Slashdot Mirror
New IM Worm Exploiting WMF Vulnerability
An anonymous reader writes "After less than a four days after original mailing list posting there are reports about a new Instant Messaging worm exploiting unpatched Windows Metafile vulnerability. This worm is using MSN to spread, reports Viruslist.com."
There is information available on temporary fixes from the following sites
http://isc.sans.org/diary.php?rss&storyid=996
http://www.f-secure.com/weblog/#00000760
http://www.grc.com/sn/notes-020.htm
be aware the runnable patch is completely unofficial, the only action microsoft suggest is unregistering a vulnerable dll which only mitigates the most common method of exploitation while not fixing the underlying problem.
NFI how long it will take microsoft to have an official patch out, but from the sans site, it doesnt look promising that it will appear soon.
How do I avoid it? Fixes?
Follow the suggested action in the Microsoft advisory linked right up there above.
Microsoft suggests to unregister the problem dll.
y /912840.mspx
start->run
regsvr32 -u %windir%\system32\shimgvw.dll
http://www.microsoft.com/technet/security/advisor
You MUST mean MSN Messenger.
Netherlands being the place where it first appeared, and being from Belgium myself, I can say that everybody here simply says 'MSN' when they mean 'MSN Messenger'.
It's more common in europe anyway to use MSN instead of other popular IM networks used thoughout the USA and other countries. IM was never popular with non-geek computer users here and when broadband internet (with a fixed price/month) arrived most teenagers (the primary group of users in europe) all started using MSN Messenger.
Dependency hell? =>
See discussion list at3
http://www.aota.net/forums/showthread.php?p=14305
also check out FSecure's blog:
http://www.f-secure.com/weblog/
It's unofficial, but it works.
http://www.hexblog.com/2005/12/wmf_vuln.html
Block popups on the internet security zone and allow them in the trusted zone then add your credit union to the list of sites you trust and refresh the page for the settings to take effect. Basically you need to create a white list of trusted sites while blocking all the riff raff. It doesn't matter what version of IE you use install the IE5.5 power toys which will add two settings to the tools menu called add to restricted zone and add to trusted zone. It ain't rocket science.
That works for some things, but not everything, because shimgvw is NOT the problem dll. The real problem is in gdi32.dll, which IIRC is too important to be removed.
There seems to be a first fix.
There is now a "Windows WMF Metafile Vulnerability HotFix" available from Ilfak Guilfanov. Have a look here http://www.hexblog.com/2005/12/wmf_vuln.html
The problem - and the fix - has been discussed also at GRC.com's Security Now podcast. Check out this link http://www.grc.com/sn/notes-020.htm
The problem is not with gdi32.dll. The problem is with the way the WMF handler uses the SetEscape() API.
/" and blaming the rm executable when your files disappear.
Pointing the finger at gdi32.dll is like running a malicious script that executes "rm -fr
I work for a major electronics retailer in the Service department. Most of our duties are simple PC repair, data backup, and virus/spyware removal.
I have seen in the past week our work increase 5 fold because of this exploit. What is normally a very slow time of the year for us has become very busy for us and it's making me nervous myself.
We had a few customer that bought brand new computers and laptop and are bringing them back the same day with this exploit. A quick check reveals that their Norton was up-to-date, yet this stuff still slipped in. Other customers are getting this thing left and right. Unfortunately I have not much to tell them except to keep updating all your security products daily as it's only going to get worse before it gets better. Hand them a copy of Norton and Sunbelt Counterspy and tell them good luck.
I do believe there is a bit a social engineering planned into this. Customers with year-end financials, tax season starting up, holiday credit card payments and statements coming through. Very ripe time to plucking financial and personal data. And with this being an extended holiday weekend, this exploit has a bit of time to fester and refine itself before the big trojan/virus with a major payload slips past the AV and Adware detections and onto millions of computers. What happens when someone combines with exploit with a backgood into a major ad server network? Imagine the damage then.
I'm doing the best I can at my house against this thing, but looking at the 7+ Windows boxes I'm now worrying about updating, installing, patching and unregistering, and the 1 Apple laptop I haven't had to restart in 6 months, and I wonder if this is going to be the big one that really gives Microsoft the black eye it can't recover from.
Yeah I've been starving them, teasing them, singing off key. Me may mah mo, me mo ma me.
Get a patch here: http://www.hexblog.com/2005/12/wmf_vuln.html
All the necessary information and explanation (plus q/a) is here. This is the only hope at present. Good luck to everyone on Jan 2 when this thing takes over the world.
