Forgot your password?
typodupeerror
This discussion has been archived. No new comments can be posted.

New IM Worm Exploiting WMF Vulnerability

Comments Filter:
  • by Ruff_ilb (769396) on Sunday January 01, 2006 @01:52PM (#14374812) Homepage
    These would be good things to know...
    • Perhaps the reason they posted it on Slashdot was that they were hoping that one of the thousands of programmers there would be able to fix it. ;-)
    • How do I avoid it? Fixes?

      Follow the suggested action in the Microsoft advisory linked right up there above.
    • by Maroulis (467300) on Sunday January 01, 2006 @01:59PM (#14374851)
      Microsoft suggests to unregister the problem dll.
      start->run
      regsvr32 -u %windir%\system32\shimgvw.dll

      http://www.microsoft.com/technet/security/advisory /912840.mspx [microsoft.com]
    • by Lehk228 (705449) on Sunday January 01, 2006 @01:59PM (#14374856) Journal
      use gaim, the image support is terrible you will be safe
      • by jZnat (793348) on Sunday January 01, 2006 @04:50PM (#14375515) Homepage Journal
        Funny as that might be, we're already talking about how the current mandatory support for MSN custom smilies is both an annoyance and a security hazard (either 2.0.0beta1 or CVS, I forget which version). If the infected WMFs are even cached anywhere and a program like Picasa sniffs it out and uses the win32 GDI library, you still get fucked. Lovely!
    • I'm avoiding it by, you know, not using a messenger client hard-wired to the operating system...

    • by SheeEttin (899897) <sheeettin@nospAm.gmail.com> on Sunday January 01, 2006 @02:30PM (#14375004) Homepage
      Ah, Slashdot... where the first post is modded "redundant".
  • by Pedals (758888) on Sunday January 01, 2006 @01:56PM (#14374834)
    Well that didn't take long.
    • It took long enough to make the rounds on every other board before it made it here. I heard about this from a post on another non-technology-related board like 3 days ago. Hell, my future father-in-law knew about this yesterday, and he can barely use a mouse.
  • temporary fixes (Score:5, Informative)

    by Phil246 (803464) on Sunday January 01, 2006 @01:57PM (#14374839)
    There is information available on temporary fixes from the following sites
    http://isc.sans.org/diary.php?rss&storyid=996 [sans.org]
    http://www.f-secure.com/weblog/#00000760 [f-secure.com]
    http://www.grc.com/sn/notes-020.htm [grc.com]

    be aware the runnable patch is completely unofficial, the only action microsoft suggest is unregistering a vulnerable dll which only mitigates the most common method of exploitation while not fixing the underlying problem.
    NFI how long it will take microsoft to have an official patch out, but from the sans site, it doesnt look promising that it will appear soon.
  • by IAAP (937607) on Sunday January 01, 2006 @02:03PM (#14374874)
    POP-UP windows!

    From MS' site: [microsoft.com] 4: Block pop-up windows in your browser

    My credit union requires that I allow pop-ups! I don't know how many times I've gone to legitimate websites and scratched my head for a while trying to figure out why I wasn't seeing anything - all because I'm blocking pop-ups! Firefox tells you with that little message on top of the window, but you know how it is, after a while, you don't notice it anymore.

    • by Anonymous Coward on Sunday January 01, 2006 @02:17PM (#14374942)
      Block popups on the internet security zone and allow them in the trusted zone then add your credit union to the list of sites you trust and refresh the page for the settings to take effect. Basically you need to create a white list of trusted sites while blocking all the riff raff. It doesn't matter what version of IE you use install the IE5.5 power toys which will add two settings to the tools menu called add to restricted zone and add to trusted zone. It ain't rocket science.
    • If you use Firefox and NoScript, you can enable scripting for white sites.
    • Don't blame us, blame the information architects, designers and (occasionally) clients that mandate their use.

      Pop up windows, like modal dialogues, have legitmate uses, but again like modal dialogues, they're overused.
    • You can allow a popup to be shown in IE on a per instance basis, whether the site is trusted or not, by holding down the CTRL button while clicking the link that launches the popup window. If the site uses javascript to automatically launch popups and you absolutely must use it then you can also add the site to your list of trusted sites under Tools->Internet Options->Security Tab. It makes sense add your online banking portal to the list of trusted sites anyway.
  • There needs to be... (Score:4, Interesting)

    by Caspian (99221) on Sunday January 01, 2006 @02:08PM (#14374897)
    ...a dedicated, well-written, well-publicized effort to educate the general public about this sort of thing. We need to establish a meme among the Joe Sixpacks, Moms and Dads, and Grandma Sues of this country that they're foolish if they don't read stories on [whatever].com each week. And on that site, we need to explain, in plain English, [A] what the flaw could do to their computer, [B] what they can do to temporarily/permanently fix the flaw, and [C] what the flaw is due to (99% of the time, this will be 'due to Microsoft software').

