PDA

View Full Version : F-Prot antivirus; security, alert


Jeff
January 2nd, 2006, 01:14 PM
This is a security alert for a variety of exploits taking advantage of a serious vulnerability in the handling of the Windows Metafile image format.

For more information on this threat and on recommended reactions please go to:
http://www.f-prot.com/news/vir_alert/wmf_vulnerability_060102.html

The latest versions of F-Prot Antivirus detect all known exploits of this vulnerability using virus signature files dated 1 January 2006 or later.

--
F-Prot Antivirus Alert Service
http://www.f-prot.com

From their report:

"Although the behaviour creating this vulnerability is currently causing serious problems, it was originally a important feature of the Windows operating system and appears to have been part of Windows since version 3.0 was first released 15 years ago. This vulnerability therefore affects a very large number of computer users."

Update your protection now!

- Jeff

Judy G. Russell
January 2nd, 2006, 09:32 PM
Sigh... fifteen years worth of vulnerability...

Jeff
January 3rd, 2006, 12:17 PM
Sigh... fifteen years worth of vulnerability...

Yeah. I think Gates... never mind. You already know.

- Jeff

ndebord
January 3rd, 2006, 11:16 PM
Yeah. I think Gates... never mind. You already know.

- Jeff

Jeff,

As my old friends at IBM have said: Bill Gates never met code he wasnt willing to ship when it was 80% ready.

And really, what can you reasonably expect from a man with a last name like his? His "gates" are always open...

<g>

sidney
January 4th, 2006, 04:52 AM
The article at F-Prot is factually correct, and one of the links it provides is to a more complete article at the SANS security website, but I think it is self-servingly misleading for them to say that their antivirus scanner detects "all known exploits of this vulnerability."

Here is what the vulnerability is: Microsoft in its infinite wisdom designed an image file format WMF that allows an image file to contain executable code that is run by Windows when it displays the file. That gives the creator of the image file the ability to design creative and non-standard things and have the code in the file "help" Windows display it.

So if you browse to a website with pictures, receive email with a picture attachment, click on a folder in Windows Explorer to open a directory that contains image files when thumbnail view is enabled... anything that leads to an image being displayed by Windows... if the image file has a .wmf extension it may contain arbitrary code, such as a virus, worm, or trojan horse installer. If it is a WMF file that has been renamed to something.gif or .jpg, Windows will detect that it is really WMF format and process it accordingly anyway.

That's why I think F-Prot is being disengenuous. They may detect all virus/worms/trojans that have been found in WMF files used by bad guys since this exploit was discovered in the wild, but they have no way of knowing what arbitrary programs will be inserted in the image files on the web site you are tricked into visiting during the next 7 days until Microsoft plans on releasing a Windows Update to patch this.

That's right, 7 days, because Microsoft does not want to see the headlines about them releasing an emergency patch before their monthly scheduled "patch Tuesday".

I'll give you some links, but first, here is how to patch your system right away:

The first step is to disable the DLL that is being exploited. This is not perfect because there are ways that malware can re-enable it, but this is step 1:

Open a command prompt or even simpler use the Start | Run menu and type the following command, all on one line. You can type %windir% as I did, or use the actual drive and directory of your Windows installation such as C:\Windows

%windir%\system32\regsvr32.exe -u %windir%\system32\shimgvw.dll

and type Enter. That should bring up an alert box confirming that the DLL has been unregistered (disabled).

Step 2 is to install the hotfix that you can get at the following URL at the SANS Institute, a leading Internet security organization:

http://isc.sans.org/diary.php?storyid=1010

After Microsoft releases its update on Jan 10 you can use the Add/Remove Software control panel to uninstall it, where it will be listed as WMFHotfix-1.4.

Once your machine is protected read the SANS Institute's scathing editorial on Microsoft's handling of this at http://isc.sans.org/diary.php?storyid=1011

This article contains a link to a PDF with a good slide presentation about the vulnerability, how it works, the unofficial patch, etc.:
http://isc.sans.org/diary.php?storyid=1012

And an FAQ that also has a link to an older PDF presentation:
http://isc.sans.org/diary.php?storyid=994

-- sidney

Remember: Run regsvr32 and install the hotfix NOW!

Judy G. Russell
January 4th, 2006, 10:11 AM
Thanks, Sidney! It sure is hard to get to the SANS Institute website but I'll keep trying...

Dan in Saint Louis
January 4th, 2006, 03:18 PM
Thanks, Sidney! It sure is hard to get to the SANS Institute website but I'll keep trying...
The good news is that once you get there it is only about a 60 KB file.

Judy G. Russell
January 5th, 2006, 12:31 AM
I finally did get it and installed it. Easy as pie.

sidney
January 5th, 2006, 05:09 PM
Microsoft caved in to customer pressure and released their patch early.

