Slashdot Mirror


New IM Worm Exploiting WMF Vulnerability

An anonymous reader writes "Less than four days after the original mailing-list posting, there are reports of a new instant-messaging worm exploiting the unpatched Windows Metafile vulnerability. The worm uses MSN to spread, reports Viruslist.com."

81 of 360 comments

  1. How do I avoid it? Fixes? by Ruff_ilb · · Score: 4, Insightful

    These would be good things to know...

    --
    http://www.TheGamerNation.com/Forums
    1. Re:How do I avoid it? Fixes? by hahafaha · · Score: 2, Funny

      Perhaps the reason they posted it on Slashdot was that they were hoping that one of the thousands of programmers there would be able to fix it. ;-)

    2. Re:How do I avoid it? Fixes? by Ruff_ilb · · Score: 4, Funny
      Perhaps the reason they posted it on Slashdot was that they were hoping that one of the thousands of programmers there wrote it. ;-)

      Fixed ;)
      --
      http://www.TheGamerNation.com/Forums
    3. Re:How do I avoid it? Fixes? by ergo98 · · Score: 2, Informative

      How do I avoid it? Fixes?

      Follow the suggested action in the Microsoft advisory linked right up there above.

    4. Re:How do I avoid it? Fixes? by Maroulis · · Score: 4, Informative

      Microsoft suggests unregistering the problem DLL:
      start->run
      regsvr32 -u %windir%\system32\shimgvw.dll

      http://www.microsoft.com/technet/security/advisory/912840.mspx

    5. Re:How do I avoid it? Fixes? by Lehk228 · · Score: 5, Funny

      Use gaim; the image support is terrible, so you will be safe.

      --
      Snowden and Manning are heroes.
    6. Re:How do I avoid it? Fixes? by Anonymous Coward · · Score: 5, Informative
    7. Re:How do I avoid it? Fixes? by FhnuZoag · · Score: 4, Informative

      That works for some things, but not everything, because shimgvw is NOT the problem dll. The real problem is in gdi32.dll, which IIRC is too important to be removed.

    8. Re:How do I avoid it? Fixes? by R3NZ · · Score: 5, Informative

      There seems to be a first fix.

      There is now a "Windows WMF Metafile Vulnerability HotFix" available from Ilfak Guilfanov. Have a look here http://www.hexblog.com/2005/12/wmf_vuln.html

      The problem - and the fix - has also been discussed on GRC.com's Security Now podcast. Check out this link: http://www.grc.com/sn/notes-020.htm

    9. Re:How do I avoid it? Fixes? by gb506 · · Score: 3, Insightful

      We non-MS users may be ignorant, but not having to deal with the constant parade of Windows security exploits makes our ignorance extraordinarily blissful... ;)

    10. Re:How do I avoid it? Fixes? by nacturation · · Score: 4, Interesting

      That's about as helpful as advising tsunami victims that they move.

      For those who want actual advice: http://www.hexblog.com/ -- a fix which creates a hook to disable the affected code. The fix has been analyzed by Steve Gibson.

      --
      Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
    11. Re:How do I avoid it? Fixes? by cortana · · Score: 2, Funny

      Remove gdi32.dll until your vendor sees fit to provide you with a fix.

    12. Re:How do I avoid it? Fixes? by slugstone · · Score: 2, Insightful

      Own it! Can I sell it? Can I make a copy of it? Do I have the source code to look at? I feel like I am just borrowing it. This owner is slow to fix it.

    13. Re:How do I avoid it? Fixes? by Sinus0idal · · Score: 2, Informative

      Haha, analysed by Steve Gibson; well, NOW I feel safe. I think I'll take my advice from a proper security authority.

    14. Re:How do I avoid it? Fixes? by jrockway · · Score: 4, Insightful

      > Don't blame Windows lack of security, it's more its market share

      Explain to me, then, why IIS is less widely-deployed than Apache, but IIS has significantly more worms.

      --
      My other car is first.
    15. Re: How do I avoid it? Fixes? by Black+Parrot · · Score: 2, Insightful

      > There seems to be a first fix.

      By Tuesday we'll probably be getting e-mail trojans claiming to be a fix.

      --
      Sheesh, evil *and* a jerk. -- Jade
    16. Re:How do I avoid it? Fixes? by jZnat · · Score: 3, Informative

      Funny as that might be, we're already talking about how the current mandatory support for MSN custom smilies is both an annoyance and a security hazard (either 2.0.0beta1 or CVS, I forget which version). If the infected WMFs are even cached anywhere and a program like Picasa sniffs it out and uses the win32 GDI library, you still get fucked. Lovely!

      --
      'Yes, firefox is indeed greater than women. Can women block pops up for you? No. Can Firefox show you naked women? Yes.'
    17. Re:How do I avoid it? Fixes? by ltbarcly · · Score: 5, Insightful

      As soon as Windows is dead and "insert linux distro here" gets their market share we will still be hearing about the latest and greatest worms for that distro.

      Pure speculation. There is absolutely no reason to believe that market share is the cause of low security. Shitty programmers with little or no Q/A, and a huge festering codebase which is continually patched together with duct tape to keep it going, along with a refusal to force 3rd-party vendors to release software which runs properly (i.e. doesn't require local admin to run), cause security holes. For example, TOAD, some SQL development software for Oracle, requires, REQUIRES, full write privileges to the directory it is installed in, or it refuses to run. This is mainstream software, and is used probably by millions of developers. But it still places fucking ini files in the install directory.

      Don't blame Windows' lack of security, it's more its market share, transparency between versions to blame and the lack of brains on the end user's parts.

      Why would an end user suspect that opening a picture file could cause a virus to be installed on their computer? Windows doesn't have *bad* security, Windows has no security. In order to have a usable system you MUST run Windows as local administrator. Thus every program you run has the power to format your hard drive if it likes. Every process which is run and has a flaw has the potential to fuck your computer up.

      Transparency between versions? How does that cause poor security? Shouldn't the fact that MS recycles about 90% of their code between releases give them a lot more resources to track down those HUGE, GAPING holes in their OS?

      FOR CHRIST'S SAKE! Windows can be infected by a virus just by having certain things displayed on the screen! What an insane piece of shit it must be.

    18. Re:How do I avoid it? Fixes? by Heembo · · Score: 4, Informative
      This patch is a good start - but I would take a more defense-in-depth approach:

      1. unregister the ms pic and fax viewer dll
      2. make WMF file extension default to an erroneous app like notepad
      3. turn DEP up a notch
      4. turn off downloads in IE if you must use it (set default security settings to HIGH)
      5. load unofficial patch at http://handlers.sans.org/tliston/wmffix_hexblog13.exe - make sure you check against the md5 hash!!
      6. antivirus up to date, please check several times a day
      7. block all WMF files at the perimeter
      --
      Horns are really just a broken halo.
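    Added example, not code from this thread, from Microsoft, or from the hexblog/SANS patch: a content-based WMF detector in Python for the "block all WMF files at the perimeter" step above. Two points from the thread drive the design. First, unregistering shimgvw.dll only removes the most common viewer; the metafile player lives in gdi32.dll, so anything that hands a metafile to GDI is still exposed. Second, Windows identifies a WMF by its content, not by the .wmf extension, so a perimeter filter keyed on file names does not block a metafile renamed to .jpg. The detector therefore walks the metafile records by their binary layout and flags any META_ESCAPE record whose escape code is SETABORTPROC, the obsolete GDI escape named later in this thread as the flaw's location. The WMF layout constants come from the Windows Metafile format; the sample files are constructed inline (the flagged one is inert: an escape record with no data), and the function names and the verdict strings are this example's own.

```python
"""Content-based detector for WMF files carrying a SETABORTPROC escape.

Added example; not code from the thread or from any vendor. Format
constants are from the Windows Metafile (WMF) layout; names, verdicts
and the sample files below are this example's own.
"""
import struct

PLACEABLE_MAGIC = 0x9AC6CDD7  # Aldus placeable header key (little-endian DWORD)
PLACEABLE_SIZE = 22           # placeable header length in bytes
METAHEADER_SIZE = 18          # standard METAHEADER length in bytes
META_EOF = 0x0000
META_ESCAPE = 0x0626
SETABORTPROC = 9              # escape code this vulnerability abuses
MIN_RECORD_WORDS = 3          # rdSize (DWORD) + rdFunction (WORD) = 3 words


def looks_like_wmf(data: bytes) -> bool:
    """Identify WMF by content; GDI does too, so a .jpg name proves nothing."""
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        return True
    if len(data) >= METAHEADER_SIZE:
        mt_type, header_size, version = struct.unpack_from("<HHH", data, 0)
        return mt_type in (1, 2) and header_size == 9 and version in (0x0100, 0x0300)
    return False


def escape_records(data: bytes):
    """Yield (offset, escape_code) for every META_ESCAPE record in the file."""
    if not looks_like_wmf(data):
        return
    offset = 0
    if struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        offset += PLACEABLE_SIZE
    offset += METAHEADER_SIZE
    while offset + 6 <= len(data):
        rd_size_words, rd_function = struct.unpack_from("<IH", data, offset)
        if rd_function == META_EOF:
            break
        if rd_function == META_ESCAPE and offset + 8 <= len(data):
            # rdParm[0] of an escape record is the escape code
            yield offset, struct.unpack_from("<H", data, offset + 6)[0]
        # rdSize is in 16-bit words. Hostile files lie here, so never let the
        # size stall or rewind the walk: always step at least one minimal record.
        offset += max(rd_size_words, MIN_RECORD_WORDS) * 2


def has_setabortproc(data: bytes) -> bool:
    """True if the file is a WMF that asks GDI to install an abort procedure."""
    return any(code == SETABORTPROC for _, code in escape_records(data))


def classify(data: bytes) -> str:
    """Verdict for a perimeter filter: 'pass', 'wmf' or 'wmf-setabortproc'."""
    if not looks_like_wmf(data):
        return "pass"
    return "wmf-setabortproc" if has_setabortproc(data) else "wmf"


# --- constructed samples (no payload; the flagged files are inert) ----------

def _record(function: int, *params: int) -> bytes:
    words = MIN_RECORD_WORDS + len(params)
    return struct.pack("<IH", words, function) + b"".join(struct.pack("<H", p) for p in params)


def _wmf(records: bytes, placeable: bool = False) -> bytes:
    # METAHEADER: mtType, mtHeaderSize, mtVersion, mtSize (words), mtNoObjects,
    # mtMaxRecord, mtNoParameters
    header = struct.pack("<HHHIHIH", 2, 9, 0x0300, (METAHEADER_SIZE + len(records)) // 2, 0, 0, 0)
    body = header + records
    if placeable:
        body = struct.pack("<I", PLACEABLE_MAGIC) + bytes(PLACEABLE_SIZE - 4) + body
    return body


META_SETBKMODE = 0x0102
BENIGN_WMF = _wmf(_record(META_SETBKMODE, 1) + _record(META_EOF))
SUSPECT_WMF = _wmf(_record(META_ESCAPE, SETABORTPROC, 0) + _record(META_EOF))
SUSPECT_PLACEABLE = _wmf(_record(META_ESCAPE, SETABORTPROC, 0) + _record(META_EOF), placeable=True)
NOT_WMF = b"\xff\xd8\xff\xe0" + bytes(40)  # JPEG-like header, not a metafile


if __name__ == "__main__":
    for name, sample in [("benign", BENIGN_WMF), ("suspect", SUSPECT_WMF),
                         ("suspect-placeable", SUSPECT_PLACEABLE), ("jpeg-ish", NOT_WMF)]:
        print(f"{name:18s} {classify(sample)}")
```

    Feed `classify()` every file that crosses the perimeter, whatever its extension or declared content type; a verdict of "wmf" is a policy decision (the list above blocks all metafiles), while "wmf-setabortproc" is a file no legitimate picture needs. The walker deliberately tolerates bad record sizes instead of bailing out, because a malformed size field is exactly what a hostile metafile tends to carry.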
    19. Re:How do I avoid it? Fixes? by nacturation · · Score: 2, Informative

      Haha analysed by Steve Gibson, well NOW I feel safe.

      Security researcher he isn't (really), but I do respect his ability to code. At any rate, for those who don't know why that's potentially laughable, see the GRC sucks website.

      --
      Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
    20. Re:How do I avoid it? Fixes? by Anonymous Coward · · Score: 3, Informative
      Ha! You're right. Until I order my Mac (after macworld next week) I'm still using XP sometimes on my machine that dual boots with Linux. I checked into setting up a 'user' (non-administrator) account on XP. According to this page:
      Note - Some programs might not work properly for users with limited accounts. If so, change the user's account type to computer administrator, either temporarily or permanently.
      That right there is Microsoft's solution. Absolutely breathtaking....
    21. Re:How do I avoid it? Fixes? by (negative+video) · · Score: 3, Insightful
      Shitty programmers with little or no Q/A, and a huge festering code base which is continually patched together with duct tape to keep it going
      Why isn't this drivel modded as flamebait?
      Because it's true.
      If you have even a shallow knowledge of Microsoft's engineering practices you would know that their Q/A is probably the most intensive that any software company has on the planet, and it's getting more intensive every day. Want an example? The ASP.NET team had 505,000 test scenarios for ASP.NET 2.0 that it had to pass 100% before they would lock it down as RTM.
      We're not talking about one bleeding-edge product from one particular team, but rather the tens (hundreds?) of millions of lines of code haphazardly thrown together over the past few decades. It is claimed that the present flaw is in an obsolete interface (the SETABORTPROC GDI escape) provided for compatibility with ancient programs designed for DOS/Win16.
      This problem is an extremely difficult one to solve, and a lot of it has to do with Microsoft's failure to produce specs and guidelines from the start that let ISVs know what they needed to do to make sure software ran as non-admin.
      No. The sole and exclusive cause is that the IDE (compiler and friends) has to be run as Administrator, because Microsoft is too lazy to fix even a single application. This is despite having solid gold opportunities when it was rewritten from scratch three times*, and substantially redesigned several more times.

      This is the cause for a simple reason: Imagine you're a programmer making an app that runs properly as a less-privileged user. You do a little developing. You log out. You log back in as a less-privileged user. You test the app, using printf as the main debugging tool. You log out. You log back in. You restart the IDE and get everything back like it was. You do a little developing. And so forth. It's a waking nightmare of the type formerly encountered only in H.P. Lovecraft stories.

      Microsoft's tools punish you for trying to do the right thing, because they want bad software so the customers expect to be on an upgrade treadmill.

      *The original total rewrite of the C-language tools, the Java toolset, and the CLR toolset.

      The security model in Windows is actually more extensive than the security model in most flavors of Unix, including Linux.
      Indeed. If only Bill Gates had put sane people like Dave Cutler (NT kernel chief architect) in charge of every major project, instead of whoring out the codebase in a mad dash to squash Netscape and Sun. It's one thing for a tiny company barely staying afloat to cut standards, and entirely another for a rich company with billion dollar piles of cash lying about. The former is understandable, the latter is recklessness bordering on malice.
    22. Re:How do I avoid it? Fixes? by ltbarcly · · Score: 2, Interesting

      their Q/A is probably the most intensive that any software company has on the planet

      A bunch of automated tests for one piece of software will prevent bugs which affect *functionality*. They cannot find bugs|vulnerabilities which are the result of poor design.

      And as for MS making good software, Windows does not even come with a plain text editor which can handle UNIX line termination! Notepad shits all over it, and Wordpad is NOT a reasonable editor to edit source or shell script code. EVERY OTHER text editor in the world, from nano, vim, joe, emacs, the OSX text editor, even fucking DOS edit can handle Unix line termination properly.

      MS's goal is to prevent interoperability with any other OS, and within their OS prevent the creation of software which can run on more than one platform. Beyond that they fail in everything.

    23. Re:How do I avoid it? Fixes? by ltbarcly · · Score: 2, Insightful

      How about an example of bad design in Windows?

      Let's see... How about forcing you to run even much of microsoft's own software as local admin in order to get it to work?

      How about running active X code with the same privileges as the current user? Hundreds of exploits have depended on this... clearly bad design.

      Instead of closing these ongoing and massive security holes, they have now released anti-spyware as a solution. So MS's idea of security is to have a daemon which can recognize and kill any known threat (which will always be one step behind), instead of just closing the holes those threats make use of.

      Of course, I could just point out the huge insane flaws in previous versions of windows, such as the screen saver running as local administrator, and so changing the screen saver to cmd.exe would give one administrator access in NT, or a malformed packet to a certain port bluescreening 98, but you would just reply that "they are better now!". Which is hard to dispute, not because it is true, but because we don't know of all the huge holes that may still be discovered in Windows. You might claim that they aren't there, but that is just arguing from ignorance, and the fact is we don't know. Every single piece of evidence and experience says that they are there and that they are potentially killer threats.

      Now I'm going to appeal to my own lying eyes. I rarely surf the web for more than 5 or 6 hours before explorer.exe mysteriously dies and has to restart itself. You'll notice when this happens because everything on your screen goes away except your desktop wallpaper, and about 8 seconds later your desktop and programs reappear (sometimes) and every instance of explorer or internet explorer is missing. Sometimes this will happen repeatedly in a short period of time, other times it won't.

      Another example from the lying eyes department. Windows gradually gets slower, and errors start appearing more and more often, as the uptime increases. After about a week or two of uptime on a desktop machine outlook starts to wig out, things paint slowly, applications start to grind to a halt, etc etc. Despite repeated claims to the contrary, this continues to happen even in the newest and most patched versions of windows.

      In windows I have to run a virus scan daemon. If I don't I will be infected with a virus within a few days of web surfing. Unless I use Firefox, which doesn't seem to have all the gaping vulnerabilities of IE in this regard.

      At work I routinely have to fix computers which are infected with spyware. These machines are fully patched, not that they should allow magic remote spyware installation by default. The user manages to get spyware, not by installing software or running an executable, but merely by clicking on links which have been emailed to them to "look at the funny movie/picture on this website". This is a FUCKING MASSIVE SECURITY CONCERN. There is nothing preventing this spyware from phoning home with lots of information, screen shots, and files from the users computer, including keylogs etc etc.

      And since you are accusing me of changing the subject, how does 4 hundred bajillion automated tests have anything to do with Q/A in the sense of vulnerabilities? See: http://www.asp101.com/articles/john/kb887289/default.asp

    24. Re:How do I avoid it? Fixes? by timcharper · · Score: 2, Insightful

      Linux isn't perfect either. I believe no OS is. Probably because it's made by people, and people make mistakes. Give Windows a break. They have a big load to carry. A lot of the things they do are great. Granted they may do some that don't seem so great, but they are in the biggest spotlight. All the guns are pointed at Windows users because they are the majority. They undergo the most fire. Parts of my Linux distro break from time to time because of upgrades. Luckily Linux also provides me with the tools to fix it myself. I'm not saying which OS is better, but Windows XP definitely isn't a piece of crap. It's really great and has its place. It has some great components - the device manager is great. It's much easier to install a printer in Windows than in Linux. A lot of things are easier to do. It's great for people who really don't care about what's going on in their computer, but just want it to work. There's really no need to flame about it or get upset. Just let it be.

  2. Happy New Year! by Pedals · · Score: 4, Funny

    Well that didn't take long.

  3. temporary fixes by Phil246 · · Score: 5, Informative

    There is information available on temporary fixes from the following sites
    http://isc.sans.org/diary.php?rss&storyid=996
    http://www.f-secure.com/weblog/#00000760
    http://www.grc.com/sn/notes-020.htm

    Be aware the runnable patch is completely unofficial; the only action Microsoft suggests is unregistering a vulnerable DLL, which only mitigates the most common method of exploitation while not fixing the underlying problem.
    NFI how long it will take Microsoft to have an official patch out, but from the SANS site, it doesn't look promising that it will appear soon.

  4. Developers, stop using ... by IAAP · · Score: 3, Interesting
    POP-UP windows!

    From MS' site: 4: Block pop-up windows in your browser

    My credit union requires that I allow pop-ups! I don't know how many times I've gone to legitimate websites and scratched my head for a while trying to figure out why I wasn't seeing anything - all because I'm blocking pop-ups! Firefox tells you with that little message on top of the window, but you know how it is, after a while, you don't notice it anymore.

    1. Re:Developers, stop using ... by Anonymous Coward · · Score: 4, Informative

      Block popups in the Internet security zone and allow them in the Trusted zone, then add your credit union to the list of sites you trust and refresh the page for the settings to take effect. Basically you need to create a whitelist of trusted sites while blocking all the riff-raff. It doesn't matter what version of IE you use: install the IE 5.5 Power Toys, which will add two settings to the Tools menu called "Add to restricted zone" and "Add to trusted zone". It ain't rocket science.

    2. Re:Developers, stop using ... by CodeBuster · · Score: 2, Informative

      You can allow a popup to be shown in IE on a per-instance basis, whether the site is trusted or not, by holding down the CTRL button while clicking the link that launches the popup window. If the site uses JavaScript to automatically launch popups and you absolutely must use it, then you can also add the site to your list of trusted sites under Tools->Internet Options->Security tab. It makes sense to add your online banking portal to the list of trusted sites anyway.

  5. Re:MSN? by sucker_muts · · Score: 5, Informative

    You MUST mean MSN Messenger.

    Netherlands being the place where it first appeared, and being from Belgium myself, I can say that everybody here simply says 'MSN' when they mean 'MSN Messenger'.
    It's more common in Europe anyway to use MSN instead of the other popular IM networks used throughout the USA and other countries. IM was never popular with non-geek computer users here, and when broadband internet (with a fixed price/month) arrived most teenagers (the primary group of users in Europe) all started using MSN Messenger.

    --
    Dependency hell? => /bin/there/done/that
  6. There needs to be... by Caspian · · Score: 3, Interesting

    ...a dedicated, well-written, well-publicized effort to educate the general public about this sort of thing. We need to establish a meme among the Joe Sixpacks, Moms and Dads, and Grandma Sues of this country that they're foolish if they don't read stories on [whatever].com each week. And on that site, we need to explain, in plain English, [A] what the flaw could do to their computer, [B] what they can do to temporarily/permanently fix the flaw, and [C] what the flaw is due to (99% of the time, this will be 'due to Microsoft software').

    Microsoft obviously isn't interested in having an educated user base, or they'd make such a site themselves and advertise it extensively.

    Who's with me?

    --
    With spending like this, exactly what are "conservatives" conserving?
    1. Re:There needs to be... by W2k · · Score: 3, Insightful

      The problem isn't that the user base is completely uneducated - it's that for the majority of the educated users on Windows, they're not switching because THERE'S NOTHING BETTER TO SWITCH TO. I'm not trolling; I'd be off Windows in a heartbeat if I had the option. I've replaced pretty much everything else on my box with FSS/OSS alternatives. Windows remains because for the stuff I do with my computer and the expectations I place upon it, there's nothing else to use.

      --
      Quality, performance, value; you get only two, and you don't always get to pick.
    2. Re:There needs to be... by Spoing · · Score: 3, Interesting
      If such a site were to exist, people would start catching on that it's all Microsoft's fault in the first place. Then people *would* switch to other systems.

      Nope.

      I've had conversations with regular non-techy people. They don't get it; they think that they are safe and/or don't want to think about the dangers or alternatives. Ever. It is not possible to convince them and if you point them to a technical site, they will ignore it. They must come to the decision by themselves after long years of abuse, if they drop Windows at all. That said, to my surprise, my brother in law decided to get a Mac Mini for his kids this Christmas. I gladly helped them configure it and bring over data from the old Windows box they (unfortunately) still use. I've given him that advice for about 5 years, and did not talk with him about it for the last 6 months...so whatever I've said or pointed out to him had very little to do with his decision. (My brother-N-L is a smart guy and does not ignore most other advice w/o good reasons.)

      Personally, I just refuse to help them to secure the Windows-based systems they chose to use unless it is a single-function server that I can configure how I see fit. I do reinforce with them just how hard it is to use Microsoft's products in a safe manner; 'exceedingly frustrating and still I'm unconvinced that it is secure when I'm done' is a phrase I use often.

      NOTE: I _DO_NOT_ subscribe to the idea that if you keep a system updated with the current patches, use a firewall, and be careful, it is safe to use. If that system is safe, it is more by luck and chance and not by your hard work. This exploit is a perfect example of how all those methods fall apart and can not be relied on.

      --
      A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
    3. Re:There needs to be... by tsa · · Score: 2, Interesting

      My ISP regularly sends me emails about new MS vulnerabilities and what to do about them. I chuck them immediately because I use Windows only for playing games, but the fact that they send these mails means that a lot of Joe Sixpacks get to know about the dangers and can do something about it. I think that the main reason Joe Sixpack doesn't use non-MS software is that when something on a computer is more difficult than 'click here', 90% of people don't even try. And another thing: people stick to what they know. That's very hard to change.

      --
      Cheers!

    4. Re:There needs to be... by HairyCanary · · Score: 3, Informative

      With the exception of games (and I don't play PC games anyway), my Mac does everything Windows can do, plus some. I've been a die-hard PC guy, anti-Mac for a long time. Until I decided that I was done with Windows, and looked for alternatives. Linux just isn't quite there yet as a good, usable, stable day-to-day desktop operating system. But MacOS X is. And I've even grown to appreciate some of the ways in which it is superior to both Windows and Linux from a usability standpoint, even ignoring the well known security advantages.

    5. Re: There needs to be... by Black+Parrot · · Score: 4, Insightful

      > Windows remains because for the stuff I do with my computer and the expectations I place upon it

      If people would aim their expectations at their software vendors rather than their computers, that problem would go away.

      --
      Sheesh, evil *and* a jerk. -- Jade
    6. Re:There needs to be... by Hosiah · · Score: 3, Insightful
      Who's with me?

      We've all been trying this years ago. But just yesterday, I got my ass kicked down to troll and flamebait for daring to suggest that Linux/Open Source/OS X/BSD/Anything-but-Windows is anything but an utter turd. What hope is there to educate a public who cannot get past the idea that the internet is just AOL and Bill Gates invented the computer and a hundred other misconceptions? You're advocating college education for people who can't pass kindergarten.

      From my ledge, I see it as counterproductive to call users "Joe Sixpack" and "Gramma". These are false stereotypes. Given the opportunity, anybody can learn. Nobody was born knowing Windows 20 years ago, but it caught on, didn't it? There's more "for Dummies" books where "DOS for Dummies" came from.

      But yeah, I do my part to post hints 'n' tips every other day on my geek blog, but it's more directed at people who've already found Linux. I tried in a past life to do similar for Windows users, and got nowhere: it's a hole with no bottom.

    7. Re:There needs to be... by HairyCanary · · Score: 2, Informative
      I have a pair of Linux PCs in addition to the Mac Mini I use for daily activity. One of the Linux boxes runs Fedora Core 4 (it usually does duty as my MythTV box, though, not a regular desktop), and the other box runs OpenSUSE 10. I'm not sure either of these distributions really qualifies as junk.

      Having used both, I stand by my comment that they're rough around the edges. Not hard to use, perhaps, but they have a number of odd behaviors that are not intuitive to anybody who isn't familiar with them. And Linux lacks the one big thing MacOS has -- easy support for the most common media types, including Windows Media and QuickTime. Trying to get Linux to support both of these is an exercise in futility. Sure it can be done, but not by Joe Schmoe. It's all in the little details, and these are just two little details among many.

      Disclaimer: I am a professional Unix Systems Administrator with almost a decade of experience (and I've been playing with Linux since before it had Ethernet support ;-)). If I can see the potholes in the user experience, what do you think it's like for someone who doesn't have the background to understand why it is the way it is?

    8. Re:There needs to be... by HermanAB · · Score: 2, Informative

      Well, by switching to Linux, you basically trade one headache for another, but I can assure you that the Linux headache is much smaller and less frequent. Most people who complain about Linux do so because they tried some 5-year-old version or tried to use last year's Red Hat or Fedora. If you would install a current Mandriva or SUSE, however, then you won't look back. Anyhoo, my notebook PC is dual-booting XP/Mandriva. I only use XP for deliberately infecting and trying out virus fixes before I go and fix a client's machine...

      --
      Oh well, what the hell...
    9. Re:There needs to be... by Q2Serpent · · Score: 2, Insightful

      Just because you get everything you need from your Mac doesn't mean it can replace Windows for everyone else. It's a crummy world, but some of us still rely on software that is Windows-only. As long as certain vendors still publish Windows-only software and certain businesses still require their use, many users will be stuck on Windows. C'est la vie. No amount of "Mac does everything I need it to" will change that.

    10. Re:There needs to be... by dbIII · · Score: 3, Insightful
      With the exception of games (and I don't play PC games anyway), my Mac does everything Windows can do, plus some
      There is a lot of in-house software out there - which is why MS Windows 98 was installed on a few single-purpose machines where I work this year. The current developers are making all new software as portable as they can - and not developing to the moving MS Windows target.

      The earlier poster was correct - some people have no choice but to use MS Windows - but the answer, as it has been for years, is not to let their machines onto the net without adult supervision. I completely block this MS Windows clone of IRC and it doesn't bother anyone - using instant messaging for business communication is a braindead idea anyway unless everyone is tied to their desks and focuses on short-term tasks, and luckily I don't work in such an environment.

  7. Another GOOD reason not to run IM! by jackb_guppy · · Score: 3, Interesting

    IM is just a personal private email system, period. Try using email; you can even use filters to pick your friends' messages out of the background noise, like inter-departmental mail.

    To fix the security risk of IM, either you give up the point-to-point email that it is, to force it through filtering servers (sounds like email there again), or the anti-virus programs on every machine will have to start filtering all that traffic too (wait, they are doing this for email today also!!)
    --
    When will people learn that NEW is not always GOOD.

    1. Re:Another GOOD reason not to run IM! by unity · · Score: 5, Insightful

      My customers use IM. My coworkers use IM. I use IM.

      IM is potentially the most influential communication medium since email.
      I have had quite a few of my customers tell me that "The simple fact that I can reach you via IM, has made your company's service better than any other partner."

      IM is "instant", offers logging of communications and doesn't require somebody to check their email (it pops up on their screen). In many ways it is a better communication tool than other options: phone, email or fax. You can even use it to see if somebody is in the office yet, or out to lunch. I could go on and on...

      Feel free to not use it; the rest of the modern business world won't be joining you.

    2. Re:Another GOOD reason not to run IM! by the_macman · · Score: 2, Insightful
      IM is just a personal private email system, period. Try using email; you can even use filters to pick your friends' messages out of the background noise, like inter-departmental mail. To fix the security risk of IM, either you give up the point-to-point email that it is, to force it through filtering servers (sounds like email there again), or the anti-virus programs on every machine will have to start filtering all that traffic too (wait, they are doing this for email today also!!)
      Ummm, not really. Half the people I know check their email via the web and have to log in every time, vs. IM where you just keep a small window open (in fact you can minimize it) and messages pop up if someone contacts you. Plus with IM, when I send someone an IM I *know* if they are in front of their computer that instant, or idle, or away. Plus according to your plan it's efficient to send an email to someone saying "Hey wanna go to the movies tonight" only for them to check their email the next day.
    3. Re:Another GOOD reason not to run IM! by S.O.B. · · Score: 3, Insightful

      I am forced to use IM at work and all the benefits you list also have negatives associated with them.

      Being "instant" allows people to annoy you for any little thing. The dozen or so phone interruptions I used to get a day are now 20-30 IM interruptions.

      "Logging of communications" also means you have no privacy. And if you think your boss isn't tracking you by your IM status you're kidding yourself.

      Screen popups mean that you don't have to wait for the recipient to check their email/vmail but it also means that you just interrupted what they were doing. I don't know how many times I was trying to solve a problem and I got IMed by multiple people asking if I had solved the problem.

      The difference between IM and previous forms of communication is that I used to have a choice.

      --
      Some of what I say is fact, some is conjecture, the rest I'm just blowing out my ass...you guess.
  8. Re:Macs by Hiro+Antagonist · · Score: 4, Insightful

    Talk about trolling flamebait. Apple makes money on hardware, not operating systems, so it behooves them to make their operating system work on their hardware. The nice thing about this is that they make some damn nice hardware (I'm typing this on a PowerBook), and that they have very little incentive to 'feature-pack' their OS like Microsoft does -- so you get less in the way of quirky 'features', and a hell of a lot of functionality.

    Plus, OS X is a Unix, which means it plays nicely with other Unices, and it behaves like a Unix on the command line -- so I get all the power of pipes, vi, Bash, the BSD ports collection (a la Darwinports), gcc, and so on. On the GUI side, it behaves like a Mac -- and I think you'd be hard-pressed to fault Apple for their GUI design.

    Best of both worlds; you just have to shell out a slight premium for the hardware, and given that you get a REAL OS with it, I'd say that Mac offers a better bargain for the desktop user than any Dell or Gateway.

    --
    I Hit the Karma Cap, and All I Got Was This Lousy .sig.
  9. It's worse than that by Anonymous Coward · · Score: 5, Insightful
    I do infosec stuff at a well-known corporation, including Incident Response, and I've been following this closely & working on our response.

    Since the first exploit came to light, H.D.Moore of the Metasploit project has reworked the original package they did. The new exploit spits out exploit WMF files that come:

    • with a random size;
    • no .wmf extension, (.jpg), but could be any other image extension actually;
    • a random piece of junk in front of the bad call; carefully crafted to be larger than the MTU on an ethernet network;
    • a number of possible calls to run the exploit are listed in the source;
    • a random trailer
    This makes it rather hard for antivirus and IDS sigs to detect it, though Snort and the A/V people are working late over their holidays to improve detection.

    SANS/ISC have provided excellent continued summaries of events around this. Here's their FAQ on the issue.

    This is looking truly horrible. On Tuesday morning zillions of Windows desktops will be fired up for the first time in a week or two. This thing's already in widespread use by a number of malware distribution networks for the usual reasons. As such it's a nightmare for network and system admins with Windows machines to look after (and us security people trying to provide advice & assistance for them...) But the stealth nightmare is that this is an absolute jackpot for the less visible targeted attacks, such as those emanating from China for the past couple of years (google around; Slashdot and Schneier have covered this as well as many other places.) There are also the opportunistic types who see an easy opportunity to pwn some key machines where they work, say. I will stick my neck out here and make a prediction. Virtually all organisations with Windows machines are effectively wide open to total compromise by a reasonably informed person. That means much of the IT dept as well as significant numbers of the 'interested poweruser' types, developers with a casual interest in security,.. anyone who's heard of this and is capable of finding, running and using the new exploit, basically. Of course we're all tweaking our IDSes and antivirus, locking things down as tight as possible in the 48 hours remaining, but... *shudder*

    For ten years I've been waiting for Microsoft's luck to run out. This is about #3 on my list of catastrophic MS incidents. There aren't many ways things could be worse.

    It will be a good time to be running Linux on a work machine, though :)

    1. Re:It's worse than that by Lehk228 · · Score: 4, Insightful

      this is MUCH worse than a network worm.

      worms are pretty easy to seal out with a firewall and are easily patched. this exploit allows all sorts of local user exploits in a corporate environment. it also so far has been able to fly through hardware and software firewalls of all shapes and sizes.

      --
      Snowden and Manning are heroes.
    2. Re:It's worse than that by borderpatrol · · Score: 5, Informative

      I work for a major electronics retailer in the Service department. Most of our duties are simple PC repair, data backup, and virus/spyware removal.

      I have seen in the past week our work increase 5 fold because of this exploit. What is normally a very slow time of the year for us has become very busy for us and it's making me nervous myself.

      We had a few customers who bought brand new computers and laptops and are bringing them back the same day with this exploit. A quick check reveals that their Norton was up-to-date, yet this stuff still slipped in. Other customers are getting this thing left and right. Unfortunately I don't have much to tell them except to keep updating all your security products daily, as it's only going to get worse before it gets better. Hand them a copy of Norton and Sunbelt Counterspy and tell them good luck.

      I do believe there is a bit of social engineering planned into this. Customers with year-end financials, tax season starting up, holiday credit card payments and statements coming through. A very ripe time for plucking financial and personal data. And with this being an extended holiday weekend, this exploit has a bit of time to fester and refine itself before the big trojan/virus with a major payload slips past the AV and adware detections and onto millions of computers. What happens when someone combines this exploit with a backdoor into a major ad server network? Imagine the damage then.

      I'm doing the best I can at my house against this thing, but looking at the 7+ Windows boxes I'm now worrying about updating, installing, patching and unregistering, and the 1 Apple laptop I haven't had to restart in 6 months, and I wonder if this is going to be the big one that really gives Microsoft the black eye it can't recover from.

      --
      Yeah I've been starving them, teasing them, singing off key. Me may mah mo, me mo ma me.
    3. Re:It's worse than that by borderpatrol · · Score: 3, Insightful
      This too slips right past Internet security packages such as Norton and McAfee. For the money people pay for AV protection the vendors really need to get their act together in my opinion.

      But this is where the issue lies and why IMO viruses are of virtually no threat anymore, it's going to be all ad/spyware from here on. For instance, I finished up a cleanup of a machine yesterday. Went through it with 1 AV scanner, and 7 different AntiSpyware tools, plus had to go in by hand and do manual removals. 1 virus, over 36 different ad/spyware programs from over 900 traces. Norton was of course expired and hadn't been updated in 8 months.

      When the virus fight used to be AV Companies vs. Johnny Scriptkiddy, it's now AV Companies vs. Permission Based Marketing (read: Adware) companies, or an army of zombie bots controlled by the Russian Mafia.

      Companies like Symantec, McAfee, and Microsoft are very careful to step on toes in labeling other companies' products as ad/spyware. Those very companies profiting from the adware also have their own army of lawyers and will file suit against anyone who dares to defile their product! After all, you read the EULA, right?

      So when a customer tells me she still has Norton and she wants to know why she is still getting popups, I have to explain to her what the difference between viruses and adware is, and why Norton just plain sucks for the new threats we face.

      Never thought I would wish for the days of Melissa again, lol

      BTW, Sometimes after a cleanup I install MS AntiSpy and Firefox with the IE Theme (http://www.firefoxie.net/). Just change that blue "e" to point to FF, and they're just a bit more secure.

      --
      Yeah I've been starving them, teasing them, singing off key. Me may mah mo, me mo ma me.
  10. Great.. by wfberg · · Score: 2, Interesting

    Microsoft recommends, for the time being to just

    regsvr32 -u %windir%\system32\shimgvw.dll

    BUT according to this analysis, the real fault lies with gdi32.dll! How the hell do you get rid of that? It's about as deeply embedded in Windows as, say, glibc is in Linux distributions..

    --
    SCO employee? Check out the bounty
    1. Re:Great.. by Anonymous Coward · · Score: 2, Informative

      The problem is not with gdi32.dll. The problem is with the way the WMF handler uses the SetEscape() API.

      Pointing the finger at gdi32.dll is like running a malicious script that executes "rm -fr /" and blaming the rm executable when your files disappear.

  11. What you gonna do, internet..... by Channard · · Score: 3, Funny

    ... when Hulkamania runs wild on you? Oh, wait, WMF. Never mind.

  12. Most importantly: THERE IS A FIX by FhnuZoag · · Score: 5, Informative

    It's unofficial, but it works.

    http://www.hexblog.com/2005/12/wmf_vuln.html

    1. Re:Most importantly: THERE IS A FIX by W2k · · Score: 2, Informative

      Parent is a troll who obviously didn't even RTFA. This patch is legit, it comes with complete source code, and it's been verified good by at least one third party, Steve Gibson of GRC.com. It immunizes against the vulnerability and has no known ill effects. It's as good a counter-measure as there can be before an official fix is released.

      --
      Quality, performance, value; you get only two, and you don't always get to pick.
    2. Re:Most importantly: THERE IS A FIX by chris_eineke · · Score: 3, Insightful

      You actually want to trust Steve Gibson? That's a pretty bold move.

      --
      "All you have to do is be fragile and grateful. So stay the underdog." Chuck Palahniuk, Choke
  13. Ah, Slashdot... by SheeEttin · · Score: 4, Funny

    Ah, Slashdot... where the first post is modded "redundant".

  14. Fearmongering by eddy · · Score: 4, Interesting

    What we need now is for someone to find a remote exploit in a popular webserver and combine both exploits into a worm, 'cause then we're all really fucked.

    --
    Belief is the currency of delusion.
  15. Is this the exploit reported back in November? by Animats · · Score: 2, Interesting

    An exploit of "gdi32.dll" using a WMF file for the attack was documented back in November. Does this new exploit use the same attack approach?

    1. Re:Is this the exploit reported back in November? by Heembo · · Score: 4, Informative

      This is the same basic exploit - but the seriousness and criticality is dramatically higher. A malicious file can carry any file extension and be of any random size and still be a WMF file on the "inside" and still have an "arbitrary code" payload. Most security groups are way freaked out now since IDS/IPS and AV patches are not catching this completely yet. Check out http://isc.sans.org/diary.php?rss&storyid=994 for a more in-depth answer.

      --
      Horns are really just a broken halo.
  16. Comment removed by account_deleted · · Score: 3, Interesting

    Comment removed based on user account deletion

  17. Re:Can't think with a hang-over by ettlz · · Score: 5, Funny

    Seven Sony rootkits,
    Six keystroke loggers,
    Five porn diallers!
    Four Exploit.WMFs,
    Three Mytobs,
    Two Bifrose-Ds,
    And a homepage stuck on goatse.

  18. Straw Man, Mod Parent Down by Moth7 · · Score: 2, Insightful

    No one said that using something other than Windows would solve all security problems, only this one. The grandparent was entirely correct in its observation.

  19. Do. This. Now. by Bozdune · · Score: 4, Informative

    Get a patch here: http://www.hexblog.com/2005/12/wmf_vuln.html

    All the necessary information and explanation (plus q/a) is here. This is the only hope at present. Good luck to everyone on Jan 2 when this thing takes over the world.

  20. VBS in WMF? WTF?! by void*p · · Score: 2, Informative

    Why in the world would a WMF file need to be able to execute a script? And aren't most of Microsoft's vulnerabilities related to the wanton running of scripts without a user being aware that it's happening?

  21. Re:so... by borderpatrol · · Score: 5, Informative
    ...Because it's a simple image. Who would think that an image can deliver such a nasty payload? It doesn't need any user interaction. This blows right through fully patched copies of Windows, and IE opens and executes it automatically (video here - http://www.websensesecuritylabs.com/images/alerts/wmf-movie.wmv)

    Does your website have an image on it? It can be exploited that way. Does your email render HTML, even with scripting turned off? It can be exploited that way. A few trusted sites have been compromised with this exploit. Some seedier ad networks (with hundreds or thousands of affiliates) are using this to generate cash. There is no patch for Windows ME, 98, or 95 and there never will be, as these OSes are unsupported. These systems will ALWAYS have this vulnerability.

    Imagine if someone uploaded this to MySpace (http://www.alexa.com/data/details/traffic_details?q=&url=www.myspace.com/), as they allow full HTML formatting, embed, iframes and all kinds of crazy crap. One exploit on a popular blog will cause A LOT of damage.

    --
    Yeah I've been starving them, teasing them, singing off key. Me may mah mo, me mo ma me.
  22. I'm doing the best I can... by symbolset · · Score: 4, Informative
    I'm doing the best I can at my house against this thing, but looking at the 7+ Windows boxes I'm now worrying about updating, installing, patching and unregistering, and the 1 Apple laptop I haven't had to restart in 6 months, and I wonder if this is going to be the big one that really gives Microsoft the black eye it can't recover from.

    If you're an IT pro and you're running Windows at home, you should have your boxes imaged so you can just unhook from the net, image, apply the fix, take a new image and hook back up to the net. Seven boxen shouldn't take you more than a couple hours -- less if you use a standard image.

    If you're setting this up for the first time, don't forget to redirect "My Documents" to a different partition, or better yet a server with a backup regime. Oh, yeah, and choose the "Activate Windows over the phone" option before you make your first image so you don't have to re-activate each time.

    If you're an IT pro and you're not using Windows at home, take the extra hours and spend some holiday time with your friends and family. Life is short.

    --
    Help stamp out iliturcy.
  23. Adding the other days and some emphasis... by game+kid · · Score: 5, Funny

    Twelve IRC bots spying,
    Eleven worms-a-wriggling,
    Ten Paypal phishes,
    Nine ActiveX holes,
    Eight Blaster variants,
    Seven Sony rootkits,
    Six keystroke loggers,
    Five porn diallers!
    Four Exploit.WMFs,
    Three Mytobs,
    Two Bifrose-Ds,
    And a homepage stuck on goatse.

    (You, ettlz, rock.)

    --
    You can hold down the "B" button for continuous firing.
  24. why would they do this? by YesIAmAScript · · Score: 2, Interesting

    I can understand spreading the fact that the exploit exists. I could maybe argue whether or not you should spread info on the exploit. I can barely see why one would make an example exploit.

    But why would someone make a program specifically designed to make an undetectable/untraceable version of the exploit?

    I can only see harm coming from this.

    And I'm sorry, but "because it's there" doesn't work when you know there's only negative outcomes of what you do.

    --
    http://lkml.org/lkml/2005/8/20/95
    1. Re:why would they do this? by drachen · · Score: 2, Insightful
      They do it to show what can be done with a flaw such as this. The people who we really have to worry about can (and probably have) already come up with other ways of crafting exploits around this bug that we aren't likely to find out about until after the major exploits come out. And the people we really have to worry about aren't going to make major exploits at all, but use it to exploit machines with potentially sensitive information (such as your personal information).

      Until Microsoft fixes the problem, publishing information such as that linked in the post above helps those of us who have to actually secure machines. True, it might result in more end-user Windows PCs being exploited, but at least we can figure out how to protect the computers that must be secure.

      The information may help the "bad guys" but it's not anything they couldn't have come up with themselves. "Because it's there" isn't the reason.

  25. Best WMF Mitigation Strategy by Heembo · · Score: 3, Informative

    From http://isc.sans.org/diary.php?rss&storyid=994 :

    1. Microsoft has not yet released a patch. An unofficial patch was made available by Ilfak Guilfanov. http://handlers.sans.org/tliston/wmffix_hexblog13.exe Our own Tom Liston reviewed the patch and we tested it. The reviewed and tested version is available here (now at v1.3, MD5: 14d8c937d97572deb9cb07297a87e62a). THANKS to Ilfak Guilfanov for providing the patch!!
    2. You can unregister the related DLL.
    3. Virus checkers provide some protection.

    To unregister the DLL:

    * Click Start, click Run, type "regsvr32 -u %windir%\system32\shimgvw.dll" (without the quotation marks), and then click OK.
    * A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.

    --
    Horns are really just a broken halo.
  26. Re:so... by Geoffreyerffoeg · · Score: 2, Interesting

    Out of curiosity, where's the documentation that describes this? I was thinking of writing a WMF that pops up a window saying "Warning, you haven't patched the WMF vulnerability. I was able to open this window on your computer by simply loading a picture. Imagine if this had been a virus too. Click here to download the fix - and here's why you should trust that guy."

  27. Re:so... by FhnuZoag · · Score: 2, Insightful

    Jesus freaking Christ...

    Worse is that implanting this thing doesn't even need ownership of a site. If a site allows tags, an anonymous commenter, forum poster or anything can drop an infected file on it, and screw over every IE user that visits. I don't know if it is possible, but imagine if someone adds an infected file to the Main Page of Wikipedia...

  28. Re:Seen this on porn sites by Mixel · · Score: 2, Informative

    Dude, you don't have to click 'open'. On Bugtraq it has been reported that this thing runs itself quite happily in an IFRAME.

  29. Re:Yet another fine reason... by (-hrair-) · · Score: 2, Interesting

    Completely agreed. It also shows something of a lack of effort on Microsoft's part. I believe that the problem has still not been fixed with an official patch (others have to do the dirty work) and I think the vulnerability was known about four days ago! That is unheard of on open source systems because their creators aren't busy marketing the newest XBox game. I recommend gaim or naim (if you don't mind console) for AIM and everything. I hear Trillian is good but have not gotten around to trying it yet. I believe it is for Windows, no? Probably has better protection against this stuff than MSN does though (that doesn't say too much...) (-hrair-)

    --
    Beware of the shining wires...
  30. Can IM/RSS clients download automatically? by mosel-saar-ruwer · · Score: 3, Insightful

    I have seen in the past week our work increase 5 fold because of this exploit. What is normally a very slow time of the year for us has become very busy for us and it's making me nervous myself.

    I know next to nothing about IM/RSS software, so I am just speculating here.

    But suppose you had some IM/RSS client [MSN, AOL, Yahoo, whatever] that had an image rendering aspect to it. For example, suppose your IM/RSS client were capable of rendering the JPGs in an HTML message.

    Then it seems to me that if you had such an IM/RSS client running on your desktop, and if someone knew your IM/RSS handle, then they could send you an IM/RSS message with very elementary instructions for downloading the evil file:

    <img src="http://blackhats.com/evilfile.jpg">
    and you'd be hosed without ever having clicked on any link. And if the worm were really smart, it could then install "thttpd" trivial http daemons to spread itself internally on any corporate network [via each person's IM/RSS "address book"].

    If that's true, and if lots of employees left their computers running and logged into windows with such "automatic" IM/RSS clients running on the desktop, then Tuesday or Wednesday morning [or whenever people decide to come back from their New Year's vacation], there could be literally MILLIONS of infected machines.

    So the question: Are there IM/RSS clients that can download files automatically?

  31. Re:"because it's there" doesn't cut it... by drachen · · Score: 3, Interesting
    Apparently the attackers aren't awesome programmers because history has shown that the real danger comes after a sample exploit is made, not when the info becomes known.

    Apparently you fail to realize this was a 0-day exploit. That is, there were people already exploiting this flaw before anyone else found out about it. Because they didn't release their source code do you feel safer by this? So your argument that the attackers aren't "awesome programmers" is completely worthless because these attackers found and wrote the original exploit code to begin with. We don't know how long this flaw may have been used in the wild before this one was found. Some "awesome programmers" could've been using this flaw years ago to break into networks. Re-read my original reply.

    Now some people who happen to have analyzed that exploit figured out just exactly how serious this flaw is and what could be done with it if it's not fixed.

    A simple explanation is plenty.

    So you're saying that if all the attackers have is a simple explanation that they wouldn't be able to write code based upon that explanation? Yeah right. The people who wrote these sample exploits didn't even have that to begin with and look at what they've been able to come up with. The people ("attackers") who wrote the originally known exploit didn't need a simple explanation either.

    So now virus scan writers and IDS maintainers, etc, now have a LOT more information for how to defend against this particular threat. A simple explanation isn't sufficient. Now scanners and IDS can use these discovered methods to improve detection and prevention of exploitation of this flaw.

    Again, I just don't see why someone would need to make the most evil version of this possible and distribute the source code.

    Well, I can't explain it any clearer. You're using the "security through obscurity" argument that history has shown to be insufficient for protecting our computers and networks.

  32. Re:so... by borderpatrol · · Score: 2, Interesting

    Older versions of FF will open it natively. (pre 1.0 I believe) Newer versions of FF and Opera will pull it up but will ask if you'd like to open the image with MS Picture and Fax Viewer or whatever associated program. If you click no, you should be safe. If you click yes, you're infected. If this thing gets stored on your HDD or your cache somewhere though, the mere act of single-clicking on the file or even the folder in some cases can trigger it. And if you have Google Desktop Search installed, Google will index and execute the code as soon as it hits the drive. Some DOS boxes are getting infected this way even.

    --
    Yeah I've been starving them, teasing them, singing off key. Me may mah mo, me mo ma me.
  33. Questions re: vulnerability by Anonymous Coward · · Score: 2, Interesting
    If I rename a malicious .WMF as a .JPG, and display it as an <IMG> on a website, will IE execute the WMF, or will the JPG just not work?

    JPG, PNG, GIF etc. all have headers that should surely be checked before displaying the picture. Does IE not do this?

    In short, do I have to actively click an "Open this file" dialog on the browser?

    1. Re:Questions re: vulnerability by m50d · · Score: 2, Informative
      If I rename a malicious .WMF as a .JPG, and display it as an <IMG> on a website, will IE execute the WMF, or will the JPG just not work?

      Without actually knowing I'm pretty sure it'll work. The exploit can work through an image displayed on a webpage and work through a renamed image, so I don't see any reason it wouldn't work with both.

      JPG, PNG, GIF etc. all have headers that should surely be checked before displaying the picture. Does IE not do this?

      The MIME type the webserver gave (which will presumably be application/x-wmf) should take priority over the extension anyway, and I believe IE's approach is "It claims to be an image of some sort, so call the image rendering library".

      In short, do I have to actively click an "Open this file" dialog on the browser?

      No.

      --
      I am trolling
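As an added, defender-side example (not code from any poster here, nor from Microsoft, SANS or Slashdot): the header check that comment 33 asks about, which comment 9's "no .wmf extension" bullet makes necessary, for a mail gateway, proxy or upload handler that must decide what an "image" really is. It classifies a file by its leading bytes using the public MS-WMF header layout (placeable key 0x9AC6CDD7, or Type/HeaderSize/Version of 1-or-2/9/0x0100-or-0x0300) and flags a WMF that arrives under a JPG, PNG or GIF name or Content-Type. File names, Content-Types and the sample files are constructed for the demonstration.

```python
"""Content-based image type check: flags files whose bytes say WMF while the
file name or Content-Type says JPEG/PNG/GIF.  Added example, not from the thread."""
import struct

# Magic values from the public format specs (MS-WMF, JPEG/JFIF, PNG, GIF).
PLACEABLE_WMF_KEY = 0x9AC6CDD7            # Aldus placeable metafile header key (LE uint32)
WMF_TYPES = {0x0001, 0x0002}              # MEMORYMETAFILE, DISKMETAFILE
WMF_HEADER_WORDS = 9                      # META_HEADER size in 16-bit words
WMF_VERSIONS = {0x0100, 0x0300}           # METAVERSION100, METAVERSION300

EXT_TO_TYPE = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png", "gif": "gif", "wmf": "wmf"}
CT_TO_TYPE = {"image/jpeg": "jpeg", "image/png": "png", "image/gif": "gif",
              "image/x-wmf": "wmf", "application/x-msmetafile": "wmf"}


def _is_wmf(data: bytes) -> bool:
    """True if the buffer starts with a placeable or a standard WMF header."""
    if len(data) >= 4 and struct.unpack("<I", data[:4])[0] == PLACEABLE_WMF_KEY:
        return True
    if len(data) >= 6:
        mtype, hsize, version = struct.unpack("<HHH", data[:6])
        return mtype in WMF_TYPES and hsize == WMF_HEADER_WORDS and version in WMF_VERSIONS
    return False


def sniff_image(data: bytes) -> str:
    """Classify by content only: 'jpeg', 'png', 'gif', 'wmf' or 'unknown'."""
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        return "png"
    if data.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "gif"
    if _is_wmf(data):
        return "wmf"
    return "unknown"


def assess(filename: str, data: bytes, content_type: str = "") -> dict:
    """Compare the sniffed type with what the name and Content-Type claim.
    'disguised' is set when the bytes are WMF but nothing admitted to that."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claimed_ext = EXT_TO_TYPE.get(ext)
    claimed_ct = CT_TO_TYPE.get(content_type.split(";")[0].strip().lower())
    actual = sniff_image(data)
    return {
        "file": filename,
        "actual": actual,
        "claimed_by_extension": claimed_ext,
        "claimed_by_content_type": claimed_ct,
        "is_wmf": actual == "wmf",
        "disguised": actual == "wmf" and "wmf" not in (claimed_ext, claimed_ct),
    }


# Constructed samples: a harmless WMF whose only record is META_EOF, once as a
# plain metafile and once behind a placeable header; plus real JPEG/PNG prefixes.
_STD_WMF = (struct.pack("<HHHIHIH", 1, WMF_HEADER_WORDS, 0x0300, 12, 0, 3, 0)
            + struct.pack("<IH", 3, 0x0000))          # META_EOF record


def _placeable(body: bytes) -> bytes:
    hdr = struct.pack("<IHhhhhHI", PLACEABLE_WMF_KEY, 0, 0, 0, 100, 100, 96, 0)
    checksum = 0
    for word in struct.unpack("<10H", hdr):            # XOR of the first ten words
        checksum ^= word
    return hdr + struct.pack("<H", checksum) + body


SAMPLES = {
    "holiday.jpg":  (_placeable(_STD_WMF), "image/jpeg"),   # WMF disguised as JPEG
    "banner.gif":   (_STD_WMF, "image/gif"),                # plain WMF under a GIF name
    "photo.jpg":    (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00", "image/jpeg"),
    "logo.png":     (b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR", "image/png"),
    "chart.wmf":    (_STD_WMF, "application/x-msmetafile"),  # honest WMF, not disguised
}


def scan_samples() -> dict:
    """Run assess() over the constructed samples, keyed by file name."""
    return {name: assess(name, data, ct) for name, (data, ct) in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        flag = "DISGUISED WMF" if verdict["disguised"] else verdict["actual"]
        print(f"{name:14s} -> {flag}")
```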