet with Windows at all.

    As an FYI, I had to deal with this thing several weeks back when it was rare. (The bimbo doesn't remember what web site did it.) IF you do, just pull the drive, mount it on another machine, get your data, and wipe the damn thing. It's a really really tough infection to clean. It screwed the OS more ways than Courtney Love and ate so much CPU it was unusable. PLUS it downloaded other stuff and started to try to infect other machines on the network.

    Shoot to kill this one guys, the patient is already dead.

  14. IDS signatures by Cally · · Score: 5, Informative
    The Microsoft advisory says:
    ** Are there any third party Intrusion Detection Systems (IDS) that would help protect against attempts to exploit this vulnerability?

    While we don't know of specific products or services that currently scan or detect for attempts to render specially crafted WMF files, we are working with our partners through industry programs like VIA to provide information as we have it. Customers should contact their IDS provider to determine if it offers protection from this vulnerability.

    Snort sigs have been available from BleedingSnort for some time now; I pushed them out to our corporate IDS yesterday morning.

    (Warning, mangled by Slashcode - remove newlines)

    #by mmlange alert tcp any any -> $HOME_NET any (msg:"BLEEDING-EDGE CURRENT WMF Exploit"; flow:established; content:"|01 00 09 00 00 03 52 1f 00 00 06 00 3d 00 00 00|"; content:"|00 26 06 0f 00 08 00 ff ff ff ff 01 00 00 00 03 00 00 00 00 00|"; reference:url,www.frsirt.com/exploits/20051228.ie_xp_pfv_metafile.pm.php; classtype:attempted-user; sid:2002734; rev:1;)

    # By Frank Knobbe, 2005-12-28 alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT WMF Escape Record Exploit"; flow:established,from_server; content:"|01 00 09 00 00 03|"; depth:500; content:"|00 00|"; distance:10; within:12; content:"|26 06 09 00|"; within:5000; classtype:attempted-user; reference:url,www.frsirt.com/english/advisories/2005/3086; sid:2002733; rev:1;)

    Once again it looks like Microsoft are going to escape the 'perfect exploit' meltdown by the skin of their teeth. This is exploitable remotely, but Dr Evil can't sit at a console typing in arbitrary IP addresses to 0wn with the exploit. On the other hand you can get close to that sort of thing using Metasploit Framework.

    --
    "None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
  15. Firefox? by freg · · Score: 5, Interesting

    Could someone please elaborate on whether using Firefox browser will help avoid this security hole.

    1. Re:Firefox? by 99BottlesOfBeerInMyF · · Score: 5, Informative

      You can be infected whenever Windows uses its default image viewer to display certain image types. This means there is a long list of applications that are vulnerable that rely upon the image viewer code, but as far as I know no one has yet compiled that list. Windows uses this code when previewing images (for example). The current way this is being exploited is to tell your web browser to open an image (wmf and jpg that I have heard about) in the picture viewer. On IE, this behavior defaults to happening automatically. That means you go to a page and it installs whatever code it wants. With Firefox, you go to a page and a dialogue asks to open a .jpg or .wmf file. If you agree, it installs whatever, but if you decline you're in the clear.

  16. more serious by spacemky · · Score: 5, Informative

    And not only does the exploit work with .WMF (Windows MetaFile), but if the attacker renames it to, say, .JPG, Windows will detect this as really being a .WMF, and STILL execute it. Pretty serious stuff. See this bugtraq link for details.

    --
    640YB ought to be enough for anybody.
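An added example, not from any of the posts above: a small Python scanner that makes the point of comments 13, 14 and 16 concrete by recognising a WMF from its header bytes (the same six bytes the Snort rules match) and walking its records for a META_ESCAPE record that carries SETABORTPROC, whatever the file happens to be named. The record layout and constants are taken from the MS-WMF format as I know it, not from the page, and the sample files are constructed.

```python
import struct

# WMF constants from the MS-WMF format (assumed here, not taken from the posts)
META_ESCAPE = 0x0626        # escape record; its first parameter selects the escape
SETABORTPROC = 0x0009       # escape that registers a callback, the point comment 11 makes
PLACEABLE_KEY = 0x9AC6CDD7  # optional 22-byte placeable header that may precede META_HEADER

def find_abortproc_records(data):
    """Return offsets of META_ESCAPE/SETABORTPROC records, or None if data is not a WMF.
    The decision is made on content only, never on the file extension."""
    off = 22 if len(data) >= 22 and struct.unpack_from("<I", data)[0] == PLACEABLE_KEY else 0
    if len(data) < off + 18:
        return None
    mtype, hdr_words, version = struct.unpack_from("<HHH", data, off)
    # the Snort content "|01 00 09 00 00 03|" on the page is exactly these three header fields
    if mtype not in (1, 2) or hdr_words != 9 or version not in (0x0100, 0x0300):
        return None
    off, hits = off + 18, []
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if size_words < 3 or func == 0:      # malformed record or META_EOF
            break
        if func == META_ESCAPE and off + 8 <= len(data):
            if struct.unpack_from("<H", data, off + 6)[0] == SETABORTPROC:
                hits.append(off)
        off += size_words * 2                # record sizes are counted in 16-bit words
    return hits

def classify(data):
    hits = find_abortproc_records(data)
    return "not-wmf" if hits is None else ("suspicious" if hits else "clean")

# --- constructed sample inputs (not real captures) ---
def _record(func, params=b""):
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params

def _wmf(records):
    body = b"".join(records)
    max_rec = max(len(r) for r in records) // 2
    return struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, max_rec, 0) + body

SETMAPMODE = _record(0x0103, struct.pack("<H", 1))             # harmless drawing-state record
CLEAN_WMF = _wmf([SETMAPMODE, _record(0)])
# escape record selecting SETABORTPROC, with four zero bytes of escape data
ESCAPE_WMF = _wmf([SETMAPMODE, _record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + b"\0" * 4), _record(0)])
JPEG_BYTES = b"\xff\xd8\xff\xe0" + b"\0" * 20                   # a JPEG start, for the renamed-file case

if __name__ == "__main__":
    for name, blob in [("clean.wmf", CLEAN_WMF), ("renamed.jpg", ESCAPE_WMF), ("real.jpg", JPEG_BYTES)]:
        print(name, classify(blob))
```

The extension is never consulted, which is why a renamed .jpg still comes back as suspicious while a real JPEG is simply reported as not a WMF.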
  17. Re:Well, Duh... by Foofoobar · · Score: 5, Funny

    When is a Windows flaw ever not extremely serious?

    Oh wait... I know this joke...

    When it's a feature :)

    --
    This is my sig. There are many like it but this one is mine.
  18. The time has come.. by wraith0x29a · · Score: 5, Funny

    ..to add a new mime-type definition to the Windows defaults..

    Identifier: X-Application/WinTrojan
    Name: Windows Trojan File
    File Extension Pattern: *.wtf

    --
    ~ Better a freak than a sheep. ~