Slashdot Mirror
New IM Worm Exploiting WMF Vulnerability
An anonymous reader writes "After less than a four days after original mailing list posting there are reports about a new Instant Messaging worm exploiting unpatched Windows Metafile vulnerability. This worm is using MSN to spread, reports Viruslist.com."
These would be good things to know...
http://www.TheGamerNation.com/Forums
Looks potentially nasty.
You are not the customer.
Well that didn't take long.
There is information available on temporary fixes from the following sites
http://isc.sans.org/diary.php?rss&storyid=996
http://www.f-secure.com/weblog/#00000760
http://www.grc.com/sn/notes-020.htm
be aware the runnable patch is completely unofficial, the only action microsoft suggest is unregistering a vulnerable dll which only mitigates the most common method of exploitation while not fixing the underlying problem.
NFI how long it will take microsoft to have an official patch out, but from the sans site, it doesnt look promising that it will appear soon.
My prediction: in 2006, MS innovation will lead the way in new fronts!
The war with islam is a war on the beast
The war on terror is a war for peace
You MUST mean MSN Messenger.
From MS' site: 4: Block pop-up windows in your browser
My credit union requires that I allow pop-ups! I don't know how many times I've gone to legitimate websites and scratched my head for a while trying to figure out why I wasn't seeing anything - all because I'm blocking pop-ups! Firefox tells you with that little message on top of the window, but you know how it is, after a while, you don't notice it anymore.
This is a serious comment, i am only doing this as an AC to avoid being modded +5 funny, -7 flamebait. Why do people on slashdot not mind macs, and yet act like microsoft is the devil (which it, obviously is). Apple's Macintosh is not only just as a proprietary piece of crap as Windows, but it also forces you to purchase their HARDWARE if you want to use it the "legit" way (though this may change with mactels, they have been operating this way for years). In my opinion, each of the two companies is, after all considerations THE WORST FUCKING THING TO EVER HAPPEN TO COMPUTING.
There's a patch available here
...a dedicated, well-written, well-publicized effort to educate the general public about this sort of thing. We need to establish a meme among the Joe Sixpacks, Moms and Dads, and Grandma Sues of this country that they're foolish if they don't read stories on [whatever].com each week. And on that site, we need to explain, in plain English, [A] what the flaw could do to their computer, [B] what they can do to temporarily/permanently fix the flaw, and [C] what the flaw is due to (99% of the time, this will be 'due to Microsoft software').
Microsoft obviously isn't interested in having an educated user base, or they'd make such a site themselves and advertise it extensively.
Who's with me?
With spending like this, exactly what are "conservatives" conserving?
Beware of this IM-Worm which spreads via MSN using a link to "http://[snip]/xmas-2006 FUNNY.jpg".
Though it's spread mainly in Netherlands as the link sais.
an up to date antivirus should keep you safe.
IM is just a person private email system, period. Try using email, you can even use filters to pick your freinds messages out of the background noise, like inter-departmental mail.
To fix the security risk of IM, either the you give up point to point email that it is to force it though filtering servers (sound like email there again). The Anti-Virus programs on every machine will have to start filtering all that traffic too (wait they are doing this for wmail today also!!)
--
When will people learn that NEW is not always GOOD.
Since the first exploit came to light, H.D.Moore of the Metasploit project has reworked the original package they did. The new exploit spits out exploit WMF files that come:
- with a random size;
- no
.wmf extension, (.jpg), but could be any other image extension actually;
- a random piece of junk in front of the bad call; carefully crafted to be larger than the MTU on an ethernet network;
- a number of possible calls to run the exploit are listed in the source;
- a random trailer
This makes it rather hard for antivirus and IDS sigs to detect it, though Snort and the A/V people are working late over their holidays to improve detection.SANS/ISC have provided excellent continued summaries of events around this. Here's their FAQ on the issue.