    Microsoft obviously isn't interested in having an educated user base, or they'd make such a site themselves and advertise it extensively.

    Who's with me?
    • ...a dedicated, well-written, well-publicized effort to educate the general public about this sort of thing. We need to establish a meme among the Joe Sixpacks, Moms and Dads, and Grandma Sues of this country that they're foolish if they don't read stories on [whatever].com each week. And on that site, we need to explain, in plain English, [A] what the flaw could do to their computer, [B] what they can do to temporarily/permanently fix the flaw, and [C] what the flaw is due to (99% of the time, this will be
      • by W2k (540424) <.moc.liamg. .ta. .suilesnevs.mlehliw.> on Sunday January 01, 2006 @02:49PM (#14375089) Homepage Journal
        The problem isn't that the user base is completely uneducated - it's that for the majority of the educated users on Windows, they're not switching because THERE'S NOTHING BETTER TO SWITCH TO. I'm not trolling; I'd be off Windows in a heartbeat if I had the option. I've replaced pretty much everything else on my box with FSS/OSS alternatives. Windows remains because for the stuff I do with my computer and the expectations I place upon it, there's nothing else to use.
        • by HairyCanary (688865) on Sunday January 01, 2006 @04:06PM (#14375366)
          With the exception of games (and I don't play PC games anyway), my Mac does everything Windows can do, plus some. I've been a die-hard PC guy, anti-Mac for a long time. Until I decided that I was done with Windows, and looked for alternatives. Linux just isn't quite there yet as a good, usable, stable day-to-day desktop operating system. But MacOS X is. And I've even grown to appreciate some of the ways in which it is superior to both Windows and Linux from a usability standpoint, even ignoring the well known security advantages.
          • Just because you get everything you need from your Mac doesn't mean it can replace Windows for everyone else. It's a crummy world, but some of us still rely on software that is Windows-only. As long as certain vendors still publish Windows-only software and certain business still require their use, many users will be stuck on Windows. C'est la via. No amount of "Mac does everything I need it to" will change that.
          • by dbIII (701233) on Sunday January 01, 2006 @07:03PM (#14375996)
            With the exception of games (and I don't play PC games anyway), my Mac does everything Windows can do, plus some
            There is a lot of in house software out there - which is why MS Windows98 was installed on a few single purpose machines where I work this year. The current developers are making all new software as portable as they can - and not developing to the moving MS Windows target.

            The earlier poster was correct - some poeple have no choice but to use MS Windows - but the answer as it has been for years is not to let their machines onto the net without adult supervision. I completely block this MS windows clone of IRC and it doesn't bother anyone - using instant messaging for business communication is a braindead idea anyway unless everyone is tied to their desks and focuses on short term tasks, and luckily I don't work in such an environment.

        • by Black Parrot (19622) * on Sunday January 01, 2006 @04:12PM (#14375395)
          > Windows remains because for the stuff I do with my computer and the expectations I place upon it

          If people would aim their expectations at their software vendors rather than their computers, that problem would go away.
        • by HermanAB (661181)
          Well, by switching to Linux, you basically trade one head-ache for another, but I can assure you that the Linux head-ache is much smaller and infrequent. Most people who complain about Linux do so because they tried some 5 year old version or tried to use last year's Red Hat or Fedora. If you would install a current Mandriva or Suse however, then you won't look back. Anyhoo, my notebook PC is dual booting XP/Mandriva. I only use XP for deliberately infecting and trying out virus fixes before I go and fi
    • by tsa (15680)
      My ISP regularly sends me emails about new MS vulnerabilities and what to do about them. I chuck them immediately because I use Windows only for playing games, but the fact that they send these mails means that a lot of Joe Sixpacks get to know about the dangers and can do something about it. I think that the main reason Joe Sixpack doesn't use non-MS software is that when something on a computer is more difficult than 'click here', 90% of the people doesn't even try. And another thing: people stick to what
    • by Hosiah (849792) on Sunday January 01, 2006 @04:29PM (#14375455)
      Who's with me?

      We've all been trying this years ago. But just yesterday, I got my ass kicked down to troll and flamebait for daring to suggest that Linux/Open Source/OS X/BSD/Anything-but-Windows is anything but an utter turd. What hope is there to educate a public who cannot get past the idea that the internet is just AOL and Bill Gates invented the computer and a hundred other misconceptions? You're advocating college education for people who can't pass kindergarten.

