Slashdot Mirror


New IM Worm Exploiting WMF Vulnerability

An anonymous reader writes "Less than four days after the original mailing list posting, there are reports of a new Instant Messaging worm exploiting the unpatched Windows Metafile vulnerability. This worm is using MSN to spread, reports Viruslist.com."

8 of 360 comments

  1. Developers, stop using ... by IAAP · · Score: 3, Interesting
    POP-UP windows!

    From MS' site: 4: Block pop-up windows in your browser

    My credit union requires that I allow pop-ups! I don't know how many times I've gone to legitimate websites and scratched my head for a while trying to figure out why I wasn't seeing anything - all because I'm blocking pop-ups! Firefox tells you with that little message on top of the window, but you know how it is, after a while, you don't notice it anymore.

  2. There needs to be... by Caspian · · Score: 3, Interesting

    ...a dedicated, well-written, well-publicized effort to educate the general public about this sort of thing. We need to establish a meme among the Joe Sixpacks, Moms and Dads, and Grandma Sues of this country that they're foolish if they don't read stories on [whatever].com each week. And on that site, we need to explain, in plain English, [A] what the flaw could do to their computer, [B] what they can do to temporarily/permanently fix the flaw, and [C] what the flaw is due to (99% of the time, this will be 'due to Microsoft software').

    Microsoft obviously isn't interested in having an educated user base, or they'd make such a site themselves and advertise it extensively.

    Who's with me?

    --
    With spending like this, exactly what are "conservatives" conserving?
    1. Re:There needs to be... by Spoing · · Score: 3, Interesting
      If such a site were to exist, people would start catching on that it's all Microsoft's fault in the first place. Then people *would* switch to other systems.

      Nope.

      I've had conversations with regular non-techy people. They don't get it; they think that they are safe and/or don't want to think about the dangers or alternatives. Ever. It is not possible to convince them and if you point them to a technical site, they will ignore it. They must come to the decision by themselves after long years of abuse, if they drop Windows at all. That said, to my surprise, my brother in law decided to get a Mac Mini for his kids this Christmas. I gladly helped them configure it and bring over data from the old Windows box they (unfortunately) still use. I've given him that advice for about 5 years, and did not talk with him about it for the last 6 months...so whatever I've said or pointed out to him had very little to do with his decision. (My brother-N-L is a smart guy and does not ignore most other advice w/o good reasons.)

      Personally, I just refuse to help them to secure the Windows-based systems they chose to use unless it is a single-function server that I can configure how I see fit. I do reinforce with them just how hard it is to use Microsoft's products in a safe manner; 'exceedingly frustrating and still I'm unconvinced that it is secure when I'm done' is a phrase I use often.

      NOTE: I _DO_NOT_ subscribe to the idea that if you keep a system updated with the current patches, use a firewall, and be careful, it is safe to use. If that system is safe, it is more by luck and chance and not by your hard work. This exploit is a perfect example of how all those methods fall apart and can not be relied on.

      --
      A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
  3. Another GOOD reason not to run IM! by jackb_guppy · · Score: 3, Interesting

    IM is just a person private email system, period. Try using email, you can even use filters to pick your friends' messages out of the background noise, like inter-departmental mail.

    To fix the security risk of IM, either you give up point to point email that it is to force it through filtering servers (sounds like email there again). The Anti-Virus programs on every machine will have to start filtering all that traffic too (wait they are doing this for email today also!!)
    --
    When will people learn that NEW is not always GOOD.

  4. Fearmongering by eddy · · Score: 4, Interesting

    What we need now is for someone to find a remote exploit in a popular webserver and combine both exploits into a worm, 'cause then we're all really fucked.

    --
    Belief is the currency of delusion.
  5. Re:How do I avoid it? Fixes? by nacturation · · Score: 4, Interesting

    That's about as helpful as advising tsunami victims that they move.

    For those who want actual advice: http://www.hexblog.com/ -- a fix which creates a hook to disable the affected code. The fix has been analyzed by Steve Gibson.

    --
    Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
  6. Comment removed by account_deleted · · Score: 3, Interesting

    Comment removed based on user account deletion

  7. Re:"because it's there" doesn't cut it... by drachen · · Score: 3, Interesting
    Apparently the attackers aren't awesome programmers because history has shown that the real danger comes after a sample exploit is made, not when the info becomes known.

    Apparently you fail to realize this was a 0-day exploit. That is, there were people already exploiting this flaw before anyone else found out about it. Because they didn't release their source code do you feel safer by this? So your argument that the attackers aren't "awesome programmers" is completely worthless because these attackers found and wrote the original exploit code to begin with. We don't know how long this flaw may have been used in the wild before this one was found. Some "awesome programmers" could've been using this flaw years ago to break into networks. Re-read my original reply.

    Now some people who happen to have analyzed that exploit figured out just exactly how serious this flaw is and what could be done with it if it's not fixed.

    A simple explanation is plenty.

    So you're saying that if all the attackers have is a simple explanation that they wouldn't be able to write code based upon that explanation? Yeah right. The people who wrote these sample exploits didn't even have that to begin with and look at what they've been able to come up with. The people ("attackers") who wrote the originally known exploit didn't need a simple explanation either.

    So now virus scan writers and IDS maintainers, etc, now have a LOT more information for how to defend against this particular threat. A simple explanation isn't sufficient. Now scanners and IDS can use these discovered methods to improve detection and prevention of exploitation of this flaw.

    Again, I just don't see why someone would need to make the most evil version of this possible and distribute the source code.

    Well, I can't explain it any clearer. You're using the "security through obscurity" argument that history has shown to be insufficient for protecting our computers and networks.