This is looking truly horrible. On Tuesday morning zillions of Windows desktops will be fired up for the first time in a week or two. This thing's already in widespread use by a number of malware distribution networks for the usual reasons. As such it's a nightmare for network and system admins with Windows machines to look after (and us security people trying to provide advice & assistance for them...) But the stealth nightmare is that this is an absolute jackpot for the less visible targetted attacks, such as those emanating from China for the past couple of years (google around, Slashdot and Schneier have covered this as well as many other places.) There are also the opportunistic types who see an easy opportunity to pwn some key machines where they work, say. I will stick my neck out here and make a prediction. Virtually all organisations with Windows machines are effectively wide open to total compromise by a reasonably informed person. That means much of the IT dept as well as significant numbers of the 'interested poweruser' types, developers with a casual interest in security,.. anyone who's heard of this and is capable of running the findingm, running and using the new exploit, basically. Of course we're all tweaking our IDSes and antivirus, locking things down as tight as possible in the 48 hours remaining, but... *shudder*
For ten years I've been waiting for Microsoft's luck to run out. This is about #3 on my list of catastrophic MS incidents. There aren't many ways things could be worse.
It will be a good time to be running Linux on work machine, though :)
Microsoft recommends, for the time being to just
regsvr32 -u %windir%\system32\shimgvw.dll
BUT according to this analysis, the real fault lies with gdi32.dll ! How the hell do you get rid of that? It's about as deeply embedded in windows as, say, glibc is in Linux distributions..
SCO employee? Check out the bounty
... when Hulkamania runs wild on you? Oh, wait, WMF. Never mind.
It's unofficial, but it works.
http://www.hexblog.com/2005/12/wmf_vuln.html
I'm impressed at the timing on this one -- it hits during the slowest time of the year.
I figure the exploiters, even if they aren't the fastest in the bunch, will have massive penetration by the time people start modifying their systems to protect themselves.
So I'm wondering if the bad guys knew about this one for a while and just waited until now to spring it, or did the Microsoft customers just get profoundly unlucky.
Steve Jobs is probably laughing away over this one.
http://www.thebricktestament.com/the_law/when_to_
They're pretty boring aren't they. You'd have to be a pretty sad fucker to think that they're worthy of making headline news on anything other than a specialist security web site. Bye bye /.
http://www.novell.com/linux/suse/
http://fedora.redhat.com/
http://www.ubuntulinux.org/
http://frontal1.mandriva.com/community/
https://www.scientificlinux.org/
Ah, Slashdot... where the first post is modded "redundant".
What we need now is for someone to find a remote exploit in a popular webserver and combine both exploits into a worm, 'cause then we're all really fucked.
Belief is the currency of delusion.
Are images turned off when browsing?
I've noticed numerous TGP porn sites have been trying to get me to open a WMF file (Not that I uh.... would know about this first hand or anything ;p). Didn't think there was anything to it until seeing this article- my guess is it's being used to install crapware of some kind.
lucky I'm using Linux.
but somebody can finish this joke... it has to do with a hacked Windows PC... I am teh lose today.
"and on the 7th day 'after' Christmas my true-love gave to me"
Doesn't this virus still require the user to click a link? It's not fully automated?
Why are so many people making it sound like the end of the world?
This is only going to get worse. According to the blog at F-Secure, there is so many variants coming out it isn't even funny. Also, it doesn't help that just by allowing google desktop to index the file, you can get a virus. From what I can gather, you can unregister shimgvw.dll, but the problem lays deep inside Windows, so you still aren't 100% safe. There is also an unofficial patch out, but how many newbie computer users will actually apply it? I have a feeling that this exploit is going to be a real bad one until Microsoft can release a patch, as tons of different worms and trojans can be released into a machine with this exploit.
An exploit of "gdi32.dll" using a WMF file for the attack was documented back in November. Does this new exploit use the same attack approach?
to i7s laid-back
Comment removed based on user account deletion
No one said that using something other than Windows would solve all security problems, only this one. The grandparent was entirely correct in its observation.
