Microsoft is supposed to move GDI to userspace in Vista, which should cure at least this problem of not being compartmentalized.
You mean put it back as it was in Windows NT 3.5?
Quote:
Originally posted here by hogfly
Microsoft is supposed to move GDI to userspace in vista, which should cure atleast this problem of not being compartmentalized.
Anyway.. keep watching the skies. Next week could see an even more widespread exploitation I guess.
Could anyone provide some useful information/procedures, how I could go about testing this on a computer LAN'ed with me?
Testing what???
MLF
FYI - In case you have not seen it yet:
Link: http://isc.sans.org/
Updated Story:
So for now... back to the drinking and festivities! :D
Quote:
Back to Green (NEW)
Published: 2005-12-29,
Last Updated: 2005-12-29 18:56:34 UTC by Chris Carboni (Version: 1)
As it has been 24 hours since we elevated the Infocon to yellow in response to the WMF 0-day exploit, we will be lowering the Infocon level to Green.
An advisory has been released by Microsoft, working snort signatures are available and as a result of raising the Infocon to yellow yesterday, awareness of the issue has been raised appropriately.
Moving to green signifies that no -new- significant threats are currently being tracked and is not intended to imply that the threat level today is any less than it was yesterday. See Infocon Levels for more information. Administrators and others responsible for system security are encouraged to act appropriately if no action or incomplete actions have been taken at this time.
It's all clear.. It's not a vulnerability (again) :p
And that fix is fun :)
So.. YEY more beer..
BTW: I've seen a please download this wmf pop up in konqueror for this one 'nasty' site I was visiting..
Perfect.... Here's my new "satellite office".... Built by my own hands and the reason I have been so "quiet" around here of late..... It doesn't slope like that..... I was "sloping" while I took the picture.... hic... ;)
Quote:
So for now... back to the drinking and festivities!
Hmmm,
It'll look better when you get the optics and beer pumps installed :D
:drink:
The optics will be a problem since the bar was built to give the best view of the lake which isn't visible in the picture provided.... There is a fridge and a 32 bottle wine cooler built into the back though which works nicely for my "tinnies" and sweetie's wine.... ;) The tap may come in the future as will the flat screen TV between the left hand two windows.... :D
Here's a better view of the current setup.....
/* Completly off topic disregard this */
T_S //Puts on his best prisoner voice from monty python and the holy grail You lucky lucky bastard they must think the sun shines out of your fooking ass :D
The vuln could be spread easily over P2P networks with an inappropriate file name :D
juuuuuust a thought...but....does AO verify file content of images in signatures? or in avatars? If I change my av to a linked image with a WMF file renamed to something else...where is the security there? I smell instant XSS among other fun tid-bits!
Soda, your idea is novel but won't work properly because IE tries to render the file if it's been renamed as well, so a gif/tif/png etc will all still render and exploit. This is thanks to MS's amazingly stupid idea of trying to be clever with error correction and try to assume that the file was named wrong. I have exploited IE machines by renaming a vbscript file to .png and it executed the commands without a hitch....well...not for me.
In short, I see this as possibly having a huge impact due to sneaky deployment on major sites.
- Noia
Just wondering, are you still vulnerable to this bug if you turn all the settings to off on your browser, so that it blocks all ads, pictures etc?
Forget it, gore gave me an idea. :rolleyes:
Quote:
Testing what???
MLF
Man this is just getting worse...the websites serving up this exploit are growing quickly. Check these posts:
Quote:
http://sunbeltblog.blogspot.com/2005...otational.html
Ok, here is why this is bad. You don't have to go to a crack site or a porn site. You go to any site that is using rotational popups from a third party ad network that is spawning Exfol popups, you get exploited.
Quote:
http://www.f-secure.com/weblog/archi....html#00000754
And finally, you might want to start to filter these domains at your corporate firewalls too. Do not visit them.
A couple more reports on that too:
http://blogs.zdnet.com/Spyware/index.php?p=735
http://www.eweek.com/article2/0,1895,1906915,00.asp
If you cast your mind back to last year, there was a case where a major commercial ad network was serving up another exploit: http://www.theregister.co.uk/2004/11...server_attack/ - the fallout from that was pretty nasty.
