
A Very Dangerous Worm in Windows Metafile Images (WMF)


Mike Monett

Jan 1, 2006, 7:18:43 PM
To All,

Last night, a very dangerous computer worm was released on the
internet. It is carried on Windows Metafile images and automatically
executes with no user interaction. With Microsoft Explorer or
Outlook, you are automatically infected if you receive infected
email or view a site with the worm. The problem is Windows WMF files
have the capability to execute external code. This is a virus
writer's dream. He can do anything he wants.

The structure of the worm means it will be difficult or impossible
to detect by antivirus programs, and it may be extremely difficult
or impossible to remove from your computer.

Microsoft has no patch at the moment, and the procedure they
currently recommend to reduce the hazard of infection may not work.
Here's more info:

------------------------------------------------------------------

Going back to the wmf vulnerability itself, we see number of sites
mention that shimgvw.dll is the vulnerable file.

This doesn't seem correct as it's possible to exploit a system on
which shimgvw.dll has been unregistered and deleted. The
vulnerability seems to be in gdi32.dll.

So while unregistering shimgvw.dll may make you less vulnerable,
several attack scenarios come to mind where the system can still
be compromised.

http://isc.sans.org/diary.php?storyid=992

------------------------------------------------------------------

This may be the worst worm that anyone could possibly invent. Here's
a portion of a summary by a Slashdot reader:

------------------------------------------------------------------

It's worse than that (Score:1, Insightful)
by Anonymous Coward on Sunday January 01, @01:11PM (#14374914)

[...]

This is looking truly horrible. On Tuesday morning zillions of
Windows desktops will be fired up for the first time in a week or
two. This thing's already in widespread use by a number of malware
distribution networks for the usual reasons. As such it's a
nightmare for network and system admins with Windows machines to
look after (and us security people trying to provide advice &
assistance for them...)

[...]

I will stick my neck out here and make a prediction. Virtually all
organisations with Windows machines are effectively wide open to
total compromise by a reasonably informed person. That means much
of the IT dept as well as significant numbers of the 'interested
poweruser' types, developers with a casual interest in security,
and anyone who's heard of this and is capable of running the
finding, running and using the new exploit, basically. Of course
we're all tweaking our IDSes and antivirus, locking things down as
tight as possible in the 48 hours remaining, but... *shudder*.

For ten years I've been waiting for Microsoft's luck to run out.

This is about #3 on my list of catastrophic MS incidents. There
aren't many ways things could be worse.

url: http://it.slashdot.org/it/06/01/01/1550258.shtml

------------------------------------------------------------------

Other sites confirm the serious nature of the problem:

------------------------------------------------------------------

Re: WMF Vulnerability leads to compromised computers

*** ALL USERS OF WINDOWS, PLEASE READ BELOW. ***

There is a very major security problem with Windows, all variants
back to Windows 98.

All systems are at risk. Many are already infected. There are few
options for an effective defense.

See our web page on this issue:

http://www.softprose.com/information/antivirus/wmf.shtml

Greetings,

This is an urgent advisory of a real-life threat to all Windows
computers.

The Windows Metafile Format (*.WMF) image format, developed by
Microsoft, has been shown to have a critical flaw that allows ALL
VARIANTS of Windows computers after and including Windows 98 to be
taken over by criminals SIMPLY BY VIEWING images on a web page or
images contained in email, including preview.

The WMF vulnerability is not a virus in itself; it is, instead,
known as an "Exploit", or a pathway that a Virus (or spyware, or
any number of malware variants) can use to be inserted into a
computer. Unfortunately, the bad guys found this hole before the
"white hats" got involved, so this problem is already showing up
on users' computers.

This is a SEVERE problem that is already being exploited for
commercial and criminal gain. The spyware program "Winhound" is
the most common, and prominent, example using this security hole,
but many other programs have been found that are taking advantage
of it. Many of these programs use stealth techniques to hide on
your PC, and record keystrokes, logins, credit card, and all sorts
of other information of interest to criminal enterprises.

Other commercial programs using this security hole include
Winfixer and AVGold. There will probably be many more.

Although Winhound is a very busy, obvious, and obnoxious
infestation, it is not the worst; the worst infestation is that
which you do not know about. There is no defense currently
available for this problem, and fully-patched systems are being
infected. No current antivirus software is defending against this
threat. As there is a direct financial incentive, the number and
variety of softwares using this security flaw are expanding
exponentially in number.

This has the capacity of being the single greatest security threat
ever discovered. The number of machines that are vulnerable
include every single Windows computer in the world. There is
currently no organized defense. The number and variety of attacks
are quite large, and they are not being addressed at this time by
security products.

The pictures DO NOT NECESSARILY have a *.WMF extension! WMF files
will execute just fine if they are called *.gif, *.jpg, *.bmp, and
other names! ANY GRAPHIC FILE can conceal the infection.

url: http://www.aota.net/forums/showthread.php?p=143053

------------------------------------------------------------------

Everyone recommends that you stop using the Microsoft Explorer browser
and switch to Firefox. Firefox is still vulnerable, but at least it
requires you to go through a user dialog to execute the worm. Here is
the Firefox url:

http://www.mozilla.com/firefox/

I use Opera 8.51, but I haven't found if it is vulnerable.

Now's the time to back up all your critical files on a separate
computer and keep it away from the web.

Best Wishes and Good Luck to All.

Mike Monett

Mike Monett

Jan 1, 2006, 7:40:38 PM
Mike Monett wrote:
>
> To All,
>
> Last night, a very dangerous computer worm was released on the
> internet. It is carried on Windows Metafile images and automatically
> executes with no user interaction. With Microsoft Explorer or
> Outlook, you are automatically infected if you receive infected
> email or view a site with the worm. The problem is Windows WMF files
> have the capability to execute external code. This is a virus
> writer's dream. He can do anything he wants.

[...]

Update: Opera is not vulnerable. You have to work hard to get infected.

Here is more information from Rijk van Geijtenbeek in the opera.general
newsgroup:

"Opera cannot display WMF files natively, so it is not vulnerable
in itself. With the default configuration Opera opens the download
dialog for such files. If you click 'Open' and the default handler
is the 'MS Picture and fax viewer', you can apparently be infected
by malicious WMF files. So treat WMF files with the same caution
as EXE and BAT etc files, I'd say. And don't change Opera's
settings to directly open such files..."

Go Opera! Beats the pants off MSIE and Firefox.

Mike Monett

Ken Smith

Jan 1, 2006, 6:24:51 PM
I just had a great idea that I hereby make public domain:

Someone could write a *.WMF worm that automatically downloads and installs
Linux on all the computers that it can infect.
--
kens...@rahul.net forging knowledge

John Larkin

Jan 1, 2006, 7:09:36 PM
On Sun, 01 Jan 2006 16:18:43 -0800, Mike Monett
<gqtacf...@spammotel.com> wrote:

>To All,
>
> Last night, a very dangerous computer worm was released on the
> internet. It is carried on Windows Metafile images and automatically
> executes with no user interaction. With Microsoft Explorer or
> Outlook, you are automatically infected if you receive infected
> email or view a site with the worm. The problem is Windows WMF files
> have the capability to execute external code. This is a virus
> writer's dream. He can do anything he wants.
>

It took the genius of Bill Gates to design an os that allows worms to
be resident in viewable images. As I recall, Windows had the same
problem with true jpeg files once.

"When in doubt, execute it."


John


JeffM

Jan 1, 2006, 9:28:12 PM
>>Last night, a very dangerous computer worm
>>was released on the internet.
>>It is carried on Windows Metafile images
>> Mike Monett

>
>Update: Opera is not vulnerable. You have to work hard to get infected.
> Mike Monett

A patch for NT-based systems [1]
http://66.102.7.104/search?q=cache:G_h4wrg3BDYJ:www.grc.com/sn/notes-020.htm+Download-Ilfak's-Temporary-WMF-Patch+the-seriousness-of-the-WMF-vulnerability
[1] There is no patch for DOS-based Windoze.

Donald

Jan 1, 2006, 10:06:09 PM
John Larkin wrote:
>
> It took the genius of Bill Gates to design an os that allows worms to
> be resident in viewable images. As I recall, Windows had the same
> problem with true jpeg files once.
>
> "When in doubt, execute it."

Wasn't there a rumor that M$ had back doors for govm't snoops ??

Maybe it wasn't a rumor after all.

donald

John Perry

Jan 1, 2006, 10:30:45 PM
John Larkin wrote:
>
>
> It took the genius of Bill Gates to design an os that allows worms to
> be resident in viewable images. As I recall, Windows had the same
> problem with true jpeg files once.
>
> "When in doubt, execute it."
>
>

I'm sure Gates is one of the main sources of the mindset that generates
crap like this, but I really don't think he's done any serious
programming since Microsoft Basic (the only _good_ thing to originate in
Microsoft, by the way). He bought DOS from a Real Programmer, and
since, he's been a corporate bigwig.

Yeah, he may have been in on toplevel design and corporate design goals,
but...

John Perry

David Brown

Jan 2, 2006, 3:10:16 AM

I believe the MS Office clip art file format also has the option of
including macro viruses, though I never heard of any real exploits.
Windows font files can also have viruses, since they are at heart dll's.


Mike Monett

Jan 2, 2006, 5:56:03 AM
JeffM wrote:

There is a vulnerability checker at

http://www.hexblog.com/2006/01/wmf_vulnerability_checker.html#more

Several people report their results on Win98. Apparently Win98 shows as
being vulnerable, but two people running Win98SE say their system reports
not vulnerable.

I am running Win98SE with the Final Update. The test report says it is
not vulnerable. A brief look at the source indicates it may not be able
to find the entry points in the Win98SE version of gdi32.dll.

Wishful thinking says maybe the virus writers could have the same problem
with Win98SE, and anyway they will be going after w2k and xp systems.
Somehow that doesn't make me feel better.

The author emphasizes he checks only one vulnerability and there may be
more. So it is not safe to assume that Win98SE or later OS's are
invulnerable to this problem even if the temporary patch is applied.

This is a very serious problem. Watch the internet melt tomorrow when
everyone comes back from XMas vacation.

Mike Monett

Frank Bemelman

Jan 2, 2006, 3:54:47 AM
"Mike Monett" <gqtacf...@spammotel.com> wrote in message
news:43B906...@spammotel.com...

> This is a very serious problem. Watch the internet melt tomorrow when
> everyone comes back from XMas vacation.

Hahahahaha.....

--
Thanks, Frank.
(remove 'q' and '.invalid' when replying by email)


Mike Monett

Jan 2, 2006, 6:40:50 AM
John Larkin wrote:

[...]

> It took the genius of Bill Gates to design an os that allows worms to
> be resident in viewable images. As I recall, Windows had the same
> problem with true jpeg files once.
>
> "When in doubt, execute it."
>
> John

According to the CERT advisory, a wmf file can have many extensions:

------------------------------------------------------------------

"Please note that Windows Metafile data may be saved with an
extension other than WMF. A file with any extension that is
associated with Windows Picture and Fax Viewer can be used to
exploit this vulnerability. By default, Windows Picture and Fax
Viewer is associated with the following file extensions:"

"BMP DIB GIF EMF JFIF JPE JPEG JPG PNG TIF TIFF WMF"

http://www.kb.cert.org/vuls/id/181038

------------------------------------------------------------------

The IM worm that was released yesterday was "http://[snip]/xmas-2006 FUNNY.jpg".

So we can't tell if an image file is safe by looking at the extension.

Pure chaos.

Mike Monett

Frank Bemelman

Jan 2, 2006, 4:02:57 AM
"Mike Monett" <gqtacf...@spammotel.com> wrote in message
news:43B911...@spammotel.com...

> Pure chaos.

Hahahahahaha.....

Winfield Hill

Jan 2, 2006, 6:13:43 AM
Frank Bemelman wrote...
>
> Mike Monett wrote...

>
>> This is a very serious problem. Watch the internet melt
>> tomorrow when everyone comes back from XMas vacation.
>
> Hahahahaha.....

Most of us don't visit malicious web pages. And hopefully
by now most of us have our email program set not to display
email links or images. Wait, I don't know, is that feature
available yet in Microsoft's Outlook and Outlook Express?

Hmm, wait, what about web-based email programs, do they let
you set a default to preview the contents of a spam email
without showing the embedded images?


--
Thanks,
- Win

John Devereux

Jan 2, 2006, 6:44:06 AM
Winfield Hill <Winfiel...@newsguy.com> writes:

> Frank Bemelman wrote...
>>
>> Mike Monett wrote...
>>
>>> This is a very serious problem. Watch the internet melt
>>> tomorrow when everyone comes back from XMas vacation.
>>
>> Hahahahaha.....
>
> Most of us don't visit malicious web pages.

<SNIP>

It might only take an external graphics ad on an otherwise
"respectable" site.

--

John Devereux

Pooh Bear

Jan 2, 2006, 6:49:16 AM

Winfield Hill wrote:

> Most of us don't visit malicious web pages.

It's easy to redirect you there.

> And hopefully
> by now most of us have our email program set not to display
> email links or images. Wait, I don't know, is that feature
> available yet in Microsoft's Outlook and Outlook Express?

I've just been looking and can't find anything relevant to turn
on/off.

> Hmm, wait, what about web-based email programs, do they let
> you set a default to preview the contents of a spam email
> without showing the embedded images?

Dunno mate. Good luck. Put a condom on your PC ! ;-)

Graham

Frank Bemelman

Jan 2, 2006, 7:58:06 AM
"Winfield Hill" <Winfiel...@newsguy.com> wrote in message
news:dpb1t...@drn.newsguy.com...

> Frank Bemelman wrote...
> >
> > Mike Monett wrote...
> >
> >> This is a very serious problem. Watch the internet melt
> >> tomorrow when everyone comes back from XMas vacation.
> >
> > Hahahahaha.....
>
> Most of us don't visit malicious web pages. And hopefully
> by now most of us have our email program set not to display
> email links or images. Wait, I don't know, is that feature
> available yet in Microsoft's Outlook and Outlook Express?

Outlook Express has that choice. I read my email as plain text.

> Hmm, wait, what about web-based email programs, do they let
> you set a default to preview the contents of a spam email
> without showing the embedded images?

I suppose some folks may catch this new virus. But if the internet
is going to melt down tomorrow, I'd expect to hear more about
it, other than a worried post from Mike Monett.

Winfield Hill

Jan 2, 2006, 7:44:44 AM
Pooh Bear wrote...

>
> Winfield Hill wrote:
>
>> Most of us don't visit malicious web pages.
>
> It's easy to redirect you there.

Right, but I can be fairly confident NSC and Linear Technology
aren't going to do that. And I won't be visiting Porn-R-Us or
Internet-Gambling-Winner-Now, etc.

>> And hopefully
>> by now most of us have our email program set not to display
>> email links or images. Wait, I don't know, is that feature
>> available yet in Microsoft's Outlook and Outlook Express?
>
> I've just been looking and can't find anything relevant to
> turn on/off.

That could mean you don't have it. Mozilla's Thunderbird email
program has its shields up by default, which is easily seen as
your email displays with empty boxes where images are intended,
along with a "show images" button, which you can activate once
you're completely confident that specific email is from a safe
source. The next email you examine once again has block images.

>> Hmm, wait, what about web-based email programs, do they let
>> you set a default to preview the contents of a spam email
>> without showing the embedded images?
>
> Dunno mate. Good luck. Put a condom on your PC ! ;-)

Indeed.


--
Thanks,
- Win

Pooh Bear

Jan 2, 2006, 8:06:29 AM

Frank Bemelman wrote:

> "Winfield Hill" <Winfiel...@newsguy.com> wrote in message
> news:dpb1t...@drn.newsguy.com...
> > Frank Bemelman wrote...
> > >
> > > Mike Monett wrote...
> > >
> > >> This is a very serious problem. Watch the internet melt
> > >> tomorrow when everyone comes back from XMas vacation.
> > >
> > > Hahahahaha.....
> >
> > Most of us don't visit malicious web pages. And hopefully
> > by now most of us have our email program set not to display
> > email links or images. Wait, I don't know, is that feature
> > available yet in Microsoft's Outlook and Outlook Express?
>
> Outlook Express has that choice. I read my email as plain text.

I saw that option too. I didn't reckon it was related to the preview
pane though.

My Windows is fully patched, so I may not have the vulnerability in OE
anyway.


> > Hmm, wait, what about web-based email programs, do they let
> > you set a default to preview the contents of a spam email
> > without showing the embedded images?
>
> I suppose some folks may catch this new virus. But if the internet
> is going to melt down tomorrow, I'd expect to hear more about
> it, other than a worried post from Mike Monett.

It has to start somewhere. I was initially sceptical but investigated
it. As time passed I saw that the alerts were increasing in severity.

This is a real one.

I've finally installed Opera ( after years of my IT friends saying I
should ) as my default browser. It's better than IE anyway ! Page
rendering is blisteringly fast. It is essentially unaffected by this
current issue. I recommend it.

" Opera 8.x with all vendor patches installed and all vendor
workarounds applied, is currently affected by one or more Secunia
advisories rated Not critical "

http://secunia.com/product/4932/

Graham

Pooh Bear

Jan 2, 2006, 8:18:24 AM

Winfield Hill wrote:

> Pooh Bear wrote...
> >
> > Winfield Hill wrote:
> >
> >> Most of us don't visit malicious web pages.
> >
> > It's easy to redirect you there.
>
> Right, but I can be fairly confident NSC and Linear Technology
> aren't going to do that. And I won't be visiting Porn-R-Us or
> Internet-Gambling-Winner-Now, etc.

If you're a 'safe surfer' I'm sure that's true. I never fail to be
amazed by the pop-ups that some 'serious' sites have though.


> >> And hopefully
> >> by now most of us have our email program set not to display
> >> email links or images. Wait, I don't know, is that feature
> >> available yet in Microsoft's Outlook and Outlook Express?
> >
> > I've just been looking and can't find anything relevant to
> > turn on/off.
>
> That could mean you don't have it.

I suspect that's the case. My Windoze ( 98SE ) is fully patched and up
to date with all the Microsoft security issue fixes installed.

I 'passed' the current online test for this exploit btw. It's not
*guaranteed* but helps put my mind at rest.

> Mozilla's Thunderbird email
> program has its shields up by default, which is easily seen as
> your email displays with empty boxes where images are intended,
> along with a "show images" button, which you can activate once
> you're completely confident that specific email is from a safe
> source. The next email you examine once again has block images.
>
> >> Hmm, wait, what about web-based email programs, do they let
> >> you set a default to preview the contents of a spam email
> >> without showing the embedded images?
> >
> > Dunno mate. Good luck. Put a condom on your PC ! ;-)
>
> Indeed.

Btw - I finally installed Opera as my default browser ( after
seemingly years of being told by my IT friends that it's the 'dog's
bollocks' ) because it's unaffected by this issue. I'd recommend it!
Page rendering is way faster than IE for starters. I don't think
I'll be going back.

Graham

Winfield Hill

Jan 2, 2006, 8:13:26 AM
John Devereux wrote...

>
> Winfield Hill writes:
>
>> Frank Bemelman wrote...
>>>
>>> Mike Monett wrote...
>>>
>>>> This is a very serious problem. Watch the internet melt
>>>> tomorrow when everyone comes back from XMas vacation.
>>>
>>> Hahahahaha.....
>>
>> Most of us don't visit malicious web pages.
>
> <SNIP>
>
> It might only take an external graphics ad on an otherwise
> "respectable" site.

Yes. But the keyword is "respectable" - So, I'd say even if
you install Ilfak Guilfanov's WMF-Exploit patch (on W2000 sr4
and XP sr2 systems only, SFAIK) - I have done so - be careful
to only visit *very* safe well-known websites.

Ilfak's patch blocks WMF files from executing any internal code
they might carry (this was a MS Windows design feature intended
to implement a "SETABORT escape sequence," but able to do more).

http://www.hexblog.com/2006/01/wmf_vulnerability_checker.html#more
http://blog.ziffdavis.com/seltzer/archive/2005/12/31/39650.aspx
http://www.grc.com/sn/notes-020.htm
http://www.f-secure.com/weblog/
http://ipadventures.com/

Once Microsoft eventually offers a fix, and it's installed, and
after a few days (weeks?) multiple ALL CLEARs have been issued,
Ilfak's patch can be removed (using Add/Remove Programs). Then
we can begin random web-exploring once more. :-) Sheesh!


--
Thanks,
- Win
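Two points in this thread fit together for anyone defending a network: Mike's CERT quote says a metafile can arrive under any image extension, and Win's note above says the dangerous construct is the SETABORT escape that Ilfak's patch blocks. The check below is an added example, not code from the thread or from Ilfak's patch: it sniffs the bytes for a WMF header regardless of extension and walks the records for a META_ESCAPE/SETABORTPROC pair, which is the pattern IDS and antivirus signatures of the time looked for. Record constants follow the published Windows Metafile format; the sample files are constructed here and carry no payload.

```python
import struct
import sys

# Constants from the published Windows Metafile record layout.
PLACEABLE_KEY = 0x9AC6CDD7   # magic of the 22-byte 'placeable' WMF header
META_ESCAPE = 0x0626         # record function: META_ESCAPE
SETABORTPROC = 0x0009        # escape sub-function: SETABORTPROC
META_EOF = 0x0000


def wmf_header_offset(data: bytes):
    """Offset of the standard 18-byte WMF header, or None if the bytes do
    not look like a metafile at all, whatever extension the file carries."""
    off = 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22
    if len(data) < off + 18:
        return None
    ftype, hdr_words, version = struct.unpack_from("<HHH", data, off)
    # type 1 = memory, 2 = disk; header is 9 words; version 0x0100 or 0x0300
    if ftype in (1, 2) and hdr_words == 9 and version in (0x0100, 0x0300):
        return off
    return None


def looks_like_wmf(data: bytes) -> bool:
    return wmf_header_offset(data) is not None


def iter_records(data: bytes, pos: int):
    """Yield (offset, function, params) per record. Each record starts with
    a DWORD size in 16-bit words (including its own 6-byte header) and a
    WORD function number; a truncated or undersized record ends the walk."""
    while pos + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, pos)
        end = pos + size_words * 2
        if size_words < 3 or end > len(data):
            break
        yield pos, func, data[pos + 6:end]
        if func == META_EOF:
            break
        pos = end


def find_setabortproc(data: bytes):
    """Offsets of META_ESCAPE records whose sub-function is SETABORTPROC,
    the construct that lets a metafile hand Windows code to run."""
    hits = []
    start = wmf_header_offset(data)
    if start is None:
        return hits
    for off, func, params in iter_records(data, start + 18):
        if func == META_ESCAPE and len(params) >= 2:
            if struct.unpack_from("<H", params, 0)[0] == SETABORTPROC:
                hits.append(off)
    return hits


# --- constructed samples (not real files from the thread) ---------------

def build_wmf(records):
    """Assemble a minimal disk metafile from raw record bytes plus META_EOF."""
    body = b"".join(records) + struct.pack("<IH", 3, META_EOF)
    max_words = max(len(r) for r in records) // 2 if records else 3
    header = struct.pack("<HHHIHIH", 2, 9, 0x0300, (18 + len(body)) // 2, 0, max_words, 0)
    return header + body


def placeable(std: bytes) -> bytes:
    """Prefix a standard WMF with a placeable header (checksum = XOR of its words)."""
    head = struct.pack("<IHhhhhHI", PLACEABLE_KEY, 0, 0, 0, 0, 0, 96, 0)
    csum = 0
    for (word,) in struct.iter_unpack("<H", head):
        csum ^= word
    return head + struct.pack("<H", csum) + std


SETMAPMODE_REC = struct.pack("<IHH", 4, 0x0103, 8)                   # harmless drawing record
ESCAPE_REC = struct.pack("<IHHH", 5, META_ESCAPE, SETABORTPROC, 0)  # escape record, no data
SAMPLE_CLEAN = build_wmf([SETMAPMODE_REC])
SAMPLE_FLAGGED = build_wmf([SETMAPMODE_REC, ESCAPE_REC])
NOT_WMF = b"\xff\xd8\xff\xe0" + bytes(20)                            # JPEG SOI marker, padded

if __name__ == "__main__":
    # Usage: python wmf_check.py file1.jpg file2.gif ...  (extension is ignored)
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            blob = f.read()
        if not looks_like_wmf(blob):
            print(f"{path}: not a metafile")
        elif hits := find_setabortproc(blob):
            print(f"{path}: SETABORTPROC escape at offsets {hits}")
        else:
            print(f"{path}: metafile, no SETABORTPROC escape")
```

Run it over a mail attachment directory or a web proxy cache to find metafiles hiding behind .jpg/.gif names; a flagged hit is worth quarantining, and a clean result only means this one construct is absent.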

John Devereux

Jan 2, 2006, 8:48:53 AM
Winfield Hill <Winfiel...@newsguy.com> writes:

I would rather suggest using another browser (I use firefox), at least
for your general use. It has been months since I had to fire up IE,
and then it was just to check if some web site malfunction was browser
related or not.

--

John Devereux

Pooh Bear

Jan 2, 2006, 9:00:20 AM

John Devereux wrote:

> Winfield Hill <Winfiel...@newsguy.com> writes:

< snip >

> > Once Microsoft eventually offers a fix, and it's installed, and
> > after a few days (weeks?) multiple ALL CLEARs have been issued,
> > Ilfak's patch can be removed (using Add/Remove Programs). Then
> > we can begin random web-exploring once more. :-) Sheesh!
>
> I would rather suggest using another browser (I use firefox), at least
> for your general use. It has been months since I had to fire up IE,
> and then it was just to check if some web site malfunction was browser
> related or not.

This event motivated me to finally get round to installing the Opera
browser www.opera.com . It's good. Page rendering is especially fast. I
don't think I'll be going back.

The last time I was impressed by a browser upgrade ( from Mosaic ! ) was
when I was downloading beta versions of Netscape 2 ! Full marks to Opera.

Graham

Winfield Hill

Jan 2, 2006, 8:54:12 AM
Pooh Bear wrote...

>
> I suspect that's the case. My Windoze ( 98SE ) is fully patched and
> up to date with all the Microsoft security issue fixes installed.
>
> I 'passed' the current online test for this exploit btw. It's not
> *guaranteed* but helps put my mind at rest.

I dunno, some sites I read say the test fails to properly see
the vulnerability on Win98. Others point out the WMF hole is
valid back to Windows 3.0 So I'd be very careful.

> Btw - I finally installed Opera as my default browser ( after
> seemingly years of being told by my IT friends that it's the
> 'dog's bollocks' ) because it's unaffected by this issue. I'd
> recommend it! Page rendering is way faster than IE for starters.
> I don't think I'll be going back.

Nice recommendation.


--
Thanks,
- Win

Frank Bemelman

Jan 2, 2006, 9:13:07 AM
"Pooh Bear" <rabbitsfriend...@hotmail.com> wrote in message
news:43B92555...@hotmail.com...

> Frank Bemelman wrote:
>
> > I suppose some folks may catch this new virus. But if the internet
> > is going to melt down tomorrow, I'd expect to hear more about
> > it, other than a worried post from Mike Monett.
>
> It has to start somewhere. I was initially sceptical but investigated
> it. As time passed I saw that the alerts were increasing in severity.

Or are you hearing echoes of the same?

>
> This is a real one.
>

The real one, real soon now.

> I've finally installed Opera ( after years of my IT friends saying I
> should ) as my default browser. It's better than IE anyway ! Page
> rendering is blisteringly fast. It is essentially unaffected by this
> current issue. I recommend it.
>
> " Opera 8.x with all vendor patches installed and all vendor
> workarounds applied, is currently affected by one or more Secunia
> advisories rated Not critical "

Ah, so it is just a big Opera spam! Clever!

If you don't mind, I'll wait until a small portion of the internet melts...

Frank Bemelman

Jan 2, 2006, 9:35:05 AM
"Winfield Hill" <Winfiel...@newsguy.com> wrote in message
news:dpbba...@drn.newsguy.com...

> Pooh Bear wrote...
> >
> > I suspect that's the case. My Windoze ( 98SE ) is fully patched and
> > up to date with all the Microsoft security issue fixes installed.
> >
> > I 'passed' the current online test for this exploit btw. It's not
> > *guaranteed* but helps put my mind at rest.
>
> I dunno, some sites I read say the test fails to properly see
> the vulnerability on Win98. Others point out the WMF hole is
> valid back to Windows 3.0 So I'd be very careful.

I wonder where all this expertise suddenly comes from.

The only thing that running such online test proves is that there
are still folks around who trust and run software just like that,
on their computers that didn't show any signs of problems ;)

Now that is worth a 'Sheesh'.

I recommend installing MSDOS 2.0 before it is too late. Joerg
still has copies.

Pooh Bear

Jan 2, 2006, 9:40:16 AM

Frank Bemelman wrote:

DOS 2.0 was crap.

I have DOS 5.0 ( the only ever unpatched version of DOS - i.e. one that
worked out of the box ) on 5 1/4 floppies even ! and any number of versions
of DOS 6.xxxxxxxxxxxxx


Graham

Pooh Bear

Jan 2, 2006, 9:41:53 AM

Frank Bemelman wrote:

If someone told you a flood was coming would you wait til it was half way up
the walls of your house before acting ?

Graham

Winfield Hill

Jan 2, 2006, 9:29:20 AM
Pooh Bear wrote...

>
> John Devereux wrote:
>
>> I would rather suggest using another browser (I use firefox), at least
>> for your general use. It has been months since I had to fire up IE,
>> and then it was just to check if some web site malfunction was browser
>> related or not.
>
> This event motivated me to finally get round to installing the Opera
> browser www.opera.com . It's good. Page rendering is especially fast. I
> don't think I'll be going back.

The experts say it really doesn't matter what browser you're
using, you're vulnerable if Windows is asked to open a WMF file,
via any pathway. This one is said to be EXTREMELY DANGEROUS,
read http://isc.sans.org/diary.php?storyid=996 or 1/3 the way
down the Internet Storm Center page here, http://isc.sans.org/


--
Thanks,
- Win

Winfield Hill

Jan 2, 2006, 9:43:34 AM
Frank Bemelman wrote...
>
> Winfield Hill wrote...

>> Pooh Bear wrote...
>>>
>>> I suspect that's the case. My Windoze ( 98SE ) is fully patched and
>>> up to date with all the Microsoft security issue fixes installed.
>>>
>>> I 'passed' the current online test for this exploit btw. It's not
>>> *guaranteed* but helps put my mind at rest.
>>
>> I dunno, some sites I read say the test fails to properly see
>> the vulnerability on Win98. Others point out the WMF hole is
>> valid back to Windows 3.0 So I'd be very careful.
>
> I wonder where all this expertise suddenly comes from.
>
> The only thing that running such online test proves is that there
> are still folks around who trust and run software just like that,
> on their computers that didn't show any signs of problems ;)
>
> Now that is worth a 'Sheesh'.

It did sound dangerous, so I went to a dozen trusted security
sites to see what they recommended, and after seeing each one
say, don't wait, get with it NOW, I acted. And posted here.
I also posted links to a few of the security sites earlier in
this thread, don't trust me, trust the experts on this subject.
E.g., "Trust us," http://isc.sans.org/diary.php?storyid=996

> I recommend installing MSDOS 2.0 before it is too late. Joerg
> still has copies.

:--|}


--
Thanks,
- Win

John Fields

Jan 2, 2006, 10:06:30 AM
On Mon, 02 Jan 2006 13:18:24 +0000, Pooh Bear
<rabbitsfriend...@hotmail.com> wrote:


>Btw - I finally installed Opera as my default browser ( after
>seemingly years of being told by my IT friends that it's the 'dog's
>bollocks' ) because it's unaffected by this issue. I'd recommend it!
>Page rendering is way faster than IE for starters. I don't think
>I'll be going back.

---
I just followed your lead. Nice browser, and since it doesn't have
the security problem, I installed it as default. Thanks for the
tip.


--
John Fields
Professional Circuit Designer

Pooh Bear

Jan 2, 2006, 10:11:49 AM

Winfield Hill wrote:

> Frank Bemelman wrote...


>
> > Now that is worth a 'Sheesh'.
>
> It did sound dangerous, so I went to a dozen trusted security
> sites to see what they recommended, and after seeing each one
> say, don't wait, get with it NOW, I acted. And posted here.
> I also posted links to a few of the security sites earlier in
> this thread, don't trust me, trust the experts on this subject.
> E.g., "Trust us," http://isc.sans.org/diary.php?storyid=996

With something like this is it worth taking a risk ? I think not.

Luckily my fully patched W98SE seems to be unaffected, yet I changed
browser to Opera anyway ( and didn't regret it ! ).

I also found the 'turn off preview pane' option in OE.

Go to View, Layout, and deselect 'Show preview pane'.

That fixes most of it for negligible effort. Give me a reason to *not* do
it if you can !

Graham

Frithiof Andreas Jensen

Jan 2, 2006, 10:15:10 AM

"Winfield Hill" <Winfiel...@newsguy.com> wrote in message
news:dpb1t...@drn.newsguy.com...

> Frank Bemelman wrote...
> >
> > Mike Monett wrote...
> >
> >> This is a very serious problem. Watch the internet melt
> >> tomorrow when everyone comes back from XMas vacation.
> >
> > Hahahahaha.....
>
> Most of us don't visit malicious web pages.

"Knowingly" or maybe "Deliberately" is lacking from that overly confident
assertion. There are relatively trivial and well known ways to send your
legitimate requests to any malicious web pages/content required!!

It is a design feature of IPv4 and also IPv6 that the local network segment
is implicitly trusted - as is DNS - so all it takes is for ONE person on the
same network segment as you to slip up (or for said person feeling the urge
to flash his laptop on a WiFi LAN in the Airport lounge and bringing it
inside the firewall loaded with "freebies").

The odds for that are good since "Most ..." != "All".


Rich Grise

Jan 2, 2006, 10:39:19 AM
On Sun, 01 Jan 2006 16:09:36 -0800, John Larkin wrote:
> On Sun, 01 Jan 2006 16:18:43 -0800, Mike Monett
> <gqtacf...@spammotel.com> wrote:
>
>>To All,
>>
>> Last night, a very dangerous computer worm was released on the
>> internet. It is carried on Windows Metafile images and automatically
>> executes with no user interaction. With Microsoft Explorer or
>> Outlook, you are automatically infected if you receive infected
>> email or view a site with the worm. The problem is Windows WMF files
>> have the capability to execute external code. This is a virus
>> writer's dream. He can do anything he wants.
>>
>
> It took the genius of Bill Gates to design an os that allows worms to
> be resident in viewable images. As I recall, Windows had the same
> problem with true jpeg files once.
>
> "When in doubt, execute it."

I seem to remember, when the internet was still a gleam in everyone's
eyes, a "dream" of all of the computers being able to execute anything,
and everyone sharing everything, and peace and harmony and parallel
processing and all sorts of grand dreams.

Apparently, it turns out, some people with computers are Not Nice.

So we get executable graphics and worms. And executable documents. Sigh.

The solution is so simple apparently Uncle Billy is overlooking it -
somebody should explain to him that under the GNU GPL, he could download
a free Linux kernel, or even a whole distribution, and set his
codemonkeys the task of writing windows-grade installers and drivers
and eye candy, and sell "Microsoft Linux" for whatever the market will
bear.

Totally legally.

Cheers!
Rich

Winfield Hill

Jan 2, 2006, 10:24:05 AM
Frank Bemelman wrote...
>
>> I've finally installed Opera ...

Doesn't matter, it's picture links that get you, and Opera will
show a picture if asked to. Here's what happens, from a post
on Microsoft's Windows XP Security and Administration web page,

Encountered WMF Vulnerability in Windows XP
Sign in with your .NET Passport | Edit my Profile | Help

Jack 12/31/2005 11:36 PM PST

XPHome SP2, fully patched. Opened a picture link, it flashed up my
download manager trying to download the file eid6.wmf, which shut
before I could close it and flashed open the picture and fax viewer
which I closed and disconnected from the internet. The following
new process was running:

"rundll32.exe" C:\WINDOWS\System32\shimgvw.dll,ImageView_Fullscreen
C:\Documents and Settings\%username%\Local Settings\Temporary Internet
Files\Content.IE5\WTABCDEZ\eid6[1].wmf

Closed it and cleaned the IE cache and rebooted and it didn't restart.
Following files were created around this time and may or may not be
related:

C:\WINDOWS\Prefetch\CMD.EXE-034B0549.pf

C:\WINDOWS\Prefetch\FTP.EXE-06C55CF9.pf

C:\WINDOWS\Prefetch\RUNDLL32.EXE-6061F310.pf

C:\WINDOWS\system32\CatRoot2\tmp.edb

I removed the prefetch files, the catroot2 file was in use and could
not be moved and disappeared over a reboot. Then used SR to restore
to a point prior. Doesn't seem as if there is any obvious residual,
but does anyone know anything else I should do or look for. I had
not unregistered shimgvw.dll or applied Ilfak Guilfanov's temp patch:

http://www.grc.com/sn/notes-020.htm


--
Thanks,
- Win

Rich Grise

Jan 2, 2006, 10:43:30 AM
On Mon, 02 Jan 2006 03:40:50 -0800, Mike Monett wrote:

> The IM worm that was released yesterday was "http://[snip]/xmas-2006
> FUNNY.jpg".

Aww, c'mon! Post the whole URL, with warnings, so I can go look at it -
I'm running Linux, so I don't get worms. ;-P

And if a .jpg isn't a real .jpg, I'm sure The Gimp will let me know. :-)

(you can even break it up, so that the dozers can't click on it. I should
be able to reassemble a munged URL. :-) )

Thanks!
Rich

Rich Grise

Jan 2, 2006, 10:55:46 AM

I use Yahoo email, and it has several things - when I open an
email, I see all of the text (and full headers, which is kind
of annoying, but oh well), and links to the attachments. But
it's not links directly to the attachment(s), it's a link
to Yahoo's virus checker, which scans the file and then goes
to another page that says "virus was not detected" and lets
me download the attachment.

And even then, if I had Windows running, I'd hope it would
give me a save/execute/cancel dialog. With Linux, I can open
anything at all - it's _hard_ to get stuff to execute on a Linux
box!

I don't know if this answers your question; as far as previewing
a document, I'm itching to get ahold of one of these .wmf virus
files, and open it with Paint Shop Pro. I seriously doubt if
PSP 4.12 has a facility to execute macros - it can't even animate
an animated .gif.

So, you could download it, or possibly open it online with a
dedicated graphics program, like, e.g. Paint Shop Pro. It's
shareware, so here:
http://www.neodruid.net/psp412.exe
It's self-extracting. Download it, virus scan it, log out and
log in as administrator, run it, log out as administrator and
log back in as yourself, and you'll have Paint Shop Pro 4.12
installed, and can look at practically anything.

Cheers!
Rich


Pooh Bear

Jan 2, 2006, 10:59:07 AM

Rich Grise wrote:

Or they could simply remove the dumbfuck *features* of Windoze !

Graham

Pooh Bear

Jan 2, 2006, 11:03:07 AM

Winfield Hill wrote:

> Frank Bemelman wrote...
> >
> >> I've finally installed Opera ...
>
> Doesn't matter, it's picture links that get you, and Opera will
> show a picture if asked to. Here's what happens, from a post
> on Microsoft's Windows XP Security and Administration web page,

Version 8.51 is supposed to prompt you if it finds a wmf. If you think
you're viewing a pic like a jpg that should be warning enough.

Graham

Rich Webb

Jan 2, 2006, 11:29:10 AM
On 2 Jan 2006 07:24:05 -0800, Winfield Hill
<Winfiel...@newsguy.com> wrote:

>Frank Bemelman wrote...
>>
>>> I've finally installed Opera ...
>
> Doesn't matter, it's picture links that get you, and Opera will
> show a picture if asked to.

Opera can be set to automatically download application/x-msmetafile
and .wmf file types. I've set mine to dump any that it comes across
into c:/null. As nearly as I can tell from testing here with self-made
wmf files, this works correctly as a quarantine measure.

The display of wmf images by Opera can also be affected by whether the
user has installed file viewers beyond the vanilla MS handlers. I use
IrfanView aka IView as a general-purpose viewer and it is the registered
system wmf viewer. I *do not* know whether IView passes wmf images to a
lower-level system DLL for decoding, though.

Quarantine seems to be the safest route. The wmf file types are (were)
very rare either as web images or in e-mail; mostly used to embed
graphic images in Word and such.

--
Rich Webb Norfolk, VA

Frank Bemelman

Jan 2, 2006, 11:37:27 AM
"Pooh Bear" <rabbitsfriend...@hotmail.com> schreef in bericht
news:43B93BB1...@hotmail.com...

> Frank Bemelman wrote:
> > If you don't mind, I'll wait until a small portion of the internet
> > melts...
>
> If someone told you a flood was coming would you wait til it was half way
> up the walls of your house before acting ?

I probably would, yes.

Pooh Bear

Jan 2, 2006, 11:44:21 AM

Rich Grise wrote:

> I'm itching to get ahold of one of these .wmf virus
> files, and open it with Paint Shop Pro. I seriously doubt if
> PSP 4.12 has a facility to execute macros - it can't even animate
> an animated .gif.

Try any of the following.....

toolbarbiz[dot]biz
toolbarsite[dot]biz
toolbartraff[dot]biz
toolbarurl[dot]biz
buytoolbar[dot]biz
buytraff[dot]biz
iframebiz[dot]biz
iframecash[dot]biz
iframesite[dot]biz
iframetraff[dot]biz
iframeurl[dot]biz

Graham

Dirk Bruere at Neopax

Jan 2, 2006, 11:53:36 AM
Rich Webb wrote:

What about Mozilla, which I use? Same problem with that?
Also, under tools/folder options/file types in XP I don't see the .wmf listed?


--
Dirk

The Consensus:-
The political party for the new millennium
http://www.theconsensus.org

Terry Pinnell

Jan 2, 2006, 11:55:06 AM
Mike Monett <gqtacf...@spammotel.com> wrote:

>Mike Monett wrote:
>>
>> To All,
>>
>> Last night, a very dangerous computer worm was released on the
>> internet. It is carried on Windows Metafile images and automatically
>> executes with no user interaction. With Microsoft Explorer or
>> Outlook, you are automatically infected if you receive infected
>> email or view a site with the worm. The problem is Windows WMF files
>> have the capability to execute external code. This is a virus
>> writer's dream. He can do anything he wants.
>

>[...]
>
>Update: Opera is not vulnerable. You have to work hard to get infected.
>
>Here is more information from Rijk van Geijtenbeek in the opera.general
>newsgroup:
>
> "Opera cannot display WMF files natively, so it is not vulnerable
> in itself. With the default configuration Opera opens the download
> dialog for such files. If you click 'Open' and the default handler
> is the 'MS Picture and fax viewer', you can apparently be infected
> by malicious WMF files. So treat WMF files with the same caution
> as EXE and BAT etc files, I'd say. And don't change Opera's
> settings to directly open such files..."
>
>Go Opera! Beats the pants off MSIE and Firefox.
>
>Mike Monett

Had several other similar alerts, and it clearly needs taking very
seriously.

On mine and my wife's PC (both XP Home) I've taken the basic steps
recommended in several places:

1. Run | regsvr32 /u shimgvw.dll to disable shimgvw.dll


2. Install the temporary patch wmffix_hexblog13.exe from
http://blogs.washingtonpost.com/securityfix/

...and rebooted.

One possible downside of the first is that it seems to prevent my
viewing photos (JPGs) in Thumbnail mode. I have re-instated it with
Run | regsvr32 shimgvw.dll
and immediately got thumbnails back. Anyone else able to confirm this
please?

There is also a Vulnerability Checker wmf_checker_hexblog.exe
available here:
http://www.hexblog.com/2006/01/wmf_vulnerability_checker.html#more

--
Terry Pinnell
Hobbyist, West Sussex, UK


Frank Bemelman

Jan 2, 2006, 12:01:34 PM
"Winfield Hill" <Winfiel...@newsguy.com> schreef in bericht
news:dpbe6...@drn.newsguy.com...

>
> It did sound dangerous, so I went to a dozen trusted security
> sites to see what they recommended, and after seeing each one
> say, don't wait, get with it NOW, I acted. And posted here.
> I also posted links to a few of the security sites earlier in
> this thread, don't trust me, trust the experts on this subject.
> E.g., "Trust us," http://isc.sans.org/diary.php?storyid=996

Yes, thanks. McAfee rates the risk as "low", both for the
home users and for the corporate users:

http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=137760

Symantec does not even bother to mention it.

I hereby cancel my earlier advice to install MSDOS 2.0.

Roger Johansson

Jan 2, 2006, 12:03:49 PM

Mike Monett wrote:

> The IM worm that was released yesterday was "http://[snip]/xmas-2006
> FUNNY.jpg".
>

> So we can't tell if an image file is safe by looking at the extension.
>
> Pure chaos.

It should be illegal to use false extensions, but it happens all the
time.

The browser doesn't care about extensions, it reads a file header which
tells it what kind of file it is. When Opera sees a wmf file it asks
the user what to do, download it, show it with windows built-in system
(dangerous), or ignore it. Opera does not execute/open it unless
specifically told so. Opera is not fooled by extensions because it
ignores them and trusts the file header, which says it is a wmf file.

Use a partition saving program, like norton ghost or the freeware
"Partition Saving"
http://damien.guibouret.free.fr/

Make a disk image of the C: partition, so you can restore your
operating system in the shape it had a month ago. Don't store data on
C:, only the operating system and the few programs that need to be
installed in windows. Keep all data on other partitions and back them
up.
I have two physical hard disks, and often make backups of the important
folder systems on the second hd. Once a year I burn the most important
data to CD.

Then you don't have to worry much about viruses. Whatever happens you
can quickly restore your system. I don't waste processor power on
antivirus programs running in the background, I know I can get my
system up and running again no matter if it is a virus or a technical
fault.

I also use this disk imaging software because I install a lot of
programs and try them, so it is good to be able to return to a clean
and fast system.

Opera is definitely the best browser, and it is so customizable that
you can set it up exactly as you like it. Download and install a bunch
of skins, so you can switch quickly between them.


--
Roger J.

John Larkin

Jan 2, 2006, 12:06:24 PM
On Mon, 02 Jan 2006 03:40:50 -0800, Mike Monett
<gqtacf...@spammotel.com> wrote:

>John Larkin wrote:
>
>[...]


>
>> It took the genius of Bill Gates to design an os that allows worms to
>> be resident in viewable images. As I recall, Windows had the same
>> problem with true jpeg files once.
>>
>> "When in doubt, execute it."
>>

>> John
>
> According to the CERT advisory, a wmf file can have many extensions:
>
> ------------------------------------------------------------------
>
> "Please note that Windows Metafile data may be saved with an
> extension other than WMF. A file with any extension that is
> associated with Windows Picture and Fax Viewer can be used to
> exploit this vulnerability. By default, Windows Picture and Fax
> Viewer is associated with the following file extensions:"
>
> "BMP DIB GIF EMF JFIF JPE JPEG JPG PNG TIF TIFF WMF"
>
> http://www.kb.cert.org/vuls/id/181038
>
> ------------------------------------------------------------------


>
> The IM worm that was released yesterday was "http://[snip]/xmas-2006
> FUNNY.jpg".
>
> So we can't tell if an image file is safe by looking at the extension.
>
> Pure chaos.
>

>Mike Monett

Isn't that astounding? Microsoft doesn't even respect filename
extensions. They deliberately take advantage of every opportunity to
be insecure.

Pure crap.

John

Frank Bemelman

Jan 2, 2006, 12:08:47 PM
"Terry Pinnell" <terrypi...@THESEdial.pipex.com> schreef in bericht
news:s4mir19tpg42cgckk...@4ax.com...

> Had several other similar alerts, and it clearly needs taking very
> seriously.

Since when do we need to take "low" risks very seriously?

McAfee says:

Risk Assessment
- Home Users: Low
- Corporate Users: Low

http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=137760

John Larkin

Jan 2, 2006, 12:13:16 PM

I have IBM's Dos2000.

John

Dirk Bruere at Neopax

Jan 2, 2006, 12:32:24 PM
Frank Bemelman wrote:
> "Terry Pinnell" <terrypi...@THESEdial.pipex.com> schreef in bericht
> news:s4mir19tpg42cgckk...@4ax.com...
>
>
>>Had several other similar alerts, and it clearly needs taking very
>>seriously.
>
>
> Since when do we need to take "low" risks very seriously?
>
> McAfee says:
>
> Risk Assessment
> - Home Users: Low
> - Corporate Users: Low
>
> http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=137760
>

I assume that doesn't include users who browse Russian porn sites? :-)
BTW, are there any examples of this being used anywhere, yet?

Rich Webb

Jan 2, 2006, 12:47:36 PM
On Mon, 02 Jan 2006 16:53:36 +0000, Dirk Bruere at Neopax
<dirk....@gmail.com> wrote:

[snip...snip...]


>What about Mozilla, which I use? Same problem with that?
>Also, under tools/folder options/file types in XP I don't see the .wmf listed?

IIRC, Firefox is set by default to use the Windows Media Player for wmf
files. Since WMP doesn't understand wmf, it fails without executing the
malware. An example of a teeny bug that turns out to be favorable. The
full-up Mozilla may work similarly.

However, the attack file is still possibly in the browser cache and, as
with the quarantine route mentioned above, if there's a background
indexing program that "touches" the file (either in cache or quarantine)
then the payload may be executed. I don't run any indexers and set up
the auto-download to quarantine just to see whether anything is caught.

To be safe, I'd recommend installing the hotpatch by Ilfak Guilfanov,
discussed at http://isc.sans.org, until MS gets their stuff together and
releases an official fix.

Rich Grise

Jan 2, 2006, 12:49:33 PM

Problem with that is, that if they removed all of the 'dumbfuck "features"',
there wouldn't be any Windoze left! ;-P

Cheers!
Rich
Maybe we should go back to CP/M! ;-D


Rich Grise

Jan 2, 2006, 12:53:42 PM

The whole thing could probably be nipped in the bud, and most viruses,
worms, and such, if people could be taught to not do their day-to-day
stuff while logged in as administrator, but to create user accounts
that don't have permission to install executable programs, and especially
that don't have permission to overwrite system files.

Or, run Linux. :-)

Cheers!
Rich


Rich Grise, but drunk

Jan 2, 2006, 12:54:57 PM
On Mon, 02 Jan 2006 14:41:53 +0000, Pooh Bear wrote:
> Frank Bemelman wrote:

>> If you don't mind, I'll wait until a small portion of the internet
>> melts...
>
> If someone told you a flood was coming would you wait til it was half
> way up the walls of your house before acting ?
>

> Graham

I probably wouldn't care - My RV would probably float. ;-P

Cheers!
Rich

Rich Grise, but drunk

Jan 2, 2006, 1:03:50 PM
On Mon, 02 Jan 2006 16:44:21 +0000, Pooh Bear wrote:
> Rich Grise wrote:
>
>> I'm itching to get ahold of one of these .wmf virus
>> files, and open it with Paint Shop Pro. I seriously doubt if
>> PSP 4.12 has a facility to execute macros - it can't even animate
>> an animated .gif.
>
> Try any of the following.....
>
> toolbarbiz[dot]biz
An error occurred while loading http://toolbarbiz.biz:
Unknown host toolbarbiz.biz

> toolbarsite[dot]biz
An error occurred while loading http://toolbarsite.biz:
Unknown host toolbarsite.biz

> toolbartraff[dot]biz
An error occurred while loading http://toolbartraff.biz:
Unknown host toolbartraff.biz

At this point, I gave up.

Thanks anyway!
Rich

Pooh Bear

Jan 2, 2006, 1:08:18 PM

Rich Grise wrote:

> Maybe we should go back to CP/M! ;-D

I still write PL/M code.

Graham


Pooh Bear

Jan 2, 2006, 1:12:41 PM

Dirk Bruere at Neopax wrote:

> are there any examples of this being used anywhere, yet?

" Some clown is spamming out "Happy New Year" emails which will infect Windows
machines very easily. These emails contain a new version of the WMF exploit,
which doesn't seem to be related to the two earlier Metasploit WMF exploits
we've seen.

The emails have a Subject: "Happy New Year", body: "picture of 2006" and
contain an exploit WMF as an attachment, named "HappyNewYear.jpg" (MD5:
DBB27F839C8491E57EBCC9445BABB755). We detect this as PFV-Exploit.D.

When the HappyNewYear.jpg hits the hard drive and is accessed (file opened,
folder viewed, file indexed by Google Desktop), it executes and downloads a
Bifrose backdoor (detected by us as Backdoor.Win32.Bifrose.kt) from
www[dot]ritztours.com. Admins, filter this domain at your firewalls.

It's going to get worse."

http://www.f-secure.com/weblog/

Graham

John Larkin

Jan 2, 2006, 1:54:53 PM


A wmf file can be renamed by the exploiter to .jpg, .gif, .bmp,
anything. Windows, stupid and voracious as it is, can be fed
"file.jpg" but will execute it as a wmf. So just dumping wmf files
isn't good enough. Such a file can merely be *in a folder*, not even
opened, and do its thing.

Install the patch!

Oh, I looked all over the Microsoft security site and can find no
mention of this exploit. How come some freelance blogger can write a
fix in hours, and Microsoft stays silent?

John

Winfield Hill

Jan 2, 2006, 2:42:31 PM
Pooh Bear wrote...
>
> When the HappyNewYear.jpg hits the hard drive ...

This is a .jpg or an .wmf masquerading as a .jpg?
I didn't know .jpgs could carry executable payloads!
And if it's an wmf file, how come a jpg viewer works
with it at all? Sheesh!!


--
Thanks,
- Win

Winfield Hill

Jan 2, 2006, 3:14:35 PM
John Larkin wrote...

>
> Oh, I looked all over the Microsoft security site and can find
> no mention of this exploit. How come some freelance blogger can
> write a fix in hours, and Microsoft stays silent?

I posted from a thread on a MS user board, but a half-week
into the exploit loose in the wild, MS is staying quiet.

Damn, I thought we were safe if the image file had a jpg
or gif extension. Sheesh!

I hate class-action lawsuits, but damn it, we need to hold
Microsoft's hand over the flames. The 0.5 to 1B settlements
they've been making every few months lately for their illegal
unfair competition, etc., have not had any noticeable effect
on how they compete, nor on their lack of frank communication
with their users. They continue as if nothing was happening.


--
Thanks,
- Win

Ian Stirling

Jan 2, 2006, 3:31:19 PM

In 1997 (IIRC) I mentioned in a post the possibility of a buffer
overflow in a properly malformed jpeg causing code to be executed. IIRC,
though, that was last week's bug.
This one is due to the fact that the file viewer does not only do one
file type, but many.
The viewer does not assume that the file extension correctly reflects
the filetype, and looks inside the file to determine what it is.
Thus, if you have an application that deals with .jpg, .gif, .wmv, then
you save a .wmf as .jpg, it'll be opened by the application, and it'll
determine that it's really a .wmf, and deal with it that way.
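The point made in this post, and earlier by Roger Johansson (Opera "trusts the file header" rather than the extension) and John Larkin ("file.jpg" is still handled as a WMF), can be shown with a small content sniffer. The following is an added example, not code from anyone in this thread or from any vendor: it identifies a WMF by its header bytes regardless of the name it was given, walks the record stream, and flags the META_ESCAPE record carrying the SetAbortProc sub-function, which is the record the January 2006 exploits used to make GDI call code carried in the metafile. The WMF constants are from the metafile format itself; the sample files at the bottom are constructed for the example and are not real malware. A check like this is useful for triaging a browser cache or a quarantine directory such as the one Rich Webb describes; it is not a substitute for the patch that the thread recommends.

```python
"""Sniff Windows Metafile (WMF) content by header rather than by file extension.

Added example for this thread (not code from any poster or vendor).  Format
constants are from the WMF file format; the sample files at the bottom are
constructed here and are not real malware.
"""
import struct

PLACEABLE_KEY = 0x9AC6CDD7      # on disk as bytes D7 CD C6 9A (Aldus placeable header)
PLACEABLE_HEADER_LEN = 22
STANDARD_HEADER_LEN = 18
META_EOF = 0x0000
META_ESCAPE = 0x0626
SETABORTPROC = 9                # Escape() sub-function that registers a callback


def wmf_header_offset(data):
    """Return the offset of the standard WMF header, or None if this is not a WMF."""
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = PLACEABLE_HEADER_LEN
    if len(data) < off + STANDARD_HEADER_LEN:
        return None
    mt_type, hdr_words, version = struct.unpack_from("<HHH", data, off)
    # mtType 1 = memory, 2 = disk; the header is always 9 words; version 1.x or 3.x
    if mt_type not in (1, 2) or hdr_words != 9 or version not in (0x0100, 0x0300):
        return None
    return off


def iter_records(data, off):
    """Yield (function, parameter bytes) per record, stopping at EOF or truncation."""
    pos = off + STANDARD_HEADER_LEN
    while pos + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, pos)
        if size_words < 3:          # a record can never be shorter than its own header
            return
        yield func, data[pos + 6 : pos + size_words * 2]
        if func == META_EOF:
            return
        pos += size_words * 2


def escape_codes(data, off):
    """Escape sub-function codes in the record stream (first WORD of ESCAPE params)."""
    return [struct.unpack_from("<H", params, 0)[0]
            for func, params in iter_records(data, off)
            if func == META_ESCAPE and len(params) >= 2]


def classify(data):
    """'not-wmf', 'wmf' or 'wmf-setabortproc' for a file's bytes, whatever its name."""
    off = wmf_header_offset(data)
    if off is None:
        return "not-wmf"
    if SETABORTPROC in escape_codes(data, off):
        return "wmf-setabortproc"
    return "wmf"


def triage(files):
    """Map name -> verdict; the name is reported but never consulted."""
    return {name: classify(data) for name, data in files.items()}


# --- constructed samples (not real files) -----------------------------------
def build_wmf(records, placeable=False):
    body = b"".join(records)
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300,
                         (STANDARD_HEADER_LEN + len(body)) // 2,   # mtSize in words
                         0, max(len(r) for r in records) // 2, 0)
    prefix = b""
    if placeable:   # key, handle, bbox (4), inch, reserved, checksum (left 0 here)
        prefix = struct.pack("<IHhhhhHIH", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0, 0)
    return prefix + header + body


def escape_record(code, payload):
    params = struct.pack("<HH", code, len(payload)) + payload
    if len(params) % 2:
        params += b"\x00"           # records are word-aligned
    return struct.pack("<IH", (6 + len(params)) // 2, META_ESCAPE) + params


EOF_RECORD = struct.pack("<IH", 3, META_EOF)

SAMPLES = {
    "photo.jpg":     b"\xff\xd8\xff\xe0" + b"\x00" * 20,          # JPEG-like header
    "clipart.wmf":   build_wmf([EOF_RECORD]),                      # harmless, empty WMF
    "renamed.jpg":   build_wmf([escape_record(SETABORTPROC, b"\x00" * 4), EOF_RECORD]),
    "placeable.gif": build_wmf([escape_record(SETABORTPROC, b"\x00" * 4), EOF_RECORD],
                               placeable=True),
}

if __name__ == "__main__":
    for name, verdict in triage(SAMPLES).items():
        print(f"{name:15s} {verdict}")
```

Running it reports `photo.jpg` as not a metafile, `clipart.wmf` as a plain WMF, and both `renamed.jpg` and `placeable.gif` as WMFs carrying a SetAbortProc escape, which is exactly the case the thread is worried about: the extension said "picture", the bytes said "metafile with a callback". The record walker stops cleanly on truncated input, so a partially downloaded file in a cache is still classified from whatever records are present.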

Phil Hobbs

Jan 2, 2006, 3:44:37 PM
Winfield Hill wrote:
> Pooh Bear wrote...
>
>>John Devereux wrote:
>>
>>
>>>I would rather suggest using another browser (I use firefox), at least
>>>for your general use. It has been months since I had to fire up IE,
>>>and then it was just to check if some web site malfunction was browser
>>>related or not.
>>
>>This event motivated me to finally get round to installing the Opera
>>browser www.opera.com . It's good. Page rendering is especially fast. I
>>don't think I'll be going back.
>
>
> The experts say it really doesn't matter what browser you're
> using, you're vulnerable if Windows is asked to open a WMF file,
> via any pathway. This one is said to be EXTREMELY DANGEROUS,
> read http://isc.sans.org/diary.php?storyid=996 or 1/3 the way
> down the Internet Storm Center page here, http://isc.sans.org/
>
>


Yeah, using OS/2 I can go anywhere and do anything, like Conan the Barbarian.
If I weren't a middle aged married guy with kids in college I might get
dangerously excited....

Cheers,

Phil Hobbs

Pooh Bear

Jan 2, 2006, 3:45:37 PM

Winfield Hill wrote:

> Pooh Bear wrote...
> >
> > When the HappyNewYear.jpg hits the hard drive ...
>
> This is a .jpg or an .wmf masquerading as a .jpg?

A wmf renamed as a jpg .

> I didn't know .jpgs could carry executable payloads!
> And if it's an wmf file, how come a jpg viewer works
> with it at all?

That's Microsoft for you ! The application doesn't check that the file
is what it claims to be.

> Sheesh!!

Quite !

Graham

JeffM

Jan 2, 2006, 3:55:19 PM
>This...motivated me to...[install]...www.opera.com .
> Graham (Pooh Bear)

Some folks may still think that Opera is adware/payware.
Since September 2005 it has been freeware.
The screen-area-using, bandwidth-wasting ad frame
that used to be in the non-payware version is gone.

JeffM

Jan 2, 2006, 4:00:24 PM
>>Most of us don't visit malicious web pages.
>> Winfield Hill
>
>It might only takes an external graphics ad
>on an otherwise "respectable" site.
> John Devereux

Google's text-only ads look better and better every day.

JeffM

Jan 2, 2006, 4:13:57 PM
>I would rather suggest using another browser (I use firefox),
>at least for your general use.
>It has been months since I had to fire up IE,
>and then it was just to check if some web site malfunction
>was browser-related or not.
> John Devereux

I usually feed the URL into the HTML Validator Service
offered by the folks who maintain the HTML standard:
http://validator.w3.org
.
It's a pretty good indicator that a page was "validated" with M$IE.
http://validator.w3.org/check?uri=http://castlecops.com/StartupList.html
.
IE Shines On Broken Code
http://66.102.7.104/search?q=cache:MPS64sO97MsJ:slashdot.org/article.sid=04/10/19/0236213%26threshold=5%26mode=nested+IE-Shines-On-Broken-Code+IE-was-dynamically-rewriting-my-JavaScript-replacing-the-incorrect-delimiters-with-the-correct-ones
.
OTOH, this page scans just fine, but caused Mozilla to choke:
http://validator.w3.org/check?uri=http://www.opera.com/

Bob Monsen

Jan 2, 2006, 4:40:03 PM
On Mon, 02 Jan 2006 15:43:30 +0000, Rich Grise wrote:

> On Mon, 02 Jan 2006 03:40:50 -0800, Mike Monett wrote:
>
>> The IM worm that was released yesterday was "http://[snip]/xmas-2006
>> FUNNY.jpg".
>

> Aww, c'mon! Post the whole URL, with warnings, so I can go look at it -
> I'm running Linux, so I don't get worms. ;-P
>

Nautilus whines if you try to open a WMF which has the wrong extension. It
only lets you do it by selecting the application, and the warning
indicates that the file can do damage.

I wouldn't trust linux to protect you on this one, particularly if you
like to run as root.

--
Regards,
Bob Monsen

"Physiological experiment on animals is justifiable for real
investigation, but not for mere damnable and detestable curiosity."
-- Charles Darwin

John Devereux

Jan 2, 2006, 4:58:41 PM
"JeffM" <jef...@email.com> writes:

Looked ok to me (on firefox 1.5).

It has just occurred to me that google could do the world a
service by "marking down" pages that fail these tests!


--

John Devereux

Frank Bemelman

Jan 2, 2006, 5:00:36 PM
"Winfield Hill" <Winfiel...@newsguy.com> schreef in bericht
news:dpc1j...@drn.newsguy.com...

> John Larkin wrote...
> >
> > Oh, I looked all over the Microsoft security site and can find
> > no mention of this exploit. How come some freelance blogger can
> > write a fix in hours, and Microsoft stays silent?
>
> I posted from a thread on a MS user board, but a half-week
> into the exploit loose in the wild, MS is staying quiet.

Quiet?

http://www.microsoft.com/technet/security/advisory/912840.mspx

> Damn, I thought we were safe if the image file had a jpg
> or gif extension. Sheesh!

C'mon, you're safe as ever and you're devaluing the word 'sheesh'
if you use it too often and without reason. McAfee says "low risk".
Trend Micro Antivirus says "low risk". Ha, Kaspersky says "moderate
risk". Now make that backup and complain no more. If you want
something to worry about, there's always GWB and idiots like JT.

> I hate class-action lawsuits, but damn it, we need to hold
> Microsoft's hand over the flames. The 0.5 to 1B settlements
> they've been making every few months lately for their illegal
> unfair competition, etc., have not had any noticable effect
> on how they compete, nor on their lack of frank communication
> with their users. They continue as if nothing was happening.

Ah, that's where the shoe hurts. Fair enough ;)

Winfield Hill

Jan 2, 2006, 6:15:57 PM
Frank Bemelman wrote...
>
> Winfield Hill schreef in bericht

> news:dpc1j...@drn.newsguy.com...
>> John Larkin wrote...
>>>
>>> Oh, I looked all over the Microsoft security site and can find
>>> no mention of this exploit. How come some freelance blogger can
>>> write a fix in hours, and Microsoft stays silent?
>>
>> I posted from a thread on a MS user board, but a half-week
>> into the exploit loose in the wild, MS is staying quiet.
>
> Quiet?
> http://www.microsoft.com/technet/security/advisory/912840.mspx

I stand corrected, and may I say I'm glad to be in this case.
Good find, John and I both searched and couldn't find anything.
I searched on the terms "WMF" and "exploit" and the MS search
engine responded there was nothing, despite those two terms
appearing in the first paragraph of your link. My fault: I
should have used Google to search Microsoft's site.

>> Damn, I thought we were safe if the image file had a jpg
>> or gif extension. Sheesh!
>
> C'mon, you're safe as ever and you're devaluing the word 'sheesh'
> if you use it too often and without reason. McAfee says "low risk".
> Trend Micro Antivirus says "low risk". Ha, Kaspersky says "moderate
> risk". Now make that backup and complain no more. If you want
> something to worry about, there's always GWB and idiots like JT.

I think those sites are wrong, because there's a high motivation
for bad sites to use the exploit, given its easy use, which is
well understood by now, and its very powerful results. The email
delivery path is exceedingly dangerous to anyone who doesn't have
an appropriate browser with image display turned off. For example,
my wife is OK, just barely because I rebuilt her machine over the
holidays, but her sister, brother and mother are not. They erase
their spam by first inspecting it. Her sister now uses G-mail, so
she may be OK, if Google is on top of things. But my mother-in-law
uses an old version of I.E. Damn. There's no way I can fix that
for her -- she's in FL. I should have worked on it last October.

We can't count on Norton AV, they haven't updated their definitions
since Dec 30th (more than 48 hours), and they completely failed to
stop the exploit test when I tried it yesterday, before installing
Ilfak Guilfanov's patch. So I think these AV companies are off the
mark: right now they aren't doing anything about a dangerous active
exploit, so they say, hey, don't worry! Sheesh!


--
Thanks,
- Win

qrk

Jan 2, 2006, 7:15:07 PM
On Mon, 2 Jan 2006 18:08:47 +0100, "Frank Bemelman"
<f.bem...@xs4all.invalid.nl> wrote:

>"Terry Pinnell" <terrypi...@THESEdial.pipex.com> schreef in bericht
>news:s4mir19tpg42cgckk...@4ax.com...
>
>> Had several other similar alerts, and it clearly needs taking very
>> seriously.
>
>Since when do we need to take "low" risks very seriously?
>
>McAfee says:
>
>Risk Assessment
> - Home Users: Low
> - Corporate Users: Low
>
>http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=137760

Kaspersky Labs has the opposite risk rating, calling it "extremely
critical". I have found that McAfee generally underrates virus risks at
the onset. They will probably change their rating by mid week when
people go back to work.
http://www.viruslist.com/en/alerts?alertid=176701669

---
Mark

Jeff L

Jan 2, 2006, 9:12:34 PM
I keep looking at OS/2 / ecomstation, as it looks like a excellent,
extremely stable, properly built OS, however spending about $320 CND on an
OS that does not support a lot of the programs I need seems excessive.

The common stuff like browsing, email (newsgroups?), pdf's, media, etc seems
to be well taken care of, although OOO office has it's good and bad points.

The real problems arise with stuff like an Assembler for Atmel AVR's, C
compilers for embedded processors, Gerber viewers, PCB Layout, typical
design tools etc. Drivers can be a issue too.

As an OS/2 user do you have many workarounds for these problems?

I should buy a copy one of these days to try it out, and at least support
decent software. I really am getting sick of MS's buggy bloatware that
forces you to upgrade every so often due to compatibility issues, forcing
the hardware to be updated with it, nasty marketing schemes, security
issues, viruses, rights issues, proprietary formats that keep changing, its
phoning home capabilities and why, its annoying "try to do everything for
you" and animations in XP, etc, etc. Maybe eCS will be my OS of choice once
win 2K is no longer useful.

"Phil Hobbs" <pcdhSpamM...@us.ibm.com> wrote in message
news:43B990B5...@us.ibm.com...

Phil Hobbs

unread,
Jan 2, 2006, 10:28:12 PM1/2/06
to
Well, you have to factor in all the stuff you don't need, like Norton
AV, spyware removers, and so on....not to mention Office. My laptop has
3 OSes on it: XP, Fedora Core 4, and OS/2 4.52 plus many fixes (I work
for IBM, but even round there I'm considered a diehard [read, loonie]).

If you need to run all the latest Windows things, you're going to need
Windows. If there are other methods, e.g. open source SW, you can
usually use Linux or OS/2.

Cheers,

Phil Hobbs

Terry Pinnell

unread,
Jan 3, 2006, 2:36:15 AM1/3/06
to
"JeffM" <jef...@email.com> wrote:

That opened fine here in FF 1.5.

--
Terry Pinnell
Hobbyist, West Sussex, UK

Terry Pinnell

unread,
Jan 3, 2006, 2:45:51 AM1/3/06
to
Terry Pinnell <terrypi...@THESEdial.pipex.com> wrote:

>Had several other similar alerts, and it clearly needs taking very
>seriously.
>

>On mine and my wife's PC (both XP Home) I've taken the basic steps
>recommended in several places:
>
>1. Run | regsvr32 /u shimgvw.dll to disable shimgvw.dll
>
>
>2. Install the temporary patch wmffix_hexblog13.exe from
>http://blogs.washingtonpost.com/securityfix/
>
>...and rebooted.
>
>One possible downside of the first is that it seems to prevent my
>viewing photos (JPGs) in Thumbnail mode. I have re-instated it with
>Run | regsvr32 shimgvw.dll
>and immediately got thumbnails back. Anyone else able to confirm this
>please?

Anyone? With shimgvw.dll unregistered, if you open a My Computer or
Explorer folder containing JPGs and view it in Thumbnail View, do you
get proper thumbnails? Or just the large icon of whatever image
viewing program you have associated with JPGs? The latter applies
here, and also just had same result on my wife's PC.

>There is also a Vulnerability Checker wmf_checker_hexblog.exe
>available here:
>http://www.hexblog.com/2006/01/wmf_vulnerability_checker.html#more

Frank Bemelman

unread,
Jan 3, 2006, 4:13:37 AM1/3/06
to
"qrk" <Spam...@spam.net> schreef in bericht
news:u6gjr15drhhcpl344...@4ax.com...

No, Kaspersky rates it as "moderate risk":
http://www.viruslist.com/en/alerts?alertid=176701669

And:
"The vulnerability itself is regarded as extremely critical
(the highest possible rating). As yet, there is no patch
for this vulnerability."

Which is a different thing. The bare fact that people can download
and install software can be seen as a vulnerability too, and there
is nothing more critical than that. Hey, they can even remove software
from their PC's, deleting entire folders. Another 'vulnerability'.

I dare say that last night more PC's were damaged accidentally by
deleting folders, than by this entire WMF thing.

David Brown

unread,
Jan 3, 2006, 4:44:44 AM1/3/06
to
Bob Monsen wrote:
> On Mon, 02 Jan 2006 15:43:30 +0000, Rich Grise wrote:
>
>> On Mon, 02 Jan 2006 03:40:50 -0800, Mike Monett wrote:
>>
>>> The IM worm that was released yesterday was "http://[snip]/xmas-2006
>>> FUNNY.jpg".
>> Aww, c'mon! Post the whole URL, with warnings, so I can go look at it -
>> I'm running Linux, so I don't get worms. ;-P
>>
>
> Nautilus whines if you try to open a WMF which has the wrong extension. It
> only lets you do it by selecting the application, and the warning
> indicates that the file can do damage.
>
> I wouldn't trust linux to protect you on on this one, particularly if you
> like to run as root.
>

Why would a linux viewer run windows-specific code added to allow the
cancelling of print jobs in windows 3.x ? I would expect most viewers
to completely ignore the SetAbort commands, or at worst complain about
the file.

And why would someone running linux run as root?

Deefoo

unread,
Jan 3, 2006, 7:23:34 AM1/3/06
to

"Jeff L" <levy...@hotmail.com> wrote in message
news:m4luf.148901$Ph4.4...@ursa-nb00s0.nbnet.nb.ca...

> I keep looking at OS/2 / ecomstation, as it looks like a excellent,
> extremely stable, properly built OS, however spending about $320 CND on an
> OS that does not support a lot of the programs I need seems excessive.
>
> The common stuff like browsing, email (newsgroups?), pdf's, media, etc
> seems to be well taken care of, although OOO office has it's good and bad
> points.
>
> The real problems arise with stuff like an Assembler for Atmel AVR's, C
> compilers for embedded processors, Gerber viewers, PCB Layout, typical
> design tools etc. Drivers can be a issue too.
>
> As an OS/2 user do you have many workarounds for these problems?
>
> I should buy a copy one of these days to try it out, and at least support
> decent software. I really am getting sick of MS's buggy bloatware that
> forces you to upgrade every so often due to compatibility issues, forcing
> the hardware to be updated with it, nasty marketing schemes, security
> issues, viruses, rights issues, proprietary formats that keep changing,
> it's phoning home capabilities and why, it's annoying "try to do everything for
> you" and animations in XP, etc, etc. Maybe eCS will be my OS of choice
> once win 2K is no longer useful.

I just ported Orcad to my cell phone ;-)

--DF


Winfield Hill

unread,
Jan 3, 2006, 7:21:27 AM1/3/06
to
Winfield Hill wrote...

>
> We can't count on Norton AV, they haven't updated their definitions
> since Dec 30th (more than 48 hours), and they completely failed to
> stop the exploit test when I tried it yesterday, before installing
> Ilfak Guilfanov's patch.

Still true today, it's now nearly 96 hours since their last update.


--
Thanks,
- Win

Frank Bemelman

unread,
Jan 3, 2006, 9:16:36 AM1/3/06
to
"Winfield Hill" <Winfiel...@newsguy.com> schreef in bericht
news:dpdq8...@drn.newsguy.com...

The experts at Norton don't panic, you mean ;) What did you expect?

Sheesh! Hahaha, unbelievable.

The internet is going to melt, hahahaha....

What a brilliant joke.

Terry Pinnell

unread,
Jan 3, 2006, 9:48:46 AM1/3/06
to
Terry Pinnell <terrypi...@THESEdial.pipex.com> wrote:

OK, sorted. I have reliable confirmation elsewhere that loss of
thumbnails *is* a consequence.

Dirk Bruere at Neopax

unread,
Jan 3, 2006, 11:38:20 AM1/3/06
to
JeffM wrote:

Which is one reason I don't worry too much about email.
However, suppose someone posted a malware .wmf here, on SED?

--
Dirk

The Consensus:-
The political party for the new millennium
http://www.theconsensus.org

Rich Grise, but drunk

unread,
Jan 3, 2006, 2:13:19 PM1/3/06
to
On Mon, 02 Jan 2006 13:40:03 -0800, Bob Monsen wrote:
> On Mon, 02 Jan 2006 15:43:30 +0000, Rich Grise wrote:
>> On Mon, 02 Jan 2006 03:40:50 -0800, Mike Monett wrote:
>>
>>> The IM worm that was released yesterday was "http://[snip]/xmas-2006
>>> FUNNY.jpg".
>>
>> Aww, c'mon! Post the whole URL, with warnings, so I can go look at it -
>> I'm running Linux, so I don't get worms. ;-P
>
> Nautilus whines if you try to open a WMF which has the wrong extension. It
> only lets you do it by selecting the application, and the warning
> indicates that the file can do damage.
>
> I wouldn't trust linux to protect you on on this one, particularly if you
> like to run as root.

Actually, I think one of the major problems with Windoze is that they
don't tell their customers _not_ to run as "ADMINISTRATOR". I know not to
run as root, but take a moment to consider - even if I did decide to
download a wmf file, and it had executable code, that code would only
execute on a Windoze box. In the first place, it doesn't have execute
permission. In the second place, it was written to interface to Windoze,
so its first system call would give a segment violation, and Linux would
let you know, and quietly shut it down and unload it from memory. (well,
'free()' the memory.) In the third place, even if it got through all of
those hoops, it wouldn't have write permission on system files, so it
wouldn't be able to do anything malicious even if it _could_ execute on a
Linux box.

So, of course, I stand behind my assertion that Bill Gates should clue
up, download a Linux, have his codemonkeys port the eye candy, drivers,
and easy install scripts (but smarten them up a bit - I'm available for
that task, BTW), and sell it as ***Microsoft Linux***! It's totally
legal! If I had his resources, I'd do it myself!

As it is, the best we can do today is support, for example, Patrick
Volkerding, who put together the Slackware distribution. It was my
first Linux, back in the late 1990's, and I picked it because of the
name. http://www.slackware.com . I don't work for him or anything, I'm
just a satisfied customer. :-)

There's only about two things I still need windows for, and I'm kind of
working on narrowing that down if I can. ;-)

Cheers!
Rich


Bob Monsen

unread,
Jan 3, 2006, 6:25:09 PM1/3/06
to

Who knows what evil lurks in the hearts of men? I pointed out that gnome's
nautilus file browser whines about these files, so it may actually be
possible for them to do some damage. The warning claims they can damage
your computer... However, I don't know the details. It would be nice to
trust linux, but you never know what is going to turn up. Be careful out
there...

> And why would someone running linux run as root?

Lots of reasons. Maybe they don't know any better. Maybe they like the
ability to whack any file they want without using sudo. Maybe it makes
them feel powerful and potent, and they lack that in their dull,
pointless, sedentary lives.

--
Regards,
Bob Monsen

"we can allow satellites, planets, suns, universe, nay whole systems
of universe[s,] to be governed by laws, but the smallest insect, we
wish to be created at once by special act"
-- Charles Darwin

Bob Monsen

unread,
Jan 3, 2006, 6:51:49 PM1/3/06
to

Unfortunately, some win programs can't execute as anything but
administrator. I've tried to set the user accounts on my kids' windows
machine to something other than administrator, but 1 out of 3 programs
they use on a daily basis seem to fail. Sadly, it appears that application
writers assume they can have their evil way with c:\windows.

Regarding linux, you sure that the code is not some pseudocode? I know
these files can do things like access the internet.... perhaps they can
select which bits of nasty goo they download. If so, it might be possible
to have them determine the OS first. Sure was nice when you didn't need
armor plating on your computer.

> So, of course, I stand behind my assertion that Bill Gates should clue
> up, download a Linux, have his codemonkeys port the eye candy, drivers,
> and easy install scripts (but smarten them up a bit - I'm available for
> that task, BTW), and sell it as ***Microsoft Linux***! It's totally
> legal! If I had his resources, I'd do it myself!
>

That is what Apple did (more or less) for OSX. By all accounts, it is
great to use. Sadly, they still are too stupid to a) figure out that their
stuff is better than windows, b) port it to intel, and c) price it in a
predatory way to eat Windows' market share. They are afraid of retribution
from the Word/Excel team, I'm guessing. I can't think of any other reason
why they wouldn't do this.

> As it is, the best we can do today is support, for example, Patrick
> Volkerding, who put together the Slackware distribution. It was my first
> Linux, back in the late 1990's, and I picked it because of the name.
> http://www.slackware.com . I don't work for him or anything, I'm just a
> satisfied customer. :-)
>

Slacker. I like Fedora Core 4, which appears to work, and has pretty much
everything you want available.

> There's only about two things I still need windows for, and I'm kind of
> working on narrowing that down if I can. ;-)
>

Wine keeps me going most of the time (hiccup!). Unfortunately, it doesn't
like graphics intensive games or the flying model simulator, so I have to
boot into windows for my fix of flying and pseudo-death. Also, sadly, the
Zilog C compiler doesn't run under wine. MPASM also fails, but I've got
linux tools for both dsPIC and the midrange series.

Boris Mohar

unread,
Jan 3, 2006, 7:05:14 PM1/3/06
to
On Tue, 03 Jan 2006 14:48:46 +0000, Terry Pinnell
<terrypi...@THESEdial.pipex.com> wrote:

Account for domain hexblog.com has been suspended

Google has very little info on hexblog

WTF??

--

Boris Mohar


Pooh Bear

unread,
Jan 3, 2006, 7:48:20 PM1/3/06
to

Bob Monsen wrote:

> That is what Apple did (more or less) for OSX. By all accounts, it is
> great to use. Sadly, they still are too stupid to .......b) port it to intel,
> and c) price it in a
> predatory way to eat Windows' market share.

Yes they have already. The new Macs coming out this year will use Intel CPUs. PCs
running OS X have already been demonstrated as a result of some guys tweaking
Apple's code to bypass a 'dongle like' requirement from the motherboard.

Graham

Daniel Lang

unread,
Jan 3, 2006, 7:59:12 PM1/3/06
to
"Boris Mohar" <borism_...@sympatico.ca> wrote in message
>> thumbnails *is* a consequence.
>
> Account for domain hexblog.com has been suspended
>
> Google has very little info on hexblog
>
> WTF??

It was suspended because it was too popular!
You can still get the patches from here:

http://www.grc.com/sn/notes-020.htm

Daniel Lang


Winfield Hill

unread,
Jan 3, 2006, 8:39:30 PM1/3/06
to
Rich Grise wrote...
>
> The whole thing could probably be nipped in the bud, and most
> viruses, worms, and such, if people could be taught to not do
> their day-to-day stuff while logged in as administrator...

I dunno, while XP home machines are used that way by default,
most W2000 and XP-pro machines are not, yet they're vulnerable
too. Perhaps that's because all execute the WMF code. BTW,
over-writing of system files isn't required to get infected.


--
Thanks,
- Win

qrk

unread,
Jan 3, 2006, 9:21:31 PM1/3/06
to
On 2 Jan 2006 15:15:57 -0800, Winfield Hill
<Winfiel...@newsguy.com> wrote:
[snippage]

> But my mother-in-law
> uses an old version of I.E. Damn. There's no way I can fix that
> for her -- she's in FL. I should have worked on it last October.

I installed TightVNC (remote control) on my parents' computer.
Periodically, I ask them to start up the VNC server on their machine
and I update various things, like this WMF issue, or help them out
with program usage remotely. I had to punch a hole in their firewall
for this to work.
http://www.tightvnc.org/

---
Mark

The Real Andy

unread,
Jan 4, 2006, 12:59:37 AM1/4/06
to
On Sun, 01 Jan 2006 16:09:36 -0800, John Larkin
<jjla...@highNOTlandTHIStechnologyPART.com> wrote:

>On Sun, 01 Jan 2006 16:18:43 -0800, Mike Monett
><gqtacf...@spammotel.com> wrote:
<snip>

>It took the genius of Bill Gates to design an os that allows worms to
>be resident in viewable images. As I recall, Windows had the same
>problem with true jpeg files once.
>
>"When in doubt, execute it."
>
>
>John

I am sure that bill is not responsible for this one. In fact, I doubt
that bill has much to do with the design of MS products these days.

John Larkin

unread,
Jan 4, 2006, 1:17:39 AM1/4/06
to


As majority owner and head of technology development, he could say

1. Make it simple, make it right, ship it when it's correct

or

2. Load it with features, rush it to market, let the idiot customers
find the bugs, and charge them for the fixes. And talk about
"innovation" and "trusted computing" as much as possible.


Microsoft is, and always has been, full of successful thieves and
rotten programmers.

John

The Real Andy

unread,
Jan 4, 2006, 1:51:15 AM1/4/06
to
On Tue, 03 Jan 2006 22:17:39 -0800, John Larkin
<jjla...@highNOTlandTHIStechnologyPART.com> wrote:

<snip>

>
>Microsoft is, and always has been, full of successful thieves and
>rotten programmers.

That statement just goes to prove that you have no idea what you are
talking about.

>John
>
>

Pooh Bear

unread,
Jan 4, 2006, 3:17:36 AM1/4/06
to

The Real Andy wrote:

He still deserves to carry the can though.

Graham


Pooh Bear

unread,
Jan 4, 2006, 3:21:26 AM1/4/06
to

The Real Andy wrote:

Thieves > businessmen. That seems to fix it.

Graham

Winfield Hill

unread,
Jan 4, 2006, 8:55:20 AM1/4/06
to
Frank Bemelman wrote...
>
> Winfield Hill wrote...

>> Winfield Hill wrote...
>>>
>>> We can't count on Norton AV, they haven't updated their definitions
>>> since Dec 30th (more than 48 hours), and they completely failed to
>>> stop the exploit test when I tried it yesterday, before installing
>>> Ilfak Guilfanov's patch.
>>
>> Still true today, it's now nearly 96 hours since their last update.
>
> The experts at Norton don't panic, you mean ;) What did you expect?
> Sheesh! Hahaha, unbelievable.
> The internet is going to melt, hahahaha....
> What a brilliant joke.

The experts at Norton finally panicked, and raised their ThreatCon
to Level 3. "The ThreatCon has been raised to Level 3 in response to
issues related to the recently discovered Windows WMF vulnerability,
including publicly available exploits, malcode propagating using the
issue, and the lack of an official patch until January 10." Norton
says Microsoft's temporary solution doesn't work and they
direct you to NIST, who say you should install Ilfak Guilfanov's
patch, and that they have done so on all their computers.

Most of us will probably avoid an infection, but as for an Internet
meltdown, yes, this will mean many thousands of new computers added
to the existing hordes of machines that are just waiting and can be
silently commanded by criminal gangs to carry out their bidding at
any point. If any of the computer owners had played a Sony music CD,
then their computers can be infected via the rootkit Sony installed,
so the infection cannot be detected by malware or antivirus programs.
Properly done, such computers can be owned at any time by criminals,
terrorists, or whoever pays enough for the privilege, without your
advance knowledge. It's certainly one more giant step to a meltdown.


--
Thanks,
- Win

John Larkin

unread,
Jan 4, 2006, 9:46:09 AM1/4/06
to


Are you suggesting that they are either ethical businesspeople or good
programmers? There's little evidence for either viewpoint.

John

John Larkin

unread,
Jan 4, 2006, 9:47:18 AM1/4/06
to
On 4 Jan 2006 05:55:20 -0800, Winfield Hill
<Winfiel...@newsguy.com> wrote:


Only of the Windows boxes!

John

Richard Henry

unread,
Jan 4, 2006, 10:47:48 AM1/4/06
to

"John Larkin" <jjla...@highNOTlandTHIStechnologyPART.com> wrote in message
news:0qnnr1d01bdoqu5co...@4ax.com...

As in any large organization, those who do well at their jobs get promoted,
and eventually tend to get a job at which they are not competent. (after
Peter, 1969).

Therefore, many managers at MS used to be good programmers.

John Larkin

unread,
Jan 4, 2006, 11:05:02 AM1/4/06
to

John Larkin

unread,
Jan 4, 2006, 12:29:16 PM1/4/06
to
On 3 Jan 2006 17:39:30 -0800, Winfield Hill
<Winfiel...@newsguy.com> wrote:

One of Bill's declared tenets of "trusted computing" was "safe by
default." Why does Windows default to executing .jpg files as wmf's?

Irfanview checks and warns me if the extension doesn't match the
header; Windows doesn't. Windows doesn't even allow me to turn on such
checking.

200 million lines of crap.

John
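Two of the posts above describe checks a defender would want: David Brown's point that a viewer should simply refuse the Windows 3.x SetAbortProc escape embedded in a WMF, and John Larkin's complaint that Windows does not compare a file's extension with its header the way Irfanview does. The following is an added example, not code from any poster in this thread or from any product named here. It implements both checks in Python using the public WMF and JPEG format values (placeable-header key, standard METAHEADER layout, META_ESCAPE record number 0x0626, escape code 9 for SetAbortProc); the sample metafiles it scans are constructed inline for the test and carry no drawing commands and no escape payload.

```python
"""Added example: content-vs-extension check and META_ESCAPE/SetAbortProc
detection for WMF files.  Format constants are the public WMF/JPEG values;
sample inputs are constructed by build_sample_wmf() below."""
import struct

APM_KEY = b"\xD7\xCD\xC6\x9A"   # Aldus placeable metafile header key (22-byte header)
JPEG_SOI = b"\xFF\xD8\xFF"      # JPEG start-of-image marker
STD_HEADER_LEN = 18             # standard METAHEADER is 9 words
META_ESCAPE = 0x0626            # record type carrying printer escapes
META_EOF = 0x0000
SETABORTPROC = 0x0009           # escape a picture viewer should never honour


def sniff_type(data: bytes) -> str:
    """Classify by content alone: 'jpeg', 'wmf' or 'unknown'."""
    if data.startswith(JPEG_SOI):
        return "jpeg"
    if data.startswith(APM_KEY):
        return "wmf"
    if len(data) >= 4:
        mtype, hsize = struct.unpack_from("<HH", data, 0)
        if mtype in (1, 2) and hsize == 9:   # memory/disk metafile, 9-word header
            return "wmf"
    return "unknown"


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when a recognised extension claims a type the bytes contradict."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claimed = {"jpg": "jpeg", "jpeg": "jpeg", "wmf": "wmf"}.get(ext)
    actual = sniff_type(data)
    return claimed is not None and actual != "unknown" and actual != claimed


def wmf_escape_codes(data: bytes) -> list:
    """Walk the record list and collect every escape function code seen.
    Record layout: Size (u32, in words, including itself) + Function (u16) + params.
    Stops at META_EOF, at a size below 3 words, or when the data is truncated."""
    codes = []
    if sniff_type(data) != "wmf":
        return codes
    off = (22 if data.startswith(APM_KEY) else 0) + STD_HEADER_LEN
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if size_words < 3 or func == META_EOF:
            break
        if func == META_ESCAPE and off + 10 <= len(data):
            esc_func, _byte_count = struct.unpack_from("<HH", data, off + 6)
            codes.append(esc_func)
        off += size_words * 2
    return codes


def scan(filename: str, data: bytes) -> list:
    """Findings a defender cares about; an empty list means nothing was flagged."""
    findings = []
    if extension_mismatch(filename, data):
        findings.append("extension/content mismatch: %s is really %s"
                        % (filename, sniff_type(data)))
    if SETABORTPROC in wmf_escape_codes(data):
        findings.append("META_ESCAPE SetAbortProc record present")
    return findings


def build_sample_wmf(escape_code=None) -> bytes:
    """Constructed test input: a standard (non-placeable) WMF holding at most one
    META_ESCAPE record with zero bytes of escape data, followed by META_EOF."""
    records = b""
    if escape_code is not None:
        # 5 words: size (2w) + function (1w) + escape function (1w) + byte count (1w)
        records += struct.pack("<IHHH", 5, META_ESCAPE, escape_code, 0)
    records += struct.pack("<IH", 3, META_EOF)
    total_words = (STD_HEADER_LEN + len(records)) // 2
    # Type=1 (memory), HeaderSize=9, Version=0x0300, Size, NumberOfObjects=0,
    # MaxRecord=5 words, NumberOfMembers=0
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, total_words, 0, 5, 0)
    return header + records


if __name__ == "__main__":
    for name, blob in (("FUNNY.jpg", build_sample_wmf(SETABORTPROC)),
                       ("chart.wmf", build_sample_wmf())):
        print(name, scan(name, blob) or "clean")
```

The scanner flags the escape record whether or not it carries data, because the decision a viewer should make is "never run SetAbortProc from a picture", not "inspect the payload"; a mail gateway or file-server hook can call `scan()` on each attachment and quarantine on any finding.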
