A SERIOUS new Windows Vulnerability

GomJabbar
Moderator
Posts: 9765
Joined: Tue Jun 07, 2005 6:57 am

#31 Post by GomJabbar » Thu Jan 05, 2006 8:44 pm

I think that someone other than the technology reporters is uninformed. I guess the earlier post from f-secure.com wasn't bold enough. I'll make it more readable.
f-secure.com wrote:The amount of trojans using the zero-day WMF exploit is increasing rapidly.

Many people have now used the REGSVR32 workaround to stop the immediate threat. Some users have come back to us after we quoted Microsoft on the workaround wondering if the workaround really works. The workaround will stop the exploit for Internet Explorer and Explorer - even though WMF images still show as normal.

What the workaround does not stop against is if you open an exploited file in MSPAINT (aka Paintbrush). And like always, renaming the file to any other image extension will not make a difference to MSPAINT. So our suggestion is to not open any pictures right now with MSPAINT whatsoever. Perhaps leaving image editors out completely for the rest of the year might be a good idea. [bolding added]
DKB

jdhurst
Admin
Posts: 5831
Joined: Thu Apr 29, 2004 6:49 am
Location: Toronto, Canada

#32 Post by jdhurst » Thu Jan 05, 2006 9:44 pm

The Microsoft patch is now out and I have installed it on my two machines. ... JD Hurst

#33 Post by GomJabbar » Thu Jan 05, 2006 10:42 pm

Great find jdhurst. I'll be over there shortly. Not all will benefit however.

From CNET: Windows 98, ME users left vulnerable to WMF bug?
CNET wrote:By not fixing the older versions of Windows, Microsoft is leaving its customers out in the cold, Murray said. "In a way they are forcing customers to upgrade, saying that you can continue to use those older operating systems if you want to be vulnerable," he said.
DKB

AndyL
Posts: 48
Joined: Wed Sep 07, 2005 8:31 am
Location: UK

#34 Post by AndyL » Fri Jan 06, 2006 5:22 am

AndyL wrote:I think a patch for Win98 is likely, MS have said they will continue patching critical vulns until the middle of this year. They released a Win98 patch for MS05-054 in December, and that was of a similar severity.
Well it looks like I was wrong (as per GomJabbar's CNET link). Thanks a bunch Microsoft :x

Here's the link to the MS security bulletin containing the patches for 2000, XP and 2003.
http://www.microsoft.com/technet/securi ... 6-001.mspx

davidspalding
ThinkPadder
Posts: 1593
Joined: Mon Nov 14, 2005 2:39 pm
Location: Durham, NC

#35 Post by davidspalding » Fri Jan 06, 2006 8:42 am

GomJabbar wrote:I think that someone other than the technology reporters is uninformed. I guess the earlier post from f-secure.com wasn't bold enough. I'll make it more readable.
Turn your flame-thrower OFF, little dude. Boldface and red type does not make your point of view any more valid ("right") than mine.
AndyL wrote:Well it looks like I was wrong (as per GomJabbar's CNET link). Thanks a bunch Microsoft :x

Here's the link to the MS security bulletin containing the patches for 2000, XP and 2003.
http://www.microsoft.com/technet/securi ... 6-001.mspx
I think I'd read that the patch was expected to be released 1/10. So if they upped the schedule due to public demand, the Win9x patches may be yet released in the near future. I think Win98 support is still active ... I know Win95 support was discontinued a while back.

#36 Post by AndyL » Fri Jan 06, 2006 9:22 am

davidspalding wrote:I think I'd read that the patch was expected to be released 1/10. So if they upped the schedule due to public demand, the Win9x patches may be yet released in the near future. I think Win98 support is still active ... I know Win95 support was discontinued a while back.
Little chance of a Win 98 patch I'm afraid - see the FAQ section of the MS bulletin. Only "critical" flaws get patched on Win98 these days, and they don't rate this one as "critical" on 98.

#37 Post by GomJabbar » Fri Jan 06, 2006 10:07 am

davidspalding wrote:
GomJabbar wrote:I think that someone other than the technology reporters is uninformed. I guess the earlier post from f-secure.com wasn't bold enough. I'll make it more readable.
Turn your flame-thrower OFF, little dude. Boldface and red type does not make your point of view any more valid ("right") than mine.
davidspalding wrote:Bunch of @#&(*#@)_$ing malarkey. If you unregister the .DLL like the advisory says, you're protected [edit]from most online exploits[/edit]. You don't need to install a third-party fix, skip to my loo, or go round and round the mulberry bush. One line command in the Start ... Run dialog, and you're protected from the few, rare nasties there are to exploit this.

I haven't seen a WORD (haven't been looking, either) about who NEEDS to have the ability to see thumbnails in Explorer this week. So what's the big freakin' deal?

Just shows how uninformed most technology reporters are about security holes and Trojans.
Who turned the flame-thrower on? :?
You can give your viewpoint without a (quote): "Bunch of @#&(*#@)_$ing malarkey."
DKB

#38 Post by davidspalding » Fri Jan 06, 2006 10:56 am

Implying that "someone other than the technology reporters is uninformed" and reprinting text in colored boldface "to make it more readable," apparently meaning ME in both cases. In my lexicon, flaming is when you start attacking the person, not the issues.

I stand by my comment. Tech reporters arguing if a wide audience needs to install an unapproved (by MS) patch for the few days it took for MS to release a patch is IMHO malarkey. Symantec's claim that the wait for a patch "presents attackers with a 'seven-day window that attackers could exploit this issue in a potentially widespread and serious fashion'" is IMHO high-grade baloney. You can't get "attacked" by this ... you have to find a page that uses the exploit, or get sent unsolicited mail that uses the exploit. Have YOU gotten any mail like that?

