New IM Worm Exploiting WMF Vulnerability 360
An anonymous reader writes "After less than a four days after original mailing list posting there are reports about a new Instant Messaging worm exploiting unpatched Windows Metafile vulnerability. This worm is using MSN to spread, reports Viruslist.com."
temporary fixes (Score:5, Informative)
http://isc.sans.org/diary.php?rss&storyid=996 [sans.org]
http://www.f-secure.com/weblog/#00000760 [f-secure.com]
http://www.grc.com/sn/notes-020.htm [grc.com]
be aware the runnable patch is completely unofficial, the only action microsoft suggest is unregistering a vulnerable dll which only mitigates the most common method of exploitation while not fixing the underlying problem.
NFI how long it will take microsoft to have an official patch out, but from the sans site, it doesnt look promising that it will appear soon.
Re:How do I avoid it? Fixes? (Score:2, Informative)
Follow the suggested action in the Microsoft advisory linked right up there above.
Re:How do I avoid it? Fixes? (Score:4, Informative)
start->run
regsvr32 -u %windir%\system32\shimgvw.dll
http://www.microsoft.com/technet/security/advisor
Re:MSN? (Score:5, Informative)
Netherlands being the place where it first appeared, and being from Belgium myself, I can say that everybody here simply says 'MSN' when they mean 'MSN Messenger'.
It's more common in europe anyway to use MSN instead of other popular IM networks used thoughout the USA and other countries. IM was never popular with non-geek computer users here and when broadband internet (with a fixed price/month) arrived most teenagers (the primary group of users in europe) all started using MSN Messenger.
Re:How do I avoid it? Fixes? (Score:5, Informative)
http://www.aota.net/forums/showthread.php?p=14305
also check out FSecure's blog:
http://www.f-secure.com/weblog/ [f-secure.com]
Most importantly: THERE IS A FIX (Score:5, Informative)
http://www.hexblog.com/2005/12/wmf_vuln.html [hexblog.com]
Re:Developers, stop using ... (Score:4, Informative)
Re:How do I avoid it? Fixes? (Score:5, Informative)
Re:How do I avoid it? Fixes? (Score:5, Informative)
There is now a "Windows WMF Metafile Vulnerability HotFix" available from Ilfak Guilfanov. Have a look here http://www.hexblog.com/2005/12/wmf_vuln.html [hexblog.com]
The problem - and the fix - has been discussed also at GRC.com's Security Now podcast. Check out this link http://www.grc.com/sn/notes-020.htm [grc.com]
Re:Great.. (Score:2, Informative)
Pointing the finger at gdi32.dll is like running a malicious script that executes "rm -fr
Re:It's worse than that (Score:5, Informative)
I have seen in the past week our work increase 5 fold because of this exploit. What is normally a very slow time of the year for us has become very busy for us and it's making me nervous myself.
We had a few customer that bought brand new computers and laptop and are bringing them back the same day with this exploit. A quick check reveals that their Norton was up-to-date, yet this stuff still slipped in. Other customers are getting this thing left and right. Unfortunately I have not much to tell them except to keep updating all your security products daily as it's only going to get worse before it gets better. Hand them a copy of Norton and Sunbelt Counterspy and tell them good luck.
I do believe there is a bit a social engineering planned into this. Customers with year-end financials, tax season starting up, holiday credit card payments and statements coming through. Very ripe time to plucking financial and personal data. And with this being an extended holiday weekend, this exploit has a bit of time to fester and refine itself before the big trojan/virus with a major payload slips past the AV and Adware detections and onto millions of computers. What happens when someone combines with exploit with a backgood into a major ad server network? Imagine the damage then.
I'm doing the best I can at my house against this thing, but looking at the 7+ Windows boxes I'm now worrying about updating, installing, patching and unregistering, and the 1 Apple laptop I haven't had to restart in 6 months, and I wonder if this is going to be the big one that really gives Microsoft the black eye it can't recover from.
Do. This. Now. (Score:5, Informative)
All the necessary information and explanation (plus q/a) is here. This is the only hope at present. Good luck to everyone on Jan 2 when this thing takes over the world.
Re:Is this the exploit reported back in November? (Score:5, Informative)
VBS in WMF? WTF?! (Score:2, Informative)
Re:Most importantly: THERE IS A FIX (Score:3, Informative)
Re:so... (Score:5, Informative)
Does your website have an image on it? It can be exploited that way. Does your email render html, even with scripting turned off? It can be exploited that way. A few trusted sites have been compromised with this exploit. Some seedier as networks (with hundreds or thousands of affiliates) are using this to generate cash. There is no patch for Windows ME, 98, or 95 and there will never be as these OSes are unsupported. These systems will ALWAYS have this vulnerability.
Imaginine if someone uploaded this to MySpace (http://www.alexa.com/data/details/traffic_details ?q=&url=www.myspace.com/ [alexa.com]), as they allow full html formatting, embed, iframes and all kinds of crazy crap. One exploit on a popular blog will cause A LOT of damage.
I'm doing the best I can... (Score:4, Informative)
If you're an IT pro and you're running Windows at home, you should have your boxes imaged so you can just unhook from the net, image, apply the fix, take a new image and hook back up to the net. Seven boxen shouldn't take you more than a couple hours -- less if you use a standard image.
If you're setting this up for the first time, don't forget to redirect "My Documents" to a different partition, or better yet a server with a backup regime. Oh, yeah, and choose the "Activate Windows over the phone" option before you make your first image so you don't have to re-activate each time.
If you're an IT pro and you're not using Windows at home, take the extra hours and spend some holiday time with your friends and family. Life is short.
Re:Fearmongering (Score:1, Informative)
There is a real possibility that the shit is going to hit the fan big time with this one.