Run Windows Update to get the patch, or if for some reason you don't want to, download the patch from here (http://www.microsoft.com/technet/security/Bulletin/ms06-001.mspx)

Here are the recommended steps from SANS (http://isc.sans.org/diary.php?storyid=1019) if you installed the earlier unofficial patch:


Reboot your system to clear any vulnerable files from memory
Download and apply the new patch
Reboot
Uninstall the unofficial patch, by using Add/Remove Programs on single systems.
If you used msi to install the patch on multiple machines you can uninstall it with this:
msiexec /X{E1CDC5B0-7AFB-11DA-8CD6-0800200C9A66} /qn
Re-register the .dll if you previously unregistered it (use the same command but without the "-u"):
regsvr32 %windir%\system32\shimgvw.dll
Reboot one more time for good measure


-- sidney

Judy G. Russell
January 5th, 2006, 11:20 PM
Thanks, Sidney. Now... is the MS patch good enough or should we all say to heck with MS and leave the SANS patch in place?

sidney
January 5th, 2006, 11:40 PM
is the MS patch good enough

According to SANS the MS patch does exactly what the unofficial patch did, except that where the unofficial patch had to jump through hoops to inject itself into the existing code, MS could just change the source code, recompile it, and release a new DLL.

This is a little belated, but here is one web comic's version of a Microsoft spokesman answering the question about what people should do while waiting the week until their patch was due to be released:

"Don't do anything that might cause your computer to become infected. But don't panic. But don't use your computer in any way that might possibly allow it to become infected. But don't panic. But don't open any files from unknown parties or from other computers that might already have been infected. But don't panic. And don't use Linux. That would be panicking."

-- sidney

fhaber
January 6th, 2006, 10:41 AM
I'm relieved. This one had the potential to be *really* bad - thus the excitement in security circles. It seems we've lucked out, so far. Let us, as usual, pray.

Note that 98 and ME have no patch. Microsoft says the threat to them is "not critical." Then they turn around and say that none of the current exploits work on these opsyses. This implies that others might. Industry sources say it's rather hard to get privileges with the facilities in the 98 gdi dll. All this is a little less confidence-inspiring than one would like, but so it goes.

NT4 has been rarely mentioned. I'd presume it's really badly at risk until further notice.

A small taste of what could have been is offered by a chart shown me by a friend who's an ISP's chief admin. He printed to PDF to show me the dip in traffic on the alleged Sober trigger date. (It picked up two hours later as though nothing had happened - strange.) Not worthy of mention was the fact that over the last two weeks **85-95%** of the incoming traffic to his mail servers was worm trash messages and spam (filterable). I asked - a couple of spot checks have shown that Sober variants are about half of the trash.

You just have to see the damage done by one of the recent pfishing exploits (CWS, Spy Sherreff, etc.) to appreciate how sneaky the bad guys have become, once they started getting paid for their noxious efforts.

Judy G. Russell
January 6th, 2006, 11:04 AM
Sigh... it's things like this that make me think seriously about Linux...

Gary Maltzen
January 6th, 2006, 11:22 AM
Sigh... it's things like this that make me think seriously about Linux......and any time you want some help...

Judy G. Russell
January 6th, 2006, 11:40 AM
Thanks, Gary! I may actually see if I can find some time in '06 to at least give it a try. The problem is that I still have a lot of programs I use regularly that are Windows programs and I have no idea how they would run on Linux.

Jeff
January 6th, 2006, 01:05 PM
I'm likely missing something, but wasn't there a possible "bad code in graphics" uproar several years ago?

- Jeff

Gary Maltzen
January 6th, 2006, 01:21 PM
Thanks, Gary! I may actually see if I can find some time in '06 to at least give it a try. The problem is that I still have a lot of programs I use regularly that are Windows programs and I have no idea how they would run on Linux.To check it out you can run Knoppix, a "LiveCD" Linux distribution; no install required.

Judy G. Russell
January 6th, 2006, 01:36 PM
Now that sounds very interesting indeed. Thanks, Gary!

Judy G. Russell
January 6th, 2006, 01:36 PM
Yup, but as I recall a different type of graphic file.

fhaber
January 6th, 2006, 04:07 PM
Jpeg, I think, last time (maybe more than once).

The trouble with WMF is that since Windows 3 at least, it's *deliberately* been a sort of program as much as it is a data file. And then they hand the error-handling code to the author, who can deliberately throw an error, then run heaven-knows-what. And if the user is running as admin, which he practically has to do to avoid terminal irritation fifty times a day --- boom.

Judy G. Russell
January 6th, 2006, 06:02 PM
JPG is what I remembered as well, but wasn't sure. But this WMF thing -- amazing. I had no idea it had been set up to "help" me by running any damned program it wanted!