Posted on 01/02/2006 9:57:45 AM PST by emiller
Quick Background:
The active exploitation of a very serious vulnerability in all versions of Windows was discovered in late December.
Word of this spread rapidly through the hacker community, many of whom were presumably on holiday vacation from school, bored, and looking for something to do.
So several days later nearly one hundred different instances of exploitation of this newly discovered vulnerability had been found.
Note that this is not a "new vulnerability": it (and perhaps other similar bugs) has been lying unknown in Windows since 1991. What's "new" is the discovery of this long-present vulnerability in Windows' metafile processing.
Almost immediately there were reports of an MSN Messenger worm, and now F-Secure is reporting that "Happy New Year" SPAM eMail is carrying the exploit.
Anti-Virus vendors quickly updated and began pushing out their A-V signature files. This has been effective, but a new, very flexible exploit generation tool has appeared that's able to create so many different variations of the exploit that A-V signatures are being bypassed.
Microsoft responded with an acknowledgement of the problem and a very weak workaround (the shimgvw.dll unregistration). But this is not
(Excerpt) Read more at grc.com ...
Thanks for the link; I'd not heard of Gibson before. Sorry it took all of four posts before the flamebait from Mac users came out.
Check to see if you even have the shimgvw.dll (Windows Picture and Fax Viewer Library) on your system. My two Windows 98 systems do not.
As I suspected, the wmf_checker_hexblog.exe file (which you'll find if you go to the linked article) reported that my Win98 systems are not susceptible to this exploit.
Here's a link to the file:
Download Ilfak's WMF Vulnerability Checker (3.6 kb)
ping to self
Thank you. The GRC site says that windows 98 is affected. The test says it is not.
Whatever program views WMF files in Win98 may still be vulnerable. It may be that these security companies are just ignoring telling us the details for Windows 98. Windows 98 is mentioned as being vulnerable in several places. I just can't find any details about it. Here is one link which lists all of the vulnerable operating systems.
http://www.securityfocus.com/bid/16074/info
No patch for Windows 98, 98 SE or ME.
grc.com is a highly recommended site.
"Gibson Research is more trustworthy than Microsoft on security issues."
LOL! I must agree.
Yes, but GRC lists win98 as vulnerable and then gives no details as to how. So how smart are they? It obviously is not vulnerable through the same DLL because win98 does not have that DLL. So why is GRC ignoring at least giving the details about windows 98?
According to my W98 help file, it uses "Kodak Imaging".
Note: Users of MSIE appear to be the most at risk. This Secunia Advisory states:
The vulnerability can also be exploited automatically when a user visits a malicious web site using Microsoft Internet Explorer.
This F-Secure advisory states:
Note that you can get infected if you visit a web site that has an image file containing the exploit. Internet Explorer users might automatically get infected. Firefox users can get infected if they decide to run or download the image file.
In our tests (under XP SP2) older versions of Firefox (1.0.4) defaulted to open WMF files with "Windows Picture and Fax Viewer", which is vulnerable. Newer versions (1.5) defaulted to open them with Windows Media Player, which is not vulnerable...but then again, Windows Media Player is not able to show WMF files at all, so this might be a bug in Firefox. Opera 8.51 defaults to open WMF files with "Windows Picture and Fax Viewer" too. However, all versions of Firefox and Opera prompt the user first.
So, it would appear that using Firefox, Mozilla, or Opera would be an effective first line of defense against this exploit.
"...and btw mac's do have plenty of virus's out there..."
I have to respectfully disagree.
I am an inveterate Mac user (since 1985), web surfer and downloader. I do not run antivirus software. I have never had a virus on my Mac or had to work on a Mac that had a virus, except for once back in 1993, I think.
I am a systems admin and provide primary/secondary desktop support for approximately 200 PCs, and I can tell you that viruses/spyware/trojans are the biggest problem by far, bar none. They take up the vast majority of non-install/move types of issues.
We have around 20-30 Mac users and I have found the antivirus software to be more detrimental to the systems than ANYTHING else.
I am no Mac zealot (people ask me what kind of system to buy, and if it suits their needs I tell them to buy a PC), but there are nearly zero viruses out there in the wild infecting Macs. Are there vulnerabilities? Of course there are; every OS has them, even Linux (ESPECIALLY Linux in the hands of a novice).
It is kind of comical in a perverse kind of way, the twisted mindset of the morons that distribute this kind of thing.
I can just imagine one of them having this internal conversation...
"Ain't this great!!!! All these weenie users out there are getting infected because of ME!! ME!!! I'll just mosey on over and check out CNN to see what they are saying about my virus...arhhhgg...darnit, how come I can't get to the CNN website? And my email server seems to be down..."
"The really scary thing is someone could link an infected image file to one of the comments in this thread and you could become infected simply by viewing it."
Have been researching this issue for the last 3 hours or so, and your statement above is absolutely correct. In fact, the user does not have to click on anything to get infected. All he has to do is visit a web site (any site) that has embedded in it a .WMF file. Moreover, a .WMF file renamed to, say, .jpg or .gif will also infect the user, as the programs that execute these .WMF files do not execute the file based on its file extension, but rather based on the .WMF file's code.
I don't know if I made any sense. I ain't not (syntax intentional.) even a beginner. But this is what I understood. So, correct me if wrong anyone.
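The post above makes the point that a metafile renamed to .jpg or .gif is still handled as a metafile because the viewer goes by the file's contents, not its extension. The same fact works in the defender's favour: a scanner can identify WMF data by its header regardless of what the file is called, and flag files whose extension does not match. The following is an added example, not code from this thread or from GRC, F-Secure or Secunia. It checks the two documented WMF header forms (the placeable header's 4-byte magic, and the standard header's type/size/version fields) over a set of constructed sample files; the sample bytes and file names are made up for the demonstration. A match only says "this is WMF data where a WMF was not expected", not that the file carries an exploit.

```python
import struct

# Placeable (Aldus) WMF header begins with this 4-byte magic on disk.
PLACEABLE_MAGIC = b"\xd7\xcd\xc6\x9a"

# Standard WMF header: FileType(H) HeaderSize(H) Version(H) FileSize(I)
# NumObjects(H) MaxRecord(I) NumParams(H), all little-endian, 18 bytes.
STANDARD_HEADER = struct.Struct("<HHHIHIH")


def classify_wmf(data: bytes):
    """Return 'placeable', 'standard' or None, judging by content only."""
    if data[:4] == PLACEABLE_MAGIC:
        return "placeable"
    if len(data) < STANDARD_HEADER.size:
        return None
    file_type, header_size, version, _fsize, _nobj, _maxrec, num_params = \
        STANDARD_HEADER.unpack(data[:STANDARD_HEADER.size])
    # FileType is 1 (memory) or 2 (disk); HeaderSize is always 9 words;
    # Version is 0x0100 or 0x0300; NumberOfMembers is reserved as 0.
    if file_type in (1, 2) and header_size == 9 \
            and version in (0x0100, 0x0300) and num_params == 0:
        return "standard"
    return None


def find_disguised_wmf(files):
    """files: mapping of filename -> bytes.

    Returns (name, kind) for every file whose content is WMF but whose
    extension claims something else, in the order given.
    """
    hits = []
    for name, data in files.items():
        kind = classify_wmf(data)
        if kind and not name.lower().endswith(".wmf"):
            hits.append((name, kind))
    return hits


# Constructed sample "files" (header bytes only; no real metafile records).
SAMPLE_FILES = {
    # WMF placeable header hidden behind a .jpg name
    "holiday.jpg": PLACEABLE_MAGIC + b"\x00" * 18,
    # a genuine JPEG/JFIF start
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01",
    # a standard WMF header under its proper extension
    "chart.wmf": STANDARD_HEADER.pack(1, 9, 0x0300, 100, 2, 20, 0),
    # the same standard header renamed to .gif
    "banner.gif": STANDARD_HEADER.pack(2, 9, 0x0300, 100, 2, 20, 0),
    # plain text, not an image at all
    "note.txt": b"hello world, not an image at all",
}

if __name__ == "__main__":
    for name, kind in find_disguised_wmf(SAMPLE_FILES):
        print(f"{name}: {kind} WMF content behind a non-WMF extension")
```

Run as-is it reports holiday.jpg and banner.gif; chart.wmf is WMF data but is named honestly, and photo.jpg and note.txt are not metafiles. On a real system you would feed it bytes read from a download directory or a mail attachment store instead of the constructed dictionary.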
While Microsoft is fixing this, maybe they can get with Dell and fix the power management problems, so I can plug my printer into the USB on the back of the box.
I am letting a friend try PCLinuxOS. It's a really nice live run distro.
Some other freeper posted exactly what you are saying, and some mentally defective moderator removed the thread with the explanation, "Nonsense."
That moderator obviously doesn't comprehend the severity of this exploit.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.