  1. #1
    Guest

    Off Topic: Windows users, severe danger possible

    Unlike the vast majority of viruses, worms, trojans, etc., the newest threat does NOT require you to open an attachment, download something, etc.

    You MUST read the info below. It is NOT a scare story!!!!!!!!!!!!

    At the linked-to Web page is a link to an executable program that is supposed to protect you. I spent a couple hours today reading at many different sites about this problem. I installed the executable program on my Windows XP Home Service Pack 2 system and have been running for several hours with no problems. That is not to say you will not have problems. However, after reading about the severe danger I decided to install the patch. The creator says to uninstall it before installing the patch Microsoft will release, eventually. Until then, you are in danger.

    The greatest danger is that hackers/crackers can break into a Web site and use ANY of the pictures/visuals on that site to install a program on your computer. If you surf across an assortment of sites as I do.... well, read the stuff I did and consider your options.

    YOU HAVE BEEN WARNED!!!!!!

    http://isc.sans.org/diary.php?compare=1&storyid=994

    Why is this issue so important?
    The WMF vulnerability uses images (WMF images) to execute arbitrary code. It will execute just by viewing the image. In most cases, you don't have to click anything. Even images stored on your system may cause the exploit to be triggered if they are indexed by some indexing software. Viewing a directory in Explorer with 'Icon size' images will cause the exploit to be triggered as well.

    Is it better to use Firefox or Internet Explorer?
    Internet Explorer will view the image and trigger the exploit without warning. New versions of Firefox will prompt you before opening the image. However, in most environments this offers little protection given that these are images and are thus considered 'safe'.

    What versions of Windows are affected?
    All. Windows 2000, Windows XP (SP1 and SP2), Windows 2003. All are affected to some extent. Mac OS X, Unix and BSD are not affected.

    Note: If you're still running on Win98/ME, this is a watershed moment: we believe (untested) that your system is vulnerable and there will be no patch from MS. Your mitigation options are very limited. You really need to upgrade.

    What can I do to protect myself?
    Microsoft has not yet released a patch. An unofficial patch was made available by Ilfak Guilfanov. Our own Tom Liston reviewed the patch and we tested it. The reviewed and tested version is available here (now at v1.4, MD5: 15f0a36ea33f39c1bcf5a98e51d4f4f6), PGP signature (signed with ISC key) here. THANKS to Ilfak Guilfanov for providing the patch!!
    You can unregister the related DLL.
    Virus checkers provide some protection.
    To unregister the DLL:

    Click Start, click Run, type "regsvr32 -u %windir%\system32\shimgvw.dll" (without the quotation marks), and then click OK.
    A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.
    Our current "best practice" recommendation is to both unregister the DLL and to use the unofficial patch.

    How does the unofficial patch work?
    The wmfhotfix.dll is injected into any process loading user32.dll. The DLL then patches (in memory) gdi32.dll's Escape() function so that it ignores any call using the SETABORTPROC (i.e. 0x09) parameter. This should allow Windows programs to display WMF files normally while still blocking the exploit. The version of the patch located here has been carefully checked against the source code provided as well as tested against all known versions of the exploit. It should work on WinXP (SP1 and SP2) and Win2K.

    Will unregistering the DLL (without using the unofficial patch) protect me?
    It might help. But it is not foolproof. We want to be very clear on this: we have some very strong indications that simply unregistering the shimgvw.dll isn't always successful. The .dll can be re-registered by malicious processes or other installations, and there may be issues where re-registering the .dll on a running system that has had an exploit run against it allows the exploit to succeed. In addition it might be possible for there to be other avenues of attack against the Escape() function in gdi32.dll. Until there is a patch available from MS, we recommend using the unofficial patch in addition to un-registering shimgvw.dll.

    Should I just delete the DLL?
    It might not be a bad idea, but Windows File Protection will probably replace it. You'll need to turn off Windows File Protection first. Also, once an official patch is available you'll need to replace the DLL. (Renaming, rather than deleting, is probably better so it will still be handy.)

    Should I just block all .WMF images?
    This may help, but it is not sufficient. WMF files are recognized by a special header and the extension is not needed. The files could arrive using any extension, or embedded in Word or other documents.

    What is DEP (Data Execution Prevention) and how does it help me?
    With Windows XP SP2, Microsoft introduced DEP. It protects against a wide range of exploits by preventing the execution of 'data segments'. However, to work well, it requires hardware support. Some CPUs, like AMD's 64 Bit CPUs, will provide full DEP protection and will prevent the exploit.

    How good are anti-virus products at preventing the exploit?
    At this point, we are aware of versions of the exploit that will not be detected by antivirus engines. We hope they will catch up soon. But it will be a hard battle to catch all versions of the exploit. Up-to-date AV systems are necessary but likely not sufficient.

    How could a malicious WMF file enter my system?
    There are too many methods to mention them all. E-mail attachments, web sites, instant messaging are probably the most likely sources. Don't forget P2P file sharing and other sources.

    Is it sufficient to tell my users not to visit untrusted web sites?
    No. It helps, but it's likely not sufficient. We had at least one widely trusted web site (knoppix-std.org) which was compromised. As part of the compromise, a frame was added to the site redirecting users to a corrupt WMF file. "Trusted" sites have been used like this in the past.

    What is the actual problem with WMF images here?
    WMF images are a bit different from most other images. Instead of just containing simple 'this pixel has that color' information, WMF images can call external procedures. One of these procedure calls can be used to execute the code.

    Should I use something like "dropmyrights" to lower the impact of an exploit?
    By all means yes. Also, do not run as an administrator-level user for every day work. However, this will only limit the impact of the exploit, and not prevent it. Also: Web browsing is only one way to trigger the exploit. If the image is left behind on your system, and later viewed by an administrator, you may get 'hit'.

    Are my servers vulnerable?
    Maybe... do you allow the uploading of images? email? Are these images indexed? Do you sometimes use a web browser on the server? In short: If someone can get an image to your server, and if the vulnerable DLL may look at it, your server may very well be vulnerable.

    What can I do at my perimeter / firewall to protect my network?
    Not much. A proxy server that strips all images from web sites? Probably won't go over well with your users. At least block .WMF images (see above about extensions...). If your proxy has some kind of virus checker, it may catch it. Same for mail servers. The less you allow your users to initiate outbound connections, the better. Close monitoring of user workstations may provide a hint if a workstation is infected.

    Can I use an IDS to detect the exploit?
    Most IDS vendors are working on signatures. Contact your vendor for details. Bleedingsnort.org is providing some continuously improving signatures for snort users.

    If I get hit by the exploit, what can I do?
    Not much. It very much depends on the exact exploit you are hit with. Most of them will download additional components. It can be very hard, or even impossible, to find all the pieces. Microsoft offers free support for issues like that at 866-727-2389 (866 PC SAFETY).

    Does Microsoft have information available?
    http://www.microsoft.com/technet/securi ... 12840.mspx
    But there is no patch at the time of this writing.
    What does CERT have to say?
    http://www.kb.cert.org/vuls/id/181038
    http://www.cve.mitre.org/cgi-bin/cvenam ... -2005-4560
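
    Added example, not code from the SANS diary or the poster: a small Python 3 (standard library only) scanner that illustrates two points made above, namely that a WMF is recognized by its header and not by its extension ("Should I just block all .WMF images?"), and that the dangerous ingredient is a META_ESCAPE record invoking SETABORTPROC (0x09), the Escape() sub-function the unofficial patch ignores ("How does the unofficial patch work?"). The three sample byte strings are constructed here for the demonstration; none is a real captured exploit, and the function names are this example's own. Flagging SETABORTPROC is an indicator, not proof of exploitation, and files embedded in Word or other documents have to be extracted before this check can see them.

```python
import struct
from typing import Iterator, List, Tuple

PLACEABLE_KEY = 0x9AC6CDD7  # Aldus placeable header key (bytes D7 CD C6 9A)
META_EOF = 0x0000
META_SETMAPMODE = 0x0103
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009        # Escape() sub-function abused by the exploit


def find_wmf_header(data: bytes) -> int:
    """Return the offset of the 18-byte METAHEADER, or -1 if data is not a WMF.

    A placeable WMF carries a 22-byte Aldus header before the METAHEADER; a
    plain WMF starts with the METAHEADER directly. The file name plays no
    part, which is why extension filtering alone is insufficient.
    """
    off = 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22
    if len(data) < off + 18:
        return -1
    mtype, hdr_words, version = struct.unpack_from("<HHH", data, off)
    # Type: 1 = memory metafile, 2 = disk metafile. HeaderSize is always 9
    # words. Version is 0x0100 (no DIBs) or 0x0300 (DIBs allowed).
    if mtype in (1, 2) and hdr_words == 9 and version in (0x0100, 0x0300):
        return off
    return -1


def iter_records(data: bytes, hdr_off: int) -> Iterator[Tuple[int, int, bytes]]:
    """Yield (offset, function, parameters) for each record after the METAHEADER.

    Each record is a 32-bit size in 16-bit words followed by a 16-bit function
    code. A size that runs past the end of the buffer is reported as-is and
    ends the walk, so a truncated or malformed file still yields the records
    that precede the damage.
    """
    off = hdr_off + 18
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        size = size_words * 2
        if size < 6 or off + size > len(data):
            yield off, func, data[off + 6:]
            return
        yield off, func, data[off + 6:off + size]
        if func == META_EOF:
            return
        off += size


def scan_wmf(data: bytes) -> dict:
    """Classify a byte string: is it WMF, and does it carry a SETABORTPROC escape?"""
    hdr = find_wmf_header(data)
    result = {"is_wmf": hdr >= 0, "placeable": hdr == 22,
              "escapes": [], "setabortproc": False}
    if hdr < 0:
        return result
    for off, func, params in iter_records(data, hdr):
        if func == META_ESCAPE and len(params) >= 2:
            esc = struct.unpack_from("<H", params, 0)[0]  # EscapeFunction field
            result["escapes"].append((off, esc))
            if esc == SETABORTPROC:
                result["setabortproc"] = True
    return result


# --- constructed sample files (built here, not captured from the wild) -------

def record(func: int, params: bytes = b"") -> bytes:
    """Build one WMF record: size in words, function code, parameters."""
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def build_wmf(records: List[bytes], placeable: bool = False) -> bytes:
    """Assemble a minimal disk metafile (Type 2, version 0x0300) from records."""
    body = b"".join(records)
    header = struct.pack("<HHHIHIH", 2, 9, 0x0300, (18 + len(body)) // 2,
                         0, max(len(r) for r in records) // 2, 0)
    out = header + body
    if placeable:
        # key, HWmf, bounding box (4 x int16), inch, reserved, checksum
        out = struct.pack("<IHhhhhHIH", PLACEABLE_KEY, 0, 0, 0, 100, 100,
                          96, 0, 0) + out
    return out


# Harmless placeable WMF: one SetMapMode record, then EOF.
BENIGN_WMF = build_wmf([record(META_SETMAPMODE, struct.pack("<H", 8)),
                        record(META_EOF)], placeable=True)
# Suspicious WMF with a META_ESCAPE/SETABORTPROC record and no placeable
# header; it is still a WMF to the viewer if it is named photo.jpg.
SUSPECT_WMF = build_wmf([record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 0)),
                         record(META_EOF)])
# Not a WMF at all (JPEG SOI/APP0 markers padded out).
JPEG_SAMPLE = b"\xff\xd8\xff\xe0" + b"\x00" * 20

if __name__ == "__main__":
    for name, blob in [("benign.wmf", BENIGN_WMF), ("photo.jpg", SUSPECT_WMF),
                       ("real.jpg", JPEG_SAMPLE)]:
        print(name, scan_wmf(blob))
```

    Run it as a script to see the three verdicts; the same logic dropped into a mail gateway or upload handler is what "block WMF by content, not by extension" amounts to in practice.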

  2. #2
    Guest
    Windows security glitch is grave

    By Brian Krebs The Washington Post


    A previously unknown flaw in Microsoft Corporation’s Windows operating system is leaving computer users vulnerable to spyware, viruses and other programmes that could overtake their machines and has sent the company scrambling to come up with a fix.

    Microsoft said in a statement this week that it is investigating the vulnerability and plans to issue a software patch to fix the problem. The company could not say how soon that patch would be available.

    Microsoft Security Response Centre Operations Manager Mike Reavey called the flaw “a very serious issue.”


    Because the vulnerability exists within a faulty Windows component, security experts warn that Windows users who eschew Internet Explorer in favour of alternative Web browsers, such as older versions of Firefox and Opera, can still get their PCs infected if they agree to download a file from a site taking advantage of the flaw.

    Security researchers revealed the flaw on Tuesday and posted instructions online that showed how would-be attackers could exploit the flaw.

    Within hours, computer virus and spyware authors were using the flaw to distribute malicious programs that could allow them to take over and remotely control afflicted computers.

    Unlike with previously revealed vulnerabilities, computers can be infected simply by visiting one of the Web sites or viewing an infected image in an e-mail through the preview pane in older versions of Microsoft Outlook, even if users did not click on anything or open any files. Operating system versions ranging from the current Windows XP to Windows 98 are affected.

    An estimated 90 per cent of personal computers run on Microsoft Windows operating systems. Microsoft has found itself under attack on several instances and has been forced to issue a number of patches to keep computers running Windows safe. Mac and Linux computer users are not at risk with this attack, even if their computers run Microsoft programs such as Office or the Internet Explorer Web browser.

    “The problem with this attack is that it is so hard to defend against for average user,” said SANS Internet Storm Centre Chief Research Officer Johannes Ullrich.

    Anti-virus firm Symantec Corporation Senior Manager Dean Turner said the company has seen the vulnerability exploited to install software that intercepts personal and financial information when users of infected computers enter the data at certain banking or e-commerce sites. Anti-spyware firm Sunbelt Software Vice President (R&D) Eric Sites said he has spotted spyware being downloaded to a user’s machine by online banner advertisements.
    _________________________________________________________

    Yesterday, while surfing, following link after link looking for news stories, suddenly, with no warning, that pop-up window Windows uses to indicate a download from the Web has started suddenly appeared. Experience made me act immediately and I closed it, then ran the full gamut of weapons: Nod32 anti-virus, Ad-Aware and Webroot Spy Sweeper. Nothing bad found, but..... unless I specifically activate them, I have active scripting (JavaScript) and ActiveX turned off, since having them on exposes one to hostile code. With both of those turned OFF I should NOT have seen that pop-up download box at all!!!!!!!!!!!!

    Thus, something made it happen when it normally would not. Was it, perhaps, the exploit mentioned above? During 9 years of being on the Web I have NEVER had a pop-up "download going on at this time" box EVER appear unless I either clicked to allow it or had scripting and/or ActiveX turned on.

    I believe it is possible I came across a Web site that either knowingly or, most likely, unknowingly, contained the exploit wherein merely having the Web site page on one's browser is enough to cause the exploit to activate.

    Okay, felt it was my duty to warn y'all. Will leave it up to others to spread the word.
