New Windows zero day exploit on the loose.
PrntRhd
12-28-2005, 08:43 PM
There is a new unpatched exploit for Windows machines on the loose, ranging from DOS machines to XP Pro SP2:
http://www.f-secure.com/weblog/
http://sunbeltblog.blogspot.com/2005/12/new-exploit-blows-by-fully-patched.html
The problem seems to be related to malformed WMF files that load malware onto PCs.
SANS site is overloaded but has additional information:
http://isc.sans.org/diary.php?rss&storyid=975
The vulnerability seems to be within SHIMGVW.DLL. Unregistering this DLL (type REGSVR32 /U SHIMGVW.DLL at the command prompt or in the "Start->Run" Window, then reboot) will resolve most of the vulnerability, but will also break your Windows "Picture and Fax Viewer", as well as any ability of programs like "Paint" and "Explorer" to display thumbnails of any picture and real (benign) WMF files.
Not that we didn't have enough "good" news already, but if you are relying on perimeter filters to block files with WMF extension from reaching your browser, you might have a surprise waiting for you. Windows XP will detect and process a WMF file based on its content ("magic bytes") and not rely on the extension alone, which means that a WMF sailing in disguise with a different extension might still be able to get you.
classicsoftware
12-28-2005, 08:57 PM
To Quote Sun-Belt Software:
Any application that automatically displays a WMF image will cause the user's machine to get infected. This includes older versions of Firefox, current versions of Opera, Outlook and all current versions of Internet Explorer on all versions of Windows.
What this says to me is current users of Firefox are safe again. What a huge surprise. The fox is mightier than the big blue E.
PrntRhd
12-28-2005, 09:25 PM
I hope that they fix this quickly, the hack in the quote from SANS is the only thing so far to slow it down.
It may also be advisable to add the following to the HOSTS file for blocking:
Crackz [dot] ws
unionseek [dot] com
www[dot]tfcco[dot]com
Iframeurl [dot] biz
beehappyy [dot] biz
PrntRhd
12-28-2005, 10:44 PM
The SANS hack WILL BREAK applications, but is reversible when a fix occurs.
Be sure to update your AV manually several times a day while this is going on.
http://www.us-cert.gov/cas/techalerts/TA05-362A.html
Edit: KAV & NAV have detections to stop the exploit now, but there are 50 variants already, so many updates will be occurring over the next few days to chase down new versions.
IE Spyads is also updating to block this crud.
Microsoft Security Advisory (912840)
Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution.
Published: December 28, 2005
[excerpt]
Mitigating Factors:
• In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's Web site.
• An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
• By default, Internet Explorer on Windows Server 2003, on Windows Server 2003 Service Pack 1, on Windows Server 2003 with Service Pack 1 for Itanium-based Systems, and on Windows Server 2003 x64 Edition runs in a restricted mode that is known as Enhanced Security Configuration. This mode mitigates this vulnerability where the e-mail vector is concerned, although clicking on a link would still put users at risk. In Windows Server 2003, Microsoft Outlook Express uses plain text for reading and sending messages by default. When replying to an e-mail message that is sent in another format, the response is formatted in plain text. See the FAQ section of this vulnerability for more information about Internet Explorer Enhanced Security Configuration.
Microsoft Security Advisory (912840) (http://www.microsoft.com/technet/security/advisory/912840.mspx)
hockey man
12-29-2005, 05:10 PM
Man, I watched that video. That is scary. Think of those who are sucked in.
F-SECURE
Thursday, December 29, 2005
WMF, day 2
---
And finally, you might want to start to filter these domains at your corporate firewalls too. Do not visit them.
So far, we've only seen this exploit being used to install spyware or fake antispyware / antivirus software on the affected machines. I'm afraid we'll see real viruses using this soon.
---
http://www.f-secure.com/weblog/archives/archive-122005.html#00000754
Jiggy
12-29-2005, 08:03 PM
Is it as simple as adding the below list to the bottom of the host file I have or do I add 127.0.0.1 before domain as in my host file ?
pangea33
12-29-2005, 08:43 PM
You still need to have every line preceded with localhost, 127.0.0.1, or some other IP that won't get out. This is probably obvious, but you need to replace the bracketed "dot" with an actual "." too. Works for me. Not sure if you need to reboot before the new HOSTS entries go into effect, but I always do.
Microsoft Security Advisory (912840): Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution.
http://www.microsoft.com/technet/security/advisory/912840.mspx
The FAQ section of this MS Security Advisory has been updated (29 Dec-05).
ErnieK
12-30-2005, 08:29 AM
Below you will find a quote from eEye Digital Security and a link to their site for more info.
Dec 29, 2005
eEye Digital Security Research Team Vulnerability Alert
Please Note: While this vulnerability is found in the same component as one patched by Microsoft in Security Bulletin MS05-053, which was discovered by eEye Digital Security and described in a detailed vulnerability analysis, it is not the same issue and currently there is no patch or mitigation steps available. Microsoft has released a Security Alert, available on their website.
What eEye Customers Should Know
Windows 98, Windows ME, Windows 2000, Windows XP, and Windows 2003 are all affected, with no patch being made available yet. The Windows Graphics Rendering Engine is vulnerable, exploitable via a malicious website or other HTML document that contains a maliciously crafted WMF file that, if successful, will run arbitrary commands on a remote system. When the system is exploited, it will run arbitrary commands in the context of the logged-in user.
Users of Internet Explorer can be exploited in an automated fashion. Users of Mozilla Firefox, while still at risk, are less vulnerable, as they would need to download and execute a malicious WMF file.
It has been reported that this vulnerability is being used to distribute spyware. As always, users should take precautions to not click on web links sent to them in unsolicited emails and take note of what websites they are visiting.
Protection from this Flaw
eEye Digital Security's Research Team, after a detailed analysis of this flaw, has confirmed that eEye's Blink® Endpoint Vulnerability Prevention protects from the potential exploitation of this flaw, without requiring invasive firewalling, which could limit system functionality. Additionally, Blink does not require the killing of services or applications as a means of protection. The result is 100% protection, with zero downtime or impact to operations.
Current Blink customers aren't required to do anything to realize the protection from this flaw. No updates or policy changes are required.
If you are interested in protecting your systems with Blink, an evaluation version is available for download on eEye's website:
http://www.eeye.com/blink
I think this article makes interesting and possibly helpful reading:
Days after the revelation of a flaw in Windows' handling of WMF graphics files, dozens of exploits are being spread from thousands of adware sites. But good protection is available.
At the same time, further testing confirms that a workaround issued by third parties and endorsed by Microsoft Corp. is effective in most regards, and in the most important circumstances, but not in all. Also, the workaround has side effects that could prove troublesome.
AV-Test, which tests anti-malware products, has been tracking the situation closely and has, so far, analyzed 73 variants of malicious WMF files. Products from the following companies have identified all 73:
* Alwil Software (Avast)
* Softwin (BitDefender)
* ClamAV
* F-Secure Inc.
* Fortinet Inc.
* McAfee Inc.
* ESET (Nod32)
* Panda Software
* Sophos Plc
* Symantec Corp.
* Trend Micro Inc.
* VirusBuster
These products detected fewer variants:
* 62 — eTrust-VET
* 62 — QuickHeal
* 61 — AntiVir
* 61 — Dr Web
* 61 — Kaspersky
* 60 — AVG
* 19 — Command
* 19 — F-Prot
* 11 — Ewido
* 7 — eSafe
* 7 — eTrust-INO
* 6 — Ikarus
* 6 — VBA32
* 0 — Norman
The difference for the more effective products is likely to be heuristic detection, tracking the threat by identifying the basic techniques of the exploit, rather than looking for specific patterns for specific exploits.
The latter technique leaves users vulnerable to threats that the vendor has not yet identified and protected against. Mikko Hypponen of F-Secure, when asked about the matter, said, "Heuristic detection rocks."
After some concern was expressed about the efficacy of the workaround proposed by third parties and endorsed by Microsoft, it appears that it is basically effective at preventing exploitation in the most common circumstances, but not in all.
Anti-Virus Protection for WMF Flaw Still Inconsistent (http://www.eweek.com/article2/0,1895,1907131,00.asp)
Budfred
12-30-2005, 09:06 PM
The number of infections that this thing loads is increasing at an alarming rate... Please tell everyone you know to get their PCs armored up and be VERY careful about where they go on the internet...
hockey man
12-30-2005, 09:35 PM
Budfred, what is the best way to defend against this?
classicsoftware
12-30-2005, 09:41 PM
Budfred, what is the best way to defend against this?
DON'T use Internet Explorer
Use one of the following AV programs:
* Alwil Software (Avast)
* Softwin (BitDefender)
* ClamAV
* F-Secure Inc.
* Fortinet Inc.
* McAfee Inc.
* ESET (Nod32)
* Panda Software
* Sophos Plc
* Symantec Corp.
* Trend Micro Inc.
* VirusBuster
Be careful where you go.
Disable the DLL as described in many of the links above.
hockey man
12-30-2005, 09:53 PM
Do you know if any of those AVs have a free trial?
hockey man
12-30-2005, 09:55 PM
Is this the right thing:
They also list the REGSVR32 workaround. It's a good idea to use this while waiting for a patch. To quote Microsoft's bulletin:
Un-register the Windows Picture and Fax Viewer (Shimgvw.dll)
1. Click Start, click Run, type "regsvr32 -u %windir%\system32\shimgvw.dll" (without the quotation marks), and then click OK.
2. A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.
Impact of Workaround: The Windows Picture and Fax Viewer will no longer be started when users click on a link to an image type that is associated with the Windows Picture and Fax Viewer.
To undo this change, re-register Shimgvw.dll by following the above steps.
Replace the text in Step 1 with “regsvr32 %windir%\system32\shimgvw.dll” (without the quotation marks).
http://www.f-secure.com/weblog/
classicsoftware
12-30-2005, 09:55 PM
Avast (http://www.avast.com/eng/download-avast-home.html) free for home users.
hockey man
12-30-2005, 09:56 PM
I use AVG, so I'll get that up as well.
classicsoftware
12-30-2005, 10:07 PM
You of course would have to uninstall AVG and install AVAST. You can't have 2 AVs running at the same time.
hockey man
12-30-2005, 10:17 PM
I'll just disable AVG. While you are on this topic, which do you think is better? AVG or AVAST?
classicsoftware
12-30-2005, 10:25 PM
I personally use AVAST. And after seeing this report, my sentiments have been confirmed.
pangea33
12-30-2005, 10:27 PM
I've been using Firefox and Avast for a long time, but I am still not totally reassured by the claims that Firefox isn't vulnerable. Mainly this is because a lot of sites, myspace comes to mind, allow you to embed windows video files into html. Even though I am using FF, it still loads the little WMP player to display the file.
I have seen another fix mentioned that changes a registry entry. The info that I am pasting contains some details that were already posted here, but I chose to leave the text in its entirety.
First, you can unregister the specific DLL that implements the vulnerable code from the system using a command line program. To disable the DLL click Start, then Run, then enter the following command:
regsvr32 /u shimgvw.dll
To re-enable the same DLL, click Start, then Run, then enter the following command:
regsvr32 shimgvw.dll
The same effect may be obtained with a registry change. In the Regedit program go to the key:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\image\ShellEx\ContextMenuHandlers\ShellImagePreview
Then delete the default value. To re-enable the feature, go to the same key and set the default value as a REG_SZ to "{e84fda7c-1d6a-45f6-b725-cb260c236066}". You may download .REG files that perform these tasks from Athias's message.
The workaround has been confirmed by iDEFENSE as effective in preventing the current versions of the exploit, with a caveat. Previous vulnerabilities in the parsing of WMF files have led to additional vulnerabilities in EMF files, a later version of the metafile format. iDEFENSE warns that this workaround may not be effective against such future attacks.
Athias warns that if you unregister shimgvw.dll, Windows Explorer will not display thumbnails anymore. So the registry operation is a much better way.
Budfred
12-30-2005, 10:40 PM
I think the main thing right now is to be VERY careful about what you click on... Add the other tips here to that...
For instance, the various sites that people post in After Hours may be best to pass up until MS properly patches this (if they do...)...
hockey man
12-30-2005, 11:27 PM
Or you could just switch to Linux. . .I'm going to run off my Live CD till things get more under control.
jlreich
12-31-2005, 01:10 AM
The best thing I can say is to make sure you have recent backups until this is resolved. Make one now just in case. ;) I made one a couple hours ago and have one from a week ago and so on.
PrntRhd
12-31-2005, 01:16 AM
The problem is the exploit is using the graphics engine in Windows. Other applications are also affected in ways you won't see until the infection takes place and forensics are done to see how it all went down after the fact.
The AV detections are a good step forward but AV signatures are always a little behind the malware writers' newest versions, so during the lag time between release and new signatures, you are completely vulnerable.
MSPaint is not affected by the earlier registry hack and opening a graphic there WILL allow infection, so avoid opening images in Paint until the problem is resolved, this may also be a problem with other image editing programs!
See day 3 of this:
http://www.f-secure.com/weblog/
pangea33
12-31-2005, 01:26 AM
Sorry for my ignorance, but I have a simple question about the proposed fix of unregistering the dll. I looked through every link I could find, but they didn't answer my question.
What is the impact of a reboot? Will I have to execute the unregistering command every time I restart? Thanks.
PrntRhd
12-31-2005, 01:32 AM
My take from when that was proposed was that a reboot after the command line action locked that value into the Registry, so it should hold.
The latest info on graphics editors gives one pause if you have editing programs on the PC, perhaps physically isolating that PC from the Web may be a good idea if you earn your living by using something like that.
pangea33
12-31-2005, 01:47 AM
I'll be doing some research on Google, but wanted to ask a followup in case anyone knows off the top of their head. Is there a command I can run to see if a given dll is currently registered within Windows? Running the unregister command after every reboot isn't too difficult, I was just hoping to know the answer for sure. Thanks again for entertaining these simplistic questions.
pangea33
12-31-2005, 02:35 AM
For those of us using Avast, I just stumbled across a very important note. In retrospect it's obvious, but it hadn't occurred to me. The default configuration of the web shield doesn't scan gifs and pngs. From the thread:
avast! has a signature of this exploit and also scans HTTP traffic in real time (it scans almost all files downloaded via browser). If I'm not wrong, other graphic file types are scanned except *.gif, *.png but you can remove these two file types from the Exception list in Web Shield so they should also be scanned.
PrntRhd
12-31-2005, 12:55 PM
A third party hotfix seems to be stopping the payload:
http://www.f-secure.com/weblog/archives/archive-122005.html#00000756
This is from the primary author of "Interactive Disassembler Pro".
That author states this is just a temporary fix, and to remove the hotfix via Add/Remove Programs and apply the MS official patch when it is released.
Edit: This is for XP SP2/ XP 64 bit.
For those of us using Avast, I just stumbled across a very important note. In retrospect it's obvious, but it hadn't occured to me. The default configuration of the web shield doesn't scan gifs and pngs. From the thread:
Would you post the URL of the thread please.
hockey man
12-31-2005, 06:08 PM
How do you enable *.gif and *.png protection in AVAST? Also, what do you guys think of this:
http://www.hexblog.com/2005/12/wmf_vuln.html
I got to that from here:
http://www.f-secure.com/weblog/
F-Secure
Sunday, January 1, 2006
Bad behaviour Posted by Mikko @ 00:49 GMT
We are aware that a new exploit for the WMF vulnerability has been published. This one is much more advanced than the old one, and much more dangerous.
It enables clueless newcomers to easily craft highly variable and hard-to-detect variations of image files. Images that take over computers when viewed. And do this on all common Windows platforms. With no vendor patch for the vulnerability available. Meaning that there are hundreds of millions of vulnerable computers in the net right now.
Making such tools publicly available when there's no vendor patch available is irresponsible. Plain and simply irresponsible. Everybody associated in making and publishing the exploit knows this. And they should know better. Moore, A.S, San and FrSIRT: you should know better.
http://www.f-secure.com/weblog/archives/archive-012006.html#00000758
ErnieK
01-01-2006, 04:38 AM
hockey man
This is how I have it. Could someone tell me if I am correct.
Dbl click the icon in the task bar (next to clock)
Select WEB SHIELD
Now select CUSTOM
Go to EXCEPTIONS
REMOVE JPG & PNG from bottom (MIME types) box
Also go to URL BLOCKING, enable it and paste the recommended entries into it. Here is the list as I have found so far.
[dot] to be replaced with "." (without quotes)
Using HJT open your HOSTS list and add these there as well.
could someone confirm my actions are correct
hockey man
01-01-2006, 01:19 PM
did you add the 127.0.0.1 in there too?
classicsoftware
01-01-2006, 01:46 PM
The 127.0.0.1 is just for your hosts file.
The domains are for the avast settings
PrntRhd
01-01-2006, 02:34 PM
http://www.f-secure.com/weblog/archives/archive-012006.html#00000758
From SANS:
This is a bad situation that will only get worse. The very best response that our collective wisdom can create is contained in this advice - unregister shimgvw.dll and use the unofficial patch. You need to trust us. This is because it may be January 9 until Microsoft can get an official patch out to fix the problem.
We have very carefully scrutinized this patch. It does only what is advertised, it is reversible, and, in our opinion, it is both safe and effective.
The whole SANS article:
http://isc.sans.org/diary.php?rss&storyid=996
And finally, in the f-secure blog: A new exploit using the vulnerability has come out using EMail to spread.
GRC [Gibson Research Corporation] believes Ilfak Guilfanov's temporary WMF patch completely eliminates the vulnerability.
Please Note: Unlike the "DLL unregister" recommendation offered by Microsoft (see RED box below) Ilfak's patch completely eliminates the vulnerability. Therefore, until Microsoft is able to update and repair their vulnerable GDI32.DLL, this is what you should use. You do NOT need to unregister the DLL as described in the RED box below.
http://www.grc.com/sn/notes-020.htm
PrntRhd
01-01-2006, 08:20 PM
Note they worked to get increased coverage of the patch to work with Windows 2003, and Windows 2000 as well as XP/ XP64.
pangea33
01-01-2006, 08:56 PM
Would you post the URL of the thread please.
Sorry for the delay, WDGC. I was off doing other things last night. Welcome to 2006 everyone, may it be good to you. The thread I was quoting from can be found in the Avast support forum here (http://forum.avast.com/index.php?topic=18295.0). It's on the second page.
hockey man, you can ensure Avast scans gif and png files like this. Left click on the Avast icon in your system tray, which will pop up the little control panel. Make sure that you've already selected "Show More Detail." Next, highlight the "Web Shield" provider and click the "Customize" button. From here choose the "Exceptions" tab, and you'll see image/gif and image/png under the section labeled "MIME Types to exclude." Highlight and remove them. You may notice a minimal slowdown in Internet speeds, because Avast is scanning many more files. This is completely tolerable to me, considering the fact that I am a little bit safer.
Thank you for the link, pangea33.
hockey man
01-01-2006, 09:51 PM
I'm up and protected. Thanks guys.
For those who have applied Ilfak Guilfanov's Windows WMF Metafile Vulnerability HotFix, there is a checker utility linked from his home page.
http://www.hexblog.com/
pangea33
01-01-2006, 11:50 PM
I know that I have a tendency to be overly cautious, but running an executable that "...works by injecting itself to all processes loading USER32.DLL" makes me a little apprehensive. Maybe I would be more comfortable if I realized who Ilfak Guilfanov is, but I don't. I know that F-Secure has given this fix their thumbs up, but I was just wanting to know what you all think. How many of you have run this thing?
Budfred
01-01-2006, 11:53 PM
This fix has been endorsed by a bunch of different people now and a number of people in security forums have endorsed the author of the fix... I am running it...
pangea33
01-01-2006, 11:58 PM
I meant no offense to anyone else posting in this thread, but after seeing how many times Budfred has fixed nasty malware infections for a mere thanks, his response means a lot. Thanks to everyone for all the great info on this thread!
F-Secure update:
Monday, January 2, 2006
It's not a bug, it's a feature Posted by Mikko @ 04:13 GMT
"The WMF vulnerability" probably affects more computers than any other security vulnerability, ever.
http://www.f-secure.com/weblog/archives/archive-012006.html#00000758
pangea33
01-02-2006, 12:14 AM
Meaning that there are hundreds of millions of vulnerable computers in the net right now.
absolutely frightening
Maybe I would be more comfortable if I realized who Ilfak Guilfanov is, but I don't.
Just so, I'd never heard of the fellow until a couple of days ago.
Apparently he's very well known though, as a Google search of his name will soon reveal, including this entry:
Now, we wouldn't normally blog about a security patch that is not coming from the original vendor. But Ilfak Guilfanov isn't just anybody. He's the main author of IDA (Interactive Disassembler Pro) and is arguably one of the best low-level Windows experts in the world.
http://www.pcdoctor-guide.com/wordpress/?m=2005
PrntRhd
01-02-2006, 12:56 AM
Yes Pangea33,
You have to trust somebody when something like this happens, to paraphrase SANS. If the fix works it is much better than nothing, and right now in a Windows world without that temporary patch, things start unravelling.
Ilfak Guilfanov, you did us all some good and bought us all some time to fix the problem this time.
ErnieK
01-02-2006, 05:00 AM
I installed the patch yesterday and everything seems to be OK. No issues or faults.
I would recommend that a full backup of the OS is made and then install the patch. Also do all that has been suggested re blocking (in your firewall and hosts files).
Prior to installing the patch (and after making a full ghost image) I deliberately went to a site that is one of the ones known to install the exploit. Using OPERA (latest version). The result was that opera offered the file(s) as downloads (5 or 6 of them) as save or install, I refused them all and it seems that nothing was installed covertly. So is OPERA safe (I use the term loosely) from this exploit?
Just to be doubly safe I re-installed my ghost image.
Budfred
01-02-2006, 10:09 AM
I haven't heard that Opera is totally safe or that any program is... This thing is now being used to spread infections through email, so that just opening the email can infect a system... The browser really wouldn't matter in that case....
PrntRhd
01-02-2006, 10:33 AM
My understanding is that recent Opera (and also recent Firefox) browsers will give you a prompt before downloading/opening the current exploits unlike IE which opens the file automatically. If you choose to open/save the file in Opera or Firefox you manually choose to risk allowing the exploit. That means you can be infected with any of these browsers, no magic bullets, but safer on Opera and Firefox than the automatic actions of IE.
The transition to start sending these exploit files via email eliminates any browser choice protection. The unofficial patch helps in this case by preventing the execution.
ErnieK
01-02-2006, 11:14 AM
This points to an another important piece of software we should maybe be using as well. Some form of E-Mail filtering program. I use an older freeware version of Mailwasher (which allows me to check hotmail account as well as pop)
By using a program similar to this it should allow the user to view and delete any mails from unknown sources.
Or is this a futile way of trying to protect from this exploit via mail?
PrntRhd
01-02-2006, 11:25 AM
ErnieK,
The problem is the exploit files can have the extensions changed and still execute in Windows. The exploit is using a Function going back to Windows 95? and left enabled by MS to allow backwards compatibility.
SetAbortProc is the current problem.
This function was designed to be called by Windows if a print job needed to be canceled during spooling.
The current struggle is to get the problem patched before something else is broken, like other possible flaws in the WMF structure.
The latest reported method was to get people to open the email by spoofing it as being from the US State Department.
http://www.f-secure.com/weblog/archives/archive-012006.html#00000758
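Added example (not code from this thread or from any of the vendors quoted in it): a content-based WMF triage script in Python that follows up two points raised above, the note in the first post that Windows XP recognises a WMF by its magic bytes rather than its extension, and the SetAbortProc escape named in this post. It identifies WMF data by its header, walks the metafile records, and flags META_ESCAPE records that request SetAbortProc, including in truncated files. Record layouts follow the published WMF format; the sample files at the bottom are constructed test data, not real exploit files.

```python
import struct

PLACEABLE_KEY = 0x9AC6CDD7          # placeable WMF magic; appears on disk as D7 CD C6 9A
PLACEABLE_HEADER_LEN = 22
META_HEADER_LEN = 18
META_EOF = 0x0000
META_SETBKMODE = 0x0102             # harmless record type used in the constructed samples
META_ESCAPE = 0x0626
ESCAPE_SETABORTPROC = 0x0009


def wmf_body_offset(data):
    """Return the offset of the META_HEADER if `data` carries WMF magic, else None.
    Content only is checked, so a WMF renamed to .jpg or .gif is still recognised."""
    off = 0
    if len(data) >= PLACEABLE_HEADER_LEN and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = PLACEABLE_HEADER_LEN
    if len(data) < off + META_HEADER_LEN:
        return None
    mtype, header_words, version = struct.unpack_from("<HHH", data, off)
    # META_HEADER: Type 1 (memory) or 2 (disk), HeaderSize always 9 words, Version 0x0100/0x0300
    if mtype in (1, 2) and header_words == 9 and version in (0x0100, 0x0300):
        return off
    return None


def iter_records(data, start):
    """Yield (offset, function, params, malformed) for each record after the header.
    Layout: RecordSize (uint32, in 16-bit words, counting itself), RecordFunction (uint16),
    parameters. Stops at META_EOF, at a truncated record, or at an impossible size."""
    pos = start + META_HEADER_LEN
    while pos + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, pos)
        if size_words < 3:
            yield pos, func, b"", True
            return
        end = pos + size_words * 2
        truncated = end > len(data)
        params = data[pos + 6:min(end, len(data))]
        yield pos, func, params, truncated
        if func == META_EOF or truncated:
            return
        pos = end


def scan_wmf(data):
    """Triage one file's bytes: is it a WMF, and does any escape record ask for SetAbortProc?"""
    start = wmf_body_offset(data)
    result = {"is_wmf": start is not None, "placeable": start == PLACEABLE_HEADER_LEN,
              "records": 0, "setabortproc": [], "malformed": False, "suspicious": False}
    if start is None:
        return result
    for off, func, params, bad in iter_records(data, start):
        result["records"] += 1
        result["malformed"] |= bad
        # META_ESCAPE params: EscapeFunction (uint16), ByteCount (uint16), EscapeData
        if func == META_ESCAPE and len(params) >= 2:
            if struct.unpack_from("<H", params, 0)[0] == ESCAPE_SETABORTPROC:
                result["setabortproc"].append(off)
    result["suspicious"] = bool(result["setabortproc"])
    return result


def triage(files):
    """Map file name -> verdict, judging by content only (the extension is ignored)."""
    verdicts = {}
    for name, data in files.items():
        r = scan_wmf(data)
        if not r["is_wmf"]:
            verdicts[name] = "not-wmf"
        elif r["suspicious"]:
            verdicts[name] = "block: SetAbortProc escape"
        else:
            verdicts[name] = "wmf-clean"
    return verdicts


def build_wmf(records, placeable=False):
    """Assemble a minimal WMF from already-encoded records (constructed test data only)."""
    total_words = (META_HEADER_LEN + len(records)) // 2
    header = struct.pack("<HHHHHHIH", 2, 9, 0x0300, total_words & 0xFFFF, total_words >> 16, 0, 0, 0)
    if placeable:
        header = struct.pack("<IH4hHIH", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0, 0) + header
    return header + records


RECORD_SETBKMODE = struct.pack("<IHH", 4, META_SETBKMODE, 1)
RECORD_EOF = struct.pack("<IH", 3, META_EOF)
# The record shape a detector must catch: META_ESCAPE asking for SETABORTPROC, with a
# 4-byte all-zero placeholder payload (constructed, not exploit content).
RECORD_ABORTPROC = struct.pack("<IHHH", 7, META_ESCAPE, ESCAPE_SETABORTPROC, 4) + b"\x00" * 4

BENIGN_WMF = build_wmf(RECORD_SETBKMODE + RECORD_EOF, placeable=True)
SUSPICIOUS_WMF = build_wmf(RECORD_ABORTPROC + RECORD_EOF)
TRUNCATED_WMF = build_wmf(RECORD_ABORTPROC[:10])   # cut mid-record; still flagged
NOT_WMF = b"\x89PNG\r\n\x1a\n" + b"\x00" * 24          # constructed non-WMF bytes

if __name__ == "__main__":
    samples = {"chart.wmf": BENIGN_WMF, "holiday.jpg": SUSPICIOUS_WMF,
               "logo.png": NOT_WMF, "partial.wmf": TRUNCATED_WMF}
    for name, verdict in triage(samples).items():
        print(f"{name:14} {verdict}")
```

Note that "holiday.jpg" is flagged purely from its bytes, which is the point of the magic-bytes warning: an extension filter at the perimeter would have let it through.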
ErnieK
01-02-2006, 12:20 PM
PrntRhd
Ahh! So at the moment it really does not make any difference what we do (other than apply the patch supplied by Ilfak Guilfanov)?
From your link
"The WMF vulnerability" probably affects more computers than any other security vulnerability, ever.
PrntRhd
01-02-2006, 01:02 PM
It makes some difference if you watch where you surf and what emails you open, but yes that unofficial patch is pretty vital. If you get this file on the PC and simply roll your cursor over it, you will get infected if unpatched or unregistered for the dll.
This exploit is using a "feature" in WMF, so the real fix will have to come from MS.
Budfred
01-02-2006, 01:20 PM
Apparently some firewalls are now being set to detect and block this thing... MailWasher should be effective for email since it does not download anything but some basic text and deletes the stuff you reject before it can be fully downloaded onto your computer...
The big problem is all the people that are not using firewalls and other protections... There is no way they are going to be prepared, so this thing is going to be infecting huge numbers of people who have had the luck to avoid infection up to now... I just looked at a breakdown of what one of the infections will do... It turned the computer into a SPAMbot sending out hundreds of SPAM every few minutes and it installed a rootkit for some undetermined reason... Get ready for a major increase in SPAM traffic... :mad: :mad: :mad:
F-Secure
Monday, January 2, 2006
Targeted WMF email attacks Posted by Mikko @ 12:17 GMT
Our colleagues and business partners at Messagelabs have stopped a very interesting WMF attack today.
A new WMF exploit file was spammed to a targeted list of a few dozen high-profile email addresses.
The email urged recipients to open the enclosed MAP.WMF file - which exploited the computer and downloaded a backdoor from jerrynews.com.
What makes the case really interesting was the cloak-and-dagger language used in the email which was spoofed to originate from US State Department's security unit.
http://www.f-secure.com/weblog/archives/archive-012006.html#0000075
A new version - 1.4 - of Ilfak Guilfanov's Windows WMF Metafile Vulnerability HotFix is available.
The new version is suitable for automated setup (for example, in logon scripts).
Due to popular demand the new version of the setup can work in fully silent mode. If run without command line parameters, it will behave normally - display the welcome window, ask for confirmations, etc.
http://www.hexblog.com/2006/01/silent_wmf_hotfix_installer.html
ErnieK
01-03-2006, 03:50 AM
Then the updated version is not required if you already have the first installed
If you already have any previous version of the fix installed, there is no need to reinstall. Old hotfixes are as good as the new one in protecting your computer.
Yes, I understand any version which satisfies the checker utility is effective.
http://www.hexblog.com/
.
Maybe things aren't so bad for users of older - before Win.XP - systems.
Larry Seltzer from eWeek has been doing additional testing against older versions of Windows and the WMF flaw.
...in a practical sense, only Windows XP and Windows Server 2003
(in all their service pack levels) are vulnerable to the WMF flaw.
...all versions of Windows back to 3.0 have the vulnerability in GDI32.
Except for Windows XP and Windows Server 2003, no Windows versions,
in their default configuration, have a default association for WMF files,
and none of their Paint programs or any other standard programs installed
with them can read WMF files...
http://blog.ziffdavis.com/seltzer/archive/2006/01/03/39684.aspx
.
PrntRhd
01-03-2006, 09:06 AM
Unless the file is renamed. In that case you get infected. Also MSPaint will open the file on all.
Safer, but not safe.
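The point made above (a WMF still works when it is renamed, so extension filters alone do not help) is best handled by looking at content rather than names. The block below is an added example, not code from this thread or from Microsoft, F-Secure or SANS: a small Python scanner a mail or web gateway could run over attachments. It recognises WMF data by its header (placeable or standard) regardless of the filename, and flags files whose record list contains a META_ESCAPE record with the SETABORTPROC escape function. The record and escape codes are taken from the public WMF format documentation, not from the thread; all sample files are constructed inline.

```python
"""Content-based WMF detection for a mail or web gateway.

Added example (not code from the thread or any vendor quoted in it).
Constants come from the WMF file format: the placeable-header key, the
standard METAHEADER layout, the META_ESCAPE record and the SETABORTPROC
escape function. All sample files below are constructed inline.
"""
import struct

PLACEABLE_KEY = b"\xd7\xcd\xc6\x9a"   # little-endian 0x9AC6CDD7, Aldus placeable header
PLACEABLE_LEN = 22                    # key(4)+handle(2)+bbox(8)+inch(2)+reserved(4)+checksum(2)
METAHEADER_LEN = 18                   # type(2)+hdrsize(2)+version(2)+size(4)+objects(2)+maxrec(4)+members(2)
META_EOF = 0x0000
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009
# Raw bytes of a META_ESCAPE function code followed by SETABORTPROC, used as a
# fallback when record sizes are too broken to walk the record list.
_ESCAPE_ABORTPROC_PATTERN = b"\x26\x06\x09\x00"


def _header_offset(data):
    return PLACEABLE_LEN if data[:4] == PLACEABLE_KEY else 0


def is_wmf(data):
    """True if the bytes carry a WMF header, whatever the file is called."""
    off = _header_offset(data)
    if len(data) < off + METAHEADER_LEN:
        return False
    mf_type, header_words, version = struct.unpack_from("<HHH", data, off)
    return mf_type in (1, 2) and header_words == 9 and version in (0x0100, 0x0300)


def escape_functions(data):
    """Walk the record list and yield the escape function of every META_ESCAPE record."""
    off = _header_offset(data) + METAHEADER_LEN
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if func == META_EOF or size_words < 3:
            break                      # end of file, or a record smaller than its own header
        if func == META_ESCAPE and off + 8 <= len(data):
            (esc_func,) = struct.unpack_from("<H", data, off + 6)
            yield esc_func
        off += size_words * 2          # RecordSize is counted in 16-bit words


def has_setabortproc(data):
    """True if the metafile asks GDI to install an abort procedure."""
    if SETABORTPROC in escape_functions(data):
        return True
    # Hostile files need not carry consistent record sizes, so do not rely on the walk alone.
    return _ESCAPE_ABORTPROC_PATTERN in data


def classify(filename, data):
    """Gateway verdict for one attachment: content decides, the extension is only reported."""
    wmf = is_wmf(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return {
        "filename": filename,
        "is_wmf": wmf,
        "extension_mismatch": wmf and ext != "wmf",
        "has_setabortproc": wmf and has_setabortproc(data),
    }


def _record(func, params=b""):
    """Build one WMF record: size in 16-bit words, function code, parameters."""
    return struct.pack("<IH", 3 + len(params) // 2, func) + params


def build_wmf(records):
    """Build a minimal standard (non-placeable) WMF around the given records (constructed sample)."""
    records = list(records) + [_record(META_EOF)]
    body = b"".join(records)
    size_words = (METAHEADER_LEN + len(body)) // 2
    max_record_words = max(len(r) for r in records) // 2
    header = struct.pack("<HHHHHHIH", 1, 9, 0x0300,
                         size_words & 0xFFFF, size_words >> 16, 0, max_record_words, 0)
    return header + body


# Constructed samples: a benign metafile (one META_SETBKMODE record), one carrying
# the SETABORTPROC escape, and a PNG signature to show non-WMF data passes through.
BENIGN_WMF = build_wmf([_record(0x0102, struct.pack("<H", 1))])
ABORTPROC_WMF = build_wmf([_record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 0))])
NOT_WMF = b"\x89PNG\r\n\x1a\n" + b"\x00" * 24

if __name__ == "__main__":
    for name, blob in (("scan.wmf", BENIGN_WMF), ("MAP.jpg", ABORTPROC_WMF), ("photo.png", NOT_WMF)):
        print(classify(name, blob))
```

The raw-pattern fallback in `has_setabortproc` can match inside legitimate record data, so treat a hit from it as a lower-confidence signal than one from the structured walk; the point of the example is that the filename never enters the decision.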
Microsoft Security Advisory (912840)
Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution.
Published: December 28, 2005 | Updated: January 3, 2006
Microsoft has completed development of the security update for the vulnerability. The security update is now being localized and tested to ensure quality and application compatibility. Microsoft’s goal is to release the update on Tuesday, January 10, 2006, as part of its monthly release of security bulletins. This release is predicated on successful completion of quality testing.
The update will be released worldwide simultaneously in 23 languages for all affected versions of Windows once it passes a series of rigorous testing procedures. It will be available on Microsoft’s Download Center, as well as through Microsoft Update and Windows Update. Customers who use Windows’ Automatic Updates feature will be delivered the fix automatically.
Based on strong customer feedback, all Microsoft’s security updates must pass a series of quality tests, including testing by third parties, to assure customers that they can be deployed effectively in all languages and for all versions of the Windows platform with minimum down time.
Microsoft has been carefully monitoring the attempted exploitation of the WMF vulnerability since it became public last week, through its own forensic capabilities and through partnerships within the industry and law enforcement. Although the issue is serious and malicious attacks are being attempted, Microsoft’s intelligence sources indicate that the scope of the attacks is not widespread.
In addition, anti-virus companies indicate that attacks based on exploiting the WMF vulnerability are being effectively mitigated through up-to-date signatures.
Customers are encouraged to keep their anti-virus software up-to-date. The Microsoft Windows AntiSpyware (Beta) can also help protect your system from spyware and other potentially unwanted software. Customers can also visit Windows Live Safety Center and are encouraged to use the Complete Scan option to check for and remove malicious software that takes advantage of this vulnerability. We will continue to investigate these public reports.
If you are a Windows OneCare user and your current status is green, you are already protected from known malware that uses this vulnerability to attempt to attack systems.
Customers who follow safe browsing best practices are not likely to be compromised by any exploitation of the WMF vulnerability. Users should take care not to visit unfamiliar or un-trusted Web sites that could potentially host the malicious code.
Microsoft encourages users to exercise caution when they open e-mail and links in e-mail from untrusted sources. While we have not encountered any situation in which simply opening an email can result in attack, clicking on a link in an email could result in navigation to a malicious site. For more information about Safe Browsing, visit the Trustworthy Computing Web site.
http://www.microsoft.com/technet/security/advisory/912840.mspx
.
PrntRhd
01-03-2006, 09:37 PM
Microsoft is still saying the exposure to the exploits is "limited" and will wait till Patch Tuesday for the release. New infection methods are trying to spread this via IMs and bots now:
http://www.informationweek.com/news/showArticle.jhtml;jsessionid=JBBOXQJTJV2BOQSNDBECKHSCJUMEKJVN?articleID=175800780
Of course that does not make the folks over at SANS very happy:
http://isc.sans.org/diary.php?storyid=1011
And
http://isc.sans.org/diary.php?storyid=1012
deddard
01-04-2006, 03:26 AM
It's interesting (and scary) to read that the escape sequence which the patch blocks is something which Mozilla relies on (check the PDF or PPT available from SANS).
ErnieK
01-04-2006, 06:16 AM
I was wondering if MS would also release a patch for those that still run Win98/ME.
But as they (MS) now consider this OS obsolete and no longer support it are these (a heck of a lot of them) folks going to be left high and dry because they are using an OS that patches are no longer released for?
F-Secure
Wednesday, January 4, 2006
New trojan being distributed via WMF spam Posted by Mikko @ 12:44 GMT
There's a new trojan spam run underway, exploiting again the WMF vulnerability.
The exploit code is taken directly from the last Metasploit distribution. So the Metasploit exploit is assisting botnet herders and spyware distributors to take over the computers of users who still have no Microsoft patch to close the hole.
In this particular case the spammed message was a fake warning from a Yale University professor about student vandalism that supposedly happened over the new year.
When curious readers follow the link to a web server under comcast.net, they are hit with a WMF file that immediately downloads a botnet client via tftp and runs it. This client will connect to a botnet hosted via several IRC servers.
F-Secure Anti-Virus detects the WMF exploit in question as Exploit.Win32.IMG-WMF and the downloaded trojan as Breplibot.Q. Abuse reports have been sent about the sites abused in this scam.
Administrators: you might want to block these at your gateways:
http access to playtimepiano[dot]home[dot]comcast[dot]net (do not visit this site)
tftp (i.e. UDP) access to 86.135.149.130
IRC access to 140.198.35.85:8080
IRC access to 24.116.12.59:8080
IRC access to 140.198.165.185:8080
IRC access to 129.93.51.80:8080
IRC access to 70.136.88.76:8080
http://www.f-secure.com/weblog/archives/archive-012006.html#00000767
.
PrntRhd
01-04-2006, 09:04 AM
ErnieK,
The Windows 98 machine users are less likely to be affected by this unless it gets morphed into an automated worm. Picture and File Viewer is the opening where xp is being hit right now.
The black hats have 7 days left to hit with a worm before MS patches this. It could get really ugly this week.
ErnieK
01-04-2006, 01:59 PM
PrntRhd
The black hats have 7 days left to hit with a worm before MS patches this. It could get really ugly this week.
You are the master of the understatement.
What will happen WHEN this is taken further by the (your phrase) black hats, (my phrase unprintable) because from what I understand the avenue for infection is in all Windows versions from Win 3 onwards.
WMF FAQ from SANS.
http://handlers.dshield.org/jullrich/wmffaq.html
.
jlreich
01-04-2006, 06:48 PM
From the link above.
* What is DEP (Data Execution Protection) and how does it help me?
With Windows XP SP2, Microsoft introduced DEP. It protects against a wide range of exploits, by preventing the execution of 'data segments'. However, to work well, it requires hardware support. Some CPUs, like AMD's 64 Bit CPUs, will provide full DEP protection and will prevent the exploit.
Well this is good for those that have AMD64 CPUs. Do Intel EM64T CPUs have full DEP support as well?
I assume you need to turn on DEP for all programs and services for it to be most effective? Not the default "for essential programs and services"?
MS06-001: Microsoft releases WMF patch early
Microsoft Security Bulletin Advance Notification
Updated: January 5, 2005
Security Bulletin Advance Notification
Important Information for Thursday 5 January 2006
Microsoft announced that it would release a security update to help protect customers from exploitations of a vulnerability in the Windows Meta File (WMF) area of code in the Windows operating system on Tuesday, January 2, 2006, in response to malicious and criminal attacks on computer users that were discovered last week.
Microsoft will release the update today on Thursday, January 5, 2006, earlier than planned.
Microsoft originally planned to release the update on Tuesday, January 10, 2006 as part of its regular monthly release of security bulletins, once testing for quality and application compatibility was complete. However, testing has been completed earlier than anticipated and the update is ready for release.
In addition, Microsoft is releasing the update early in response to strong customer sentiment that the release should be made available as soon as possible.
Microsoft’s monitoring of attack data continues to indicate that the attacks are limited and are being mitigated both by Microsoft’s efforts to shut down malicious Web sites and with up-to-date signatures from anti-virus companies.
The security update will be available at 2:00 pm PT as MS06-001.
http://www.microsoft.com/technet/security/bulletin/advance.mspx
.
MS WMF fix download available now.
Microsoft Security Bulletin MS06-001
Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution (912919)
Published: January 5, 2006
Version: 1.0
Summary
Who should read this document: Customers who use Microsoft Windows
Impact of Vulnerability: Remote Code Execution
Maximum Severity Rating: Critical
Recommendation: Customers should apply the update immediately.
Security Update Replacement: None
http://www.microsoft.com/technet/security/bulletin/MS06-001.mspx
.
ErnieK
01-05-2006, 04:57 PM
WDGC
You beat me to it, I was just going to post re the update. Please see the quote below pasted from MS security bulletin
Summary
=======
Important Information for Thursday 5 January 2006
Microsoft announced that it would release a security update to help
protect customers from exploitations of a vulnerability in the
Windows Meta File (WMF) area of code in the Windows operating system
on Tuesday, January 2, 2006, in response to malicious and criminal
attacks on computer users that were discovered last week.
Microsoft will release the update today on Thursday, January 5, 2006,
earlier than planned.
Microsoft originally planned to release the update on Tuesday,
January 10, 2006 as part of its regular monthly release of security
bulletins, once testing for quality and application compatibility
was complete. However, testing has been completed earlier than
anticipated and the update is ready for release.
In addition, Microsoft is releasing the update early in response to
strong customer sentiment that the release should be made available
as soon as possible.
Microsoft's monitoring of attack data continues to indicate that the
attacks are limited and are being mitigated both by Microsoft's
efforts to shut down malicious Web sites and with up-to-date
signatures from anti-virus companies.
The security update will be available at 2:00 pm PT as MS06-001.
Enterprise customers who are using Windows Server Update Services
will receive the update automatically. In addition the update is
supported by Microsoft Baseline Security Analyzer 2.0, Systems
Management Server, and Software Update Services. Enterprise
customers can also manually download the update from the Download
Center.
Microsoft will hold a special Web cast on Friday, January 6, 2006,
to provide technical details on the MS06-001 and to answer questions.
Registration details will be available at
http://www.microsoft.com/technet/security/default.mspx.
The patch/update can be downloaded NOW (10.00pm GMT) from the following link
http://www.microsoft.com/downloads/details.aspx?familyid=0C1B4C96-57AE-499E-B89B-215B7BB4D8E9&displaylang=en
It has taken them a couple of days but I feel I must say well done to MS for this early release.
hockey man
01-05-2006, 06:59 PM
Yep, got her today. . .I wonder how well it works.
PrntRhd
01-05-2006, 11:10 PM
Kudos to Microsoft for releasing the patch early!
:D :D
Budfred
01-05-2006, 11:49 PM
I appreciate that they opted to release the patch early, but I resent that they didn't decide to do that until there was a major uproar... They were willing to leave people hanging for a week to stay on their schedule until everyone made a fuss....
pangea33
01-06-2006, 01:39 AM
I completely support the sentiment that there are extraordinary occasions that warrant special actions, and so did Microsoft in this case. As a software engineer, I am intimately aware of the risks involved in deploying code to your entire user base, especially when this code has not been subjected to the complete testing procedures dictated by your business process. Our biggest applications are only used by a few million people. Microsoft laughs hysterically at this cute little number. As much as I like to hate on M$, I can understand where they're coming from here.
*edit*
I am looking forward to the reports made available after someone decompiles this and does a comparison with Ilfak Guilfanov's fix. Admittedly, I am also a nerd though.
*edit*
ErnieK
01-06-2006, 02:51 AM
I have downloaded the patch but am waiting until Sat to see if there are any come-backs before installation. IG's fix will keep me covered until then.
But once again I say (and I don't often praise them) MS has done well in releasing this early, but I also accept that this is only because of the furore over their holding back. Either way they have released the patch.
Budfred
01-06-2006, 08:14 AM
I completely support the sentiment that there are extraordinary occasions that warrant special actions, and so did Microsoft in this case. As a software engineer, I am intimately aware of the risks involved in deploying code to your entire user base, especially when this code has not been subjected to the complete testing procedures dictated by your business process. Our biggest applications are only used by a few million people. Microsoft laughs hysterically at this cute little number. As much as I like to hate on M$, I can understand where they're coming from here.
MS said they had done all the testing and they were just sitting on the patch until next Tuesday because that is when their security patches are supposed to be released... They relented because of public pressure, not because they had completed testing...
hockey man
01-06-2006, 02:21 PM
Really, that is sick. MS's heart must be made of stone.
pangea33
01-06-2006, 06:27 PM
MS said they had done all the testing and they were just sitting on the patch until next Tuesday because that is when their security patches are supposed to be released... They relented because of public pressure, not because they had completed testing...
For some reason I thought I had read that they were holding back pending adequate testing, which struck me as acceptable. I was not aware of what you're referring to here. If that is indeed the case, then I retract all of my comments in support of M$'s actions.
Peter Watson, chief security advisor for Microsoft Australia, doesn't exactly clear the water about this, but the cynic in me says his second statement is probably closer to the truth.
He said testing for the fix had been completed "earlier than anticipated," allowing Microsoft to release it last night (AEDT). The fix is available for download here.
Watson said while early completion of the testing process was one factor in allowing Microsoft to push out the fix earlier than it originally intended, it had also been prompted to do so by the large number of queries about the problem from enterprise customers worldwide, including Australia.
http://www.zdnet.com.au/news/security/soa/WMF_flaw_fails_to_spark_attacks_on_AU_users_Microsoft/0,2000061744,39231473,00.htm
.
pangea33
01-06-2006, 09:19 PM
Not sure how many have read Ilfak's most recent comments on hexblog, but I just did. I was very pleasantly surprised by his refusal to accept payment offered for his efforts. It doesn't seem like there are a lot of people who would do such a thing.
Best regards,
Ilfak Guilfanov
P.S. Normal blog activity will be resumed soon, stay tuned!
P.P.S. Some of you very kindly suggested to send me a donation.
If you really wish to donate something, consider the charity of your choice, thank you!
PrntRhd
01-16-2006, 09:22 PM
The WMF patch has been available over 10 days, but the vast majority of PCs have not been upgraded. A new phishing exploit using the WMF vector has now surfaced:
http://www.f-secure.com/weblog/archives/archive-012006.html#00000779