Jump to content

New! Windows Malware Vulnerability


waldwolf

Recommended Posts

Within the last couple of days, a serious malware vulnerability effecting ALL windows systems, has been detected. This vulnerability may allow installation of virus's, spyware, keyloggers, etc on your system, simply by your viewing an infected website or via use of one of the "Messenger" utilities or through infected email.

All browsers, including IE, Firefox, Opera, etc. are effected.

This vulnerability involves exploitation of Microsoft's "Metafile" (wmf) file.

Yesterday, Microsoft released a temporary patch to disable the "Thumbnail" feature in Explorer, Viewer and Fax, however, a superior patch is now available on Steve Gibsons website, here.

Unfortunately, there is NO patch available yet for Windows 95/98/98SE/ME.

cheers

waldwolf

Edited by waldwolf
Link to comment
Share on other sites

hi'

news but incomplete ...

..Uncorrected critical vulnerability in Windows (28/12/05)

MAJ in 31/12/05: availability of an unofficial corrective

SUMMARY:

A new vulnerability was discovered in Windows. A defect of safety similar to a defect recently corrected (alert of 08/11/05) allows a hostile individual to take the remote control of the computer of his(her) victim or in a virus to run automatically during the preview or during the display of a multimedia .WMF file trapped in the Windows explorer or the browser Internet Explorer. This fault is already exploited in a hostile way by roguish Web sites.

SOFTWARE () CONCERNS (S):

Windows XP SP2 Microsoft

Windows XP SP1 Microsoft

Windows XP Microsoft

Windows 2000 Microsoft

Windows Me Microsoft

Windows 98 SE Microsoft

Windows Microsoft 98

Windows Microsoft 2003 Server

CORRECTIVE:

No official corrective is available for the moment because this fault was discovered while it was already exploited by a roguish site ( 0-day ). The risk of hostile exploitation is maximal because the detail of a code allowing to exploit this fault via the component Perceived by the images and the Windows faxes (Windows Picture and fax Viewer) SHIMGVW.DLL was made public. Besides the attentiveness towards hypertext links and not sure files, the concerned users can update their antivirus because certain publishers elaborated a signature intended to detect the booby-trapped files (Bloodhound. Exploit 56 to Symantec, Exploit-WMF at McAfee, TROJ_WMFIOO.A at Trend Micro, W32 / PFV-Exploit at F-Secure, Exploit. Win32. IMG-WMF at Kaspersky). The users of Internet Explorer can also configure the security level of their browser on "Raised" or use temporarily another browser to prevent an automatic exploitation via a roguish Web page (with an alternative browser, a dialog box can appear all the same to suggest to the Internaut downloading or running the booby-trapped file, what it is then necessary to refuse). It is finally possible to deactivate the component SHIMGVW.DLL to limit the risks of hostile exploitation using the code made public, whatever is the browser (the Internet users using their computer professionally should beforehand consult their computer or responsible service security):

* Click "Start menu";

* Click "Exécuter";

* Type or copy and paste " regsvr32 / u shimgvw.dll " (without quotation marks);

* Press the button "OK" or the key(touch) "Entrance"("Entry");

* Press the button "OK" in the dialog box of validation(confirmation).

His(Her,Its) deactivation returns the inalienable component in case of hostile attack via the Windows explorer or a browser, but also in case of normal use by a justifiable application. To reactivate this component once the available corrective or in case of disturbance excessive continuation(suite) to its deactivation:

* Open a Windows session as Administrator (if need be);

* Click "Start menu";

* Click "Exécuter";

* To type or copy and paste " regsvr32 shimgvw.dll " (without quotation marks);

* Press the button "OK" or the key(touch) "Entrance"("Entry");

* Press the button "OK" in the dialog box of validation(confirmation).

The last investigations indicate that the defect of safety(security) is not in the component SHIMGVW.DLL but in the function of the library GDI32.DLL, what explains that the fault is exploitable by the other means that the Preview of the images(frames) and the Windows faxes (among which the Paint applications and the Lotus Notes). Besides, it is possible to modify the extension of a .WMF booby-trapped file while preserving to him(her) its harmfullness (by opting for example by a .JPG extension), thus the attentiveness towards hypertext links and not sure files indispensable rest by waiting for the availability of a corrective, especially in this period of exchange of virtual boards and the other images.

31/12/05: A second exploit (code allowing the same programmer not specialist to design programs exploiting the fault) was made public in a irresponsible way by specialized contributeurs. He allows the creation of booby-trapped files more with difficulty detectable by antiviruses and would be already exploited in a hostile way under the shape of mails containing a trapped image (notably HappyNewYear.jpg) provoking the installation of a hidden door. An expert in security published from his part a temporary unofficial corrective unofficial patch for the recent versions of Windows: Contrary to the partial solution consisting in deactivating the component SHIMGVW.DLL, which protects only against the corresponding exploit, this corrective offers a more complete protection by preventing any use of the vulnerable function of the library GDI32.DLL without perturbing for all that significantly the functioning of the system, but it is not an official corrective thus it is suggested without any guarantee (installing by being Administrator and to uninstall via the Start menu > Control panel > Add / Delete of programs > deleting the " Windows WMF Metafile Vulnerability HotFix " program in case of problem or before installing the official corrective). Considering the gravity of the situation, we recommend the deactivation of the component SHIMGVW.DLL and the application of this unofficial corrective, by waiting for the availability of an official corrective.

