URGENT!!! Security Recommendation

Ice Czar

the official patch is out now, so go get it ;)

http://www.microsoft.com/technet/security/Bulletin/MS06-001.mspx

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Due to the serious nature of the WMF vulnerability and the very flexible tools designed to package various malware, I highly recommend you either employ the unofficial hotfix vetted by SANS http://isc.sans.org/diary.php?storyid=999 direct link > http://handlers.sans.org/tliston/wmffix_hexblog14.exe
or abandon Windows and use a LiveCD like Knoppix till an official patch comes out.


Warn your family and neighbors
Good Luck ;)

PS hexblog has a vulnerability checker

it's better to bust an app or two than to get borged & botted
 
Thanks for the heads up!

As for alerting novice PC users of this matter, what might you think they can expect to occur if this patch install causes them any problems?

Have you had any problems installing this on any machines thus far?
 
I just did that and while I haven't started all my various apps, it hasn't crashed the system
and everything seems normal

to elaborate the danger, you could have all sorts of nastiness installed on your box just by trying to view the wrong picture

Malicious users can use this tool to exploit the vulnerability and distribute any type of malicious code: Trojans, worms or any other type of malware.

This tool allows malicious WMFs to be generated from any other code, which allows malware to be dropped on users' systems. It then exploits the critical vulnerability in the Windows Meta File process that has not yet been resolved. This vulnerability affects all Windows systems.

Security researchers advise Windows users to install an unofficial patch
Users of the Windows OS should install an unofficial security patch now, without waiting for Microsoft to make its move, advise security researchers at The SANS Institute's Internet Storm Center (ISC).

Their recommendation follows a new wave of attacks on a flaw in the way versions of Windows from 98 through XP handle malicious files in the WMF (Windows Metafile) format. One such attack arrives in an email message entitled "happy new year," bearing a malicious file attachment called "HappyNewYear.jpg" that is really a disguised WMF file, security research companies including iDefense and F-Secure say. Even though the file is labelled as a JPEG, Windows recognises the content as a WMF and attempts to execute the code it contains.

Microsoft advised on 28 December that to exploit a WMF vulnerability by email, "customers would have to be persuaded to click on a link within a malicious email or open an attachment that exploited the vulnerability."

However, simply viewing the folder that contains the affected file, or even allowing the file to be indexed by desktop search utilities such as the Google Desktop, can trigger its payload, F-Secure's Chief Research Officer Mikko Hypponen writes in the company's blog.

In addition, source code for a new exploit was widely available on the internet by Saturday, allowing the creation of new attacks with varied payloads. The file "HappyNewYear.jpg," for example, attempts to download the Bifrose backdoor, researchers say.

These factors exacerbate the problem, according to Ken Dunham, director of the rapid response team at iDefense.

"Risk has gone up significantly in the past 24 hours for any network still not protected against the WMF exploit," Dunham warns.

Alarmed by the magnitude of the threat, staff at the ISC worked over the weekend to validate and improve an unofficial patch developed by Ilfak Guilfanov to fix the WMF problem, according to an entry in the Handler's Diary, a running commentary on major IT security problems on the ISC web site.

"We have very carefully scrutinised this patch. It does only what is advertised, it is reversible, and, in our opinion, it is both safe and effective," Tom Liston writes in the diary.

"You cannot wait for the official MS patch, you cannot block this one at the border, and you cannot leave your systems unprotected," Liston writes.

In the diary, ISC provides a link to the version of the patch it has examined, including a version designed for unattended installation on corporate systems.

While ISC recognises that corporate users will find it unacceptable to install an unofficial patch, "Acceptable or not, folks, you have to trust someone in this situation," Liston writes.

Due to public holidays in Europe, Microsoft representatives could not immediately be reached for comment.

F-Secure's Hypponen highlighted Guilfanov's patch in the F-Secure company's blog on Saturday night, and then on Sunday echoed the ISC's advice to install the patch.

Not all computers are vulnerable to the WMF threat: those running non-Windows operating systems are not affected.

According to iDefense's Dunham, Windows machines running Windows Data Execution Prevention (DEP) software are at least safe from the WMF attacks seen so far. However, Microsoft said that software DEP offered no protection from the threat, although hardware DEP may help.

they are calling this the zero-day exploit D-day, the worst threat seen so far
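The "HappyNewYear.jpg" case above is the point that matters for defenders: Windows picks the renderer from the file's bytes, not from its extension, so a mail gateway or quarantine scanner has to sniff content the same way. The script below is an added example for this thread, not code from any of the posters, SANS/ISC, F-Secure or Microsoft. The sample attachments are constructed byte strings (headers padded with zeros), not real malware, and the allow/quarantine/block policy is an assumption for the example rather than anyone's published rule.

```python
"""Content-sniff image attachments so a WMF cannot hide behind a .jpg name.

Added example for this thread (not code from the posters, SANS/ISC, F-Secure
or Microsoft). Windows chooses the renderer from the file's bytes, not its
extension, so a defender's scanner must do the same. All sample data below is
constructed; nothing here is a real malicious file.
"""
import struct

# Placeable (Aldus) WMF header key 0x9AC6CDD7, little-endian on disk.
PLACEABLE_WMF_KEY = b"\xd7\xcd\xc6\x9a"
JPEG_SOI = b"\xff\xd8\xff"
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
GIF_SIGNATURES = (b"GIF87a", b"GIF89a")

# What each extension claims to be; anything else is treated as "no claim".
EXTENSION_TYPES = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png",
                   "gif": "gif", "wmf": "wmf"}


def sniff_image_type(data: bytes) -> str:
    """Classify by leading bytes: 'wmf', 'jpeg', 'png', 'gif' or 'unknown'."""
    if data.startswith(PLACEABLE_WMF_KEY):
        return "wmf"
    if data.startswith(JPEG_SOI):
        return "jpeg"
    if data.startswith(PNG_SIGNATURE):
        return "png"
    if data.startswith(GIF_SIGNATURES):
        return "gif"
    # Standard WMF starts with METAHEADER: Type (1 memory / 2 disk),
    # HeaderSize (always 9 words), Version (0x0100 or 0x0300).
    if len(data) >= 6:
        mtype, hsize, version = struct.unpack_from("<HHH", data, 0)
        if mtype in (1, 2) and hsize == 9 and version in (0x0100, 0x0300):
            return "wmf"
    return "unknown"


def classify_attachment(filename: str, data: bytes) -> tuple:
    """Return (verdict, detected_type).

    Policy (an assumption for this example, not anyone's published rule):
      block      - content is WMF, whatever the name says
      quarantine - extension claims one image type, bytes say another
      allow      - everything else
    """
    detected = sniff_image_type(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claimed = EXTENSION_TYPES.get(ext)
    if detected == "wmf":
        return "block", detected
    if claimed is not None and detected != claimed:
        return "quarantine", detected
    return "allow", detected


# Constructed sample attachments (headers only, padded with zeros).
SAMPLES = {
    # the disguise described in the thread: .jpg name, placeable WMF bytes
    "HappyNewYear.jpg": PLACEABLE_WMF_KEY + bytes(18),
    # standard (non-placeable) WMF under its honest name
    "diagram.wmf": b"\x01\x00\x09\x00\x00\x03" + bytes(12),
    # a genuine JPEG (SOI marker followed by a JFIF APP0 segment start)
    "holiday.jpg": JPEG_SOI + b"\xe0\x00\x10JFIF\x00" + bytes(8),
    # PNG bytes under a .jpg name: not a WMF, but not what it claims either
    "renamed.jpg": PNG_SIGNATURE + bytes(8),
    # no image extension at all, unknown bytes: nothing to contradict
    "notes.txt": b"happy new year\n",
}


def scan_samples() -> dict:
    """Run the policy over every constructed sample; returns name -> verdict."""
    return {name: classify_attachment(name, data)[0]
            for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        print(f"{verdict:10s} {name}")
```

Run it as-is to see the five verdicts; in a real gateway the point is that the WMF branch fires on both the honest `diagram.wmf` and the disguised `HappyNewYear.jpg`, because the name is never consulted before the bytes are.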
 
Here's something I wrote up for another board, and modified a bit to e-mail to friends and family...steal at will:

I won't get into great detail to explain what the issue is, but a Windows Security hole that actually existed in its primary releases in the early 90s was exploited in late December, and is now circulating around the internet.

What it means to you:
This is similar to living in the ghetto and you having left a window opened for 15 years, and everyone has just found out about it.

Why you have to be concerned:
It is very possible for someone to "break in through that window and set your house on fire".

What can happen:
You may lose nothing, or you may lose everything. Decide whether or not you want to take the chance.

When you need not be concerned:
When all of your data is backed up or you do not care to lose all of your data, images, etc.

What you must do:
Download the patch from here (choose one on that page) or here (direct file), then install it. It's just an .exe file that you have to run, nothing that is very involved.


Quoted from Ilfak Guilfanov, the guy who wrote the above patch:
Microsoft will certainly come up with a thoroughly tested fix for it in the future, but meanwhile I developed a temporary fix - I badly needed it.

The fix does not remove any functionality from the system, all pictures will continue to be visible

If for some reason the patch does not work for you, please uninstall it. It will be in the list of installed programs as "Windows WMF Metafile Vulnerability HotFix".

I recommend you uninstall this fix and use the official patch from Microsoft as soon as it is available.


Quoted from here:
"You cannot wait for the official MS patch, you cannot block this one at the border, and you cannot leave your systems unprotected," Liston writes.

In the diary, ISC provides a link to the version of the patch it has examined, including a version designed for unattended installation on corporate systems.

While ISC recognises that corporate users will find it unacceptable to install an unofficial patch, "Acceptable or not, folks, you have to trust someone in this situation," Liston writes.


Quoted from here:
It is worth remembering that due to this vulnerability, the simple act of visiting a website could infect computers, if it contains a malicious WMF, opening the door to Trojans, worms and all types of threats. This vulnerability lies in the way Windows handles WMF (Windows Meta File), so all programs that can process this type of file are affected. These include Internet Explorer, Outlook and Windows Picture and Fax viewer.

In order to protect computers from this threat, as well as ensuring that a malware solution capable of blocking code that can exploit this vulnerability is installed, it is advisable to un-register the DLL associated with this attack, as described at Microsoft.com.

Similarly, although it is not usually recommended to install patches that are not released by the manufacturer of the product, users might want to install the patch released by Ilfak Guilfanov, a prestigious expert in Windows systems, until the Microsoft patch is available. This patch has been tested and recommended by SANS Internet Storm Center, and is available at: this link and this link.


Microsoft's release of the vulnerability

Here is where I initially discovered this.
 
OK, so what does this mean to the end user?

One.

Don't surf any sites that are not trusted. Even if a site IS trusted, care must be taken, as it always should be.

Email,

Do not open everything and anything that is sent to you without verifying the source. This is usually the primary means of viruses infecting your systems.

Antivirus

UPDATE YOUR ANTIVIRUS!! No antivirus??

http://www.free-av.com/
http://www.avast.com/eng/avast_4_home.html

Both FREE!! So no excuses!!
 
Thanks for the excellent writeup, I've been making the rounds with my family and helping them over the phone to install the patch.
 
As expected, a lot of people are having issues accessing the site where the patch resides.

Does anyone have a mirror site?
 
DigitalMP said:
As expected, a lot of people are having issues accessing the site where the patch resides.

Does anyone have a mirror site?

I'd like to know too please.
 
.308 bthp said:

That links to the original file as well, but thanks. I was able to get it from its original location last night, and then someone said the host was down for some reason. It could have been that he overshot his bandwidth, but that would take a whole lot of DLs.

Thanks for hosting it guys! Keep an eye on your bandwidth ;)
 
Ranma_Sao said:
The patch has been released:
http://www.microsoft.com/technet/security/Bulletin/MS06-001.mspx

This posting is provided "AS IS" with no warranties, and confers no rights.

;) and reports I've seen say it overwrites the "unofficial" patch without issues

when I started this thread this looked an awful lot like the "perfect storm": a low-level and widespread vulnerability, the sudden appearance of malware in multiple versions and vectors, and the tools to package most any malware to exploit it.

The security pundits have been describing such a perfect alignment for a while, and forecasting more zero-day exploits. So when SANS issued such an unprecedented warning and recommendation, I took it very seriously; here's hoping that the public gets patched up in short order.

The funny thing is that when pundits run around like Chicken Little screaming the sky is falling, people pay attention, get fixed up and it becomes a non-issue, which of course makes us Chicken Littles look like turkeys :p
 
hey anyone try their test to see if you are vulnerable?

http://sipr . net/test . wmf

when I do it, it asks me what I want to do with the file.
I told it to open, and it just comes up with Windows Media Player and says render failed
 
at this point it's being intercepted by NOD32 for me as a recognized WMF trojan variant
 
the following message is from my brother:

I recently installed the unofficial patch onto my computer, I restarted and everything seemed to be working fine. Today I got a notice from Windows Update telling me that I needed to update my files, I thought nothing of it and installed the new patch. I tried to restart the computer as directed and after passing the motherboard screen, the computer would hang. The last screen that the computer is on is a black screen, with a blinking cursor that appears to be about 3 spaces down the screen. Thanks for your time, any help would be appreciated.


edit: He played around with his boot settings in the BIOS and got it working.
 
EnderW said:
the following message is from my brother:

I recently installed the unofficial patch onto my computer, I restarted and everything seemed to be working fine. Today I got a notice from Windows Update telling me that I needed to update my files, I thought nothing of it and installed the new patch. I tried to restart the computer as directed and after passing the motherboard screen, the computer would hang. The last screen that the computer is on is a black screen, with a blinking cursor that appears to be about 3 spaces down the screen. Thanks for your time, any help would be appreciated.


edit: He played around with his boot settings in the BIOS and got it working.

hmmm...

I'm working on the frontpage today, but that is news related so I'll see what I can find out

can you give me some specifics as to what he did?
 