Skip to comments.Microsoft To Patch Windows on January 10th; Attack Spreads
Posted on 01/03/2006 11:42:23 AM PST by HAL9000
NEW YORK -(Dow Jones)- Microsoft Corp. (MSFT) plans to release a patch for a new security flaw at its next scheduled update release on Jan. 10, leaving users largely unprotected until then from a rapidly spreading computer virus strain.
"Microsoft's delay is inexcusable," said Alan Paller, director of research at computer security group SANS Institute. "There's no excuse other than incompetence and negligence."
"It's a problem that there's no known solution from Microsoft," said Alfred Huger, senior director of engineering at Symantec Corp.'s (SYMC) security response team.
SANS Institute, via its Internet Storm Center, has taken the unusual step of releasing its own patch for the problem until a Microsoft-approved fix is available. "It's not something we like to do," said Paller.
The Internet Storm Center, which tracks viruses and other outbreaks on the Web, increased the threat level to "yellow" - a warning that means a significant new threat is developing.
(Excerpt) Read more at nasdaq.com ...
Just a suggestion, but 64 bit computers, like the AMD64 are not vulnerable, assuming you have XP SP2.
I was thinking, well, it's still safe to go to FreeRepublic, they're only text. Then I realized anyone can link to any image here.
Perhaps we should disable this feature for now?
See phrack #62 for details.
At least we don't still have the Clinton DOJ going after Microsoft while ignoring terrorists.
I'm a Mac user, so I can be smug. Perhaps you should join me :-).
Other than buying a Macintosh or Linux-based computer, I think I would simply turn off images in my browser when viewing FR.
Someone else posted this fix from GRC:
There's also a third party fix but I'm leery about using it.
UNTIL THIS IS REPAIRED BY MICROSOFT, ANY ATTEMPT
TO DISPLAY A MALICIOUS IMAGE IN WINDOWS COULD
INSTALL MALICIOUS SOFTWARE INTO THE COMPUTER.
This is a so-called "0-day vulnerability" because exploits for the vulnerability appeared before any updates or patches were available.
Although NOT a complete solution, Microsoft has recommended temporarily disabling the automatic display of some images by the operating system and web browser. This can be done, as detailed below, by "unregistering" the "SHIMGVW.DLL" Windows DLL. THIS IS NOT A COMPLETE SOLUTION, but it significantly lowers the risk from this vulnerability from web surfing.
For Windows 2000, XP, 64-bit XP and 2003 server
The temporary patch described above is a FAR superior
solution. ONLY use the de-registration approach below if
you are unable to use Ilfak's temporary patch.
Do not open any "WMF" Windows Metafiles you receive by eMail, and reports are that other file types may also be dangerous.
Anti-virus companies have responded to this, so update your anti-virus signature files for updated protection.
You should IMMEDIATELY disable Windows' use of this
vulnerable DLL until patches from Microsoft are available.
Note that this WILL temporarily disable the "Thumbnail" view
in Windows Explorer and Window's Image and FAX viewer. This is
by design, since these viewers are no longer safe to use until a
non-vulnerable file has been produced by Microsoft and installed.
To immediately disable the vulnerable Windows component:
1) Logon as a user with full administrative rights.
2) Click the Windows "Start" button and select "Run..."
3) Enter the following string into the "Open" field:
regsvr32 -u shimgvw.dll
(You can copy/paste from this page using Ctrl-C/Ctrl-V)
4) Click "OK" to unregister the vulnerable DLL.
If all goes well, you will receive a confirmation prompt, and your system is now safe. No need to reboot, but you might want to just to be sure that any possible currently loaded instance is flushed out.
To eventually re-enable the "SHIMGVW.DLL" component:
Logon as a user with full administrative rights.
Click the Windows "Start" button and select "Run..."
Enter the following string into the "Open" field:
1) regsvr32 shimgvw.dll
(You can copy/paste from this page using Ctrl-C/Ctrl-V)
Same as the one above, but no "-u" for "uninstall".
Click "OK" to re-register the (hopefully) non-vulnerable DLL.
As of last night, I put on my RED HAT, went ROOT, and tipped my FEDORA and left the windows world far behind.
Life is nice.