Get a patch here: http://www.hexblog.com/2005/12/wmf_vuln.html
All the necessary information and explanation (plus q/a) is here. This is the only hope at present. Good luck to everyone on Jan 2 when this thing takes over the world.
Why in the world would a WMF file need to be able to execute a script? And aren't most of Microsoft's vulnerabilities related to the wanton running of scripts without a user being aware that it's happening?
...because the internet owns us!
regsvr32 -u %windir%\system32\ntoskrnl.exe
Nothing less will do it.
if everybody bought their grandma an iMac, there would be a lot more exploits on them then there are now. As many as wintel boxes? Probably not. But more than there are now.
Have you been touched by his noodly appendage?
If you're an IT pro and you're running Windows at home, you should have your boxes imaged so you can just unhook from the net, image, apply the fix, take a new image and hook back up to the net. Seven boxen shouldn't take you more than a couple hours -- less if you use a standard image.
If you're setting this up for the first time, don't forget to redirect "My Documents" to a different partition, or better yet a server with a backup regime. Oh, yeah, and choose the "Activate Windows over the phone" option before you make your first image so you don't have to re-activate each time.
If you're an IT pro and you're not using Windows at home, take the extra hours and spend some holiday time with your friends and family. Life is short.
Help stamp out iliturcy.
Twelve IRC bots spying,
Eleven worms-a-wriggling,
Ten Paypal phishes,
Nine ActiveX holes,
Eight Blaster variants,
Seven Sony rootkits,
Six keystroke loggers,
Five porn diallers!
Four Exploit.WMFs,
Three Mytobs,
Two Bifrose-Ds,
And a homepage stuck on goatse.
(You, ettlz, rock.)
You can hold down the "B" button for continuous firing.
I can understand spreading the fact that the exploit exists. I could maybe argue whether or not you should spread info on the exploit. I can barely see why one would make an example exploit.
But why would someone make a program specifically designed to make an undetectable/untraceable version of the exploit?
I can only see harm coming from this.
And I'm sorry, but "because it's there" doesn't work when you know there's only negative outcomes of what you do.
http://lkml.org/lkml/2005/8/20/95
Try this regsvr32 /u shimgvw.dll
lol no im not a wmf worm!
In Soviet Russia, backwards is everything.
You sure?
Hint: Think different.
e.g. is there a way for a remote user to make it display a wmf without the recipiants consent?
note: i'm known as plugwash most places but i screwd up registering that here somehow in the past and now can't register
at least back to +3 so anyone who reads it will see the clarification. as it stands this is very uninformitive.
note: i'm known as plugwash most places but i screwd up registering that here somehow in the past and now can't register
to: all contacts
==========
omgzz listn ths whateva u do if cmdrtaco@hotmail.com adds u, do not ACCEPT!!! its a virus and wll brk msn!! frward ths msg to every1 lt thm kno.
...to block AIM & MSN chat, and all their clones, at the corporate firewall. Before it was simply a time wastage issue...now it's a big security risk.
I think switching OSs is a less difficult proposition for someone who has time to read slashdot than picking up your family and moving is for someone who can barely feed his or her own kids.
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
NOD32 (www.nod32.com) catches it. Supposedly McAfee can catch it as well, but Norton doesn't.
Hunt your preferred prey at Aliens vs Predator MUD. Join the war at avpmud.com port 4000
All of my Linux boxes work, yet I never had to pay for Debian or Gentoo. Why can't software that I paid for work properly?
Ok, done venting. Thanks for that.
"Avoid employing unlucky people - throw half of the pile of CVs in the bin without reading them." -- David Brent
From http://isc.sans.org/diary.php?rss&storyid=994 :
. exe Our own Tom Liston reviewed the patch and we tested it. The reviewed and tested version is available here (now at v1.3, MD5: 14d8c937d97572deb9cb07297a87e62a). THANKS to Ilfak Guilfanov for providing the patch!!
