New IM Worm Exploiting WMF Vulnerability
An anonymous reader writes "Less than four days after the original mailing list posting, there are reports of a new Instant Messaging worm exploiting the unpatched Windows Metafile vulnerability. This worm is using MSN to spread, reports Viruslist.com."
From MS' site: 4: Block pop-up windows in your browser
My credit union requires that I allow pop-ups! I don't know how many times I've gone to legitimate websites and scratched my head for a while trying to figure out why I wasn't seeing anything - all because I'm blocking pop-ups! Firefox tells you with that little message on top of the window, but you know how it is, after a while, you don't notice it anymore.
...a dedicated, well-written, well-publicized effort to educate the general public about this sort of thing. We need to establish a meme among the Joe Sixpacks, Moms and Dads, and Grandma Sues of this country that they're foolish if they don't read stories on [whatever].com each week. And on that site, we need to explain, in plain English, [A] what the flaw could do to their computer, [B] what they can do to temporarily/permanently fix the flaw, and [C] what the flaw is due to (99% of the time, this will be 'due to Microsoft software').
Microsoft obviously isn't interested in having an educated user base, or they'd make such a site themselves and advertise it extensively.
Who's with me?
With spending like this, exactly what are "conservatives" conserving?
IM is just a personal private email system, period. Try using email; you can even use filters to pick your friends' messages out of the background noise, like inter-departmental mail.
To fix the security risk of IM, either you give up the point-to-point email that it is, to force it through filtering servers (sounds like email there again). The anti-virus programs on every machine will have to start filtering all that traffic too (wait, they are doing this for email today also!!)
--
When will people learn that NEW is not always GOOD.
Microsoft recommends, for the time being to just
regsvr32 -u %windir%\system32\shimgvw.dll
BUT according to this analysis, the real fault lies with gdi32.dll ! How the hell do you get rid of that? It's about as deeply embedded in windows as, say, glibc is in Linux distributions..
SCO employee? Check out the bounty
What we need now is for someone to find a remote exploit in a popular webserver and combine both exploits into a worm, 'cause then we're all really fucked.
Belief is the currency of delusion.
but somebody can finish this joke... it has to do with a hacked Windows PC... I am teh lose today.
"and on the 7th day 'after' Christmas my true-love gave to me"
That's about as helpful as advising tsunami victims that they move.
For those who want actual advice: http://www.hexblog.com/ -- a fix which creates a hook to disable the affected code. The fix has been analyzed by Steve Gibson.
Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
An exploit of "gdi32.dll" using a WMF file for the attack was documented back in November. Does this new exploit use the same attack approach?
I can understand spreading the fact that the exploit exists. I could maybe argue whether or not you should spread info on the exploit. I can barely see why one would make an example exploit.
But why would someone make a program specifically designed to make an undetectable/untraceable version of the exploit?
I can only see harm coming from this.
And I'm sorry, but "because it's there" doesn't work when you know there's only negative outcomes of what you do.
http://lkml.org/lkml/2005/8/20/95
Out of curiosity, where's the documentation that describes this? I was thinking of writing a WMF that pops up a window saying "Warning, you haven't patched the WMF vulnerability. I was able to open this window on your computer by simply loading a picture. Imagine if this had been a virus too. Click here to download the fix - and here's why you should trust that guy."
Completely agreed. It also shows something of a lack of effort on Microsoft's part. I believe that the problem has still not been fixed with an official patch (others have to do the dirty work) and I think the vulnerability was known about four days ago! That is unheard of on open source systems because their creators aren't busy marketing the newest XBox game. I recommend gaim or naim (if you don't mind console) for the aim and everything. I hear Trillian is good but have not gotten around to trying it yet. I believe it is for Windows, no? Probably has better protection against this stuff than MSN does though (that doesn't say too much...) (-hrair-)
Beware of the shining wires...
Apparently you fail to realize this was a 0-day exploit. That is, there were people already exploiting this flaw before anyone else found out about it. Because they didn't release their source code do you feel safer by this? So your argument that the attackers aren't "awesome programmers" is completely worthless because these attackers found and wrote the original exploit code to begin with. We don't know how long this flaw may have been used in the wild before this one was found. Some "awesome programmers" could've been using this flaw years ago to break into networks. Re-read my original reply.
Now some people who happen to have analyzed that exploit figured out just exactly how serious this flaw is and what could be done with it if it's not fixed.
A simple explanation is plenty.
So you're saying that if all the attackers have is a simple explanation that they wouldn't be able to write code based upon that explanation? Yeah right. The people who wrote these sample exploits didn't even have that to begin with and look at what they've been able to come up with. The people ("attackers") who wrote the originally known exploit didn't need a simple explanation either.
So now virus scan writers and IDS maintainers, etc, now have a LOT more information for how to defend against this particular threat. A simple explanation isn't sufficient. Now scanners and IDS can use these discovered methods to improve detection and prevention of exploitation of this flaw.
Again, I just don't see why someone would need to make the most evil version of this possible and distribute the source code.
Well, I can't explain it any clearer. You're using the "security through obscurity" argument that history has shown to be insufficient for protecting our computers and networks.
Older versions of FF will open it natively (pre 1.0, I believe). Newer versions of FF and Opera will pull it up but will ask if you'd like to open the image with MS Picture and Fax Viewer or whatever associated program. If you click no, you should be safe. If you click yes, you're infected. If this thing gets stored on your HDD or your cache somewhere, though, the mere act of single-clicking on the file, or even the folder in some cases, can trigger it. And if you have Google Desktop Search installed, Google will index and execute the code as soon as it hits the drive. Some DOS boxes are getting infected this way even.
Yeah I've been starving them, teasing them, singing off key. Me may mah mo, me mo ma me.
JPG, PNG, GIF etc. all have headers that should surely be checked before displaying the picture. Does IE not do this?
In short, do I have to actively click an "Open this file" dialog in the browser?
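A defender-side check of the kind this post asks about, added here as an example and not part of the thread: it validates the WMF header and walks the record list, flagging the META_ESCAPE/SETABORTPROC record type that the 2005 WMF flaw is triggered through. The constants are the documented WMF format values; the two sample files are constructed inline and are not real captured files.

```python
import struct

# Documented WMF format constants.
PLACEABLE_MAGIC = 0x9AC6CDD7   # optional 22-byte "placeable" header
META_EOF = 0x0000
META_ESCAPE = 0x0626
ESC_SETABORTPROC = 0x0009      # escape sub-function abused by the WMF flaw

def scan_wmf(data: bytes) -> dict:
    """Return {'valid', 'records', 'findings'}; valid is True only when the
    header parses, every record fits, META_EOF is present and no
    ESCAPE/SETABORTPROC record appears. Run before handing a file to a viewer."""
    findings, off = [], 0
    if len(data) >= 22 and struct.unpack_from('<I', data, 0)[0] == PLACEABLE_MAGIC:
        off = 22                                   # skip placeable header
    if len(data) < off + 18:
        return {'valid': False, 'records': 0, 'findings': ['truncated header']}
    mt_type, hdr_size = struct.unpack_from('<HH', data, off)
    if mt_type not in (1, 2) or hdr_size != 9:    # 1=memory, 2=disk; 9 words
        return {'valid': False, 'records': 0,
                'findings': [f'bad header: type={mt_type} size={hdr_size}']}
    off += 18
    count, seen_eof = 0, False
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from('<IH', data, off)  # rdSize, rdFunction
        rec_len = size_words * 2
        if size_words < 3 or off + rec_len > len(data):
            findings.append(f'record {count} at {off}: bad size {size_words} words')
            break
        count += 1
        if func == META_EOF:
            seen_eof = True
            break
        if func == META_ESCAPE and rec_len >= 8:
            if struct.unpack_from('<H', data, off + 6)[0] == ESC_SETABORTPROC:
                findings.append(f'record {count - 1} at {off}: ESCAPE/SETABORTPROC')
        off += rec_len
    if not seen_eof:
        findings.append('missing META_EOF')
    return {'valid': not findings, 'records': count, 'findings': findings}

def _record(func: int, *params: int) -> bytes:      # constructed test helper
    return struct.pack('<IH', 3 + len(params), func) + b''.join(struct.pack('<H', p) for p in params)

def _wmf(*records: bytes) -> bytes:                 # constructed test helper
    body = b''.join(records)
    return struct.pack('<HHHIHIH', 1, 9, 0x0300, (18 + len(body)) // 2, 0,
                       max(len(r) // 2 for r in records), 0) + body

BENIGN_WMF = _wmf(_record(0x0104, 0x00AA), _record(META_EOF))            # SETROP2 + EOF
SUSPECT_WMF = _wmf(_record(META_ESCAPE, ESC_SETABORTPROC, 0), _record(META_EOF))
```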
their Q/A is probably the most intensive that any software company has on the planet
A bunch of automated tests for one piece of software will prevent bugs which affect *functionality*. They cannot find bugs|vulnerabilities which are the result of poor design.
And as for MS making good software, Windows does not even come with a plain text editor which can handle UNIX line termination! Notepad shits all over it, and Wordpad is NOT a reasonable editor to edit source or shell script code. EVERY OTHER text editor in the world, from nano, vim, joe, emacs, the OSX text editor, even fucking DOS edit can handle Unix line termination properly.
MS's goal is to prevent interoperability with any other OS, and within their OS prevent the creation of software which can run on more than one platform. Beyond that they fail in everything.