      From my ledge, I see it as counterproductive to call users "Joe Sixpack" and "Gramma". These are false stereotypes. Given the opportunity, anybody can learn. Nobody was born knowing Windows 20 years ago, but it caught on, didn't it? There's more "for Dummies" books where "DOS for Dummies" came from.

      But yeah, I do my part to post hints 'n' tips every other day on my geek blog, but it's more directed at people who've already found Linux. I tried in a past life to do similar for Windows users, and got nowhere: it's a hole with no bottom.

  • by jackb_guppy (204733) on Sunday January 01, 2006 @02:10PM (#14374906)
    IM is just a person private email system, period. Try using email, you can even use filters to pick your freinds messages out of the background noise, like inter-departmental mail.

    To fix the security risk of IM, either the you give up point to point email that it is to force it though filtering servers (sound like email there again). The Anti-Virus programs on every machine will have to start filtering all that traffic too (wait they are doing this for wmail today also!!)
    --
    When will people learn that NEW is not always GOOD.
    • by unity (1740) on Sunday January 01, 2006 @02:37PM (#14375029)
      My customers use IM. My coworkers use IM. I use IM.

      IM is potentially the most influential communication medium since email.
      I have had quite a few of my customers tell me that "The simple fact that I can reach you via IM, has made your company's service better than any other partner."

      IM is "instant", offers logging of communications and doesn't require somebody to check their email (it pops up on their screen). In many ways it is a better communication tool than other options: phone, email or fax. You can even use it to see if somebody is in the office yet, or out to lunch. I could go on and on...

      Feel free to not use it; the rest of the modern business world won't be joining you.
      • by S.O.B. (136083) on Sunday January 01, 2006 @03:05PM (#14375145)
        I am forced to use IM at work and all the benefits you list also have negatives associated with them.

        Being "instant" allows people to annoy you for any little thing. The dozen or so phone interruptions I used to get a day are now 20-30 IM interruptions.

        "Logging of communications" also means you have no privacy. And if you think your boss isn't tracking you by your IM status you're kidding yourself.

        Screen popups mean that you don't have to wait for the recipient to check their email/vmail but it also means that you just interrupted what they were doing. I don't know how many times I was trying to solve a problem and I got IMed by multiple people asking if I had solved the problem.

        The difference between IM and previous forms of communication is that I used to have a choice.
        • The dozen or so phone interruptions I used to get a day are now 20-30 IM interruptions.

          Doesn't your IM system support Do Not Disturb as a status?

          "Logging of communications" also means you have no privacy.

          Bosses who log IM probably also log email, so that's a wash.

          The difference between IM and previous forms of communication is that I used to have a choice.

          Interesting. I've never had a choice of whether to respond quickly to questions, regardless of how they arrived.

      • IM is "instant", offers logging of communications and doesn't require somebody to check their email (it pops up on their screen).

        That's what IRC is for.
    • IM is just a person private email system, period. Try using email, you can even use filters to pick your freinds messages out of the background noise, like inter-departmental mail. To fix the security risk of IM, either the you give up point to point email that it is to force it though filtering servers (sound like email there again). The Anti-Virus programs on every machine will have to start filtering all that traffic too (wait they are doing this for wmail today also!!)

      Ummm, not really. Half the peo

  • by Anonymous Coward on Sunday January 01, 2006 @02:11PM (#14374914)
    I do infosec stuff at a well-known corporation, including Incident Response, and I've been following this closely & working on our response.

    Since the first exploit came to light, H.D.Moore of the Metasploit project has reworked the original package they did. The new exploit spits out exploit WMF files [sans.org] that come:

    • with a random size;
    • no .wmf extension, (.jpg), but could be any other image extension actually;
    • a random piece of junk in front of the bad call; carefully crafted to be larger than the MTU on an ethernet network;
    • a number of possible calls to run the exploit are listed in the source;
    • a random trailer
    This makes it rather hard for antivirus and IDS sigs to detect it, though Snort and the A/V people are working late over their holidays to improve detection.

    SANS/ISC have provided excellent continued summaries of events around this. Here's their FAQ on the issue [sans.org].

