URGENT!!! Security Recommendation

Ice Czar

Due to the serious nature of the WMF vulnerability and the very flexible tools designed to package various malware, I highly recommend you either employ the unofficial hotfix vetted by SANS (http://isc.sans.org/diary.php?storyid=999, direct link: http://handlers.sans.org/tliston/wmffix_hexblog14.exe)
or abandon Windows and use a LiveCD like Knoppix until an official patch comes out.


Warn your family and neighbors.
Good luck ;)

PS: hexblog has a vulnerability checker.

It's better to bust an app or two than to get borged & botted.
 
To elaborate on the danger: you could have all sorts of nastiness installed on your box just by trying to view the wrong picture.

Malicious users can use this tool to exploit the vulnerability and distribute any type of malicious code: Trojans, worms or any other type of malware.

This tool allows malicious WMFs to be generated from any other code, which allows malware to be dropped on users' systems. It then exploits the critical vulnerability in the Windows Metafile process that has not yet been resolved. This vulnerability affects all Windows systems.

Security researchers advise Windows users to install an unofficial patch
Users of the Windows OS should install an unofficial security patch now, without waiting for Microsoft to make its move, advise security researchers at The SANS Institute's Internet Storm Center (ISC).

Their recommendation follows a new wave of attacks on a flaw in the way versions of Windows from 98 through XP handle malicious files in the WMF (Windows Metafile) format. One such attack arrives in an email message entitled "happy new year," bearing a malicious file attachment called "HappyNewYear.jpg" that is really a disguised WMF file, security research companies including iDefense and F-Secure say. Even though the file is labelled as a JPEG, Windows recognises the content as a WMF and attempts to execute the code it contains.

Microsoft advised on 28 December that to exploit a WMF vulnerability by email, "customers would have to be persuaded to click on a link within a malicious email or open an attachment that exploited the vulnerability."

However, simply viewing the folder that contains the affected file, or even allowing the file to be indexed by desktop search utilities such as the Google Desktop, can trigger its payload, F-Secure's Chief Research Officer Mikko Hypponen writes in the company's blog.

In addition, source code for a new exploit was widely available on the internet by Saturday, allowing the creation of new attacks with varied payloads. The file "HappyNewYear.jpg," for example, attempts to download the Bifrose backdoor, researchers say.

These factors exacerbate the problem, according to Ken Dunham, director of the rapid response team at iDefense.

"Risk has gone up significantly in the past 24 hours for any network still not protected against the WMF exploit," Dunham warns.

Alarmed by the magnitude of the threat, staff at the ISC worked over the weekend to validate and improve an unofficial patch developed by Ilfak Guilfanov to fix the WMF problem, according to an entry in the Handler's Diary, a running commentary on major IT security problems on the ISC web site.

"We have very carefully scrutinised this patch. It does only what is advertised, it is reversible, and, in our opinion, it is both safe and effective," Tom Liston writes in the diary.

"You cannot wait for the official MS patch, you cannot block this one at the border, and you cannot leave your systems unprotected," Liston writes.

In the diary, ISC provides a link to the version of the patch it has examined, including a version designed for unattended installation on corporate systems.

While ISC recognises that corporate users will find it unacceptable to install an unofficial patch, "Acceptable or not, folks, you have to trust someone in this situation," Liston writes.

Due to public holidays in Europe, Microsoft representatives could not immediately be reached for comment.

F-Secure's Hypponen highlighted Guilfanov's patch in the F-Secure company's blog on Saturday night, and then on Sunday echoed the ISC's advice to install the patch.

Not all computers are vulnerable to the WMF threat: those running non-Windows operating systems are not affected.

According to iDefense's Dunham, Windows machines running Windows Data Execution Prevention (DEP) software are at least safe from the WMF attacks seen so far. However, Microsoft said that software DEP offered no protection from the threat, although hardware DEP may help.

They are calling this the zero-day exploit D-Day, the worst threat seen so far.
 
Well, I will say this, as I tell my 10000+ users here.

DO NOT OPEN ANYTHING EVEN IF IT IS FROM SOMEONE YOU KNOW WITHOUT FIRST CONFIRMING WITH THE SENDER THAT THEY DID SEND IT!!

Don't blindly double click on email messages and QUIT DOWNLOADING PR0N!!!! :p
 
http://money.cnn.com/2006/01/03/technology/windows_virusthreat/
The latest vulnerability involves a flaw which allows hackers to infect computers using programs inserted into image files. The threat was discovered last week. But it mushroomed over the weekend, when a group of hackers published the source code they used to exploit the flaw.

What makes this threat particularly vicious, according to the Times, is that unwitting victims can infect their computers simply by viewing a web page, e-mail, or instant message that includes a contaminated image.

"The potential [security threat] is huge," Mikko Hypponen, chief research officer at F-Secure, an antivirus company, told the Times. "It's probably bigger than for any other vulnerability we've seen."

Safe is now: disconnect from the internet and don't surf,
at least with an unpatched Windows system.

Had I posted an infected image with this missive, you'd be toast.
It's that serious ;)

When the SANS Institute tells enterprises to install a borked-together patch and just deal with the consequences, it's bloody serious.
 
Can someone link to a live CD for AMD users? I don't know enough about them, and I would rather not go around looking while I am not protected.

And does the unofficial patch conflict with the MS one that will come out?
 
Danke!

I am running Knoppix on my machine and Ubuntu on my girlfriend's machine that is here at my house.

Thanks! :D
 
I wonder if this will create any new linux users. :)
(Patch installed on the windows PC, thanks.)
 
USMC2Hard4U said:
I'm glad I <3 my iBook

ThinkPad + FreeBSD is as close as I'll get. :D

(IBM is involved in both, the OS is related, and both series of laptops have long and proud traditions. Shame the similarities end there, but at least my R50e was dirt cheap. ;) )
 
I believe that's a bit much. I thought I remembered someone mentioning things like some were one distro only; a fair comparison would be Red Hat vs Windows, not all 2353454 distros vs 4 versions of Windows, or however you want to count it.
 
The main reason those numbers look bad would be that the Linux/Unix numbers include several different OSes, several DEs, several different servers for each service, on a bunch of different architectures.
Also, there are probably more Linux kernels released in a month than Windows versions in a year. :)

A more interesting number would be something like "the number of vulnerabilities for a continuously updated redhat mail+web+dns server" compared to the same number for a windows server in the same roles, and another number for a desktop running some comparable set of programs (E.g. KDE on linux vs. windows+office, both kept updated.)
 
Ranma_Sao said:
The patch has been released:
http://www.microsoft.com/technet/security/Bulletin/MS06-001.mspx

This posting is provided "AS IS" with no warranties, and confers no rights.

;) and reports I've seen say it overwrites the "unofficial" patch without issues.

When I started this thread, this looked an awful lot like the "perfect storm": a low-level and widespread vulnerability, the sudden appearance of malware in multiple versions and vectors, and the tools to package most any malware to exploit it.

The security pundits have been describing such a perfect alignment for a while, and forecasting more zero-day exploits. So when SANS issued such an unprecedented warning and recommendation, I took it very seriously. Here's hoping that the public gets patched up in short order.

The funny thing is that when pundits run around like Chicken Little screaming the sky is falling, people pay attention, get fixed up, and it becomes a non-issue, which of course makes us Chicken Littles look like turkeys :p
 
So what does this thing do to your computer exactly? I read earlier that it affected the whole system, but how? I did download and install the patch though, thanks.
 
WMF is a format, kind of like EXE is a format. It's an image format from 1993, and in the cleanup code for the image you can have a function pointer to your cleanup code. Well, some people purposely made a malformed image that would jump straight to the function pointer and then run their own script. It is equivalent to running OwnMe.exe with your credentials. If you were a limited user, it could only party on your files, but not the whole machine; if you were an administrator, it can party on the whole machine.

What the fix did was disable this behavior.

This posting is provided "AS IS" with no warranties, and confers no rights.
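The two technical points made in this thread, that a WMF is recognised by its content no matter what extension it carries (the "HappyNewYear.jpg" attachment) and that the trigger is a metafile record that hands GDI a cleanup callback (the SETABORTPROC escape), can both be checked on the bytes themselves. The following is an added example, not code from any poster, from Microsoft or from SANS: it sniffs the real container by magic bytes, walks the WMF record stream per the MS-WMF layout (placeable header 0x9AC6CDD7, 18-byte standard header, records sized in 16-bit words, META_ESCAPE = 0x0626, SETABORTPROC = 0x0009), and reports any escape record that sets an abort procedure. The function names, the sample files and the placeholder escape data are all constructed here for illustration; the samples are built in memory and are not real malware.

```python
"""Added example: flag WMF files that carry a SETABORTPROC escape,
regardless of the extension the file was mailed with."""
import struct

# Constants from the MS-WMF specification
PLACEABLE_KEY = 0x9AC6CDD7   # "Aldus" placeable header magic
META_ESCAPE = 0x0626
META_EOF = 0x0000
META_SETWINDOWORG = 0x020B   # harmless record used in the benign sample
SETABORTPROC = 0x0009        # escape function that registers a callback


def sniff_format(data: bytes) -> str:
    """Identify the real container by magic bytes, ignoring the filename."""
    if data[:3] == b"\xff\xd8\xff":
        return "jpeg"
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        return "wmf-placeable"
    if len(data) >= 18:
        mtype, hsize, version = struct.unpack_from("<HHH", data, 0)
        if mtype in (1, 2) and hsize == 9 and version in (0x0100, 0x0300):
            return "wmf"
    return "unknown"


def iter_records(data: bytes):
    """Yield (offset, function, params) for each record in a WMF.

    Stops at META_EOF, at a truncated record, or at a RecordSize below the
    3-word minimum (size DWORD + function WORD), so a bogus size field can
    neither loop the scanner nor run it off the end of the buffer.
    """
    kind = sniff_format(data)
    if kind == "wmf-placeable":
        off = 22 + 18            # placeable header, then the standard header
    elif kind == "wmf":
        off = 18
    else:
        return
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if size_words < 3:
            return
        end = off + size_words * 2
        if end > len(data):
            return
        yield off, func, data[off + 6:end]
        if func == META_EOF:
            return
        off = end


def setabortproc_offsets(data: bytes) -> list:
    """Offsets of META_ESCAPE records whose EscapeFunction is SETABORTPROC."""
    hits = []
    for off, func, params in iter_records(data):
        if func == META_ESCAPE and len(params) >= 2:
            if struct.unpack_from("<H", params, 0)[0] == SETABORTPROC:
                hits.append(off)
    return hits


def scan(name: str, data: bytes) -> dict:
    """Verdict: what the name claims, what the bytes are, and any abort-proc escape."""
    kind = sniff_format(data)
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return {
        "name": name,
        "claimed": ext,
        "actual": kind,
        "mismatch": kind.startswith("wmf") and ext != "wmf",
        "setabortproc_at": setabortproc_offsets(data),
    }


# --- constructed test fixtures (not real files) ---------------------------

def _record(func: int, params: bytes) -> bytes:
    """Pack one WMF record; RecordSize counts 16-bit words, padded to even."""
    if len(params) % 2:
        params += b"\x00"
    return struct.pack("<IH", 3 + len(params) // 2, func) + params


def build_wmf(records: list, placeable: bool = False) -> bytes:
    """Assemble a minimal WMF (memory type, version 0x0300) from records."""
    body = b"".join(records) + _record(META_EOF, b"")
    max_words = max(len(r) for r in records + [_record(META_EOF, b"")]) // 2
    total_words = (18 + len(body)) // 2
    header = struct.pack("<HHHHHHIH", 1, 9, 0x0300,
                         total_words & 0xFFFF, total_words >> 16, 0, max_words, 0)
    wmf = header + body
    if not placeable:
        return wmf
    head = struct.pack("<IHhhhhHI", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0)
    checksum = 0
    for word in struct.unpack("<10H", head):   # XOR of the first ten words
        checksum ^= word
    return head + struct.pack("<H", checksum) + wmf


SAMPLES = {
    # WMF content mailed under a .jpg name; escape data is a placeholder, not a payload
    "HappyNewYear.jpg": build_wmf(
        [_record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + b"ABCD")],
        placeable=True),
    # benign metafile: one SETWINDOWORG record and EOF
    "chart.wmf": build_wmf([_record(META_SETWINDOWORG, struct.pack("<hh", 0, 0))]),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(scan(name, blob))
```

The check is deliberately structural rather than signature-based: it does not care what bytes follow the escape, only that a record asks GDI to register an abort procedure, which no legitimate picture needs. Note that this is detection only; a file that passes the scan is not proven safe, and the real fix is the patch.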
 
Ice Czar said:
http://money.cnn.com/2006/01/03/technology/windows_virusthreat/


Safe is now: disconnect from the internet and don't surf,
at least with an unpatched Windows system.

Had I posted an infected image with this missive, you'd be toast.
It's that serious ;)

When the SANS Institute tells enterprises to install a borked-together patch and just deal with the consequences, it's bloody serious.

This isn't truly new: a couple of years ago, I had set up a system for a friend, using AntiVir as the antivirus, and had it set to report all contacts (to try to teach him how prevalent virii and such are), and we were trying to download something over dialup (the virus updates), and the damn JUNO dialup splash screen was attempting to send trojans through the JPGs in the window (IE-based, of course), and AntiVir was catching each attempt.

This, however, is mighty nasty; I wonder if this is related to my problem in my thread?
 