A SERIOUS new Windows Vulnerability

[andyP]

Gibson Research Corporation has reported on a new security threat to all windows OSs. They offer a workaround and Q & A at:

http://www.grc.com/default.htm

[dsvochak]

Link to the Microsoft Security Advisory on this issue:
http://www.microsoft.com/technet/securi ... 12840.mspx

[davidspalding]

Steve Gibson, pshaw.... Used to have some neat utilities and ideas, but after the "sky is falling" incidents of 2001, 2002, Chicken Little is more appropriate. Still has neat utilities that check for vulnerabilities, but his touting of each vulnerability as "severe" has worn thin for this boy.

Same old mantras apply, keep your AV current, don't respond to questionable or suspicious e-mails, and refrain from visiting questionable web sites without having a good recent backup (make one now while you're thinking of it).

[DavidNZ]

I've heard of that drama involving Mr Gibson back in the day, but have yet to fully investigate what the fuss was about. He is currently doing a security-related podcast with Leo Laporte (called Security Now) that is quite informative.

[davidspalding]

[tongue in cheek]After fending off a DDoS attack on his site, and documenting in excruciating detail how it was done and how it spelled the End of Days for the Internet, Mr. Gibson shrieked long and loud, without much humility, that the raw sockets capability of (then unreleased) Windows XP would be the sure and final doom of the Internet, and spell the decline and fall of tech-civilization as we know it. Sony BMG notwithstanding, the Net and personal computing are alive and well today.

Some semi-objective coverage can be found here:

http://forms.theregister.co.uk/search/? ... gibson+grc

And here's a favorite:

http://www.theregister.co.uk/2002/02/25 ... yncookies/

[/tongue in cheek]

[GomJabbar]

The sky is falling! The sky is falling!

Remember what happened to the villagers when they ignored the "Boy who cried Wolf"

From The Washington Post, Friday, December 30, 2005
Windows Security Flaw Is 'Severe'
PCs Vulnerable to Spyware, Viruses

Mike Reavey, operations manager for Microsoft's Security Response Center, called the flaw "a very serious issue."
-------------------------------
"The problem with this attack is that it is so hard to defend against for the average user," said Johannes Ullrich, chief research officer for the SANS Internet Storm Center in Bethesda.

At first, the vulnerability was exploited by just a few dozen Web sites. Programming code embedded in these pages would install a program that warned victims their machines were infested with spyware, then prompted them to pay $40 to remove the supposed pests.

Since then, however, hundreds of sites have begun using the flaw to install a broad range of malicious software. SANS has received several reports of attackers blasting out spam e-mails containing links that lead to malicious sites exploiting the new flaw, Ullrich said.

Dean Turner, a senior manager at anti-virus firm Symantec Corp. of Cupertino, Calif., said the company has seen the vulnerability exploited to install software that intercepts personal and financial information when users of infected computers enter the data at certain banking or e-commerce sites.
-----------------------------
Richard M. Smith, a Boston security and privacy consultant, said he was particularly worried that the vulnerability could soon be used to power a fast-spreading e-mail worm.

"We could see the mother of all worms here," Smith said. "My big fear is we're going to wake up in the next week or two and have people warning users not to read their e-mail because something is going around that's extremely virulent."

[DavidNZ]

Sony BMG notwithstanding, the Net and personal computing are alive and well today.

Sensational. Had a good laugh out loud at that one!

[dvorak]

Just use the latest version of Firefox and do not download any WMF files to your hard drive, as simple as that. Unregistering the Image Viewer DLL also disables viewing images on your computer via the convenient viewer, so that's no good.

[GomJabbar]

Unregistering the Image Viewer DLL also disables viewing images on your computer via the convenient viewer, so that's no good.

Well, I unregistered the Image Viewer DLL. It's true that you can't view images via Windows Picture and Fax Viewer, or see thumbnail views in Explorer. However, you can view images in Paint or any number of other programs. You can also view thumbnails with other picture managing software you may have, such as ArcSoft PhotoImpression.