I disagree. FreeRepublic is already doing it's part to improve security by running on a Linux server. Microsoft is responsible for getting Windows fixed. Good luck to all of the Microsoft customers.
I installed the patch from GRC's recommendation on my XP machines a few days ago, and unregistered the DLL on my W2K machines, and have had no problems thus far.
I tend to trust Gibson fairly well.
I used that temp patch yesterday, and it is now showing my pc has no apparent vunerability.
Gibson (at GRC) is a very reliable source. He developed one of the early programs to 'set' hard drive parameters. He's an ancient sage -- in Internet years. lol.
Microsoft Security Advisory (912840)
Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution.
Published: December 28, 2005 | Updated: January 3, 2006
On Tuesday, December 27, 2005, Microsoft became aware of public reports of malicious attacks on some customers involving a previously unknown security vulnerability in the Windows Meta File (WMF) code area in the Windows platform.
Upon learning of the attacks, Microsoft mobilized under its Software Security Incident Response Process (SSIRP) to analyze the attack, assess its scope, define an engineering plan, and determine the appropriate guidance for customers, as well as to engage with anti-virus partners and law enforcement.
Microsoft confirmed the technical details of the attack on December 28, 2005 and immediately began developing a security update for the WMF vulnerability on an expedited track.
Microsoft has completed development of the security update for the vulnerability. The security update is now being localized and tested to ensure quality and application compatibility. Microsoft’s goal is to release the update on Tuesday, January 10, 2006, as part of its monthly release of security bulletins. This release is predicated on successful completion of quality testing.
The update will be released worldwide simultaneously in 23 languages for all affected versions of Windows once it passes a series of rigorous testing procedures. It will be available on Microsoft’s Download Center, as well as through Microsoft Update and Windows Update. Customers who use Windows’ Automatic Updates feature will be delivered the fix automatically.
Based on strong customer feedback, all Microsoft’s security updates must pass a series of quality tests, including testing by third parties, to assure customers that they can be deployed effectively in all languages and for all versions of the Windows platform with minimum down time.
Microsoft has been carefully monitoring the attempted exploitation of the WMF vulnerability since it became public last week, through its own forensic capabilities and through partnerships within the industry and law enforcement. Although the issue is serious and malicious attacks are being attempted, Microsoft’s intelligence sources indicate that the scope of the attacks are not widespread.
In addition, anti-virus companies indicate that attacks based on exploiting the WMF vulnerability are being effectively mitigated through up-to-date signatures.
Customers are encouraged to keep their anti-virus software up-to-date. The Microsoft Windows AntiSpyware (Beta) can also help protect your system from spyware and other potentially unwanted software. Customers can also visit Windows Live Safety Center and are encouraged to use the Complete Scan option to check for and remove malicious software that takes advantage of this vulnerability. We will continue to investigate these public reports.
If you are a Windows OneCare user and your current status is green, you are already protected from known malware that uses this vulnerability to attempt to attack systems.
Customers who follow safe browsing best practices are not likely to be compromised by any exploitation of the WMF vulnerability. Users should take care not to visit unfamiliar or un-trusted Web sites that could potentially host the malicious code.
Microsoft encourages users to exercise caution when they open e-mail and links in e-mail from untrusted sources. While we have not encountered any situation in which simply opening an email can result in attack, clicking on a link in an email could result in navigation to a malicious site. For more information about Safe Browsing, visit the Trustworthy Computing Web site.
Microsoft considers the intentional use of exploit code, in any form, to cause damage to computer users to be a criminal offense. Accordingly, we continue to work closely with our anti-virus partners and we are assisting law enforcement with its investigation of the attacks in this case. Customers who believe they have been attacked should contact their local FBI office or post their complaint on the Internet Fraud Complaint Center Web site. Customers outside the U.S. should contact the national law enforcement agency in their country.
We continue to encourage customers to follow our Protect Your PC guidance of enabling a firewall, applying software updates and installing antivirus software. Customers can learn more about these steps at the Protect Your PC Web site. The Microsoft Windows AntiSpyware (Beta) can also help protect your system from spyware and other potentially unwanted software.
Customers who believe they may have been affected by this issue can also contact Product Support Services. You can contact Product Support Services in the United States and Canada at no charge using the PC Safety line (1 866-PCSAFETY). Customers outside of the United States and Canada can locate the number for no-charge virus support by visiting the Microsoft Help and Support Web site.
