
Please read this, THERE IS NOW A FIX.. Windows 98, ME users left vulnerable to WMF bug?

Discussion in 'All other topics' started by ireland, Dec 30, 2005.

  1. ireland

    ireland Active member

    Joined:
    Nov 28, 2002
    Messages:
    3,451
    Likes Received:
    15
    Trophy Points:
    68
    Windows image flaw now 'extremely critical'
    Crap... this is not good.

    Users are being asked not to save, open or even preview any untrusted image files from e-mail, instant messages, folders or network shares in Internet Explorer after an exploit targeting Windows Metafile Format files spread yesterday on fully patched systems.

    Numerous security vendors and US-CERT have issued warnings to users asking them to avoid any application that automatically displays a .wmf image, including older versions of Firefox and current versions of Opera, Outlook and all IE versions running on the Windows platform. "This is a zero-day exploit, the kind that give security researchers cold chills," according to the Sunbelt Software blog. "You can get infected by simply viewing an infected WMF image."

    Microsoft Promises To Patch Worsening Zero-Day Flaw

    In a security advisory posted on its Web site, Microsoft confirmed the vulnerability and the associated release of exploit code, but declined to give a timetable for its patch.

    By Gregg Keizer
    TechWeb News

    Dec 29, 2005 01:02 PM

    As bleaker details emerged Thursday about the threat posed by a zero-day vulnerability in Windows, Microsoft said it would produce a patch for the flaw but declined to put the fix on a timetable.

    In a security advisory posted on its Web site, Microsoft confirmed the vulnerability and the associated release of exploit code that could compromise PCs, and listed the operating systems at risk. Windows 2000 SP4, Windows XP, Windows Server 2000, Windows 98, and Windows Millennium can be attacked using the newly-discovered vulnerability in WMF (Windows Metafile) image file parsing, said Microsoft.

    "Upon completion of [our] investigation, Microsoft will take the appropriate action to help protect our customers," the advisory stated. "This will include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs."

    Microsoft rarely goes out-of-cycle to patch a vulnerability -- it's done so only three times since it began a once-a-month patch release schedule in October, 2003; the last time was over a year ago -- and didn't patch early in December when another zero-day bug surfaced, even after experts called on the Redmond, Wash.-based developer to fix fast.

    One security vendor told its customers Thursday not to hold their breath waiting for a fix for the flaw.

    "Further investigation by the DeepSight Threat Analyst Team has uncovered the possibility that this issue may actually occur according to the WMF file specification, and may therefore be difficult to fix," wrote Symantec in an alert to clients of its early warning service. "If this is the case, a fix for the problem may take some time to develop."

    And other details began emerging Thursday that indicated the threat may be worse than originally believed.

    "It's really easy to get this thing," said Shane Coursen, a senior technical analyst with Moscow-based Kaspersky Labs. "The exploit will even work through a DOS box."

    Rival security firm F-Secure, which is based in Helsinki, Finland, explained how that happens, and pinned blame on Google's Desktop search tool in the process.

    "You can get burned even while working in a DOS box!" wrote Mikko Hypponen, F-Secure's chief research officer, in an entry to the company's research blog. "This happened on one of our test machines where we simply used the WGET command-line tool to download a malicious WMF file. That's it, it was enough to download the file. So how on earth did it have a chance to execute?"

    Hypponen explained that the test machine had Google Desktop installed. Like other desktop search applications, Google's tool automatically indexes the metadata of images -- including WMF files -- in real time. To do that, it issues an API call to the vulnerable DLL (shimgvw.dll) to extract the metadata. "This is enough to invoke the exploit and infect the machine," added Hypponen. The SANS Institute's Internet Storm Center also tossed in its two cents of bad news.

    Although some security firms on Wednesday advised enterprises to block WMF files at the network edge, that may not be a decent defense for long.

    "Windows XP will detect and process a WMF file based on its content, and not rely on the extension alone," wrote analyst Chris Carboni on the center's blog. "[That] means a WMF sailing in disguise with a different extension might still be able to get you."

    Hackers could simply rename a malicious WMF file with, say, a .gif or .jpg file extension, attach it to an e-mail message, and assuming a user opens the file, infect a system.

    At the moment, say the experts, exploits are "only" installing spyware and/or fake anti-spyware software. That's bad enough, said two security firms, including one that specializes in combating spyware.

    "Now we're seeing many more using this to install bad stuff," said Alex Eckelberry, president of anti-spyware developer Sunbelt Software. "This is a really bad exploit. Be careful out there."

    Websense, a San Diego-based content filtering firm, has posted a video that shows the infection process, and said that it was tracking "thousands" of sites distributing the exploit code from just one host site. Spyware now, said another security professional, but even more malicious software next.

    "The technique that is being used can and will be combined with traditional malware like Mytob or Bagle," Stefana Ribaudo, the director of Computer Associates eTrust Security told TechWeb in an e-mail. "We're concerned that in the absence of a patch or even readily followed steps to secure systems, that we could see additional delivery methods such as e-mailing the WMF file (especially with jokes and holiday greetings) and instant messaging.

    "Once workers are back in the office after the holiday, we could see an increase [in the exploit]," warned Ribaudo.

    (Editor's note: This related story examines how to protect PCs against the new zero-day bug.)

    http://www.informationweek.com/story/showArticle.jhtml?articleID=175701152&cid=RSSfeed_IWK_All


    How To Beat Back The New Zero-Day Windows Bug




    By Gregg Keizer, TechWeb News

    With a patch for the worsening zero-day Windows vulnerability perhaps weeks -- or more -- away, security companies and Microsoft on Thursday recommended workarounds and other ad hoc defenses.

    Several firms, Microsoft included, told users to disable the Windows Picture and Fax Viewer, the application that Internet Explorer automatically launches to display WMF image files. Microsoft's advisory instructed users to click the Start menu, choose Run, then enter "regsvr32 -u %windir%\system32\shimgvw.dll" (without the quote marks), and click OK. Doing so, however, breaks the viewer so that it won't display other associated image file formats, such as those with the .jpg extension, a popular format used by most digital cameras.

    And it might not solve the problem. "Any application which automatically displays or renders WMF files is vulnerable," wrote Chris Carboni, an analyst with the Internet Storm Center, in a blog entry Thursday.

    Another tactic, said some security vendors, is to block all WMF image files at the network perimeter. Symantec, for instance, listed that advice in its latest bulletin about the vulnerability. Unfortunately, hackers can simply rename a malicious WMF file with a different extension -- .gif or .jpg, for example -- to pass through an exploit. Windows parses WMF files based not on the extension it reads, but on the content of the file, making such blocking strategies ineffective.


    On Wednesday, several security companies recommended that users and companies also block access to the sites known to be using the exploit. Sunbelt Software posted a list of some of the sites -- which included the most prominent, iFrameurl [dot] biz -- but with the exploit being used by an ever-increasing number of malicious and/or spyware sites, the technique will soon be impossible to implement manually.

    "Yesterday only a few of the sites we monitor used this exploit," wrote Eric Sites, vice president of research at Sunbelt, "but now that number is exploding." (Another security vendor, San Diego-based Websense, said Thursday that "thousands of sites" were distributing exploit code from iFramecash [dot] biz.)

    Users can also ditch Internet Explorer for Firefox or Opera. The vulnerability isn't within IE itself, but that browser does open WMF files automatically without asking permission from the user. Firefox and Opera at least put up a dialog box asking the user if he or she wants to open the file with Windows Picture and Fax Viewer. Using Firefox or Opera, however, doesn't guarantee that a PC is immune, since a malicious WMF file could still be introduced via e-mail.

    Finally, said Microsoft, users should keep their anti-virus defenses up to date, since most are or soon will provide signatures for the exploits taking advantage of the vulnerability. As of mid-day Thursday, for example, all the major anti-virus vendors had released some signatures.

    But that, too, may not completely defend against the threat. By late Wednesday, Sunbelt Software had detected more than 50 exploit variants.
     
  2. ireland

    Workaround, for WMF Exploit - Easy to Do!
    Until MS can get a handle on this bug, a lot of people are recommending this workaround posted on eWeek.com.

    This is a simple "cut and paste" into the Start - Run box. Don't worry, all you're doing is taking a DLL out of play for now. You can bring the DLL back into play with another simple "cut and paste" into the Start - Run box.

    Personally I'm not doing the reg hacking part of this "workaround". I'm just pulling the DLL out of play for now since I don't use "thumbnails" in my Explorer View.

    Folks, this is a really bad bug and I'm recommending you all seriously consider doing this until MS gets us a patch.

    And a workaround has been posted by Jerome Athias to the Full-Disclosure security mailing list. The workaround disables WMF parsing in two different ways.

    First, you can unregister the specific DLL that implements the vulnerable code from the system using a command line program. To disable the DLL click Start, then Run, then enter the following command:

    regsvr32 /u shimgvw.dll

    To re-enable the same DLL, click Start, then Run, then enter the following command:

    regsvr32 shimgvw.dll
     
  3. ireland

    Workaround, Protections Emerge for WMF Exploit
    By Larry Seltzer
    December 28, 2005



    Anti-virus and intrusion protection firms are reacting quickly to a new zero-day exploit for Windows, and a workaround has been devised by an independent researcher.

    According to AV-Test, an anti-virus research firm, numerous anti-virus firms were detecting some of the four exploits for the vulnerability that they had at that point. AntiVir, Avast!, BitDefender, Ewido, F-Secure, Fortinet, Ikarus, Kaspersky, McAfee and NOD32 detected all four.

    By the same token, many products, such as ClamAV and Trend Micro, had no protection. The situation is very fluid, so by the time you read this, more protection and more exploits will likely be available.

    Many other companies are still in the process of implementing protection and have deployed it only for some of the available exploits.

    And a workaround has been posted by Jerome Athias to the Full-Disclosure security mailing list. The workaround disables WMF parsing in two different ways.

    First, you can unregister the specific DLL that implements the vulnerable code from the system using a command line program. To disable the DLL click Start, then Run, then enter the following command:

    regsvr32 /u shimgvw.dll

    To re-enable the same DLL, click Start, then Run, then enter the following command:

    regsvr32 shimgvw.dll

    The same effect may be obtained with a registry change. In the Regedit program go to the key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\image\ShellEx\ContextMenuHandlers\ShellImagePreview


    Then delete the default value. To re-enable the feature, go to the same key and set the default value as a REG_SZ to "{e84fda7c-1d6a-45f6-b725-cb260c236066}". You may download .REG files that perform these tasks from Athias's message.

    The workaround has been confirmed by iDEFENSE as effective in preventing the current versions of the exploit, with a caveat. Previous vulnerabilities in the parsing of WMF files have led to additional vulnerabilities in EMF files, a later version of the metafile format. iDEFENSE warns that this workaround may not be effective against such future attacks.

    Athias warns that if you unregister shimgvw.dll, Windows Explorer will not display thumbnails anymore. So the registry operation is a much better way.
    http://www.eweek.com/article2/0,1895,1906211,00.asp
     
  4. ireland



    MS: A few thoughts on the WMF vulnerability


    Welcome to the Microsoft Security Response Center Blog! : A few thoughts on the WMF vulnerability






    Hi folks- this is Kevin Kean from the MSRC, writing what may just be my last MSRC blog entry for 2005. This morning we noticed that there are some people who are still looking for more information about the Windows Metafile (WMF) vulnerability that we issued a security advisory for on Wednesday. I thought it would be helpful to let you all know what we know about this and what we are doing to take care of it.



    Since earlier this week, my team has been hard at work investigating this vulnerability. We take situations such as this one very seriously.



    We are aware of publicly released, detailed exploit code that could be used to exploit this vulnerability. Based on our investigation, this exploit code could allow an attacker to execute arbitrary code on a user’s system by hosting a specially crafted WMF image on a malicious Web site. We have determined that an attacker would have no way to force users to visit such a malicious Web site. Instead, an attacker would have to persuade someone to visit the Web site, typically by getting them to click a link that takes them to the attacker's Web site.



    We have been asked a number of times whether this vulnerability can be exploited via email. I want to be very clear in the response so all users can understand the situation. In an e-mail based attack, customers would have to be persuaded to click on a link within a malicious e-mail or open an attachment that exploited the vulnerability. In both the web and e-mail based attacks, the code would execute in the security context of the logged-on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.



    When we complete this investigation, we’ll do what is best to help protect our customers. We have determined that this vulnerability will be fixed through a security update, and we will release that either through the regular monthly release cycle or out-of-cycle, depending on customer needs.



    Right now, we are working very closely with our anti-virus partners and aiding law enforcement with its investigation. We continue to recommend that customers follow our security guidance, including being careful where you browse, never accepting email attachments from unknown senders, keeping your anti-virus software up to date, enabling a firewall and staying current on security updates.



    Have a safe and happy New Year!
    -Kevin



    *This posting is provided "AS IS" with no warranties, and confers no rights.*



    posted on Friday, December 30, 2005 9:38 PM by stepto
    http://blogs.technet.com/msrc/archive/2005/12/30/416694.aspx
     
  5. ireland

    Windows WMF Metafile Vulnerability HotFix
    This is NOT an official patch from MS so use at your own risk. However, I have tried it and my systems seem to work fine.

    Windows WMF Metafile Vulnerability HotFix

    This week a new vulnerability was found in Windows:

    http://www.microsoft.com/technet/security/advisory/912840.mspx

    Browsing the web was not safe anymore, regardless of the browser. Microsoft will certainly come up with a thoroughly tested fix for it in the future, but meanwhile I developed a temporary fix - I badly needed it.

    The fix does not remove any functionality from the system, all pictures will continue to be visible. You can download it here:

    http://www.hexblog.com/security/files/wmffix_hexblog13.exe

    It should work for Windows 2000, XP 32-bit, XP 64-bit, and Windows Server 2003.

    Technical details: this is a DLL which gets injected into all processes loading user32.dll.
    It patches the Escape() function in gdi32.dll. The result of the patch is that the SETABORT escape sequence is not accepted anymore.

    I can imagine situations when this sequence is useful. My patch completely disables this escape sequence, so please be careful. However, with the fix installed, I can browse files, print them and do other things.

    If for some reason the patch does not work for you, please uninstall it. It will be in the list of installed programs as "Windows WMF Metafile Vulnerability HotFix". I'd like to know what programs are crippled by the fix, please tell me.

    I recommend you to uninstall this fix and use the official patch from Microsoft as soon as it is available.

    The fix can be applied in the automatic mode using the following command line:

    wmffix_hexblog13.exe /VERYSILENT /SUPPRESSMSGBOXES

    These switches do not suppress dialog boxes about installation errors.
    The /LOG="file" switch can be added to the command line to create a log file.

    The usual software disclaimer applies...

    File: wmffix_hexblog13.exe (the source code is included)

    UPD: more error checking
    UPD: Version 1.1 with Win2000 support
    UPD: Version 1.2: if the hotfix has already been applied to the system, inform the user at the second installation attempt.
    UPD: Version 1.3: added support for Windows 2000 SP4
    UPD: added information about silent mode

    There is no need to reinstall anything!
    Old hotfixes are perfectly ok.
    http://www.hexblog.com/2005/12/wmf_vuln.html#more
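The articles above make two technical points a mail or web gateway can act on: Windows recognises a WMF by its content rather than its extension (so blocking on ".wmf" alone misses a renamed "holiday.jpg"), and the Guilfanov hotfix works by refusing the SETABORT escape inside GDI's Escape(). The scanner below is an added example written for this thread, not code from the posts or from the hexblog fix; it assumes the public WMF layout (18-byte standard header, optional 22-byte placeable header with key 0x9AC6CDD7, META_ESCAPE record 0x0626, SETABORTPROC escape number 9), and every sample file it checks is constructed inline with no payload.

```python
import struct

# Constants from the public WMF format and wingdi.h (assumed, not quoted in the thread).
PLACEABLE_KEY = 0x9AC6CDD7   # key of the optional 22-byte placeable header
META_HEADER_LEN = 18         # fixed size of the standard WMF header
META_EOF = 0x0000
META_SETMAPMODE = 0x0103
META_ESCAPE = 0x0626         # record that routes to GDI's Escape()
SETABORTPROC = 9             # the Escape() sub-function the hotfix refuses


def strip_placeable_header(data):
    """Drop the placeable header if present; return the standard metafile bytes."""
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        return data[22:]
    return data


def looks_like_wmf(data):
    """Content sniff: decide WMF-ness from the header, never from the file name."""
    body = strip_placeable_header(data)
    if len(body) < META_HEADER_LEN:
        return False
    mt_type, header_size, version = struct.unpack_from("<HHH", body, 0)
    # mtType 1 = memory metafile, 2 = disk metafile; the header is always 9 words.
    return mt_type in (1, 2) and header_size == 9 and version in (0x0100, 0x0300)


def iter_records(body):
    """Yield (function, params) for each record; raise ValueError on a bad layout."""
    offset = META_HEADER_LEN
    while offset + 6 <= len(body):
        size_words, func = struct.unpack_from("<IH", body, offset)
        end = offset + size_words * 2
        if size_words < 3 or end > len(body):
            raise ValueError("malformed record at offset %d" % offset)
        yield func, body[offset + 6:end]
        if func == META_EOF:
            return
        offset = end
    raise ValueError("metafile ends without META_EOF")


def find_setabortproc_escapes(data):
    """Return the ByteCount of every META_ESCAPE record that selects SETABORTPROC."""
    hits = []
    for func, params in iter_records(strip_placeable_header(data)):
        if func == META_ESCAPE and len(params) >= 4:
            escape_func, byte_count = struct.unpack_from("<HH", params, 0)
            if escape_func == SETABORTPROC:
                hits.append(byte_count)
    return hits


def classify(data):
    """Gateway verdict: 'not-wmf', 'wmf', 'wmf-malformed' or 'wmf-setabortproc'."""
    if not looks_like_wmf(data):
        return "not-wmf"
    try:
        hits = find_setabortproc_escapes(data)
    except ValueError:
        return "wmf-malformed"
    return "wmf-setabortproc" if hits else "wmf"


# --- constructed sample files: record structure only, no payload ---

def _record(func, params=b""):
    if len(params) % 2:
        params += b"\0"            # records are word-aligned
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def build_wmf(records):
    """Assemble a minimal disk metafile from a list of records (appends META_EOF)."""
    records = list(records) + [_record(META_EOF)]
    body = b"".join(records)
    max_record_words = max(len(r) for r in records) // 2
    header = struct.pack("<HHHIHIH", 2, 9, 0x0300,
                         (META_HEADER_LEN + len(body)) // 2, 0, max_record_words, 0)
    return header + body


BENIGN_WMF = build_wmf([_record(META_SETMAPMODE, struct.pack("<H", 8))])
SUSPICIOUS_WMF = build_wmf(
    [_record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + b"\0" * 4)])
# The same record wrapped in a placeable header, the shape a renamed "holiday.jpg" could take.
PLACEABLE_SUSPICIOUS = struct.pack("<I", PLACEABLE_KEY) + b"\0" * 18 + SUSPICIOUS_WMF
JPEG_LIKE = b"\xff\xd8\xff\xe0" + b"\0" * 30   # JPEG magic, so the sniffer must say not-wmf

if __name__ == "__main__":
    for name, blob in [("benign.wmf", BENIGN_WMF), ("holiday.jpg", PLACEABLE_SUSPICIOUS),
                       ("photo.jpg", JPEG_LIKE)]:
        print(name, classify(blob))
```

The verdict depends only on the bytes, so "holiday.jpg" is flagged exactly as a file named "holiday.wmf" would be.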
     
  6. ireland

    SANS: WMF (Window Meta File) Vulnerability FAQ


    * Why is this issue so important?


    The WMF vulnerability uses images (WMF images) to execute arbitrary code. It will execute just by viewing the image. In most cases, you don't have to click anything. Even images stored on your system may cause the exploit to be triggered if they are indexed by some indexing software. Viewing a directory in Explorer with 'Icon size' images will cause the exploit to be triggered as well.

    * Is it better to use Firefox or Internet Explorer?


    Internet Explorer will view the image and trigger the exploit without warning. New versions of Firefox will prompt you before opening the image. However, in most environments this offers little protection given that these are images and are thus considered 'safe'.

    * What versions of Windows are affected?


    All. Windows 2000, Windows XP (SP1 and SP2), Windows 2003. All are affected to some extent. Mac OS X, Unix and BSD are not affected.



    Note: If you're still running on Win98/ME, this is a watershed moment: we believe (untested) that your system is vulnerable and there will be no patch from MS. Your mitigation options are very limited. You really need to upgrade.
    SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System




     
  7. ireland

    WMF: Major Revision In Vulnerable System List




    Major Revision In Vulnerable System List

    I have been testing a lot tonight and it appears to me that iDEFENSE is right: In a practical sense, only Windows XP and Windows Server 2003 (in all their service pack levels) are vulnerable to the WMF flaw. Here's why.

    It is true, as F-Secure says, that all versions of Windows back to 3.0 have the vulnerability in GDI32. But most versions of Windows are not quite as vulnerable as they appear. Except for Windows XP and Windows Server 2003, no Windows versions, in their default configuration, have a default association for WMF files, and none of their Paint programs or any other standard programs installed with them can read WMF files. One ironic point to conclude is that not until their most recent operating system versions did Microsoft include a default handler - the Windows Picture and Fax Viewer - for what has been, for years, an obsolete file format. And now it comes back to bite them.

    Therefore only consider applying the Guilfanov patch on Windows XP and Windows Server 2003. On other platforms, unless you have installed your own vulnerable default handler for WMF files, the likelihood of compromise even when a system is bombarded with malicious WMFs is low.
    posted on Tuesday, January 03, 2006 12:49 AM
    http://blog.ziffdavis.com/seltzer/archive/2006/01/03/39684.aspx
     
  8. ireland

    Microsoft Urges Users to Wait for Official Patch

    Software giant says fix for WMF flaw is coming, advises against installing unofficial fixes.

    Peter Sayer, IDG News Service
    Tuesday, January 03, 2006

    Some security researchers are advising Windows users to rush to install an unofficial patch to fix a vulnerability in the way the OS renders graphics files, but Microsoft wants customers to wait another week for its official security update, it announced Tuesday.






    The problem is in the way various versions of Windows handle graphics in the WMF (Windows Metafile) format. When a vulnerable computer opens a maliciously crafted WMF file, it can be forced to execute arbitrary code. Microsoft published a first security advisory on December 28, saying it had received notification of the problem on December 27 and was investigating whether a patch was necessary.

    On Tuesday, Microsoft updated the advisory to say it has completed development of its own patch, and is now testing it for release next week.

    "Microsoft recommends that customers download and deploy the security update for the WMF vulnerability that we are targeting for release on January 10, 2006," said the advisory, the full text of which can be found online.

    The company says it carefully reviews and tests its security updates, and offers them in 23 languages for all affected versions of its software simultaneously. It "cannot provide similar assurance for independent third-party security updates," it says.

    Threat Level

    The number of users potentially at risk is high, with all versions of Windows exhibiting the vulnerability, but the number actually affected so far is relatively low, researchers say.

    However, the chance of running into a malicious WMF file is climbing, and with it the danger of running an unpatched system. Already, one security Web site has had to warn its readers to stay away: the owners of the knoppix-std.org site warned in a forum posting that hackers had modified the site so as to attempt to exploit the vulnerability on site visitors' machines.

    There is "a lot of potential risk" associated with the vulnerability, according to Jay Heiser, a research vice president with Gartner and the company's lead analyst on information security issues. "If it can be exploited in any significant way, it would be an extremely big risk."

    "It's a race between Microsoft and the exploit community," he says.

    The bad guys had a head start in that race. Security researchers at Websense first spotted malicious Web sites using the exploit on December 27, but those sites may have been doing so as early as December 14, the company says.

    On December 28, Microsoft ambled out of the starting blocks with its first security advisory acknowledging a potential problem.

    Over the weekend, it updated this to suggest a way in which users could reduce the risk by disabling an affected part of the OS, called shimgvw.dll. Microsoft warned that the fix has the side effect of stopping the Windows Picture and Fax Viewer from functioning normally. Others report that it also stops Windows Explorer from showing thumbnails for digital photos.

    Unofficial Fix

    Security researchers outside Microsoft had other ideas: rather than disable shimgvw.dll, they would modify it so that only the functionality considered dangerous was blocked. By December 31, programmer Ilfak Guilfanov had developed an unofficial patch to reduce the danger of attack, without impairing Windows' graphics functions.

    His patch quickly won the support of security researchers including The SANS Institute's Internet Storm Center (ISC) and F-Secure.

    Mikko Hypponen, chief research officer at F-Secure, feels safe recommending the Guilfanov patch for several reasons.

    "We know this guy. We have checked the code. It does exactly what he says it does, and nothing else. We've checked the binary, and we've checked that the fix works," he says.

    He has one final vote of confidence: "We've installed it on all our own computers."

    Sophos PLC's Senior Security Consultant Carole Theriault advises businesses not to install the unofficial patch. "We wouldn't recommend it, for testing reasons," she says.

    One of the hidden dangers of the WMF vulnerability is that things are not always what they appear. Usually, WMF files can be identified by their .WMF file extension, and blocked as a precaution, but attackers may choose to disguise malicious files simply by giving them another image file suffix, such as .JPG, because the Windows graphics rendering engine attempts to identify graphics files by their content, not their name. That was the case with a file with the title "happynewyear.jpg" that began circulating in e-mail messages on December 31: If opened on a Windows machine, the file attempts to download and install a backdoor called Bifrose.

    As a consequence, says Theriault, businesses should keep existing antivirus protection up to date and concentrate on blocking unsolicited mail while waiting for the Microsoft patch, as this may help to screen out attacks. They should encourage users to practice safe computing by only visiting reputable Web sites and taking care with what they download, she says.

    Jeremy Kirk of the IDG News Service contributed to this report.
    http://pcworld.com/news/article/0,aid,124149,00.asp
     
  9. ireland

    Windows flaw spawns dozens of attacks
    By Dawn Kawamoto
    Staff Writer, CNET News.com
    Published: January 3, 2006, 11:55 AM PST

    A flaw in Microsoft's Windows Meta File has spawned dozens of attacks since its discovery last week, security experts warned Tuesday.

    The attacks so far have been wide-ranging, the experts said, citing everything from an MSN Messenger worm to spam that attempts to lure people to click on malicious Web sites.

    The vulnerability can be easily exploited in Windows XP with Service Pack 1 and 2, as well as Windows Server 2003, security experts said. Older versions of the operating system, including Windows 2000 and Windows ME, are also at risk, though in those cases the flaw is more difficult to exploit, said Mikko Hypponen, chief research officer at F-Secure.

    "Right now, the situation is bad, but it could be much worse. The potential for problems is bigger than we have ever seen," Hypponen said. "We estimate 99 percent of computers worldwide are vulnerable to this attack."

    The Windows Meta File flaw uses images to execute arbitrary code, according to a security advisory issued by the Internet Storm Center. It can be exploited just by the user viewing a malicious image.

    Microsoft plans to release a fix for the WMF vulnerability as part of its monthly security update cycle on Jan. 10, according to the company's security advisory.

    "We have seen dozens of different attacks using this vulnerability since Dec. 27," Hypponen said. "One exploits image files and tries to get users to click on them; another is an MSN Messenger worm that will send the worm to people on your buddy list, and we have seen several spam attacks."

    He added that some of the spam attacks have been targeted to select groups, such as one that purports to come from the U.S. Department of State. The malicious e-mail tries to lure the user to open a map attachment and will then download a Trojan horse. The exploit will open a backdoor on the user's system and allow sensitive files to be viewed.

    The WMF flaw has already resulted in attacks such as the Exploit-WMF Trojan, which made the rounds last week.

    Although Microsoft has not yet released a patch, security vendors such as F-Secure and the Internet Storm Center are noting Ilfak Guilfanov, a Russian security engineer, has released an unofficial fix that has been found to work.
    "Ilfak Guilfanov has published a temporary fix which does not remove any functionality from the system," F-Secure noted in its daily security blog. "All pictures and thumbnails continue to work normally."

    Security companies also are advising computer users to unregister the related "shimgvw.dll" portion of the Windows platform. Unregistering the dll, however, may also disable certain Windows functions and has not been thoroughly tested, according to a security advisory issued by Secunia.

    Despite the potential for a large number of computer users to be affected by exploits related to this vulnerability, Hypponen said the chances of a widespread outbreak from a virus, as people return to work from the long holiday, are unlikely.

    "We are still far away from a massive virus," he said. "Most people get attacked by this if they (search for something on the Internet) and get a million results. They may click on a link that goes to a malicious Web site or one that has been hacked, and then get infected."
    http://news.com.com/Windows+flaw+spawns+dozens+of+attacks/2100-7349_3-6016140.html?tag=nefd.top
     
  10. ireland

    Update: Microsoft patch for WMF flaw to be released Jan. 10
    ..Well now we know when...

    Microsoft Corp. said today it does not plan to release a fix for the Windows Metafile (WMF) flaw until Jan. 10, when a patch will be included as part of the company's scheduled monthly updates for January.

    Full story ComputerWorld


    Update: Microsoft patch for WMF flaw to be released Jan. 10
    But security experts recommend installation of an unofficial patch now

    News Story by Peter Sayer

    JANUARY 03, 2006 (IDG NEWS SERVICE) - Microsoft Corp. said today that it does not plan to release a fix for the Windows Metafile (WMF) flaw until Jan. 10, when a patch will be included as part of the company's scheduled monthly updates for January.

    Microsoft has completed development of a patch for the flaw and is now testing it for quality and application compatibility, the company said in an advisory updating an earlier advisory released last week.

    The update will be available at Microsoft's Download Center in 23 languages for all affected versions of the Windows operating system.

    "Microsoft has been carefully monitoring the attempted exploitation of the WMF vulnerability since it became public last week, through its own forensic capabilities and through partnerships within the industry and law enforcement," the company said in its statement. "Although the issue is serious and malicious attacks are being attempted, Microsoft's intelligence sources indicate that the scope of the attacks are not widespread."

    Corporate IT departments should do a risk assessment before deciding whether to wait for the official patch or not, officials at SANS Institute's Internet Storm Center (ISC) said in a note this morning. "What would be the cost to your company if you are compromised between now and January 10 if the update is released as mentioned?" the note said in direct language.

    "Can you really afford to do nothing? Are you willing to gamble that unregistering the dll is sufficient or do you go with defense in depth and apply the unofficial patch? You make the choice," ISC officials said.

    Yesterday, security researchers at the ISC urged Windows users to install an unofficial security patch now and not wait for Microsoft to make its move.

    Their recommendation followed a new wave of attacks on a flaw in the way Windows 98 through XP versions of the operating system handle malicious files in the WMF format. One such attack arrives in an e-mail message titled "happy new year," bearing a malicious file attachment called "HappyNewYear.jpg" that is really a disguised WMF file, said security research companies including iDefense Inc. and F-Secure Corp. (see "Risk of Windows WMF attacks jumps 'significantly,' security firm warns").

    Even though the file is labeled as a JPEG, Windows recognizes the content as a WMF and attempts to execute the code it contains.

    Microsoft said in an advisory last week that to exploit a WMF vulnerability by e-mail, "customers would have to be persuaded to click on a link within a malicious e-mail or open an attachment that exploited the vulnerability."

    However, simply viewing the folder that contains the affected file, or even allowing the file to be indexed by desktop search utilities such as Google Desktop, can trigger its payload, F-Secure Chief Research Officer Mikko Hypponen wrote in his company's blog.

    In addition, source code for a new exploit was widely available on the Internet by Saturday, allowing the creation of new attacks with varied payloads. The file "HappyNewYear.jpg," for example, attempts to download the Bifrose back door, researchers said.

    Alarmed by the magnitude of the threat, staff at the ISC worked over the weekend to validate and improve an unofficial patch developed by Ilfak Guilfanov to fix the WMF problem, according to an entry in the Handler's Diary, a running commentary on major IT security problems on the ISC Web site.

    "We have very carefully scrutinized this patch. It does only what is advertised, it is reversible, and, in our opinion, it is both safe and effective," Tom Liston wrote in the diary.

    "You cannot wait for the official MS patch, you cannot block this one at the border, and you cannot leave your systems unprotected," Liston wrote.

    In the diary, ISC provided a link to the version of the patch it has examined, including a version designed for unattended installation on corporate systems.

    While ISC recognizes that corporate users will find it unacceptable to install an unofficial patch, "acceptable or not, folks, you have to trust someone in this situation," Liston wrote.

    Microsoft representatives could not be reached for comment this morning.

    Guilfanov published his patch on his Web site on Saturday. His introduction to it can be found at http://www.hexblog.com/2005/12/wmf_vuln.html.

    F-Secure's Hypponen highlighted Guilfanov's patch in his company blog on Saturday night and yesterday echoed the ISC's advice to install the patch.

    Not all computers are vulnerable to the WMF threat: Those running non-Windows operating systems are not affected.

    According to Ken Dunham, director of the rapid response team at iDefense, Windows machines running Windows Data Execution Prevention (DEP) software are at least safe from the WMF attacks seen so far. However, Microsoft said that software DEP offered no protection from the threat, although hardware DEP may help.

    http://www.computerworld.com/securitytopics/security/holes/story/0,10801,107420,00.html?source=x10

    For more on this, see "How to protect against Windows WMF attacks".
    http://www.computerworld.com/securitytopics/security/holes/story/0,10801,107420p2,00.html
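    The "HappyNewYear.jpg" case above, and the PC World note earlier in this thread that the Windows rendering engine identifies graphics by content rather than by name, is the reason F-Secure says extension filtering alone is not enough. The following is an added example, not code from any article, vendor or tool quoted in this thread: a small content-sniffing check that recognises WMF data by its placeable key or by a plausible standard header and flags attachments whose extension disagrees with what the bytes actually are. The sample attachments are constructed inline; the standard WMF header has no magic string, so that branch is a heuristic on header field values and is labelled as such.

```python
"""Flag attachments that are Windows Metafile (WMF) content regardless of the
extension they carry. Added example for this thread, not code from any quoted
article or vendor; sample attachments below are constructed."""
import struct

# Aldus "placeable" metafile key 0x9AC6CDD7; on disk (little-endian) it reads D7 CD C6 9A.
PLACEABLE_KEY = 0x9AC6CDD7
# Standard header: WORD type, WORD header size (words), WORD version, DWORD file size
# (words), WORD objects, DWORD max record (words), WORD reserved = 18 bytes.
STD_HEADER_LEN = 18
JPEG_SOI = b"\xff\xd8\xff"


def looks_like_wmf(data: bytes) -> bool:
    """True if data begins with a placeable header or a plausible standard header.

    The standard header has no magic string, so the second branch is a heuristic:
    type 1 (memory) or 2 (disk), header size 9 words, version 0x0100 or 0x0300.
    """
    if len(data) >= 4 and struct.unpack_from("<I", data)[0] == PLACEABLE_KEY:
        return True
    if len(data) < STD_HEADER_LEN:
        return False
    file_type, header_words, version = struct.unpack_from("<HHH", data)
    return file_type in (1, 2) and header_words == 9 and version in (0x0100, 0x0300)


def classify(data: bytes) -> str:
    """Classify by content only: 'wmf', 'jpeg' or 'unknown'."""
    if looks_like_wmf(data):
        return "wmf"
    if data.startswith(JPEG_SOI):
        return "jpeg"
    return "unknown"


def is_disguised_wmf(filename: str, data: bytes) -> bool:
    """WMF bytes under any extension other than .wmf is the pattern seen in the wild."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return classify(data) == "wmf" and ext != "wmf"


def scan_attachments(attachments: dict) -> dict:
    """Map attachment name -> reason for every WMF payload, disguised or not
    (while the flaw is unpatched both kinds are worth holding at the gateway)."""
    found = {}
    for name, data in attachments.items():
        if classify(data) != "wmf":
            continue
        found[name] = "disguised-wmf" if is_disguised_wmf(name, data) else "wmf"
    return found


def _standard_wmf_sample() -> bytes:
    """Constructed minimal disk metafile: 18-byte header followed by a META_EOF record."""
    eof_record = struct.pack("<IH", 3, 0x0000)          # size 3 words, function META_EOF
    size_words = (STD_HEADER_LEN + len(eof_record)) // 2
    header = struct.pack("<HHHIHIH", 2, 9, 0x0300, size_words, 0, 3, 0)
    return header + eof_record


def _placeable_wmf_sample() -> bytes:
    """Constructed placeable metafile: 22-byte placeable header then the standard one.
    The checksum field is the XOR of the preceding ten 16-bit words."""
    body = struct.pack("<IHhhhhHI", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0)
    checksum = 0
    for (word,) in struct.iter_unpack("<H", body):
        checksum ^= word
    return body + struct.pack("<H", checksum) + _standard_wmf_sample()


# Constructed sample mailbox: a WMF hiding behind a .jpg name, a genuine WMF,
# a real JPEG header and a text file.
SAMPLES = {
    "HappyNewYear.jpg": _standard_wmf_sample(),
    "map.wmf": _placeable_wmf_sample(),
    "photo.jpg": JPEG_SOI + b"\xe0\x00\x10JFIF\x00",
    "notes.txt": b"just text",
}

if __name__ == "__main__":
    for name, reason in scan_attachments(SAMPLES).items():
        print(f"{name}: {reason}")
```

    Run against the constructed mailbox this reports HappyNewYear.jpg as disguised-wmf and map.wmf as wmf, and leaves the JPEG and text file alone. The standard-header branch can false-positive on arbitrary binaries whose first six bytes happen to match, so in a real gateway it belongs alongside, not in place of, antivirus signatures.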
     
  11. ireland

    Windows WMF flaw: How to protect against attacks
    There is no vendor-sanctioned fix yet for the Windows Metafile vulnerability

    News Story by Sharon Machlis

    JANUARY 02, 2006 (COMPUTERWORLD) - With Microsoft promising a security update "upon completion of [an] investigation" of the WMF security flaw, there's currently no vendor-sanctioned fix for the Windows Metafile vulnerability (see "Risk of Windows WMF attacks jumps 'significantly,' security firm warns").

    However, there are ways to protect your system and network from potential attack.

    "If you are a Windows OneCare user and your current status is green, you are already protected from known malware that uses this vulnerability to attempt to attack systems," according to Microsoft. If not, there are several other defense strategies, including the following:

    * Unregister the Windows shimgvw.dll file. The command regsvr32 -u %windir%\system32\shimgvw.dll at the command-line prompt should do this on an individual system. "This workaround is better than just trying to filter files with a WMF extension," according to security firm F-Secure Corp., since some malicious WMF files are being disguised with other file extensions.

    * Ilfak Guilfanov, "the main author of Interactive Disassembler Pro and ... arguably one of the best low-level Windows experts in the world," F-Secure says, has posted a temporary fix at hexblog.com. Security firm iDefense Inc. says it tested the patch and verified that it's effective and doesn't seem to include malicious code. But it notes that the patch "is still from an independent source and not the actual vendor, and should be treated as such." SANS Institute also says that it has "reverse engineered, reviewed and vetted" the fix. Guilfanov recommends uninstalling his workaround once Microsoft issues an official fix.

    * "Configure Internet Explorer to a HIGH security level," iDefense suggests in a listing of several protection strategies.

    * Block several IP addresses that have been associated with malicious activity in the past, according to Johannes Ullrich at SANS. Details are posted on the SANS Internet Storm Center diary.

    "WMF exploitation has rapidly become a major threat, especially as the work week resumes after a long holiday weekend," iDefense spokesman Ken Dunham said in an e-mail advisory. "The situation is rapidly escalating now with hundreds of hostile sites purported, dozens confirmed, and more from public and private data shared to date. ...Traditionally, any rapid exploitation on a widespread basis within seven days or less has led to a major meta-event."

    The following resources provide more information on the WMF vulnerability:

    * F-Secure's blog

    * Hexblog

    * Steve Gibson's explainer of the fix on Hexblog

    * SANS Internet Storm Center diary

    * Microsoft's initial security advisory

    For additional Computerworld coverage, see

    * "WMF flaw can't wait for Microsoft fix, researchers say"

    * "Risk of Windows WMF attacks jumps 'significantly,' security firm warns"

    http://www.computerworld.com/securitytopics/security/holes/story/0,10801,107421,00.html
     
  12. SmokeyDog


    Because many people who might be affected are "newbies" or not overly computer literate, I have posted a free illustrated userguide on how to install the unofficial WMF flaw patch, as well as how to unregister the DLL.

    It is located at http://www.helpprotectmycomputer.com/WMFflaw.html.

    We should always be cognizant that protecting the Internet is all our responsibilities, and that the vast majority of the users are not "techies".

    Happy New Year all, and thanks for your efforts.

    Steve Freedman
     
  13. DiRect

    Hi,
    I don't get it, what's in danger? Viewing image files? what type of image files are we talking about here? From what sites?

    Regards,
    DiRect
     
  14. ireland

    read what's posted above by me, then ye will get it..
     
  15. SmokeyDog


    Microsoft has just posted an advisory that it will provide FREE help to anyone who thinks they have been attacked by the WMF Flaw.

    Here's what Microsoft says:

    "Customers who believe they may have been affected (http://www.microsoft.com/technet/security/advisory/912840.mspx) by this issue can also contact Product Support Services. You can contact Product Support Services in the United States and Canada at no charge using the PC Safety line (1 866-PCSAFETY). Customers outside of the United States and Canada can locate the number for no-charge virus support by visiting the Microsoft Help and Support Web site (http://support.microsoft.com/security/)."

    For a FREE step-by-step guide to installing the unofficial patch, go to http://www.HelpProtectMyComputer.com/WMFflaw.html
     
  16. aabbccdd


    this is a dead link ??

    www.hexblog.com/security/files/wmffix_hexblog11.exe
     
  17. SmokeyDog


  18. Nicklt

    My girlfriend is using a Windows 98 PC. The stop DLL command does not work on her PC, nor does the unofficial patch.. Does this flaw even affect Win98?? If so, what can I do to protect my G/F's Win98 PC??
     
  19. Xian

    The official patch is out now at Windows Update or
    http://www.microsoft.com/technet/security/Bulletin/MS06-001.mspx

    I had to manually re-register shimgvw.dll since I had unregistered it days ago when this exploit first appeared, but others said that they didn't have to re-register it afterwards even though they had done the same.
     
    Last edited: Jan 5, 2006
  20. ireland

    main page FOR THE FIX

    Microsoft Security Bulletin MS06-001
    Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution (912919)
    Published: January 5, 2006
    http://www.microsoft.com/technet/security/Bulletin/MS06-001.mspx

    Security Update for Windows 2000 (KB912919)
    Brief Description
    A remote code execution security issue has been identified in the Graphics Rendering Engine that could allow an attacker to remotely compromise your Windows-based system and gain control over it.
    http://www.microsoft.com/downloads/...BD-CB9A-4EF1-92A3-00FFE7B2AC74&displaylang=en
     
