
Exploit Released for Unpatched Windows Flaw

samzenpus posted more than 8 years ago | from the patch-it dept.


woodchuck writes "Washington Post reports that another Windows hole has been found and exploit code is now running loose that makes swiss cheese of current patches and security measures. From the article: "Security researchers have released instructions for exploiting a previously unknown security hole in Windows XP and Windows 2003 Web Server with all of the latest patches applied. Anti-virus company Symantec warned of the new exploit, which it said uses a vulnerability in the way Windows computers process certain image files (Windows Meta Files, or those ending in .wmf). Symantec said the exploit is designed to download and run a program from the Web that downloads several malicious files, including tools that attackers could use to control vulnerable computers via IRC.""


386 comments


OMG! (-1, Redundant)

McGiraf (196030) | more than 8 years ago | (#14355179)

OMG!

They call hackers researchers now? (1, Insightful)

Anonymous Coward | more than 8 years ago | (#14355180)

So they're researchers now? I'm sorry, but I have to disagree, they are computer hackers.

Re:They call hackers researchers now? (5, Informative)

dorkygeek (898295) | more than 8 years ago | (#14355199)

They're not hackers, they are crackers. Or intruders. Or black hats. Or fucking idiots. But not hackers. Linus Torvalds is a hacker. Alan Cox is one, and RMS definitely. Maybe even ESR.

Thank you.

Re:They call hackers researchers now? (2, Funny)

slavemowgli (585321) | more than 8 years ago | (#14355243)

ESR is not a hacker... he's a nut. :)

Re:They call hackers researchers now? (0)

Anonymous Coward | more than 8 years ago | (#14355278)

Re:They call hackers researchers now? (1, Funny)

Anonymous Coward | more than 8 years ago | (#14355250)

They're not hackers, they are crackers.

Nice...racist. And I suppose that if they were black, it wouldn't be okay to call them niggers.

mod parent up!! ^ (0)

Anonymous Coward | more than 8 years ago | (#14355284)

lmao, mod parent up!

Re:They call hackers researchers now? (1)

Mr Thinly Sliced (73041) | more than 8 years ago | (#14355316)

Hahaha I just pissed my pants.

Happy New Year Microsoft!

Re:They call hackers researchers now? (5, Insightful)

GaryPatterson (852699) | more than 8 years ago | (#14355273)

You're fighting a lost battle there. The common understanding of the word 'hacker' now implies criminal behaviour.

The whole 'white hat' and 'black hat' thing never made it to the media, so all hackers are 'black hats' now.

Re:They call hackers researchers now? (0)

Anonymous Coward | more than 8 years ago | (#14355282)

in soviet russia, media makes you

Re:They call hackers researchers now? (1)

liquidpele (663430) | more than 8 years ago | (#14355325)

yep... people like Linus are now called "gurus"
Damn office jargon...

Re:They call hackers researchers now? (3, Insightful)

Anonymous Coward | more than 8 years ago | (#14355290)

They can be called "hackers" all right. While I know that you and a handful of other language fascists would like to change how the rest of the world uses their language, it's a fact that "hacker" now means (in addition to the definition you want it to have -- there's nothing wrong about a word having several meanings which become apparent upon reflecting on the context in which they are used) what you mean by "cracker". What they can't be called is "researchers". Publishing a vulnerability can be considered research, POC code is highly doubtful in most cases, and a full-fledged app starting shit up connecting to an IRC server is just plain maliciousness. Thus, hacker or cracker -- take your pick. But researchers they ain't.

Submitter, stop helping these people feel legitimate. The parent poster and I agree on one thing: they're just assholes.

Re:They call hackers researchers now? (5, Informative)

ninja_assault_kitten (883141) | more than 8 years ago | (#14355305)

The exploit was published by HD Moore after reverse engineering some malware. HD Moore is absolutely a very prominent researcher and hacker. Secondly the person(s) who discovered the vulnerability and wrote the initial malware to exploit it are also hackers. Even by the historical definition. Intent has no bearing on the term. Skill does. And you can't tell me discovering a 0day affecting any MS platform doesn't require skill. There are tens of thousands of researchers out there right now who can't.

Re:They call hackers researchers now? (0)

Anonymous Coward | more than 8 years ago | (#14355326)

not everybody is an asperger bin baby that needs everything to fit into neat tidy categories

the general population is quite capable of overloading word definitions and parsing the precise meaning from the context

Re:They call hackers researchers now? (0)

Anonymous Coward | more than 8 years ago | (#14355472)

I lol'd at your riposte!

Re:They call hackers researchers now? (1)

dorkygeek (898295) | more than 8 years ago | (#14355499)

the general population is quite capable of overloading word definitions and parsing the precise meaning from the context
No, it is not. What do you think would happen if I said in public I'd be a hacker. What do you think would my mother think about me then? OMG, my son's a criminal. No, I'm not!

Re:They call hackers researchers now? (2, Interesting)

hugzz (712021) | more than 8 years ago | (#14355346)

They're not hackers, they are crackers. Or intruders. Or black hats. Or fucking idiots. But not hackers. Linus Torvalds is a hacker. Alan Cox is one, and RMS definitely. Maybe even ESR.

Crackers are hackers*. You can't crack someone's system without being very skilled in toying with technology (ie a hacker).

However, hackers aren't necessarily (or usually) crackers.

*This excludes script kiddies et al, since they don't crack someone's system really. They just run someone else's crack.

Re:They call hackers researchers now? (1)

jack_csk (644290) | more than 8 years ago | (#14355358)

You are redefining hackers, just like those clueless (and hopeless) people who called all the attackers hackers.
I'm sure the rest of us can tell the difference between black hats, grey hats, and white hats (some people argue that purely white hat does not exist), as well as crackers, and clueless scriptkiddies.
Whoever modded the parent informative is actually quite un-informative.

Re:They call hackers researchers now? (1)

dorkygeek (898295) | more than 8 years ago | (#14355552)

You are redefining hackers, just like those clueless (and hopeless) people who called all the attackers hackers.
Ok, then tell me where exactly I redefine hackers?? When the term hacker was first used, it did not have the connotation of being malevolent, trying to harm other people. It was used for individuals who were extremely skilled in some area, or came up with ideas others weren't thinking about.

It was only later when the media started to pay attention to computer related threats. Assholes as these malevolent people were, they called themselves hackers, because they wanted to show off as people who were skilled. The media then quickly embraced the term because it sounded cool and a new term for a new phenomenon is fancy, and started to use it for all black hat people.

Re:They call hackers researchers now? (5, Informative)

Anonymous Coward | more than 8 years ago | (#14355368)

They're not hackers, they are crackers.

UUuummm no. Ever since the 1980's underground scene the word cracker has referred to a person who breaks the protection on copyrighted software. It was that way for years until that ruddy faced blowhard "ESR" decided to start using the term "cracker" as a synonym for "computer criminal."

Talk about hypocrisy. ESR gets all pissed about the media misusing the word hacker so he turns around and starts misusing the word cracker. And because of his position as editor of "The Jargon File" he has influenced the web culture (newbies at least) that the word cracker is synonymous with cybercriminal even though anyone who was in the pirate scene back in the eighties can tell you that a cracker was by the following DEFINITION:

"Software cracking is the modification of software to remove encoded copy prevention. Distribution of cracked software (warez) is generally an illegal (or more recently, criminal) act of copyright infringement. Software cracking is most often done by software reverse engineering."

Re:They call hackers researchers now? (1)

ichin4 (878990) | more than 8 years ago | (#14355379)

This post is pure flamebait. You understood perfectly well what the writer meant by "hacker", and so did everyone else. You also understand perfectly well that one very commonly used definition of "hacker" is "a person who makes unauthorized use of another's computer". And the author probably understands perfectly well that there is another definition of "hacker" that means "a clever and dedicated programmer", although that happens not to be the one he employed. Lots of words have multiple definitions. Your objection is pure posturing and does no one any good.

Re:They call hackers researchers now? (1)

Ucklak (755284) | more than 8 years ago | (#14355454)

Bill Gates is a hacker too.
He dropped out of college and programmed what he did with no training (before he started to buy programmers).
A hacker is an untrained person that has professional skills that profess in a certain area that should have taken them years, education, and experience to receive. They could also be enthusiastic about a diversion (music, sports, computing).

It could be music, sports, computers, driving, etc...

There are plenty of sport hacks and musician hacks. You hear it a lot in music especially in piano and solo instruments.

It's kind of sad how the computer revolution has turned this word into implying something malicious.

Re:They call hackers researchers now? (1, Insightful)

Anonymous Coward | more than 8 years ago | (#14355332)

That this comment is modded -1, Troll shows how extremely intolerant Slashdot has become to dissenting views. It's funny that a community which is supposed to be so strongly against censorship is so quick to remove anyone who has a contrary opinion from view.

I agree with the parent. A researcher may perhaps publish code to prove that the exploit work, but no serious researcher writes a whole app that connects to an IRC server only as proof of concept. That is not research, it's clear malicious intent.

Moderator, if your beef is with the parent's use of the word hacker: just grow the fuck up. You and ESR aren't going to be able to police the whole world's use of language anyway, so just give up already.

As for people (as one doofus who replied to this post apparently does) who think hackers should be called crackers -- what do you propose people who break copy protection should be referred to as then? You hack into a system, you crack a protection mechanism. If you people would have it your way, the scene would become very confusing very quickly.

Let people use those words however they want to, mmkay? If you don't like it, run home to mommy and cry if you want to, but stop using this forum to whine about it everytime someone doesn't use your non-standard definition of a word in common use.

Other platforms? (0, Redundant)

bigberk (547360) | more than 8 years ago | (#14355186)

What other platforms does this affect? Is the problem something in the windows kernel?

Re:Other platforms? (3, Interesting)

ninja_assault_kitten (883141) | more than 8 years ago | (#14355272)

No, it's a buffer overload in Windows Picture and Fax Viewer.

Re:Other platforms? (0)

Anonymous Coward | more than 8 years ago | (#14355355)

so you can only get infected if you download and open an image? or does windows use this code to draw all images?

Re:Other platforms? (0)

Anonymous Coward | more than 8 years ago | (#14355425)

No, it is an integer overflow in GDI32.DLL.

Cheers,
Eric

No kernel problem, but Windows only (3, Interesting)

Sycraft-fu (314770) | more than 8 years ago | (#14355304)

It's a Windows only format, or at least seems to be. I don't find any references of ports to other platforms. It's an old format for doing vector graphics in Windows 3.1.

Re:No kernel problem, but Windows only (2, Interesting)

AEton (654737) | more than 8 years ago | (#14355457)

It may be unfashionable, but I still rely on a clip art CD set that comes in WMF.

(Illustrator CS2 on OS X opens the things just fine.)

Re:No kernel problem, but Windows only (1)

whitehatlurker (867714) | more than 8 years ago | (#14355512)

There is an OpenSource [sourceforge.net] project which uses WMF. WMF is still the default format for a lot of graphics transfer under Windows.

I don't think libwmf is vulnerable though.

Easy workaround to avoid the exploit (4, Informative)

kawika (87069) | more than 8 years ago | (#14355190)

Unregister the dll that provides WMF viewing. Click Start, Run, and enter this:

    REGSVR32 /U SHIMGVW.DLL

Sunbelt has more detail here [blogspot.com] .

Re:Easy workaround to avoid the exploit (3, Informative)

LiquidCoooled (634315) | more than 8 years ago | (#14355229)

To add to this, the exploit may be in more than one image file viewer, it could be a common handling problem with WMF files in Windows.
If you can remove ALL associations to the fileformat (at least until the extent is known) this would be beneficial.

Users of webbrowsers (all) must be careful when saving image files of type WMF.
Once saved on your computer the associated image viewer is used to display the file.

Take care with IM and email attachments as well, because this is another possible vector.

Breaks thumbnails and Windows Picture Viewer (2, Interesting)

bogie (31020) | more than 8 years ago | (#14355426)

So I'm kind of curious why he states "though I have used the hack on my machine and haven't had any problems yet. " since it breaks basic XP functionality.

Anyway, losing thumbnails and that program is IMHO a very minor price to pay for not having your machine rooted. So just make sure and warn others before you tell them to use this temporary workaround.

I wonder how long we will have to wait for MS to fix this one? Oh well, more money for me if they don't.

how long? (2, Insightful)

Anonymous Coward | more than 8 years ago | (#14355192)

before MS starts using less-quick security patches as the reason to move from XP to vista?

The Fix (1, Informative)

Anonymous Coward | more than 8 years ago | (#14355193)

The important line filtered from the article, the fix:

"regsvr32 /u shimgvw.dll"

Virus company (0)

Anonymous Coward | more than 8 years ago | (#14355196)

I should RTFA but the virus companies let this one loose? How much information should they be able to release before their best intentions are corrupted by trojan coders.

Re:Virus company (3, Interesting)

BushCheney08 (917605) | more than 8 years ago | (#14355204)

From what I read about this earlier (sorry, don't have the link), this exploit was already in the wild and was being used before any of the security companies learned of it. So no, the AV companies did not "let this one loose".

Re:Virus company (1)

k00110 (932544) | more than 8 years ago | (#14355391)

Security companies are useless if they can't protect us. First the Sony Root Kit and now this in a short period of time. I wonder what else we probably got and don't know about. Their attitude is to be questioned, they are waiting for people to report viruses/trojans. What they should do is put up some "ghost dormant computers" around the net and check if they get infected in any way. They should also browse porn/warez sites more often ;-)

Upside. (5, Funny)

grub (11606) | more than 8 years ago | (#14355208)


With Vista you'll be able to get this from the comfort of an RSS feed!

Fix from article (5, Informative)

Rangsk (681047) | more than 8 years ago | (#14355211)

Here is the fix, from the linked article in case you DNRTFA:

----
According to iDefense, Windows users can disable the rendering of WMF files using the following hack:

1. Click on the Start button on the taskbar.
2. Click on Run...
3. Type "regsvr32 /u shimgvw.dll" to disable.
4. Click ok when the change dialog appears.

iDefense notes that this workaround may interfere with certain thumbnail images loading correctly, though I have used the hack on my machine and haven't had any problems yet. The company notes that once Microsoft issues a patch, the WMF feature may be enabled again by entering the command "regsvr32 shimgvw.dll" in step three above.
----

I'm not sure if you need to type this every reboot, or just once. Since it requires re-enabling, I'm hoping it's just once.

Only once (0)

Anonymous Coward | more than 8 years ago | (#14355280)

it's a COM dll

Re:Fix from article (4, Informative)

CargoCultCoder (228910) | more than 8 years ago | (#14355406)

I'm not sure if you need to type this every reboot, or just once. Since it requires re-enabling, I'm hoping it's just once.

regsvr32 registers a COM/ActiveX "server" by modifying Windows registry entries. So, in theory, you need only run it once.

It is possible, however, that if you later install other software, the installer may re-register the DLL in question, in which case you'd want to manually unregister it again.

(Hmm. I suppose it's only coincidence that this novel approach [thedailywtf.com] to registering appeared on thedailywtf yesterday...)

Re:Fix from article (1)

dtfinch (661405) | more than 8 years ago | (#14355543)

I'm pretty sure that disabling shimgvw.dll will disable more than WMF rendering.

so what else is new? (0, Troll)

EllynGeek (824747) | more than 8 years ago | (#14355214)

Trusted Computing in action. Yes, secuarity is Job One in Redmond. Well done, doodz!

Re:so what else is new? (1)

atari2600 (545988) | more than 8 years ago | (#14355241)

Actually it's security and they are trying. Go ahead and mod me down as flamebait but nothing is more ironic than "experts", who cannot spell security, ridiculing another organisation for failing to be more secure.

Re:so what else is new? (2, Informative)

jp10558 (748604) | more than 8 years ago | (#14355268)

Also watch out for Google desktop search, as that caused a downloaded file to be run and exploited the machine.

Kye-U also has released a filter for proxomitron that will block wmf file downloads:

[HTTP headers]
In = FALSE
Out = TRUE
Key = "URL-Killer: Kill WMF Connection [Kye-U] (Out)"
URL = "(^*=(^http://./^([a-z]+{2,4})(^/))))*.wmf(*)\1$TST(\1=(^/))"
Match = "*&($CONFIRM(.WMF FILE EXTENSION FOUND\n\nAllow connection to the URL below?\n\n\u\n\1)|$SET(1=URL with .WMF Extension Killed\k))"
Replace = "\1"

[Patterns]
Name = "Kill .WMF [Kye-U]"
Active = TRUE
Bounds = ""
Limit = 256
Match = "*.wmf*"
Replace = "$ALERT(.WMF Extension Killed on:\n\n\u)"

Re:so what else is new? (1)

EllynGeek (824747) | more than 8 years ago | (#14355276)

Secuarity is absolutely the correct spelling, because Microsoft knows squat about security. Just like you know nothing about irony. But that's all right, I don't like you anyway.

Re:so what else is new? (0)

Anonymous Coward | more than 8 years ago | (#14355387)

OK, let's start counting the things that are wrong with your post here.

Secuarity is absolutely the correct spelling, because Microsoft knows squat about security.

Ridiculous blanket statement with no backing. Microsoft spends millions on security and releases patches faster than most other companies. The problem is mainly that people don't apply them. Every single large virus outbreak: Nimda, Code Red, Blaster -- you name it, already had patches out.

Would you like to qualify what it is MS does so badly nowadays when it comes to security? Would you like to explain how you came to know that they don't know anything about it? No? Then just shut the fuck up, mmkay?

Also, if you can't spell, at least have the decency to admit you made a mistake instead of just digging the hole you've got yourself into even deeper.

Just like you know nothing about irony.

First of all, irony rarely impresses anybody above second grade. Secondly, the parent poster quite obviously understood that your post was ironic, as he replied defending MS. Third, the only possible reason to be ironic anyway is to somehow be amusing. Your initial post was just plain stupid (if nothing else, it clearly demonstrates that you have absolutely no idea what "Trusted Computing" is and how it relates to the security flaws of today), and not funny in any way.

But that's all right, I don't like you anyway.

The parent poster replied to you in a calm, sensible matter, disputing a point you made. He tried to have a civil conversation with you. Because of this, you don't like him? I wish I was as calm headed as he, but alas, I am not. People like you just piss me the fuck off.

You got a user ID that tells me you've been here for at most a year, you obviously know nothing about anything you're talking about, and you have no sense of humor. And you have the guts to lecture someone who actually has a point?

Just go fuck yourself, ok? Please, please, please do. Then go hide under a rock. Then die. We have a bunch of clones of people like you here anyway, so even the retards who find posts like yours insightful or amusing will still have plenty to read. /end rant.

Amazing (1)

k00110 (932544) | more than 8 years ago | (#14355218)

I read the article and realized it's the same trojan I got like 1 week ago. The first thing I did was a good old format. When stuff gets messed up, there is nothing better than a good old format. Now realizing they say they don't have a fix yet, I assume I did the right thing quickly.

Re:Amazing (0)

Anonymous Coward | more than 8 years ago | (#14355237)

why reformat? it would save you a lot of time if you just removed it yourself.

Re:Amazing (2, Interesting)

k00110 (932544) | more than 8 years ago | (#14355264)

Because we never know what else can be installed and I lost all trust in security companies since the Sony Root Kit. Removing it myself implies searching for info over the internet and it's not a good idea to browse the web when your computer is compromised. I had nothing important installed so it didn't matter. I had a new OS installed in a few minutes after that with ZoneAlarm and AVG (both free) and all the latest patches. I also just did the "REGSVR32 /U SHIMGVW.DLL" to not be infected again.

Re:Amazing (0, Troll)

Mr Thinly Sliced (73041) | more than 8 years ago | (#14355357)

Dude, you are clearly new here.

Stop by at the entrance, pick our free magazine 'Razzle', and just format that baby. Linux man. Then you can join us.

Re:Amazing (0, Troll)

FudRucker (866063) | more than 8 years ago | (#14355435)

if you format and re-install after every vulnerability that gets posted in the media you will wear out your PC just re-installing that --MS-Win-kludge, I suggest you learn to live without MS-Windows and give GNU/Linux or FreeBSD a spin, and actually take the time to learn it and not give up after half a day...

Re:Amazing (0)

Anonymous Coward | more than 8 years ago | (#14355551)

are you retarded? I SAID ARE YOU RETARDED!?

trojan infection -> reinstall

security alert -> patch or work around

apple drop -> apple fall

you as a baby -> head hits ground after your momma drops you

Broadband Reports' Security Forum Thread... (4, Informative)

antdude (79039) | more than 8 years ago | (#14355219)

Also, read Broadband Reports' security forum thread [broadbandreports.com] for discussions and what people observed.

Re:Broadband Reports' Security Forum Thread... (2, Interesting)

TubeSteak (669689) | more than 8 years ago | (#14355451)

I got tagged by a trojan using the same exploit on IRC.

I downloaded the wmf file to my desktop, but accidentally double clicked it when I was trying to submit it to trendmicro

I closed the connection with TCP View [sysinternals.com] , but it took out explorer.exe with it.

This is much worse than potential spyware, this exploit is silent and can easily be used to drop keyloggers, or in my case, it opened up a shell back to the guy i was chatting with.

(btw - I knew it was a trojan when i downloaded it)

Re:Broadband Reports' Security Forum Thread... (1)

antdude (79039) | more than 8 years ago | (#14355484)

Ouch! You should post in Broadband Reports' forum thread about this. I don't think anyone has mentioned this.

Just checking... (1, Insightful)

sootman (158191) | more than 8 years ago | (#14355231)

... there has not yet been a real, severe, in-the-wild exploit (like Sasser) since XP SP2, right? I hate to admit it as much as the next guy, but MS has been pretty tight for a while--unless there's something I've missed. Have I?

Re:Just checking... (-1, Flamebait)

Anonymous Coward | more than 8 years ago | (#14355244)

"I hate to admit it as much as the next guy"

Give it a rest clown.

Re:Just checking... (2, Insightful)

Anonymous Squonk (128339) | more than 8 years ago | (#14355275)

If 100 security flaws exist but are never found, does this still make the OS tight?

If even only one unpatched security flaw exists, an OS should never be called "pretty tight". This flaw has always been there, even if it has only been exploited just now...

Re:Just checking... (2)

NaruVonWilkins (844204) | more than 8 years ago | (#14355448)

Give me a break. There are thousands of unpatched flaws in every OS on the market, they just haven't been found yet. So yes, if 100 security flaws exist but are never found, it does make the OS tight.

Not Previously Unknown (1, Informative)

Trick (3648) | more than 8 years ago | (#14355233)

This is hardly a "previously unknown security hole." In fact, MS released a patch for it two weeks ago.

The exploit's new, but the vulnerability has been known for a while and is only still around because the patch doesn't work.

Re:Not Previously Unknown (3, Informative)

ninja_assault_kitten (883141) | more than 8 years ago | (#14355255)

Actually that's not true at all. This vulnerability was discovered by some analysis HD Moore performed on a spyware infection which broke through a completely patched XP SP2 system a couple days ago. It was reverse engineered and made into a Metasploit plugin. Get your facts straight.

Re:Not Previously Unknown (0, Troll)

Trick (3648) | more than 8 years ago | (#14355338)

From November 8th: http://www.securityfocus.com/bid/15352 [securityfocus.com]

New metasploit plugin = new exploit
New metasploit plugin != new vulnerability

Re:Not Previously Unknown (4, Informative)

Martin Blank (154261) | more than 8 years ago | (#14355494)

It's completely new. The WMF patch released before does not protect against this exploit.

http://www.securityfocus.com/bid/16074 [securityfocus.com]

Re:Not Previously Unknown (4, Informative)

Anonymous Coward | more than 8 years ago | (#14355513)

MS has released a patch for it...

so that explains why fully patched systems are still vulnerable, yes?

I guess you are really not doing your research. Read the Sunbelt article:
http://sunbeltblog.blogspot.com/2005/12/new-exploit-blows-by-fully-patched.html [blogspot.com]

particular where it says: "We saw a new nasty exploit yesterday around 5:00 PM. This is a totally new exploit and is not the same one posted by FrSIRT back on 11/30/05."

The previous one they referred to is here:
http://www.frsirt.com/exploits/20051130.MS05-053.c.php [frsirt.com]

Microsoft Windows Metafile (WMF) "mtNoObjects" Header Remote Exploit (MS05-053)
Date : 30/11/2005

Advisory ID : FrSIRT/ADV-2005-2348
Rated as : Critical
Note : Proof of concept exploit (DoS) /*
* Author: Winny Thomas
* Pune, INDIA
*
* The crafted metafile (WMF) from this code when viewed in explorer crashes it.
* The issue is seen when the field 'mtNoObjects' in the Metafile header is set to 0x0000.
* The code was tested on Windows 2000 server SP4. The issue does not occur with the
* hotfix for GDI (MS05-053) installed.

This is the one that has been patched by Microsoft.

I guess you thought it's just not possible for there to be more than one hole per rendering engine, right?
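As an added example (not code from the page, from FrSIRT, or from Microsoft), here is the kind of header check a loader could do before trusting any size field in a metafile. It reads the 18-byte standard METAHEADER using the field names that appear in the PoC above, refuses the zeroed mtNoObjects the PoC describes, checks mtSize against the bytes actually received, and walks the record stream so that no record length can point past the end of the file. The function and status names are mine; the sample bytes are constructed here, not taken from the PoC.

```c
/* Added example, not code from the page, FrSIRT or Microsoft: a strict check
 * of the 18-byte WMF METAHEADER and its record stream, done before any size
 * field is trusted. Function and status names are mine. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define WMF_HEADER_BYTES 18 /* mtHeaderSize == 9 words */

enum wmf_status {
    WMF_OK = 0,
    WMF_TOO_SHORT,       /* not even a full header */
    WMF_BAD_TYPE,        /* mtType must be 1 (memory) or 2 (disk) */
    WMF_BAD_HEADER_SIZE, /* mtHeaderSize must be 9 */
    WMF_ZERO_OBJECTS,    /* mtNoObjects == 0, the value the MS05-053 PoC sets */
    WMF_SIZE_MISMATCH,   /* mtSize (words) disagrees with the bytes we hold */
    WMF_BAD_RECORD       /* a record length that lies, or no META_EOF */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Validate buf[0..len) as a standard (non-placeable) WMF; on success
 * *records_out is the record count up to and including META_EOF. */
enum wmf_status wmf_validate(const uint8_t *buf, size_t len, unsigned *records_out)
{
    if (len < WMF_HEADER_BYTES) return WMF_TOO_SHORT;
    uint16_t mtType       = rd16(buf + 0);
    uint16_t mtHeaderSize = rd16(buf + 2);  /* mtVersion sits at +4 */
    uint32_t mtSize       = rd32(buf + 6);  /* whole file, in 16-bit words */
    uint16_t mtNoObjects  = rd16(buf + 10);
    uint32_t mtMaxRecord  = rd32(buf + 12); /* largest record, in words */

    if (mtType != 1 && mtType != 2)           return WMF_BAD_TYPE;
    if (mtHeaderSize != WMF_HEADER_BYTES / 2) return WMF_BAD_HEADER_SIZE;
    /* Strict: refuse a zero-entry object table outright. This also refuses a
     * conforming file that never creates a pen or brush; relax if unwanted. */
    if (mtNoObjects == 0)                     return WMF_ZERO_OBJECTS;
    /* mtSize is data from the file: compare it with what was actually read. */
    if ((uint64_t)mtSize * 2 != len)          return WMF_SIZE_MISMATCH;
    if ((uint64_t)mtMaxRecord * 2 > len - WMF_HEADER_BYTES) return WMF_BAD_RECORD;

    size_t off = WMF_HEADER_BYTES;
    unsigned n = 0;
    for (;;) {
        if (len - off < 6) return WMF_BAD_RECORD;  /* rdSize(4) + rdFunction(2) */
        uint32_t rdSize     = rd32(buf + off);     /* in words, includes itself */
        uint16_t rdFunction = rd16(buf + off + 4);
        if (rdSize < 3 || rdSize > mtMaxRecord) return WMF_BAD_RECORD;
        if ((uint64_t)rdSize * 2 > len - off)   return WMF_BAD_RECORD; /* past EOF */
        n++;
        if (rdFunction == 0x0000) {                /* META_EOF ends the stream */
            if (rdSize != 3 || off + 6 != len) return WMF_BAD_RECORD; /* trailing junk */
            break;
        }
        off += (size_t)rdSize * 2;  /* a stream with no META_EOF fails at the loop top */
    }
    if (records_out) *records_out = n;
    return WMF_OK;
}

/* Constructed sample (not from the PoC): a minimal metafile, header + META_EOF. */
static const uint8_t WMF_MINIMAL[24] = {
    0x01, 0x00,             /* mtType = 1 */
    0x09, 0x00,             /* mtHeaderSize = 9 words */
    0x00, 0x03,             /* mtVersion = 0x0300 */
    0x0C, 0x00, 0x00, 0x00, /* mtSize = 12 words = 24 bytes */
    0x01, 0x00,             /* mtNoObjects = 1 */
    0x03, 0x00, 0x00, 0x00, /* mtMaxRecord = 3 words */
    0x00, 0x00,             /* mtNoParameters (reserved) */
    0x03, 0x00, 0x00, 0x00, /* record: rdSize = 3 words */
    0x00, 0x00              /* rdFunction = META_EOF */
};

enum wmf_status wmf_demo_good(void)
{
    unsigned n = 0;
    enum wmf_status s = wmf_validate(WMF_MINIMAL, 24, &n);
    return (s == WMF_OK && n == 1) ? WMF_OK : WMF_BAD_RECORD;
}
enum wmf_status wmf_demo_zero_objects(void)     /* the PoC's trigger */
{
    uint8_t f[24]; memcpy(f, WMF_MINIMAL, 24);
    f[10] = 0x00; f[11] = 0x00;
    return wmf_validate(f, 24, NULL);
}
enum wmf_status wmf_demo_oversized_record(void) /* rdSize claims 0x7FFFFFFF words */
{
    uint8_t f[24]; memcpy(f, WMF_MINIMAL, 24);
    f[18] = 0xFF; f[19] = 0xFF; f[20] = 0xFF; f[21] = 0x7F;
    return wmf_validate(f, 24, NULL);
}
enum wmf_status wmf_demo_truncated(void)        /* only 20 of the 24 bytes arrived */
{
    return wmf_validate(WMF_MINIMAL, 20, NULL);
}
```

The three damaged copies show the checks that matter: the zeroed object count is refused before anything is allocated from it, a record whose size field lies is refused before a single byte of it is copied, and a short download is refused even though its header is intact. The strict mtNoObjects check is a trade-off (it also rejects a conforming file that creates no pens or brushes), so drop it if you only want the record-length checks.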

I'd feign surprise if I felt it was worth it... (0)

Anonymous Coward | more than 8 years ago | (#14355240)

Yet another issue from our favourite OS. I really just wish they'd sit down, hack-attack the crap out of their os and not release it until it was reasonably safe. Other companies do the same with their product and are held liable if they don't, I think this should be implemented (to a reasonable point) with Operating Systems.

Here's to hoping for improvements with the next version...

Re:I'd feign surprise if I felt it was worth it... (3, Informative)

mumblestheclown (569987) | more than 8 years ago | (#14355388)

Your argument basically is that:
  • computer systems should not be released until they pass some theoretical threshold of security
  • and if the above is not done, then the authors of said systems shall be held (financially? criminally?) liable.
In other words, you have just basically killed off free (both as in beer and as in speech) software as we know it.

Not to mention the fact that we're talking about an exploit in an older DLL that has gone unnoticed for years. Exactly how many years until your theoretical notion of "reasonably" safe is met? If you don't think (OS of your choice) has similar weaknesses, you are deluding yourself. And so what if it 'affects only one user, not the whole system?' To that user, that IS his world.

Re:I'd feign surprise if I felt it was worth it... (0)

Anonymous Coward | more than 8 years ago | (#14355455)

I really just wish they'd sit down, hack-attack the crap out of their os and not release it until it was reasonably safe.

Unfortunately that is not the accepted business practice with most software vendors. The idea is to get software out the door as fast as possible and let the public find the bugs for you.

And put in a click through EULA that releases the company from any liability whatsoever.

In other news... (3, Funny)

guruevi (827432) | more than 8 years ago | (#14355245)

Microsoft said in its late-night response on New Year's Day that a patch is being made, the flaw is not critical since no-one actually uses WMF and the rest who do use them never should surf to porn and warez sites anyway. A patch will be available in Windows Shoehorn.

Re:In other news... (0, Troll)

circusfire (927644) | more than 8 years ago | (#14355433)

"the flaw is not critical since no-one actually uses WMF"

Microsoft did have the audacity to make this statement! I am looking forward to the day when they make a press release "these flaws were never critical since no-one actually uses Windows"

Scary. (5, Funny)

Anonymous Coward | more than 8 years ago | (#14355254)

Surfing for porn with IE on Windows is like having unprotected anal sex with everybody on the internet.

Re:Scary. (1)

k00110 (932544) | more than 8 years ago | (#14355403)

You can get it with Firefox too.

Re:Scary. (0)

Anonymous Coward | more than 8 years ago | (#14355506)

Not by default with the current shipping version.

This is a Windows flaw. And since IE=Windows and Windows=IE the grandparent's statement is pretty much accurate. You would be freaking nuts to use IE to surf anything but well known sites like cnet.com etc.

Re:Scary. (1, Flamebait)

HermanAB (661181) | more than 8 years ago | (#14355507)

No, you cannot get infected with FF. On Exploder, it is a true worm that installs automatically without user intervention. On Firefox, you have to click a button to allow the site to install the crapware. Granted, 99.999% of Windoze Doodz will probably click it, but at that point the browser has washed its hands of the problem and you cannot blame Firefox for user schtoopidity.

Re:Scary. (1)

squishybit (927776) | more than 8 years ago | (#14355422)

...as it were.

Re:Scary. (0)

Anonymous Coward | more than 8 years ago | (#14355511)

At least I can finally get laid...oh wait.

And the word I had to type in to validate this post is :

lustful

Can't beat that.

How/Why does this keep happening (3, Interesting)

Anonymous Coward | more than 8 years ago | (#14355313)

Can someone explain to me exactly how an image viewer program running on my client computer can be made to execute code? Honestly, I don't really understand these exploits that supposedly take advantage of a client buffer overflow (or some such thing) to execute code on my local machine. What makes the instruction pointer in the code that is reading (in this case) the wmf file suddenly jump to code that is in the data segment? (Presumably embedded in the wmf file itself).

Re:How/Why does this keep happening (4, Insightful)

HermanAB (661181) | more than 8 years ago | (#14355526)

It is a carefully crafted buffer overflow in the stack causing a return address to be overwritten. A subroutine return instruction then jumps to the exploit code, instead of the parent routine. This is an old trick to implement dynamic jump tables, exploited for malicious purposes.

But ... (0)

Anonymous Coward | more than 8 years ago | (#14355365)

What the media and fanboys once again gloss over is that you have to actually be browsing sites with the INTENT to infiltrate your pc.

99% of the internet isn't "After You".

With SP2 and the big push for really making Automatic Update "automatic", Microsoft have secured the PC of the average user with average browsing habits.

If you're part of the sweet F.A. that is browsing sites which actually DO have the intent to compromise your pc, you should be employing far more security than just 'an operating system', regardless of which.

Re:But ... (4, Informative)

HermanAB (661181) | more than 8 years ago | (#14355548)

No, you just have to visit a porn site with Internet Exploder to get automatically infected by this worm. It doesn't require any user action, apart from clicking links in normal browsing.

If you are using Firefox, then what you say is true, since FF requires the user to confirm that he really wants to run the malicious program, so the user actually has to click a confirmation button. The infection is not automatic on FF.

Who cares (0, Troll)

JackieBrent (941944) | more than 8 years ago | (#14355372)

Who cares ......

A security hole? In WINDOWS? (0, Redundant)

kimvette (919543) | more than 8 years ago | (#14355385)

A security hole? In WINDOWS? Tell me it ain't so! Why, I've NEVER heard such outlandish claims!

(offended? Chill. Not trolling, just making the obligatory obvious joke)

Re:A security hole? In WINDOWS? (0)

Anonymous Coward | more than 8 years ago | (#14355421)

A security hole? In WINDOWS? Tell me it ain't so! Why, I've NEVER heard such outlandish claims!

(offended? Chill. Not trolling, just making the obligatory obvious joke)

HA HA HA you made a funny joke!!! Mod this technicakal wizard up!!! she 'really' has 'the pulse' on america's funy boen!!

why do I read slashdot anymore?

Stop the dupes! (1, Troll)

Skiron (735617) | more than 8 years ago | (#14355400)

Why doesn't somebody just *pin* a story (maybe the 1996 one) with the security issues with MS and/or IE and leave it there...

Then we don't need to read about it all over again every 20 days ;-)

I remember the days... (1, Interesting)

Anonymous Coward | more than 8 years ago | (#14355404)

I remember the days when only exe and com files were what you had to guard. The day word files became dangerous I thought - why did they put all the functionality in them? Idiots. At least image files and plain text files were safe.

I was eating crow shortly thereafter.
I miss the old days.

Say it isn't so!! (0, Redundant)

Foofoobar (318279) | more than 8 years ago | (#14355427)

Windows Exploit? Isn't that redundant?

Genius Idiots. (4, Insightful)

mumblestheclown (569987) | more than 8 years ago | (#14355431)

The people who took advantage of this loophole did so with a clear economic motive. This is because the loophole is used basically to a) install spysherriff, a bogus anti-spyware program and try to get the user to pay for it with a credit card b) install surfsidekick and other idiot spyware programs c) install a spam sender, in order to make a few more billionths of a cent.

In other words, whatever asshat took advantage of this loophole did so because he thought he could make a buck. If his goal was simply to bring Windows to its knees, cause havoc, or make a political/economic statement of some sort, he would have chosen something else. Wiping out My Documents of all the infected machines, for example.

Whoever did this is obviously deluded. While some money will of course ultimately flow from this nonsense to the "see no evil" people who are the beneficiaries of spamvertisements, spyvertisements and so forth, the actual exploiter basically has little to no chance of getting it (even if he is in Russia, as I'd suspect is a good bet) as his affiliate commission links will be tracked, as will wherever the hell that credit card box for SpySherriff was pointing to and so forth.

So we have somebody smart enough (and make no mistake, it takes some smarts) to either discover or be in a small clique of people discovering a quite obscure loophole (it must be obscure, given just how old the affected .dll is), but have ABSOLUTELY NO FUCKING CLUE how to go about exploiting it other than in the most juvenile and unlikely way to fail imaginable. Furthermore, even though it is likely to fail, the guy has shown himself to basically be a psychopath, with little to no concern about the hundreds of thousands of hours (read: PEOPLE-LIFE-EQUIVALENTS) that will be spent agonizing over and fixing this.

Whoever that person is, they are human filth. But, there's a lot of human filth out there. The sad thing is that this person obviously has potential to do so much more but simply pisses it away instead. Pathetic.

Holy cats (0, Flamebait)

SilverspurG (844751) | more than 8 years ago | (#14355459)

For as much funding and resources as MS has: when are we going to hear of an exploit identified by MS before someone else gets to it first?

For cripes' sakes. Don't these people bug-test their own code? I know I do.

Smitfraud-C (1)

HermanAB (661181) | more than 8 years ago | (#14355462)

Isn't this just another incarnation of the Smitfraud extortion by the nice New Zealand company SpyAxe?

The tool to remove that crapware is called smitrem, available here: http://noahdfear.geekstogo.com/ [geekstogo.com]

WMF (1)

Omeger (939765) | more than 8 years ago | (#14355468)

People actually use that image file format? I've never used that file format in my life (and never even heard of it before), so no exploits for me! :-D

Re:WMF (1)

brain defrag (940949) | more than 8 years ago | (#14355485)

Oh well. It's best to stick to convention and standards when it comes to file formats anyway. Not to mention how much easier it is to send files cross-platform when the file extension doesn't have "Windows" in it.

Watch out for Google Desktop (5, Informative)

Repton (60818) | more than 8 years ago | (#14355480)

From F-secure's blog [f-secure.com] :

Do note that it's really easy to get burned by this exploit if you're analysing it under Windows. All you need to do is to access an infected web site with IE or view a folder with infected files with the Windows Explorer.

You can get burned even while working in a DOS box! This happened on one of our test machines where we simply used the WGET command-line tool to download a malicious WMF file. That's it, it was enough to download the file. So how on earth did it have a chance to execute?

The test machine had Google Desktop installed. It seems that Google Desktop creates an index of the metadata of all images too, and it issues an API call to the vulnerable Windows component SHIMGVW.DLL to extract this info. This is enough to invoke the exploit and infect the machine. This all happens in realtime as Google Desktop contains a file system filter and will index new files in realtime.
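The question in #14355313 (how a parser reading an image file ends up jumping into the file's own bytes), the answer that follows it (a length-driven stack overwrite of a return address) and F-Secure's observation that an indexer touching the file is enough to reach the parser all turn on the same thing: code that trusts lengths it reads out of the file. The C program below is an added example, not code from any poster, from F-Secure or from Windows. It identifies a WMF by its headers rather than its extension, so a download directory can be checked for metafiles arriving under another name, and it walks the record list with every length checked against the bytes actually present and against the capacity of a fixed-size stack buffer before anything is copied, which is precisely the check an overflowable parser lacks. The header and record layouts and the magic numbers are the standard WMF ones; the sample files, the MAX_PARAM_WORDS capacity and the function names are constructed for this example and say nothing about the real SHIMGVW.DLL code.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Status codes; wmf_walk returns them negated, non-negative results are record counts. */
enum { WMF_NOT_WMF = 1, WMF_TRUNCATED = 2, WMF_MALFORMED = 3, WMF_RECORD_TOO_BIG = 4 };

#define PLACEABLE_KEY   0x9AC6CDD7u  /* Aldus placeable metafile magic (little-endian D7 CD C6 9A) */
#define PLACEABLE_LEN   22           /* placeable header, bytes */
#define STD_HEADER_LEN  18           /* standard WMF header, bytes */
#define MAX_PARAM_WORDS 16           /* capacity of the local buffer; illustrative, not Windows' value */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* Identify a WMF by content, not by file name.
 * Returns the byte offset of the standard header, or -1 if this is not a WMF. */
int wmf_sniff(const uint8_t *buf, size_t len) {
    size_t off = 0;
    if (len >= PLACEABLE_LEN && rd32(buf) == PLACEABLE_KEY) {
        uint16_t sum = 0;                     /* checksum = XOR of the ten preceding 16-bit words */
        for (int i = 0; i < 10; i++) sum ^= rd16(buf + 2 * i);
        if (sum != rd16(buf + 20)) return -1;
        off = PLACEABLE_LEN;
    }
    if (len < off + STD_HEADER_LEN) return -1;
    uint16_t type      = rd16(buf + off);     /* 1 = memory metafile, 2 = disk metafile */
    uint16_t hdr_words = rd16(buf + off + 2); /* header size in 16-bit words, always 9 */
    uint16_t version   = rd16(buf + off + 4); /* 0x0100 or 0x0300 */
    if ((type != 1 && type != 2) || hdr_words != 9) return -1;
    if (version != 0x0100 && version != 0x0300) return -1;
    return (int)off;
}

/* Walk the record list. Each record is: size (DWORD, in 16-bit words, header included),
 * function (WORD), parameters. Every length read from the file is checked against the bytes
 * present and against params[] before the copy; skip either check and a record size chosen by
 * the file's author decides how far past params[] the copy runs into the stack. */
int wmf_walk(const uint8_t *buf, size_t len) {
    int hdr = wmf_sniff(buf, len);
    if (hdr < 0) return -WMF_NOT_WMF;
    size_t off = (size_t)hdr + STD_HEADER_LEN;
    int count = 0;
    uint16_t params[MAX_PARAM_WORDS];         /* the fixed-size stack buffer */
    while (off + 6 <= len) {
        uint32_t size_words = rd32(buf + off);
        uint16_t func = rd16(buf + off + 4);
        if (size_words < 3) return -WMF_MALFORMED;                     /* smaller than its own header */
        if (size_words > (len - off) / 2) return -WMF_TRUNCATED;       /* claims more than the file holds */
        size_t param_words = size_words - 3;
        if (param_words > MAX_PARAM_WORDS) return -WMF_RECORD_TOO_BIG; /* would not fit in params[] */
        memcpy(params, buf + off + 6, param_words * 2);
        count++;
        if (func == 0x0000) return count;      /* META_EOF ends the list */
        off += (size_t)size_words * 2;
    }
    return -WMF_TRUNCATED;                     /* ran off the end without META_EOF */
}

/* Constructed sample: disk metafile header, META_SETMAPMODE, META_SETWINDOWEXT, META_EOF. */
static const uint8_t SAMPLE_GOOD[42] = {
    0x02,0x00, 0x09,0x00, 0x00,0x03, 0x15,0x00,0x00,0x00, 0x00,0x00, 0x05,0x00,0x00,0x00, 0x00,0x00,
    0x04,0x00,0x00,0x00, 0x03,0x01, 0x08,0x00,              /* SETMAPMODE, 1 parameter word */
    0x05,0x00,0x00,0x00, 0x0C,0x02, 0x64,0x00, 0x64,0x00,   /* SETWINDOWEXT, 2 parameter words */
    0x03,0x00,0x00,0x00, 0x00,0x00                          /* EOF */
};
/* Constructed: first record claims 4096 words but the file ends right after its header. */
static const uint8_t SAMPLE_TRUNCATED[24] = {
    0x02,0x00, 0x09,0x00, 0x00,0x03, 0x0C,0x00,0x00,0x00, 0x00,0x00, 0x00,0x10,0x00,0x00, 0x00,0x00,
    0x00,0x10,0x00,0x00, 0x0C,0x02
};
/* Constructed: a 23-word record (20 parameter words) that is present in full but exceeds params[]. */
static const uint8_t SAMPLE_TOO_BIG[70] = {
    0x02,0x00, 0x09,0x00, 0x00,0x03, 0x23,0x00,0x00,0x00, 0x00,0x00, 0x17,0x00,0x00,0x00, 0x00,0x00,
    0x17,0x00,0x00,0x00, 0x0C,0x02, [64] = 0x03           /* 40 zero parameter bytes, then EOF */
};
/* Constructed: a GIF signature padded to header length, to show content sniffing rejecting it. */
static const uint8_t SAMPLE_NOT_WMF[24] = { 0x47,0x49,0x46,0x38,0x39,0x61 };

/* Same body as SAMPLE_GOOD behind a placeable header (bbox 0,0,100,100 at 96 dpi, checksum 0x5771). */
int walk_placeable_sample(void) {
    static const uint8_t prefix[PLACEABLE_LEN] = {
        0xD7,0xCD,0xC6,0x9A, 0x00,0x00, 0x00,0x00,0x00,0x00,0x64,0x00,0x64,0x00, 0x60,0x00,
        0x00,0x00,0x00,0x00, 0x71,0x57 };
    uint8_t file[PLACEABLE_LEN + sizeof SAMPLE_GOOD];
    memcpy(file, prefix, PLACEABLE_LEN);
    memcpy(file + PLACEABLE_LEN, SAMPLE_GOOD, sizeof SAMPLE_GOOD);
    return wmf_walk(file, sizeof file);
}

int main(void) {
    printf("good: %d  placeable: %d  truncated: %d  too big: %d  not wmf: %d\n",
           wmf_walk(SAMPLE_GOOD, sizeof SAMPLE_GOOD), walk_placeable_sample(),
           wmf_walk(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED),
           wmf_walk(SAMPLE_TOO_BIG, sizeof SAMPLE_TOO_BIG),
           wmf_walk(SAMPLE_NOT_WMF, sizeof SAMPLE_NOT_WMF));
    return 0;
}
```

The two rejections are deliberately distinct: SAMPLE_TRUNCATED is caught by comparing the declared size with the bytes remaining, SAMPLE_TOO_BIG by comparing it with the buffer's capacity. A parser that performs only the first check still overflows on a record that is fully present but larger than its local buffer, and the size field it trusts came from whoever wrote the file.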

It's actually loose this time! (0)

Anonymous Coward | more than 8 years ago | (#14355497)

For once the correct word to use is loose and we get lose :-(

steps ahead (again) (3, Funny)

fihzy (214410) | more than 8 years ago | (#14355531)

Once again, as noted previously here [slashdot.org] and here [slashdot.org] :

10) find big remote vulnerability in product
20) perfect the exploit
30) have fun with it for months
40) find another big hole in same product
50) perfect exploit for hole
60) alert vendor about original hole
70) have fun with new hole
80) goto 40

Already being used by scumware sites? (2, Insightful)

allankim (558661) | more than 8 years ago | (#14355553)

Coincidentally I was browsing an ad-heavy lyrics site in another tab (Firefox, of course) and was prompted for an action to handle "track5.wmf" ... Geez, they don't waste any time, do they?