New Windows exploit in the wild - can infect PCs by viewing an embedded image - UPDATE - PATCH OUT NOW!

MrBond

Diamond Member
Feb 5, 2000
9,911
0
76
Microsoft has issued the official patch 5 days early!

Go here to download it:

http://www.microsoft.com/technet/security/bulletin/ms06-jan.mspx

I posted this in OT earlier - the Mods suggested I also post it here:

Link here:

http://www.securityfocus.com/brief/89

Basically it uses files with the Windows Metafile format to infect a computer. All you have to do is view a webpage with the image on it or access an infected image on your computer. For IE users, it will infect them automatically, since IE displays the images natively. Firefox will not display the image but will cache it, so if you mouseover/click/open the image from the cache, you will be infected.

There are reports of it downloading spyware, trojans, etc. There is no fix available from MS at this time.

Virus scanners should be updating themselves to detect this threat. NOD32 trial version already can, so if you don't have a virus scanner, get it here:

http://www.eset.com/download/trial.htm

Other things you can do are to avoid shady websites that might exploit this (although there are reports of it showing up on eBay auctions and MySpace pages). Run an alternative browser, such as Firefox or Opera. Turn off programs such as Google's Desktop Search, that index files on your computer. An infected WMF file just being indexed by such programs is enough to infect your PC. Avoid image searching. Update Windows regularly. This one is bad enough that MS should patch it pretty quick - but you never know.

I'll also link the SomethingAwful forums thread about this - I'm not sure if the Software forum there is open for public viewing or not (someone tell me if it isn't), but there's some good info there about this exploit as well:

http://forums.somethingawful.com/showthread.php?s=&threadid=1759573

-----------------------------------
I will leave this as a sticky for a while or until Microsoft issues a patch

AnandTech Moderator


Edit: Here's a good thread with more info from mechBgon:

http://forums.anandtech.com/messageview.aspx?catid=38&threadid=1770474
 

mechBgon

Super Moderator
Elite Member
Oct 31, 1999
30,699
1
0
Also, if you have WindowsXP with Service Pack 2, enable Data Execution Prevention for all software. Right-click My Computer, choose Properties, and do this: http://www.mechbgon.com/build/DEP.gif Microsoft's initial bulletin says this will mitigate the threat.

And yeah, update antivirus signatures. If you haven't done so already, enable your antivirus software's Heuristic detections. Symantec/Norton products apparently detect this stuff heuristically with the latest definitions, if you've got Heuristics enabled on your real-time protection. To update Symantec/Norton antivirus with today's defs, run the Intelligent Updater found on this page.
 

MrBond

Diamond Member
Feb 5, 2000
9,911
0
76
Here is something posted in F-Secure's Web blog:
Un-register the Windows Picture and Fax Viewer (Shimgvw.dll)

1. Click Start, click Run, type "regsvr32 -u %windir%\system32\shimgvw.dll"
(without the quotation marks), and then click OK.

2. A dialog box appears to confirm that the un-registration process has succeeded.
Click OK to close the dialog box.

Impact of Workaround: The Windows Picture and Fax Viewer will no longer be started
when users click on a link to an image type that is associated with the Windows Picture and Fax Viewer.

To undo this change, re-register Shimgvw.dll by following the above steps.
Replace the text in Step 1 with "regsvr32 %windir%\system32\shimgvw.dll" (without the quotation marks).

This workaround is better than just trying to filter files with a WMF extension. There are methods where files with other image extensions (such as BMP, GIF, PNG, JPG, JPEG, JPE, JFIF, DIB, RLE, EMF, TIF, TIFF or ICO) could be used to exploit a vulnerable machine.
I just did this as a precaution.
 

mechBgon

Super Moderator
Elite Member
Oct 31, 1999
30,699
1
0
I enabled full DEP (well, ok, I did that a long time ago ;)), am using a Limited user account, and set a Software Restriction Policy which defaults to Disallowed except for Admins.

And up-to-date antivirus software of course. Bad guys, take your best shot. :evil:
 

xtknight

Elite Member
Oct 15, 2004
12,974
0
71
Everyone should have had full DEP on to start with. You can add exceptions if certain badly-coded software you need to run crashes.
 

Unkno

Golden Member
Jun 16, 2005
1,659
0
0
Reading this post just made me more happy....good old NOD32, beats Norton any day!
 

n7

Elite Member
Jan 4, 2004
21,281
4
81
And once again, avoiding use of IE = teh win, or at least somewhat...
 

mechBgon

Super Moderator
Elite Member
Oct 31, 1999
30,699
1
0
Originally posted by: n7
And once again, avoiding use of IE = teh win, or at least somewhat...
This is a Windows vulnerability. People can be infected with no browser at all, or with Opera, or with older versions of Firefox (the newer ones have a bug that makes WMF files open in Windows Media Player, or they'd probably be vulnerable too). Save the anti-IE stuff for a better time ;)
 

Unkno

Golden Member
Jun 16, 2005
1,659
0
0
actually, according to an article, firefox users won't get infected, they only get infected if they save/download the image onto the pc, but not by viewing it unlike IE
 

mechBgon

Super Moderator
Elite Member
Oct 31, 1999
30,699
1
0
Originally posted by: Unkno
actually, according to an article, firefox users won't get infected, they only get infected if they save/download the image onto the pc, but not by viewing it unlike IE
It's always great fun to sling mud at one's least-favorite browser, but it's not the real solution here. How will Firefox or any other browser defend you when this gets adapted into an IM worm, or a P2P worm? Eh? ;) How about if we address the problem.

Until a patch has been issued, it looks to me like the best defense is to unregister the vulnerable application (edit: if you have WinXP, anyway), at which point IE is going to be as safe from this threat as any other program you care to mention. To unregister it, click Start > Run and use this command:

regsvr32 -u %windir%\system32\shimgvw.dll

Once the vulnerability is patched, run this command to undo this change:

regsvr32 %windir%\system32\shimgvw.dll
 

stash

Diamond Member
Jun 22, 2000
5,468
0
0
Unregistering the dll is not a valid mitigation for Windows 2000, and while it will mitigate on XP and 2003, it is pretty easy for the exploit to re-register it.
 

mechBgon

Super Moderator
Elite Member
Oct 31, 1999
30,699
1
0
Originally posted by: STaSh
Unregistering the dll is not a valid mitigation for Windows 2000, and while it will mitigate on XP and 2003, it is pretty easy for the exploit to re-register it.
Suggested mitigation actions for Win2000, if any? Our antivirus software should handle it (famous last words) but I'd rather that's not the only line of defense. Also, there are conflicting reports as to whether the exploit gains just the user's privilege level, or SYSTEM-level. :confused:

 

stash

Diamond Member
Jun 22, 2000
5,468
0
0
The exploit runs under the context of the user who executes the code. All other reports are false.

The only mitigation for 2000 that I'm aware of is to run with a regular user account. This of course also goes for the other OSs (except 98 and ME, unfortunately).

The latest revision of the Microsoft bulletin (version 3) was posted tonight: http://www.microsoft.com/technet/security/advisory/912840.mspx
 

mechBgon

Super Moderator
Elite Member
Oct 31, 1999
30,699
1
0
Thanks STaSh, I was just reading that latest revision before heading home.

[aside]

It seems they still haven't quite got it right... an attacker would have no way to force me to visit an infectious site, but what if I was already going to go there. If a normally-safe site has a rogue advertiser, as mentioned on Sunbelt's blog, then no luring is required. edit: admittedly, I wouldn't think of wallpapers4u dot com as a "normally-safe site" :Q

[/aside]


Anyway, all our users are Restricted Users, me included, so that's at least something. Kaspersky's blog claims that some exploits are being particularly targeted at Limited/Restricted users, and not to be overconfident. I have one user who has to fetch unfiltered, unscanned email from an outside server, and thanks to a tip here the other day regarding Software Restriction Policies, she now has a shiny new local SRP preventing execution of stuff from her profile :beer: and so do I. Now if only I had an AD domain so I could do this once, instead of 65 times... :(
 

mechBgon

Super Moderator
Elite Member
Oct 31, 1999
30,699
1
0
F-Secure reports on their blog that a new no-brainer tool has been made public so ANYONE can make their very own WMF exploit :roll:

McAfee reports that the new make-a-'sploit tool has been used to distribute a spam email containing the file HappyNewYear.jpg, which is really a .WMF. McAfee users need the 4664 DATs (available tomorrow around 10AM, at least for corporate users) and 4400 engine for detection of exploits made with the new tool. McAfee's updated info on Exploit-WMF is here.
 

stash

Diamond Member
Jun 22, 2000
5,468
0
0
Installing a 'patch' for a Microsoft vulnerability from some random 'good samaritan' on the Internet is incredibly stupid.
 

mechBgon

Super Moderator
Elite Member
Oct 31, 1999
30,699
1
0
Originally posted by: STaSh
Installing a 'patch' for a Microsoft vulnerability from some random 'good samaritan' on the Internet is incredibly stupid.
I would usually think the same, but if F-Secure and the Internet Storm Center are saying they took it apart and checked it over under a microscope...? What do you see as the risk, that Windows computers on auto-update will patch themselves and have complications because the unofficial patch was not removed first?

F-Secure
Now, we wouldn't normally blog about a security patch that is not coming from the original vendor. But Ilfak Guilfanov isn't just anybody. He's the main author of IDA (Interactive Disassembler Pro) and is arguably one of the best low-level Windows experts in the world.

SANS
Note: Tom has taken this thing apart and looked at it very, very closely. It does exactly what it advertises and nothing more. The wmfhotfix.dll will be injected into any process loading user32.dll. It then will then patch (in memory) gdi32.dll's Escape() function so that it ignores any call using the SETABORTPROC (ie. 0x09) parameter. This should allow for Windows to display WMF files normally while still blocking the exploit. We want to give a huge thanks to Ilfak Guilfanov for building this and for allowing us to host and distribute it.

Other suggestions are certainly welcomed! Just unregistering the WP&FV doesn't do the job, according to firsthand reports from the security blogs. Hardware DEP doesn't always work, even if I magically had an all-WinXP Athlon64 fleet when I arrived at work. Antivirus signatures don't always work. Kaspersky Lab says that Limited/Restricted-User accounts alone won't always work. Microsoft's patch will undoubtedly work great, but it might be a bit like FEMA's response to Katrina/New Orleans. Throw me a life preserver, not an anchor.

btw I have a WinNT 4.0 domain with mostly Win2000 Pro workstations, no ability to use local Software Restriction Policy on them (although I did employ SRP for the few WinXP rigs I've got). The only DEP-equipped processor on the premises is my personally-owned A64 X2. I'm making a fleet of custom VirusScan Enterprise 8.0i behavior-blocking rules to block the most obvious approaches.
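Two points in the thread above are worth seeing in code: the F-Secure note that a WMF can hide behind any image extension (so filtering on ".wmf" is useless), and the SANS description of the hotfix blocking Escape() calls with SETABORTPROC (0x09). The following is an added example, not code from the thread, from Microsoft or from Ilfak Guilfanov: a content-based scanner that identifies a WMF by its METAHEADER regardless of file name, walks the records, and reports any META_ESCAPE record whose sub-function is SETABORTPROC, tolerating a bogus record-size field. The record layout (placeable key 0x9AC6CDD7, 18-byte METAHEADER, META_ESCAPE = 0x0626, META_EOF = 0x0000) comes from the public WMF format; the sample files are constructed in the block.

```python
import struct

PLACEABLE_KEY = 0x9AC6CDD7   # magic of the optional 22-byte placeable header
META_ESCAPE = 0x0626         # record function that reaches GDI's Escape()
META_EOF = 0x0000
SETABORTPROC = 0x0009        # the escape sub-function the exploit abuses
def _header_offset(data):
    """Skip the placeable header if present; returns offset of the METAHEADER."""
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        return 22
    return 0
def is_wmf(data):
    """Content sniff (extension is ignored): METAHEADER type 1 or 2 and 9 header words."""
    off = _header_offset(data)
    if len(data) < off + 18:
        return False
    mtype, hdr_words = struct.unpack_from("<HH", data, off)
    return mtype in (1, 2) and hdr_words == 9

def wmf_records(data):
    """Yield (offset, function) per record: 4-byte size in words, 2-byte function, params.
    A bogus size field does not hide the record; walking just stops after it."""
    if not is_wmf(data):
        return
    off = _header_offset(data) + 18
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        yield off, func
        if func == META_EOF or size_words < 3:
            return
        off += size_words * 2
def find_setabortproc(data):
    """Offsets of META_ESCAPE records whose escape sub-function is SETABORTPROC."""
    hits = []
    for off, func in wmf_records(data):
        if func == META_ESCAPE and off + 8 <= len(data):
            if struct.unpack_from("<H", data, off + 6)[0] == SETABORTPROC:
                hits.append(off)
    return hits
def build_wmf(records):
    """Constructed helper for test input: wrap (function, params) pairs in a minimal disk metafile."""
    body = b"".join(struct.pack("<IH", (6 + len(p)) // 2, f) + p for f, p in records)
    body += struct.pack("<IH", 3, META_EOF)
    max_rec = max([3] + [(6 + len(p)) // 2 for _, p in records])
    return struct.pack("<HHHIHIH", 2, 9, 0x0300, (18 + len(body)) // 2, 0, max_rec, 0) + body

# Constructed samples: a harmless SETBKCOLOR record, and an Escape(SETABORTPROC) record with an empty payload.
BENIGN = build_wmf([(0x0201, struct.pack("<I", 0x00FFFFFF))])
SUSPECT_JPG = build_wmf([(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 0))])
```

Run `find_setabortproc(open(path, "rb").read())` over a mail attachment or browser cache directory to flag files worth quarantining; a file named .jpg that parses as a metafile is itself suspicious.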