Since this is only a temporary work-around, I can live with the inconvenience for a couple of weeks, or until Windows Update fixes the Security issue.

I am neutral regarding Steve Gibson, but I do commend him for listing an easy workaround for this security issue, and for listing the undo for the workaround.

[dvorak]

Well dosens of sites listed the easy fix way before Steve :)
It's always the first thing one can do, remove the DLLs with the hole.

Using Firefox should be the first thing to do these days, lot's of undocumented security holes with IE that get exploited quietly.

[GomJabbar]

Well dosens of sites listed the easy fix way before Steve
It's always the first thing one can do, remove the DLLs with the hole.

As it happens, I first read about this security problem on this thread.

Using Firefox should be the first thing to do these days, lot's of undocumented security holes with IE that get exploited quietly.

I agree - at least about the part regarding the use of Internet Explorer. I still do most of my web browsing with Netscape 7.2. I prefer its interface to Firefox. . Other times I use Opera. I like the features of Opera. I like how easy it is to zoom in and out on images (using the + & - keys), I like the tabs, and I like that when you close Opera and later reopen it; any pages that were open when it was closed appear immediately. I have Firefox on my ThinkPad as well, but I do not use it very often.

[dvorak]

Unfortunately all versions of Opera are still exploitable, apparently it uses the DLL to display the WMFs.

The reopening tabs thing can be added to Firefox with SessionSaver extension.

[GomJabbar]

http://www.f-secure.com/weblog/archives ... l#00000752

In our tests (under XP SP2) older versions of Firefox (1.0.4) defaulted to open WMF files with "Windows Picture and Fax Viewer", which is vulnerable. Newer versions (1.5) defaulted to open them with Windows Media Player, which is not vulnerable...but then again, Windows Media Player is not able to show WMF files at all so this might be a bug in Firefox. Opera 8.51 defaults to open WMF files with "Windows Picture and Fax Viewer" too. However, all versions of Firefox and Opera prompt the user first.

[davidspalding]

Me, too, Gom, since I stopped writing about such things, I just wait until I stumble across it. I don't do a lot of wandering on the Web anyway.

Be it noted, when SANS, CERT, or Richard Smith (a far more moderate security commentator, and One Smart Fellow indeed) chime in, then the danger is real. It's just that Gibson has but two settings on his volume meter: normal, and DEFCON 1. Rob Rosenberger has 2-3 very, very funny puns on his pages, if you Google for both their names, you'll find them.

[GomJabbar]

Well, I unregistered the Image Viewer DLL. It's true that you can't view images via Windows Picture and Fax Viewer, or see thumbnail views in Explorer. However, you can view images in Paint or any number of other programs. You can also view thumbnails with other picture managing software you may have, such as ArcSoft PhotoImpression.

After I wrote the above, I ran across the following information:

http://www.f-secure.com/weblog/archives ... l#00000752

The amount of trojans using the zero-day WMF exploit is increasing rapidly.

Many people have now used the REGSRV32 workaround to stop the immediate threat. Some users have come back to us after we quoted Microsoft on the workaround wondering if the workaround really works. The workaround will stop the exploit for Internet Explorer and Explorer - even though WMF images still show as normal.

What the workaround does not stop against is if you open an exploited file in MSPAINT (aka Paintbrush). And like always, renaming the file to any other image extension will not make a difference to MSPAINT. So our suggestion is to not open any pictures right now with MSPAINT whatsoever. Perhaps leaving image editors out completely for the rest of the year might be a good idea. [bolding added]

[davidspalding]

I'll be darned, in this case, Steve-o is running with a valid alarm. And my snarky response wasn't entirely appropriate. ,)

MOD ... might want to make a sticky or announcement for a week or so until MS has a patch. Your call, of course.