Kevin Kean from Microsoft has posted comments on their security response center blog confirming that there WILL be a patch issued for this WMF image vuln...
See link http://blogs.technet.com/msrc/archiv...30/416694.aspx
Quote:
When we complete this investigation, we’ll do what is best to help protect our customers. We have determined that this vulnerability will be fixed through a security update, and we will release that either through the regular monthly release cycle or out-of-cycle, depending on customer needs.
Right now, we are working very closely with our anti-virus partners and aiding law enforcement with its investigation. We continue to recommend that customers follow our security guidance, including being careful where you browse, never accepting email attachments from unknown senders, keeping your anti-virus software up to date, enabling a firewall and staying current on security updates.
apparently avast! antivirus detects this exploit already and removes it before it even reaches your computer at the moment. interesting, while i haven't heard of any other AVs successfully doing so with ease.
EDIT: forgot to mention that i found this while browsing around the avast! av forums. here's the link to the thread if anybody is curious.
Quote:
We're protected by the latest VPS 0552-1, avast! detects this exploit as Win32:Exdown [Trj] and other AVs do too but avast!'s users are more effectively protected by Web Shield as it scans HTTP traffic in real time so the exploit is stopped before it gets to our machine.
http://forum.avast.com/index.php?topic=18295.0
I just read a report on Kaspersky's Viruslist blog (Viruslist blog) that, contrary to earlier reports, unregistering and deleting the SHIMGVW.DLL will NOT protect you - they claim the vuln is in the GDI32.DLL. :confused:
Also, F-Secure (source) is reporting that a well known low-level Windows expert, Ilfak Guilfanov, has written and published a fix for free that won't break the image functionality that breaks when unregistering the SHIMGVW.DLL. According to F-Secure it injects itself into all processes loading USER32.DLL. Ilfak wrote the program Interactive Disassembler Pro BTW.
You can download it here: http://www.hexblog.com/2005/12/wmf_vuln.html
I'm installing it now to check it out...try it at your own risk as I can't vouch for its validity at this point in time.
Let's just hope MS gets that patch out SOON as I worry about my friends, family, and coworkers opening all those holiday greeting card emails ....with WMF exploit code. :mad:
interesting indeed, but that's only one company claiming that that is the vulnerability during a time where nobody knows for sure. by the way, a new update for a squared users gives them the detection for the windows wmf exploit (couldn't get the screenshot, it updated too fast for me). there aren't a lot of details about how a squared deals with it (not even in forums) so who knows for sure what it will do.
They prolly don't wanna put out a patch too soon.
It might break a lotta Adware. </snicker>.
:cool:
Claria anyone??? lol
Quote:
Originally posted here by rcgreen
They prolly don't wanna put out a patch too soon.
It might break a lotta Adware. </snicker>.
:cool:
Can't find the mag but I read in Wired recently that one of the brainstormers/founders of Claria also founded Symantec....hrm, isn't Symantec touting themselves as a SECURITY company?!! lol Loved that one. :rolleyes:
Quote:
Originally posted here by rcgreen
I have a hint for those who might want to know why Windows
(which all the accredited experts have proven to be more
secure than linux) keeps tripping up on this stuff. Think
compartmentalization.
BTW, this is not a vulnerability. (you listening catch?)
The OS is only doing what was designed to do.
Your only fix is to deliberately break the OS
by disabling the dll that provides you with all this
rich functionality.
LMAO.
I think you don't really read what catch says, and instead inject your own thoughts into his comments. He has never said there are not vulnerabilities to Windows. He has said that there is not a single vulnerability that allows you to override the security policy of the system. This exploit does not give you anything but the ability to run code without the user being prompted. If you want to avoid a system being completely compromised, don't run IE or Firefox, or whatever as administrator, or with administrative privileges... Opening an infected .wmf file with only user permissions doesn't really do that much damage to the underlying OS.
If the user is locked down from installing software, or if IE is properly locked down using the IEAK, this is a non issue. A proper security policy keeps this from being an issue. Users surfing the web should not be able to install software, should not be administrators, and should only have NTFS permissions to their own files. This should in no way compromise the security of the box itself, unless you are foolish enough to run as administrator all of the time. It seems like a lot of people on here do exactly that.
