WMF Exploit!!!! Install this patch now!

Discussion in 'Computer Support' started by Jonny, Jan 3, 2006.

  1. Jonny

    Jonny Guest

    Will disabling the file extension's default program to open WMF files (setting
    it to none) do the job, along with uninstalling Windows Media Player?

    --
    Jonny
    "Jim" <> wrote in message
    news:EKtuf.37300$...
    > In case you have been living under a rock for the last week or so, you may
    > not have heard about the WMF Windows exploit.
    >
    > [SANS WMF FAQ snipped]
    >
    > Jim
     
    Jonny, Jan 3, 2006
    #1

  2. Jonny

    Jim Guest

    In case you have been living under a rock for the last week or so, you may
    not have heard about the WMF Windows exploit.

    For those rock dwellers, here's the scoop.....short and sweet. Reprinted
    here without permission from SANS at
    http://isc.sans.org/diary.php?storyid=994. Hope they don't mind.... ;).

    ---------------------------------------------

    WMF FAQ (NEW)
    Published: 2006-01-03,
    Last Updated: 2006-01-03 08:55:06 UTC by Johannes Ullrich (Version: 3(click
    to highlight changes))

    [a few users offered translations of this FAQ into various languages.
    Obviously, we can not check the translation for accuracy, nor can we update
    them. So use at your own risk: Deutsch and Deutsch (pdf), Catalan , Español
    , Italiana and Italiana, Polski, Suomenkielinen, Danish, Japanese,
    Slovenian, Chinese, Norwegian and Nederlands (in progress) ]


    a.. Why is this issue so important?
    The WMF vulnerability uses images (WMF images) to execute arbitrary code. It
    will execute just by viewing the image. In most cases, you don't have to click
    anything. Even images stored on your system may cause the exploit to be
    triggered if it is indexed by some indexing software. Viewing a directory in
    Explorer with 'Icon size' images will cause the exploit to be triggered as
    well.

    a.. Is it better to use Firefox or Internet Explorer?
    Internet Explorer will view the image and trigger the exploit without
    warning. New versions of Firefox will prompt you before opening the image.
    However, in most environments this offers little protection given that these
    are images and are thus considered 'safe'.

    a.. What versions of Windows are affected?
    All. Windows 2000, Windows XP (SP1 and SP2), Windows 2003. All are affected
    to some extent. Mac OS X, Unix and BSD are not affected.

    Note: If you're still running on Win98/ME, this is a watershed moment: we
    believe (untested) that your system is vulnerable and there will be no patch
    from MS. Your mitigation options are very limited. You really need to
    upgrade.

    a.. What can I do to protect myself?
    1.. Microsoft has not yet released a patch. An unofficial patch was made
    available by Ilfak Guilfanov. Our own Tom Liston reviewed the patch and we
    tested it. The reviewed and tested version is available here (now at v1.4,
    MD5: 15f0a36ea33f39c1bcf5a98e51d4f4f6), PGP signature (signed with ISC key)
    here. THANKS to Ilfak Guilfanov for providing the patch!!
    2.. You can unregister the related DLL.
    3.. Virus checkers provide some protection.
    To unregister the DLL:

    a.. Click Start, click Run, type "regsvr32 -u %windir%\system32\shimgvw.dll"
    (without the quotation marks), and then click OK.
    b.. A dialog box appears to confirm that the un-registration process has
    succeeded. Click OK to close the dialog box.
    Our current "best practice" recommendation is to both unregister the DLL and
    to use the unofficial patch.

    a.. How does the unofficial patch work?
    The wmfhotfix.dll is injected into any process loading user32.dll. The DLL
    then patches (in memory) gdi32.dll's Escape() function so that it ignores
    any call using the SETABORTPROC (i.e. 0x09) parameter. This should allow
    Windows programs to display WMF files normally while still blocking the
    exploit. The version of the patch located here has been carefully checked
    against the source code provided as well as tested against all known
    versions of the exploit. It should work on WinXP (SP1 and SP2) and Win2K.

    a.. Will unregistering the DLL (without using the unofficial patch)
    protect me?
    It might help. But it is not foolproof. We want to be very clear on this: we
    have some very strong indications that simply unregistering the shimgvw.dll
    isn't always successful. The .dll can be re-registered by malicious
    processes or other installations, and there may be issues where
    re-registering the .dll on a running system that has had an exploit run
    against it allowing the exploit to succeed. In addition it might be
    possible for there to be other avenues of attack against the Escape()
    function in gdi32.dll. Until there is a patch available from MS, we
    recommend using the unofficial patch in addition to un-registering
    shimgvw.dll.
    a.. Should I just delete the DLL?
    It might not be a bad idea, but Windows File Protection will probably
    replace it. You'll need to turn off Windows File Protection first. Also,
    once an official patch is available you'll need to replace the DLL.
    (renaming, rather than deleting is probably better so it will still be
    handy).

    a.. Should I just block all .WMF images?
    This may help, but it is not sufficient. WMF files are recognized by a
    special header and the extension is not needed. The files could arrive using
    any extension, or embedded in Word or other documents.

    a.. What is DEP (Data Execution Protection) and how does it help me?
    With Windows XP SP2, Microsoft introduced DEP. It protects against a wide
    range of exploits, by preventing the execution of 'data segments'. However,
    to work well, it requires hardware support. Some CPUs, like AMD's 64 Bit
    CPUs, will provide full DEP protection and will prevent the exploit.

    a.. How good are Anti Virus products to prevent the exploit?
    At this point, we are aware of versions of the exploit that will not be
    detected by antivirus engines. We hope they will catch up soon. But it will
    be a hard battle to catch all versions of the exploit. Up to date AV systems
    are necessary but likely not sufficient.

    a.. How could a malicious WMF file enter my system?
    There are too many methods to mention them all. E-mail attachments, web
    sites, instant messaging are probably the most likely sources. Don't forget
    P2P file sharing and other sources.

    a.. Is it sufficient to tell my users not to visit untrusted web sites?
    No. It helps, but it's likely not sufficient. We had at least one widely
    trusted web site (knoppix-std.org) which was compromised. As part of the
    compromise, a frame was added to the site redirecting users to a corrupt WMF
    file. "Trusted" sites have been used like this in the past.

    a.. What is the actual problem with WMF images here?
    WMF images are a bit different than most other images. Instead of just
    containing simple 'this pixel has that color' information, WMF images can
    call external procedures. One of these procedure calls can be used to
    execute the code.

    a.. Should I use something like "dropmyrights" to lower the impact of an
    exploit?
    By all means yes. Also, do not run as an administrator-level user for
    everyday work. However, this will only limit the impact of the exploit, and not
    prevent it. Also: Web browsing is only one way to trigger the exploit. If
    the image is left behind on your system, and later viewed by an
    administrator, you may get 'hit'.

    a.. Are my servers vulnerable?
    Maybe... do you allow the uploading of images? email? Are these images
    indexed? Do you sometimes use a web browser on the server? In short: If
    someone can get an image to your server, and if the vulnerable DLL may look
    at it, your server may very well be vulnerable.

    a.. What can I do at my perimeter / firewall to protect my network?
    Not much. A proxy server that strips all images from web sites? Probably
    won't go over well with your users. At least block .WMF images (see above
    about extensions...). If your proxy has some kind of virus checker, it may
    catch it. Same for mail servers. The less you allow your users to initiate
    outbound connections, the better. Close monitoring of user workstations may
    provide a hint if a workstation is infected.

    a.. Can I use an IDS to detect the exploit?
    Most IDS vendors are working on signatures. Contact your vendor for details.
    Bleedingsnort.org is providing some continuously improving signatures for
    snort users.

    a.. If I get hit by the exploit, what can I do?
    Not much :-(. It very much depends on the exact exploit you are hit with.
    Most of them will download additional components. It can be very hard, or
    even impossible, to find all the pieces. Microsoft offers free support for
    issues like that at 866-727-2389 (866 PC SAFETY).

    a.. Does Microsoft have information available?
    http://www.microsoft.com/technet/security/advisory/912840.mspx
    But there is no patch at the time of this writing.


    a.. What does CERT have to say?
    http://www.kb.cert.org/vuls/id/181038
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4560


    -----------------------------------------

    So run the patch, reboot and keep your fingers crossed!

    Jim
     
    Jim, Jan 3, 2006
    #2

  3. Jonny

    Jim Guest

    Jim, Jan 3, 2006
    #3
  4. Jonny

    Jim Guest

    No. The file type is launched by its internal header. The file extension
    really doesn't matter.

    Windows media player is only one app that can display the files. There are
    many more.

    The only way to minimize your risk is to run the patch.

    Jim

    "Jonny" <> wrote in message
    news:...
    > Will disabling the file extension's default program to open WMF files
    > (setting it to none) do the job, along with uninstalling Windows Media Player?
    >
    > --
    > Jonny
    > "Jim" <> wrote in message
    > news:EKtuf.37300$...
    >> In case you have been living under a rock for the last week or so, you may
    >> not have heard about the WMF Windows exploit.
    >>
    >> [SANS WMF FAQ snipped]
    >>
    >> Jim
     
    Jim, Jan 3, 2006
    #4
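    Two points in this thread are worth seeing in working code: the FAQ's warning that blocking files by the .WMF extension is not sufficient because the format is recognised by its header, and Jim's reply above that the file type is determined by the internal header, not the name. The scanner below is an added example and is not part of the original thread, the SANS FAQ or Ilfak Guilfanov's patch. It identifies WMF content from the placeable and META_HEADER headers, walks the record list, and reports any META_ESCAPE record whose escape function is SETABORTPROC (0x09), the record the FAQ describes. The header and record constants (0x9AC6CDD7, 0x0626, 0x020C, the 18-byte header layout) are the standard WMF format values; the sample files and their names are constructed inside the code and are not captured exploits.

```python
"""Find SETABORTPROC escape records in Windows Metafile content, whatever the
file is called. Added example; samples below are constructed, not captured."""
import functools
import struct

# Standard WMF format values. SETABORTPROC (0x09) is the escape named in the
# FAQ above; the rest are the documented header/record constants.
PLACEABLE_KEY = 0x9AC6CDD7   # magic of the optional 22-byte placeable header
PLACEABLE_LEN = 22
HEADER_LEN = 18              # META_HEADER that every metafile carries
META_EOF = 0x0000
META_ESCAPE = 0x0626
META_SETWINDOWEXT = 0x020C   # a harmless drawing record used in the samples
SETABORTPROC = 0x0009


def looks_like_wmf(data):
    """Identify WMF content by its header bytes, ignoring the file name."""
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        return True
    if len(data) >= HEADER_LEN:
        mtype, header_words, version = struct.unpack_from("<HHH", data, 0)
        return mtype in (1, 2) and header_words == 9 and version in (0x0100, 0x0300)
    return False


def scan_wmf(data):
    """Walk the record list; report SETABORTPROC escapes and malformed records.
    Returns [] for non-WMF input or a metafile with neither."""
    findings = []
    if not looks_like_wmf(data):
        return findings
    off = PLACEABLE_LEN if struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY else 0
    off += HEADER_LEN
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)   # size is in 16-bit words
        if func == META_ESCAPE and off + 8 <= len(data):
            escape_fn = struct.unpack_from("<H", data, off + 6)[0]
            if escape_fn == SETABORTPROC:
                findings.append(
                    f"META_ESCAPE/SETABORTPROC record at offset {off} "
                    f"(declared size {size_words} words)")
        if size_words < 3:
            # A record cannot be smaller than its own 6-byte header; trusting
            # the declared size would stall or mis-parse the walk, so stop here.
            findings.append(f"malformed record at offset {off}: size {size_words} words")
            break
        if func == META_EOF:
            break
        off += size_words * 2
    return findings


def scan_files(files):
    """Scan a {name: bytes} mapping; the name is only reported, never trusted."""
    return {name: scan_wmf(data) for name, data in files.items()}


# --- constructed sample files -------------------------------------------------

def _record(func, params=b""):
    """One WMF record: size in words (header included), function, parameters."""
    params += b"\x00" * (len(params) % 2)
    return struct.pack("<IH", 3 + len(params) // 2, func) + params


def _wmf(records, placeable=True):
    """Assemble a metafile from records, appending META_EOF and the headers."""
    body = b"".join(records) + _record(META_EOF)
    size_words = (HEADER_LEN + len(body)) // 2
    max_record = max(len(r) for r in records) // 2
    header = struct.pack("<HHHIHIH", 2, 9, 0x0300, size_words, 0, max_record, 0)
    if not placeable:
        return header + body
    head = struct.pack("<IHhhhhHI", PLACEABLE_KEY, 0, 0, 0, 1000, 1000, 1440, 0)
    checksum = functools.reduce(lambda a, b: a ^ b, struct.unpack("<10H", head))
    return head + struct.pack("<H", checksum) + header + body


ABORTPROC_ESCAPE = _record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + b"\x41" * 4)

SAMPLES = {
    "drawing.wmf": _wmf([_record(META_SETWINDOWEXT, struct.pack("<hh", 100, 100))]),
    "photo.jpg": _wmf([ABORTPROC_ESCAPE]),                    # escape behind a .jpg name
    "attachment": _wmf([ABORTPROC_ESCAPE], placeable=False),  # no placeable header, no extension
    "broken.wmf": _wmf([struct.pack("<IH", 1, META_ESCAPE) + struct.pack("<HH", SETABORTPROC, 0)]),
    "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 24,          # not a metafile at all
}

if __name__ == "__main__":
    for name, hits in scan_files(SAMPLES).items():
        print(name, "->", "; ".join(hits) if hits else "clean")
```

    Run stand-alone, the two renamed samples are flagged while drawing.wmf and logo.png come back clean, which is the whole argument against extension-based blocking at a proxy or mail gateway: inspection has to start from the bytes. Stopping at a record whose declared size is smaller than its own header is a defensive choice in this scanner, not a claim about how any particular exploit sample is laid out.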
  5. Jonny

    Trax Guest

    "Jonny" <> wrote:

    |>Will disabling the file extension's default program to open wmf files, to
    |>none do the job, along with deinstalling windows media player?

    No, just update your virus checker; most will catch it now. I use NOD32
    and it does (I've seen it work).

    Not running IE helps, as Firefox and Opera ask if you want to
    download the WMF file.

    And my favorite: http://www.annoyances.org/exec/show/article03-201
    But I don't really know if this works, as I've always stopped the WMF
    from executing (NOD32).

    |>Jonny
    |>"Jim" <> wrote in message
    |>news:EKtuf.37300$...
    |>> In case you have been living under a rock for the last week or so, you may
    |>> not have heard about the WMF Windows exploit.


    --
    Time Wasting Sites on the Net
    http://freebies.about.com/od/710/tp/timewasting.htm
     
    Trax, Jan 3, 2006
    #5
  6. Jonny

    Jim Guest

    Not everybody's antivirus is up to the task....
    http://www.eweek.com/article2/0,1895,1907102,00.asp

    I didn't see NOD on the list... so I'll defer to your experience.

    Jim


    "Trax" <> wrote in message
    news:...
    > "Jonny" <> wrote:
    >
    > |>Will disabling the file extension's default program to open wmf files,
    > to
    > |>none do the job, along with deinstalling windows media player?
    >
    > No, just update your virus checker most will catch it now, I use NOD32
    > and it does (I've seen it work)
    >
    > Not running I.E. helps as FireFox and Opera ask if you want to
    > download the WMF file.
    >
    > And my favorite http://www.annoyances.org/exec/show/article03-201
    > but I don't really know if this works as I've always stop'd the WMF
    > from executing (NOD32)
    >
    > |>Jonny
    > |>"Jim" <> wrote in message
    > |>news:EKtuf.37300$...
    > |>> In case you have been living under a rock for the last week or so, you
    > may
    > |>> not have heard about the WMF Windows exploit.
    >
    >
    > --
    > Time Wasting Sites on the Net
    > http://freebies.about.com/od/710/tp/timewasting.htm
     
    Jim, Jan 3, 2006
    #6
  7. Jonny

    Leythos Guest

    In article <qtyuf.37570$>,
    se says...
    > Not everybody's antivirus is up to the task....
    > http://www.eweek.com/article2/0,1895,1907102,00.asp
    >
    > I didn't see NOD on the list......so I'll defer to your experience.


    Note, that article was dated: December 31, 2005

    --


    remove 999 in order to email me
     
    Leythos, Jan 3, 2006
    #7
  8. Jonny

    Trax Guest

    Leythos <> wrote:

    |>In article <qtyuf.37570$>,
    |> says...
    |>> Not everybody's antivirus is up to the task....
    |>> http://www.eweek.com/article2/0,1895,1907102,00.asp
    |>>
    |>> I didn't see NOD on the list......so I'll defer to your experience.

    |>Note, that article was dated: December 31, 2005

    I didn't get the original post so I have to piggyback on the reply.

    I posted this to another message a few days ago:

    From: "David H. Lipman" <DLipman~nospam~@Verizon.Net>
    Newsgroups: microsoft.public.windowsxp.general

    Carey:

    Please don't post the following...

    Microsoft Live Safety Center
    http://safety.live.com/site/en-US/default.htm

    It is a Beta and on a scale from 1 to 10 it is a 2

    If you are going to post an online scanner, post one that actually has a
    high catch rate.

    Kaspersky:
    http://www.kaspersky.com/de/scanforvirus

    I have been in communication with Randy Treir and I have been testing
    the site. Straight talk -- it sucks!

    I gave it a zoo and it had a 22% catch rate.

    When I tested an "Exploit-WMF" sample yesterday, these were the
    results...

    AntiVir 6.33.0.70 12.29.2005 TR/Dldr.WMF.Agent.D
    Avast 4.6.695.0 12.29.2005 Win32:Exdown
    AVG 718 12.29.2005 Downloader.Agent.13.AI
    Avira 6.33.0.70 12.29.2005 TR/Dldr.WMF.Agent.D
    BitDefender 7.2 12.29.2005 Exploit.Win32.WMF-PFV.C
    CAT-QuickHeal 8.00 12.29.2005 WMF.Exploit
    ClamAV devel-20051123 12.29.2005 Exploit.WMF.A
    DrWeb 4.33 12.29.2005 Exploit.MS05-053
    eTrust-Iris 7.1.194.0 12.29.2005 Win32/Worfo.C!Trojan
    eTrust-Vet 12.4.1.0 12.29.2005 Win32/Worfo
    Ewido 3.5 12.29.2005 Downloader.Agent.acd
    Fortinet 2.54.0.0 12.29.2005 W32/WMF-exploit
    F-Prot 3.16c 12.29.2005 security risk or a "backdoor" program
    Ikarus 0.2.59.0 12.29.2005 Trojan-Downloader.Win32.Agent.ACD
    Kaspersky 4.0.2.24 12.29.2005 Trojan-Downloader.Win32.Agent.acd
    McAfee 4662 12.29.2005 Exploit-WMF
    Microsoft ?? 12.29.2005 no virus found
    NOD32v2 1.1343 12.28.2005 Win32/TrojanDownloader.Wmfex
    Norman 5.70.10 12.29.2005 no virus found
    Panda 9.0.0.4 12.28.2005 Exploit/Metafile
    Sophos 4.01.0 12.29.2005 Troj/DownLdr-NK
    Symantec 8.0 12.29.2005 Download.Trojan
    TheHacker 5.9.1.064 12.28.2005 Exploit/WMF
    Trend Micro 135 12.29.2005 TROJ_NASCENE.D
    UNA 1.83 12.29.2005 no virus found
    VBA32 3.10.5 12.28.2005 no virus found


    Today however it is caught...

    Microsoft ?? 12.30.2005 Exploit:Win32/Wmfap

    Just because you are a Microsoft MVP, please don't suggest a low
    quality product when there are high quality alternatives.
    Especially when it is a security related issue!


    --
    Time Wasting Sites on the Net
    http://freebies.about.com/od/710/tp/timewasting.htm
     
    Trax, Jan 3, 2006
    #8
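The multi-engine output quoted above is easy to misread by eye, so here is an added example (not from the post or from any of the vendors listed) that parses lines in that Engine Version Date Verdict layout, lists which engines missed the sample, and folds in a later rescan line the way the 12.30.2005 Microsoft line supersedes the 12.29.2005 one. The input is a retyped subset of the quoted lines.

```python
import re
from dataclasses import dataclass

# Constructed test input: a retyped subset of the scan lines quoted in the post above.
# Each line is "<engine> <version> <MM.DD.YYYY> <verdict>"; engine and verdict may
# contain spaces, so the date token is the only reliable anchor for splitting.
SCAN_RESULTS = """\
F-Prot 3.16c 12.29.2005 security risk or a "backdoor" program
Microsoft ?? 12.29.2005 no virus found
NOD32v2 1.1343 12.28.2005 Win32/TrojanDownloader.Wmfex
Norman 5.70.10 12.29.2005 no virus found
Trend Micro 135 12.29.2005 TROJ_NASCENE.D
VBA32 3.10.5 12.28.2005 no virus found
"""
LINE_RE = re.compile(
    r"^(?P<engine>.+?)\s+(?P<version>\S+)\s+(?P<date>\d{2}\.\d{2}\.\d{4})\s+(?P<verdict>.+)$"
)
MISS = "no virus found"  # wording the scan output uses for a non-detection

@dataclass(frozen=True)
class Verdict:
    engine: str
    version: str
    date: str
    verdict: str

    @property
    def detected(self) -> bool:
        return self.verdict.strip().lower() != MISS

def parse_scan(text: str) -> list[Verdict]:
    """Parse scan lines; a malformed line raises rather than being silently skipped."""
    results = []
    for line in filter(None, map(str.strip, text.splitlines())):
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable scan line: {line!r}")
        results.append(Verdict(**m.groupdict()))
    return results

def catch_rate(results: list[Verdict]) -> float:
    """Fraction of the engines that flagged the sample."""
    return sum(v.detected for v in results) / len(results)

def misses(results: list[Verdict]) -> list[str]:
    """Engines that reported nothing: users relying on them alone were unprotected."""
    return [v.engine for v in results if not v.detected]

def rescan_update(results: list[Verdict], later_lines: str) -> list[Verdict]:
    """Replace an engine's verdict with a later scan line, keyed by engine name."""
    by_engine = {v.engine: v for v in results}
    for v in parse_scan(later_lines):
        by_engine[v.engine] = v
    return list(by_engine.values())
```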
  9. Jonny

    Rock Guest

    Jim wrote:

    > Not everybody's antivirus is up to the task....
    > http://www.eweek.com/article2/0,1895,1907102,00.asp
    >
    > I didn't see NOD on the list......so I'll defer to your experience.
    >
    > Jim
    >
    >
    > "Trax" <> wrote in message
    > news:...
    >
    >>"Jonny" <> wrote:
    >>
    >>|>Will disabling the file extension's default program to open wmf files,
    >>to
    >>|>none do the job, along with deinstalling windows media player?
    >>
    >>No, just update your virus checker; most will catch it now. I use NOD32
    >>and it does (I've seen it work).
    >>
    >>Not running I.E. helps as FireFox and Opera ask if you want to
    >>download the WMF file.
    >>
    >>And my favorite http://www.annoyances.org/exec/show/article03-201
    >>but I don't really know if this works as I've always stopped the WMF
    >>from executing (NOD32)
    >>
    >>|>Jonny
    >>|>"Jim" <> wrote in message
    >>|>news:EKtuf.37300$...
    >>|>> In case you have been living under a rock for the last week or so, you
    >>may
    >>|>> not have heard about the WMF Windows exploit.
    >>
    >>
    >>--
    >>Time Wasting Sites on the Net
    >>http://freebies.about.com/od/710/tp/timewasting.htm

    >
    >
    >


    Nod32 is on the list as Eset (Nod32)

    --
    Rock
    MS MVP Windows - Shell/User
     
    Rock, Jan 3, 2006
    #9
  10. Jonny

    JP Guest

    JP, Jan 3, 2006
    #10
  11. Bruce Chambers, Jan 4, 2006
    #11
  12. Jonny

    CountryLover Guest

    On Tue, 03 Jan 2006 19:36:35 -0700, Bruce Chambers <3t>
    wrote:

    >Jim wrote:
    >
    >
    >
    > What kind of an idiot would install an "unofficial" patch. I can't
    >think of a more common way currently used to spread malware.


    Been living under a rock for the last week or so, eh?
     
    CountryLover, Jan 4, 2006
    #12
  13. Jonny

    Jim Guest

    This makes it look like I made this ignorant quote. I did not. It is
    Bruce's statement.

    Whether Bruce posted this through ignorance of his newsreader or with
    malicious intent I cannot say. Perhaps he will enlighten us as to why he
    would make it appear that I had said something that I did not (check the
    threads).

    Jim

    "CountryLover" <> wrote in message
    news:...
    > On Tue, 03 Jan 2006 19:36:35 -0700, Bruce Chambers
    > <3t>
    > wrote:
    >
    >>Jim wrote:
    >>
    >>
    >>
    >> What kind of an idiot would install an "unofficial" patch. I can't
    >>think of a more common way currently used to spread malware.

    >
    > Been living under a rock for the last week or so, eh?
     
    Jim, Jan 4, 2006
    #13
  14. Jonny

    Jim Guest

    I'm out...

    I'm outta here.

    I have shown you what I know about the patch and protecting yourselves. I
    have projects to get out and must concentrate on them at this time.

    Ultimately (in PCs as in life), your security is in your hands. Do your
    research. Listen to whom you trust.

    I wish you all the very best in this new year.

    Have fun and be safe.

    Jim
     
    Jim, Jan 4, 2006
    #14
  15. Jonny

    Toolman Tim Guest

    In news:p_Huf.11903$,
    Jim spewed forth:
    >
    > "CountryLover" <> wrote in message
    > news:...
    >
    >> On Tue, 03 Jan 2006 19:36:35 -0700, Bruce Chambers
    >> <3t> wrote:
    >>>
    >>> What kind of an idiot would install an "unofficial" patch. I can't
    >>> think of a more common way currently used to spread malware.

    >>
    >> Been living under a rock for the last week or so, eh?

    >
    > This makes it look like I made this ignorant quote. I did not. It is
    > Bruce's statement.
    >
    > Whether Bruce posted this through ignorance of his newsreader or with
    > malicious intent I cannot say. Perhaps he will enlighten us as to why
    > he would make it appear that I had said something that I did not
    > (check the threads).
    >
    > Jim
    >
    >

    I was going to jump in on Bruce's post and say I thought *he* was the idiot.
    Many security "patches" exist that are not generated by Microsoft. Can you
    say "firewall"? Or "antivirus"? Or adware/spyware blockers? These would not
    be the necessities of modern Windows computing they are today if the OS was
    written better (right, Mitch? <g>) While perhaps not direct "patches" to the
    OS, many are "add-ons" and in the form of services become integrated into
    the OS just like a patch would. And by following basic "safe hex" practices,
    there is little risk downloading that patch.

    --
    Whenever I think of the past, it brings back so many memories...
     
    Toolman Tim, Jan 4, 2006
    #15
  16. Jonny

    Leythos Guest

    In article <kCIuf.77$>, lid
    says...
    > I was going to jump in on Bruce's post and say I thought *he* was the idiot.
    > Many security "patches" exist that are not generated by Microsoft. Can you
    > say "firewall"? Or "antivirus"? Or adware/spyware blockers? These would not
    > be the necessities of modern Windows computing they are today if the OS was
    > written better (right, Mitch? <g>) While perhaps not direct "patches" to the
    > OS, many are "add-ons" and in the form of services become integrated into
    > the OS just like a patch would. And by following basic "safe hex" practices,
    > there is little risk downloading that patch.


    I'm not taking sides in this who said what/is what, but I can tell you
    that on our networks we won't be installing any patch, Microsoft
    or third party, until it's been tested on production clone systems to
    determine what it breaks before it's released into the customers'
    networks.

    I would hazard a guess that it will take two days for most IT groups to
    implement the MS fix, and more for those implementing a third party fix.
    At the same time, many groups, where they don't have the hole that
    permits unrestricted workers access to the Internet, where they don't
    allow all attachments in email, won't have a problem waiting while they
    test.

    --


    remove 999 in order to email me
     
    Leythos, Jan 4, 2006
    #16
  17. Jonny

    Toolman Tim Guest

    In news:UFIuf.429$,
    Leythos spewed forth:
    > In article <kCIuf.77$>, lid
    > says...
    >> I was going to jump in on Bruce's post and say I thought *he* was
    >> the idiot. Many security "patches" exist that are not generated by
    >> Microsoft. Can you say "firewall"? Or "antivirus"? Or adware/spyware
    >> blockers? These would not be the necessities of modern Windows
    >> computing they are today if the OS was written better (right, Mitch?
    >> <g>) While perhaps not direct "patches" to the OS, many are
    >> "add-ons" and in the form of services become integrated into the OS
    >> just like a patch would. And by following basic "safe hex"
    >> practices, there is little risk downloading that patch.

    >
    > I'm not taking sides in this who said what/is what, but I can tell you
    > that on our networks we won't be installing any patch,
    > Microsoft or third party, until it's been tested on production clone
    > systems to determine what it breaks before it's released into the
    > customers' networks.
    >
    > I would hazard a guess that it will take two days for most IT groups
    > to implement the MS fix, and more for those implementing a third
    > party fix. At the same time, many groups, where they don't have the
    > hole that permits unrestricted workers access to the Internet, where
    > they don't allow all attachments in email, won't have a problem
    > waiting while they test.


    Several days (and even longer) isn't uncommon in developing and implementing
    a fix. In fact, part of the delay on the part of MS is (hopefully) from
    their attempt to make a patch that doesn't crash something critical
    somewhere. There have been enough cases of the cure being worse than the
    disease...

    --
    Whenever I think of the past, it brings back so many memories...
     
    Toolman Tim, Jan 4, 2006
    #17
  18. Jonny

    Todd H. Guest

    Bruce Chambers <3t> writes:

    > What kind of an idiot would install an "unofficial" patch. I
    > can't think of a more common way currently used to spread malware.


    A desperate one who:
    - lacks official patch choices
    - faces an extremely critical threat with attack vectors via web
      browsing (even trusted sites that might be defaced), IM, and email
      channels
    - has an option for an unofficial patch coded by one of the best
      low-level Windows programmers on the planet and recommended by one of
      the most respected security organizations on the planet (SANS)


    It's either that or disconnect your computer from the net until next
    Tuesday.

    Best Regards,
    --
    Todd H.
    http://www.toddh.net/
     
    Todd H., Jan 4, 2006
    #18
  19. Jonny

    Kerry Brown Guest

    Re: I'm out...

    Jim wrote:
    > I'm outta here.
    >
    > I have shown you what I know about the patch and protecting
    > yourselves. I have projects to get out and must concentrate on them
    > at this time.
    > Ultimately (in PCs as in life), your security is in your hands. Do
    > your research. Listen to whom you trust.
    >
    > I wish you all the very best in this new year.
    >
    > Have fun and be safe.
    >
    > Jim


    Thank you. Although many respected people here have disagreed with you, it
    has been a valuable discussion. Personally I have seen enough of my
    customers' computers that have been compromised, and done enough testing to
    prove to myself that the patch works to block the exploit, that I have
    installed it. Yes, it may cause some unforeseen problems, but it can be
    easily uninstalled if it does. I look forward to uninstalling it when
    Microsoft releases their patch. I agree with the way Microsoft is releasing
    their patch. Their patch has to work and has to be well tested before
    general release. I really take offence with the way Microsoft is downplaying
    the severity of the exploit and how prevalent it is. They are giving many
    people a false sense of security and causing untold damage to unsuspecting
    users by lulling them into a false sense of security. To anyone who doesn't
    believe this, try this. Build a clean machine. Update Windows. Install
    your favourite anti-virus and anti-spyware programs. Visit a few of the
    known bad sites. You will be infected. Fine, you say. I just won't visit
    those sites. There have already been known legitimate sites that have been
    hacked and frames added with the exploit. Microsoft is right to test the
    patch completely. They are wrong to minimize the exploit's impact.

    Kerry
     
    Kerry Brown, Jan 4, 2006
    #19
  20. Jonny

    Barry OGrady Guest

    On Tue, 03 Jan 2006 19:36:35 -0700, Bruce Chambers <3t> wrote:

    >Jim wrote:
    >
    >
    >
    > What kind of an idiot would install an "unofficial" patch. I can't
    >think of a more common way currently used to spread malware.


    Rather suspicious.


    >
    >
    >--
    >
    >Bruce Chambers
    >
    >Help us help you:
    >http://dts-l.org/goodpost.htm
    >http://www.catb.org/~esr/faqs/smart-questions.html
    >
    >You can have peace. Or you can have freedom. Don't ever count on having
    >both at once. - RAH


    Barry
    =====
    Home page
    http://members.iinet.net.au/~barry.og
     
    Barry OGrady, Jan 4, 2006
    #20