What browser, Agent_Steal?
- X
Hi there Xierox, the browser that I use is:
Microsoft Internet Explorer Version 6.0.2900.2180.xpsp_sp2_gdr.050301-1519 ... Exactly what it says in the About Internet Explorer dialog box ...
Before I forget, I clicked on that link yesterday ...
B.T.W. before you decide to unleash this little beast on your computer make sure that you back up anything important .. Just curious, has anyone else on here infected themselves yet ???
I hooked up an old box last night, and deliberately infected the machine with it..
Quote:
Just curious has anyone else on here infected themselves yet ?
I clicked on the link and I also went to the link, for **** and giggles of course, before I posted that .bmp image. I didn't notice anything happen to my system. ALL software is up-to-date, web browser is 6.0.2800.1106 for windows 2000 pro.
Quote:
Just curious has anyone else on here infected themselves yet ???
I believe I coined the name Hoss.... Based on the character from that cowboy show years ago....
Bleeding Snort has a sig for this for those of you with networks to defend..... www.bleedingsnort.org
Bonanza :D
http://bonanza1.com/hoss/
:)
Ahhh.... Your brain cell works better than mine..... Haven't finished my third coffee yet...... ;)
Just found another workaround posted here
http://www.eweek.com/article2/0,1895...05dtx1k0000599
Quote:
The same effect may be obtained with a registry change. In the Regedit program go to the key:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\image\ShellEx\ContextMenuHandlers\ShellImagePreview
Then delete the default value. To re-enable the feature, go to the same key and set the default value as a REG_SZ to "{e84fda7c-1d6a-45f6-b725-cb260c236066}". You may download .REG files that perform these tasks from Athias's message.
MLF
Peeps.. this is NOT just an IE vulnerability - it's an OS vulnerability that is not browser dependent, so Firefox etc users are still potentially vulnerable.
Theoretically, any internet application could download the WMF file - browser, mail client, IM application, P2P client etc. From the reports I've seen, once the infected WMF file is anywhere on your system, there's a risk that Shimgvw.dll might fire up and execute the exploit. (Google Desktop has been cited as a culprit here too).
At the moment, it seems to be a few infected web sites but there are many other ways that the exploit could be used:
- Embedded in an email message (it doesn't need to be an attachment). If you have autopreview on, then the exploit would run automatically without having to do very much.
- In the past, legitimate advertising networks have been compromised to spread exploits. It seems that you can rename the WMF extension to something else, and it's STILL possible to infect the machine as the OS doesn't rely on the extension alone.
- Through network shares on a corporate network (because of the thumbnailing function).
- It must also be theoretically possible to infect a Windows-based web server by uploading an infected file to somewhere that the DLL will trigger. That site could then be used to serve up infected WMF files to visitors. We've seen exploits like this before.
I think the ONLY safe thing to do is de-register the DLL until there's a fix. At the moment, the threat is contained, but because the code is now available it's only going to be a matter of time before we see this becoming more widespread.
I guess in a corporate environment it should be possible to run REGSVR32 remotely using PSEXEC or AT.
Quote:
Un-register the Windows Picture and Fax Viewer (Shimgvw.dll) on Windows XP Service Pack 1; Windows XP Service Pack 2; Windows Server 2003 and Windows Server 2003 Service Pack 1
To un-register Shimgvw.dll, follow these steps:
1. Click Start, click Run, type "regsvr32 -u %windir%\system32\shimgvw.dll" (without the quotation marks), and then click OK.
2. A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.
Impact of Workaround: The Windows Picture and Fax Viewer will no longer be started when users click on a link to an image type that is associated with the Windows Picture and Fax Viewer.
To undo this change, re-register Shimgvw.dll by following the above steps. Replace the text in Step 1 with “regsvr32 %windir%\system32\shimgvw.dll” (without the quotation marks).
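The point made earlier in this post, that a renamed WMF file is still handled as a metafile because the OS does not rely on the extension, means a sweep of a share by *.wmf alone will miss files. What follows is an added example, not code from the thread or from any poster: a small Python sweep that classifies files by their first header bytes (the placeable-metafile key 0x9AC6CDD7 and the standard META_HEADER fields, values taken from the WMF file format itself, not from this thread) and flags any whose extension does not match what the header says. The sample files it writes are constructed headers only, and the directory layout and function names are my own.

```python
import os
import struct
import tempfile
from typing import List, Optional, Tuple

# Header constants come from the WMF file format, not from the thread:
# a placeable (Aldus) metafile opens with the little-endian key 0x9AC6CDD7,
# a plain metafile with META_HEADER = FileType (1 memory, 2 disk), HeaderSize (9 words), Version.
PLACEABLE_KEY = b"\xd7\xcd\xc6\x9a"
META_VERSIONS = (0x0100, 0x0300)


def sniff_wmf(head: bytes) -> Optional[str]:
    """Classify a file by its first six bytes; the file name is ignored entirely."""
    if head[:4] == PLACEABLE_KEY:
        return "placeable"
    if len(head) >= 6:
        file_type, header_size, version = struct.unpack("<HHH", head[:6])
        if file_type in (1, 2) and header_size == 9 and version in META_VERSIONS:
            return "standard"
    return None


def scan_tree(root: str) -> List[Tuple[str, str, bool]]:
    """Walk root; return (relative path, kind, extension_mismatch) for every WMF-looking file."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(6)
            except OSError:
                continue  # unreadable file: skip it rather than abort the whole sweep
            kind = sniff_wmf(head)
            if kind is not None:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                hits.append((rel, kind, not name.lower().endswith(".wmf")))
    return sorted(hits)


def build_sample_tree() -> str:
    """Write constructed sample files (hypothetical layout) into a temp dir: headers only, no payload."""
    root = tempfile.mkdtemp(prefix="wmf_sweep_")
    os.makedirs(os.path.join(root, "share", "pics"))
    samples = {
        # placeable WMF header renamed to .jpg: the renamed-extension case the post describes
        "share/pics/holiday.jpg": PLACEABLE_KEY + b"\x00" * 18 + struct.pack("<HHH", 1, 9, 0x0300),
        # ordinary disk metafile carrying its own extension
        "share/chart.wmf": struct.pack("<HHH", 2, 9, 0x0300) + b"\x00" * 12,
        # JPEG SOI marker under a misleading .wmf name: not a metafile, must not be flagged
        "share/pics/logo.wmf": b"\xff\xd8\xff\xe0" + b"\x00" * 12,
        "share/readme.txt": b"plain text, nothing to see",
    }
    for rel, data in samples.items():
        with open(os.path.join(root, *rel.split("/")), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for rel, kind, mismatch in scan_tree(build_sample_tree()):
        flag = "  <-- extension does not match content" if mismatch else ""
        print(f"{rel}: {kind} WMF{flag}")
```

Pointed at a real share root instead of the constructed tree, the sweep lists every metafile the thumbnailing path could pick up, with the renamed ones marked, which is the list you would want before deciding where the regsvr32 workaround above has to be applied.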
I have a hint for those who might want to know why Windows (which all the accredited experts have proven to be more secure than linux) keeps tripping up on this stuff. Think compartmentalization.
Code and data, which ought to have been separated, are hopelessly intertwined in everything Microsoft does. Ask your favorite Windzz fanboy why a document or image needs to have executable code in it. Ask him why the OS obediently executes this embedded code.
"It's a feature, not a bug" "It's there to give you a richer web experience"
It is there to satisfy greedy web designers who want more control over your web experience, and as long as this design philosophy prevails, you can expect these magical features to be a playground for lamers and crackers.
:cool:
BTW, this is not a vulnerability. (you listening catch?) The OS is only doing what it was designed to do. Your only fix is to deliberately break the OS by disabling the dll that provides you with all this rich functionality.
LMAO.