This is the same basic exploit - but the seriousness and criticality is dramatically harder. A malicious file can contain any file extension of any random size and still be a WMF file on the "inside" and still have a "arbitrary code" payload. Most security groups are way freaked out now since IDS/IPS and AV patches are not patching this complete yet. Check out http://isc.sans.org/diary.php?rss&storyid=994 more a more indepth answer.
Horns are really just a broken halo.
Why in the world would a WMF file need to be able to execute a script? And aren't most of Microsoft's vulnerabilities related to the wanton running of scripts without a user being aware that it's happening?
Does your website have an image on it? It can be exploited that way. Does your email render html, even with scripting turned off? It can be exploited that way. A few trusted sites have been compromised with this exploit. Some seedier as networks (with hundreds or thousands of affiliates) are using this to generate cash. There is no patch for Windows ME, 98, or 95 and there will never be as these OSes are unsupported. These systems will ALWAYS have this vulnerability.
Imaginine if someone uploaded this to MySpace (http://www.alexa.com/data/details/traffic_details ?q=&url=www.myspace.com/), as they allow full html formatting, embed, iframes and all kinds of crazy crap. One exploit on a popular blog will cause A LOT of damage.
Yeah I've been starving them, teasing them, singing off key. Me may mah mo, me mo ma me.
If you're an IT pro and you're running Windows at home, you should have your boxes imaged so you can just unhook from the net, image, apply the fix, take a new image and hook back up to the net. Seven boxen shouldn't take you more than a couple hours -- less if you use a standard image.
If you're setting this up for the first time, don't forget to redirect "My Documents" to a different partition, or better yet a server with a backup regime. Oh, yeah, and choose the "Activate Windows over the phone" option before you make your first image so you don't have to re-activate each time.
If you're an IT pro and you're not using Windows at home, take the extra hours and spend some holiday time with your friends and family. Life is short.
Help stamp out iliturcy.
It's already happening dude - there are still a bunch of sites at major shared hosting providers (*cough* iPowerWeb *cough*) which are being exploited and code added via an old cPanel vulnerability. There are dozens if not hundreds of compromised web servers out there right now spreading this thing.
There is a real possibility that the shit is going to hit the fan big time with this one.
Haha analysed by Steve Gibson, well NOW I feel safe. I think I'll take my advice from a proper security authority
With the exception of games (and I don't play PC games anyway), my Mac does everything Windows can do, plus some. I've been a die-hard PC guy, anti-Mac for a long time. Until I decided that I was done with Windows, and looked for alternatives. Linux just isn't quite there yet as a good, usable, stable day-to-day desktop operating system. But MacOS X is. And I've even grown to appreciate some of the ways in which it is superior to both Windows and Linux from a usability standpoint, even ignoring the well known security advantages.
Funny as that might be, we're already talking about how the current mandatory support for MSN custom smilies is both an annoyance and a security hazard (either 2.0.0beta1 or CVS, I forget which version). If the infected WMFs are even cached anywhere and a program like Picasa sniffs it out and uses the win32 GDI library, you still get fucked. Lovely!
'Yes, firefox is indeed greater than women. Can women block pops up for you? No. Can Firefox show you naked women? Yes.'
From http://isc.sans.org/diary.php?rss&storyid=994 :
. exe Our own Tom Liston reviewed the patch and we tested it. The reviewed and tested version is available here (now at v1.3, MD5: 14d8c937d97572deb9cb07297a87e62a). THANKS to Ilfak Guilfanov for providing the patch!!
1. Microsoft has not yet released a patch. An unofficial patch was made available by Ilfak Guilfanov. http://handlers.sans.org/tliston/wmffix_hexblog13
2. You can unregister the related DLL.
3. Virus checkers provide some protection.
To unregister the DLL:
* Click Start, click Run, type "regsvr32 -u %windir%\system32\shimgvw.dll" (without the quotation marks), and then click OK.
* A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.
Horns are really just a broken halo.
Having used both, I stand by my comment that they're rough around the edges. Not hard to use, perhaps, but they have a number of odd behaviors that are not intuitive to anybody who isn't familiar with them. And Linux lacks the one big thing MacOS has -- easy support for the most comment media types, including Windows Media, and Quicktime. Trying to get Linux to support both of these is an exercise in futility. Sure it can be done, but not by Joe Schmoe. It's all in the little details, and these are just two little details among many.
Disclaimer: I am a professional Unix Systems Administrator with almost a decade of experience (and I've been playing with Linux since before it had Ethernet support ;-)). If I can see the potholes in the user experience, what do you think it's like for someone who doesn't have the background to understand why it is the way it is?
