WMF Exploit!!! Install this patch now!


Rashputin

Kerry Brown said:
If you believe the security bulletin you have obviously not seen this
exploit in action. Build a test machine, fully update Windows, install
your antivirus and antispyware apps of choice and go to one of the many
known sites that use this exploit. The machine will be infected, no ifs,
ands, or buts. The people using the exploit are changing it often enough
that the antivirus/spyware/malware apps can't keep up. I have tried it.
Have you? It was scary. I immediately ran the unofficial patch on my own
machines. By the way many sites you think may be safe are not, knoppix-std
dot org is one site that was known to be hacked and was distributing
malware via this exploit. To most this would certainly seem to be a safe
site. Many on these newsgroups regularly recommend using knoppix.

Kerry



Does deleting the .wmf file association solve the problem or am I
misunderstanding it?

tia,

Regards
 

DrJoel

Richard said:
The patch works fine. I have installed it on my three computers without any
problem. Even if it caused a couple of glitches, it is better than having
your computer taken over, and controlled, by an unknown individual.
I saw somewhere that there is a program to test whether your system is
vulnerable to attack; where do I find it?
 

Kerry Brown

Rashputin said:
Does deleting the .wmf file association solve the problem or am I
misunderstanding it?

tia,

Regards

It doesn't solve the problem. The file can be named with any valid graphics
extension e.g. jpg. Windows will try to open the file, realise it's a wmf
file not a jpg and open it appropriately. You would have to disable all
graphics associations recognised by Windows. Unregistering the Windows
Picture and Fax viewer will help but the problem is deeper than that file
alone.

Kerry
 

Chuck

Experts: Windows Flaw Can't Wait for Microsoft Fix
http://www.pcworld.com/news/article/0,aid,124142,tk,dn010306X,00.asp
Users should consider applying an unofficial security patch, researchers
say.

Peter Sayer, IDG News Service
Tuesday, January 03, 2006


Users of the Windows OS should install an unofficial security patch now,
without waiting for Microsoft to make its move, security researchers at The
SANS Institute's Internet Storm Center (ISC) advised this week.


Their recommendation follows a new wave of attacks on a flaw in the way
versions of Windows from 98 through XP handle malicious files in the WMF
(Windows Metafile) format. One such attack arrives in an e-mail message
entitled "happy new year," bearing a malicious file attachment called
"HappyNewYear.jpg" that is really a disguised WMF file, security research
companies including iDefense and F-Secure said. Even though the file is
labeled as a JPEG, Windows recognizes the content as a WMF and attempts to
execute the code it contains.

Microsoft advised on December 28 that to exploit a WMF vulnerability by
e-mail, "customers would have to be persuaded to click on a link within a
malicious e-mail or open an attachment that exploited the vulnerability."
Microsoft's advisory can be found online.

However, simply viewing the folder that contains the affected file, or even
allowing the file to be indexed by desktop search utilities such as the
Google Desktop, can trigger its payload, F-Secure's Chief Research Officer
Mikko Hypponen wrote in the company's blog.


More Attacks Possible
In addition, source code for a new exploit was widely available on the
Internet by Saturday, allowing the creation of new attacks with varied
payloads. The file "HappyNewYear.jpg," for example, attempts to download the
Bifrose backdoor, researchers said.

These factors exacerbate the problem, according to Ken Dunham, director of
the rapid response team at iDefense.

"Risk has gone up significantly in the past 24 hours for any network still
not protected against the WMF exploit," Dunham warned in an e-mail on
Sunday.

Alarmed by the magnitude of the threat, staff at the ISC worked over the
weekend to validate and improve an unofficial patch developed by Ilfak
Guilfanov to fix the WMF problem, according to an entry in the Handler's
Diary, a running commentary on major IT security problems on the ISC Web
site.

"We have very carefully scrutinized this patch. It does only what is
advertised, it is reversible, and, in our opinion, it is both safe and
effective," Tom Liston wrote in the diary.

"You cannot wait for the official MS patch, you cannot block this one at the
border, and you cannot leave your systems unprotected," Liston wrote.

In the diary, ISC provided a link to the version of the patch it has
examined, including a version designed for unattended installation on
corporate systems.

While ISC recognizes that corporate users will find it unacceptable to
install an unofficial patch, "Acceptable or not, folks, you have to trust
someone in this situation," Liston wrote.

Microsoft representatives could not immediately be reached for comment on
Monday morning.

Guilfanov published his patch on his Web site on Saturday. His introduction
to it can be found online.

F-Secure's Hypponen highlighted Guilfanov's patch in the F-Secure company's
blog on Saturday night, and then on Sunday echoed the ISC's advice to
install the patch.

Not all computers are vulnerable to the WMF threat: those running
non-Windows operating systems are not affected.

According to iDefense's Dunham, Windows machines running Windows Data
Execution Prevention (DEP) software are at least safe from the WMF attacks
seen so far. However, Microsoft said that software DEP offered no protection
from the threat, although hardware DEP may help.
 

Chuck

Microsoft Urges Users to Wait for Official Patch
http://www.pcworld.com/news/article/0,aid,124149,tk,dn010306X,00.asp
Software giant says fix for WMF flaw is coming, advises against installing
unofficial fixes.

Peter Sayer, IDG News Service
Tuesday, January 03, 2006


Some security researchers are advising Windows users to rush to install an
unofficial patch to fix a vulnerability in the way the OS renders graphics
files, but Microsoft wants customers to wait another week for its official
security update, it announced Tuesday.


The problem is in the way various versions of Windows handle graphics in the
WMF (Windows Metafile) format. When a vulnerable computer opens a
maliciously crafted WMF file, it can be forced to execute arbitrary code.
Microsoft published a first security advisory on December 28, saying it had
received notification of the problem on December 27 and was investigating
whether a patch was necessary.

On Tuesday, Microsoft updated the advisory to say it has completed
development of its own patch, and is now testing it for release next week.

"Microsoft recommends that customers download and deploy the security update
for the WMF vulnerability that we are targeting for release on January 10,
2006," said the advisory, the full text of which can be found online.

The company says it carefully reviews and tests its security updates, and
offers them in 23 languages for all affected versions of its software
simultaneously. It "cannot provide similar assurance for independent
third-party security updates," it says.


Threat Level
The number of users potentially at risk is high, with all versions of
Windows exhibiting the vulnerability, but the number actually affected so
far is relatively low, researchers say.

However, the chance of running into a malicious WMF file is climbing, and
with it the danger of running an unpatched system. Already, one security Web
site has had to warn its readers to stay away: the owners of the
knoppix-std.org site warned in a forum posting that hackers had modified the
site so as to attempt to exploit the vulnerability on site visitors'
machines.

There is "a lot of potential risk" associated with the vulnerability,
according to Jay Heiser, a research vice president with Gartner and the
company's lead analyst on information security issues. "If it can be
exploited in any significant way, it would be an extremely big risk."

"It's a race between Microsoft and the exploit community," he says.

The bad guys had a head start in that race. Security researchers at Websense
first spotted malicious Web sites using the exploit on December 27, but
those sites may have been doing so as early as December 14, the company
says.

On December 28, Microsoft ambled out of the starting blocks with its first
security advisory acknowledging a potential problem.

Over the weekend, it updated this to suggest a way in which users could
reduce the risk by disabling an affected part of the OS, called shimgvw.dll.
Microsoft warned that the fix has the side effect of stopping the Windows
Picture and Fax Viewer from functioning normally. Others report that it also
stops Windows Explorer from showing thumbnails for digital photos.


Unofficial Fix
Security researchers outside Microsoft had other ideas: rather than disable
shimgvw.dll, they would modify it so that only the functionality considered
dangerous was blocked. By December 31, programmer Ilfak Guilfanov had
developed an unofficial patch to reduce the danger of attack, without
impairing Windows' graphics functions.

His patch quickly won the support of security researchers including The SANS
Institute's Internet Storm Center (ISC) and F-Secure.

Mikko Hypponen, chief research officer at F-Secure, feels safe recommending
the Guilfanov patch for several reasons.

"We know this guy. We have checked the code. It does exactly what he says it
does, and nothing else. We've checked the binary, and we've checked that the
fix works," he says.

He has one final vote of confidence: "We've installed it on all our own
computers."

Sophos PLC's Senior Security Consultant Carole Theriault advises businesses
not to install the unofficial patch. "We wouldn't recommend it, for testing
reasons," she says.

One of the hidden dangers of the WMF vulnerability is that things are not
always what they appear. Usually, WMF files can be identified by their .WMF
file extension, and blocked as a precaution, but attackers may choose to
disguise malicious files simply by giving them another image file suffix,
such as .JPG, because the Windows graphics rendering engine attempts to
identify graphics files by their content, not their name. That was the case
with a file with the title "happynewyear.jpg" that began circulating in
e-mail messages on December 31: If opened on a Windows machine, the file
attempts to download and install a backdoor called Bifrose.

As a consequence, says Theriault, businesses should keep existing antivirus
protection up to date and concentrate on blocking unsolicited mail while
waiting for the Microsoft patch, as this may help to screen out attacks.
They should encourage users to practice safe computing by only visiting
reputable Web sites and taking care with what they download, she says.

Jeremy Kirk of the IDG News Service contributed to this report.
 

Richard Urban

You can get it here from Gibson Research.
http://www.grc.com/sn/notes-020.htm

Unfortunately the link to the site of the man who developed the site comes
back as the domain has been suspended.

Too much traffic? Or is there is more going on here than is apparent to the
naked eye.

BTW, you run the test "after" you apply the fix and reboot. The test tells
you if the fix took hold.

--


Regards,

Richard Urban
Microsoft MVP Windows Shell/User

Quote from George Ankner:
If you knew as much as you think you know,
You would realize that you don't know what you thought you knew!
 

Rosanne

Richard said:
You can get it here from Gibson Research.
http://www.grc.com/sn/notes-020.htm

Unfortunately the link to the site of the man who developed the site comes
back as the domain has been suspended.

Too much traffic? Or is there is more going on here than is apparent to the
naked eye.

BTW, you run the test "after" you apply the fix and reboot. The test tells
you if the fix took hold.

Too much traffic. The site started as a simple blog, and was quickly
overwhelmed. The big-name mirrors I've seen so far, in addition to grc,
are:

http://castlecops.com/a6436-Newest_WMF_Exploit_Patch_Saves_the_Day.html
(http://castlecops.com/t143213-Hexblog_WMF_FAQ.html)

http://handlers.sans.org/tliston/wmffix_hexblog14.exe
(this is a direct link to the executable - there's nothing on his index
page)

http://sunbeltblog.blogspot.com/2006/01/alternate-download-for-unofficial.html
 

Bruce Chambers

Jim said:
Chris,

You are acting in an extremely irresponsible manner.


No, you're the one trying to con people into downloading an unknown
patch from an unofficial source. What specific type of malware are you
trying to distribute?



--

Bruce Chambers

Help us help you:



You can have peace. Or you can have freedom. Don't ever count on having
both at once. - RAH
 

Bruce Chambers

Josh said:
By the way, I got a patch at www.grc.com (another well known Windows
security expert) who links to Ilfak Guilfanov's temporary patch.


Gibson may be well known, but he's a "security" expert in his own mind
only.

Gibson is a very poor source for computer security advice. Gibson
has been fooling a lot of people for several years, now, so don't feel
too bad about having believed him. He mixes just enough facts in with
his hysteria and hyperbole to be plausible. Despicably, Gibson is
assuming a presumably morally superior pose as a White Knight out to
rescue the poor, defenseless computer user, all the while offering
solutions that do no good whatsoever.

Perhaps you should read what real computer security specialists
have to say about Steve Gibson's "security" expertise. You can start here:
http://www.grcsucks.com/


--

Bruce Chambers

Help us help you:



You can have peace. Or you can have freedom. Don't ever count on having
both at once. - RAH
 

Bruce Chambers

Josh said:
I'm just saying people should trust security experts. There *are* people out
there more qualified to give security guidance than you or MS. SANS,
F-secure, and Steve Gibson are 3 such parties.

Actually, if Gibson's recommending it, I'd avoid it like the plague.


--

Bruce Chambers

Help us help you:



You can have peace. Or you can have freedom. Don't ever count on having
both at once. - RAH
 

Jim

You would do well to heed your own advice... "Do some research first..."

I am not alone in proposing that people take the lead in preventing this
exploit by utilizing an "unofficial" patch.

And, even if I were..... Norton Antivirus, McAfee antivirus, etc. are not
officially recognized or suggested by Microsoft. Should they be wiped from
users' arsenal of security applications?

Had you actually "done some research first" (even as little as reading the
CNET article at
http://news.com.com/Wait+for+Window...window/2100-1002_3-6016747.html?tag=nefd.lede)
you would see that more outside eyes have looked over this patch than over
any Microsoft patches that we install without a second thought.

Curious that Microsoft doesn't make their patches open source. After all,
the exploits are already open source and we all have access to those.

Hey, Bruce....before you post again...."Do some research first..."

Jim
 

Josh Einstein

Well I don't tend to put much stock into any domain with the word "sucks" in
it cause it's usually pretty one sided. :) Especially one that links to the
register.

I do admit Steve Gibson is quite paranoid and self serving about security,
but he is also not a hacker and I don't think anyone would ever accuse him
of irresponsibly linking to an unsafe patch. (Which of course has been
linked to by many others now as well.)

(By the way, I don't read Steve Gibson's stuff and I don't particularly care
for his anti-Microsoft attitude, but while searching for mirrors for the
file, I came across his site and knew that it could be trusted not to be
malicious.)
 

Jim

I'm outta here.

I have shown you what I know about the patch and protecting yourselves. I
have projects to get out and must concentrate on them at this time.

Ultimately (in PCs as in life), your security is in your hands. Do your
research. Listen to whom you trust.

I wish you all the very best in this new year.

Have fun and be safe.

Jim
 

Sharkman

anyone know how to tell if you ARE infected?
Will the patch destroy the infection too?

In case you have been living under a rock for the last week or so,
you may not have heard about the WMF Windows exploit.

For those rock dwellers, here's the scoop.....short and sweet. Reprinted
here without permission from SANS at
http://isc.sans.org/diary.php?storyid=994. Hope they don't mind....
;).
---------------------------------------------

WMF FAQ (NEW)
Published: 2006-01-03,
Last Updated: 2006-01-03 08:55:06 UTC by Johannes Ullrich (Version:
3(click to highlight changes))

[a few users offered translations of this FAQ into various languages.
Obviously, we can not check the translation for accuracy, nor can we
update them. So use at your own risk: Deutsch and Deutsch (pdf),
Catalan , Español , Italiana and Italiana, Polski, Suomenkielinen,
Danish, Japanese, Slovenian, Chinese, Norwegian and Nederlands (in
progress) ]

* Why is this issue so important?
The WMF vulnerability uses images (WMF images) to execute arbitrary
code. It will execute just by viewing the image. In most cases, you
don't have to click anything. Even images stored on your system may
cause the exploit to be triggered if they are indexed by some indexing
software. Viewing a directory in Explorer with 'Icon size' images
will cause the exploit to be triggered as well.

* Is it better to use Firefox or Internet Explorer?
Internet Explorer will view the image and trigger the exploit without
warning. New versions of Firefox will prompt you before opening the
image. However, in most environments this offers little protection
given that these are images and are thus considered 'safe'.

* What versions of Windows are affected?
All. Windows 2000, Windows XP (SP1 and SP2), Windows 2003. All are
affected to some extent. Mac OS X, Unix and BSD are not affected.

Note: If you're still running on Win98/ME, this is a watershed
moment: we believe (untested) that your system is vulnerable and
there will be no patch from MS. Your mitigation options are very
limited. You really need to upgrade.

* What can I do to protect myself?
1. Microsoft has not yet released a patch. An unofficial patch was
made available by Ilfak Guilfanov. Our own Tom Liston reviewed the
patch and we tested it. The reviewed and tested version is available
here (now at v1.4, MD5: 15f0a36ea33f39c1bcf5a98e51d4f4f6), PGP
signature (signed with ISC key) here. THANKS to Ilfak Guilfanov for
providing the patch!!
2. You can unregister the related DLL.
3. Virus checkers provide some protection.

To unregister the DLL:

a. Click Start, click Run, type "regsvr32 -u
%windir%\system32\shimgvw.dll" (without the quotation marks), and
then click OK.
b. A dialog box appears to confirm that the un-registration process
has succeeded. Click OK to close the dialog box.

Our current "best practice" recommendation is to both unregister the
DLL and to use the unofficial patch.

* How does the unofficial patch work?
The wmfhotfix.dll is injected into any process loading user32.dll. The
DLL then patches (in memory) gdi32.dll's Escape() function so
that it ignores any call using the SETABORTPROC (i.e. 0x09) parameter.
This should allow Windows programs to display WMF files normally
while still blocking the exploit. The version of the patch located
here has been carefully checked against the source code provided as
well as tested against all known versions of the exploit. It should
work on WinXP (SP1 and SP2) and Win2K.

* Will unregistering the DLL (without using the unofficial patch)
protect me?
It might help. But it is not foolproof. We want to be very clear on
this: we have some very strong indications that simply unregistering
the shimgvw.dll isn't always successful. The .dll can be
re-registered by malicious processes or other installations, and
there may be issues where re-registering the .dll on a running system
that has had an exploit run against it allows the exploit to
succeed. In addition it might be possible for there to be other
avenues of attack against the Escape() function in gdi32.dll. Until
there is a patch available from MS, we recommend using the unofficial
patch in addition to un-registering shimgvw.dll.

* Should I just delete the DLL?
It might not be a bad idea, but Windows File Protection will probably
replace it. You'll need to turn off Windows File Protection first.
Also, once an official patch is available you'll need to replace the
DLL (renaming, rather than deleting, is probably better so it will
still be handy).

* Should I just block all .WMF images?
This may help, but it is not sufficient. WMF files are recognized by a
special header and the extension is not needed. The files could
arrive using any extension, or embedded in Word or other documents.

* What is DEP (Data Execution Protection) and how does it help me?
With Windows XP SP2, Microsoft introduced DEP. It protects against a
wide range of exploits by preventing the execution of 'data
segments'. However, to work well, it requires hardware support. Some
CPUs, like AMD's 64-bit CPUs, will provide full DEP protection and
will prevent the exploit.

* How good are Anti Virus products at preventing the exploit?
At this point, we are aware of versions of the exploit that will not
be detected by antivirus engines. We hope they will catch up soon.
But it will be a hard battle to catch all versions of the exploit.
Up-to-date AV systems are necessary but likely not sufficient.

* How could a malicious WMF file enter my system?
There are too many methods to mention them all. E-mail attachments,
web sites, instant messaging are probably the most likely sources.
Don't forget P2P file sharing and other sources.

* Is it sufficient to tell my users not to visit untrusted web
sites?
No. It helps, but it's likely not sufficient. We had at least
one widely trusted web site (knoppix-std.org) which was compromised.
As part of the compromise, a frame was added to the site redirecting
users to a corrupt WMF file. "Trusted" sites have been used like this
in the past.

* What is the actual problem with WMF images here?
WMF images are a bit different than most other images. Instead of just
containing simple 'this pixel has that color' information, WMF images
can call external procedures. One of these procedure calls can be
used to execute the code.

* Should I use something like "dropmyrights" to lower the impact
of an exploit?
By all means yes. Also, do not run as an administrator-level user
for every day work. However, this will only limit the impact of the
exploit, and not prevent it. Also: Web browsing is only one way to
trigger the exploit. If the image is left behind on your system, and
later viewed by an administrator, you may get 'hit'.

* Are my servers vulnerable?
Maybe... do you allow the uploading of images? email? Are these images
indexed? Do you sometimes use a web browser on the server? In short:
If someone can get an image to your server, and if the vulnerable DLL
may look at it, your server may very well be vulnerable.

* What can I do at my perimeter / firewall to protect my network?
Not much. A proxy server that strips all images from web sites?
Probably won't go over well with your users. At least block .WMF
images (see above about extensions...). If your proxy has some kind
of virus checker, it may catch it. Same for mail servers. The less
you allow your users to initiate outbound connections, the better.
Close monitoring of user workstations may provide a hint if a
workstation is infected.

* Can I use an IDS to detect the exploit?
Most IDS vendors are working on signatures. Contact your vendor for
details. Bleedingsnort.org is providing some continuously improving
signatures for snort users.

* If I get hit by the exploit, what can I do?
Not much :-(. It very much depends on the exact exploit you are hit
with. Most of them will download additional components. It can be
very hard, or even impossible, to find all the pieces. Microsoft
offers free support for issues like that at 866-727-2389 (866 PC
SAFETY).

* Does Microsoft have information available?
http://www.microsoft.com/technet/security/advisory/912840.mspx
But there is no patch at the time of this writing.

* What does CERT have to say?
http://www.kb.cert.org/vuls/id/181038
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4560


-----------------------------------------

So run the patch, reboot and keep your fingers crossed!

Jim
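Two of the FAQ items above ("Should I just block all .WMF images?" and "How does the unofficial patch work?"), and Kerry Brown's earlier reply about renaming the file to .jpg, turn on the same two facts: Windows identifies a WMF by its header rather than its extension, and the exploit rides on a META_ESCAPE record whose sub-function is SETABORTPROC (0x09), the call the unofficial patch filters out of gdi32's Escape(). The Python script below is an added example written for this page; it is not code from SANS, Ilfak Guilfanov, Microsoft or anyone in the thread. It detects WMF content whatever the file is called and reports escape records carrying SETABORTPROC, the kind of content check a mail gateway or proxy could apply while the official patch was pending. The record and header layouts are those of the standard WMF format; the function names, the sample file names and the sample files themselves are constructed here (the "suspect" file holds 16 placeholder bytes after the escape, not an exploit).

```python
"""Identify WMF content by header and flag SETABORTPROC escape records.

Added example for this thread, not the SANS, hexblog or Microsoft code.
Layouts follow the standard WMF format: an optional 22-byte "placeable"
header, the 18-byte METAHEADER, then records of (size in words, function,
parameters). The sample files at the bottom are constructed in this file.
"""
import struct

PLACEABLE_KEY = 0x9AC6CDD7   # magic of the placeable WMF wrapper
META_EOF = 0x0000
META_SETBKCOLOR = 0x0201     # harmless record used in the clean sample
META_ESCAPE = 0x0626         # record that reaches gdi32's Escape()
SETABORTPROC = 0x0009        # escape sub-function the unofficial patch blocks


def strip_placeable(data: bytes) -> bytes:
    """Drop the placeable header, if present, so the METAHEADER is at 0."""
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        return data[22:]
    return data


def is_wmf(data: bytes) -> bool:
    """True when the bytes carry a WMF header, whatever the file is named."""
    data = strip_placeable(data)
    if len(data) < 18:
        return False
    mtype, hdr_words, version = struct.unpack_from("<HHH", data, 0)
    # mtType 1 = memory, 2 = disk; header is always 9 words; known versions
    return mtype in (1, 2) and hdr_words == 9 and version in (0x0100, 0x0300)


def wmf_records(data: bytes):
    """Yield (offset, function, params) for each record up to META_EOF."""
    data = strip_placeable(data)
    off = 18
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        end = off + size_words * 2
        if size_words < 3 or end > len(data):
            break                      # truncated or malformed record
        yield off, func, data[off + 6:end]
        if func == META_EOF:
            break
        off = end


def find_setabortproc(data: bytes) -> list:
    """Offsets of META_ESCAPE records whose sub-function is SETABORTPROC."""
    hits = []
    for off, func, params in wmf_records(data):
        if func == META_ESCAPE and len(params) >= 2:
            if struct.unpack_from("<H", params, 0)[0] == SETABORTPROC:
                hits.append(off)
    return hits


def classify(data: bytes) -> str:
    """'not-wmf', 'wmf-clean' or 'wmf-setabortproc' for a file's bytes."""
    if not is_wmf(data):
        return "not-wmf"
    return "wmf-setabortproc" if find_setabortproc(data) else "wmf-clean"


# --- constructed samples (not real malware) ---------------------------------
def record(func: int, params: bytes) -> bytes:
    """Build one record: size in 16-bit words, function, parameters."""
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def build_wmf(records: list, placeable: bool = False) -> bytes:
    """Assemble a metafile from records; appends META_EOF automatically."""
    body = b"".join(records) + record(META_EOF, b"")
    total_words = (18 + len(body)) // 2
    max_words = max(len(r) // 2 for r in records) if records else 3
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, total_words, 0, max_words, 0)
    out = header + body
    if placeable:   # key, handle, bbox (4 x int16), inch, reserved, checksum
        out = struct.pack("<IHhhhhHIH", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0, 0) + out
    return out


CLEAN_WMF = build_wmf([record(META_SETBKCOLOR, struct.pack("<I", 0x00FFFFFF))])
# Disguised as .jpg in the wild; here the escape carries 16 placeholder bytes.
SUSPECT_JPG = build_wmf(
    [record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 16) + b"A" * 16)],
    placeable=True,
)
REAL_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 20   # JFIF magic, never a WMF

if __name__ == "__main__":
    for name, blob in [("clean.wmf", CLEAN_WMF), ("HappyNewYear.jpg", SUSPECT_JPG),
                       ("photo.jpg", REAL_JPEG)]:
        print(f"{name:18} {classify(blob)}")
```

The check is structural: it says nothing about what follows the escape, so a hit means "this file asks GDI to install an abort procedure", which a picture arriving by mail or web has no business doing, while a clean verdict only means no SETABORTPROC record was found in a well-formed record chain. Files embedded inside Word documents or other containers have to be extracted before this is applied, which is the point the FAQ makes about blocking by extension alone.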
 

Tom Porterfield

anyone know how to tell if you ARE infected?
Will the patch destroy the infection too?

Update your virus definitions and do a full scan. The patch will not
destroy the infection, but it should block the ability of the virus to
take control of your system.
--
Tom Porterfield
MS-MVP Windows
http://support.teloep.org

Please post all follow-ups to the newsgroup only.
 

Juan I. Cahis

And the patch can be uninstalled later?

Tom Porterfield said:
Update your virus definitions and do a full scan. The patch will not
destroy the infection, but it should block the ability of the virus to
take control of your system.
Thanks
Juan I. Cahis
Santiago de Chile (South America)
Note: Please forgive me for my bad English, I am trying to improve it!
 

Jim

Yes. And, it should be uninstalled prior to installing Microsoft's patch.

Jim

And the patch can be uninstalled later?

 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top