An extremely nasty (probably the worst yet) Windows exploit has recently been discovered on the internet. (Think rapidly mutating Bird Flu for the PC.)

"The part that's different about this attack is that it's designed to generate slightly different program code each time the exploit is run -- creating a new threat with a random file size, non-WMF file extension (like .jpeg) and other variable tricks." http://blogs.washingtonpost.com/securityfi...xploit_for.html

Infection rate: McAfee announced on the radio yesterday they saw 6% of their customers having been infected with the previous generation of the WMF exploits. 6% of their customer base is a huge number. http://isc.sans.org/diary.php?storyid=992

Why is this issue so important? The WMF vulnerability uses images (WMF images) to execute arbitrary code. It will execute just by viewing the image. In most cases, you don't have to click anything. Even images stored on your system may cause the exploit to be triggered if they are indexed by some indexing software. Viewing a directory in Explorer with 'Icon size' images will cause the exploit to be triggered as well.

Is it better to use Firefox or Internet Explorer? Internet Explorer will view the image and trigger the exploit without warning. New versions of Firefox will prompt you before opening the image. However, in most environments this offers little protection given that these are images and are thus considered 'safe'.

What versions of Windows are affected? All. Windows 2000, Windows XP (SP1 and SP2), Windows 2003. All are affected to some extent. Mac OS X, Unix and BSD are not affected. Note: If you're still running on Win98/ME, this is a watershed moment: we believe (untested) that your system is vulnerable and there will be no patch from MS. Your mitigation options are very limited. You really need to upgrade. http://isc.sans.org/diary.php?storyid=994

"This is a first: the Internet Storm Center is recommending trustworthy computing. They want you to trust that the unofficial patch for the Windows Metafile Vulnerability that is currently being exploited by an IM worm. No patch from Microsoft at this time, and the exploit is arranged in such a manner that it cannot be detected by most intrusion detection systems (the snort rule will peg the CPU on your router) nor filtered by packet-inspecting firewalls (it spans two or more ethernet frames). Not really a whole lot of choice about this one." http://it.slashdot.org/it/06/01/02/1153244...tid=201&tid=218

OMG!!! ISC is saying trust a third-party patch to patch the Windows operating system and not to wait for Microsoft. If that doesn't give you an idea of how serious the situation is . . . then just go right ahead and blindly surf away with Internet Explorer and an "it won't happen to me" ignorance. Porn site computer STD anyone???

If you are running an AMD 64 processor with Windows XP SP2, your computer is immune from all of these buffer overflow threats.

"* What is DEP (Data Execution Protection) and how does it help me? With Windows XP SP2, Microsoft introduced DEP. It protects against a wide range of exploits, by preventing the execution of 'data segments'. However, to work well, it requires hardware support. Some CPUs, like AMD's 64 Bit CPUs, will provide full DEP protection and will prevent the exploit." http://isc.sans.org/diary.php?storyid=994

Protect yourselves folks!!! This can get nasty.
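As an added example (not from any post in this thread or from ISC), here is the kind of content-based check a defender can run over a download or cache folder: it recognises a Windows Metafile by its header bytes rather than its filename, which is exactly what the "non-WMF file extension (like .jpeg)" remark above defeats. The header constants come from the WMF format itself; the function names and the sample files built inside `demo_scan` are my own constructions.

```python
import os
import struct
import tempfile

# Aldus "placeable" WMF header key, 0x9AC6CDD7 stored little-endian.
PLACEABLE_KEY = b"\xd7\xcd\xc6\x9a"


def looks_like_wmf(data: bytes) -> bool:
    """True if the bytes start like a Windows Metafile, whatever the filename says."""
    if data[:4] == PLACEABLE_KEY:
        return True
    if len(data) < 6:
        return False
    # Standard METAHEADER: Type (1 = memory, 2 = disk), HeaderSize = 9 words,
    # Version 0x0100 or 0x0300; all little-endian 16-bit fields.
    mtype, hsize, version = struct.unpack_from("<HHH", data, 0)
    return mtype in (1, 2) and hsize == 9 and version in (0x0100, 0x0300)


def find_disguised_wmf(root: str) -> list:
    """Relative paths of files that are WMF by content but carry another extension."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(32)  # only the header is needed for the decision
            if looks_like_wmf(head) and not name.lower().endswith(".wmf"):
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def demo_scan() -> list:
    """Constructed sample set: a WMF named .jpeg, a real JPEG, and an honest .wmf."""
    # Minimal 18-byte disk METAHEADER: type 2, 9-word header, version 3, zeroed sizes.
    wmf_disk_header = struct.pack("<HHHHHHIH", 2, 9, 0x0300, 0, 0, 0, 0, 0)
    samples = {
        "holiday.jpeg": wmf_disk_header + b"\x00" * 16,   # WMF content, JPEG name
        "real.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 20,    # genuine JPEG SOI marker
        "clipart.wmf": PLACEABLE_KEY + b"\x00" * 28,       # placeable WMF, correct name
    }
    with tempfile.TemporaryDirectory() as root:
        for name, content in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(content)
        return find_disguised_wmf(root)


if __name__ == "__main__":
    print(demo_scan())  # ['holiday.jpeg']
```

A hit means only that the file is a metafile wearing another extension, not that it carries the exploit; treat the output as a triage list to pull out of reach of thumbnail and indexing code, not as a verdict.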
I have a Windows box and a Mac. The Windows box is loaded with security software, I keep it up to date with Microsoft's security patches, I shut it off when I'm going to be away from it for more than a couple of hours and I don't engage in the things that put Windows computers at risk anyway. That is, surfing questionable web sites, clicking on anything in emails sent by people that I don't know (actually, I delete those without opening them). If I do any surfing outside of websites known to me, I use the Mac. The biggest danger to most Windows users is lack of awareness. I have many friends who treat their computers like a microwave oven or television; they think that all they have to do is plug it in and then they forget about it. They surf without any consideration to basic security and that's why they get their computers infected with every damn thing on the internet. The goofballs who write these exploits, along with adware, malware, etc. love people like that. And there are a lot of them.
That /. article and the isc site have to be the most annoying web pages in history. Everyone says how important it is to download and install the 3rd-party patch, yet nowhere does anyone LINK to it. It's weird. Almost like a gag, but no one's laughing.
Quick points, for someone digging in this thread: 1. This is *not* a buffer overflow exploit -- it's Windows allowing a WMF file to do exactly what it was designed to do. It was a bad *design* left over from 1990 that affects *all* versions of Windows from 3.x to XP and 2003. 2. It doesn't matter *how* careful you are on the Internet, you're still at risk because one of your "trusted" sites might get compromised. Have you viewed any images on PriusChat recently? Were they posted by a user? (Just making a point.) 3. The third-party patch is here: http://handlers.sans.org/tliston/WMFHotfix-1.4.msi 4. If you have an AMD 64-bit processor, which has support for hardware-DEP, make sure the feature is turned *on* (XP SP2 has a setting... right-click My Computer and choose properties)
Update coming today!!!! Yep, it's that serious that Microsoft is pushing this update as quick as they can. UPDATE YOUR WINDOWS BOX NOW!!!

"Microsoft Security Bulletin Advance Notification
Updated: January 5, 2005
Security Bulletin Advance Notification Important Information for Thursday 5 January 2006
Microsoft announced that it would release a security update to help protect customers from exploitations of a vulnerability in the Windows Meta File (WMF) area of code in the Windows operating system on Tuesday, January 2, 2006, in response to malicious and criminal attacks on computer users that were discovered last week. Microsoft will release the update today on Thursday, January 5, 2006, earlier than planned." http://www.microsoft.com/technet/security/...in/advance.mspx
1) My bad. I equated this to being associated with a buffer overflow because of the AMD64 with Win SP2 being immune. :mellow: 4) It should be on by default . . . but it doesn't hurt to check. http://support.microsoft.com/kb/875352
Sorry if you find it objectionable, but the green color helps differentiate pasted information from my writings. That is why there is also a link below the green words. Not bolding the green makes the green too pale - light green on white or light blue backgrounds, yuck! Apparently you are not colorblind. :huh:
Well, okay, I *do* treat my computer like a microwave or a TV. I plug it in, turn it on and forget about it. I'm on a Mac. (Please don't throw things.) I rarely have to go beyond routine maintenance and mostly ignore all of the virus alerts. But I urge any and all PC users to get OFF Internet Explorer and use an alternate PC browser. I know it's not necessarily the case here, but many times it is specifically an IE problem coupled with Windows. There are plenty of PC browsers including Firefox and Opera. Firefox is free and by the same people that did Netscape and Mozilla. No, I don't own stock in the company. I've used Mozilla, then Netscape, then Mozilla again for over a decade. IE has always sucked and there have always been security issues. I'm worried with the Mac migrating to an Intel chip what that is going to do to my future invulnerability. I don't want to run virus scans and updates every time I log on to my computer.
Actually, Mac users are the ones who can pretty much afford to treat their computers like a TV. This particular problem, as with most viruses and whatnot that target Windows computers, doesn't affect Macs at all so you're usually safe from all the nonsense. You just have to log on as admin once in a while and let the automatic updates do their stuff. It's the Windows computer users who can't afford to think of their computers as if they were microwave ovens. They're usually the most vulnerable and the most unaware.
Hey Jack, I take issue with you stating that Windows users are the "most unaware". I think that's an unfair generalism. Thinking it through, Windows users are probably more typically aware, because they HAVE to be, than Apple users. God forbid a worm/virus targeted at Apples ever came out - talk about a group not used to security issues....
Well, no, not all Windows users, but most that I talk to every day are Windows users and completely oblivious. I have a Windows computer and a Mac and the Mac is the easiest one to deal with. My Windows box has so much security software that I always seem to be upgrading or updating something. Windows users don't realize, generally, how much harder they have it than Mac users.
Very interesting -- they usually wait until the 2nd Tuesday of the month. They must either think this is serious, or that the public perceives it as serious.
That, and my anti-virus program, Avast, did a program update today, not just a daily virus def update. For security groups to be recommending a third party fix to the OS . . my guess is the threat is huge and not just theoretical. I forced the Windows Update. So far so good.