
Huge Windows 2000/XP Vulnerability


DonkeyKongerko


http://www.grc.com/sn/notes-020.htm

 

This thing is reportedly pretty nasty and tons of machines are vulnerable. Visiting a website with one bad file on it can infect your machine with tons of spyware even if you don't click on anything. Microsoft isn't releasing a fix for this until next week and it's recommended that you install the WMF patch utility here before then.

 

I also found a video showing how easy it is to get.


QUOTE(DonkeyKongerko @ Jan 3, 2006 -> 04:18 PM)
http://www.grc.com/sn/notes-020.htm

 

This thing is reportedly pretty nasty and tons of machines are vulnerable. Visiting a website with one bad file on it can infect your machine with tons of spyware even if you don't click on anything. Microsoft isn't releasing a fix for this until next week and it's recommended that you install the WMF patch utility here before then.

 

I also found a video showing how easy it is to get.

 

 

wow

 

thanks for the warning

 

:cheers


QUOTE(DonkeyKongerko @ Jan 3, 2006 -> 04:18 PM)
http://www.grc.com/sn/notes-020.htm

 

This thing is reportedly pretty nasty and tons of machines are vulnerable. Visiting a website with one bad file on it can infect your machine with tons of spyware even if you don't click on anything. Microsoft isn't releasing a fix for this until next week and it's recommended that you install the WMF patch utility here before then.

 

I also found a video showing how easy it is to get.

 

From the corporate side this sucks. I am less inclined to install a third party patch on my systems (yes they have published the source but I don't have time to take the binary apart to make sure it's ok), so we have deregistered that dll via a login script and are blocking any wmf or emf files no matter the extension on the web and via email. This however has had another lovely side effect: I am enemy number one, as f***ing with people's image files and how they view them seems to have pissed off my entire company. Deregistering the DLL messes up how you see image files, so it's not a popular thing with our user base. Microsoft has completed the patch, however they are doing extended testing and will release it next Tuesday. At that point those who use WSUS or Microsoft Automatic Updates will get the patch automatically.

 

So far we have seen the infection at my company through the MSN Instant Messenger. People clicking on a link that an anonymous sender sends them. Then basically the same thing happens as in that video.

 

The good news on this is that I was denied a new IPS system, that magically got re-reviewed and approved due to this. Thanks Microsoft for blowing dog.

 

If you want to have a safe browsing environment until the patch comes out, go to vmware.com and download their browser appliance and the vmplayer. It is a free self-contained linux environment that automatically launches a firefox browser and it's all within a 256 meg image file. You can browse without having anything interact with your base OS. It runs under your windows OS.

Edited by southsideirish71

Yeah, the patch has been recommended by the Internet Storm Center and GRC.com so I think any individual can confidently install it. I fully understand how an organization would have its qualms about a 3rd party patch but calling this vulnerability severe is an understatement. This is the first time the ISC has ever recommended installation of a non-Microsoft patch for Windows and they don't hand out recommendations lightly. When MS finally releases theirs, you can always uninstall this one and install Microsoft's then.

 

For those interested, this vulnerability has been around since Windows 3.0, but perhaps ironically, Windows XP/2000/Server are the most vulnerable operating systems because of the Microsoft Image Previewer that pops up (you can see it in the video). Also, a file with any extension like .jpg or .gif can actually be a .wmf file in disguise that Windows will still be able to open so consider yourselves warned.

 

I got a weird IM the other day from someone I don't talk to linking to a random .jpg file. It was before I knew about this WMF vulnerability, but it may have been the same thing. Fortunately, I was using Firefox which was unable to open the image and just displayed a bunch of gibberish.

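The extension-independent blocking southsideirish71 describes and the disguised-.jpg warning above come down to the same check: identify a WMF or EMF file by its header bytes, not by its filename. The following is an added illustration of that check, not the thread's patch utility or the login script mentioned above; the header constants are the documented placeable-WMF key and EMF signature, and the sample files are constructed header stubs.

```python
"""Content-based WMF/EMF sniffer for a mail or web gateway.  It decides by
header bytes only and ignores the file extension entirely."""
import struct
from typing import Optional

PLACEABLE_WMF_KEY = 0x9AC6CDD7   # Aldus placeable metafile key (little-endian DWORD)
ENHMETA_SIGNATURE = 0x464D4520   # " EMF" in the ENHMETAHEADER at byte offset 40


def sniff_metafile(data: bytes) -> Optional[str]:
    """Return 'wmf', 'emf' or None from the leading bytes of a file."""
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_WMF_KEY:
        return "wmf"
    if len(data) >= 6:
        # Standard METAHEADER: mtType 1 (memory) or 2 (disk), mtHeaderSize 9 words,
        # mtVersion 0x0100 or 0x0300.
        mt_type, hdr_size, version = struct.unpack_from("<HHH", data, 0)
        if mt_type in (1, 2) and hdr_size == 9 and version in (0x0100, 0x0300):
            return "wmf"
    if len(data) >= 44:
        rec_type = struct.unpack_from("<I", data, 0)[0]      # EMR_HEADER is type 1
        signature = struct.unpack_from("<I", data, 40)[0]
        if rec_type == 1 and signature == ENHMETA_SIGNATURE:
            return "emf"
    return None


def filter_decision(filename: str, data: bytes) -> str:
    """The policy from the thread: block metafiles whatever the extension says."""
    kind = sniff_metafile(data)
    if kind:
        return f"BLOCK {filename}: content is a {kind.upper()} metafile"
    return f"ALLOW {filename}"


# Constructed samples (header stubs only, no drawing records; not real malware).
SAMPLES = {
    # A placeable WMF header served under a .jpg name, as the thread warns about.
    "photo.jpg": struct.pack("<I", PLACEABLE_WMF_KEY) + bytes(18),
    # Standard (non-placeable) WMF: disk type, 9-word header, version 3.0.
    "chart.gif": struct.pack("<HHH", 2, 9, 0x0300) + bytes(12),
    # EMF: EMR_HEADER type 1, size 108, signature at offset 40.
    "logo.emf": struct.pack("<II", 1, 108) + bytes(32) + struct.pack("<I", ENHMETA_SIGNATURE),
    # A genuine JPEG (SOI + APP0 marker) passes through untouched.
    "real.jpg": b"\xff\xd8\xff\xe0" + bytes(20),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(filter_decision(name, blob))
```

Like the admin's own filter, this blocks every metafile, benign ones included, which is exactly the usability cost the post complains about.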

QUOTE(Kid Gleason @ Jan 4, 2006 -> 07:20 PM)
The patch seems to be an .exe file that you double click on, it installs, and then restarts your computer. I haven't found where the thing is so that I would need to do anything more with it. I'm still looking though...

 

The patch has been examined by a number of security experts. That's the only reason I felt confident enough to run it. You shouldn't need to do anything else after you restart to be safe.


Yeah, I bounced around my computer, tried another install, it said it was already there and nothing else needed to be done. Thanks!

 

Sad thing is that I forwarded all the info to my company headquarters, and they tell me that they would rather kill all internet use instead of using this patch. :headshake So we have all been told to stay away from the 'net. Our main comp. guy is out of town and in his place is a bit of an...ummm...yeah...so we just wait for the main guy to get back.

Edited by Kid Gleason

I have faith in my Norton Anti-Virus. If it blocks a virus, the damn thing goes crazy for hours until I finally install the live updates, because it cannot do it itself due to the virus. So, no virus is getting in my computer.

 

That video is stupid; why would you go to a site knowing it will give you spyware :rolly


QUOTE(Random @ Jan 5, 2006 -> 12:48 PM)
I have faith in my Norton Anti-Virus. If it blocks a virus, the damn thing goes crazy for hours until I finally install the live updates, because it cannot do it itself due to the virus. So, no virus is getting in my computer.

 

That video is stupid; why would you go to a site knowing it will give you spyware :rolly

 

Your assessment of "I have anti-virus therefore no harm can happen to me" is short sighted and a good way your machine becomes a b**** of the botnets on the internet.

 

Your anti-virus engine scans memory and your systems for "known" pieces of malware. However someone crafting something that isn't "known" can get into your system. The WMF vulnerability is known, however techniques to exploit that in a code base are not known. As they are coming out the antivirus industry is doing a great job of "reacting" to this, however anti-virus does not equal "protection" for your computer.

 

And that video is not stupid. Actually it's a great video because it shows what a possible infection can look like. It shows you a person getting exploited on a website. With ad rotation and misdirected URLs, are you absolutely positive that you are not going to get a piece of adware/malware dropped down on your system? You can surf and hit a very respectable website which sells ad space on its pages that drops cookies down on your system. These cookies can assist logic on the webpage or partner ad site to redirect your "popups" and ads.

 

 

DonkeyKongerko:

I have installed the patch on a test system and took a look at what it does to the system, registry and files. It looks relatively safe. I still won't install it at my work, because the idea of deploying this via 5000 PCs without WSUS is not worth the risk. So far so good with the mitigation.

Edited by southsideirish71

The official patch is out

 

If you have automatic updates it should come down. But going to http://windowsupdate.microsoft.com and updating your system manually is the best bet.

 

If you want to get the patches directly, hit the Microsoft site below.

 

Microsoft releases the patch

 

At least Mr. Bill finally figured out that when you are trumping your new OS Vista at CES it's probably not a good idea to have a huge hole in your existing OS and then try to trump the next version as uber secure. Just as they did with the last few versions of their OS.


QUOTE(Random @ Jan 5, 2006 -> 12:48 PM)
I have faith in my Norton Anti-Virus. If it blocks a virus, the damn thing goes crazy for hours until I finally install the live updates, because it cannot do it itself due to the virus. So, no virus is getting in my computer.

 

That video is stupid; why would you go to a site knowing it will give you spyware :rolly

 

 

Norton is crap, they invent their own viruses. This may not apply to you, but it's happened to both me and my friends. If your update subscription or trial is up and you don't reup, don't be surprised when trojan horses magically appear on your computer. I'm very happy with AVG: free program, free updates, and it fixed the mess that Norton couldn't even find (which my conspiracy theory tells me they caused).


QUOTE(3 BeWareTheNewSox 5 @ Jan 6, 2006 -> 01:58 AM)
Norton is crap, they invent their own viruses. This may not apply to you, but it's happened to both me and my friends. If your update subscription or trial is up and you don't reup, don't be surprised when trojan horses magically appear on your computer. I'm very happy with AVG: free program, free updates, and it fixed the mess that Norton couldn't even find (which my conspiracy theory tells me they caused).

My Norton is set to expire on the 17th so I have to renew ASAP.