Purpose of Advisory: To provide customers with initial notification of the publicly disclosed and exploited vulnerability. For more information see the “Suggested Actions” section of the security advisory.
Advisory Status: Issue Confirmed, Security Update Planned
Recommendation: Review the suggested actions and configure as appropriate.
This advisory discusses the following software.
Note Microsoft Windows Server 2003 Service Pack 1 and Microsoft Windows Server 2003 x64 Edition also refer to Microsoft Windows Server 2003 R2.
What is the scope of the advisory?
Is this a security vulnerability that requires Microsoft to issue a security update?
What causes the vulnerability?
What is the Windows Metafile (WMF) image format?
What might an attacker use the vulnerability to do?
How could an attacker exploit the vulnerability?
I am reading e-mail in plain text, does this help mitigate the vulnerability?
I have DEP enabled on my system, does this help mitigate the vulnerability?
Does this vulnerability affect image formats other than Windows Metafile (WMF)?
Windows Metafile (WMF) images can be embedded in other files such as Word documents. Am I vulnerable to an attack from this vector?
If I block .wmf files by extension, can this protect me against attempts to exploit this vulnerability?
Does the workaround in this advisory protect me from attempts to exploit this vulnerability through WMF files with changed extensions?
It has been reported that malicious files indexed by MSN Desktop Search could lead to exploitation of the vulnerability. Is this true?
Is this issue related to Microsoft Security Bulletin MS05-053 - Vulnerabilities in Graphics Rendering Engine Could Allow Code Execution (896424) which was released in November?
Will my anti-virus software protect me from exploitation of this vulnerability?
In addition Microsoft is providing heuristic protection against exploitation of this vulnerability through Windows Metafile (WMF) files in our new Windows OneCare Live Beta.
When this security advisory was issued, had Microsoft received any reports that this vulnerability was being exploited?
What’s Microsoft’s response to the availability of third party patches for the WMF vulnerability?
Why is it taking Microsoft so long to issue a security update?
The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
So all will be fine on the 10th...till then be careful..
Excellent timing Gator!
Publishing a novel in a thread is not considered wholesome.
Putting in a link to a page off the side, now that's considerate.
I wanted to catch the fullness of the MS arrongance before they pulled it from their website.......
His shields up is very cool as well.
""It's a problem that there's no known solution from Microsoft," said Alfred Huger, senior director of engineering at Symantec Corp.'s (SYMC) security response team."
But, But ... I thought Symantec's Internet Security was supposed to keep me safe ....
"FreeRepublic is already doing it's part to improve security by running on a Linux server. "
Linux servers won't pass the infected pictures ?
The problem is that the suffix doesn't matter. The Windows Media File nature of the file is embedded in the file header, not discerned via the extension. A snoopy application that decides for itself is going to find those WMF files. It if happens on an exploit, you pay the consequences.
ANY web server can pass the infected files. You will happily pull it right through your firewall via port 80. Once on the disk, your operating system/applications will dictate what happens next. The exploit wasn't targeted at Linux applications/shared libraries...yet. Given all the effort at compatibility to view multi-media files, it is just a matter of time before such an exploit happens. Windows is just a much bigger target.
Ha, does anyone see a parallel here: relying on Microsoft to provide the patch is like
- relying on the police to protect individual citizens
- relying on government to protect the border
You can disable showing images on your own PC, and it would govern all pictures on all sites. Open internet explorer, move your mouse pointer to TOOLS, INTERNET OPTIONS. Select the ADVANCED tab. Scroll down to MULTIMEDIA and deselect SHOW PICTURES.
When the threat of this virus has passed, you can reverse the procedure and reselect SHOW PICTURES.
They can - but it's unlikely that most of the images hosted on FR would contain a virus.
One potential problem area could be in FR's Caption This Image section, where anyone could upload an infected image. But I think John R. has coded some restrictions in that feature to prevent embedding of those images in other web pages.
Most images seen on FR are actually hosted on a different server, which may or may not be running Linux.
Ilfac Guilfanov, who wrote the patch, is somewhat well known as the author of Interactive Disassembler Pro. According to the f-secure weblog, Guilfanov is "arguably one of the best low-level Windows experts in the world."