1. Microsoft has not yet released a patch. An unofficial patch was made available by Ilfak Guilfanov. http://handlers.sans.org/tliston/wmffix_hexblog13
2. You can unregister the related DLL.
3. Virus checkers provide some protection.
To unregister the DLL:
* Click Start, click Run, type "regsvr32 -u %windir%\system32\shimgvw.dll" (without the quotation marks), and then click OK.
* A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.
Horns are really just a broken halo.
I know next to nothing about Instant Messaging clients, but is it possible that an employee could have left his computer powered on, and logged into windows, and with an IM client running on his desktop, and could that IM client then download this worm automatically [without any manual user input, such as clicking on a link]?
I.e. might it be the case that when Admins return from New Years' vacation [Monday, or Tuesday, or whenever], there could be [quite literally] MILLIONS of infected desktops?
And I trust downloading a DLL that injects into gdi32...why? I'll just do what I always do to avoid viewing pictures that I don't need (goatse, web beacons, etc.).
Who is this guy and why should I trust him? Or better yet, is the code open-source, or is the exact method publicly available so I can write my own hook?
Mind you, the only ones who know enough of the Windows internals to pull such a stunt are Microsoft employees, and I seriously doubt they'd risk a stunt like that. Especially as they'd likely be on said chair when Microsoft's CEO lobbed it off the roof.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Ok, ignore my other message, I trust him.
Information of how to obtain a fix is available here.
The SANS guys have reverse engineered it and given it the thumbs up if that's any help to you : http://isc.sans.org/diary.php?storyid=999
You may have been only talking about yourself, but it made it sound like there were no options for anyone... like the Mac.
How ironic you actually used the word "switch".
Unless you NEED to run Autocad or something along those lines, there are very few people anymore who really cannot switch to a Mac.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Yet another fine reason to use Trillian, GAIM, or other multi-service messenging clients of the sort. Since some of these clients are open source, bugs can be fixed immediately. Or others, like Trillian, don't have these kind of security holes because these worms are designed for a specific client.
You swallowed and regurgitated the MS line perfectly: always blame the users. Users were not the reason IE exposed an UNPATCHED remote code execution bug for all EXCEPT 7 days of 2004 (http://bcheck.scanit.be/bcheck/page.php?name=STAT S2004). Users are prevented by law and the MS cops (BSA) from seeing or tinkering with MS code, yet you and MS blame them for the damage they suffer due to the lousy quality of MS code.
The users did not create the incestuous, inherently insecure entanglements among the "apps" and operating system in MS Windows. There is no warning on the box of MS Windows saying that the product is unsuitable for use by new users of computers. There is no warning on the box of MS Windows saying that only experts in network security have any chance of safely using the product in any computer that is not completely isolated from others.
How many more years and MS Windows versions will trolls, astroturfers and shills directly dispute the evidence and continue to claim both that MS Windows is suitable for uneducated users and that those users are to be blamed for not being security experts?
MS Windows is demonstrably unsuited to any networked environment. MS Windows is demonstrably unsuited for use by anyone who is not a highly trained network security expert.
Save your friends from the dangers of MS Windows: install GNU/Linux for them and don't give them the root password.
I have seen in the past week our work increase 5 fold because of this exploit. What is normally a very slow time of the year for us has become very busy for us and it's making me nervous myself.
I know next to nothing about IM/RSS software, so I am just speculating here.
But suppose you had some IM/RSS client [MSN, AOL, Yahoo, whatever] that had an image rendering aspect to it. For example, suppose your IM/RSS client were capable of rendering the JPGs in an HTML message.
Then it seems to me that if you had such an IM/RSS client running on your desktop, and if someone knew your IM/RSS handle, then they could send you an IM/RSS message with very elementary instructions for downloading the evil file:
and you'd be hosed without ever having clicked on any link. And if the worm were really smart, it could then install "thttpd" trivial http daemons to spread itself internally on any corporate network [via each person's IM/RSS "address book"].If that's true, and if lots of employees left their computers running and logged into windows with such "automatic" IM/RSS clients running on the desktop, then Tuesday or Wednesday morning [or whenever people decide to come back from their New Year's vacation], there could be literally MILLIONS of infected machines.
