Worms Microsoft Security

Windows XP Flaw 'Extremely Serious' 630

scottott wrote to mention a Washington Post article with the news that the security hole we mentioned on Wednesday has widened. Computers can now be infected just by visiting infected web sites, or looking at images in the preview panel of older versions of Outlook. From the article: "At first, the vulnerability was exploited by just a few dozen Web sites. Programming code embedded in these pages would install a program that warned victims their machines were infested with spyware, then prompted them to pay $40 to remove the supposed pests. Since then, however, hundreds of sites have begun using the flaw to install a broad range of malicious software. SANS has received several reports of attackers blasting out spam e-mails containing links that lead to malicious sites exploiting the new flaw, Ullrich said."
This discussion has been archived. No new comments can be posted.

  • by aka_big_wurm ( 757512 ) on Friday December 30, 2005 @09:57AM (#14364209) Homepage
    I needed a bit of underground info (cd key) and went to the best site for that and without thinking I used IE -- couldn't have shut my browser down fast enough.

    Spent the next few hours removing all the junk that installed, I was lucky no root kits were installed.
  • Re:Solution (Score:3, Interesting)

    by blowdart ( 31458 ) on Friday December 30, 2005 @10:16AM (#14364309) Homepage
    Except Firefox 1.0 also opens the files automatically, by default, in the vulnerable application.

    In 1.5 the behaviour changed, and for some reason .WMF was associated in Firefox with Windows Media Player. So 1.5 is secure against this flaw, by lucky accident.

  • by Secrity ( 742221 ) on Friday December 30, 2005 @10:19AM (#14364326)
    Windows has the vulnerability. Web browsers and some versions of Outlook are the means by which the malicious .wmf files are introduced into the operating system. Firefox and Opera can also be used to introduce malicious .wmf files; the difference is that Firefox and Opera ASK the user for confirmation before they download the files. I understand that newer versions of Firefox are misconfigured and do not handle .wmf files as Microsoft intended; this may be a case where a configuration error is actually a security feature.
  • Firefox? (Score:5, Interesting)

    by freg ( 859413 ) on Friday December 30, 2005 @10:26AM (#14364362)
    Could someone please elaborate on whether using Firefox browser will help avoid this security hole.
  • Cool Web Search? (Score:3, Interesting)

    by Chmcginn ( 201645 ) on Friday December 30, 2005 @10:33AM (#14364383) Journal
    This has happened a lot in the spyware world - there's plenty of supposed "Spyware Removers" [spywarewarrior.com] that either contain or were marketed with spyware, or show false positives in the "demo" version, forcing you to pay for the real version, which then 'clears' it all up for you. Even though plenty of people spent the money & got nothing, I haven't seen any news reports of anyone being charged for fraud in relation to these products...

    The CoolWebSearch [cwshredder.net] family of malware has been around forever... one of the major effects of many of the versions is to replace any IE entry of "search.msn.com" or "www.google.com" with "www.coolwebsearch.com", a rather shitty search engine.

  • A link would be nice (Score:2, Interesting)

    by NotFamous ( 827147 ) on Friday December 30, 2005 @10:53AM (#14364508) Homepage Journal
    How come no-one ever includes a link to an infected site? I'm surfing with Firefox under Linux and I would just like to check out some of the infected sites so I can look at the source to see what they are doing. Links anyone? P.S., windoze users please don't click the link.
  • Re:Another /. dupe (Score:2, Interesting)

    by Paradise Pete ( 33184 ) on Friday December 30, 2005 @10:54AM (#14364519) Journal
    Another dupe, and still no details on how to find out if you're infected.

    How could you know? They can do pretty much whatever they want to your* computer. There's no one single indication to look for.

    *assuming "your" computer is running Windows.

  • by Anonymous Coward on Friday December 30, 2005 @11:20AM (#14364674)
    It reminds me of problems a long time ago with Display Postscript, which, in addition to drawing, was also a full-blown programming language that had access to the filesystem. There were some early exploits that took advantage of this (on the few systems that employed DPS), but the solution was simple -- keep the functionality there, in theory, but have a default context that disabled the filesystem functions and other insecure operations in any program which dealt with insecure data (e.g., e-mail or web browser). To get the functionality back (it was sometimes useful), you had to hand-code a different DPS context from what the OS provided as a standard, which meant a programmer had to go out of their way to be intentionally insecure.
  • by Anonymous Coward on Friday December 30, 2005 @11:26AM (#14364714)
    Microsoft's biggest problem has never been 'lack of security' (although lack of security is a symptom of their biggest problem) regardless of what Linux/Mac fans seem to think; the problem with Microsoft is that they have become so large that one hand doesn't know what the other is doing. This is a problem because the effect of a set of changes that are designed to increase functionality (like adding Macros, plugins, etc.) are difficult to consider on a 'global' scale; everyone who was adding the WMF functionality could have told you that this could happen, but they probably never expected this data to be viewable from the web.

    I have said it before and I will say it again, in the future more people are going to start to recognize that code re-use (and code theft) can become more costly than creating code from scratch because often you do not recognize the assumptions that were made when developing the code; WMF probably became web viewable because someone wanted a small portion of its functionality and re-used the code rather than starting from scratch.
  • Question (Score:2, Interesting)

    by Anonymous Coward on Friday December 30, 2005 @11:29AM (#14364736)
    Does this mean that, when Firefox renders JPGs on an HTML page normally (without asking for a downloading), the WMF file could be executed?
  • by bflong ( 107195 ) on Friday December 30, 2005 @11:53AM (#14364888)
    No. It's another exploit in the same system:
    http://www.kb.cert.org/vuls/id/181038 [cert.org]
  • Re:MOD PARENT UP (Score:3, Interesting)

    by Thuktun ( 221615 ) on Friday December 30, 2005 @12:15PM (#14365044) Journal
    At least in a sandbox they cannot execute privileged code, at most they could infect executables on said share.

    Depends on your level of safety in the sandbox. Do not some versions of Windows have protected-mode device drivers--you know, for speed reasons? If you didn't have image-rendering and sound-playback also handled by the sandbox--also for speed reasons--then it might be possible to escape the sandbox given the right kind of vulnerability in the device driver.

    I would hope VMWare fully simulates all hardware and wouldn't have this kind of vulnerability. It's slow, but it's safe.

    Incidentally, that choice is one that Microsoft often appears to choose perceived speed at the expense of safety.
  • Re:MOD PARENT UP (Score:4, Interesting)

    by PenguiN42 ( 86863 ) <taylork@alum. m i t .edu> on Friday December 30, 2005 @12:20PM (#14365078) Journal
    Yes, seriously. That old knee-jerk meme of "IIS vs Apache disproves the myth of exploits due to install base" has to die. Yet someone invariably posts it, and they invariably get modded up. I just hope a few rational mods find your post quickly.

    Not to mention that the OP seems to have confused the issue of "exploits" with the issue of "user permissions" which is what was actually being talked about.
  • Re:Question (Score:4, Interesting)

    by shis-ka-bob ( 595298 ) on Friday December 30, 2005 @03:06PM (#14366195)
    If the image is a jpeg format, then no. If the file is a WMF file with a JPG extension, then I think the answer is Yes. Firefox 1.5 will ask you if you want to view the WMF file (at which point you had better say 'No'). With IE and Firefox 1.0, my understanding is that the wmf file (regardless of its extension) will be automatically viewed and this is enough to get your Windows PC infected.
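The point made in the reply above, that the extension does not decide how the file is handled, is the reason a gateway or mail filter has to sniff content rather than trust the file name. The following is an added example, not code from the thread or from any of the products discussed; it identifies WMF content by its header (the placeable-WMF magic 0x9AC6CDD7, or the standard METAHEADER layout of type, header size in words and version) and reports a mismatch when a file named as a JPEG actually carries a metafile. The sample files are constructed header-only stubs, not real images or real malware.

```python
import struct
from typing import Optional

# Constructed sample inputs: header-only stubs, not real images and not malware.
PLACEABLE_WMF_MAGIC = b"\xd7\xcd\xc6\x9a"   # 0x9AC6CDD7 stored little-endian
JPEG_MAGIC = b"\xff\xd8\xff"

# Type the user (or the web page) *claims*, taken from the extension only.
DECLARED_BY_EXT = {"jpg": "jpeg", "jpeg": "jpeg", "gif": "gif", "png": "png", "wmf": "wmf"}


def sniff_image_type(data: bytes) -> Optional[str]:
    """Classify by content, ignoring the file name: 'jpeg', 'wmf' or None."""
    if data.startswith(JPEG_MAGIC):
        return "jpeg"
    if data.startswith(PLACEABLE_WMF_MAGIC):
        return "wmf"
    # Standard (non-placeable) WMF: WORD FileType (1 = memory, 2 = disk),
    # WORD HeaderSize (always 9 words), WORD Version (0x0100 or 0x0300).
    if len(data) >= 6:
        file_type, header_size, version = struct.unpack_from("<HHH", data, 0)
        if file_type in (1, 2) and header_size == 9 and version in (0x0100, 0x0300):
            return "wmf"
    return None


def declared_type(name: str) -> Optional[str]:
    """Type implied by the extension, or None when there is no usable extension."""
    if "." not in name:
        return None
    return DECLARED_BY_EXT.get(name.lower().rsplit(".", 1)[-1])


def check_file(name: str, data: bytes) -> dict:
    """Verdicts: 'ok' (not a metafile), 'wmf' (honestly named metafile),
    'wmf-disguised' (metafile content behind a non-WMF or missing extension)."""
    declared = declared_type(name)
    sniffed = sniff_image_type(data)
    if sniffed == "wmf":
        verdict = "wmf" if declared == "wmf" else "wmf-disguised"
    else:
        verdict = "ok"
    return {"name": name, "declared": declared, "sniffed": sniffed, "verdict": verdict}


def build_standard_wmf_header() -> bytes:
    """Constructed 18-byte METAHEADER: disk metafile, 9-word header, version 3.0,
    file size 9 words, no objects, max record 0, reserved word 0."""
    return struct.pack("<HHHIHIH", 2, 9, 0x0300, 9, 0, 0, 0)


# Constructed corpus: a metafile wearing a .jpg name, a real-looking JPEG prefix,
# a placeable metafile with an honest name, and a metafile with no extension at all.
SAMPLE_FILES = {
    "holiday.jpg": build_standard_wmf_header() + b"\x03\x00\x00\x00\x00\x00",  # META_EOF record
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 12,
    "chart.wmf": PLACEABLE_WMF_MAGIC + b"\x00" * 18,
    "attachment": build_standard_wmf_header(),
}


def scan_corpus(files=SAMPLE_FILES) -> dict:
    """Map file name -> verdict for every file in the corpus."""
    return {name: check_file(name, data)["verdict"] for name, data in files.items()}


if __name__ == "__main__":
    for name, verdict in scan_corpus().items():
        print(f"{name:12s} {verdict}")
```

A filter built this way blocks on what the bytes are, so renaming the metafile to .jpg (the case the reply describes) changes nothing; during the window before a patch, treating every sniffed metafile as suspicious at the mail gateway and proxy is the conservative choice, and the verdict field separates the disguised ones for closer attention.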
  • HOSTS file? (Score:2, Interesting)

    by Monkeyfarmer ( 594779 ) on Friday December 30, 2005 @04:03PM (#14366556)
    F-secure mentions these as bad URLS:

    "And finally, you might want to start to filter these domains at your corporate firewalls too. Do not visit them.

    toolbarbiz[dot]biz toolbarsite[dot]biz toolbartraff[dot]biz toolbarurl[dot]biz buytoolbar[dot]biz buytraff[dot]biz iframebiz[dot]biz iframecash[dot]biz iframesite[dot]biz iframetraff[dot]biz iframeurl[dot]biz"

    Why not just put them into a HOSTS file as a 127.0.0.1 and avoid it?
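Sinkholing the published domains in a HOSTS file works, with one caveat the comment does not mention: HOSTS matching is exact on the name, so an entry for toolbarbiz.biz does nothing for cdn.toolbarbiz.biz (or for a link that uses a bare IP address), whereas a firewall or DNS domain filter can cover the whole domain. The code below is an added example, not from the thread or from F-Secure; it parses the de-fanged list quoted above back into hostnames, emits HOSTS entries for each name and its www. twin, and includes a checker that shows which URLs such entries actually stop. The URLs it is tested against are constructed.

```python
import re
from urllib.parse import urlsplit

# Constructed input: the de-fanged list exactly as it appears in the comment above.
DEFANGED_LIST = """toolbarbiz[dot]biz toolbarsite[dot]biz toolbartraff[dot]biz toolbarurl[dot]biz
buytoolbar[dot]biz buytraff[dot]biz iframebiz[dot]biz iframecash[dot]biz
iframesite[dot]biz iframetraff[dot]biz iframeurl[dot]biz"""

# Conservative hostname check so a stray token never becomes a HOSTS line.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)


def refang(token: str) -> str:
    """Turn 'example[dot]com' or 'example(dot)com' back into a lowercase hostname."""
    return re.sub(r"[\[\(]dot[\]\)]", ".", token.strip(), flags=re.IGNORECASE).lower()


def parse_defanged_list(text: str) -> list:
    """Whitespace-separated de-fanged names -> unique, validated hostnames, order kept."""
    hosts = []
    for token in text.split():
        host = refang(token)
        if HOSTNAME_RE.match(host) and host not in hosts:
            hosts.append(host)
    return hosts


def hosts_file_lines(domains, sink="127.0.0.1") -> list:
    """HOSTS entries in '<address> <name>' form, plus the www. variant of each name."""
    lines = []
    for domain in domains:
        lines.append(f"{sink} {domain}")
        lines.append(f"{sink} www.{domain}")
    return lines


def would_block(url: str, lines) -> bool:
    """True only when the URL's hostname matches a HOSTS entry exactly.
    Subdomains not listed and IP-literal URLs fall through, which is the limit
    of a HOSTS-based block compared with a domain-wide firewall or DNS rule."""
    host = urlsplit(url).hostname
    if host is None:
        return False
    blocked = {line.split()[1] for line in lines}
    return host.lower() in blocked


if __name__ == "__main__":
    domains = parse_defanged_list(DEFANGED_LIST)
    entries = hosts_file_lines(domains)
    print("\n".join(entries))
    # Constructed URLs showing what the entries cover and what they miss.
    for url in ("http://iframecash.biz/x", "http://cdn.iframecash.biz/x", "http://192.0.2.10/x"):
        print(url, "blocked" if would_block(url, entries) else "NOT blocked")
```

Two practical notes: many admins prefer 0.0.0.0 over 127.0.0.1 as the sink address so a connection attempt fails immediately instead of probing a local listener, and because the match is exact, the list needs re-generating whenever the publisher adds names, which is why the comment's firewall suggestion scales better than per-host entries.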
  • by dreamer-of-rules ( 794070 ) on Friday December 30, 2005 @04:49PM (#14366860)
    No, Slashdot isn't "to blame". Stop talking like Zonk.

    Anti-virus and virus writers follow different websites that were already posting the details of the WMF vulnerability and the exploits. Slashdot did not have anything to do with that.

    Thanks to Slashdot, I found out about this vulnerability in time to shut off our company's internet access before people came in to work, and find out what to do (unregister shimgvw.dll, add rules to IDS, send alarmist email to everyone explaining what to look out for). I'm sure that thousands of other admins found out about this within 24 hours, thanks to Slashdot, and were able to warn co-workers, friends, and family.

    It's very different to ask "Is the publicity from Slashdot to blame?" vs. "I'm curious to know the effects that the media has on catalyzing the growth of exploits like this." I'm curious too, but *very* glad that Slashdot reported this exploit.

    I'd believe that a few "prank" infections (IM) have occurred because of the publicity. I'm honestly surprised that no one seems to have posted these .wmf files to popular forums that I read. I'd guess that it's because the company exploiting this vulnerability the most -- Spyaxe -- is making a buck off of it, and mere pranksters won't.
  • by cpu_fusion ( 705735 ) on Friday December 30, 2005 @04:54PM (#14366894)
    What I'd like to know is -- how long has this exploit been "in the wild?"

    If it has been there since WMFs began, that's a long, long time. We're talking Windows '95 or earlier. It all depends when the GDI callbacks feature was added.

    So here's what you need to consider: since this exploitable code first "shipped" with Windows, anyone "in the know", e.g. potentially FOLKS AT MICROSOFT, the NSA, your neighbor, whomever ... they could have EASILY breached your Windows box, done whatever the hell they wanted, erased all their tracks ... and you'd have to convince a judge and jury it wasn't you.

    If I build and sell a car that is advertised as having a security system, but that security system is defeatable by running a magnet over the car lock, and that information is "out in the wild" for years and years, maybe even by folks in my company... what is the legal liability?

    The only three external things that will adjust Microsoft's behavior regarding security are: (1) customers switching to other products, (2) criminal justice investigations, and (3) lawsuits. I don't see #1 happening so long as customers remain locked in, #2 is a joke as we know, but #3 ... ?