ADDITIONAL INFORMATION:

- > ms info page

leave IE sidely by now and use firefox, opera or else :o

and pay attention on what you click on :D

francois

Link to comment
Share on other sites

Within the last couple of days, a serious malware vulnerability effecting ALL windows systems, has been detected. This vulnerability may allow installation of virus's, spyware, keyloggers, etc on your system, simply by your viewing an infected website or via use of one of the "Messenger" utilities or through infected email.

All browsers, including IE, Firefox, Opera, etc. are effected.

This vulnerability involves exploitation of Microsoft's "Metafile" (wmf) file.

Yesterday, Microsoft released a temporary patch to disable the "Thumbnail" feature in Explorer, Viewer and Fax, however, a superior patch is now available on Steve Gibsons website, here.

Unfortunately, there is NO patch available yet for Windows 95/98/98SE/ME.

cheers

waldwolf

UPDATE

Ilfak Guilfanov (the patch author) has developed a "WMF Vulnerability Checker", which you may read about and download here.

waldwolf

Link to comment
Share on other sites

Oh I see !!!!!!!!

Can we get someone to translate all of the aboves into English please and give us all a fighting chance  :o

Hi:

Yes, these type "problems" can get quite complicated.

Basically, someone has found a way to utilize a component of windows, to install and run a piece of software on your computer, without your knowledge or permission, simply by your viewing an "infected" website, email, instant message, etc. In other words, you can become infected by just viewing a website, instant message or email. (As of yesterday, more than 100 different pieces of malware have been detected online, which use this windows "Metafile" (.wmf) vulnerability to infect computers.)

Using Firefox, Opera or any other browser vs. Internet Explorer does not prevent you from becoming infected.

For a full discussion of this malware, download the pdf transcript file here (70kb) or the vocal discussion (podcast) here (6.5mb). (NOTE: To save the aforementioned material for later viewing/listening, right click on the "here" link(s) and use your "Save Target As" function.)

cheers

waldwolf

Edited by waldwolf
Link to comment
Share on other sites

UPDATE (03-JAN-06)

For info, Microsoft has just announced they expect to release a patch to "fix" the WMF vulnerability in windows, on Tuesday, January 10th. 2006.

In the meantime, you may want to download and install Ilfak Guilfanov's patch, the link to-which is shown in an earlier post.

For more details on this nasty business, read the following ZDF online editorial at: http://blogs.zdnet.com/Spyware/?p=737

cheers

waldwolf

Link to comment
Share on other sites

Using Firefox, Opera or any other browser vs. Internet Explorer does not prevent you from becoming infected.

unless of course you are browsing only in text mode , as this vunerability uses the malicious metadata inside of an image file to manipulate windows into executing its code.

Link to comment
Share on other sites

That's right folks... to fix any problem on your system, simply go to such-and-such website, download an "unknown" executable, and install it on your system.

One would have to be completely naive to install suspect s/w apps from postings on a web forum. But, it seems like there are suckers born every minute in this world.

Link to comment
Share on other sites

That's right folks... to fix any problem on your system, simply go to such-and-such website, download an "unknown" executable, and install it on your system.

One would have to be completely naive to install suspect s/w apps from postings on a web forum.  But, it seems like there are suckers born every minute in this world.

Hi Gumball:

In general I would agree with your statement, however in this case the WMF "patch" was developed and is being distributed by two very well known and respected software developers/security experts, namely Ilfak Guilfanov and Steve Gibson.

One also has the option of turning off their computer until January 10th., when Microsoft is expected to release their "fix".

cheers

waldwolf

Link to comment
Share on other sites

That's right folks... to fix any problem on your system, simply go to such-and-such website, download an "unknown" executable, and install it on your system.

One would have to be completely naive to install suspect s/w apps from postings on a web forum. But, it seems like there are suckers born every minute in this world.

hi'

first, the grc site is THE SECURITY site and it's a reference of knowledge and efficiency!

S.Gypson is one of the most advanced engineer in security!

take a patch from his site is simply common sens when the mocrosh1t morons from redmond are unable to provide a patch to protect millions of their users!

don't throw things like this .... "such and such website" ...

some of us are expert too, and we always deliver alert and possibly correct patches when available ...

you aren't only talking about SG, but about us too .. a bit unfair, especialy when guys bring you an information which is very important.

ignore it, don't apply this patch and good luck!

francois

ps;even linux and *nix have some updates!

just that they are released faster ...

Edited by francois
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.



×
×
  • Create New...