He is not making money from his patch, but if it causes problems, his reputation will certainly suffer. Steve Gibson of Gibson Research Center, a long time programmer and all-around old computer pro, has examined Guilfanov's code and even spoke with Guilfanov to help him modify the code for Windows 2000. Gibson is very impressed with the quality of the patch. Programmer/author Tom Liston of SANS says that he has gone through the patch and found that it does only what it is supposed to do.
Obviously Guilfanov's patch is riskier than Microsoft's patch will be, but if Microsoft is really going to wait until the 10th without even releasing even a beta patch...
Hmmmm. I'm not so sure.
expecting ANY vendor to honor a warranty on a product it has sold. Crispy fries from McDonalds. Fresh ice cream from Dairy Queen. Safe tires from Firestone.
- relying on the police to protect individual citizens
- relying on government to protect the border
Government is full of politicians. They are experienced weasels at avoiding responsibility. The courts have already ruled that police have no duty to protect citizens. The federal government has clearly failed in its responsibility to protect the U.S. border.
Gibson is a good guy, but his efforts to improve Windows are quixotic.
No, just don't look at the WMF files....point of posting it was that Microsoft was saying that you are OK as long as you don't use some of the facilities they have provided,,,till they finally get around to fixing the problem.....just trust them.
Lot of words for sure.
I'm not sure that Gibson is really "attempting to improve Windows" here, so much as doing what he usually does, saving people from computer disasters. His SpinRite program certainly saved me in the bad old computer days. I probably would have installed the patch on my Windows boxes even without his recommendation, but he made the decision easy.
I know. I read it a couple of days ago and got a cramp laughing so hard. I was just joshing you...
Welcome to the flock!!
Did I describe it accurately....?
What a piece of corporate BS....
Google's timing might be good:
Welcome to the club. FReedom is a wonderful thing. I haven't booted into winders in over a year, it's still on my HD and GRUB lists it as an option, but I haven't had the need.
I guess I could wipe it and use the space for something usefull.
Life is nice, isn't it. :-)
Oh man, I'm just lovin the s**t outta this!
ROOT just gave Billy the BOOT!
Puns definitely intended!
That's what I thought - which is why your original statement - "FreeRepublic is already doing it's part to improve security by running on a Linux server. " - adds nothing to the thread but might conversely give users a false sense of security.
If Free Republic was hosted on Windows servers, it would be a magnet for viruses and hackers. Thanks to Linux hosting, the main threat here seems to be operatives like MD4Bush.
The current problem must be resolved at the operating system level, and Microsoft is doing a lousy job getting it fixed.
I found some distributions of the text-only Lynx web browser for Win32. If I used Windows, I'd be testing that browser right now. It can't display images at all, so it ignores links to images.
"If I used Windows, I'd be testing that browser right now. It can't display images at all, so it ignores links to images."
Kind of a long way around just turning off images isn't it ?
"The current problem must be resolved at the operating system level, and Microsoft is doing a lousy job getting it fixed."
Yep - ... lousy job - but various quotes from the isc website -
"we can't vouch for any special software you might have in your own systems that could be disabled after the patch is installed."
"If you want to experiment with another file submitted to us..." EXPERIMENT ?
"We have pulled the .msi that we posted earlier due to some issues with the file. "
Seems to show that these guys just toss things out there - after all, it's YOUR system they are screwing with. How much can you sue them for if their patch burns your system ?
Has anyone downloaded and tried the 'Windows Live Safety Center' Beta? If so, what do you think of it?
We already have 'Microsoft AntiSpyWare' installed, so far it has not found a thing.
It's an alternative to the "Suggested Actions" listed above in the Microsoft Security Advisory. It avoids the need to un-register the Windows Picture and Fax Viewer (Shimgvw.dll) until the patch is issued.
Lynx is a good web browser for security and privacy purposes, or for low-bandwidth connections. It's not ideal for casual browsing, but it's a useful tool to have sometimes - like right now for Windows.
"It avoids the need to un-register the Windows Picture and Fax Viewer (Shimgvw.dll) until the patch is issued."
Actually that 10-second "fix" worked fine, and I never liked that thumbnail crap anyway - I'll leave it off.
I've installed Guilfanov's patch from grc.com on four XP Pro boxes so far, and not one of them has exploded.