We didn't do anything with this at my work except double check to make sure that we were filtering .wmf on all of our mailgateways(WMF was already a restricted file type), and then make sure to put .wmf into our AV extension blocks.
Also. If you unregister the shimgvw.dll it only breaks the microsoft picture and fax viewer. If you open pictures with software such as firefox, macromedia fireworks, or camera software such as the Fuji finepix viewer pictures open and work perfectly. Even the MS Office 2003 Photo Manager continues to work.
Quote:
He has said that there is not a single vulnerability that allows you to override the security policy of the system.
This is a truism that means nothing, because the system is designed to allow this to happen. Windows wasn't designed to be an OS for end users, but to be a platform for adware.
They can't patch it, because it would cripple all those web designers who want access to
your hard drive. No, it's not a vulnerability at all. It is performing its intended function,
to fill your desktop with ads.
Quote:
If the user is locked down from installing software, or if IE is properly locked down using the IEAK this is a non issue. A proper security policy keeps this from being an issue. Users surfing the web should not be able to install software, should not be administrators, and should only have NTFS permissions to their own files.
Quite true, but since the system doesn't ship that way by default, and most home users do not have a professional system administrator to set up and maintain their systems,
and since M'soft tries to give us the impression that this is a plug'nplay world, and
your computer will work right out of the box....
Who is responsible for this, and who is going to pay to fix it?
Joe user, as usual.
:cool:
Uh, FYI,
SANS Infocon back to yellow!
Handler's Diary December 31st 2005
* New exploit released for the WMF vulnerability - YELLOW (NEW)
Happy New Year.
Quote:
...
The exploit generates files:
* with a random size;
* no .wmf extension, (.jpg), but could be any other image extension actually;
* a random piece of junk in front of the bad call; carefully crafted to be larger than the MTU on an ethernet network;
* a number of possible calls to run the exploit are listed in the source;
* a random trailer
From a number of scans we did through virustotal, we can safely conclude there is currently no anti-virus signature working for it. Similarly it is very unlikely any of the current IDS signatures work for it.
Judging from the source code, it will likely be difficult to develop very effective signatures due to the structures of the WMF files. ...
I have never heard anything so ridiculous in all my life......
Quote:
This is a truism that means nothing, because the system is designed to allow this
to happen. Windows wasn't designed to be an OS for end users, but to be a platform for adware.
They can't patch it, because it would cripple all those web designers who want access to
your hard drive. No, it's not a vulnerability at all. It is performing its intended function,
to fill your desktop with ads.
You never came across as dumb before but you excelled yourself with this post....
Placed firmly on moron list.....
:rolleyes:
Quote:
I have never heard anything so ridiculous in all my life
Are you going to swear that they don't take the desires of web designers (and advertisers) to heart when they design this stuff? Sure they designed it this way.
They just didn't think that anyone would use the feature for "malicious" purposes.
They were over-optimistic and naive and greedy. Many of the exploits of the
last ten years are based on this same thinking. Some feature that "seemed
like a good idea at the time" gets turned to evil purposes.
Quote:
Placed firmly on moron list
I've been here long enough. It's new year's eve, and I have a right to be as much of a troll as anyone else on this forum.
Now I gotta go watch Hitchiker's Guide. Happy new year and
don't let the virus bite.
:cool:
Reality check please?
Windows has evolved? it can hardly be described as "new"............... I can recall using 14.4k and 28.8k dial-up connections....................no "adware" in those days?
My argument would be that it is the Internet that has changed, not the operating systems?
Just my thoughts :)
This thing is now being sent out in spam.
Source: http://www.isc.sans.org/diary.php
Quote:
When the HappyNewYear.jpg hits the hard drive and is accessed (file opened, folder viewed, file indexed by Google Desktop), it executes and downloads a Bifrose backdoor (detected by us as Backdoor.Win32.Bifrose.kt) from www[dot]ritztours.com.