So the question: Are there IM/RSS clients that can download files automatically?
I've noticed numerous TGP porn sites have been trying to get me to open a WMF file (Not that I uh.... would know about this first hand or anything
In this particular instance, I think I'd choose first hand knowledge over second hand knowledge.
You are arguing "because it's there". Why did someone do it? Because they could. Or, go to back to the mountain climbing roots of the original quote, because then others would know it can be done (and you've done it).
It doesn't take an example to show it can be done, thanks. Believe it or not, even Microsoft understands software is mutable.
A simple explanation is plenty.
As to your comment that the people we really need to worry about won't even be affected by this: history has shown this not to be true.
Apparently the attackers aren't awesome programmers because history has shown that the real danger comes after a sample exploit is made, not when the info becomes known.
Again, I just don't see why someone would need to make the most evil version of this possible and distribute the source code.
http://lkml.org/lkml/2005/8/20/95
Not sure if this is the case for anyone else, but I've found that while i can previous thumbnails, ACDSee (latest version) no longer works, giving an "internal error" message and a white screen, instead of the image. Still, better than getting pwned.
Is there an extension that will at least keep the Firefox toolbars and menus available in pop-ups even if the Javascript prohibits it?
Being a security specialist, I can see how this would alarm you, but I think it's not so bad. There have been numerous 0-day IE exploits before and the world hasn't ended.
First of all, this worm requires SOME form of user interaction...they either must go to a website that uses it, or be chatting on specific IM app and get a malicious message. Second of all, due to the fact that 95% (yes, I pulled that stat out of my ass but I'm sure it's close) of Windows users run as admin, these exploits all assume admin privs and this fall flat on their face if run by a non admin user.
In a corporate setting users will normally (I HOPE) not be running as admin, which would effectively kill most if not all of the worms due to the fact that they assume admin rights, and AV apps are fully capable of deteting and blocking the actions of this exploit if they do get through.
There will be a patch soon, we will all apply it to our corporate networks and the world will continue to spin.
I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
WMF IS a script. now with root exploit goodness. :)
It's odd but I've noticed a lack of Microsoft cheerleading over the past couple of days. I'm sure as soon as a patch is made for this latest Windows exploit the cheerleading with resume with the usual vociferous putridity. Shine on!
Life is a gift. And my Karma couldn't possibly be 'Positive'
"reverse engineered"?
:( It was a single file, would have been pretty easy to read it and make sure it doesn't look like it does anything malicious, *then* compile it...
You do realize that the installer at hexblog dumps the source to the "install dir"? (The actual useful DLL goes into system32 instead...)
It would have been nice to have the option to get just the sources w/o the installer though
The 'patch' requires a reboot
Just thought I'd point that out for all you windows guys who worry about their up-time.
[Fuck Beta]
o0t!
JPG, PNG, GIF etc. all have headers that should surely be checked before displaying the picture. Do IE not do this?
In short, do i have to actively click a "Open this file" dialog on the browser?
I imagine the worm's authors wrote just enough to execute a vbs file.
In theory though, an entire virus could be written in the wmf file.
Msgr opens the file locally, and creates a small jpg which is sent to the friend you're talking to as thumbnail.
A nasty user, using the MSN network, not using the official client, and sending WMF data instead of a jpeg preview picture might cause some trouble though!
IMs and email are exactly the same. The only apparent differences are in the implementations and the default (and available) settings for the clients, as well as the meta-communication functions of most IM clients that simply duplicate the features of 'what are you doing right now' systems of the past such as finger. My email client can pop up a notice the second I recieve new mail, and even give me a text box to type a reply into. My IM client can store messages for me to read at my leisure. I can check my email on the web. I can check my stored IMs on the web. I can turn off my email client. I can turn off my IM client. Either way I can respond immediately or wait an hour. Either way the person on the other end has no idea what I am doing if I do not want them to.
