New IM Worm Exploiting WMF Vulnerability
An anonymous reader writes "Less than four days after the original mailing list posting, there are reports of a new Instant Messaging worm exploiting the unpatched Windows Metafile vulnerability. This worm is using MSN to spread, reports Viruslist.com."
These would be good things to know...
http://www.TheGamerNation.com/Forums
Looks potentially nasty.
You are not the customer.
Well that didn't take long.
There is information available on temporary fixes from the following sites
http://isc.sans.org/diary.php?rss&storyid=996
http://www.f-secure.com/weblog/#00000760
http://www.grc.com/sn/notes-020.htm
Be aware the runnable patch is completely unofficial; the only action Microsoft suggests is unregistering a vulnerable DLL, which only mitigates the most common method of exploitation while not fixing the underlying problem.
NFI how long it will take Microsoft to have an official patch out, but from the SANS site, it doesn't look promising that it will appear soon.
My prediction: in 2006, MS innovation will lead the way in new fronts!
The war with islam is a war on the beast
The war on terror is a war for peace
You MUST mean MSN Messenger.
From MS' site: 4: Block pop-up windows in your browser
My credit union requires that I allow pop-ups! I don't know how many times I've gone to legitimate websites and scratched my head for a while trying to figure out why I wasn't seeing anything - all because I'm blocking pop-ups! Firefox tells you with that little message on top of the window, but you know how it is, after a while, you don't notice it anymore.
There's a patch available here
...a dedicated, well-written, well-publicized effort to educate the general public about this sort of thing. We need to establish a meme among the Joe Sixpacks, Moms and Dads, and Grandma Sues of this country that they're foolish if they don't read stories on [whatever].com each week. And on that site, we need to explain, in plain English, [A] what the flaw could do to their computer, [B] what they can do to temporarily/permanently fix the flaw, and [C] what the flaw is due to (99% of the time, this will be 'due to Microsoft software').
Microsoft obviously isn't interested in having an educated user base, or they'd make such a site themselves and advertise it extensively.
Who's with me?
With spending like this, exactly what are "conservatives" conserving?
Beware of this IM-Worm which spreads via MSN using a link to "http://[snip]/xmas-2006 FUNNY.jpg".
Though it's spread mainly in the Netherlands, as the link says.
An up-to-date antivirus should keep you safe.
IM is just a personal private email system, period. Try using email; you can even use filters to pick your friends' messages out of the background noise, like inter-departmental mail.
To fix the security risk of IM, either you give up the point-to-point email that it is, to force it through filtering servers (sounds like email there again), or the anti-virus programs on every machine will have to start filtering all that traffic too (wait, they are doing this for email today also!!)
--
When will people learn that NEW is not always GOOD.
Talk about trolling flamebait. Apple makes money on hardware, not operating systems, so it behooves them to make their operating system work on their hardware. The nice thing about this is that they make some damn nice hardware (I'm typing this on a PowerBook), and that they have very little incentive to 'feature-pack' their OS like Microsoft does -- so you get less in the way of quirky 'features', and a hell of a lot of functionality.
Plus, OS X is a Unix, which means it plays nicely with other Unices, and it behaves like a Unix on the command line -- so I get all the power of pipes, vi, Bash, the BSD ports collection (a la Darwinports), gcc, and so on. On the GUI side, it behaves like a Mac -- and I think you'd be hard-pressed to fault Apple for their GUI design.
Best of both worlds; you just have to shell out a slight premium for the hardware, and given that you get a REAL OS with it, I'd say that Mac offers a better bargain for the desktop user than any Dell or Gateway.
--
I Hit the Karma Cap, and All I Got Was This Lousy
Since the first exploit came to light, H.D. Moore of the Metasploit project has reworked the original package they did. The new exploit spits out exploit WMF files that come:
- with a random size;
- with no .wmf extension (.jpg), but could be any other image extension actually;
- with a random piece of junk in front of the bad call, carefully crafted to be larger than the MTU on an ethernet network;
- with a number of possible calls to run the exploit listed in the source;
- with a random trailer.
This makes it rather hard for antivirus and IDS sigs to detect it, though Snort and the A/V people are working late over their holidays to improve detection. SANS/ISC have provided excellent continued summaries of events around this. Here's their FAQ on the issue.
This is looking truly horrible. On Tuesday morning zillions of Windows desktops will be fired up for the first time in a week or two. This thing's already in widespread use by a number of malware distribution networks for the usual reasons. As such it's a nightmare for network and system admins with Windows machines to look after (and us security people trying to provide advice & assistance for them...) But the stealth nightmare is that this is an absolute jackpot for the less visible targeted attacks, such as those emanating from China for the past couple of years (google around, Slashdot and Schneier have covered this as well as many other places.) There are also the opportunistic types who see an easy opportunity to pwn some key machines where they work, say. I will stick my neck out here and make a prediction. Virtually all organisations with Windows machines are effectively wide open to total compromise by a reasonably informed person. That means much of the IT dept as well as significant numbers of the 'interested poweruser' types, developers with a casual interest in security... anyone who's heard of this and is capable of finding, running and using the new exploit, basically. Of course we're all tweaking our IDSes and antivirus, locking things down as tight as possible in the 48 hours remaining, but... *shudder*
For ten years I've been waiting for Microsoft's luck to run out. This is about #3 on my list of catastrophic MS incidents. There aren't many ways things could be worse.
It will be a good time to be running Linux on work machine, though :)
Microsoft recommends, for the time being to just
regsvr32 -u %windir%\system32\shimgvw.dll
BUT according to this analysis, the real fault lies with gdi32.dll ! How the hell do you get rid of that? It's about as deeply embedded in windows as, say, glibc is in Linux distributions..
SCO employee? Check out the bounty
First of all your comment is largely off-topic, causing mine to be as well, but I am only responding to this because I could not bear to read what you wrote and not answer (Mods, please be compassionate!)
You are addressing two largely unrelated issues as one: Freedom of software, and usefulness of the company. Allow me to address them seperately.
The former (Freedom) is a much bigger problem with Windows than Macs, at least with Mac OSX. Sure, they both use proprietary code, but at least Mac OSX uses some Free software.
The latter (usefulness) is very subjective. No doubt Microsoft would think they are useful, while Apple thinks they are. As much as I do not like Microsoft, I am going to have to say that it *and* Apple were both useful, if not so much now. They did start a revolution of computing at home. Unfortunately, it has taken a bad path over the years, but it is the same sort of idea.
As a final note I would like to ask, why did you think you would get +5 funny? I find nothing funny about what you wrote.
... when Hulkamania runs wild on you? Oh, wait, WMF. Never mind.
It's unofficial, but it works.
http://www.hexblog.com/2005/12/wmf_vuln.html
I'm impressed at the timing on this one -- it hits during the slowest time of the year.
I figure the exploiters, even if they aren't the fastest in the bunch, will have massive penetration by the time people start modifying their systems to protect themselves.
So I'm wondering if the bad guys knew about this one for a while and just waited until now to spring it, or did the Microsoft customers just get profoundly unlucky.
Steve Jobs is probably laughing away over this one.
http://www.thebricktestament.com/the_law/when_to_
Ah, Slashdot... where the first post is modded "redundant".
What we need now is for someone to find a remote exploit in a popular webserver and combine both exploits into a worm, 'cause then we're all really fucked.
Belief is the currency of delusion.
Are images turned off when browsing?
That's right, Timmy. Your purely subjective opinion is the ONE TRUE WAY. You let those dirty conservatives know it, Timmy. I'm proud of ya.
Slashdot - where whining about luck is the new way to make the world you want.
I've noticed numerous TGP porn sites have been trying to get me to open a WMF file (Not that I uh.... would know about this first hand or anything ;p). Didn't think there was anything to it until seeing this article- my guess is it's being used to install crapware of some kind.
lucky I'm using Linux.
but somebody can finish this joke... it has to do with a hacked Windows PC... I am teh lose today.
"and on the 7th day 'after' Christmas my true-love gave to me"
Doesn't this virus still require the user to click a link? It's not fully automated?
Why are so many people making it sound like the end of the world?
you just have to shell out a slight premium for the hardware, and given that you get a REAL OS with it
A real OS that won't run a large proportion of the software people want to run. It doesn't matter how good it is it's how practical it is that counts. I'd quite like an Apple myself but it can't do everything that I want my Windows box to do. Same reason that I have a Linux partition rather than a solely Linux box.
Does a Christian soccer team even need a goalkeeper?
separately
An exploit of "gdi32.dll" using a WMF file for the attack was documented back in November. Does this new exploit use the same attack approach?
Yea, it was a real rib tickler, alright.
Right, sorry for the typo.
No one said that using something other than Windows would solve all security problems, only this one. The grandparent was entirely correct in its observation.
Get a patch here: http://www.hexblog.com/2005/12/wmf_vuln.html
All the necessary information and explanation (plus q/a) is here. This is the only hope at present. Good luck to everyone on Jan 2 when this thing takes over the world.
Why in the world would a WMF file need to be able to execute a script? And aren't most of Microsoft's vulnerabilities related to the wanton running of scripts without a user being aware that it's happening?
The nice thing about this is that they make some damn nice harware
You have got to be kidding. My iBook came with dead pixels and a flaky keyboard. My iMac sometimes doesn't even power on the screen when you turn it on. My buddy has a G5 that required a new motherboard (and it still doesn't work right, the fans don't always come on and it overheats).
Apple stuff is good looking, trendy, and comes in a fancy box, nothing else. That's what you are paying for, not quality components. In fact, my generic systems have been of better quality over time than any Apple hardware I have ever used.
If everybody bought their grandma an iMac, there would be a lot more exploits on them than there are now. As many as wintel boxes? Probably not. But more than there are now.
Have you been touched by his noodly appendage?
If you're an IT pro and you're running Windows at home, you should have your boxes imaged so you can just unhook from the net, image, apply the fix, take a new image and hook back up to the net. Seven boxen shouldn't take you more than a couple hours -- less if you use a standard image.
If you're setting this up for the first time, don't forget to redirect "My Documents" to a different partition, or better yet a server with a backup regime. Oh, yeah, and choose the "Activate Windows over the phone" option before you make your first image so you don't have to re-activate each time.
If you're an IT pro and you're not using Windows at home, take the extra hours and spend some holiday time with your friends and family. Life is short.
Help stamp out iliturcy.
Twelve IRC bots spying,
Eleven worms-a-wriggling,
Ten Paypal phishes,
Nine ActiveX holes,
Eight Blaster variants,
Seven Sony rootkits,
Six keystroke loggers,
Five porn diallers!
Four Exploit.WMFs,
Three Mytobs,
Two Bifrose-Ds,
And a homepage stuck on goatse.
(You, ettlz, rock.)
You can hold down the "B" button for continuous firing.
i would guess its like a situation of choosing to be haunted by
1 a sixth circle poltergeist that sometimes does nice stuff for you
and
2 a ninth circle daemon that not only gets hostile with you but always has hordes of Imps trashing your place
aka "the lesser of two evils"
Any person using FTFY or editing my postings agrees to a US$50.00 charge
Microsoft Word? Microsoft Excel? Powerpoint? Outlook (Entourage)? Photoshop? Quicken? Dreamweaver? Firefox? Illustrator? InDesign? GoLive? Flash, Freehand, Fireworks? Or most anything not native that will run under Virtual PC?
I just bought a Powerbook recently, and have everything covered that I had running on my Dell. So I guess I'm not sure what major software is missing that most people want to run...
Oh. You must mean GAMES. Okay, but personally, I'd get a "real" computer, and then buy a PS2 or XBox to pound on...
Any sect, cult, or religion will legislate its creed into law if it acquires the political power to do so.
I can understand spreading the fact that the exploit exists. I could maybe argue whether or not you should spread info on the exploit. I can barely see why one would make an example exploit.
But why would someone make a program specifically designed to make an undetectable/untraceable version of the exploit?
I can only see harm coming from this.
And I'm sorry, but "because it's there" doesn't work when you know there's only negative outcomes of what you do.
http://lkml.org/lkml/2005/8/20/95
Oh. You must mean GAMES. Okay, but personally, I'd get a "real" computer, and then buy a PS2 or XBox to pound on...
some people like consoles and i must admit there are a few console games that i quite like but no console even comes close to the back catalogue of PC games (though admittedly a lot of those can be hard to make work on the non-dos versions of windows) and even if they did very few console games support mods or even custom maps and internet play is a pretty new feature for consoles (yet its something the PC has been doing for years).
note: I'm known as plugwash most places but I screwed up registering that here somehow in the past and now can't register
Try this: regsvr32 /u shimgvw.dll
lol no im not a wmf worm!
In Soviet Russia, backwards is everything.
You sure?
Hint: Think different.
Apple stuff is good looking, trendy, and comes in a fancy box, nothing else. That's what you are paying for, not quality components.
Hell yes, mod parent up! Most people who buy Apple are doing it because they are trendwhores who want to be seen as hip. Just look at the number of fuckwitted emo kids on Livejournal who use Apple products and you'll understand.
It is just like iPods. There are plenty of other great mp3 players out there but people choose iPods because they want to look like cool hipsters with the trademark white ear buds, etc. Apple users are some of the most sheeplike people that I have ever met. There is a real reason why they call it the cult of the Mac. Fuck new age corporate hippies like Steve Jobs. Fuck proprietary hardware bundled with proprietary operating systems. And fuck the entire obnoxious Apple userbase. Fuck them like the simple minded whores that they are.
It doesn't have to be major software though does it? It just has to be a device with Windows-only drivers that you need to use or an app that will never be ported to anything but the latest version of Windows. You forget that people use PCs for all sorts of things and that a lot of things will only work with a Windows box. Otherwise I'd be typing this in Linux right now instead of being in Windows about to log on to my favourite MMORPG which only runs on Windows.
All those apps above either exist natively or can run with Crossover. That isn't the case with everything though, the above-mentioned MMORPG refuses to run under WINE, Cedega or Crossover.
e.g. is there a way for a remote user to make it display a WMF without the recipient's consent?
I've got a big box of old PC games but as you said, w/o a DOS-based Win95-class system (which I no longer own) I can't play most of them anyway. And it will be interesting to see what "Virtual PC" options become available on the x86-based Macs. It could well be that one could have the best of both worlds...
At least back to +3 so anyone who reads it will see the clarification. As it stands this is very uninformative.
to: all contacts
==========
omgzz listn ths whateva u do if cmdrtaco@hotmail.com adds u, do not ACCEPT!!! its a virus and wll brk msn!! frward ths msg to every1 lt thm kno.
...to block AIM & MSN chat, and all their clones, at the corporate firewall. Before it was simply a time wastage issue...now it's a big security risk.
Most people's favorite MMORPG already runs under OSX. ;)
GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
I think switching OSs is a less difficult proposition for someone who has time to read slashdot than picking up your family and moving is for someone who can barely feed his or her own kids.
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
I'm willing to bet that if you took a survey of 100 random mac users, the majority would say that the OS is the reason they got it, not the hardware.
Apple seems to agree with me: They're changing over to the same hardware that Windows PCs run on.
NOD32 (www.nod32.com) catches it. Supposedly McAfee can catch it as well, but Norton doesn't.
Hunt your preferred prey at Aliens vs Predator MUD. Join the war at avpmud.com port 4000
ScummVM and DosBox will allow you to play nearly all DOS based games under XP, rediscover your games.
All of my Linux boxes work, yet I never had to pay for Debian or Gentoo. Why can't software that I paid for work properly?
Ok, done venting. Thanks for that.
"Avoid employing unlucky people - throw half of the pile of CVs in the bin without reading them." -- David Brent
From http://isc.sans.org/diary.php?rss&storyid=994 :
1. Microsoft has not yet released a patch. An unofficial patch was made available by Ilfak Guilfanov. http://handlers.sans.org/tliston/wmffix_hexblog13.exe Our own Tom Liston reviewed the patch and we tested it. The reviewed and tested version is available here (now at v1.3, MD5: 14d8c937d97572deb9cb07297a87e62a). THANKS to Ilfak Guilfanov for providing the patch!!
2. You can unregister the related DLL.
3. Virus checkers provide some protection.
To unregister the DLL:
* Click Start, click Run, type "regsvr32 -u %windir%\system32\shimgvw.dll" (without the quotation marks), and then click OK.
* A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.
Horns are really just a broken halo.
Don't forget Linux is ready for the desktop- not all distributions but some are. Linspire mainly, but Xandros also is getting better. Both beat Fedora, Ubuntu and others in terms of integration. You get support for commercial DVD (with CNR'd DVD player), streaming video (through the web browser), Flash, Java, win4lin (win9x boots under 10 seconds with Linspire on 750MHz), auto mounting of CD/DVD/USB flash (full support, not just half-ass support like other distros), support for most file formats like PDF, MP3, Real, Windows Media, & QuickTime. :) Linspire truly is the best distribution and not cause they support evil formats but because they support open source so much. Mac OS X isn't bad since they turned it into a Unix clone but they still are an evil company like Microsoft. Don't be fooled- Linspire just appears evil but it's not. The whole OS is essentially open source except the stuff they have licensed. Proof- just look at Xandros as they now include everything Linspire has put money into (ie Lphoto, Lsongs, etc).
I know next to nothing about Instant Messaging clients, but is it possible that an employee could have left his computer powered on, and logged into windows, and with an IM client running on his desktop, and could that IM client then download this worm automatically [without any manual user input, such as clicking on a link]?
I.e. might it be the case that when Admins return from New Years' vacation [Monday, or Tuesday, or whenever], there could be [quite literally] MILLIONS of infected desktops?
And I trust downloading a DLL that injects into gdi32...why? I'll just do what I always do to avoid viewing pictures that I don't need (goatse, web beacons, etc.).
Who is this guy and why should I trust him? Or better yet, is the code open-source, or is the exact method publicly available so I can write my own hook?
Mind you, the only ones who know enough of the Windows internals to pull such a stunt are Microsoft employees, and I seriously doubt they'd risk a stunt like that. Especially as they'd likely be on said chair when Microsoft's CEO lobbed it off the roof.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Ok, ignore my other message, I trust him.
Information of how to obtain a fix is available here.
The SANS guys have reverse engineered it and given it the thumbs up if that's any help to you : http://isc.sans.org/diary.php?storyid=999
So, you're saying they lose money on the OS? I don't think so. They release more upgrades, which you must pay for, than Microsoft. That's for sure.
You may have been only talking about yourself, but it made it sound like there were no options for anyone... like the Mac.
How ironic you actually used the word "switch".
Unless you NEED to run Autocad or something along those lines, there are very few people anymore who really cannot switch to a Mac.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Yet another fine reason to use Trillian, GAIM, or other multi-service messaging clients of the sort. Since some of these clients are open source, bugs can be fixed immediately. Others, like Trillian, don't have these kinds of security holes because these worms are designed for a specific client.
You swallowed and regurgitated the MS line perfectly: always blame the users. Users were not the reason IE exposed an UNPATCHED remote code execution bug for all EXCEPT 7 days of 2004 (http://bcheck.scanit.be/bcheck/page.php?name=STATS2004). Users are prevented by law and the MS cops (BSA) from seeing or tinkering with MS code, yet you and MS blame them for the damage they suffer due to the lousy quality of MS code.
The users did not create the incestuous, inherently insecure entanglements among the "apps" and operating system in MS Windows. There is no warning on the box of MS Windows saying that the product is unsuitable for use by new users of computers. There is no warning on the box of MS Windows saying that only experts in network security have any chance of safely using the product in any computer that is not completely isolated from others.
How many more years and MS Windows versions will trolls, astroturfers and shills directly dispute the evidence and continue to claim both that MS Windows is suitable for uneducated users and that those users are to be blamed for not being security experts?
MS Windows is demonstrably unsuited to any networked environment. MS Windows is demonstrably unsuited for use by anyone who is not a highly trained network security expert.
Save your friends from the dangers of MS Windows: install GNU/Linux for them and don't give them the root password.
You confuse the definition of hardware.
I bought a Mac for the OS. So I agree with such a statement, but as for the hardware, people want to buy hardware that 'just works'.
I spent several hours today getting a video card working on a Windows XP machine. The entire process was stupid. The error messages were useless (and wrong). The FAQs I read hinted at the issues, but didn't address them. In the end, to get the video drivers to do anything I needed to install new drivers for everything else on the system (which, without good cause, I am reluctant to do as they could conceivably break something that is working just fine). [And even this didn't solve the problem till I put the old video card in, cleaned out all the attempted install of drivers, re-installed the new video card and re-ran the entire process.]
The process to get hardware working on a Mac, in my experience, is far easier and less troublesome. It seems to be far better controlled and thought out. Less ad-hoc.
That is something I am entirely willing to pay for. (And also why I don't run Linux, which suffers the same issues...)
Uh, if anything, OS X comes with *more* stuff "bundled" than Windows.
On the GUI side, it behaves like a Mac -- and I think you'd be hard-pressed to fault Apple for their GUI design.
The Dock? General sluggishness on anything but fire-breathing G5s? An inability to decide what their applications should look like and why?
Best of both worlds; you just have to shell out a slight premium for the hardware, and given that you get a REAL OS with it, I'd say that Mac offers a better bargain for the desktop user than any Dell or Gateway.
This should be pretty funny. Just why isn't Windows a "REAL OS" ?
I have seen in the past week our work increase 5 fold because of this exploit. What is normally a very slow time of the year for us has become very busy for us and it's making me nervous myself.
I know next to nothing about IM/RSS software, so I am just speculating here.
But suppose you had some IM/RSS client [MSN, AOL, Yahoo, whatever] that had an image rendering aspect to it. For example, suppose your IM/RSS client were capable of rendering the JPGs in an HTML message.
Then it seems to me that if you had such an IM/RSS client running on your desktop, and if someone knew your IM/RSS handle, then they could send you an IM/RSS message with very elementary instructions for downloading the evil file:
and you'd be hosed without ever having clicked on any link. And if the worm were really smart, it could then install "thttpd" trivial http daemons to spread itself internally on any corporate network [via each person's IM/RSS "address book"]. If that's true, and if lots of employees left their computers running and logged into Windows with such "automatic" IM/RSS clients running on the desktop, then Tuesday or Wednesday morning [or whenever people decide to come back from their New Year's vacation], there could be literally MILLIONS of infected machines.
So the question: Are there IM/RSS clients that can download files automatically?
I've noticed numerous TGP porn sites have been trying to get me to open a WMF file (Not that I uh.... would know about this first hand or anything
In this particular instance, I think I'd choose first hand knowledge over second hand knowledge.
You are arguing "because it's there". Why did someone do it? Because they could. Or, go to back to the mountain climbing roots of the original quote, because then others would know it can be done (and you've done it).
It doesn't take an example to show it can be done, thanks. Believe it or not, even Microsoft understands software is mutable.
A simple explanation is plenty.
As to your comment that the people we really need to worry about won't even be affected by this: history has shown this not to be true.
Apparently the attackers aren't awesome programmers because history has shown that the real danger comes after a sample exploit is made, not when the info becomes known.
Again, I just don't see why someone would need to make the most evil version of this possible and distribute the source code.
Not sure if this is the case for anyone else, but I've found that while I can preview thumbnails, ACDSee (latest version) no longer works, giving an "internal error" message and a white screen instead of the image. Still, better than getting pwned.
Is there an extension that will at least keep the Firefox toolbars and menus available in pop-ups even if the Javascript prohibits it?
So we're talking niche app's and/or hardware? That seems to be a bit different than the original statement regarding a OS that won't run a large proportion of the software people want to run...
Being a security specialist, I can see how this would alarm you, but I think it's not so bad. There have been numerous 0-day IE exploits before and the world hasn't ended.
First of all, this worm requires SOME form of user interaction... they either must go to a website that uses it, or be chatting on a specific IM app and get a malicious message. Second of all, due to the fact that 95% (yes, I pulled that stat out of my ass but I'm sure it's close) of Windows users run as admin, these exploits all assume admin privs and thus fall flat on their face if run by a non-admin user.
In a corporate setting users will normally (I HOPE) not be running as admin, which would effectively kill most if not all of the worms due to the fact that they assume admin rights, and AV apps are fully capable of detecting and blocking the actions of this exploit if they do get through.
There will be a patch soon, we will all apply it to our corporate networks and the world will continue to spin.
I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
WMF IS a script. now with root exploit goodness. :)
This ignores the fact that they're still the ultimate in proprietary lock-in.
But not in any useful way (I hate how unix has become a buzzword.)
So? You can on windows with cygwin too. That doesn't mean it's very useful. The power of unix is how all the systems are interoperable open and modular and everything is controllable from the commandline. With MacOS, it's like having a unix emulator strapped on the side of a run of the mill proprietary desktop platform.
You obviously hang around with a lot of Apple apologists and armchair UI experts.
Malike Bamiyi wanted my assistance.
plus you are locked into one vendor for both software and hardware.
why do people who suggest "alternatives" to the proprietary and closed-source os, Windows, name OSX, another proprietary closed-source os that cannot be decoupled from the vendor's hardware?
that's "out of the frying pan and into the oven" mentality.
the real alternative to, is a truly free (as in freedom) OS such as (GNU)linux. even freeBSD is far far better than anything else out there.
why, after having been bitten by windows, do people suggest to go with a solution from another pitbull (apple)?
DosBox works under OS X too.
After all, I am strangely colored.
The process to get hardware working on a Mac, in my experience, is far easier and less troublesome. It seems to be far better controlled and thought out. Less ad-hoc.
Of course, on the other hand there are very few Macs out there where you could even install a new video card. You don't have to support all kinds of strange hardware when most of your computers come with everything integrated and very little expandability. I'll take the upgrade woes and inexpensive commodity hardware over a disposable computer appliance.
It's odd but I've noticed a lack of Microsoft cheerleading over the past couple of days. I'm sure as soon as a patch is made for this latest Windows exploit the cheerleading with resume with the usual vociferous putridity. Shine on!
A Driver, on the other hand, is a piece of software that tells the OS how to interface with hardware. Usually they are shipped with either the OS or the product itself. They are also OS dependent.
Part of the problem with Windows is that the drivers that actually ship with Windows are considerably out of date. A number of them have not been upgraded since the initial launch in 2001. This is why each product from motherboards on down comes with a drivers disc. These discs are not there just to file in a case and ignore.
Linux distributions are a different ballgame. They tend to have a hardware auto-discovery program that runs on boot. From there, it tells the kernel which drivers (kernel modules) to load. Since almost all drivers in Linux are written by the kernel team, actually hitting a conflict between drivers written by the kernel team is rare.
ATI and NVidia cards are the exception to the kernel team written driver rule. These two companies don't want anyone to know how their drivers work, so they ship them as pre-compiled binaries. However, it's not guaranteed to be shipped in a particular distribution.
Even though OSX only has a limited subset of hardware (as pointed out by toddestan) that it has to deal with, not everything Just Works.
"reverse engineered"?
:( It was a single file, would have been pretty easy to read it and make sure it doesn't look like it does anything malicious, *then* compile it...
You do realize that the installer at hexblog dumps the source to the "install dir"? (The actual useful DLL goes into system32 instead...)
It would have been nice to have the option to get just the sources w/o the installer though
The 'patch' requires a reboot
Just thought I'd point that out for all you windows guys who worry about their up-time.
JPG, PNG, GIF etc. all have headers that should surely be checked before displaying the picture. Does IE not do this?
In short, do I have to actively click an "Open this file" dialog on the browser?
I imagine the worm's authors wrote just enough to execute a vbs file.
In theory though, an entire virus could be written in the wmf file.
Msgr opens the file locally, and creates a small jpg which is sent to the friend you're talking to as thumbnail.
A nasty user, using the MSN network, not using the official client, and sending WMF data instead of a jpeg preview picture might cause some trouble though!
IMs and email are exactly the same. The only apparent differences are in the implementations and the default (and available) settings for the clients, as well as the meta-communication functions of most IM clients that simply duplicate the features of 'what are you doing right now' systems of the past such as finger. My email client can pop up a notice the second I receive new mail, and even give me a text box to type a reply into. My IM client can store messages for me to read at my leisure. I can check my email on the web. I can check my stored IMs on the web. I can turn off my email client. I can turn off my IM client. Either way I can respond immediately or wait an hour. Either way the person on the other end has no idea what I am doing if I do not want them to.
How about the (at least) $500 you'll spend switching to the Mac? Not to mention the costs of repurchasing software like Office and Photoshop if you use those sorts of programs.
The system cost depends on if you were going to buy a new PC anyway, or if you are buying a new computer for someone else (like a business or a parent).
Furthermore most programs offer free crossgrades - Photoshop is one, and I think Office is at least reduced in price (not sure about that).
Switching to Linux means Photoshop or Office will not run at all - you can use replacements but they are not (quite yet) as compatible - I use Open Office all the time so I know how close it is but it's not quite there yet.
But really Linux is by any measure just not as easy to switch to as the Mac is right now. For some users it will be OK, for businesses with existing PC's I think it's perfect, but for lots of single users it's just not as good an idea at the moment (though it's getting there).
one word: fortinet
http://www.fortinet.com/FortiGuardCenter/wmf_advisory.html
But then again, when it was discovered that there was a simple way to get into Hondas using a pencil, did people go out and explain what it was? This actually happened in about 1994, and Honda fixed the problem once informed of it. But were the details widely publicized? No.
As to me offering "security through obscurity", you're trying to make a phrase fit that doesn't fit. Security through obscurity is to design a system where simply not knowing something is the security. Here I am merely speaking of not telling EVERYONE all the details of a security flaw while the company that is responsible fixes it. I didn't say you shouldn't tell Microsoft. I didn't say Microsoft shouldn't explain there is a vulnerability. I didn't even preclude details of the vulnerability being given out. I didn't even preclude someone writing an exploit to show it can be done.
What I did was condemn writing the most evil version of the exploit possible before the patch is even released, and then giving out the code so others can do it too!
You say it's to make virus scanners better. By making it bigger than an MTU, presumably to make sniffing firewalls better. Well, what about those of us who don't have sniffing firewalls? Am I well served by a metaexploit being written? And additionally, you say this will let people recognize the exploiters (worms) better. How are they supposed to do that? This program makes all the versions of its exploits look different. For that matter, how can someone even tell a legitimate user of this escape sequence from a worm? There are literally an infinite number of ways to write code that does identical things (exploit and propagate). So how can a program inspect code that is used with this escape command to tell if it propagates? Answer, it CANNOT. Even by running it you can't be sure, maybe you just didn't give it the right conditions under which to trigger.
The only thing that can be done is pattern matching, and this metaexploit defeats that.
Honestly, MS is just going to have to remove this feature and deal with the fallout. We just have to give them a little time to do it before handing weapons to those with criminal intent. It's like selling arms. It does increase fighting, even though in theory, people could already have made weapons to take out their grievances upon others.
Perhaps this flaw has been being used for years to get into machines. How does that excuse this? This metaexploit is neither going to undo that, nor is it likely to get MS to fix it faster. It just might get more people hurt before MS can write and test a fix.
In short, I do understand there are already some people who exploited this hole. But there's no reason to make the problem worse. And that's what releasing this code will do.
Additional note on "security through obscurity". The first major proponents of this were the people who decided that UNIX shouldn't hide passwords, instead just 1-way crypt them and store the results in a publicly readable file (passwd). Well, guess what, they were wrong. UNIX got greatly boned by this decision. It was wrong for two reasons.
1. Because it allowed offline and parallel dictionary attacks on user passwords.
2. Because it meant that you couldn't use any "shared secret" type of authentication, because UNIX didn't know your password. It could recognize it if you sent your password to it, but it didn't actually know it. This led to a lot of difficulties with protocols like POP and FTP sending your password in the clear.
Take a look in your /etc/passwd file on a modern UNIX machine. Do you see your crypted password in there? No? Well, perhaps there's a lesson to be learned there about whether obscurity really does have some value.
http://lkml.org/lkml/2005/8/20/95
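The /etc/passwd check the post above suggests, as an added example in Python (not code from the thread): it classifies each password field so that a file still carrying crypt hashes, or an empty field, stands out from the shadowed 'x' a modern system writes. The sample entries are constructed.

```python
import re

# Added example (not from the thread): audits an /etc/passwd listing for entries
# whose password field is something other than the 'x' that points to /etc/shadow.
HASH_PREFIXES = {"$1$": "md5crypt", "$5$": "sha256crypt", "$6$": "sha512crypt", "$2": "bcrypt"}
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")   # traditional 13-character DES crypt
LOCKED = {"x", "*", "!", "!!"}                 # shadowed or disabled: nothing to attack

def classify_password_field(field: str) -> str:
    """'shadowed', 'locked', 'empty', a hash-type name, or 'unknown'."""
    if field == "x":
        return "shadowed"
    if field in LOCKED:
        return "locked"
    if field == "":
        return "empty"
    for prefix, name in HASH_PREFIXES.items():
        if field.startswith(prefix):
            return name
    return "descrypt" if DES_RE.match(field) else "unknown"

def audit_passwd(text: str):
    """Return [(user, finding)] for entries a reader of the file could attack
    offline (hash exposed) or simply log into (empty field); malformed lines
    are reported rather than skipped."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((fields[0], "malformed"))
            continue
        kind = classify_password_field(fields[1])
        if kind not in ("shadowed", "locked"):
            findings.append((fields[0], kind))
    return findings

# Constructed sample: a shadowed root, a disabled daemon, and three weak entries.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
legacy:$1$aaaaaaaa$bbbbbbbbbbbbbbbbbbbbbb:1001:1001:Old box:/home/legacy:/bin/sh
olddes:AbCdEfGhIjKlM:1002:1002:Pre-shadow box:/home/olddes:/bin/sh
nopass::1003:1003:No password at all:/home/nopass:/bin/sh
"""
```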
Can Microsoft Windows AntiSpyware (Beta) program protect our system from this problem?
I'm glad once again that, whatever the rhetoric above and elsewhere, WMF is (yet) another thing I, as a Mac owner, don't have to deal with ... except for all the freakin' Windows boxes I have to administer for a living. =:-O
You don't even have to download the patch! It just tried to display patch.jpg.wmf, and then my system was patched! Must have self healed or something...
Well that's nice that they are the same in your setup. But what about the 200 million other users who don't have their email integrated into their life like you do. For them IM is much more convenient and practical.
What's stopping Microsoft from running IE in some sort of a sandbox? That keeps all those apps running but IE would be a lot safer, and IE is mostly where the viruses are getting in.
1. Don't use the MSN client, use something like Gaim.
2. Don't use the MSN protocol, use something like Jabber, ICQ or Yahoo!
3. Don't use Windows, use something like Linux.
Hey, works for me. And has for years. And not just for safety reasons either, among other things, you should never ever feed the trolls!
The dynamic patch uses Sony $rootkit code. Great.
No we aren't. We're talking most games, lots of apps and lots of devices. Look I think that Macs are great but calling people stupid for not wanting a system that costs more and doesn't run everything they want it to is a bit much really. People buy x86 systems with Windows because they know that it will run everything they throw at it albeit with all the 'joys' of malware and random crashing at the same time. My point was never that Windows is better, it's just so entrenched that either the EU taking Win32 off MS or a complete technological shift is going to move it.
A WMF file *is* a script, it's a vector language like postscript.
And aren't most of Microsoft's vulnerabilities related to the wanton running of scripts without a user being aware that it's happening?
Quite often, but this is just a good old programming error.
Do all anti MS /.folk now have these images as their IM avatar?
"you should have used linux, like i told you to"
Oh yeah? Linux too.
Yes, the bad guys have apparently been exploiting this for a little while. That's something we can agree upon.
But why does releasing the most evil version of it possible help anything?
I can see how it hurts, it helps those with criminal intent but no brains in making versions of the exploit that can't be detected.
But how does it help? It doesn't help make scanners better, as scanners have to pattern match and this defeats pattern matching. It doesn't help pressure MS, as they surely have a fire lit under them already.
Again, I ask not why would the "good guys" write an exploit, but why would they need to write a version meant to be undetectable? They are good guys, they don't have anything to hide, so why hide? You don't need to hide to see how the exploit works.
So they have a few different options checked. The available options are still the same, as is the range of behaviors.
The fix is from Ilfak Guilfanov.
To quote F-Secure (http://www.f-secure.com/weblog/archives/archive-122005.html#00000756):
"Now, we wouldn't normally blog about a security patch that is not coming from the original vendor. But Ilfak Guilfanov isn't just anybody. He's the main author of IDA (Interactive Disassembler Pro) and is arguably one of the best low-level Windows experts in the world.
More details from Ilfak's blog: http://www.hexblog.com./"
The guy is legit.
Big deal. If anything, that's part of the problem.
As to being merely *hard* to detect, I would say otherwise, well, at least as a practical matter.
Perhaps you don't understand this exploit. This isn't a buffer overflow issue, it's a legitimate part of the file format. You can embed code in .wmfs. It just happens that the code in some cases might be evil. How do you analyze code to tell if it is evil? Answer, you cannot. There are literally infinite combinations of instructions that are evil.
Again, what does this help?
So, you could just look for the use of this escape sequence (that says code follows), and flag that as problematic. You'll flag legitimate uses too, but do you have any choice? And given that this is the way you have to do it, how does making variants of code designed to be difficult to pattern match help you see this escape sequence?
Again, I just don't see how this helps anybody but the bad guys, 100% disclosure or no.
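The escape-record check the post above proposes, as an added example in Python (not code from the thread or from any scanner vendor): it walks the records of a WMF byte string, reports every META_ESCAPE record and flags the SETABORTPROC subfunction, which is exactly the "escape sequence that says code follows" to quarantine on. The two sample files are constructed in code with placeholder zero bytes, not a real payload.

```python
import struct

# Added example (not code from the thread): record-level scan of a WMF byte string.
PLACEABLE_MAGIC = 0x9AC6CDD7  # optional 22-byte Aldus placeable header
META_ESCAPE = 0x0626          # RecordFunction of an Escape record
SETABORTPROC = 0x0009         # escape subfunction that registers a callback

def wmf_records(data: bytes):
    """Yield (offset, function, params) per record; ValueError on malformed input."""
    if len(data) < 18:
        raise ValueError("too short to hold a WMF header")
    pos = 22 if struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC else 0
    pos += struct.unpack_from("<H", data, pos + 2)[0] * 2  # HeaderSize is in words
    while pos + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, pos)
        size = size_words * 2
        if size < 6 or pos + size > len(data):
            raise ValueError(f"malformed record at offset {pos}")
        yield pos, func, data[pos + 6:pos + size]
        if func == 0:  # META_EOF
            break
        pos += size

def flag_escapes(data: bytes):
    """Return [(offset, escape_function, byte_count)] for every escape record."""
    hits = []
    for off, func, params in wmf_records(data):
        if func == META_ESCAPE and len(params) >= 4:
            hits.append((off,) + struct.unpack_from("<HH", params, 0))
    return hits

def is_suspicious(data: bytes) -> bool:
    """True if any escape record requests SETABORTPROC: block or quarantine."""
    return any(esc == SETABORTPROC for _, esc, _ in flag_escapes(data))

def _record(func, params=b""):  # helper to build word-aligned records
    params += b"\0" * (len(params) % 2)
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params

def _wmf(*records):  # helper: 18-byte standard header + records + META_EOF
    body = b"".join(records) + _record(0)
    words, biggest = (18 + len(body)) // 2, max(len(r) for r in records) // 2
    return struct.pack("<HHHHHHIH", 1, 9, 0x0300, words & 0xFFFF, words >> 16, 0, biggest, 0) + body

# Constructed samples: an ordinary metafile and one carrying a SETABORTPROC escape.
SETMAPMODE = _record(0x0103, struct.pack("<H", 8))
BENIGN_WMF = _wmf(SETMAPMODE)
SUSPECT_WMF = _wmf(SETMAPMODE, _record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 8) + b"\0" * 8))
```

As the post notes, this flags legitimate escape users too; the point is that the record type is visible no matter how the bytes after it are rearranged.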
The image could be the text Got Firefox? No? You have now.
There you go, an antibody - uses the virus' vector to immunise the recipient. Or perhaps Trojan Hearse?
I just didn't like the analogy. It was a little grandiose.
You could have made the same point by talking about getting a new car/coffee maker/whatever if they issue a recall w/free repairs on some part or something.
vulgarly: "don't trust the firewall filters, don't trust the antivirus vendors, don't wait for Microsoft. Install the patch immediately. If you are running a Windows operating system the patch doesn't support, time to shut it off and wait."