Is anyone else still running win98? I have two win98 computers
and neither of them has the shimgvw.dll. I was threatening my wife that
if her box got infected, I was going to reformat and put Slackware on it.
I guess she has escaped that fate for now.
:cool:
Of course, both first and second editions.............good for legacy apps and old games. It works fine for older, casual users..........I also have 3 instances of Win ME that run just fine.
Quote:
Is anyone else still running win98?
I also have DOS 3.0, Windows 2.03 onwards..........................
I run '86s, 286s, 386s, 486s................PI, PII, PIII.............etc
They all work
:D
We have 3 98's at work, use 2 for spares (something for the salesman to play with) and one with PC Anywhere on it, so they can access the program the company uses... from home. Also we have about 5 unopened Win 95's, not sure what to do with them ;)
I have windows 98 on one of my other boxes ... But I have temporarily put it to rest [ For the time being ] ... Too busy playing with Windows XP at the moment ...
Windows 95 ahhh the memories, the multiple formats for my newbie mistakes ... :D
Quote:
Also we have about 5 unopened Win 95's, not sure what to do with them
B.T.W. nihil just curious how many computers do you have ? and which is the oldest ??
i clicked on gores link and got bubkiss..... see... i was running the latest version of firefox with no toolbars...
chimed in a little late on this thread... was busy for the holidays
From Castlecops
Quote:
There is a new danger floating around the Internet right now, a zero-day exploit taking advantage of the Windows Media Format (WMF) vulnerability. It's not limited to WMF files, it is taking the shape of images as well. This exploit is currently billed as the worst infection in history. It can hide rootkits, it can even hide itself.
This is not a joke.
Many antivirus companies can not discover this malware at present. Microsoft is not responding fast enough. Download a brand new WMF vulnerability checker to see if you are susceptible [Details]. However, don't let this stop you from applying two specific workaround patches.
Read the following two articles and install the "Windows WMF Hotfix" followed by de-registering the file "shimgvw.dll". Then reboot. Now, wait with the rest of us for Microsoft and antivirus companies to officially patch this vulnerability and detect/clean it. Spread the word.
Interim WMF Exploit Savior
We've all been following the dramatic story of the whole wmf exploit and how it is easily spoofed into other image types. The last day of 2005 the wmf exploit exploded into other various venues such as instant messages, email, and more. Various tools have been setup to try and catch or filter out the wmf exploit, but last night it has mutated. Newest variations change the header and tail of the wmf exploit making its signature difficult to locate.
Drum roll please...
Ilfak Guilfanov who is being billed as one of the foremost experts in Windows low level technology has released a temporary/interim patch for Windows.
(check often for updates, this is version 1.3)
Technical details: "this is a DLL which gets injected to all processes loading user32.dll. It patches the Escape() function in gdi32.dll. The result of the patch is that the SETABORT escape sequence is not accepted anymore."
Once Microsoft releases an official patch, or if the above doesn't work, you can uninstall it from your Add/Remove Programs menu. It'll be listed as "Windows WMF Metafile Vulnerability HotFix".
The Internet Storm Center gives this patch its stamp of approval:
We have very carefully scrutinized this patch. It does only what is advertised, it is reversible, and, in our opinion, it is both safe and effective.
The word from Redmond isn't encouraging. We've heard nothing to indicate that we're going to see anything from Microsoft before January 9th.
The upshot is this: You cannot wait for the official MS patch, you cannot block this one at the border, and you cannot leave your systems unprotected.
So there you have it, don't trust the firewall filters, don't trust the antivirus vendors, don't wait for Microsoft. Install the patch immediately. If you are running a Windows operating system the patch doesn't support, time to shut it off and wait.
Temporary Patch
SANS has a nice article about this quick fix..
http://isc.sans.org/diary.php?storyid=996
Quote:
We've received many emails from people saying that no one in a corporate environment will find using an unofficial patch acceptable.
Acceptable or not, folks, you have to trust someone in this situation.
To the best of my knowledge, over the past 5 years, this rag-tag group of volunteers hasn't asked for your trust: we've earned it. Now we're going to expend some of that hard-earned trust:
This is a bad situation that will only get worse. The very best response that our collective wisdom can create is contained in this advice - unregister shimgvw.dll and use the unofficial patch. You need to trust us.