How about the (at least) $500 you'll spend switching to the Mac? Not to mention the costs of repurchasing software like Office and Photoshop if you use those sorts of programs.
The system cost depends on if you were going to buy a new PC anyway, or if you are buying a new computer for someone else (like a business or a parent).
Furthermore most programs offer free crossgrades - Photoshop is one, and I think Office is at least reduced in price (not sure about that).
Switching to Linux means Photoshop or Office will not run at all - you can use replacements but they are not (quite yet) as compatible - I use Open Office all the time so I know how close it is but it's not quite there yet.
But really Linux is by any measure just not as easy to switch to as the Mac is right now. For some users it will be OK, for businesses with existing PC's I think it's perfect, but for lots of single users it's just not as good an idea at the moment (though it's getting there).
"There is more worth loving than we have strength to love." - Brian Jay Stanley
one word: fortinet
s ory.html
http://www.fortinet.com/FortiGuardCenter/wmf_advi
But then again, when it was discovered that there was a simple way to get into Hondas using a pencil, did people go out and explain what it was? This actually happened in about 1994, and Honda fixed the problem once informed of it. But were the details widely publicized? No.
/etc/passwd file on a modern UNIX machine. Do you see your crypted password in there? No? Well, perhaps there's a lesson to be learned there about whether obscurity really does have some value.
As to me offering "security through obscurity", you're trying to make a phrase fit that doesn't fit. Security through obscurity is to design a system where simply not knowing something is the security. Here I am merely speaking of not telling EVERYONE all the details of a security flaw while the company that is responsible fixes it. I didn't say you shouldn't tell Microsoft. I didn't say Microsoft shouldn't explain there is a vulnerability. I didn't even preclude details of the vulnerability being given out. I didn't even preclude someone writing an exploit to show it can be done.
What I did was condemn writing the most evil version of the exploit possible before the patch is even released, and then giving out the code so others can do it too!
You say it's to make virus scanners better. By making it bigger than an MTU, presumably to make sniffing firewalls better. Well, what about those of us who don't have sniffing firewalls? Am I well served by a metaexploit being written? And additionally, you say this will let people recognize the exploiters (worms) better. How are they supposed to do that? This program makes all the versions of its exploits look different. For that matter, how can someone even tell a legitmate user of this escape sequence from a worm? There are literally an infinite number of ways to write code that does identical things (exploit and propagate). So how can a program inspect code that is used with this escape command to tell if it propagates? Answer, it CANNOT. Even by running it you can't be sure, maybe you just didn't give it the right conditions under which to trigger.
The only thing that can be done is pattern matching, and this metaexploit defeats that.
Honestly, MS is just going to have to remove this feature and deal with the fallout. We just have to give them a little time to do it before handing weapons to those with criminal intent. It's like selling arms. It does increase fighting, even though in theory, people could already have made weapons to take out their greivances upon other.
Perhaps this flaw has been being used for years to get into machines. How does that excuse this? This metaexploit is neither going to undo that, nor is it likely to get MS to fix it faster. It just might get more people hurt before MS can write and test a fix.
In short, I do understand there are already some people who exploited this hole. But there's no reason to make the problem worse. And that's what releasing this code will do.
Additional note on "security through obscurity". The first major proponents of this were the people who decided that UNIX shouldn't hide passwords, instead just 1-way crypt them and store the results in a publically readable file (passwd). Well, guess what, they were wrong. UNIX got greatly boned by this decision. It was wrong for two reasons.
1. Because it allowed offline and parallel dictionary attacks on user passwords.
2. Because it meant that you couldn't use any "shared secret" type of authentication, because UNIX didn't know your password. It could recognize it if you sent your password to it, but it didn't actually know it. This led to a lot of difficulties with protocols like POP and FTP sending your password in the clear.