    This is looking truly horrible. On Tuesday morning zillions of Windows desktops will be fired up for the first time in a week or two. This thing's already in widespread use by a number of malware distribution networks for the usual reasons. As such it's a nightmare for network and system admins with Windows machines to look after (and us security people trying to provide advice & assistance for them...) But the stealth nightmare is that this is an absolute jackpot for the less visible targetted attacks, such as those emanating from China for the past couple of years (google around, Slashdot and Schneier have covered this as well as many other places.) There are also the opportunistic types who see an easy opportunity to pwn some key machines where they work, say. I will stick my neck out here and make a prediction. Virtually all organisations with Windows machines are effectively wide open to total compromise by a reasonably informed person. That means much of the IT dept as well as significant numbers of the 'interested poweruser' types, developers with a casual interest in security,.. anyone who's heard of this and is capable of running the findingm, running and using the new exploit, basically. Of course we're all tweaking our IDSes and antivirus, locking things down as tight as possible in the 48 hours remaining, but... *shudder*

    For ten years I've been waiting for Microsoft's luck to run out. This is about #3 on my list of catastrophic MS incidents. There aren't many ways things could be worse.

    It will be a good time to be running Linux on work machine, though :)

    • Yes, it's really really bad, but it's not anywhere near as bad as a real network worm and we've had several of those. At least these attacks do require user interaction and there is workaround that's usually effective.

      BTW, according to testing by AV-Test of 73 variants all of the major AV packages and most of the others are detecting all of them. You're right though that there will be holes in this coverage, especially in as much as some of them are doing exploit-by-exploit coverage as opposed to a true heu
    • by borderpatrol (942564) on Sunday January 01, 2006 @03:01PM (#14375130)
      I work for a major electronics retailer in the Service department. Most of our duties are simple PC repair, data backup, and virus/spyware removal.

      I have seen in the past week our work increase 5 fold because of this exploit. What is normally a very slow time of the year for us has become very busy for us and it's making me nervous myself.

      We had a few customer that bought brand new computers and laptop and are bringing them back the same day with this exploit. A quick check reveals that their Norton was up-to-date, yet this stuff still slipped in. Other customers are getting this thing left and right. Unfortunately I have not much to tell them except to keep updating all your security products daily as it's only going to get worse before it gets better. Hand them a copy of Norton and Sunbelt Counterspy and tell them good luck.

      I do believe there is a bit a social engineering planned into this. Customers with year-end financials, tax season starting up, holiday credit card payments and statements coming through. Very ripe time to plucking financial and personal data. And with this being an extended holiday weekend, this exploit has a bit of time to fester and refine itself before the big trojan/virus with a major payload slips past the AV and Adware detections and onto millions of computers. What happens when someone combines with exploit with a backgood into a major ad server network? Imagine the damage then.

      I'm doing the best I can at my house against this thing, but looking at the 7+ Windows boxes I'm now worrying about updating, installing, patching and unregistering, and the 1 Apple laptop I haven't had to restart in 6 months, and I wonder if this is going to be the big one that really gives Microsoft the black eye it can't recover from.
      • by symbolset (646467) on Sunday January 01, 2006 @03:35PM (#14375253) Journal
        I'm doing the best I can at my house against this thing, but looking at the 7+ Windows boxes I'm now worrying about updating, installing, patching and unregistering, and the 1 Apple laptop I haven't had to restart in 6 months, and I wonder if this is going to be the big one that really gives Microsoft the black eye it can't recover from.

        If you're an IT pro and you're running Windows at home, you should have your boxes imaged so you can just unhook from the net, image, apply the fix, take a new image and hook back up to the net. Seven boxen shouldn't take you more than a couple hours -- less if you use a standard image.

        If you're setting this up for the first time, don't forget to redirect "My Documents" to a different partition, or better yet a server with a backup regime. Oh, yeah, and choose the "Activate Windows over the phone" option before you make your first image so you don't have to re-activate each time.

        If you're an IT pro and you're not using Windows at home, take the extra hours and spend some holiday time with your friends and family. Life is short.

      • by mosel-saar-ruwer (732341) on Sunday January 01, 2006 @07:43PM (#14376162)

        I have seen in the past week our work increase 5 fold because of this exploit. What is normally a very slow time of the year for us has become very busy for us and it's making me nervous myself.

        I know next to nothing about IM/RSS software, so I am just speculating here.

        But suppose you had some IM/RSS client [MSN, AOL, Yahoo, whatever] that had an image rendering aspect to it. For example, suppose your IM/RSS client were capable of rendering the JPGs in an HTML message.

        Then it seems to me that if you had such an IM/RSS client running on your desktop, and if someone knew your IM/RSS handle, then they could send you an IM/RSS message with very elementary instructions for downloading the evil file:

        <img src="http://blackhats.com/evilfile.jpg">
        and you'd be hosed without ever having clicked on any link. And if the worm were really smart, it could then install "thttpd" trivial http daemons to spread itself internally on any corporate network [via each person's IM/RSS "address book"].

