Attackers Exploit New Zero-Day Windows Bug (Extremely CRITICAL flaw!)

Continued...
http://www.eweek.com/article2/0,1895,1906177,00.asp

More info here:
http://blogs.washingtonpost.com/securityfix/2005/12/exploit_release.html
http://www.informationweek.com/news/showArticle.jhtml?articleID=175700809
http://news.com.com/Trojan+delivers+unwanted+gift+to+Windows+PCs/2100-7349_3-6011406.html

:scared:

then check back and see if there's been a fix yet.
This looks pretty nasty, just fetching your mail can get you.

This was posted on one of the links AngryGirl gave,
you can try it if you want, but don't blame me if you still get infected.

http://blogs.washingtonpost.com/securityfix/2005/12/exploit_release.html

<snip>

Update, 12:30 p.m. ET:
<snip>

A Microsoft spokesperson said the company is investigating, though no official word from them yet. A couple of security firms, including Verisign's iDefense, have published workarounds that appear to mitigate the threat. According to iDefense, Windows users can disable the rendering of WMF files using the following hack:

1. Click on the Start button on the taskbar.
2. Click on Run...
3. Type "regsvr32 /u shimgvw.dll" to disable.
4. Click ok when the change dialog appears.

iDefense notes that this workaround may interfere with certain thumbnail images loading correctly, though I have used the hack on my machine and haven't had any problems yet. The company notes that once Microsoft issues a patch, the WMF feature may be enabled again by entering the command "regsvr32 shimgvw.dll" in step three above.

<snip>

thanks!

1. Click on the Start button on the taskbar.
2. Click on Run...
3. Type "regsvr32 /u shimgvw.dll" to disable.
4. Click ok when the change dialog appears.

To reverse, replace the text in line 3 with "regsvr32 shimgvw.dll".

solicited sites, you should be ok??????????? Seems to be differences of opinions on the risk buried in these various discussions :shrug:


from the first link you posted...

Although Secunia deemed the flaw highly critical, at least one security researcher was dismissive of the bug's severity. Pete Lindstrom, research director for Spire Security LLC, said that at this stage in the game, anything that requires user interaction is hardly worth notice.

"There's no such thing as 'extremely critical' when user interaction is required," Lindstrom said. "That's just silly." snip....

The sentence before the ones you quoted:
"The attack can also be triggered automatically when visiting malicious Web sites via Internet Explorer."

Here's some more from the f-secure website:
"All you need to do is to access an infected web site with IE or view a folder with infected files with the Windows Explorer.
You can get burned even while working in a DOS box!"

http://www.f-secure.com/weblog/archives/archive-122005.html#00000753

Wednesday, December 28, 2005
Be careful with WMF files Posted by Mikko @ 15:30 GMT

<snip>

Do note that it's really easy to get burned by this exploit if you're analysing it under Windows. All you need to do is to access an infected web site with IE or view a folder with infected files with the Windows Explorer.

You can get burned even while working in a DOS box! This happened on one of our test machines where we simply used the WGET command-line tool to download a malicious WMF file. That's it, it was enough to download the file. So how on earth did it have a chance to execute?

The test machine had Google Desktop installed. It seems that Google Desktop creates an index of the metadata of all images too, and it issues an API call to the vulnerable Windows component SHIMGVW.DLL to extract this info. This is enough to invoke the exploit and infect the machine. This all happens in realtime as Google Desktop contains a file system filter and will index new files in realtime.

So, be careful out there. And disable indexing of media files (or get rid of Google Desktop) if you're handling infected files under Windows.

Two nights ago, my computer began to work "autonomously" -- windows closing, controls on IE freezing, text disappearing from message windows (including one from DU! Egads!), and several instances of Notepad. I think e-Week has overplayed the "danger", but it was a major annoyance and ruined my night's mischief.

I shut down, scanned, re-booted, and repeated the process about four times until it went away. It may have been a piece of malware marked "Trojan Loader" in PestPatrol I found a short time later. When I opened IE, it popped right in, but I was unable to nail it.

I suspect the "cure" happened on about the fourth or fifth reboot when my ISP assigned me a different IP number, as it automatically does from time to time, but I am not certain about this. I'm going to have to get more comprehensive diagnostic software.

However, if you think that having a Mac or a Linux box will render you immune, you're only fooling yourself. Scan those suckers anyway.

--p!

Go to http://www.symantec.com/avcenter/venc/data/trojan.lodear.removal.tool.html

and download the removal tool. I had a computer on my network infected with this. It took me a few days to find it and get rid of it. Scan scan scan until it says it's gone.