You can allow a popup to be shown in IE on a per instance basis, whether the site is trusted or not, by holding down the CTRL button while clicking the link that launches the popup window. If the site uses javascript to automatically launch popups and you absolutely must use it then you can also add the site to your list of trusted sites under Tools->Internet Options->Security Tab. It makes sense add your online banking portal to the list of trusted sites anyway.
Well, by switching to Linux, you basically trade one head-ache for another, but I can assure you that the Linux head-ache is much smaller and infrequent. Most people who complain about Linux do so because they tried some 5 year old version or tried to use last year's Red Hat or Fedora. If you would install a current Mandriva or Suse however, then you won't look back. Anyhoo, my notebook PC is dual booting XP/Mandriva. I only use XP for deliberately infecting and trying out virus fixes before I go and fix a client's machine...
Oh well, what the hell...
Dude, you don't have to click 'open'. On Bugtraq it has been reported that this thing runs itself quite happily in an IFRAME.
WMF IS a script. now with root exploit goodness. :)
Horns are really just a broken halo.
Haha analysed by Steve Gibson, well NOW I feel safe.
Security researcher he isn't (really), but I do respect his ability to code. At any rate, for those who don't know why that's potentially laughable, see the GRC sucks website.
Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
There is absolutely no reason to believe that market share is the cause of low security.
It's certainly not the cause of "low security", but it definitely makes Windows a target. This argument has been rehashed here and everywhere else a thousand times. The popularity of Windows makes it a target for more hackers. This says nothing about Microsoft's code quality, nor does it say anything about the quality of other OS's code bases. I'm just saying that it makes sense that the most used operating system would also be the most attacked. More attacks yield more results.
Shitty programmers with little or no Q/A, and a huge festering code base which is continually patched together with duck tape to keep it going
Why isn't this drivel modded as flamebait? Microsoft's coders are really any shittier than anybody else's coders, or at least I've seen no evidence of this. No Q/A? You have to be kidding me. If you have even a shallow knowledge of Microsoft's engineering practices you would know that their Q/A is probably the most intensive that any software company has on the planet, and it's getting more intensive every day.
Want an example? The ASP.NET team had 505,000 test scenarios for ASP.NET 2.0 that it had to pass 100% before they would lock it down as RTM.
along with a refusal to force 3rd party vendors to release software which runs properly (IE doesn't require local admin to run) causes security holes
Indeed, 3rd party software, and even Microsoft's own software (try developing an ASP.NET application with VS.NET 2k3 without admin privs), often fails to run correctly as non-admin. Microsoft has made a lot of changes to improve this, but 3rd party support is still lagging. Why? Because Windows is used by basically everybody, and if a patch or new version of Windows suddenly broke 75% of the applications out there nobody would upgrade.
This problem is an extremely difficult one to solve, and a lot of it has to do with Microsoft's failure to produce specs and guidelines from the start that let ISVs know what they needed to do to make sure software ran as non-admin. Microsoft's solutions in Vista are a huge step in the right direction.
Windows doesn't have *bad* security, Windows has no security.
Baloney. The Windows security model is a solid one. Aside from the applications that don't like installing or running as non-admin (mostly ASP.NET development, really), I run Windows as non-admin 100% of the time. The security model in Windows is actually more extensive than the security model in most flavors of Unix, including Linux. (At least out of the box.) Regardless, Windows gets a bad rap for security not because of design of Windows is bad, but because there have been lots of high profile, highly damaging exploits for Windows over the years. With a few glaring exceptions, such as the WMF exploit, Microsoft has always had patches available for weeks if not months before the bastards out there released their worms or viruses.
Transparency between versions? How does that cause poor security?
As I explained earlier, Microsoft can't just break everybody's applications, even if they're insecure. That's not the way it works when you have 90% of the computer using world running your software.
Using IE, you're fucked. You can write <img src="evil.wmf"> into an html file, and it'll display it clear as day. (And this means, that the exploit can be used.)
Firefox (without any WMF support) won't show up the picture inline.
I suggest that you try it yourself. Personally, I think this is an enormous unseen benefit to firefox. Even though you can be infected if you download and let explorer (or google desktop) see the file, this is still a big step from merely viewing it in a website!
Without actually knowing I'm pretty sure it'll work. The exploit can work through an image displayed on a webpage and work through a renamed image, so I don't see any reason it wouldn't work with both.
JPG, PNG, GIF etc. all have headers that should surely be checked before displaying the picture. Do IE not do this?
The mimetypethe webserver gave (which will presumably be application/x-wmf) should take priority over the extension anyway, and I believe IE's approach is "It claims to be an image of some sort, so call the image rendering library".
In short, do i have to actively click a "Open this file" dialog on the browser?
No.
I am trolling