Windows XP Flaw 'Extremely Serious'
scottott wrote to mention a Washington Post article with the news that the security hole we mentioned on Wednesday has widened. Computers can now be infected just by visiting infected web sites, or looking at images in the preview panel of older versions of Outlook. From the article: "At first, the vulnerability was exploited by just a few dozen Web sites. Programming code embedded in these pages would install a program that warned victims their machines were infested with spyware, then prompted them to pay $40 to remove the supposed pests. Since then, however, hundreds of sites have begun using the flaw to install a broad range of malicious software. SANS has received several reports of attackers blasting out spam e-mails containing links that lead to malicious sites exploiting the new flaw, Ullrich said."
Sorry to say it got me (Score:5, Interesting)
Spent the next few hours removing all the junk that installed; I was lucky no root kits were installed.
Re:Solution (Score:3, Interesting)
In 1.5 the behaviour changed, and for some reason .WMF was associated in Firefox with Windows Media Player. So 1.5 is secure against this flaw, by lucky accident.
Re:Is it IE or Windows? (Score:3, Interesting)
Firefox? (Score:5, Interesting)
Cool Web Search? (Score:3, Interesting)
The CoolWebSearch [cwshredder.net] family of malware has been around forever... one of the major effects of many of the versions is to replace any IE entry of "search.msn.com" or "www.google.com" with "www.coolwebsearch.com", a rather shitty search engine.
A link would be nice (Score:2, Interesting)
Re:Another /. dupe (Score:2, Interesting)
How could you know? They can do pretty much whatever they want to your* computer. There's no one single indication to look for.
*assuming "your" computer is running Windows.
Re:Windows Major Foul-Up (Score:1, Interesting)
Re:Windows Major Foul-Up (Score:1, Interesting)
I have said it before and I will say it again, in the future more people are going to start to recognize that code re-use (and code theft) can become more costly than creating code from scratch because often you do not recognize the assumptions that were made when developing the code; WMF probably became web viewable because someone wanted a small portion of its functionality and re-used the code rather than starting from scratch.
Question (Score:2, Interesting)
Re:What about Microsoft's Nov 8 patch? (Score:3, Interesting)
http://www.kb.cert.org/vuls/id/181038 [cert.org]
Re:MOD PARENT UP (Score:3, Interesting)
Depends on your level of safety in the sandbox. Do not some versions of Windows have protected-mode device drivers--you know, for speed reasons? If you didn't have image-rendering and sound-playback also handled by the sandbox--also for speed reasons--then it might be possible to escape the sandbox given the right kind of vulnerability in the device driver.
I would hope VMware fully simulates all hardware and wouldn't have this kind of vulnerability. It's slow, but it's safe.
Incidentally, that is a choice where Microsoft often appears to choose perceived speed at the expense of safety.
Re:MOD PARENT UP (Score:4, Interesting)
Not to mention that the OP seems to have confused the issue of "exploits" with the issue of "user permissions" which is what was actually being talked about.
Re:Question (Score:4, Interesting)
HOSTS file? (Score:2, Interesting)
"And finally, you might want to start to filter these domains at your corporate firewalls too. Do not visit them.
toolbarbiz[dot]biz toolbarsite[dot]biz toolbartraff[dot]biz toolbarurl[dot]biz buytoolbar[dot]biz buytraff[dot]biz iframebiz[dot]biz iframecash[dot]biz iframesite[dot]biz iframetraff[dot]biz iframeurl[dot]biz"
Why not just put them into a HOSTS file as a 127.0.0.1 and avoid it?
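The HOSTS-file approach asked about in the comment above, as an added example that is not part of the original thread: it refangs the quoted `[dot]` list, validates each name, and merges `127.0.0.1` entries into hosts-file content without duplicating names already mapped. The function names and the sample hosts content are constructed for illustration; the domain list is the one quoted in the comment.

```python
import re

# Defanged list exactly as quoted in the comment above.
DEFANGED = ("toolbarbiz[dot]biz toolbarsite[dot]biz toolbartraff[dot]biz "
            "toolbarurl[dot]biz buytoolbar[dot]biz buytraff[dot]biz "
            "iframebiz[dot]biz iframecash[dot]biz iframesite[dot]biz "
            "iframetraff[dot]biz iframeurl[dot]biz")

# One DNS label: letters, digits, inner hyphens, at most 63 characters.
LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
HOSTNAME = re.compile(rf"^{LABEL}(?:\.{LABEL})+$")

def refang(text):
    """Turn 'name[dot]tld' tokens into validated, de-duplicated hostnames."""
    hosts = []
    for token in text.split():
        name = token.strip('",.').lower().replace("[dot]", ".")
        if HOSTNAME.match(name) and name not in hosts:
            hosts.append(name)
    return hosts

def mapped_names(hosts_text):
    """Hostnames that already have an entry in the hosts-file content."""
    names = set()
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop trailing comments
        names.update(f.lower() for f in fields[1:])  # fields[0] is the address
    return names

def merge_blocklist(hosts_text, domains, sink="127.0.0.1"):
    """Append sink entries for domains not yet mapped; safe to re-run."""
    present = mapped_names(hosts_text)
    new = [f"{sink} {d}" for d in domains if d not in present]
    if not new:
        return hosts_text
    return hosts_text.rstrip("\n") + "\n" + "\n".join(new) + "\n"

# Constructed sample of an existing hosts file (not from the page).
SAMPLE_HOSTS = "127.0.0.1 localhost\n127.0.0.1 toolbarbiz.biz  # added earlier\n"

if __name__ == "__main__":
    print(merge_blocklist(SAMPLE_HOSTS, refang(DEFANGED)), end="")
```

A hosts entry matches only the exact name listed, so subdomains of these domains are not covered; the firewall filtering the quoted advice mentions is what handles those.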
Re:Is the publicity from Slashdot to blame? (Score:3, Interesting)
Anti-virus and virus writers follow different websites that were already posting the details of the WMF vulnerability and the exploits. Slashdot did not have anything to do with that.
Thanks to Slashdot, I found out about this vulnerability in time to shut off our company's internet access before people came in to work, and find out what to do (unregister shimgvw.dll, add rules to IDS, send alarmist email to everyone explaining what to look out for). I'm sure that thousands of other admins found out about this within 24 hours, thanks to Slashdot, and were able to warn co-workers, friends, and family.
It's very different to ask "Is the publicity from Slashdot to blame?" vs. "I'm curious to know the effects that the media has on catalyzing the growth of exploits like this." I'm curious too, but *very* glad that Slashdot reported this exploit.
I'd believe that a few "prank" infections (IM) have occurred because of the publicity. I'm honestly surprised that no one seems to have posted these
What I'd like to know ... (Score:4, Interesting)
If it has been there since WMFs began, that's a long, long time. We're talking Windows '95 or earlier. It all depends when the GDI callbacks feature was added.
So here's what you need to consider: since this exploitable code first "shipped" with Windows, anyone "in the know", e.g. potentially FOLKS AT MICROSOFT, the NSA, your neighbor, whomever
If I build and sell a car that is advertised as having a security system, but that security system is defeatable by running a magnet over the car lock, and that information is "out in the wild" for years and years, maybe even by folks in my company... what is the legal liability?
The only three external things that will adjust Microsoft's behavior regarding security are: (1) customers switching to other products, (2) criminal justice investigations, and (3) lawsuits. I don't see #1 happening so long as customers remain locked in, #2 is a joke as we know, but #3