Re:How do I avoid it? Fixes? (Score:3, Informative)
Re:There needs to be... (Score:4, Informative)
Re:How do I avoid it? Fixes? (Score:4, Informative)
Best WMF Mitigation Strategy (Score:4, Informative)
1. Microsoft has not yet released a patch. An unofficial patch was made available by Ilfak Guilfanov. http://handlers.sans.org/tliston/wmffix_hexblog13
2. You can unregister the related DLL.
3. Virus checkers provide some protection.
To unregister the DLL:
* Click Start, click Run, type "regsvr32 -u %windir%\system32\shimgvw.dll" (without the quotation marks), and then click OK.
* A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.
Re:There needs to be... (Score:3, Informative)
Having used both, I stand by my comment that they're rough around the edges. Not hard to use, perhaps, but they have a number of odd behaviors that are not intuitive to anybody who isn't familiar with them. And Linux lacks the one big thing MacOS has -- easy support for the most comment media types, including Windows Media, and Quicktime. Trying to get Linux to support both of these is an exercise in futility. Sure it can be done, but not by Joe Schmoe. It's all in the little details, and these are just two little details among many.
Disclaimer: I am a professional Unix Systems Administrator with almost a decade of experience (and I've been playing with Linux since before it had Ethernet support ;-)). If I can see the potholes in the user experience, what do you think it's like for someone who doesn't have the background to understand why it is the way it is?
Re:Developers, stop using ... (Score:3, Informative)
Re:There needs to be... (Score:3, Informative)
Re:Seen this on porn sites (Score:2, Informative)
Re:VBS in WMF? WTF?! (Score:1, Informative)
Re:How do I avoid it? Fixes? (Score:5, Informative)
Re:How do I avoid it? Fixes? (Score:3, Informative)
Security researcher he isn't (really), but I do respect his ability to code. At any rate, for those who don't know why that's potentially laughable, see the GRC sucks [grcsucks.com] website.
Re:How do I avoid it? Fixes? (Score:2, Informative)
It's certainly not the cause of "low security", but it definitely makes Windows a target. This argument has been rehashed here and everywhere else a thousand times. The popularity of Windows makes it a target for more hackers. This says nothing about Microsoft's code quality, nor does it say anything about the quality of other OS's code bases. I'm just saying that it makes sense that the most used operating system would also be the most attacked. More attacks yield more results.
Shitty programmers with little or no Q/A, and a huge festering code base which is continually patched together with duck tape to keep it going
Why isn't this drivel modded as flamebait? Microsoft's coders are really any shittier than anybody else's coders, or at least I've seen no evidence of this. No Q/A? You have to be kidding me. If you have even a shallow knowledge of Microsoft's engineering practices you would know that their Q/A is probably the most intensive that any software company has on the planet, and it's getting more intensive every day.
Want an example? The ASP.NET team had 505,000 test scenarios [asp.net] for ASP.NET 2.0 that it had to pass 100% before they would lock it down as RTM.
along with a refusal to force 3rd party vendors to release software which runs properly (IE doesn't require local admin to run) causes security holes
Indeed, 3rd party software, and even Microsoft's own software (try developing an ASP.NET application with VS.NET 2k3 without admin privs), often fails to run correctly as non-admin. Microsoft has made a lot of changes to improve this, but 3rd party support is still lagging. Why? Because Windows is used by basically everybody, and if a patch or new version of Windows suddenly broke 75% of the applications out there nobody would upgrade.
This problem is an extremely difficult one to solve, and a lot of it has to do with Microsoft's failure to produce specs and guidelines from the start that let ISVs know what they needed to do to make sure software ran as non-admin. Microsoft's solutions in Vista [helpwithwindows.com] are a huge step in the right direction.
Windows doesn't have *bad* security, Windows has no security.
Baloney. The Windows security model is a solid one. Aside from the applications that don't like installing or running as non-admin (mostly ASP.NET development, really), I run Windows as non-admin 100% of the time. The security model in Windows is actually more extensive than the security model in most flavors of Unix, including Linux. (At least out of the box.) Regardless, Windows gets a bad rap for security not because of design of Windows is bad, but because there have been lots of high profile, highly damaging exploits for Windows over the years. With a few glaring exceptions, such as the WMF exploit, Microsoft has always had patches available for weeks if not months before the bastards out there released their worms or viruses.
Transparency between versions? How does that cause poor security?
As I explained earlier, Microsoft can't just break everybody's applications, even if they're insecure. That's not the way it works when you have 90% of the computer using world running your software.
Re:How do I avoid it? Fixes? (Score:3, Informative)
Re:Questions re: vulnerabilty (Score:1, Informative)
Using IE, you're fucked. You can write <img src="evil.wmf"> into an html file, and it'll display it clear as day. (And this means, that the exploit can be used.)
Firefox (without any WMF support) won't show up the picture inline.
I suggest that you try it yourself. Personally, I think this is an enormous unseen benefit to firefox. Even though you can be infected if you download and let explorer (or google desktop) see the file, this is still a big step from merely viewing it in a website!
Re:Questions re: vulnerabilty (Score:3, Informative)
Without actually knowing I'm pretty sure it'll work. The exploit can work through an image displayed on a webpage and work through a renamed image, so I don't see any reason it wouldn't work with both.
JPG, PNG, GIF etc. all have headers that should surely be checked before displaying the picture. Do IE not do this?
The mimetypethe webserver gave (which will presumably be application/x-wmf) should take priority over the extension anyway, and I believe IE's approach is "It claims to be an image of some sort, so call the image rendering library".
In short, do i have to actively click a "Open this file" dialog on the browser?
No.