For those too lazy to follow the links, here's Microsoft's suggested action as of 12/28:

Un-register the Windows Picture and Fax Viewer (Shimgvw.dll) on Windows XP Service Pack 1; Windows XP Service Pack 2; Windows Server 2003 and Windows Server 2003 Service Pack 1

Microsoft has tested the following workaround. While this workaround will not correct the underlying vulnerability, it helps block known attack vectors. When a workaround reduces functionality, it is identified in the following section.

Note The following steps require Administrative privileges. It is recommended that the machine be restarted after applying this workaround. It is also possible to log out and log back in after applying the workaround. However, the recommendation is to restart the machine.

To un-register Shimgvw.dll, follow these steps:

1. Click Start, click Run, type "regsvr32 -u %windir%\system32\shimgvw.dll" (without the quotation marks), and then click OK.
2. A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.

Impact of Workaround: The Windows Picture and Fax Viewer will no longer be started when users click on a link to an image type that is associated with the Windows Picture and Fax Viewer.

To undo this change, re-register Shimgvw.dll by following the above steps. Replace the text in Step 1 with “regsvr32 %windir%\system32\shimgvw.dll” (without the quotation marks).

[GomJabbar]

From PC World: Extremely Critical Windows Security Hole

Secunia, Kaspersky and others have alerts up today about a new vulnerability in the way Windows handles Metafile files (*.wmf). It's a bad one: it has the highest possible risk rating, there aren't patches yet, and there are known exploits in the wild that take advantage of the hole.

[dvorak]

http://www.f-secure.com/weblog/archives ... l#00000752

In our tests (under XP SP2) older versions of Firefox (1.0.4) defaulted to open WMF files with...

Yes, well aware of that, and that's why I wrote exactly that:

Just use the latest version of Firefox and do not download any WMF files to your hard drive, as simple as that.

Not using 1.0.7/1.5 is bad anyways, there were some other security fault with the older ones anyway.

[GomJabbar]

Unfortunately all versions of Opera are still exploitable, apparently it uses the DLL to display the WMFs.

Opera 8.51 defaults to open WMF files with "Windows Picture and Fax Viewer" too. However, all versions of Firefox and Opera prompt the user first.

Newer versions (1.5) defaulted to open them with Windows Media Player, which is not vulnerable...but then again, Windows Media Player is not able to show WMF files at all so this might be a bug in Firefox.

It seems you left out some strategic parts of my previous quote from f-secure.com. My point was the both Opera and Firefox can be vulnerable. Also f-secure.com brings up an interesting point; why does Firefox 1.5 attempt to open WMF files with a program that can't open them? Maybe they had a premonition?

I don't want to get in a Firefox vs. Opera war. Both are very good browsers - each with their strengths and weaknesses. To each his own. As they say YMMV.

[dvorak]

Well, if neither of the browsers display the image through the DLL, then they're not vulnerable at all. Otherwise one would have to say that every browser is vulnerable to every simple .exe virus, because if you click on one, and then open one, it'll infect.

[GomJabbar]

Some updated info from The Washington Post.

New Exploit for Unpatched Windows Flaw

The part that's different about this attack is that it's designed to generate slightly different program code each time the exploit is run -- creating a new threat with a random file size, non-WMF file extension (like .jpeg) and other variable tricks. The folks over at the SANS Internet Storm Center have more detailed information about the new exploit if you're interested.
---------------------------------------
SANS said the random garbage added onto any attack code generated with the new exploit could make it very hard for anti-virus companies to develop signatures to detect the new threats.

[DavidNZ]

Well, according to Gibson, the Windows DLL patch isn't that great:

http://www.grc.com/sn/notes-020.htm

I've installed the patch he recommends (from http://www.hexblog.com/) and seems to be fine.

[davidspalding]

More from Chicken Little.... (sigh) Bears pointing out that this "patch" is neither official nor necessarily recommended. When in doubt, follow the accepted authority, in this case Microsoft. Update AV software, wait for security hotfix from MS, yadda yadda yadda.