        If that's true, and if lots of employees left their computers running and logged into windows with such "automatic" IM/RSS clients running on the desktop, then Tuesday or Wednesday morning [or whenever people decide to come back from their New Year's vacation], there could be literally MILLIONS of infected machines.

        So the question: Are there IM/RSS clients that can download files automatically?

    • I can understand spreading the fact that the exploit exists. I could maybe argue whether or not you should spread info on the exploit. I can barely see why one would make an example exploit.

      But why would someone make a program specifically designed to make an undetectable/untraceable version of the exploit?

      I can only see harm coming from this.

      And I'm sorry, but "because it's there" doesn't work when you know there's only negative outcomes of what you do.
      • They do it to show what can be done with a flaw such as this. The people who we really have to worry about can (and probably have) already come up with other ways of crafting exploits around this bug that we aren't likely to find out about until after the major exploits come out. And the people we really have to worry about aren't going to make major exploits at all, but use it to exploit machines with potentially sensitive information (such as your personal information).

        Until Micorosft fixes the problem,

  • Great.. (Score:3, Interesting)

    by wfberg (24378) on Sunday January 01, 2006 @02:12PM (#14374918)
    Microsoft recommends, for the time being to just

    regsvr32 -u %windir%\system32\shimgvw.dll

    BUT according to this analysis, the real fault lies with gdi32.dll ! How the hell do you get rid of that? It's about as deeply embedded in windows as, say, glibc is in Linux distributions..
    • Re:Great.. (Score:2, Informative)

      by Anonymous Coward
      The problem is not with gdi32.dll. The problem is with the way the WMF handler uses the SetEscape() API.

      Pointing the finger at gdi32.dll is like running a malicious script that executes "rm -fr /" and blaming the rm executable when your files disappear.
  • by Channard (693317) on Sunday January 01, 2006 @02:15PM (#14374932) Journal
    ... when Hulkamania runs wild on you? Oh, wait, WMF. Never mind.
  • by FhnuZoag (875558) on Sunday January 01, 2006 @02:15PM (#14374936)
    It's unofficial, but it works.

    http://www.hexblog.com/2005/12/wmf_vuln.html [hexblog.com]
  • I'm impressed at the timing on this one -- it hits during the slowest time of the year.

    I figure the exploiters, even if they aren't the fastest in the bunch, will have massive penetration by the time people start modifying their systems to protect themselves.

    So I'm wondering if the bad guys knew about this one for a while and just waited until now to spring it, or did the Microsoft customers just get profoundly unlucky.

    Steve Jobs is probably laughing away over this one.
  • Fearmongering (Score:4, Interesting)

    by eddy (18759) on Sunday January 01, 2006 @02:38PM (#14375036) Homepage Journal
    What we need now is for someone to find a remote exploit in a popular webserver and combine both exploits into a worm, 'cause then we're all really fucked.
  • I've noticed numerous TGP porn sites have been trying to get me to open a WMF file (Not that I uh.... would know about this first hand or anything ;p). Didn't think there was anything to it until seeing this article- my guess is it's being used to install crapware of some kind.

    lucky I'm using Linux.
  • by Animats (122034) on Sunday January 01, 2006 @03:06PM (#14375149) Homepage
    An exploit of "gdi32.dll" using a WMF file for the attack was documented back in November [securiteam.com]. Does this new exploit use the same attack approach?
  • VBS in WMF? WTF?! (Score:2, Informative)

    by void*p (899835)
    Why in the world would a WMF file need to be able to execute a script? And aren't most of Microsoft's vulnerabilities related to the wanton running of scripts without a user being aware that it's happening?
  • by Heembo (916647) on Sunday January 01, 2006 @05:03PM (#14375549) Journal
    From http://isc.sans.org/diary.php?rss&storyid=994 [sans.org] :

    1. Microsoft has not yet released a patch. An unofficial patch was made available by Ilfak Guilfanov. http://handlers.sans.org/tliston/wmffix_hexblog13. exe [sans.org] Our own Tom Liston reviewed the patch and we tested it. The reviewed and tested version is available here (now at v1.3, MD5: 14d8c937d97572deb9cb07297a87e62a). THANKS to Ilfak Guilfanov for providing the patch!!
    2. You can unregister the related DLL.
    3. Virus checkers provide some protection.


    To unregister the DLL:


    * Click Start, click Run, type "regsvr32 -u %windir%\system32\shimgvw.dll" (without the quotation marks), and then click OK.
    * A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.

Real Programmers don't write in FORTRAN. FORTRAN is for pipe stress freaks and crystallography weenies. FORTRAN is for wimp engineers who wear white socks.

Working...