-
January 2nd, 2006, 11:44 PM
#91
Some instant messengers allow people to display pictures from their machines next to the chat window ( MSN Messenger springs to mind ). Does anybody know if this is vulnerable? I would guess it is, but would like to know for sure.
If everything looks perfect, then there is something you don\'t know
-
January 3rd, 2006, 01:03 AM
#92
qwertyman66
he new vulnerability makes it possible for users to infect their computers with spyware or a virus simply by viewing a web page, e-mail or instant message that contains a contaminated image.
“We haven’t seen anything that bad yet, but multiple individuals and groups are exploiting this vulnerability,” Mr Hyppönen said. He said that every Windows system shipped since 1990 contained the flaw.
from here
Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”
-
January 3rd, 2006, 01:38 AM
#93
the exploit still works if the .wmf files were renamed to other image extensions.. like .jpg or .bmp... so filtering .wmf wont 100% work
-
January 3rd, 2006, 06:14 AM
#94
No, it doesn't work because they are recognized and therefore executed based on their 'magic' If you filtered by the magic at the border you *may* have a chance of blocking them from the outside. No guarantees though.
Antionline in a nutshell
\"You\'re putting the fate of the world in the hands of a bunch of idiots I wouldn\'t trust with a potato gun\"
Trust your Technolust
-
January 3rd, 2006, 10:25 AM
#95
Hi,
One thing I haven't seen specifically discussed is whether there is a "minimum size" for one of these image files that potentially contains malicious code?
-
January 3rd, 2006, 11:00 AM
#96
On the Windows 2000 issue..
My desktop PC here is Windows 2000 running Outlook 2000. Outlook can render WMF files embedded in an email message just fine - i.e. not as an attachment, as part of the message body. I guess if you have autopreview then you can infect your PC without even opening the message.
You can also embed WMFs in things like Word documents and other office files. It's been a long time since I've seen DOC files used to carry a malware payload and I guess we're not used to it these days. That'll likely sail past your defences and infect anyone who opens the file.
The thing is that there are just TOO MANY ways that this can get onto your system.
If you are an admin, at the very least you should protect your own PC by deregistering the DLL and installing the unofficial patch. That means that if your organisation does get hit, at least you'll be able to coordinate some sort of response.
-
January 3rd, 2006, 12:22 PM
#97
It seems that 'older' windows versions are not vulnerable afterall..
http://blog.ziffdavis.com/seltzer/ar.../02/39680.aspx
Windows 2000, ME, and 98 are NOT vulnerable
...
They say this is based on actual testing. I have to admit that I have been taking the claims that earlier versions were affected for granted and have only been testing myself on XPSP2. Later tonight I hope to test something earlier.
http://www.hexblog.com/2006/01/wmf_v...y_checker.html
The nice people at hexblog have created a nice little vulnerability checker..
ASCII stupid question, get a stupid ANSI.
When in Russia, pet a PETSCII.
Get your ass over to SLAYRadio the best station for C64 Remixes !
-
January 3rd, 2006, 12:37 PM
#98
I ran the checker on a Windows 2000 SP4 PC and it came out as vulnerable. Also, a legacy NT4 box was also flagged as being vulnerable.
-
January 3rd, 2006, 01:17 PM
#99
Greeting's
I have not read all the 10 pages of the thread but If this is posted before please forgive me. Anyway both Microsoft and SANS have updated their information on the exploit.
SANS advisory is now version 3 (even the unofficial patch is now updated to version 1.3)
Microsoft updated their advisory today
Here are the links
1. http://www.microsoft.com/technet/sec...ry/912840.mspx
2. http://isc.sans.org/
I feel its a must read for all members.
Wishing all of you a very happy, prosperous and SAFE new year.
Parth Maniar,
CISSP, CISM, CISA, SSCP
*Thank you GOD*
Greater the Difficulty, SWEETER the Victory.
Believe in yourself.
-
January 3rd, 2006, 05:20 PM
#100
That isn't quite true. While only Windows XP and Server 2003 by default associate handlers with WMF files, in older systems (e.g. Windows 2000) applications may have easily associated WMF files with Windows handlers. For all we know, Microsoft Office may have done so. So it's quite possible that owners of Win2000 boxes are in danger.
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
|