Tore it out with my bare hands, I did. It's about the fourth trojan/trapdoor I've manually dispatched (to virus hell) since Win 3.1.

I'm also re-installing Win2k sometime in the next two or three days. In addition, I've begun moving over to Linux, and I've been looking at virus scanning for that. If I can get my few key Windows apps to run under Wine/Crossover, I may dispense with Windows entirely.

And I'd been a Microsoft Developer since 1997.

Then, there's the little matter of the virus in my sinuses. But that's another story... :)

--p!

Just close enough to immune that with an automatically updating virus tool you will NEVER have a problem.

First of all, Windows gets most of the viruses because most virus authors write for (and on) the most common platform. As Linux, MacOS, and other architectures emerge, viruses will be written for them, too.

Then, a lot of viruses target Windows because so many hackers hate Microsoft, since Microsoft is the Evil Empire. But the young'uns don't remember when Apple sued the writers of every GUI -- including Xerox Sparc, the original GUI -- and slowed the technology down by five years. At the time, Microsoft was a middle-sized software house, but it was writing for a command-line/character-based market.

Macintosh is adopting the Intel architecture pretty soon. Most malware that exploits machine codes will find the Mac to be "easy meat". That is going to provide a major boon for the cyberviral universe.

You'd think there would be a big push for hardware-independent OS architecture. Well, I would. But it's not happening.

Finally, a lackadaisical attitude toward security holes may allow particular weaknesses in OS architecture to proliferate; when the right virus comes along, it could easily produce a massive wipe-out, the same way a newly-mutated version of Bird Flu or an H9N1 flu could threaten a whole area, or even the entire human race.

Such disasters are exceedingly rare, and I'm sure both physicians and computer scientists are keeping tabs on the situation. But a little extra diligence can go a long, long way.

The "design selection" model (as an analogue of natural selection) also implies that Microsoft architecture is "evolving" the kind of viral resistance that MacOS and Linux have not had the chance to. The superior programming of MacOS and Linux provide a different kind of viral resistance, but will that prevail?

Scan that box, Baby, scan it! :)

--p!

They are just not smart enough to get it.

I agree that will change with the Intel platform as there will be very quickly a version of WINE for OSX that will let Windows programs run on the Mac.

At that time many Windows trojans will likely find something new to screw up unless people get into the virus scanning habit, because WINE has to use the same flawed API that allows them in the first place.

If the FOSS community really wants to torpedo Windows, it ought to undertake to clone WinXP or Win2k in an open-source form, like Linux did with Unix.

Between Wine and DarWine, much of the gut work appears to have been done. A free, open, high-performance clone of Windows that can be called from Linux or MacOS would give Microsoft its first real competition since the early 1990s.

--p!

I can't take this "today's critical flaw is worse than yesterday's critical flaw" mentality any more. If these flaws are so critical why doesn't the internets just shut down? Why doesn't business just stop and all of our computers start blaring the Mackarena out?

I make my living in IT. And to this day, I've never seen a bug that didn't involve some moron just taking the bait or surfing where they don't belong when their system gets fucked. I have one on my bench for the second time in three months because this captain of industry can't stay away from porn. But this time, he pays twice as much because he was warned on his last invoice. And the backup disk with his files and documents I gave him from last time?

Gone, can't find it, wants to know if I saved him a copy.

Back to bed. By tomorrow, there will be an exploit for the wax I put on my string that cause me to lose my hearing.:sarcasm:

has some suspect file attachments, an those are routed straight to my jumk mail folder :-) So no doubt alot of people have tried infecting my computer with these same viruses and attacks. I'll make sure I have the latest security update and keep the junk mail screener on full blast. And get your Firewalls up too people!

here at home, mine being the main computer. Can we have a firewall if we have a network and if so should each of the computers have a firewall or just mine or what?

Any help is appreciated.

Buy a cheap router ($60) this will offer you the additional protection of NAT.

protected or do I need to set something up?

Just use your preferred firewall on the host computers. While not perfect, it's a pretty healthy combination.

The best security is a layered approach. Use the router, a firewall on the actual machines, and anti-virus on each of the machines mixed with some common sense about downloading and running unknown programs and you'll be pretty safe. Of course, it doesn't look like any of those will prevent you from getting infected by this latest threat except that hopefully your anti-virus would find the virus before it does any damage and your common sense prevents you from running across an infected .wmf in the first place.