These publications make money not from printing reliable information, but from selling advertising. Hotheaded articles which hype digital vulnerabilities attract more "eyeballs" (online advertising term) and generate more ad revenue.

AV companies like F-secure, Symantec, McAfee, et al, do not return value for their shareholders by being good Samaritans on the Internet; they do it by selling software. They have, for years, sold software with FUD, hype, etc. Think I'm off my rocker? Here's something you quoted from F-secure: "Perhaps leaving image editors out completely for the rest of the year might be a good idea." Ha! I should return my copy of Photoshop I just bought? ROFL.

Anyone who followed MS' suggested actions was undoubtedly 99% safe from harm. But Symantec can't sell their software by saying, "follow Microsoft's recommended actions and you're probably quite safe." If you found an exploit in the wild that used the MSPAINT vulnerability, fine. But I think that's a stretch, and anyone who can resist the impulse to open questionable e-mail attachments is probably quite safe. YMMV, but unsolicited attachments (and unsolicited messages in general) take a very short trip to the bit bucket on my systems. In fact, MS e-mail programs already have features that do this effortlessly.

Listen, if you're taking this whole topic personally, take heart because I'm done here. Frankly, I think it's just (yet another) online circus - MS announces a vulnerability before providing a fix, script kiddies start creating exploits "in the wild" that you need a compass, flashlight and 4WD vehicle to find, and then the tech press starts screaming about how "serious" the vulnerability is, and how looooooong it's taking MS to release a fix (8 days, woah, an eternity!). Cue R.E.M., "It's the end of the world as we know it...." Vmyths.com is overflowing with past examples of this. I can cite duplicate episodes going all the way back to Michelangelo (virus).

FIN

DavidNZ
Senior Member
Posts: 554
Joined: Sat Jul 03, 2004 3:18 am
Location: New Zealand

#39 Post by DavidNZ » Fri Jan 06, 2006 1:05 pm

Steve Gibson has said he'll write a patch for 9x and ME if MS will not. That's awfully nice of him.
X40 (2371-6EM) w/ 768 RAM
XPP SP2
DLINK DI-614+

#40 Post by GomJabbar » Fri Jan 06, 2006 2:15 pm

davidspalding wrote:AV companies like F-secure, Symantec, McAfee, et al, do not return value for their shareholders by being good Samaritans on the Internet; they do it by selling software. They have, for years, sold software with FUD, hype, etc. Think I'm off my rocker? Here's something you quoted from F-secure: "Perhaps leaving image editors out completely for the rest of the year might be a good idea." Ha! I should return my copy of Photoshop I just bought? ROFL.
If you would have looked at the date, Thursday, December 29, 2005, that f-secure.com posted the comment about not using image editors for the rest of the year, you would have realized they meant 2005 - not 2006. In other words for a couple of days.

You are right about not opening unsolicited e-mail from questionable sources. Also one needs to be careful where he points his browser. And that cool program, smiley or screen saver - don't touch. Works fine for you and me. But some of us have families with kids who don't always practice safe computing on the home PC. I try to keep my home PC as up-to-date and patched as possible. Furthermore, we should try to help those less PC literate to be safe and not have their system compromised.

True, most of these stories get blown out-of-proportion. Yet it is a fact that people get infected with viruses, trojans, worms, and spyware. I know of several personally. You don't?

It's kind of like hurricane preparedness. The prudent one will leave well ahead of the storm. Most of the time his trip will have been for nothing. But every once in a great while, the prudence pays off.
DKB

#41 Post by GomJabbar » Mon Jan 09, 2006 7:02 pm

From ABC News: Security Watch: WMF Crisis Recedes With Patch
ABC News wrote:Our top threat this week is actually the threat that wasn't. A potentially large attack was averted by concerted action.
-------------------------------
The episode of the WMF flaw in Windows may not be over, but the worst may have been averted, as Microsoft issued a patch to close the security hole.
-------------------------------
We have been tracking closely the test results from AV-Test for attacks using the WMF vulnerability. The last numbers we saw before the patch came from Microsoft reflected testing of 206 variants of the attack. These products detected all 206:
-------------------------------
Unfortunately some, including well-known ones, missed quite a few. The following list includes the products that missed a few and the number each respectively missed:
Read article to see if your AV software was up to snuff (at least in regards to the WMF exploit).
DKB

#42 Post by davidspalding » Wed Jan 11, 2006 9:04 am

Don't know if anyone else has noticed this, but the Security Patch for this issue did NOT seem to restore all the graphics rendering doodads that were disabled when un-registering the .DLL.

Days after applying the patch, I've found on 1-2 computers that I had to run the command regsvr32 %windir%\system32\shimgvw.dll to bring back things like drop shadows on desktop fonts, etc. YMMV and the Windows OS being what it is, it probably will.
2668-75U T43, 2GB RAM, 2nd hand NMB kybd, Dock II, spare Mini-Dock, and spare Port Replicators. Wacom BT tablet. Ultrabay 2nd HDD.
2672-KBU X32, 1.5GB RAM, 7200 rpm TravelStar HDD.

#43 Post by GomJabbar » Wed Jan 11, 2006 12:54 pm

I uninstalled the unofficial patch and ran regsvr32 %windir%\system32\shimgvw.dll to restore the .dll in the registry, before I ran Windows Update to get Microsoft's security patch. So far I haven't noticed any problems.
DKB