Take a look in your
http://lkml.org/lkml/2005/8/20/95
Can Microsoft Windows AntiSpyware (Beta) program protect our system from this problem?
You don't even have to download the patch! It just tried to display patch.jpg.wmf, and then my system was patched! Must have self healed or something...
Well that's nice that they are the same in your setup. But what about the 200 million other users who don't have their email integrated into their life like you do. For them IM is much more convenient and practical.
What's stopping Microsoft from running IE in some sort of a sandbox? That keeps all those apps running but IE would be a lot safer, and IE is mostly where the viruses are getting in.
No sig today...
1. Don't use the MSN client, use something like Gaim.
2. Don't use the MSN protocol, use something like Jabber, ICQ or Yahoo!
3. Don't use Windows, use something like Linux.
Hey, works for me. And has for years. And not just for safety reasons either, among other things, you should never ever feed the trolls!
The dynamic patch uses Sony $rootkit code. Great.
A WMF file *is* a script, it's a vector language like postscript.
And aren't most of Microsoft's vulnerabilities related to the wanton running of scripts without a user being aware that it's happening?
Quite often, but this is just a good old programming error.
I am trolling
Do all anti MS /.folk now have these images as their IM avatar?
"you should have used linux, like i told you to"
Yes, the bad guys have apparently been exploiting this for a little while. That's something we can agree upon.
But why does releasing the most evil version of it possible help anything?
I can see how it hurts, it helps those with criminal intent but no brains in making versions of the exploit that can't be detected.
But how does it help? It doesn't help make scanners better, as scanners have to pattern match and this defeats pattern matching. It doesn't help pressure MS, as they surely have a fire lit under them already.
Again, I ask not why would the "good guys" write an exploit, but why would they need to write a version meant to be undetectable? They are good guys, they don't have anything to hide, so why hide? You don't need to hide to see how the exploit works.
http://lkml.org/lkml/2005/8/20/95
So they have a few different options checked. The available options are still the same, as is the range of behaviors.
The fix is from Ilfak Guilfanov.
1 22005.html#00000756):
To quote F-Secure (http://www.f-secure.com/weblog/archives/archive-
"Now, we wouldn't normally blog about a security patch that is not coming from the original vendor. But Ilfak Guilfanov isn't just anybody. He's the main author of IDA (Interactive Disassembler Pro) and is arguably one of the best low-level Windows experts in the world.
More details from Ilfak's blog: http://www.hexblog.com./"
The guy is legit.
Big deal. If anything, that's part of the problem.
.wmfs. It just happens that the code in some cases might be evil. How do you analyze code to tell if it is evil? Answer, you cannot. There are literally infinite combinations of instructions that are evil.
Again, what does this help?
As to being merely *hard* to detect, I would say otherwise, well, at least as a practical matter.
Perhaps you don't understand this exploit. This isn't a buffer overflow issue, it's a legitimate part of the file format. You can embed code in
So, you could just look for the use of this escape sequence (that says code follows), and flag that as problematic. You'll flag legitimate uses too, but do you have any choice? And given that this is the way you have to do it, how does making variants of code designed to be difficult to pattern match help you see this escape sequence?
Again, I just don't see how this helps anybody but the bad guys, 100% disclosure or no.
http://lkml.org/lkml/2005/8/20/95
The image could be the text Got Firefox? No? You have now.
There you go, an antibody - uses the virus' vector to immunise the recipient.Or perhaps Trojan Hearse?
I just didn't like the analogy. It was a little grandiose.
You could have made the same point by talking about getting a new car/coffee maker/whatever if they issue a recall w/free repairs on some part or something.
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
vulgarly: "don't trust the firewall filters, don't trust the antivirus vendors, don't wait for Microsoft. Install the patch immediately. If you are running a Windows operating system the patch doesn't support, time to shut it off and wait."
--
Keylogger killed my marriage, but saved my life.