I haven't had a chance to try this yet.
http://www.vmware.com/products/player/

I fart in the general direction of windows exploits!
:P:P:P:P

I can look at .wmf files but the OS ignores any .exe files. Happy Penguin to you, too.

EDIT: Courtesy of Slashdot (http://it.slashdot.org/comments.pl?sid=172399&cid=14355211)
1. Click on the Start button on the taskbar.
2. Click on Run...
3. Type "regsvr32 /u shimgvw.dll" to disable.
4. Click ok when the change dialog appears.

This may cause thumbnails for pictures and whatnot to fail to appear, but the problem DLL will be disabled and you cannot be exploited.

When a proper patch is released, do the same above but replace line 3 with "regsvr 32 shimgvw.dll" and it will go back to normal.

Don't worry about getting dressed ma'am...I'm from the Internets!

Hackers have created a range of Trojan programs which exploit a dangerous new Windows Meta File vulnerability. The vulnerability is rated critical, and so far, no patch has been issued.

The WMF vulnerability exists in computers running Microsoft Windows XP with SP1 and SP2, and Microsoft Windows Server 2003 and stems from a flaw in a utility used to view picture and fax files. The security flaw might be exploited by inducing victims to view maliciously constructed sites, particularly where IE is used as a browser, or when previewing *.wmf format files with Windows Explorer.

More at article, here:
http://www.theregister.co.uk/2005/12/29/wmf_trojan_alert/


More:
http://news.bbc.co.uk/1/hi/technology/4566504.stm

Un-register the Windows Picture and Fax Viewer (Shimgvw.dll) on Windows XP Service Pack 1; Windows XP Service Pack 2; Windows Server 2003 and Windows Server 2003 Service Pack 1

To un-register Shimgvw.dll, follow these steps:

1.
Click Start, click Run, type "regsvr32 -u %windir%\system32\shimgvw.dll" (without the quotation marks), and then click OK.

2.
A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.


Impact of Workaround: The Windows Picture and Fax Viewer will no longer be started when users click on a link to an image type that is associated with the Windows Picture and Fax Viewer.

To undo this change, re-register Shimgvw.dll by following the above steps. Replace the text in Step 1 with “regsvr32 %windir%\system32\shimgvw.dll” (without the quotation marks).

http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=33721

Here's the command to undo the tempoary workaround once the hole is patched:

regsvr32 shimgvw.dll

being a mac user, my real question is whether the NSA illegal spy cookies also affected my machine.

much of which is in .wmf format.

So yeah, you can. This can happen with any affected WMV movie.

Some browsers are not vulnerable to auto-execution of the exploit, and it's not windows media movies but windows metafile format files.

Read this blog entry for details:

http://sunbeltblog.blogspot.com/2005/12/new-exploit-blows-by-fully-patched.html

Of course, as a Mac user I sit here and snicker. How many years did I put up with the crap that Redmond
calls an operating system.

The biggest mistake ever made in the computer business was when Jobs refused to license the Mac OS. If he had all those years ago no one would be bothered by the Microshaft Evil Empire now. We would all be useing a bulletproof system.

I've always been under the impression that viruses always target PCs rather than Macs because it's such a vastly more widespread platform.

All OS's have ways in which they can be exploited. I'm willing to bet that if 90% of the planet was using the Mac OS, most of the viruses would be targeting the Mac OS.

....that the unix system-which the mac os is based on-is far less susceptible to exploits and far more difficult to hack than the Windows system.

Mainframes run the unix system IIRC, and they are Sheldon effected by the things that windows systems.

Also, consider the fact that over a million windows users in the US have switched to Macs in the last nine months, and there's still no virus that will effect the mac OS. Of course, the truth will be known in '06 and '07 when the intel based macs will roll out. I expect many millions of windows users will then switch to macs as they will use the same boards on both systems then. Graphic handling in games will no longer be what separates them. At that point we will see if they are both effected by viruses.

We'd all be bothered by the Apple Evil Empire right now.

if mac's were the majority. you're underestimating the will of hackers.

this is from the eWeek article linked in the original post above:

According to the Sunbelt Software blog, "any application that automatically displays a WMF image" can be a vector for infection, including older versions of Firefox, current versions of Opera, Outlook and all current versions of Internet Explorer on all Windows versions.

SHOULD I GO UPGRADE RIGHT NOW? any thoughts?

better to be safe than sorry. But should I spread any spermicide on the router before having internets?

:sarcasm: