**Everyone with a computer should read this ASAP**


vidster
04-01-2006, 23:24
Although this would normally go in the 'Computer and tech Chat' forum, I thought everyone should see it.

By now, you've probably heard of the unofficial WMF Vulnerability patch by programming genius Ilfak Guilfanov. Some experts say install it now! Others say you better wait till next week for the official patch from Microsoft. Since I've spent a good part of New Year's Day weekend researching and testing this bug, I would tell you that this vulnerability is so dangerous that you better install the unofficial patch now and then uninstall it when the official Microsoft patch is hopefully released next week.

The highly respected SANS.org has fully vetted the patch and they're so impressed that they've even started hosting copies of the patch on their own website. For your convenience, Guilfanov created an EXE version of the patch which you can find here. For the corporate types that want to install this across the enterprise through Active Directory, they can push out the MSI version repackaged by Evan Anderson of Wellbury Information Services, L.L.C.

If you're wondering why this is such a high priority patch, it's because existing workarounds are weak at best and the exploit is extremely dangerous. There are those who say this isn't any more dangerous than an Internet worm, but worms can't infect you through firewall perimeters. Even Antivirus and Intrusion Detection Systems are having a hard time with the WMF exploits since a group released proof-of-concept code that automatically generates randomized headers and fragmented packets to defeat nearly every AV and IDS signature. With the WMF exploit, you just need to look at an infected image file while surfing the web or checking your email and you're instantly infected with nasty spyware or a rootkit. Since there are no official patches available, there was little you could do to protect yourself until now.

This could affect every user on the internet (using a Windows based PC) and once again Microsoft are dragging their heels and won't release a patch for a week (what do they expect us to do, block all images? :loopy: ).

This (http://handlers.sans.org/tliston/wmffix_hexblog14.exe) is a direct link to the patch. Just download it to your desktop, click on it and install it. That's it!

Once Microsoft release their own patch you can just uninstall this one :wink:

NB: Sorry if this has already been posted but I wanted to let people know about the patch ASAP

MTheo
04-01-2006, 23:27
how about a dumbed down explanation of what it's going on about and why we should need it.

Robbie Loving
04-01-2006, 23:29
Originally posted by MTheo
how about a dumbed down explanation of what it's going on about and why we should need it.

exactly what i was thinking

mr craig
04-01-2006, 23:31
Cliff notes in something i understand please! I downloaded the patch!!

ToryCynic
04-01-2006, 23:34
Originally posted by vidster
This (http://handlers.sans.org/tliston/wmffix_hexblog14.exe) is a direct link to the patch. Just download it to your desktop, click on it and install it. That's it!

Done - cheers!

Bedtime for me!

:D

vidster
04-01-2006, 23:35
Simple Version:

Some script kiddie has figured out how to place spyware/malware/rootkits etc into ANY image on ANY website on the internet. Last week the Numpty decided to release the code to anyone on the internet so now we cannot trust any image on the internet :?

You need to understand that you don't have to click on anything to install this. It will execute and install itself as soon as you open the page with an infected image.

Hecate
04-01-2006, 23:36
There's a discussion about it here (http://www.webuser.co.uk/forums/showflat.php/Cat/0/Number/248508/an/0/page/0#248508) and some further information here (http://www.microsoft.com/technet/security/advisory/912840.mspx)

ANGELUS
04-01-2006, 23:41
Originally posted by vidster
Although this would normally go in the 'Computer and tech Chat' forum, I thought everyone should see it.

This could affect every user on the internet (using a Windows based PC) and once again Microsoft are dragging their heels and won't release a patch for a week (what do they expect us to do, block all images? :loopy: ).

This (http://handlers.sans.org/tliston/wmffix_hexblog14.exe) is a direct link to the patch. Just download it to your desktop, click on it and install it. That's it!

Once Microsoft release their own patch you can just uninstall this one :wink:

NB: Sorry if this has already been posted but i wanted to let people know about the patch ASAP

Nice one vidster mate- cheers for the heads up!
:thumbsup:

Cuscula
05-01-2006, 00:13
so has everyone taken the necessary precautions?

Shiesh
05-01-2006, 00:21
Thanks Vidster. I have installed it, but I have automatic updates installed for Microsoft, so how will I know when it is safe to uninstall this patch???

:confused:

:thumbsup:

Beakerzoid
05-01-2006, 00:22
http://www.microsoft.com/technet/security/advisory/912840.mspx

Microsoft plan to release on the 10th when the monthly updates are available. So, uninstall on the 10th.

Shiesh
05-01-2006, 00:25
Originally posted by Beakerzoid
http://www.microsoft.com/technet/security/advisory/912840.mspx

Microsoft plan to release on the 10th when the monthly updates are available. So, uninstall on the 10th.

Thanks hun!!

:thumbsup:

vidster
05-01-2006, 00:27
Well, Microsoft are going to release a patch for it sometime next week, so I would suggest leaving this patch in place until next weekend. Then go to Add/Remove Programs and find 'Windows WMF Metafile Vulnerability Hotfix 1.4'. Uninstall it and the job's a good 'un :wink:

If I find the exact time of release I will post it here, but Microsoft's servers are going to be busy as hell for a couple of days.

[EDIT] Posted at same time as above :suspect:

PS. Don't just uninstall on the 10th. Make sure you have the official M$ patch first :wink:

Shiesh
05-01-2006, 00:32
OK. It won't hurt to leave it till the end of the month, maybe, to make sure... I assume it won't matter if I have both patches???

Cheers anyway!!

:D

vidster
05-01-2006, 00:33
Doubt it, Shiesh, but I'll let you know if it does matter :)

WallBuilder
05-01-2006, 00:46
I've just tried to install this and got a message appearing saying 'the fix is not compatible with your system' or something very similar. It then pointed me to the www.hexblog.com site and so I went there. From there I downloaded the vulnerability checker, which says my system is invulnerable.
Any suggestions???
I've got Windows 98 Second Edition.

vidster
05-01-2006, 00:51
It means that your system 'should' be safe from this particular vulnerability, WallBuilder :)

erb666
05-01-2006, 00:52
:clap: thanks:clap:

Cliff Clavin
05-01-2006, 01:03
Originally posted by vidster
Simple Version:

Some script kiddie has figured out how to place spyware/malware/rootkits etc in to ANY image on ANY website on the internet. Last week the Numpty decided to release the code to anyone on the internet so now we cannot trust any image on the internet :?

You need to understand that you don't have to click on anything to install this. It will execute and install itself as soon as you open the page with an infected image.

I think this is what I must've got invaded with on Friday before New Years eve. I clicked on an Oil site I visit on regular basis and suddenly my PC began going "BLARRRR BLARRRR BLARRR" but it was too late!!!!

I ended up having to do a full System Restore, I lost all my data!!! My PC was screwed. My brother tried for hours to rid my PC of the Virus but as soon as he attached it to the net, it just re-infected. A real mean, ugly muther it is!!!

WallBuilder
05-01-2006, 01:03
I think I'd figured out that for myself but then the question is how and why is my system safe when it sounds as though most other people's systems aren't secure.
This is obviously going to require further investigation!!
Hello google my old friend

ADC_28
05-01-2006, 01:27
Originally posted by WallBuilder
I've got Windows 98 Second Edition.

Here be dragons, bigod!

It's only an XP flaw, so anyone not running XP should be just great. However, it is possible to set up Windows 2000 so that it *is* vulnerable, such as by installing an image viewer like IrfanView and XnView. I've found that XP64 users can potentially be vulnerable too, but Microsoft have probably been able to telephone all 3 of the users in person to tell them.

On a different note, calling the person who unearthed the vulnerability a script kiddie and a numpty is a little off, I think, as it involved a lot of ingenuity and talent to figure out how to exploit it.

I'm not saying it isn't really annoying and malicious, but it's a step apart from just propagating others' trojans and malicious apps.

Anyway, if you have good spyware and anti-virus software and don't routinely visit sketchsome sites, you should be just fine.

WallBuilder
05-01-2006, 02:27
I've been looking at various technical sites and have come to the conclusion that there are far too many techies out there who either want to scare you witless or blind you with technical jargon.
Do this, don't do this, uninstall that, have a look at this helpful site [which usually turns out to be something less than helpful!!!].
In desperation I turned to the Microsoft site and tried to root out some info, gave up in the end and sent them an e-mail asking for clarification.
Then I come back to the forum and find an answer posted in simple, easy to understand English.
So thanks ever so much for the help.
The clever person who designed this problem may not be a 'numpty' or even a 'sod', but I'd still stamp on his fingers till it hurt.
I've got to be up in five hours!!!!!

Jake01
05-01-2006, 05:11
Originally posted by vidster
Although this would normally go in the 'Computer and tech Chat' forum, I thought everyone should see it.

This could affect every user on the internet (using a Windows based PC) and once again Microsoft are dragging their heels and won't release a patch for a week (what do they expect us to do, block all images? :loopy: ).

This (http://handlers.sans.org/tliston/wmffix_hexblog14.exe) is a direct link to the patch. Just download it to your desktop, click on it and install it. That's it!

Once Microsoft release their own patch you can just uninstall this one :wink:

NB: Sorry if this has already been posted but i wanted to let people know about the patch ASAP

Dunno about you, but I run a genuine XP programme and it updates itself every time there is one.... I also run a full McAfee Internet suite.... which stops snoops full stop.... Tell me if I am wrong, but downloading programmes to stop snooping can not only affect your system as they conflict with the original security programme, but they also take up memory on your hard drive and can sometimes cause your system to crash.

They are sometimes very hard to delete as well.

Ann*
05-01-2006, 05:43
Originally posted by vidster
Although this would normally go in the 'Computer and tech Chat' forum, I thought everyone should see it.

By now, you've probably heard of the unofficial WMF Vulnerability patch by programming genius Ilfak Guilfanov. Some experts say install it now! Others say you better wait till next week for the official patch from Microsoft. Since I've spent a good part of New Year's Day weekend researching and testing this bug, I would tell you that this vulnerability is so dangerous that you better install the unofficial patch now and then uninstall it when the official Microsoft patch is hopefully released next week.

The highly respected SANS.org has fully vetted the patch and they're so impressed that they've even started hosting copies of the patch on their own website. For your convenience, Guilfanov created an EXE version of the patch which you can find here. For the corporate types that want to install this across the enterprise through Active Directory, they can push out the MSI version repackaged by Evan Anderson of Wellbury Information Services, L.L.C.

If you're wondering why this is such a high priority patch, it's because existing workarounds are weak at best and the exploit is extremely dangerous. There are those who say this isn't any more dangerous than an Internet worm, but worms can't infect you through firewall perimeters. Even Antivirus and Intrusion Detection Systems are having a hard time with the WMF exploits since a group released proof-of-concept code that automatically generates randomized headers and fragmented packets to defeat nearly every AV and IDS signature. With the WMF exploit, you just need to look at an infected image file while surfing the web or checking your email and you're instantly infected with nasty spyware or a rootkit. Since there are no official patches available, there was little you could do to protect yourself until now.

This could affect every user on the internet (using a Windows based PC) and once again Microsoft are dragging their heels and won't release a patch for a week (what do they expect us to do, block all images? :loopy: ).

This (http://handlers.sans.org/tliston/wmffix_hexblog14.exe) is a direct link to the patch. Just download it to your desktop, click on it and install it. That's it!

Once Microsoft release their own patch you can just uninstall this one :wink:

NB: Sorry if this has already been posted but I wanted to let people know about the patch ASAP

Vidster, it might have been better to have provided a link to, or accredited, that quote to the website from which you obtained it.

Also, the link to the patch takes us straight to the download file, giving no-one the choice of where to obtain it. It would have been better to have posted a link to the website, surely?

I, myself, refuse to download anything unless I know and trust its source. Therefore, I'll wait for the automatic MS update next week, thanks very much.

Jake01
05-01-2006, 05:48
Originally posted by an idiot
This could affect every user on the internet (using a Windows based PC) and once again Microsoft are dragging their heels and won't release a patch for a week (what do they expect us to do, block all images? :loopy: ).

This (http://handlers.sans.org/tliston/wmffix_hexblog14.exe) is a direct link to the patch. Just download it to your desktop, click on it and install it. That's it!

Once Microsoft release their own patch you can just uninstall this one :wink:

NB: Sorry if this has already been posted but I wanted to let people know about the patch ASAP

Vidster, it might have been better to have provided a link to, or accredited, that quote to the website from which you obtained it.

Also, the link to the patch takes us straight to the download file, giving no-one the choice of where to obtain it. It would have been better to have posted a link to the website, surely?

I, myself, refuse to download anything unless I know and trust its source. Therefore, I'll wait for the automatic MS update next week, thanks very much.

Like minded.... :D

hazel
05-01-2006, 06:24
Thanks vidster. I trust to your superior knowledge.
done

hazel

rich951
05-01-2006, 06:44
Originally posted by Ann_x
Vidster, it might have been better to have provided a link to, or accredited, that quote to the website from which you obtained it.

Also, the link to the patch takes us straight to the download file, giving no-one the choice of where to obtain it. It would have been better to have posted a link to the website, surely?

I, myself, refuse to download anything unless I know and trust its source. Therefore, I'll wait for the automatic MS update next week, thanks very much.
Of course, if you visit a page containing a wmf vulnerability, you will be downloading and running something very malicious without having any choice in the matter! ;)

As mentioned in the original post, there is plenty of info on SANS (http://isc.sans.org/) about this unofficial patch, so go and poke around the site and read a few articles - as probably the best-known and respected security site out there for IT professionals, I'd trust their opinion. One figure I'll quote from there is that they estimated yesterday that 10% of internet users had seen one of these infected images (most of course without knowing it). I wonder what it will be like by the time MS release the patch...

LellyBee
05-01-2006, 07:13
I'm more than happy to go along with Vidsters' recommendation on this, thanks for the heads up :thumbsup:

Berberis
05-01-2006, 08:43
This is a knee jerk reaction!

This only affects WMF files! So stating that "how to place spyware/malware/rootkits etc in to ANY image on ANY website on the internet" is simply wrong!

If you want to be safe, just delete the WMF file associations. This is how we combated the ILOVEYOU type viruses back in the day!

Of course, if you have AV software (which you are silly if you don't), KEEP IT UP TO DATE and you will be fine!

basshedz2
05-01-2006, 09:03
Serapis -

from my IT dept.

It is possible for an attacker to rename the file extension (to .jpg for example) to hide the fact that the file is a WMF file and for the file to still be opened.

Microsoft's comment on the vulnerability (http://www.microsoft.com/technet/security/advisory/912840.mspx)

My IT dept have recommended not installing the patch and waiting for the official Microsoft patch on the 10th. Until then they recommend only visiting trusted websites, and following Safe Browsing Practices (http://www.microsoft.com/athome/security/online/browsing_safety.mspx)

My advice is that if you are likely to visit less trustworthy websites (or browse images on google, etc.) it is better to install the patch and be safe.

b

nick2
05-01-2006, 09:04
This story has been going on in the computer nerd world for about a year now, about somehow someone infecting an image with a virus; none of the people I've spoken to, who are actually IT experts, think it's that desperately serious.

sccsux
05-01-2006, 09:09
Originally posted by serapis
This only affects WMF files! So stating that "how to place spyware/malware/rootkits etc in to ANY image on ANY website on the internet" is simply wrong!

M$ issued a jpeg vulnerability fix a few months ago that allowed JPEGs to be exploited in a similar manner.

Also, the way MS render PNGs (eg. alpha transparencies) suggests, to me, that an exploit may be found within malformed PNG headers before too long....

sccsux
05-01-2006, 09:12
Originally posted by nick2
This story has been going on in the computer nerd world for about a year now, about somehow someone infecting an image with a virus; none of the people I've spoken to, who are actually IT experts, think it's that desperately serious.

Even a "Proof Of Concept" is enough reason to take this seriously. Simply because it means it is possible to run local/remote code through viewing an image with a malformed header....

Cyclone
05-01-2006, 09:14
I don't think anyone needs to panic though, we all follow 'safe browsing practices' right?

Unless you're planning on surfing for porn or warez or you allow images to be displayed in your email then you are unlikely to encounter a malicious wmf image.

Jake01
05-01-2006, 09:39
Originally posted by Cyclone
I don't think anyone needs to panic though, we all follow 'safe browsing practices' right?

Unless you're planning on surfing for porn or warez or you allow images to be displayed in your email then you are unlikely to encounter a malicious wmf image.

Yeah!!!!.... people can sometimes end up downloading a worm or virus simply by trusting advice from someone who doesn't have a b****y clue what they are talking about.

nick2
05-01-2006, 09:43
Originally posted by Cyclone
I don't think anyone needs to panic though

But we do, we do, panic, panic, run to the hills, my PC is in dire danger, it will die any minute, hold on, I've got a "patch", phew! That's OK, now I can stop worrying about viruses again, until the next panic comes along.

sccsux
05-01-2006, 09:45
Originally posted by Cyclone
Unless you're planning on surfing for porn or warez or you allow images to be displayed in your email then you are unlikely to encounter a malicious wmf image.


Or use Google Desktop;).

Or use Google/Yahoo etc Image search...

Cyclone
05-01-2006, 09:47
Originally posted by sccsux
Or use Google Desktop;).

Or use Google/Yahoo etc Image search...

True, if google image shows wmf images... I can't remember if you can specify the type when you do a search.

sccsux
05-01-2006, 09:51
Originally posted by Cyclone
True, if google image shows wmf images... I can't remember if you can specify the type when you do a search.

Under advanced image search, you can specify one of four file types: All, JPEG, GIF & PNG:).

Joelc
05-01-2006, 10:05
More info assimilated from the guys at SA

WHAT IS IT?
There is a new exploit (with several variations) out that uses WMF (Windows Metafile Format) files to infect a computer. The problem is in a file called GDI32.DLL, a part of Microsoft Windows that extracts information from WMF files. When a WMF file is created in a certain way, it can execute commands on the computer without a person's knowledge. The exploit makes use of this to take control of a computer and install spyware, log personal information, send spam, or any other conceivable thing.

WHAT DOES IT DO?
This exploit is so easy to modify that new versions are popping up constantly, making it hard to say exactly what a particular variation will do. The exploit can be used to drop viruses, trojans, installers etc. onto your computer when the exploit is activated (when the file is parsed by the part of Windows with the problem). It does not do anything by itself until it is activated. Most reports so far have been of trojans being downloaded, which then download other things, other spyware, etc. Some of these are "SpyAxe", "AYL" trojan downloader, "ASC" trojan, and other stuff. There are also reports of variations that will install a "keylogger" program to capture everything you type into the computer; variations that will shut off services (antivirus, for instance) on your computer; variations that use your computer to send spam, and so forth. Generally it can be said that whatever the exploit is used for, it's up to no good.

HOW DOES IT SPREAD?
All you have to do to get infected is view a webpage that has the image on it, or access an infected image that is on your computer. It does not matter how the image ends up on your computer, just that it does. The file could also be a WMF renamed to any other image type, or possibly other filetypes. Anything that puts the image exploit onto your computer or opens it up in Windows Fax Viewer or the part of Windows that generates thumbnails of WMF files is a vulnerability. This means any vector that puts the image onto your computer (wget, browser, email, IM, etc) can potentially cause the problem.

Current variations of the exploit are spreading using
- Fake instant messages telling you to click a link; clicking the link downloads or displays the picture
- Emails with a picture included or attached
- Web pages with the picture on them
- Anything else that could put your computer in contact with the image file

That means the forums can be a vector for infection too. (In fact, user Blue Reptile has already been permabanned for putting the exploit in his signature.)

WHO IS VULNERABLE?
This affects anyone on Windows (3.0, 3.1, 3.11, 95, 98, 98SE, ME, 2000, XP, 2003). The vulnerability is in Windows itself. Firefox, Internet Explorer, and any other browser that displays or downloads the file into the cache on the local machine is one way the image can get onto your computer. Thus, USING FIREFOX DOES NOT ELIMINATE THE RISK as the file is still downloaded to your cache in most cases, but it does reduce your chances somewhat since the image is often not displayed in the browser. But if you then interact with the file in any way (thumbnail it, Google Desktop, hover over it with the mouse) that causes it to be handled by the Windows subsystem responsible for WMF, then you will have problems. Once again, YOU CAN BE CAUGHT BY THIS EXPLOIT EVEN IF THE IMAGE DOES NOT SHOW IN THE BROWSER. If you use Windows, your system is vulnerable.

WHAT YOU CAN DO TO HELP PROTECT YOURSELF
1. SCAN YOUR COMPUTER - Update your defs and scan your computer. Even if you think you are safe, scan your Windows computer anyway. If you don't have antivirus software, NOD32 TRIAL VERSION is a good one and works as a trial for 30 days. Update the definitions right away after installing - they auto-update but you want to be sure you have the latest. I have personally tested NOD32 and found that its AMON on-access scanner stopped the image as soon as it was saved to the cache, before it was able to execute anything.

Most AV companies should have definitions updated by now, but check to be sure that they protect against the actual exploit itself, not just against whatever trojan the exploit drops on the computer. NOTE: SCAN ALL FILES. Some AV solutions only scan "infectable" files and do not scan image files because the program thinks they are safe. Check for an option to scan all file types and make sure that is enabled.

Now that almost all AV software has some kind of definition for it, you can really use whatever you want and are comfortable with. So it's not like anyone is pushing you to go pay for NOD32 if you are already happy with what you have. There are still pros and cons to using each particular software.

Whichever AV you use, just make sure that:
1) You have your realtime scanner turned on for now, and
2) You set it to scan all files, including images (not just exe's anymore!), and
3) The AV software of your choice detects the actual exploit (all variations) and not just the payload it drops once activated.

2. USE AN ALTERNATIVE BROWSER - Using Firefox or an alternative browser will reduce your risk because it does not display the image. However the image is still downloaded to your cache, and some browsers prompt you to open the file - which you should not do!

3. TURN OFF SALR's feature that makes text links into images. If you have that feature turned on, someone could make just a text link that displays the infected image in your browser.

4. TURN OFF GOOGLE DESKTOP or anything else that does indexing of files on your computer.

5. USE COMMON SENSE - Don't go to links you don't trust, don't open files you aren't expecting, including suspicious email or IM's, etc.

6. KEEP ON TOP OF WINDOWS UPDATES - Hopefully they can fix this one quickly, but you really should be up-to-date on everything else anyway.

7. AVOID IMAGE SEARCHING and visiting webpages you don't trust. Some of the places this image has been popping up are: eBay XBOX auctions, porn sites, google image search, wikipedia, myspace, other forums, etc - places where people can post their own images. If you have a competent realtime scanner that can catch the image before it executes anything you are ahead of the game here.

BONUS TECHY STUFF
8. DISABLE WINDOWS THUMBNAILS - You can try unhooking the part of Windows that views those image files. To do this, click Start -> Run and type regsvr32 /u shimgvw.dll then press OK. You will get a confirmation message. To undo this, repeat but type regsvr32 shimgvw.dll instead. Note: This only has a minimal benefit - it only disables the image viewer itself. It doesn't prevent viewing the exploit image in Internet Explorer, for example. Messing around with this is at your own risk.

Joel
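A defender-side check for the renamed-extension point made in basshedz2's IT department note and in Joelc's "HOW DOES IT SPREAD?" section above. This is an added example, not code from the thread or from any tool it mentions: it identifies a metafile by its META_HEADER and record list rather than by file name, and flags cached files whose bytes are a WMF but whose extension claims a raster format, or whose record list is truncated. The cache contents are constructed inline; the header layout follows the WMF format and nothing else is assumed.

```python
import os
import struct

WMF_PLACEABLE_KEY = 0x9AC6CDD7   # Aldus placeable-metafile key; 22-byte pre-header
PLACEABLE_HEADER_LEN = 22
META_HEADER_LEN = 18             # standard META_HEADER, Type through NumberOfMembers
META_EOF = 0x0000

# Magic bytes of the raster formats a metafile is most likely to be disguised as
IMAGE_MAGIC = {
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "bmp": (b"BM",),
}
EXT_TO_TYPE = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png",
               ".gif": "gif", ".bmp": "bmp", ".wmf": "wmf"}


def parse_wmf(data):
    """Parse the WMF header and walk the records; None if not a WMF at all."""
    offset, placeable = 0, False
    if (len(data) >= PLACEABLE_HEADER_LEN
            and struct.unpack_from("<I", data, 0)[0] == WMF_PLACEABLE_KEY):
        offset, placeable = PLACEABLE_HEADER_LEN, True
    if len(data) < offset + META_HEADER_LEN:
        return None
    (mf_type, header_words, version, size_words,
     num_objects, _max_record, _members) = struct.unpack_from("<HHHIHIH", data, offset)
    # Type 1 = memory metafile, 2 = disk metafile; HeaderSize is always 9 words;
    # Version is 0x0100 (Windows 1.x) or 0x0300 (Windows 3.x)
    if mf_type not in (1, 2) or header_words != 9 or version not in (0x0100, 0x0300):
        return None
    info = {"placeable": placeable, "version": version, "num_objects": num_objects,
            "declared_size_ok": size_words * 2 == len(data) - offset,
            "records": 0, "well_formed": False}
    pos = offset + META_HEADER_LEN
    while pos + 6 <= len(data):
        rec_words, func = struct.unpack_from("<IH", data, pos)
        if rec_words < 3:            # Size and RecordFunction alone occupy 3 words
            return info              # impossible record size: malformed
        info["records"] += 1
        if func == META_EOF:
            info["well_formed"] = info["declared_size_ok"]
            return info
        pos += rec_words * 2
    return info                      # ran off the end without reaching META_EOF


def sniff_type(data):
    """Name the real format from the leading bytes: 'wmf', a raster type, or 'unknown'."""
    if parse_wmf(data) is not None:
        return "wmf"
    for name, magics in IMAGE_MAGIC.items():
        if data.startswith(magics):
            return name
    return "unknown"


def check_file(filename, data):
    """Return (claimed, actual, suspicious): suspicious when the bytes are a
    metafile whose name says otherwise, or whose record list does not parse."""
    claimed = EXT_TO_TYPE.get(os.path.splitext(filename)[1].lower(), "unknown")
    actual = sniff_type(data)
    suspicious = False
    if actual == "wmf":
        suspicious = claimed != "wmf" or not parse_wmf(data)["well_formed"]
    return claimed, actual, suspicious


def build_sample_wmf(placeable=False):
    """Construct a tiny, structurally valid metafile (sample data, not a real capture)."""
    body = struct.pack("<IHH", 4, 0x0103, 8)    # META_SETMAPMODE(MM_ANISOTROPIC), 4 words
    body += struct.pack("<IH", 3, META_EOF)      # META_EOF, 3 words
    total_words = (META_HEADER_LEN + len(body)) // 2
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, total_words, 0, 4, 0)
    pre = b""
    if placeable:
        # Key, HWmf, bounding box (left, top, right, bottom), Inch, Reserved, Checksum
        pre = struct.pack("<IHhhhhHIH", WMF_PLACEABLE_KEY, 0, 0, 0, 100, 100, 1440, 0, 0)
    return pre + header + body


# Constructed cache listing: the names say JPEG/PNG but two of the files are metafiles
SAMPLE_CACHE = {
    "holiday.jpg": build_sample_wmf(),                 # metafile renamed to .jpg
    "banner.png": build_sample_wmf(placeable=True),    # placeable metafile renamed to .png
    "chart.wmf": build_sample_wmf(),                   # honest, well-formed metafile
    "broken.wmf": build_sample_wmf()[:-6],             # META_EOF record chopped off
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,   # genuine JPEG start-of-image marker
}


def scan_cache(cache):
    """Return the names of cached files that deserve a closer look."""
    return [name for name, data in cache.items() if check_file(name, data)[2]]


if __name__ == "__main__":
    for name, data in SAMPLE_CACHE.items():
        claimed, actual, flag = check_file(name, data)
        print(f"{name:12} claims {claimed:8} is {actual:8} {'SUSPICIOUS' if flag else 'ok'}")
```

Run against a real browser cache directory by reading each file's first few kilobytes into `check_file`; a well-formed WMF under an honest .wmf name is reported but not flagged.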

not2nite
05-01-2006, 10:10
Thanks vidster.

I'm pretty 'thick' when it comes to things like this, but even I managed to download it!!! :thumbsup: :clap:

Berberis
05-01-2006, 10:53
Originally posted by basshedz2
Serapis -

from my IT dept.

Microsoft's comment on the vulnerability (http://www.microsoft.com/technet/security/advisory/912840.mspx)

My IT dept have recommended not installing the patch and waiting for the official Microsoft patch on the 10th. Until then they recommend only visiting trusted websites, and following Safe Browsing Practices (http://www.microsoft.com/athome/security/online/browsing_safety.mspx)

My advice is that if you are likely to visit less trustworthy websites (or browse images on google, etc.) it is better to install the patch and be safe.

b

Hmm,

I can see the point that renaming a WMF to a JPG or similar may cause problems, but that's only if the execution of the file is exactly the same, which I doubt. JPG files and WMF files have different header information and formats. Yes, a program that can execute a WMF file and JPGs will have no problem opening files with switched extensions, but this is because the image data is again in a bitmap format.

Like I've said, make sure you have AV software and keep it up to date. You should also use things like Microsoft's Anti-Spyware software to be safe!

Let's not get into a 'nerd-off' over this!

Those of you saying this has been about for years are talking about the GDI updates for Windows where someone realised there were no limits on JPG file sizes. This meant that a file could be larger than the system buffers, which could then overrun and execute malicious code without hindrance, in effect uploading whatever the creator wanted to your PC and executing itself.

venger
05-01-2006, 11:03
Oh well, I have installed it anyways, thanks Vidster :thumbsup:

nick2
05-01-2006, 13:31
Of course you could already have hundreds of these files on your PC just waiting to "activate"

venger
05-01-2006, 13:40
Originally posted by nick2
Of course you could already have hundreds of these files on your PC just waiting to "activate"

*Yawns* Surely every little helps then ;)

Cyclone
05-01-2006, 13:43
Originally posted by nick2
Of course you could already have hundreds of these files on your PC just waiting to "activate"

given that the exploit was only made public a short time ago and that viewing the files is enough to execute the exploit, how would you end up with the files on your disk 'waiting to activate'?

nick2
05-01-2006, 15:58
Originally posted by Cyclone
given that the exploit was only made public a short time ago and that viewing the files is enough to execute the exploit, how would you end up with the files on your disk 'waiting to activate'?

I was just trying to add to the general hysteria :)

seanyboy
05-01-2006, 16:06
Originally posted by vidster
**Everyone with a computer should read this ASAP**

I'm worried about the people without computers - how will they read it?

melthebell
05-01-2006, 17:44
Originally posted by basshedz2
Serapis -

from my IT dept.

Microsoft's comment on the vulnerability (http://www.microsoft.com/technet/security/advisory/912840.mspx)

My IT dept have recommended not installing the patch and waiting for the official Microsoft patch on the 10th. Until then they recommend only visiting trusted websites, and following Safe Browsing Practices (http://www.microsoft.com/athome/security/online/browsing_safety.mspx)

My advice is that if you are likely to visit less trustworthy websites (or browse images on google, etc.) it is better to install the patch and be safe.

b

Yes, but they can hack "safe" sites, you know, add images and edit images.

Then they're no longer "safe".

melthebell
05-01-2006, 17:46
Originally posted by nick2
This story has been going on in the computer nerd world for about a year now, about somehow someone infecting an image with a virus; none of the people I've spoken to, who are actually IT experts, think it's that desperately serious.

You can get viruses from animated GIFs, have done for years....... I think that's where I got one from, those dodgy pr0n gifs :P
*hangs head*

vidster
05-01-2006, 17:54
Originally posted by Ann_x
Vidster, it might have been better to have provided a link to, or accredited, that quote to the website from which you obtained it.

Also, the link to the patch takes us straight to the download file, giving no-one the choice of where to obtain it. It would have been better to have posted a link to the website, surely?

I, myself, refuse to download anything unless I know and trust its source. Therefore, I'll wait for the automatic MS update next week, thanks very much.

1. Sorry about that. I forgot the link. It comes from ZDNet (http://blogs.zdnet.com/Ou/index.php?p=144&tag=nl.e550)

2. The link was the only one available on the ZDNet site.

3. That's your prerogative.

Jake01: Never realised you were an MCP security specialist? Glad to have helped you anyway! :wave:

shoeshine
05-01-2006, 18:00
Originally posted by ppn_2204
There's a discussion about it here (http://www.webuser.co.uk/forums/showflat.php/Cat/0/Number/248508/an/0/page/0#248508) and some further information here (http://www.microsoft.com/technet/security/advisory/912840.mspx)

Thanks ppn_2204. Following your link I went to the second website you linked and downloaded the online prog and did an online scan of the complete computer here. All OK. Have saved the URL for my family to use on theirs in future.

ps I am referring to Microsoft's Beta version of the virus scanner

not the link posted by Vidster, although I may put that on tomorrow..thanks also to you vidster

fnkysknky
05-01-2006, 19:43
Being that there is no way to tell if a website has been compromised then it's very much worth installing the patch or at the least unregistering the dll for the time being.

fnkysknky
05-01-2006, 19:49
Originally posted by Cyclone
given that the exploit was only made public a short time ago and that viewing the files is enough to execute the exploit, how would you end up with the files on your disk 'waiting to activate'?

You might only view the top half of a webpage that doesn't fit on the screen and an image containing the exploit may be on the bottom of the page - the browser would download the image to the cache but not render it. It's then on your hard drive where an indexing program or something else could stumble across it.
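fnkysknky's point is that a cached image sits on disk under whatever name the browser gave it, so a defender's check should look at file bytes, not extensions. Below is an added Python example (not code posted in this thread) that flags WMF files in a directory by their documented header fields (the 0x9AC6CDD7 placeable key, or a standard header with type 1/2, size 9 and version 0x0100/0x0300); the sample cache contents are constructed.

```python
"""Find WMF files in a cache directory by header bytes, whatever the file is named."""
import os
import struct
import tempfile

PLACEABLE_KEY = b"\xd7\xcd\xc6\x9a"  # 0x9AC6CDD7, little-endian, placeable WMF header
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


def classify_wmf(data):
    """Return 'placeable', 'standard' or 'not-wmf' for the first bytes of a file."""
    if data[:4] == PLACEABLE_KEY:
        return "placeable"
    if len(data) >= 18:
        # Standard METAHEADER: Type (1 memory / 2 disk), HeaderSize (9 words), Version
        mt_type, header_size, version = struct.unpack("<HHH", data[:6])
        if mt_type in (1, 2) and header_size == 9 and version in (0x0100, 0x0300):
            return "standard"
    return "not-wmf"


def scan_cache(directory):
    """Return {relative path: kind} for every file under directory that parses as WMF."""
    found = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                head = fh.read(22)  # enough for either header variant
            kind = classify_wmf(head)
            if kind != "not-wmf":
                found[os.path.relpath(path, directory)] = kind
    return found


def build_sample_cache(directory):
    """Write constructed sample files (not real cache contents) into directory."""
    # 18-byte standard header for an empty disk metafile: type 2, 9 words, version 3.0
    standard_hdr = struct.pack("<HHHIHIH", 2, 9, 0x0300, 9, 0, 0, 0)
    samples = {
        # placeable WMF stored under a .gif name, as a cache might do
        "AB12CD34.gif": PLACEABLE_KEY + b"\x00" * 18 + standard_hdr,
        "logo.wmf": standard_hdr,                       # honest standard WMF
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,  # JPEG, not WMF
        "pic.wmf": PNG_MAGIC + b"\x00" * 12,            # .wmf extension, PNG bytes
    }
    for name, data in samples.items():
        with open(os.path.join(directory, name), "wb") as fh:
            fh.write(data)
    return sorted(samples)


def demo():
    """Build the constructed cache in a temp dir and return what the scan flags."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_cache(tmp)
        return scan_cache(tmp)


if __name__ == "__main__":
    for path, kind in sorted(demo().items()):
        print(f"{path}: {kind} WMF")
```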

Cyclone
05-01-2006, 19:59
yep, possible.

Either way, my auto update just installed the Microsoft fix, so I guess they released it early.

fnkysknky
05-01-2006, 20:20
Nice one, I'll grab the official fix now then :)

venger
05-01-2006, 21:19
Originally posted by vidster


Jake01: Never realised you were an MCP security specialist? Glad to have helped you anyway! :wave:

...and here was me just thinking that he was just an idiot *tuts* :rolleyes:

Jake01
05-01-2006, 21:25
Originally posted by venger
...and here was me just thinking that he was just an idiot *tuts* :rolleyes:

Flamer.... and for no good reason.... grow up. :P

melthebell
05-01-2006, 21:27
yeah i just did 4 security updates, including that one, rebooted, and for some reason my puter and internet seems faster than before

coincidence? lol

Jake01
05-01-2006, 21:35
Originally posted by melthebell
yeah i just did 4 security updates, including that one, rebooted, and for some reason my puter and internet seems faster than before

coincidence? lol

Looked into it a bit more and did the microsoft updates myself and ditto.

Thanx Vidster. I am not an expert on putie security btw.

Longcol
05-01-2006, 21:44
Originally posted by Cyclone
Either way, my auto update just installed the Microsoft fix, so I guess they released it early.

What windows version have you people who downloaded the fix got?

I've just checked windows update and there's nothing new for windows 98.

BTW I got a spam e-mail yesterday purporting to come from Microsoft warning of this exploit with a link to download a "fix" (virus more like).

melthebell
05-01-2006, 21:45
XP more than likely, that's what I'm on

Ann*
05-01-2006, 22:00
I received this from ZD Net today, which might explain why there are no updates for Windows 98 or ME...
Microsoft pushes out Windows patch ahead of time
By Joris Evers, CNET News.com
Published on ZDNet News: January 5, 2006, 12:02 PM PT

Microsoft released a fix for a serious security vulnerability in Windows on Thursday, several days before the patch's scheduled delivery.

The company is breaking with its monthly patch cycle because it completed testing of the security update earlier than it anticipated, it said in a note on its Web site. "In addition, Microsoft is releasing the update early in response to strong customer sentiment that the release should be made available as soon as possible," the company said.

Security bulletin MS06-001, originally scheduled for Tuesday, is the first security bulletin of this year and fixes a vulnerability in the way Windows renders Windows Meta File images. The bug was discovered last week and is increasingly being used in what Microsoft calls "malicious and criminal attacks on computer users."

Critics had called for Microsoft to release the patch as soon as possible. With people unable to patch their systems, the flaw could provide an opportunity for cybercriminals to launch increasingly sophisticated attacks on users, they have said.

Some security experts, in an unusual move, even recommended that users apply a third-party patch developed by European programmer Ilfak Guilfanov.

Threat under control
Microsoft does not know of any widespread attacks on Windows users, but it urges customers to upgrade and deems the issue "critical."

"Although the attacks based on WMF are very real, and the exploitation and the threats are evolving on a very fast basis, our analysis is consistent that the infection rate is low to moderate," Debby Fry Wilson, a director in Microsoft's Security Response Center, said in an interview. "However, the threat is very real, and customers should take the action of deploying this update as soon as possible."

One security expert applauded Microsoft for releasing the fix early. "Everybody was hoping they would get the patch out before a major attack would start," said Mikko Hypponen, the chief research officer at security company F-Secure. "Now it looks like they are succeeding in doing just that. Well done."

Susan Bradley, network administrator at Tamiyasu, Smith, Horn and Braun, an accountancy firm in Fresno, Calif., said she plans to start testing the Microsoft patch now and deploy it Friday night. "Microsoft listened, and I could give them a hug for that," she said.

No fix for Windows 98, ME
Also on Thursday, Microsoft said that older versions of Windows are immune to the latest wave of attacks targeting the operating system.

While Windows 2000, Windows XP and Windows Server 2003 are vulnerable, Windows 98 and Windows Millennium Edition are not exposed to the same threats that exploit the WMF flaw, according to an update to a Microsoft security advisory on the issue.

Microsoft initially also listed the older versions of the operating system as equally vulnerable, but has now backpedalled on that, giving users of older Windows versions a reprieve.

"Although Windows 98, Windows 98 Second Edition and Windows Millennium Edition do contain the affected component, at this point in the investigation, an exploitable attack vector has not been identified that would yield a critical severity rating for these versions," the company said in its updated advisory.

The WMF code in the older versions of Windows isn't flawless, but the vulnerability is much harder to exploit, said Mike Reavey, an operations manager at the Microsoft Security Response Center.

"There are a lot of mitigating factors, a lot of initial user action," he said. "It is a much different attack. You may be eventually able to get to the code, but it certainly would not be on the level of critical."

Hypponen agreed. "Although the WMF bug is there (in the older versions), there's no known code at the moment to exploit it," he said.

In more bad news for vulnerable PCs, Microsoft warned of another way for attackers to use the flaw--via a malicious image embedded in a Microsoft Office document. The company previously said that an attack could only occur if a user visited a Web site containing a malicious image or opened such a file attached to an e-mail.

Because the issue is not deemed critical for Windows 98 and ME, Microsoft no longer plans to issue a security fix for these OSes. "Per the support life cycle of these versions, only vulnerabilities of critical severity would receive security updates," the company said.

Deavon
05-01-2006, 22:07
Originally posted by Ann_x
I received this from ZD Net today, which might explain why there are no updates for Windows 98 or ME...


If you get this malicious thing, will a standard virus scan find it?

(P.S - Ann_x, I've spent the last month knowing what the fear of peanut butter sticking to the roof of your mouth is called; and wondering where on earth I had picked that bit of information up... now I know!)

ToryCynic
05-01-2006, 22:08
Originally posted by Deavon
If you get this malicious thing, will a standard virus scan find it?

(P.S - Ann_x, I've spent the last month knowing what the fear of peanut butter sticking to the roof of your mouth is called; and wondering where on earth I had picked that bit of information up... now I know!)

Not necessarily - it has been known for some AV packages not to pick it up...


I trust Vidster, so I DLed it.

Anyway, back to UCAS and decimal answering....

Longcol
05-01-2006, 22:13
Thanks for that Ann_x :thumbsup:


I must get in to the habit of reading my e-mails from zdnet and silicon.com again instead of automatically deleting them.

Deavon
05-01-2006, 22:17
Originally posted by kentboy119
Not necessarily - it has been known for some AV packages not to pick it up...


I trust Vidster, so I DLed it.

Anyway, back to UCAS and decimal answering....

Yeah, I downloaded it as well Kb. Just that my laptop has been playing up all night and freezing on web pages. Almost certainly something not related, but I ran a virus scan just in case and found nothing.

Now I'm not sure if that is a good thing or not.

If I've downloaded the patch after catching the cold, will the hackers still be able to use it?

LellyBee
05-01-2006, 22:19
Originally posted by melthebell
yeah i just did 4 security updates, including that one, rebooted, and for some reason my puter and internet seems faster than before

coincidence? lol

Funny you should say that but I've just had the updates and my pc does seem to be running faster again :confused:

Jake01
05-01-2006, 22:20
Does anyone know why sometimes your cursor will jump back when you are typing and you start to write over what you have already written?.... I run xp and any help would be gratefully received. Is there a programme I can download to stop this?.... doesn't happen very often but damn annoying when it does.

ToryCynic
05-01-2006, 22:23
Originally posted by Jake01
Does anyone know why sometimes your cursor will jump back when you are typing and you start to write over what you have already written?.... I run xp and any help would be gratefully received. Is there a programme I can download to stop this?.... doesn't happen very often but damn annoying when it does.

Ah - sometimes 'insert' seems to come on, of its own accord...

What annoys me is when the cursor loses focus (prime example being in internet browsers [Gecko ones especially]), and it'll go back a page, as opposed to deleting something.

:)

Ginner
05-01-2006, 22:32
From Ann_X's ZDnet quote...
Because the issue is not deemed critical for Windows 98 and ME, Microsoft no longer plans to issue a security fix for these OSes. "Per the support life cycle of these versions, only vulnerabilities of critical severity would receive security updates," the company said.

Did some loooong overdue digging on MS's update site and saw that critical updates for ME, 98 & 98SE will end in June 2006.

Bugger.

I guess me and my fraternal friends in the "...smaller and the emerging markets.." had better get down PC World sharpish.

...or should that be Dell.

...or Bob McFudden's Computer Emporium in't village.

Think I saw a "nerd-off" (I like that phrase. :thumbsup: serapis) thread about this once...... off to Comp & Tech Chat.....

Ginner
05-01-2006, 23:40
And to add insult to injury I've now found that the Connect software for my g/f's new Sony MP3 Walkman isn't compatible with ME (leaving aside the fact that all the reviews reckon the Connect software is crap anyway).
:rolleyes:

Double bugger.

I'm a bit peeved that the only place I've found the system requirements for the Connect software is on the Readme doc on the bloody install disk. No mention on the Sony site. Arse.

"Errr, honeybun, do you fancy going halves on a new PC?"
"Why babe?"
"Cos your Xmas pressie won't work otherwise."

michael_v2
06-01-2006, 09:14
Originally posted by melthebell
yeah i just did 4 security updates, including that one, rebooted, and for some reason my puter and internet seems faster than before

coincidence? lol

I have just installed the official MS update, and my pc and 'net seem to be faster as well. wonder if this is coincidence as well. :shocked:

stars_gazing
06-01-2006, 11:26
I don't know if this is what everyone's talking about, but a friend of mine just sent me a link to the official Microsoft update for a patch, if anyone needs it:-

Microsoft Security Bulletin MS06-001
Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution (912919)
Microsoft security patch
http://www.microsoft.com/technet/security/Bulletin/MS06-001.mspx

stars_gazing
06-01-2006, 11:39
:o She also sent me this *massive* article from which I have copy & pasted the bits relevant to SF:-

- According to a test of a range of antivirus products published on Wednesday, Trend Micro was the only major antivirus vendor that failed to catch a number of malicious files that exploit the new Windows vulnerability.

- In the test, administered by independent testing organization AV-Test, 206 malicious files were pushed through virus shields from a number of vendors. Of the top three antivirus companies, Symantec and McAfee caught all bad files, while Trend Micro missed 63, according to the test results, which were e-mailed to CNET News.Com.
[For all the Norton haters; it does work <lol>]

For all of us who swear by AVG Free edition:-

- AV-Test also tested free antivirus products, including Clam AntiVirus and AVG. While Clam AntiVirus stopped all but one file, AVG let through 59 malicious files, according to the test.
:o

- Meanwhile, experts have warned that thousands of malicious Web sites as well as Trojan horses and at least one instant messaging worm that use the WMF flaw as a conduit have surfaced.

Apologies if it seems disjointed. Well, I'm off to load my PC with *every* anti-virus I can find...

fnkysknky
06-01-2006, 19:09
Originally posted by Deavon
Yeah, I downloaded it as well Kb. Just that my laptop has been playing up all night and freezing on web pages. Almost certainly something not related, but I ran a virus scan just in case and found nothing.

Now I'm not sure if that is a good thing or not.

If I've downloaded the patch after catching the cold, will the hackers still be able to use it?

If your machine was compromised before you patched it you have no idea as to whether anything else was installed or altered allowing remote access to an attacker or any number of other things. The only way you can be certain the machine is OK again is to wipe clean and reinstall the OS etc. Most people don't though and just rely on what they can see, i.e. if it's working OK then there's nothing wrong. Up to you :)

melthebell
06-01-2006, 19:11
Originally posted by stars_gazing
:o She also sent me this *massive* article from which I have copy & pasted the bits relevant to SF:-

- According to a test of a range of antivirus products published on Wednesday, Trend Micro was the only major antivirus vendor that failed to catch a number of malicious files that exploit the new Windows vulnerability.

- In the test, administered by independent testing organization AV-Test, 206 malicious files were pushed through virus shields from a number of vendors. Of the top three antivirus companies, Symantec and McAfee caught all bad files, while Trend Micro missed 63, according to the test results, which were e-mailed to CNET News.Com.
[For all the Norton haters; it does work <lol>]

For all of us who swear by AVG Free edition:-

- AV-Test also tested free antivirus products, including Clam AntiVirus and AVG. While Clam AntiVirus stopped all but one file, AVG let through 59 malicious files, according to the test.
:o

- Meanwhile, experts have warned that thousands of malicious Web sites as well as Trojan horses and at least one instant messaging worm that use the WMF flaw as a conduit have surfaced.

Apologies if it seems disjointed. Well, I'm off to load my PC with *every* anti-virus I can find...

Only use one AV, cos they don't like more than one running at once; you can get major problems.

tslogf74
06-01-2006, 19:31
Originally posted by nick2
This story has been going in the computer nerd world for about a year now, about somehow someone infecting an image with a virus, no-one I've spoken to, who are actually IT experts, thinks it's that desperately serious.

Oh cruel irony.

There was a hoax email as long ago as 1994 claiming that opening a JPEG could infect your computer. The IT-savvy types who regarded themselves as superior for not having fallen for this obvious fake have all looked a bit sheepish since the 2 real image rendering vulnerabilities emerged. First there was the JPEG overflow thing someone mentioned earlier - that emerged a couple of years ago, and now there's this.

tslogf74
06-01-2006, 19:33
Oh, and Longcol - Windows 98 is safe, for now.

Boy_In_A_Box
07-01-2006, 16:14
Should I download the first link you gave for the patch, then download the MS one when it comes out?

Or can I wait till the MS one comes out and download that?

I'm just a bit over-wary about downloading

BIAB

stars_gazing
07-01-2006, 16:17
True, lol - on my PC, they recognise each other as 'threats' :)
At least it's as safe as houses :clap:... Until the next worldwide outbreak... :suspect:

Originally posted by melthebell
Only use one AV, cos they don't like more than one running at once; you can get major problems.

Ann*
07-01-2006, 16:17
Originally posted by Boy_In_A_Box
Should I download the first link you gave for the patch, then download the MS one when it comes out?

Or can I wait till the MS one comes out and download that?

I'm just a bit over-wary about downloading

BIAB
The MS patch was released last Thursday....just go to Windows update and download it.

carcrash
07-01-2006, 16:29
Any chance of this affecting Macs?

ToryCynic
07-01-2006, 16:36
Originally posted by fnkysknky
If your machine was compromised before you patched it you have no idea as to whether anything else was installed or altered allowing remote access to an attacker or any number of other things. The only way you can be certain the machine is OK again is to wipe clean and reinstall the OS etc. Most people don't though and just rely on what they can see, i.e. if it's working OK then there's nothing wrong. Up to you :)

Hey F,

I'm a big fan of reformatting - I reformat every 6 months, usually religiously; I have all my data on a slave, so bookmarks, contacts and calendar only need updating.

I have the official one now.

ToryCynic
07-01-2006, 16:50
Originally posted by Deavon
Yeah, I downloaded it as well Kb. Just that my laptop has been playing up all night and freezing on web pages. Almost certainly something not related, but I ran a virus scan just in case and found nothing.

Now I'm not sure if that is a good thing or not.

If I've downloaded the patch after catching the cold, will the hackers still be able to use it?

Just read your unrelated (unrelated to this WMF thing) - run Spybot - Search & Destroy - see if it picks anything up...

:)

ToryCynic
07-01-2006, 16:50
Originally posted by carcrash
Any chance of this affecting Macs?

No - I read somewhere that only XP is affected.

:)

playman
07-01-2006, 20:57
We removed the patch after Microsoft released an official one earlier.
See http://isc.sans.org for details.

I went to download the patch and got the message above.
My comp just automatically installs updates.

Ann*
07-01-2006, 21:02
Originally posted by playman
My comp just automatically installs updates.

That doesn't mean that you can't go to Windows Update and install it manually!

Alex C.
08-01-2006, 04:41
Originally posted by vidster
This could affect every user on the internet (using a Windows based PC) and once again Microsoft are dragging their heels and won't release a patch for a week (what do they expect us to do, block all images? :loopy: ).

I didn't install the unofficial patch or disable the photo n' fax viewer, I just waited for the fix to come out for it to install - and I wouldn't recommend installing untested patches...

... there's a reason it takes Microsoft a week to release a patch like this - they have to make sure it won't open up wider vulnerabilities or create more problems in the process

But just use Firefox and common sense and you'll be fine :-)

Longcol
08-01-2006, 11:19
Originally posted by tslogf74
Oh, and Longcol - Windows 98 is safe, for now.

Thank you.:thumbsup:

fnkysknky
08-01-2006, 11:42
Originally posted by Alex C.
I didn't install the unofficial patch or disable the photo n' fax viewer, I just waited for the fix to come out for it to install - and I wouldn't recommend installing untested patches...

... there's a reason it takes Microsoft a week to release a patch like this - they have to make sure it won't open up wider vulnerabilities or create more problems in the process

But just use Firefox and common sense and you'll be fine :-)

The unofficial patch was tested by a large group of people including SANS. The reason Microsoft take longer is that as well as testing it has to be localised for all versions of Windows and then shoehorned into the update cycle. Just because MS have tested something doesn't mean it will work anyway - they've released patches on numerous occasions that have broken more than they've fixed.

wendygs
09-01-2006, 09:42
I don't know if this is at all relevant but I've just tried to install some new Microsoft security updates and got the following installation errors from Microsoft's Updates website:
Error Code: 0x80200010
Error Code: 0x530
What is going wrong?

sccsux
13-01-2006, 14:55
Anybody else heard/read Steve Gibson's take on the WMF "vulnerability"?

Transcript of podcast here (http://www.grc.com/sn/SN-022.htm).


He (SG) seems to think that this (WMF exploit) is a backdoor put in by somebody within MS (or rogue programmer)..

Ginner
13-01-2006, 21:22
Hadn't heard of Steve Gibson before. Had to look him up, and found this. (http://www.grc.com/sn/notes-020.htm)

Looks like GRC are going to produce a WMF exploit fix for ME/98.