
Windows XP Flaw 'Extremely Serious'

Zonk posted more than 8 years ago | from the escalation dept.

Worms 630

scottott wrote to mention a Washington Post article with the news that the security hole we mentioned on Wednesday has widened. Computers can now be infected just by visiting infected web sites, or looking at images in the preview panel of older versions of Outlook. From the article: "At first, the vulnerability was exploited by just a few dozen Web sites. Programming code embedded in these pages would install a program that warned victims their machines were infested with spyware, then prompted them to pay $40 to remove the supposed pests. Since then, however, hundreds of sites have begun using the flaw to install a broad range of malicious software. SANS has received several reports of attackers blasting out spam e-mails containing links that lead to malicious sites exploiting the new flaw, Ullrich said."


Late breaking news from the article: (5, Funny)

Anonymous Coward | more than 8 years ago | (#14364176)

"Mac and Linux computer users are not at risk with this attack, even if their computers run Microsoft programs such as Office or the Internet Explorer Web browser."

Amazing!

Re:Late breaking news from the article: (2, Informative)

Anonymous Coward | more than 8 years ago | (#14364189)

Er... Microsoft Office and Internet Explorer do run on Linux using wine.

Re:Late breaking news from the article: (2, Informative)

$RANDOMLUSER (804576) | more than 8 years ago | (#14364255)

Er.... Mac and Linux machines are no more susceptible to Windows XP exploits than you are to kennel cough or feline leukemia.

Re:Late breaking news from the article: (3, Funny)

operagost (62405) | more than 8 years ago | (#14364307)

I'm a cat, you insensitive clod! *cough*

Re:Late breaking news from the article: (-1, Troll)

Anonymous Coward | more than 8 years ago | (#14364367)

Well done! You win the prize; no wait, two prizes! First, your contribution to the discussion by restating the article, and second, missing the fucking point of the entire thread that you've replied in!

Tell us, did you have to practice much to get that stupid?

Nothing to see here. (-1, Troll)

Poromenos1 (830658) | more than 8 years ago | (#14364183)

Naw, it's not at all serious, as this picture [poromenos.org] shows.

Another /. dupe (5, Funny)

Anonymous Coward | more than 8 years ago | (#14364190)

Guys, you keep posting that same story about a serious security flaw in Windows.

Dupe? (0)

Anonymous Coward | more than 8 years ago | (#14364244)

Serious security flaw? Are you on CRACK [ytmnd.com] ? Joking, joking. But seriously. If they were forced to make their software OSS (which might actually happen in Europe), they would be pretty much forced to patch their software VERY quickly. They would also have to keep their software up to par and have fewer holes because it is conceivable that OSS means that people are going to be looking for 'sploits.

Re:Another /. dupe (3, Informative)

Anonymous Coward | more than 8 years ago | (#14364332)

Since last time it has been reported that this can also be exploited by renaming infected wmf files to other image formats like jpg, gif and tif:
http://www.securityfocus.com/archive/1/420378/30/0/threaded [securityfocus.com]

Re:Another /. dupe (0)

Anonymous Coward | more than 8 years ago | (#14364350)

Another dupe, and still no details on how to find out if you're infected.

Is there a virus scanner that will detect the installed programs? Do they show up in the Task Manager process list? The only indication I have so far that my machines are clean is that I haven't been asked to pony up $40 for their cleanup.

Does anyone have a better way of finding out if you're infected?

Browser appliance (5, Informative)

QuaintRealist (905302) | more than 8 years ago | (#14364191)

If you use Windows, go get the vmware browser appliance and use it - connecting to the internet through a virtual machine is like wearing gloves in the OR - it's just common sense.

http://www.vmware.com/vmtn/vm/browserapp.html [vmware.com]

Re:Browser appliance (1)

the_humeister (922869) | more than 8 years ago | (#14364226)

are you able to download files to the host machine with that? the description doesn't give much info

Re:Browser appliance (0)

Anonymous Coward | more than 8 years ago | (#14364258)

AFAIK, you'd need to use SAMBA to access the host OS drive. Worse, the web browser app is GNOME based. I've got a DSL image running under VMWare player on my win2k box at work, it uses flux and is pretty responsive even if the startup times are still hideous.

Keydrive (1)

QuaintRealist (905302) | more than 8 years ago | (#14364268)

As another reply noted, you could use SAMBA, but the easiest way for me is to save them to a USB key drive.

Re:Browser appliance (0)

Anonymous Coward | more than 8 years ago | (#14364236)

Do you engage in unprotected web browsing?
You need trojan-linux(tm), a specially lubricated linux distro for VMWare Player(tm). Be safe, protect your Microsoft(tm) Windows(tm) install with Trojan-linux(tm)* today.

* Also available in "Redmond Cherry"(tm) flavor.

Re:Browser appliance (2, Funny)

BushCheney08 (917605) | more than 8 years ago | (#14364264)

* Also available in "Redmond Cherry"(tm) flavor.

Dude, that cherry was popped a loooooong time ago. And it's been used repeatedly since then...

MOD PARENT UP (4, Informative)

brunes69 (86786) | more than 8 years ago | (#14364256)

If all you are doing is browsing the web, there is absolutely no reason to not do it in a sandbox. In fact, I don't get why all browsers run in sandboxes. Why do they *ever* need access to the host OS? If they need to save downloaded files, they can do so via a mounted share. At least in a sandbox they cannot execute privileged code, at most they could infect executables on said share.

Re:MOD PARENT UP (3, Insightful)

peragrin (659227) | more than 8 years ago | (#14364295)

Well if you run a real OS, then the browser runs only with the permissions of a particular user. Windows which has some security is designed to bypass that security to give users an edge. So you're screwed.

Take the number of *Nix viruses (included, BSD's, Linux, Unix, etc) and compare that to the number of windows viruses that showed up in the past 2 years alone.

MSFT doesn't care about security. Vista is a step in the right direction but they are keeping way too much of the old code base for it to be useful for this decade.

Re:MOD PARENT UP (0)

toadlife (301863) | more than 8 years ago | (#14364356)

"Well if you run a real OS, then the browser runs only with the permissions of a particular user"

Internet Explorer does run with the permissions of the user.

"Windows which has some security is designed to bypass that secuirty to give users an edge. "

WTF are you talking about?

"Take the number of *Nix viruses (included, BSD's, Linux, Unix, etc) and compare that to the number of windows viruses that showed up in the past 2 years alone."

That would prove nothing as Unix OS's don't have near the Desktop marketshare of Windows, nor do they have the same type of userbase.

Re:MOD PARENT UP (1)

Minwee (522556) | more than 8 years ago | (#14364381)

"Internet Explorer does run with the permissions of the user."

Most Windows users run with the permissions of "Administrator". Otherwise their programs don't work.

Re:MOD PARENT UP (0)

Anonymous Coward | more than 8 years ago | (#14364358)

Even on Windows it runs with the permissions of the current user. Users just tend not to restrict themselves enough for convenience reasons. Stop spreading anti-Windows FUD.

Uploads (4, Insightful)

jaredmauch (633928) | more than 8 years ago | (#14364311)

Well, ideally the browser has some hooks in place to protect the user somewhat, but the challenge becomes when you have a few million users where they want to upload digital pics to granny and don't understand what a "share" is. There's also all those java apps that actually do fancy things. You really need to make it consumer friendly. That's what the Mozilla teams have done with their auto-importing of IE favorites, etc..

My browser touches all sorts of things in the host OS, from the sound card to files that I upload and download. Luckily when I get AIM spam for foo.exe or some other silliness I don't get far unless I type 'wine foo.exe', and even then ;-)

The true challenge is how to dial in the security to a reasonable level. Problem is getting all the millions of programmers to adopt more secure standards combined with the users, IT managers, etc.. that deploy the apps on desktops. Then, getting that out across the millions of home users too. Daunting task.

Re:Browser appliance (1)

operagost (62405) | more than 8 years ago | (#14364321)

No, it's like wearing a condom-- it stinks.

Re:Browser appliance (0)

Anonymous Coward | more than 8 years ago | (#14364371)

Yeah, common sense if you use Windows to access stuff on the Internet. Personally I use Linux or OS X, neither of which require the overhead of running a VM.

Temporary Solution (5, Informative)

Hank Chinaski (257573) | more than 8 years ago | (#14364194)

run
regsvr32 -u %windir%\system32\shimgvw.dll
until a patch is released.

Re:Temporary Solution (1)

Bromskloss (750445) | more than 8 years ago | (#14364243)

You forget to tell us how to restore everything afterwards.

Re:Temporary Solution (4, Informative)

TrueBuckeye (675537) | more than 8 years ago | (#14364245)

Keep in mind that this will disable thumbnail previews. Some have experienced problems opening any image file after unregistering this dll.

It isn't a bad idea to do, but before you do it in an enterprise environment, be sure you test it and are ready for the calls it will cause.

Re:Temporary Solution (1)

Jaysyn (203771) | more than 8 years ago | (#14364306)

No problems here, other than I get a script error in "My Pictures"

Jaysyn

Well, Duh... (4, Funny)

creimer (824291) | more than 8 years ago | (#14364195)

When is a Windows flaw ever not extremely serious?

Re:Well, Duh... (1)

thaerin (937575) | more than 8 years ago | (#14364296)

"A flaw is a flaw, of course, of course, And no one can exploit the flaw, of course, Unless, of course, the flaw, of course, Is from the folks at Microsoft!"

I was just thinking... (1)

User 956 (568564) | more than 8 years ago | (#14364378)

I was just thinking.. I could really use an operating system with serious, critical flaws in, say, a car. Current cars just don't get me from point A to point B well enough.

Maybe someone could make a car with embedded windows [industrial...king.co.uk] ? That would be *awesome*!


at work on a M$ machine (5, Funny)

Alchemar (720449) | more than 8 years ago | (#14364196)

Would someone tell me if the "just by visiting an infected site" link, is a link to an infected site, or an article about the infected sites?

Re:at work on a M$ machine (1)

tciny (783938) | more than 8 years ago | (#14364217)

Hovering your mouse over the link and having a look at the help bar will solve that mystery.

Re:at work on a M$ machine (1)

k0de (619918) | more than 8 years ago | (#14364341)

Call me a pedantic bastard, but I believe that's called the status bar.

Re:at work on a M$ machine (4, Funny)

J0nne (924579) | more than 8 years ago | (#14364384)

Call me a pedantic bastard...

Pedantic Bastard!

Is there anything else you want me to call you?

Real easy (temp) fix. (3, Informative)

Murphy Murph (833008) | more than 8 years ago | (#14364201)

Start-->Run-->regsvr32 /u shimgvw.dll

You lose thumbnail view, and a few other (minor) built-in-Windows-picture-viewing tools break, but you use IrfanView anyway, don't you?

Re:Real easy (temp) fix. (1)

elrous0 (869638) | more than 8 years ago | (#14364247)

Start-->Run-->regsvr32 /u shimgvw.dll

Good idea. But how do you "reactivate" this feature once a patch is released? I use IrfanView, but I also depend heavily on the thumbnail feature in explorer.

-Eric

Re:Real easy (temp) fix. (2, Informative)

discordja (612393) | more than 8 years ago | (#14364271)

just "regsvr32 shimgvw.dll" the DLL back in. the /u is merely a flag to unregister it.

Re:Real easy (temp) fix. (1)

BushCheney08 (917605) | more than 8 years ago | (#14364278)

you do the same thing except without the /u part. [no argument registers it, /u unregisters it]

Re:Real easy (temp) fix. (5, Informative)

value_added (719364) | more than 8 years ago | (#14364345)

Start-->Run-->regsvr32 /u shimgvw.dll

Good idea. But how do you "reactivate" this feature once a patch is released? I use IrfanView, but I also depend heavily on the thumbnail feature in explorer.


Sigh. I do wish people would offer some information with their click here/type-this instructions so people would understand WTF they're doing.
regsvr32 - This command-line tool registers .dll files as command components in the registry.
 
regsvr32 /u /s /n /i[:cmdline] dllname
 
/u unregister server
/s silent
/i call DllInstall passing it an optional cmdline, when
        used with /u calls dll uninstall
/n do not call DllRegisterServer; this option must be used
        with /i
To register (or re-register) the dll:
regsvr32 shimgvw.dll
To run the command, you can use a console window (cmd.exe), or the Run dialog box (accessible from the Start Menu).

Re:Real easy (temp) fix. (0)

Anonymous Coward | more than 8 years ago | (#14364380)

Don't be an ass.

Most people who would just type this in without doing EXACTLY what you did would not know what registering a DLL is. In fact I've never used this command, but if I were to use it, I'd sure as hell type it on a line without args to see if I got the simple help.

Re:Real easy (temp) fix. (1)

lolocaust (871165) | more than 8 years ago | (#14364302)

No, I use xnview, because Irfanview scrolls images very very slowly, and it hurts.

Hmmm... (1)

Fuzzypiggy (942221) | more than 8 years ago | (#14364204)

Another day, another flaw! Just another happy day in "paradise"! Call me when you wake up and smell the OSX/*nix brewing....

Re:Hmmm... (1)

the_humeister (922869) | more than 8 years ago | (#14364237)

So a flaw is discovered and if the user doesn't get the patch/workaround he'll potentially get infected. How does this differ from flaws in os x or other unixes?

Re:Hmmm... (0)

Anonymous Coward | more than 8 years ago | (#14364273)

Because there is no patch yet and it affects 95% of the world's internet users?

Sorry to say it got me (5, Interesting)

aka_big_wurm (757512) | more than 8 years ago | (#14364209)

I needed a bit of underground info (cd key) and went to the best site for that and without thinking I used IE -- couldn't have shut my browser down fast enough.

Spent the next few hours removing all the junk that installed, I was lucky no root kits were installed.

Re:Sorry to say it got me (2, Insightful)

J0nne (924579) | more than 8 years ago | (#14364222)

I was lucky no root kits were installed

How can you tell?

RootKit Revealer (3, Informative)

aka_big_wurm (757512) | more than 8 years ago | (#14364270)

Re:RootKit Revealer (5, Informative)

GigsVT (208848) | more than 8 years ago | (#14364322)

You can't prove a rootkit doesn't exist on your system, unless you have a checksum database on read only media, and some sort of hardware (not firmware) method of computing those checksums.

You can't even be reasonably sure of it without at least some checksumming system like tripwire.

All you are doing is scanning for certain known rootkits. That's a weak strategy that's reactive and guaranteed to fail some of the time.
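Added example, not from any post in this thread: the checksum-baseline approach described in the post above, written out in Python. It hashes every regular file under a root with SHA-256, stores the baseline as JSON, and diffs a later run against it, reporting added, removed and modified paths. The demo tree and its file names are constructed inside the code. The post's caveat still stands: a hash tool running inside a rootkitted system can be lied to, so the intended use is from known-clean boot media against the suspect disk, with the baseline kept on read-only media, not from inside the install being checked.

```python
"""File-integrity baseline: hash a tree, store the hashes, diff a later run.
Added example; the demo scenario and its file names are constructed."""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file (relative POSIX path) under root to its SHA-256.

    Symlinks are skipped so a link pointing outside root cannot smuggle in
    a file that is not actually part of the tree being protected.
    """
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            baseline[p.relative_to(root).as_posix()] = hash_file(p)
    return baseline


def save_baseline(baseline: dict, dest: Path) -> None:
    """Write the baseline as sorted JSON; keep this copy on read-only media."""
    dest.write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Report paths added, removed, or whose hash changed since the baseline."""
    before, after = set(baseline), set(current)
    return {
        "added": sorted(after - before),
        "removed": sorted(before - after),
        "modified": sorted(k for k in before & after if baseline[k] != current[k]),
    }


def demo() -> dict:
    """Constructed scenario: baseline a small tree, tamper with it, diff.

    The baseline is written to a second directory standing in for the
    separate (ideally read-only) media the thread recommends.
    """
    with tempfile.TemporaryDirectory() as tmp, tempfile.TemporaryDirectory() as media:
        root = Path(tmp)
        (root / "system32").mkdir()
        (root / "system32" / "viewer.dll").write_bytes(b"original viewer bytes")
        (root / "system32" / "gdi.dll").write_bytes(b"original gdi bytes")
        (root / "notes.txt").write_bytes(b"hello")

        baseline_file = Path(media) / "baseline.json"
        save_baseline(build_baseline(root), baseline_file)

        # Simulated compromise: one file replaced, one dropped in, one deleted.
        (root / "system32" / "viewer.dll").write_bytes(b"trojaned viewer bytes")
        (root / "system32" / "dropped.dll").write_bytes(b"payload")
        (root / "notes.txt").unlink()

        return compare(load_baseline(baseline_file), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The diff only tells you that something changed; deciding whether a changed file is a legitimate update or a replaced binary still needs a trusted reference (vendor hashes, a known-good install), which is why the baseline has to be taken before the machine is exposed.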

Re:Sorry to say it got me (1)

Anonymous Coward | more than 8 years ago | (#14364274)

I'm good!
C:\>dir "root kit" /s
  Volume in drive C has no label.
  Volume Serial Number is D08F-66C3
File Not Found
 
C:\>

Same thing (1)

Chmcginn (201645) | more than 8 years ago | (#14364282)

Although in my case, I was even dumber... I was surfing with firefox, but the web page that (apparently) had what I needed refused to render, so I grudgingly started up IE, and... well, some of what it downloaded set off Norton, luckily. I was already late getting to bed that night, by the time I cleared out everything (including that irritating "Spyware blocker" ad they put on my desktop & kept re-spawning) I pretty much got no sleep that night. So I finally decided to lock out access to IE on my normal XP login, to protect me from my sleep-deprived self.

Re:Same thing (1)

fimbulvetr (598306) | more than 8 years ago | (#14364317)

http://ubuntulinux.org/ [ubuntulinux.org]

So you can sleep at night...

Re:Same thing (1)

$RANDOMLUSER (804576) | more than 8 years ago | (#14364331)

> So I finally decided to lock out access to IE on my normal XP login, to protect me from my sleep-deprived self

Excellent choice! Now only the administrator account can run IE!

Re:Sorry to say it got me (0)

Anonymous Coward | more than 8 years ago | (#14364288)

actually the current picture view flaw is still able to be done through firefox and the like, it's still gonna use the same mime setting to open the pictures in picture and fax viewer, but apparently firefox will pop up something asking if you want it to open, so seems you just got hit with the normal spam and junk

Solution (0)

TheJavaGuy (725547) | more than 8 years ago | (#14364212)

Get another browser, such as Opera of Firefox.

Re:Solution (0)

Anonymous Coward | more than 8 years ago | (#14364249)

Get another browser, such as Opera of Firefox.

This branding is getting out of hand. Now the Mozilla foundation made an opera about Firefox?

Not a total solution... (4, Informative)

Chmcginn (201645) | more than 8 years ago | (#14364252)

Because the vulnerability exists within a faulty Windows component, security experts warn that Windows users who eschew Internet Explorer in favor of alternative Web browsers, such as older versions of Firefox and Opera, can still get their PCs infected if they agree to download a file from a site taking advantage of the flaw.
Agreeably, you shouldn't be downloading from websites you don't trust anyway... but as anyone who's ever had a computer-illiterate relative or spouse can tell you, sometimes... "But, I really wanted to play that 87th degree derivation of breakout!"

Okay, really, she said Arkanoid, but you get my point.

Re:Not a total solution... (5, Informative)

jafiwam (310805) | more than 8 years ago | (#14364355)

That's not enough.

The flaw can be used with a JPG file (read; the image of the button, or the site seal, or the photo) in the web page.

And since the flaw is in data in the header of the WMF file type, it can be executed even if the file extension is not WMF.

In other words, if you are seeing images on web pages with Windows, you can get this. No downloading is necessary even in other browsers. Until it's patched, the only true safe method is unregister the DLL or don't get on the internet with Windows at all.

As an FYI, I had to deal with this thing several weeks back when it was rare. (The bimbo doesn't remember what web site did it.) IF you do, just pull the drive, mount it on another machine, get your data, and wipe the damn thing. It's a really really tough infection to clean. It screwed the OS more ways than Courtney Love and ate so much CPU it was unusable. PLUS it downloaded other stuff and started to try to infect other machines on the network.

Shoot to kill this one guys, the patient is already dead.
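Added example, not from either post: the SecurityFocus note earlier in the thread (WMF files renamed to .jpg, .gif or .tif) and the post above make the same point, that the extension is not what gets parsed. That gives you something concrete to check for in a download directory, proxy cache or mail quarantine: files whose bytes are a WMF while the name claims another format. The Python below recognises WMF data by its header (the placeable-WMF magic 0x9AC6CDD7, or a standard META_HEADER with Type 1 or 2, HeaderSize 9 words and Version 0x0100 or 0x0300) and flags the mismatch. The sample files are constructed in the code. It only decides whether a file is a WMF, not whether that WMF is malicious.

```python
"""Flag image files whose bytes are WMF regardless of what the extension says.
Added example; sample files are constructed below, not taken from the thread."""
import struct
from pathlib import PurePosixPath

# Aldus "placeable" metafile wrapper: magic 0x9AC6CDD7 stored little-endian.
PLACEABLE_WMF_MAGIC = b"\xd7\xcd\xc6\x9a"

# Magic numbers for the formats the thread says WMF files were renamed to.
OTHER_MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "tif": (b"II*\x00", b"MM\x00*"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "bmp": (b"BM",),
}


def is_wmf(data: bytes) -> bool:
    """True if data starts with a placeable wrapper or a plausible META_HEADER.

    META_HEADER (18 bytes): Type (1=memory, 2=disk), HeaderSize (always 9 words),
    Version (0x0100 or 0x0300), Size, NumberOfObjects, MaxRecord, NumberOfMembers.
    """
    if data.startswith(PLACEABLE_WMF_MAGIC):
        return True
    if len(data) < 18:
        return False
    mtype, header_size, version = struct.unpack_from("<HHH", data, 0)
    return mtype in (1, 2) and header_size == 9 and version in (0x0100, 0x0300)


def sniff_format(data: bytes) -> str:
    """Name the format by content, or 'unknown'."""
    if is_wmf(data):
        return "wmf"
    for fmt, magics in OTHER_MAGIC.items():
        if any(data.startswith(m) for m in magics):
            return fmt
    return "unknown"


def claimed_format(name: str) -> str:
    """Normalised extension, so .jpeg and .jpg compare equal."""
    ext = PurePosixPath(name).suffix.lower().lstrip(".")
    return {"jpeg": "jpg", "tiff": "tif"}.get(ext, ext)


def classify(name: str, data: bytes) -> dict:
    actual = sniff_format(data)
    claimed = claimed_format(name)
    return {
        "name": name,
        "claimed": claimed,
        "actual": actual,
        # The case the thread warns about: WMF bytes behind a non-WMF extension.
        "disguised_wmf": actual == "wmf" and claimed != "wmf",
    }


def find_disguised_wmf(files: dict) -> list:
    """Return the classification of every file that is WMF despite its extension."""
    return [r for r in (classify(n, d) for n, d in files.items()) if r["disguised_wmf"]]


def minimal_wmf() -> bytes:
    """Constructed sample: META_HEADER plus a META_EOF record, 24 bytes (12 words)."""
    header = struct.pack("<HHHIHIH", 2, 9, 0x0300, 12, 0, 3, 0)
    eof_record = struct.pack("<IH", 3, 0x0000)  # RecordSize=3 words, META_EOF
    return header + eof_record


# Constructed inputs standing in for a download directory.
SAMPLES = {
    "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 20,  # genuine JPEG header
    "button.jpg": minimal_wmf(),                         # WMF renamed to .jpg
    "seal.gif": PLACEABLE_WMF_MAGIC + b"\x00" * 20,      # placeable WMF named .gif
    "diagram.wmf": minimal_wmf(),                        # honestly named WMF
}

if __name__ == "__main__":
    for r in find_disguised_wmf(SAMPLES):
        print(f"{r['name']}: claims {r['claimed']}, is actually {r['actual']}")
```

The header check is deliberately loose (it accepts anything with a well-formed META_HEADER or placeable wrapper) because the shell's own sniffing is what matters here: if Windows would treat it as a metafile, you want to know about it, whatever the name says.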

Re:Solution (5, Informative)

KilobyteKnight (91023) | more than 8 years ago | (#14364269)

Get another browser, such as Opera of Firefox.

This is not an IE flaw. This is a Windows flaw. You can still be affected with other browsers, you just have to try harder. Anything using the Windows DLL that does the WMF processing will be affected.

Re:Solution (1)

ichigo 2.0 (900288) | more than 8 years ago | (#14364285)

Opera of Firefox

:)

Re:Solution (1)

$RANDOMLUSER (804576) | more than 8 years ago | (#14364359)

Kiww de wabbit!
Kiww de wabbit!
...
Oh Bwunhiwda, your so wovewy..
Yes I know it, I can't help it...

Re:Solution (3, Interesting)

blowdart (31458) | more than 8 years ago | (#14364309)

Except Firefox 1.0 also opens the files automatically, by default, in the vulnerable application.

In 1.5 the behaviour changed, and for some reason .WMF was associated in Firefox with Windows Media Player. So 1.5 is secure against this flaw, by lucky accident.

Gotta love it... (5, Insightful)

Chmcginn (201645) | more than 8 years ago | (#14364215)

From the article:
Reavey encouraged users to update their anti-virus software, ensure all Windows security patches are installed, avoid visiting unfamiliar Web sites, and refrain from clicking on links that arrive via e-mail or instant message.
(Emphasis added by me) Three good pieces of advice, and... I mean, seriously, avoid visiting unfamiliar web sites? That's like saying "There's been lots of credit card scams recently, you shouldn't go into any store you haven't been to before."

Stupid submit button.... (1)

Chmcginn (201645) | more than 8 years ago | (#14364225)

Just "avoid visiting unfamiliar Web sites" was supposed to be bolded. D'oh.

Re:Gotta love it... (1)

GigsVT (208848) | more than 8 years ago | (#14364260)

Cut the writer some slack, this article is a huge improvement over most security reporting.

For example:
A previously unknown flaw in Microsoft Corp.'s Windows

This alone is better than most stories that refer to generic "security problems" without saying they only apply to windows.

Mac and Linux computer users are not at risk with this attack, even if their computers run Microsoft programs [like IE] and [Windows users of] Firefox and Opera, can still get their PCs infected if they agree to download a file.

This is good reporting too, it shows that it's not an application vuln alone but something system level that is made worse by flaws in applications.

I'd say this guy is pretty clueful and overall it's about the best computer security reporting we can hope for from mainstream newspapers.

Re:Gotta love it... (1)

Chmcginn (201645) | more than 8 years ago | (#14364299)

Cut the writer some slack, this article is a huge improvement over most security reporting.
I will give you that, I suppose we should be happy he didn't start ranting about hackers somewhere in there...

Whew (1, Funny)

Anonymous Coward | more than 8 years ago | (#14364219)

It's a good thing most savvy Windows users know not to ever visit web site links they don't trust. Hey look - it's a web site about goats! Neat!

Re:Whew (0)

Anonymous Coward | more than 8 years ago | (#14364251)

savvy Windows users

what.

Yet another reason to buy a Mac (1, Flamebait)

Enrique1218 (603187) | more than 8 years ago | (#14364221)

Sorry, it is a tradition.

Is it IE or Windows? (0)

Thaelon (250687) | more than 8 years ago | (#14364229)

TFA says "...Windows users who eschew Internet Explorer in favor of alternative Web browsers, such as older versions of Firefox and Opera, can still get their PCs infected if they agree to download a file from a site taking advantage of the flaw."

So is it IE or Windows that is home to the vulnerability?

Windows, definitely Windows... (1)

Svartalf (2997) | more than 8 years ago | (#14364246)

It's a misfeature of Windows itself. If you surf with ANY browser, you'll get zapped if you surf to a site set up to take advantage of this latest hole.

Re:Windows, definitely Windows... (1)

BushCheney08 (917605) | more than 8 years ago | (#14364304)

True. However, the other non-IE browsers at least ask you what you want to do with the .wmf file on the page. If you click the 'open' button, then, well, you get what you deserve...

Re:Is it IE or Windows? (3, Informative)

a_n_d_e_r_s (136412) | more than 8 years ago | (#14364253)

It's in one of Windows' standard libraries - but using IE makes it more dangerous.

Using Firefox with Adblock installed one can stop all files of this dangerous type by adblocking them until a patch is available.

Re:Is it IE or Windows? (1)

Thaelon (250687) | more than 8 years ago | (#14364275)

And what type would that be, exactly?

Re:Is it IE or Windows? (1)

Hillgiant (916436) | more than 8 years ago | (#14364336)

*.wmf would be my guess...

Re:Is it IE or Windows? (3, Informative)

WhoDey (629879) | more than 8 years ago | (#14364286)

It's an exploit of functionality built into Windows (it allows you to view thumbnails in folders full of pictures, for example). The reason it's more dangerous with IE is that IE by default will open these files, while Firefox (or some other browsers) will give you the good old Open/Save box first. If you open at this point, you're still screwed.

Re:Is it IE or Windows? (2, Interesting)

Secrity (742221) | more than 8 years ago | (#14364326)

Windows has the vulnerability. Web browsers and some versions of Outlook are the means that the malicious .wmf files are introduced into the operating system. Firefox and Opera can also be used to introduce malicious .wmf files, the difference is that Firefox and Opera ASK the user for confirmation before they download the files. I understand that newer versions of Firefox are misconfigured and do not handle .wmf files as Microsoft intended, this may be a case where a configuration error is actually a security feature.

This week's Windows security hole article... (4, Insightful)

digitaldc (879047) | more than 8 years ago | (#14364231)

...is brought to you by http://update.microsoft.com/ [microsoft.com]

Programming code embedded in these pages would install a program that warned victims their machines were infested with spyware, then prompted them to pay $40 to remove the supposed pests.

Where do you send the money? And they aren't afraid of getting caught?

Cool Web Search? (2, Interesting)

Chmcginn (201645) | more than 8 years ago | (#14364383)

This has happened a lot in the spyware world - there's plenty of supposed "Spyware Removers" [spywarewarrior.com] that either contain or were marketed with spyware, or show false positives in the "demo" version, forcing you to pay for the real version, which then 'clears' it all up for you. Even though plenty of people spent the money & got nothing, I haven't seen any news reports of anyone being charged for fraud in relation to these products...

The CoolWebSearch [cwshredder.net] family of malware has been around forever... one of the major effects of many of the versions is to replace any IE entry of "search.msn.com" or "www.google.com" with "www.coolwebsearch.com", a rather shitty search engine.

Re:This week's Windows security hole article... (1)

99BottlesOfBeerInMyF (813746) | more than 8 years ago | (#14364388)

Where do you send the money? And they aren't afraid of getting caught?

My understanding is that this is anti-spyware software that is pseudo-legitimate, that is willing to pay others to get users to install it. It might come pre-installed on some computers, for example. It then runs periodically and asks for money to activate all the features. All of this is legal (if shady).

The deal is that crackers are either auto-installing it via this exploit and a cracked web server, or doing so on a legitimate web server. Thus the money goes to a "legal" software company. Whether it can be traced further than that, to the people that company pays per install (who have broken the law) is the real question.

Come on, "editors", let's try to edit properly (5, Informative)

Anonymous Coward | more than 8 years ago | (#14364235)

scottott wrote to mention a Washington Post article with the news that the security hole we mentioned on Wednesday has widened. Computers can now be infected just by visiting infected web sites, or looking at images in the preview panel of older versions of Outlook.

There are two major factual errors here. One, the security hole has not "widened" - the scope of exposure is exactly what we read about Wednesday. Using shimgvw.dll to view a specially constructed WMF file results in system compromise (web site viewing of malicious WMF, previewing, opening w/MS picture and fax viewer, etc). The hole is exactly the same - exposure has increased, but the hole has not widened. Two: the web sites are not infected, they are malicious. The system is infected after visiting a malicious web site.

The full (well, as full as it is now) MS advisory is here [microsoft.com] . I'm not very pleased with how MS is handling this at all, but that does not excuse this shoddy "journalism". How hard is it to state facts correctly? All you had to do was change a few words, and it would have read much more accurately:

scottott wrote to mention a Washington Post article with the news that the security hole we mentioned on Wednesday is now affecting many more users. Computers can now be infected just by visiting malicious web sites, which are now rapidly increasing in number, or looking at images in the preview panel of older versions of Outlook.

For the last sentence, note that I sent myself WMF files with Outlook 2000 and 2003 while running Sysinternals Process Explorer and never saw shimgvw.dll called. Opening a WMF attachment called it, but not previewing, so there might be three errors, but I didn't test all versions that way, so I don't know...

What's the real lesson here? (4, Insightful)

Ed Avis (5917) | more than 8 years ago | (#14364241)

Those of us who use free operating systems shouldn't be too complacent. This exploit is serious because the WMF rendering library has full access to the user's data, and (at least on a 'home' setup where it's a single-user machine) access to the whole PC.

But it was really just bad luck that the bug happened to be found in the Windows WMF library and not, say, its Unix/X11 equivalent. Or libpng, or zlib, or whatever. Anyone who thinks otherwise is deluded. All software has bugs, and even if the quality of the free libraries is ten times higher (unlikely) there will still be plenty of memory tramplings and buffer overruns.

So, when the next vulnerability is found in a commonly used Unix library, will we be in any better position? Not really. Still the library is linked into the application and runs in the application's address space. It has access to all the files the app does, and traditionally on Unix that means everything the user has access to. Your email application may only need to read ~/.mail_settings and connect via IMAP to some host, but it runs with permission to overwrite any file owned by you and connect on any TCP/IP port it wants.

Why does the WMF rendering code need to run with any more permissions than: read a block of memory with the WMF file, and write a block with the rendered bitmap? (Or perhaps make display / GDI calls, if performance is a concern.)

What support is there in Unix operating systems for running common library code with only the privileges it needs? As far as I know Linux has no simple way to run a dynamically-linked library (.so file) in its own address space or without permitting it to make system calls. So when the next exploit is found in a common Linux library - and it will be found - the situation will be just as embarrassing.

Re:What's the real lesson here? (1)

oztiks (921504) | more than 8 years ago | (#14364334)

What support is there in Unix operating systems for running common library code with only the privileges it needs? As far as I know Linux has no simple way to run a dynamically-linked library (.so file) in its own address space or without permitting it to make system calls. So when the next exploit is found in a common Linux library - and it will be found - the situation will be just as embarrassing.



They are out there for example the bluetooth exploit in linux but the thing is though that linux also has systrace and systems that can be easily put in-place to stop these issues easily. Whereas MS doesnt. Its been over 48hrs and they still can't produce a patch.

The issue isn't "it can happen to Linux so we shouldn't jinx ourselves"; the real issue is "MS has problems writing patches that retain backward compatibility".

Get Firefox NOW! (1, Funny)

kaos.geo (587126) | more than 8 years ago | (#14364242)

Come on people!!!
I do tech support for 60+ machines at work...
The one user that refused to use firefox...
called me a week ago. BEGGING... Her computer had started TALKING
(i.e. audio advertisements in English)
The people in the other cubicles were claiming for an EXORCIST for the biatch.

Re:Get Firefox NOW! (0, Troll)

WhatAmIDoingHere (742870) | more than 8 years ago | (#14364265)

Come on, people! Learn to properly format a comment!

Re:Get Firefox NOW! (1)

kaos.geo (587126) | more than 8 years ago | (#14364289)

I am sorry my poor English skills irritated your sensitive retina. I'll leave you now to continue writing whatever it is you write that will prolly get you the Booker Prize or the Pulitzer. ;)

Can we get some non-shoot-from-hip news? (1, Funny)

WidescreenFreak (830043) | more than 8 years ago | (#14364281)

I dislike MS as much as anyone else on Slashdot; however, is this a Windows XP flaw or is it just an Internet Explorer/Outlook flaw? Unless I missed it when I read (okay, skimmed) TFA, the article implies that Windows XP is the problem. Looks more to me like it's an IE/Outlook flaw.

I run Firefox and Eudora on XP in addition to Zone Alarm, Ad-Aware, Spybot, and McAfee AV. My wife uses Firefox and Thunderbird. IE is used only on those web sites that require it (which are very, very, very few) and I uninstall Outlook from every PC. Will I be infected just because I'm running XP? I highly doubt it. I'm not saying that it's impossible, but my doubt factor is nearly maximum. That does not downgrade the severity threat. After all, Firefox, Thunderbird, and Eudora are in a very small minority of Windows users' favorite applications. Believe me, I love to see Microsoft dragged through the mud when possible, but let's at least keep it realistic.

This clearly is a slow news week. The anti-Bush-administration people are making an issue over an NSA web cookie and now we're blaming an entire operating system for application flaws. (I know the whole argument about IE and Outlook being integrated into the operating system, but I still don't see this as an operating system issue if other apps on the same operating system are not vulnerable.)

Re:Can we get some non-shoot-from-hip news? (1)

Mikelikus (212556) | more than 8 years ago | (#14364325)

It's a Windows flaw. You're vulnerable even with Firefox/Eudora.

Re:Can we get some non-shoot-from-hip news? (1)

Cyphertube (62291) | more than 8 years ago | (#14364338)

If you open the .wmf file at all on Windows XP, you will be infected.

Re:Can we get some non-shoot-from-hip news? (0)

Anonymous Coward | more than 8 years ago | (#14364347)

The flaw is in the WMF image decoding library, which is part of the operating system. You can still be infected if you are using browsers other than IE provided they attempt to render WMFs. In fact, if you are running Google Desktop Search it's possible to be infected should a nasty WMF somehow end up on your system (in a browser cache for example) as the exploit will be executed when Desktop Search attempts to index the file.

Re:Can we get some non-shoot-from-hip news? (0)

Anonymous Coward | more than 8 years ago | (#14364376)

I would even be careful running the software you've listed - McAfee AV has an interesting little habit of deleting less-than-legitimate applications and claiming that they are infected when they are not. My specific case - when I tried using McAfee AV when Comcast offered it for free, it deleted the setup file for DVDDecrypter claiming it was loaded with spyware. The deletion occurred even though I had McAfee set up to quarantine files, not delete them. Neither current versions of Symantec AV nor Spybot nor Adaware tagged the file as having any spyware when I used them against a re-downloaded copy.

I shouldnt say this but ... (1)

oztiks (921504) | more than 8 years ago | (#14364293)

If it can be embedded into a webpage, can't it also be embedded in actual emails? It's true that loads of email apps stop images from being viewed, but there are a fair few that don't.

Older versions of Firefox doesnt help (2, Informative)

pissu_man (853656) | more than 8 years ago | (#14364318)

For those who are ranting about FF: read the article; it says that older versions of Opera and FF are vulnerable too - on Windows, of course.

Windows Major Foul-Up (5, Insightful)

spellraiser (764337) | more than 8 years ago | (#14364327)

Larry Seltzer has a concise column [eweek.com] about this exploit, where he doesn't exactly pull the punches on Microsoft. The most interesting piece of information there is this:

The problem with the WMF (Windows Metafile) file format turns out to be one of those careless things Microsoft did years ago with little or no consideration for the security consequences.

Almost all exploits you read about are buffer overflows of some kind, but not this one. WMF files are allowed to register a callback function, meaning that they are allowed to execute code, and this is what is being exploited in the WMF bug.

I find this mind-boggling to the point of absurdity. Regardless of any supposed benefit gained by this, allowing a data file to execute arbitrary code upon it being viewed is simply begging for an exploit like this. No matter what spin Microsoft will try to put on this one, it makes them look bad. Extremely bad.

Why aren't computers allowed to have the flu? (0, Offtopic)

wysiwia (932559) | more than 8 years ago | (#14364348)

We humans have it, animals also, so why not computers? Let the computers have the flu.

The computer liberation front!

IDS signatures (5, Informative)

Cally (10873) | more than 8 years ago | (#14364361)

The Microsoft advisory says:
Are there any third party Intrusion Detection Systems (IDS) that would help protect against attempts to exploit this vulnerability?

While we don't know of specific products or services that currently scan or detect for attempts to render specially crafted WMF files, we are working with our partners through industry programs like VIA to provide information as we have it. Customers should contact their IDS provider to determine if it offers protection from this vulnerability.

Snort sigs have been available from BleedingSnort [bleedingsnort.com] for some time now; I pushed them out to our corporate IDS yesterday morning.

(Warning, mangled by Slashcode - remove newlines)

# by mmlange
alert tcp any any -> $HOME_NET any (msg:"BLEEDING-EDGE CURRENT WMF Exploit"; flow:established; content:"|01 00 09 00 00 03 52 1f 00 00 06 00 3d 00 00 00|"; content:"|00 26 06 0f 00 08 00 ff ff ff ff 01 00 00 00 03 00 00 00 00 00|"; reference:url,www.frsirt.com/exploits/20051228.ie_xp_pfv_metafile.pm.php; classtype:attempted-user; sid:2002734; rev:1;)

# By Frank Knobbe, 2005-12-28
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT WMF Escape Record Exploit"; flow:established,from_server; content:"|01 00 09 00 00 03|"; depth:500; content:"|00 00|"; distance:10; within:12; content:"|26 06 09 00|"; within:5000; classtype:attempted-user; reference:url,www.frsirt.com/english/advisories/2005/3086; sid:2002733; rev:1;)

Once again it looks like Microsoft are going to escape the 'perfect exploit' meltdown by the skin of their teeth. This is exploitable remotely, but Dr Evil can't sit at a console typing in arbitrary IP addresses to 0wn with the exploit. On the other hand you can get close to that sort of thing using Metasploit Framework [metasploit.org] .
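What the second rule's "|26 06 09 00|" content match is keyed on is a META_ESCAPE record (0x0626) whose escape number is SETABORTPROC (0x0009), the callback registration the thread describes. The walker below, an added example that is neither the poster's nor BleedingSnort's code (wmf_has_setabortproc is a hypothetical name), goes a step past byte matching: it parses the record list, skips an optional placeable header, and treats zero-length or truncated records as malformed rather than looping or reading past the buffer.

```c
#include <stdint.h>
#include <stddef.h>

#define META_EOF     0x0000
#define META_ESCAPE  0x0626   /* WMF record carrying a GDI Escape */
#define SETABORTPROC 0x0009   /* Escape that registers an abort-procedure callback */

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t le32(const uint8_t *p) { return le16(p) | (uint32_t)le16(p + 2) << 16; }

/* Walk a WMF buffer's record list and report whether it holds a META_ESCAPE record
 * whose escape number is SETABORTPROC. Returns 1 if found, 0 if the file ends cleanly
 * at META_EOF, -1 if it is not a well-formed metafile (short buffer, bad header,
 * zero-length or truncated record). Every record size is bounds-checked, so a hostile
 * size field can neither run the walker off the buffer nor make it loop forever. */
int wmf_has_setabortproc(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    if (len >= 22 && le32(buf) == 0x9AC6CDD7) off = 22;          /* placeable header */
    if (len < off + 18) return -1;
    uint16_t type = le16(buf + off), hdr_words = le16(buf + off + 2);
    if ((type != 1 && type != 2) || hdr_words != 9) return -1;
    off += 18;
    while (off + 6 <= len) {
        uint32_t words = le32(buf + off);                        /* size in 16-bit words */
        uint16_t func  = le16(buf + off + 4);
        if (words < 3 || words > (len - off) / 2) return -1;     /* hostile or truncated */
        if (func == META_EOF) return 0;
        if (func == META_ESCAPE && words >= 4 && le16(buf + off + 6) == SETABORTPROC) return 1;
        off += (size_t)words * 2;
    }
    return -1;                                                   /* no META_EOF reached */
}

/* Constructed samples, not real files: an 18-byte header (type 1, 9 words, version 3.0)
 * followed by hand-built records. */
const uint8_t wmf_clean[] = {
    0x01,0x00, 0x09,0x00, 0x00,0x03, 0x10,0x00,0x00,0x00, 0x00,0x00, 0x04,0x00,0x00,0x00, 0x00,0x00,
    0x04,0x00,0x00,0x00, 0x03,0x01, 0x01,0x00,                   /* META_SETMAPMODE MM_TEXT */
    0x03,0x00,0x00,0x00, 0x00,0x00 };                            /* META_EOF */
const uint8_t wmf_escape[] = {
    0x01,0x00, 0x09,0x00, 0x00,0x03, 0x12,0x00,0x00,0x00, 0x00,0x00, 0x06,0x00,0x00,0x00, 0x00,0x00,
    0x06,0x00,0x00,0x00, 0x26,0x06, 0x09,0x00, 0x02,0x00, 0x00,0x00,  /* META_ESCAPE, SETABORTPROC */
    0x03,0x00,0x00,0x00, 0x00,0x00 };                            /* META_EOF */
```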

Firefox? (5, Interesting)

freg (859413) | more than 8 years ago | (#14364362)

Could someone please elaborate on whether using Firefox browser will help avoid this security hole.

Missing Option (3, Funny)

$RANDOMLUSER (804576) | more than 8 years ago | (#14364366)

Windows XP Flaw 'Extremely Comical'

HOOORAY! (0, Flamebait)

ninja_assault_kitten (883141) | more than 8 years ago | (#14364374)

Let's hope there's something worse than Highly Critical! HOOORAY FOR SLASHDOT. WHAT A GLORIOUS WAY TO END 2005!

PS!
LINUX RULES!(*@(@^ #$

PPS!
I'M GOING TO SPEND NEW YEARS EVE ON IRC IF ANYONE WANTS TO JOIN ME!(@&

more serious (5, Informative)

spacemky (236551) | more than 8 years ago | (#14364377)

And not only does the exploit work with .WMF (Windows MetaFile), but if the attacker renames it to, say, .JPG, Windows will detect this as really being a .WMF, and STILL execute it. Pretty serious stuff. See this [securityfocus.com] bugtraq link for details.