Free Republic
News/Activism

WMF (Windows meta file) exploit
The SANS Institute | January 2, 2005 | Various

Posted on 01/02/2006 5:07:56 AM PST by KeyWest

Looking forward to the week ahead, I find myself in the very peculiar position of having to say something that I don't believe has ever been said here in the Handler's diary before: "Please, trust us."

I've written more than a few diaries, and I've often been silly or said funny things, but now, I'm being as straightforward and honest as I can possibly be: the Microsoft WMF vulnerability is bad. It is very, very bad.

(Excerpt) Read more at isc.sans.org ...


TOPICS: Miscellaneous; News/Current Events; Technical
KEYWORDS: backdoor; exploit; getamac; internetexploiter; lookoutexpress; lowqualitycrap; microsoft; securityflaw; trojan; trojans; virus; virusbait; windows; wmf
This is from just one of the articles at the link. If you go to some of the anti-virus sites they say they have the problem in hand, but SANS disagrees. The info is fairly straightforward.

In essence, if you are using MSIE you are particularly vulnerable. Firefox and Moz give an intermediate step that can protect you if you know about the exploit, but most people do not and will open the "picture".

I have been around since 1998, and post infrequently, but this is a potential major problem. There has been one other post on the problem, but few saw it.

1 posted on 01/02/2006 5:07:56 AM PST by KeyWest
[ Post Reply | Private Reply | View Replies]

To: Admin Moderator
Moderator- OK, did something wrong to get the 404, but the links do work. Help!
2 posted on 01/02/2006 5:11:34 AM PST by KeyWest (Help stamp out taglines!)
[ Post Reply | Private Reply | To 1 | View Replies]

To: KeyWest

Foxnews.com had a story about this yesterday, I sent the link to my friends and family.

http://www.foxnews.com/story/0,2933,180244,00.html

You're right, this one is gonna be a major problem until they get a patch issued.

Don't you love MS development strategy? "Get it to market first, then finish programming."


3 posted on 01/02/2006 5:12:17 AM PST by wvobiwan (It's OUR Net! If you don't like it keep your stanky routers off it!)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Admin Moderator

OK. I see it was the link to FR that showed up as a 404 and now works.


4 posted on 01/02/2006 5:13:07 AM PST by KeyWest (Help stamp out taglines!)
[ Post Reply | Private Reply | To 2 | View Replies]

To: Admin Moderator

Please change the date - it was not a year ago...

As I said, I post infrequently... :)


5 posted on 01/02/2006 5:16:10 AM PST by KeyWest (Help stamp out taglines!)
[ Post Reply | Private Reply | To 2 | View Replies]

To: KeyWest
I have been around since 1998, and post infrequently, but this is a potential major problem.

Shoot, fella- I know you-- haven't "talked" to you for a while, but you go back farther on this site than I do... you're an Oldtimer.

I have some links handy ( rummaging around old files hastily )...

John's Note:

I tried this-- seems OK on Win 2K:

Here's an update to the unofficial fix posted above. The folks at sans.org have taken the patch apart and modified it to work on WIN2K systems. It's running on my system with no apparent ill effects. I'll be patching the other computers in the house shortly.

----------------------------------------------------------------------------------------

New exploit released for the WMF vulnerability - YELLOW (NEW)

Sites exploit Windows image flaw (New attacks for pc users)

Windows Security Flaw Is 'Severe'

For video players that can handle other formats, give your friends these links -

www.videolan.org

www.divx.com

Subnote: V-lan works fine on my home machines- others I know swear it "hosed my codecs"- so be advised I provide that and other links on a "use with caution" basis.

6 posted on 01/02/2006 5:27:31 AM PST by backhoe (-30-)
[ Post Reply | Private Reply | To 1 | View Replies]

To: backhoe; KeyWest

Thanks for the heads up. Once again this proves the worth of Free Republic and its posters.

I wouldn't know sans.org from Adam's housecat.


7 posted on 01/02/2006 5:36:40 AM PST by A.Hun (Democrats suck worse than ice storms.)
[ Post Reply | Private Reply | To 6 | View Replies]

To: backhoe; KeyWest

Amazing. This post has been up for almost an hour, and we haven't had anyone post "Free Republic isn't a computer forum, blah, blah, blah..."


8 posted on 01/02/2006 5:53:10 AM PST by Born Conservative (Chronic Positivity: http://www.livejournal.com/users/jsher/)
[ Post Reply | Private Reply | To 6 | View Replies]

To: A.Hun
I wouldn't know sans.org from Adam's housecat.

My late Mom's favorite variant of that was "wouldn't know him from a load of coal." (She grew up in coal country.)

9 posted on 01/02/2006 5:53:46 AM PST by backhoe (-30-)
[ Post Reply | Private Reply | To 7 | View Replies]

To: ShadowAce

Ping


10 posted on 01/02/2006 5:54:00 AM PST by Born Conservative (Chronic Positivity: http://www.livejournal.com/users/jsher/)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Born Conservative
Amazing. This post has been up for almost an hour, and we haven't had anyone post "Free Republic isn't a computer forum, blah, blah, blah..."

Not surprisingly (since we have so many people from different backgrounds), some of the best and fastest computer advice I have gotten has been right here.

There are some very good computer forums- Geeks to Go, VirtualDr, and others- but we're pretty durn good, too.

11 posted on 01/02/2006 5:56:51 AM PST by backhoe (-30-)
[ Post Reply | Private Reply | To 8 | View Replies]

To: backhoe; KeyWest

Well, thank you both for the background. Not being in IT, it is hard to know who or what to trust. I downloaded the patch with (seemingly) no ill effects.

What is it with mother's sayings? That one is straight from mine's lips! LOL


12 posted on 01/02/2006 6:02:26 AM PST by A.Hun (Democrats suck worse than ice storms.)
[ Post Reply | Private Reply | To 9 | View Replies]

To: Born Conservative
This post has been up for almost an hour, and we haven't had anyone post "Free Republic isn't a computer forum

They know they'd get their asses handed to them. ;-)

13 posted on 01/02/2006 6:10:13 AM PST by an amused spectator (Bush Runner! The Donkey is after you! Bush Runner! When he catches you, you're through!)
[ Post Reply | Private Reply | To 8 | View Replies]

To: A.Hun
Not being in IT, it is hard to know who or what to trust. I downloaded the patch with (seemingly) no ill effects.

I'm going to think about it for a while before I do anything with it.

The unofficial patch seems to revolve around the desire to show images whilst Netting. I've de-registered, and I'm only allowing images from the originating site (FireFox). I'm thinking about disallowing images totally, until the official patch comes out, but who knows how long Redmond is going to take.

14 posted on 01/02/2006 6:14:32 AM PST by an amused spectator (Bush Runner! The Donkey is after you! Bush Runner! When he catches you, you're through!)
[ Post Reply | Private Reply | To 12 | View Replies]

To: KeyWest

Looks like some EXCELLENT info, KW.


15 posted on 01/02/2006 6:15:24 AM PST by an amused spectator (Bush Runner! The Donkey is after you! Bush Runner! When he catches you, you're through!)
[ Post Reply | Private Reply | To 1 | View Replies]

To: wvobiwan
Don't you love MS development strategy? "Get it to market first, then finish programming."

I've been in the software development business for over 20 years. Trust me, MS is not the only company that this applies to.

But you are never really "finished programming". And at some point, you have to release or you will never get a product out the door.

If everything released was "finished", wouldn't everything be at version 1.0 - heck, version numbers wouldn't even be necessary.

Is Linux "finished"? Oracle? etc. etc.

I'm not trying to absolve MS, but I don't hold them up to any higher standard than I would any other company because I've been on the other side of things, and there is NO major piece of software out there that is perfectly written.

But you'd think so if you read the various anti-MS blogs - you find all of the perfect programmers there who never have written code with a bug in their lives. :-)

16 posted on 01/02/2006 6:21:55 AM PST by Mannaggia l'America
[ Post Reply | Private Reply | To 3 | View Replies]

To: KeyWest

bump


17 posted on 01/02/2006 6:23:36 AM PST by satchmodog9 (Most people stand on the tracks and never even hear the train coming)
[ Post Reply | Private Reply | To 1 | View Replies]

To: KeyWest

Thanks Bump


18 posted on 01/02/2006 6:32:28 AM PST by irishfest
[ Post Reply | Private Reply | To 1 | View Replies]

To: KeyWest

Thank you. Fix seems to be running okay.


19 posted on 01/02/2006 6:56:36 AM PST by Woodstock
[ Post Reply | Private Reply | To 1 | View Replies]

To: KeyWest
From the linked article: "...Publishing exploit code such as this for an unpatched vulnerability on a holiday weekend is, without any doubt, a totally irresponsible act..."

This struck me as kind of a stupid thing to say. As if the people who distribute these damned things give a crap about whether it is going to deleteriously impact their victims!

That aside, I appreciate the work that was done by these people on a holiday weekend to fight it. I just thought that comment was naive and silly.
20 posted on 01/02/2006 7:22:43 AM PST by rlmorel ("Innocence seldom utters outraged shrieks. Guilt does." Whittaker Chambers)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Born Conservative

Dang. You mean it ISN'T a computer forum?


21 posted on 01/02/2006 7:23:31 AM PST by rlmorel ("Innocence seldom utters outraged shrieks. Guilt does." Whittaker Chambers)
[ Post Reply | Private Reply | To 8 | View Replies]

To: rlmorel
>You mean it ISN'T a computer forum?

Well, if Forbin can
cut the Colossus links to
Guardian we can

get back to chatting
about news and politics.
Till then, it's tech stuff . . .

22 posted on 01/02/2006 7:29:22 AM PST by theFIRMbss
[ Post Reply | Private Reply | To 21 | View Replies]

To: wvobiwan
Don't you love MS development strategy? "Get it to market first, then finish programming."

What a naive comment. EVERY company releases software before it is finished: name one that doesn't.

No one who programs can say that their software is complete and bug-free. Hell, even if it's just 1 line of code you still can't be certain due to the code that runs under yours.

Program a little, put it in production, and see how much crap people find: it is truly astonishing. Do it without a profit motive and they will actually find more because you aren't as careful.

23 posted on 01/02/2006 7:48:01 AM PST by wireplay
[ Post Reply | Private Reply | To 3 | View Replies]

To: theFIRMbss

LOL!!!!


24 posted on 01/02/2006 8:18:56 AM PST by rlmorel ("Innocence seldom utters outraged shrieks. Guilt does." Whittaker Chambers)
[ Post Reply | Private Reply | To 22 | View Replies]

To: wireplay

I don't code, but I see lots of parallels to confirm the truth in that.

Humans (we) are monkeys with typewriters. If you want something broke or exploited, release it to the masses. As sure as God made little green apples, it is going to break.

I don't necessarily hold it against MS or Apple when they release an OS update and something doesn't work. That happens. I hold it against them when they don't fix it ASAP when it is discovered.

I am much more critical of software companies...they have a more focused approach, and testing can be much more rigorous. Their products should be cleaner and more functional on first releases, IMHO.


25 posted on 01/02/2006 8:24:20 AM PST by rlmorel ("Innocence seldom utters outraged shrieks. Guilt does." Whittaker Chambers)
[ Post Reply | Private Reply | To 23 | View Replies]

To: backhoe
I agree; this is a great place for computer advice.

Here is an example of someone complaining about using FR for computer help.

26 posted on 01/02/2006 8:37:27 AM PST by Born Conservative (Chronic Positivity: http://www.livejournal.com/users/jsher/)
[ Post Reply | Private Reply | To 11 | View Replies]

To: Born Conservative

I actually got more answers, faster, here than on VirtualDr a couple of years ago- we have around 233,000 members now, but even then, with so many different people, professions, hobbies, etc., you can get just about any question answered, or get pointed in the right direction.


27 posted on 01/02/2006 8:43:35 AM PST by backhoe (-30-)
[ Post Reply | Private Reply | To 26 | View Replies]

To: wvobiwan
Don't you love MS development strategy? "Get it to market first, then finish programming."

I suspect it's worse than that. Probably something more like: "Start coding, we'll design it later."

28 posted on 01/02/2006 10:31:02 AM PST by El Gato (The Second Amendment is the Reset Button of the U.S. Constitution)
[ Post Reply | Private Reply | To 3 | View Replies]

Bump


29 posted on 01/02/2006 11:35:58 AM PST by csvset
[ Post Reply | Private Reply | To 1 | View Replies]

To: rlmorel

You don't necessarily know what the issue is when a problem is discovered. I once spent 2 days tracking down a misplaced semicolon. You can bet the MS coders are poring through it, but even when you find it, you have to assess the impact on the other code for a fix. People act as if there is a behemoth behind all of this, but my guess is that the load falls on a small number of coders to get it isolated and corrected.

Microsoft tests their code base on more than 10,000 software configurations and probably has a better QA department than any other software firm. That said, things get through. QA tests are only as good as who made the tests and they don't predict the real world use.

Imagine a machine where there are 200 million moving parts. You can work your tail off to isolate all possible failures, but it is a bitch to get it 100% correct. Sure, we all want more stable software products, but get into the code side and see how complex these things are. You have to realize that software is THE most complex thing ever created by human beings, and we are certainly not perfect.

Personally, I am surprised that Windows and its programs work as well as they do. I give Microsoft credit for making the best software available...period.


30 posted on 01/02/2006 4:33:29 PM PST by wireplay
[ Post Reply | Private Reply | To 25 | View Replies]

To: wireplay

I kind of give them credit for that as well. To put out releases that don't break hardware and software is a real feat.


31 posted on 01/02/2006 6:18:24 PM PST by rlmorel ("Innocence seldom utters outraged shrieks. Guilt does." Whittaker Chambers)
[ Post Reply | Private Reply | To 30 | View Replies]

To: rlmorel

I saw their next O/S (Vista) in alpha mode running a 1985ish program at the last TechEd. They really strive to make things work in today's world but not break what runs yesteryear. That takes feats of programming. As a coder, I respect that level of effort.


32 posted on 01/02/2006 6:24:31 PM PST by wireplay
[ Post Reply | Private Reply | To 31 | View Replies]

To: rlmorel
This struck me as kind of a stupid thing to say. As if the people who distribute these damned things give a crap about whether it is going to deleteriously impact their victims!

Dude, the people who PUBLISHED the "new and improved" version are supposed to be on OUR side. Or at least they CLAIM to be.

I have to agree with the author. What a bonehead move on somebody's part.

33 posted on 01/02/2006 8:22:40 PM PST by an amused spectator (Bush Runner! The Donkey is after you! Bush Runner! When he catches you, you're through!)
[ Post Reply | Private Reply | To 20 | View Replies]

To: Born Conservative

Yeah - but al baby put him in his place...


34 posted on 01/02/2006 8:25:10 PM PST by an amused spectator (Bush Runner! The Donkey is after you! Bush Runner! When he catches you, you're through!)
[ Post Reply | Private Reply | To 26 | View Replies]

To: wireplay
I once spent 2 days tracking down a misplaced semicolon.

Ain't it the truth?

What's worse is when you read the code, and your MIND sticks the semicolon in there...

That's usually another several hours, depending on how computer-melted your brain is by that time.

35 posted on 01/02/2006 8:29:36 PM PST by an amused spectator (Bush Runner! The Donkey is after you! Bush Runner! When he catches you, you're through!)
[ Post Reply | Private Reply | To 30 | View Replies]

To: KeyWest
In essence, if you are using MSIE you are particularly vulnerable.

(C) 1998. All Rights Reserved.

36 posted on 01/02/2006 8:33:41 PM PST by ReignOfError
[ Post Reply | Private Reply | To 1 | View Replies]

To: wireplay
Imagine a machine where there are 200 million moving parts.

If you have a machine with 200 million moving parts, the engineers aren't just addressing the problem. The engineers are the problem.

Personally, I am surprised that Windows and its programs work as well as they do. I give Microsoft credit for making the best software available...period.

Except for all the others.

37 posted on 01/02/2006 8:37:57 PM PST by ReignOfError
[ Post Reply | Private Reply | To 30 | View Replies]

To: KeyWest

I don't seem to see anything telling what the symptoms are.


38 posted on 01/02/2006 8:38:07 PM PST by BlessedBeGod (Benedict XVI = Terminator IV)
[ Post Reply | Private Reply | To 1 | View Replies]

To: KeyWest
I am so amazed that it works as well as it does, that I don't have any complaint if it messes up a little. We are in the beginning of understanding a technology that will ultimately prove itself smarter than all of us.
39 posted on 01/02/2006 8:40:17 PM PST by Bonafide (Everything is Simple When You Understand It!)
[ Post Reply | Private Reply | To 1 | View Replies]

To: BlessedBeGod
I don't seem to see anything telling what the symptoms are.

It's not a virus it's an exploit. A means of gaining access to your computer. A malicious person can do *anything* he wants using this exploit.

It looks pretty serious. I would suggest at the very least performing the Microsoft workaround mentioned on the various sites linked here.

Otherwise, I would suggest you not continue reading FR, since any hack DU clown could post a malicious image in a thread here and you are done.

As I understand it, anyway.

40 posted on 01/02/2006 9:03:12 PM PST by Royal Wulff
[ Post Reply | Private Reply | To 38 | View Replies]

To: BlessedBeGod
Potential new unpatched IE exploit? ~ Yes... may affect other browsers also...

Some screen shots here on this FR post.

41 posted on 01/02/2006 9:09:24 PM PST by an amused spectator (Bush Runner! The Donkey is after you! Bush Runner! When he catches you, you're through!)
[ Post Reply | Private Reply | To 38 | View Replies]

To: Royal Wulff
I have my Firefox configured to load images for the originating website only [two checked boxes in FF Tools].

Dulls the entire FR experience, but Safety Pup says...

42 posted on 01/02/2006 9:11:39 PM PST by an amused spectator (Bush Runner! The Donkey is after you! Bush Runner! When he catches you, you're through!)
[ Post Reply | Private Reply | To 40 | View Replies]

To: an amused spectator

I was referring to the comment in the article about the "irresponsibility" of the person(s) who wrote the virus and released it into the wild on a holiday weekend. The people writing the fix, or those of us who may have to get this fixed, know that referring to people who write viruses as irresponsible is just plain wrong. Irresponsible indicates a capacity for responsibility, and those people are defined simply by the lack of it.


43 posted on 01/03/2006 2:03:43 AM PST by rlmorel ("Innocence seldom utters outraged shrieks. Guilt does." Whittaker Chambers)
[ Post Reply | Private Reply | To 33 | View Replies]

To: Royal Wulff

Thanks for your help!


44 posted on 01/03/2006 3:23:05 AM PST by BlessedBeGod (Benedict XVI = Terminator IV)
[ Post Reply | Private Reply | To 40 | View Replies]

To: an amused spectator

Thanks for your help! I deregistered the .dll and increased my internet security in IE to high.


45 posted on 01/03/2006 3:24:09 AM PST by BlessedBeGod (Benedict XVI = Terminator IV)
[ Post Reply | Private Reply | To 41 | View Replies]

To: Royal Wulff
It's not a virus it's an exploit. A means of gaining access to your computer. A malicious person can do *anything* he wants using this exploit.

If I may venture an analogy, it's like discovering that you can't lock your doors. The point isn't to dust for prints or inventory what's missing; it's to tighten up before someone strolls in.

46 posted on 01/03/2006 10:37:05 AM PST by ReignOfError
[ Post Reply | Private Reply | To 40 | View Replies]

To: KeyWest

As mentioned before, this is an exploit and not a virus. It is a backdoor way into your computer. WMF (Windows meta files) are pictures that can execute programs. This is similar to the problem of Windows Word DOC files that can execute macros or Outlook email messages that can execute scripts.

A malicious person can do all sorts of nasty things to your PC like formatting your C drive or simply using it to distribute child pornography via "zombie" bots. Most of those denial of service attacks on Google and Amazon come from compromised PCs. An enterprising individual can compromise and gain control of thousands of PCs. Imagine what you could do with a thousand PCs under your remote control.

You can access a WMF file via your browser or via an email message. There was a report of a contamination on a "trusted" website, so there is a significant risk.

Steve Gibson's website www.grc.com has a lot on exploits including this one.


47 posted on 01/03/2006 7:45:23 PM PST by IpaqMan
[ Post Reply | Private Reply | To 1 | View Replies]
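Post 47 above describes WMF files as pictures that can carry executable content and says they arrive through the browser or by email. As an added example (not code from the thread, the SANS diary or any product named here), the following Python recognises WMF data by its header rather than its file extension and lists the record types it contains, so a mail or proxy filter can hold WMF content for review; the choice to flag Escape records is an assumption of this example, not something the thread specifies, and the sample files are constructed.

```python
"""WMF identification by content plus a record walk (added example, not from
the thread or the SANS diary). Function codes are from the WMF spec; the
sample files below are constructed for the demonstration."""
import struct

PLACEABLE_KEY = 0x9AC6CDD7   # Aldus placeable header key, bytes D7 CD C6 9A
META_EOF = 0x0000
META_SETMAPMODE = 0x0103
META_RECTANGLE = 0x041B
META_ESCAPE = 0x0626         # Escape record: passes data to the GDI driver layer

def parse_wmf(data: bytes) -> dict:
    """Summarise a WMF byte string; raise ValueError if it is not well-formed WMF."""
    pos = 0
    placeable = False
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        placeable = True
        pos = 22                                   # placeable header is 22 bytes
    if len(data) < pos + 18:
        raise ValueError("too short for a METAHEADER")
    mt_type, header_words, version = struct.unpack_from("<HHH", data, pos)
    # mtType is 1 (memory) or 2 (disk); mtHeaderSize is always 9 words
    if mt_type not in (1, 2) or header_words != 9 or version not in (0x0100, 0x0300):
        raise ValueError("not a WMF METAHEADER")
    pos += 18
    functions = []
    saw_eof = False
    while pos + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, pos)
        end = pos + size_words * 2                 # RecordSize counts 16-bit words
        if size_words < 3 or end > len(data):
            raise ValueError(f"bad record size at byte offset {pos}")
        functions.append(func)
        pos = end
        if func == META_EOF:
            saw_eof = True
            break
    if not saw_eof:
        raise ValueError("record list has no EOF record")
    return {
        "placeable": placeable,
        "version": version,
        "record_count": len(functions),
        "functions": functions,
        "has_escape": META_ESCAPE in functions,   # records a filter would hold for review
    }

def is_wmf(data: bytes) -> bool:
    """Content sniff for a filter that must not trust the file extension."""
    try:
        parse_wmf(data)
        return True
    except ValueError:
        return False

def _record(func: int, *params: int) -> bytes:
    """One WMF record: DWORD size in words, WORD function code, WORD parameters."""
    return struct.pack("<IH", 3 + len(params), func) + struct.pack(f"<{len(params)}H", *params)

def _build_wmf(records: list, placeable: bool = False) -> bytes:
    """Constructed WMF: METAHEADER (plus optional placeable header) and records."""
    body = b"".join(records)
    max_record = max(struct.unpack_from("<I", r)[0] for r in records)
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, max_record, 0)
    if placeable:
        pre = struct.pack("<IHhhhhHI", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0)
        checksum = 0
        for word in struct.unpack("<10H", pre):    # checksum is the XOR of the 10 words
            checksum ^= word
        header = pre + struct.pack("<H", checksum) + header
    return header + body

BENIGN_WMF = _build_wmf([_record(META_SETMAPMODE, 8),
                         _record(META_RECTANGLE, 50, 50, 10, 10),
                         _record(META_EOF)], placeable=True)
ESCAPE_WMF = _build_wmf([_record(META_SETMAPMODE, 8),
                         _record(META_ESCAPE, 0, 0),      # two filler parameter words
                         _record(META_EOF)])
NOT_WMF = b"\x89PNG\r\n\x1a\n" + b"\x00" * 40             # PNG-like bytes, not WMF
```

A filter built on this would sniff every image attachment or proxied response with `is_wmf` and hold anything whose summary reports `has_escape`, instead of relying on the `.wmf` extension.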

To: BlessedBeGod

As mentioned on another site, a malicious program may be able to re-register that DLL or even a normal application may re-register that DLL in regular activities. There is a lot of criticism of that "workaround".

BTW, changing IE's security higher will not stop this exploit. Turning off the viewing of images will stop it temporarily.


48 posted on 01/03/2006 7:49:06 PM PST by IpaqMan
[ Post Reply | Private Reply | To 45 | View Replies]

To: IpaqMan

Thanks for the additional info. This is scary.


49 posted on 01/03/2006 9:20:11 PM PST by BlessedBeGod (Benedict XVI = Terminator IV)
[ Post Reply | Private Reply | To 48 | View Replies]

To: IpaqMan
People think that the most horrible thing about being hacked is that a Hijacker could format their harddrive or make their current system unstable. That is probably the best case scenario.

The worst case would be that they hacked a person's system and stayed hidden for well over a year.

My hacker stayed hidden and stole a wealth of information from me, my family and everyone that used my computer; like the social security numbers and address information from me and others. I had programs that were from 01, 02, and 03 that did not need to be added, but I added them anyway because of my new computer and for the reason that, sometimes, programs would not work correctly if they did not have the previous programs to build on. These programs were not used by me after the new install, but a hacker had changed a blue and red background to an icky gray and yellow (with a strange smiley face), and someone added my most personal information that I thought nobody knew to those never-used programs.

My opinion is that some people are having problems with the workaround because their system has already been compromised by the newest exploit or most likely a previous one.

I found out in January 05 that I had been hacked and my hacker had been with me for well over a year.

Perhaps the hacker is able to "workaround" because they are able to edit the Windows Registry. My hacker was sophisticated enough to disable Microsoft's system pack 2 (installed on a fresh format), Zone Alarm Pro, Norton Internet Security, Spyware Doctor, a SOHO fire box (external firewall) and the Linksys router.

The hacker was able to make registry changes to all of those software programs so that it looked like they were working, but the machine was basically told to ignore all threats. The 2nd Edition updates were basically written to interpret the same thing; it was installed on my machine and I could go to the security center, but could not make any changes, and if I clicked on start/right-click on my computer and properties and went to general information, it would show that I was running service pack 1. If my security software (Zone Alarm, Norton, SpywareDR) were to find a virus/infection, they were told to run once and ignore, and if I were to apply updates, they were told to ignore those as well.

My lesson out of all of this was that if you were having problems with windows and added a program to help get rid of a virus/infection, you could be at risk!

(1) Run in safe mode and find out how many accounts (administrator) there are and make sure all of them are for you. If you cannot get into an administrator account, you may have a problem, and treat it as such.

(2) If you are on a router (Linksys for me), go and change the password. Be especially aware of the address bar after you change the password and push the submit button: if you can see the administrative name and password you just typed in the address bar (mine went to a mozilla account), you have a hacker and a grave threat.

(3) If you have Microsoft home edition, you have full or no powers (not good because you can only run programs if you are an administrator), and if you have Microsoft Pro and have no idea how to use it you are at an even graver imposition. Do not misunderstand me here, I believe that Microsoft Pro would be the best choice, but you better know how to use it or the hackers will use it against you. I do not have a choice and must use windows for my programs and am installing Pro on 2 other computers (previously home edition), as there are more powers and it is better for security matters if I update to Pro for my computers that were running home before.


With Pro, you can make power users, which have more power than limited-users and can actually do a lot of work, if you have ever tried a limited user account then you know what I mean; and home edition users do not have any choices other than limited and administrative account privileges.

I want to give you a place to go. It is really for people running XP Pro, but will be a little bit helpful for people using Home Edition: it is LabMice. This is not my site, nor am I connected with it in any way. It works on basic security principles and was information that has proved helpful for me.
50 posted on 01/04/2006 12:20:51 AM PST by GeorgiaBushie (Undocumented freeper//)
[ Post Reply | Private Reply | To 48 | View Replies]