Hey Hey,
It's like being stuck between a rock and a hard place...
I work, essentially, for a graphics company... the emailing and viewing of images is quite common around here... Our business relies on it..
I can't set the email filter to strip all attachments because of that, I can't unregister the DLL because we rely on the ability to render images and I'm not sure about this unofficial patch... I trust them... but it's still unofficial... if it blows up... heads will roll...
In the end being in charge of IT... with an axe hanging over my head... it seems like waiting it out to see what MS will do is the more viable solution...
Scenario 1: Install the Patch -- Everything blows up... I have to do clean installs... It's my fault for taking a risk with an unofficial patch.
Scenario 2: Wait it Out -- Someone gets infected, everything blows up... I have to do clean installs... I can pass blame because there was nothing else I could have done... MS left me open...
Peace,
HT
PS: Any Objections to one of us mods renaming the thread so it better represents the discussion?
Quote:
I work, essentially, for a graphics company... the emailing and viewing of images is quite common around here... Our business relies on it..
Similar situation here. We do printing. I half way expect to arrive at work and find the IT guys running up and down the halls from one disaster to the next, and all work brought to a standstill.
:cool:
And there's no way they are going to use an unofficial patch.
CYA is the first lesson you learn in Kindergarten. Sad but
true. It's more important to assign blame than to "do the right thing".
:cool:
You know...
IMHO the funniest thing about this whole WMF thing is that I went to Microsoft.com and got to see a smirking Bill Gates with the words "What's the next big thing?" (jpg)
http://msdn.microsoft.com/library/de...tspol_0d6b.asp
http://msdn.microsoft.com/library/de...tspol_0883.asp
Well a vector graphics renderer that allows for the vector graphics themselves to define the 'on error' behavior.. That's a big thing..
http://www.microsoft.com/technet/sec...ry/912840.mspx
What law enforcement..
Quote:
Microsoft’s investigation into this malicious act is ongoing. We are working closely with our anti-virus partners and aiding law enforcement in its investigation.
These 'malicious' WMFs are just doing what they were supposed to be doing...
And what they should have been doing since 1990 !! (Windows 3.0)
It was just that most WMF software was too lazy to add any error handling in the images.. .. .. ..
here's a few unofficial patches that i found. however, since they are unofficial, things could be messed up, so i recommend you just wait for the official one...
Quote:
I suggest you read the info at SANS:
http://isc.sans.org/diary.php?date=2006-01-01
and at SunbeltBLOG:
http://sunbeltblog.blogspot.com/ there are several posts about it.
SANS and Sunbelt are highly recommending this unofficial patch until Microsoft releases an official fix.
The patch can be downloaded here:
http://www.hexblog.com/2005/12/wmf_vuln.html
More info there as well.
Please feel free to copy this information to other forums and sites.
I spent a couple of hours testing the patch tonight on VMware, and in my tests, it did work. There is also a test to check your machine from the developer of the patch.
http://www.hexblog.com/2006/01/wmf_v...cker.html#more
I urge everyone to check this out and install the patch after you read all the information.
I'm in a similar situation except mine involves surfing the web: I can't stop my users from doing it. Further, if we decide to apply a 3rd party patch we have a lot of testing to perform BEFORE applying this patch...and if we break a business critical app we're toast.
Quote:
Originally posted here by HTRegz
It's like being stuck between a rock and a hard place...
...
In the end being in charge of IT... with an axe hanging over my head... it seems like waiting it out to see what MS will do is the more viable solution...
Scenario 1: Install the Patch -- Everything blows up... I have to do clean installs... It's my fault for taking a risk with an unofficial patch.
Scenario 2: Wait it Out -- Someone gets infected, everything blows up... I have to do clean installs... I can pass blame because there was nothing else I could have done... MS left me open...
I'm debating whether to install the 3rd party patch or wait for Microsoft. I'm leaning toward getting the login scripts ready and if MS doesn't come through tomorrow (Tue) deploy it...dunno.
This just sucks! I got over 2000 machines that could get infected... :(