Not that anyone cares, but the DLL that needs to be de-registered also contributes to some XP look and feel, including

• Desktop icon label drop shadows (reverts to old Windows behavior)
• Preview of images in Display Properties Themes and Desktop tabs

Took me a little time last night figuring out what I'd mucked up this time (The Muck-up Of The Week), until realizing that I was running in Band-Aid mode.

[GomJabbar]

From TECHWORLD: Don't wait for Microsoft to fix WMF flaw

Windows users should install an unofficial security patch now, without waiting for Microsoft to make its move, advised security researchers at The SANS Institute's Internet Storm Center (ISC).

Their recommendation follows a new wave of attacks on a flaw in the way versions of Windows from 98 through XP handle malicious files in the WMF (Windows Metafile) format.
------------------------------
In addition, source code for a new exploit was widely available on the Internet by Saturday, allowing the creation of new attacks with varied payloads.The file "HappyNewYear.jpg," for example, attempts to download the Bifrose backdoor, researchers said.

These factors exacerbate the problem, according to Ken Dunham, director of the rapid response team at iDefense.

"Risk has gone up significantly in the past 24 hours for any network still not protected against the WMF exploit," Dunham warned.

[DavidNZ]

Gibson vindicated, if only a little, seeing as SANS recommending the same thing?

Question will be whether MS patches 98 and ME. May mean I have to buy my mother a new Mac!

[AndyL]

I think a patch for Win98 is likely, MS have said they will continue patching critical vulns until the middle of this year. They released a Win98 patch for MS05-054 in December, and that was of a similar severity.

[dsvochak]

From the updated MS Security Bullitin (link in my original post in this thread):

Microsoft has completed development of the security update for the vulnerability. The security update is now being localized and tested to ensure quality and application compatibility. Microsoft’s goal is to release the update on Tuesday, January 10, 2006, as part of its monthly release of security bulletins. This release is predicated on successful completion of quality testing.
---------
Microsoft has been carefully monitoring the attempted exploitation of the WMF vulnerability since it became public last week, through its own forensic capabilities and through partnerships within the industry and law enforcement. Although the issue is serious and malicious attacks are being attempted, Microsoft’s intelligence sources indicate that the scope of the attacks are not widespread.

In addition, anti-virus companies indicate that attacks based on exploiting the WMF vulnerability are being effectively mitigated through up-to-date signatures.

Sometimes (most times) I think these threats are over-hyped.

[GomJabbar]

Whether it is over-hyped or underplayed, I think depends somewhat on the source - how it is benefitted or adversely affected. Just more politics, marketing, and damage control.

For my part, I intend to err on the side of caution. YMMV

[GomJabbar]

From: Information Week, Jan 4, 2006 01:00 PM Unauthorized Patch For Microsoft WMF Bug Sparks Controversy

EDIT: Another article from: The Washington Post, Wednesday, January 4, 2006 Experts Advocate Non-Microsoft Windows Patch

Another computer-security firm, Symantec Corp., said Microsoft's decision to delay the patch for another week presents attackers with a "seven-day window that attackers could exploit this issue in a potentially widespread and serious fashion." The Cupertino, Calif., company raised its threat alert to the highest level in 16 months.

[davidspalding]

Bunch of @#&(*#@)_$ing malarkey. If you unregister the .DLL like the advisory says, you're protected [edit]from most online exploits[/edit]. You don't to install a third-party fix, skip to my loo, or go round and round the mulberry bush. One line command in the Start ... Run dialog, and you're protected from the few, rare nasties there are to exploit this.

I haven't seen a WORD (haven't been looking, either) about who NEEDS to have the ability to see thumbnails in Explorer this week. So what's the big freakin' deal?

Just shows how uninformed most technology reporters are about security holes and Trojans.