~ U P D A T E :     P A T C H   N O W.  Official patch links inside for Windows MetaFile Exploit ~~~~~~


yhelothar

Lifer
Dec 11, 2002
18,409
39
91
This bug was somehow automatically embedded in a company commerce website I worked on. Someone edited the main page and added a line of code that automatically downloads the file that opens up the picture viewer.
 

WT

Diamond Member
Sep 21, 2000
4,816
60
91
Link to Mech's Limited account workarounds needs a /Build subfolder added to the link to make it work. Thanks for the info as well on a very thorough post.
 

firewall

Platinum Member
Oct 11, 2001
2,099
0
0
Ah, so the thread is now in OT as a stickie. Good. This is a very important security lapse which has a great potential to spread.
 

mechBgon

Super Moderator / Elite Member
Oct 31, 1999
30,699
1
0
Thanks WT, got the link fixed :eek:

Thanks Pabster, NOD32 is now on the list, as is F-Secure :beer:

virtualgames0: yikes! :shocked: Great way to start the Monday, huh?!

TomH, I added the Windows Live Safety Center as a resource. Although it doesn't provide real-time protection, it gives people a second antivirus scanner to supplement their regular one if they're trying to disinfect a system after an attack.

 

ViRGE

Elite Member, Moderator Emeritus
Oct 9, 1999
31,516
167
106
Originally posted by: DaFinn
ATT:
New data seems to indicate that shimgvw.dll is not the vulnerable file, as systems where it has been unregistered and deleted have been infected.
The vulnerable file seems to be gdi32.dll.
That's already known. Shimgvw is unregistered because it's one of the easiest and most likely vectors of attack (i.e. you can't directly open a WMF file without it).
 
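An added example, not code from Microsoft, from Ilfak Guilfanov's hotfix or from any poster in this thread: a small Python scanner that walks a WMF file's record stream and flags the Escape record that asks for SETABORTPROC, which is the record the gdi32.dll WMF flaw is reached through and the one the early antivirus and IDS signatures keyed on. That is also why unregistering shimgvw.dll only closes one viewer: the record is parsed by gdi32.dll, which any application that plays a metafile calls into. The header and record layout are taken from the public Windows Metafile format; the two sample files are constructed inline and carry no payload (the escape data is eight zero bytes), so the script runs offline.

```python
"""Walk a WMF record stream and flag Escape records that request SETABORTPROC.

Added example for this thread, not code from Microsoft, from the unofficial
hotfix or from any poster. Header and record layout follow the public Windows
Metafile format. The record it looks for (META_ESCAPE with escape function
SETABORTPROC, 0x0009) is the one the gdi32.dll WMF flaw is triggered through.
Both sample files below are constructed here and carry no payload.
"""
import struct

PLACEABLE_MAGIC = 0x9AC6CDD7    # optional 22-byte "placeable" (Aldus APM) header
META_EOF = 0x0000
META_SETMAPMODE = 0x0103
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009
MFCOMMENT = 0x000F              # a harmless escape function, for contrast


def iter_records(data: bytes):
    """Yield (offset, function, params) per record; params is None when the
    size field is malformed (a conforming parser stops there)."""
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        off = 22                                   # skip the placeable header
    if len(data) < off + 18:
        raise ValueError("truncated META_HEADER")
    header_words = struct.unpack_from("<H", data, off + 2)[0]   # HeaderSize, in WORDs
    off += header_words * 2
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)  # RecordSize, RecordFunction
        rec_len = size_words * 2
        if rec_len < 6 or off + rec_len > len(data):
            yield off, func, None
            return
        yield off, func, data[off + 6:off + rec_len]
        if func == META_EOF:
            return
        off += rec_len


def find_setabortproc(data: bytes):
    """Return [(offset, escape_data), ...] for every SETABORTPROC escape record."""
    hits = []
    for off, func, params in iter_records(data):
        if func == META_ESCAPE and params is not None and len(params) >= 4:
            escape_fn, byte_count = struct.unpack_from("<HH", params, 0)
            if escape_fn == SETABORTPROC:
                hits.append((off, params[4:4 + byte_count]))
    return hits


# --- constructed sample files (no exploit content) --------------------------

def record(func: int, params: bytes = b"") -> bytes:
    """Encode one WMF record: DWORD size in WORDs, WORD function, parameters."""
    if len(params) % 2:
        params += b"\x00"                          # records are WORD-aligned
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def escape(escape_fn: int, payload: bytes) -> bytes:
    """META_ESCAPE record: WORD EscapeFunction, WORD ByteCount, EscapeData."""
    return record(META_ESCAPE, struct.pack("<HH", escape_fn, len(payload)) + payload)


def build_wmf(records: list) -> bytes:
    """Minimal disk metafile (Type=2): 18-byte META_HEADER followed by records."""
    body = b"".join(records)
    max_record = max(len(r) for r in records) // 2
    header = struct.pack("<HHHIHIH",
                         2,                        # Type: disk metafile
                         9,                        # HeaderSize in WORDs
                         0x0300,                   # Version
                         (18 + len(body)) // 2,    # Size in WORDs
                         0,                        # NumberOfObjects
                         max_record,               # MaxRecord in WORDs
                         0)                        # NumberOfMembers (reserved)
    return header + body


BENIGN = build_wmf([
    record(META_SETMAPMODE, struct.pack("<H", 8)),   # MM_ANISOTROPIC
    escape(MFCOMMENT, b"comment"),                   # ordinary escape, not flagged
    record(META_EOF),
])

SUSPECT = build_wmf([
    record(META_SETMAPMODE, struct.pack("<H", 8)),
    escape(SETABORTPROC, b"\x00" * 8),               # placeholder data, not a payload
    record(META_EOF),
])

if __name__ == "__main__":
    for name, blob in (("benign.wmf", BENIGN), ("suspect.wmf", SUSPECT)):
        hits = find_setabortproc(blob)
        print(f"{name}: {len(hits)} SETABORTPROC escape record(s)", hits)
```

Point `find_setabortproc` at the bytes of any WMF you want to check; a hit is a strong indicator but not proof, since a legitimate print-spooling metafile can also carry SETABORTPROC, and the scanner deliberately stops at the first record whose size field runs past the file rather than guessing, because that is where a real parser would fail too.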

amol

Lifer
Jul 8, 2001
11,680
3
81
Argh, I think the next time I reformat, I'm going to install Linux.

Or how about a Linux/XP dual boot? I'll use Linux for everyday stuff and XP offline for games and other stuff.
 

SagaLore

Elite Member
Dec 18, 2001
24,036
21
81
Originally posted by: Amol
Argh, I think the next time I reformat, I'm going to install Linux.

Or how about a Linux/XP dual boot? I'll use Linux for everyday stuff and XP offline for games and other stuff.

Consider creating a restricted user account in XP that you use regularly, with a dedicated Admin account only for installs, patches, and setting changes.
 

Medea

Golden Member
Dec 5, 2000
1,606
0
0
Originally posted by: SagaLore
Consider creating a restricted user account in XP that you use regularly, with a dedicated Admin account only for installs, patches, and setting changes.

:thumbsup: This is how I've got it set up. For XP Home, you have to create a second administrative account since the default one is hidden except in Safe Mode. That way, you can switch back and forth for the installs, etc.

 

SagaLore

Elite Member
Dec 18, 2001
24,036
21
81
Originally posted by: Medea
Originally posted by: SagaLore
Consider creating a restricted user account in XP that you use regularly, with a dedicated Admin account only for installs, patches, and setting changes.

:thumbsup: This is how I've got it set up. For XP Home, you have to create a second administrative account since the default one is hidden except in Safe Mode. That way, you can switch back and forth for the installs, etc.

Actually, you don't have to switch, you can use RunAs on the fly. :)
 

Chunkee

Lifer
Jul 28, 2002
10,391
1
81
Anyone use the patch that was developed and linked in this thread?

I have installed it without any issues

jC
 

Medea

Golden Member
Dec 5, 2000
1,606
0
0
Originally posted by: Chunkee
Anyone use the patch that was developed and linked in this thread?

I have installed it without any issues

Yep. Installed it yesterday - no problems, running fine.

 

meltdown75

Lifer
Nov 17, 2004
37,548
7
81
Awesome post. Thanks mechBgon, I'll be reviewing this in detail when I get home later. :beer: :)
 

isasir

Diamond Member
Aug 8, 2000
8,609
0
0
Any mirrors for Ilfak Guilfanov's site? It's timing out when I try and access it.
 

SagaLore

Elite Member
Dec 18, 2001
24,036
21
81
Originally posted by: isasir
Any mirrors for Ilfak Guilfanov's site? It's timing out when I try and access it.

I emailed him, I think I have the right address. Maybe he'll let me mirror it.
 

firewall

Platinum Member
Oct 11, 2001
2,099
0
0
Microsoft Security Advisory (912840)

Just got it in my mailbox.

Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution.
Published: December 28, 2005 | Updated: January 3, 2006

On Tuesday, December 27, 2005, Microsoft became aware of public reports of malicious attacks on some customers involving a previously unknown security vulnerability in the Windows Meta File (WMF) code area in the Windows platform.

Upon learning of the attacks, Microsoft mobilized under its Software Security Incident Response Process (SSIRP) to analyze the attack, assess its scope, define an engineering plan, and determine the appropriate guidance for customers, as well as to engage with anti-virus partners and law enforcement.

Microsoft confirmed the technical details of the attack on December 28, 2005 and immediately began developing a security update for the WMF vulnerability on an expedited track.

Microsoft has completed development of the security update for the vulnerability. The security update is now being localized and tested to ensure quality and application compatibility. Microsoft's goal is to release the update on Tuesday, January 10, 2006, as part of its monthly release of security bulletins. This release is predicated on successful completion of quality testing.

The update will be released worldwide simultaneously in 23 languages for all affected versions of Windows once it passes a series of rigorous testing procedures. It will be available on Microsoft's Download Center, as well as through Microsoft Update and Windows Update. Customers who use Windows' Automatic Updates feature will be delivered the fix automatically.

Based on strong customer feedback, all Microsoft's security updates must pass a series of quality tests, including testing by third parties, to assure customers that they can be deployed effectively in all languages and for all versions of the Windows platform with minimum down time.

Microsoft has been carefully monitoring the attempted exploitation of the WMF vulnerability since it became public last week, through its own forensic capabilities and through partnerships within the industry and law enforcement. Although the issue is serious and malicious attacks are being attempted, Microsoft's intelligence sources indicate that the scope of the attacks is not widespread.

In addition, anti-virus companies indicate that attacks based on exploiting the WMF vulnerability are being effectively mitigated through up-to-date signatures.

Customers are encouraged to keep their anti-virus software up-to-date. The Microsoft Windows AntiSpyware (Beta) can also help protect your system from spyware and other potentially unwanted software. Customers can also visit Windows Live Safety Center and are encouraged to use the Complete Scan option to check for and remove malicious software that takes advantage of this vulnerability. We will continue to investigate these public reports.

If you are a Windows OneCare user and your current status is green, you are already protected from known malware that uses this vulnerability to attempt to attack systems.

Customers who follow safe browsing best practices are not likely to be compromised by any exploitation of the WMF vulnerability. Users should take care not to visit unfamiliar or un-trusted Web sites that could potentially host the malicious code.

Microsoft encourages users to exercise caution when they open e-mail and links in e-mail from untrusted sources. While we have not encountered any situation in which simply opening an email can result in attack, clicking on a link in an email could result in navigation to a malicious site. For more information about Safe Browsing, visit the Trustworthy Computing Web site.

Microsoft considers the intentional use of exploit code, in any form, to cause damage to computer users to be a criminal offense. Accordingly, we continue to work closely with our anti-virus partners and we are assisting law enforcement with its investigation of the attacks in this case. Customers who believe they have been attacked should contact their local FBI office or post their complaint on the Internet Fraud Complaint Center Web site. Customers outside the U.S. should contact the national law enforcement agency in their country.

We continue to encourage customers to follow our Protect Your PC guidance of enabling a firewall, applying software updates and installing antivirus software. Customers can learn more about these steps at the Protect Your PC Web site. The Microsoft Windows AntiSpyware (Beta) can also help protect your system from spyware and other potentially unwanted software.

Customers who believe they may have been affected by this issue can also contact Product Support Services. You can contact Product Support Services in the United States and Canada at no charge using the PC Safety line (1 866-PCSAFETY). Customers outside of the United States and Canada can locate the number for no-charge virus support by visiting the Microsoft Help and Support Web site.

Mitigating Factors:

- In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's Web site.

- In an E-mail based attack involving the current exploit, customers would have to be persuaded to click on a link within a malicious e-mail or open an attachment that exploited the vulnerability. At this point, no attachment has been identified in which a user can be attacked simply by reading mail.

- An attacker who successfully exploited this vulnerability could only gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

- By default, Internet Explorer on Windows Server 2003, on Windows Server 2003 Service Pack 1, on Windows Server 2003 with Service Pack 1 for Itanium-based Systems, and on Windows Server 2003 x64 Edition runs in a restricted mode that is known as Enhanced Security Configuration. This mode mitigates this vulnerability where the e-mail vector is concerned, although clicking on a link would still put users at risk. In Windows Server 2003, Microsoft Outlook Express uses plain text for reading and sending messages by default. When replying to an e-mail message that is sent in another format, the response is formatted in plain text. See the FAQ section of this vulnerability for more information about Internet Explorer Enhanced Security Configuration.

Use the advisory link to see the links in the actual article.
 

amol

Lifer
Jul 8, 2001
11,680
3
81
Originally posted by: SagaLore
Originally posted by: Amol
Argh, I think the next time I reformat, I'm going to install Linux.

Or how about a Linux/XP dual boot? I'll use Linux for everyday stuff and XP offline for games and other stuff.

Consider creating a restricted user account in XP that you use regularly, with a dedicated Admin account only for installs, patches, and setting changes.

I am, I'm just sick of having to do this just because Windows has so many flaws in it that are easy for hackers to take advantage of. And they're not even going to have an official patch ready for a week, while this has already been going on for a week.

Meanwhile, I installed the patch already out and I'm using a limited account. I'm also downloading a torrent of Ubuntu Linux which I'll install on my laptop. If I like the look and feel of it, I'll install on my desktop.

edit: And before you call me an anti-Windows fanboy for the first sentence, first know that I have actually used Windows since 95 (owned 95, 98SE, Me, XP, XP SP2, XP 64-Bit and use 2000 at school) and have been heavily against using Linux. But I've been considering Linux for a few weeks now and this might just push me over the line into actually downloading Linux.
 

SagaLore

Elite Member
Dec 18, 2001
24,036
21
81
Originally posted by: Amol
I am, I'm just sick of having to do this just because Windows has so many flaws in it that are easy for hackers to take advantage of.

How many people stay logged in as root on a linux box though?
 

harobikes333

Platinum Member
Sep 18, 2005
2,390
7
81
daily-page.com
Oooo, thanks for the link!

Anyone else use that patch that ISAslot linked?

I'm just going to check before I install something that could mess up my computer
 

Medea

Golden Member
Dec 5, 2000
1,606
0
0
Originally posted by: harobikes333
Oooo, thanks for the link!

Anyone else use that patch that ISAslot linked?

I'm just going to check before I install something that could mess up my computer


I installed the hotfix ver. 1.3. The updated version is 1.4, but there's no need to install the later version. Ver. 1.4 just added a component for network administrators.

The installation went smoothly (have XP Home) - plus, grc.com is a reputable site so, if I were you, I wouldn't worry about it.