
New IM Worm Exploiting WMF Vulnerability

CmdrTaco posted more than 8 years ago | from the happy-new-years-windows-users dept.

Worms 360

An anonymous reader writes "Less than four days after the original mailing list posting, there are reports of a new Instant Messaging worm exploiting the unpatched Windows Metafile vulnerability. This worm is using MSN to spread, reports Viruslist.com."


How do I avoid it? Fixes? (4, Insightful)

Ruff_ilb (769396) | more than 8 years ago | (#14374812)

These would be good things to know...

Re:How do I avoid it? Fixes? (2, Funny)

hahafaha (844574) | more than 8 years ago | (#14374824)

Perhaps the reason they posted it on Slashdot was that they were hoping that one of the thousands of programmers there would be able to fix it. ;-)

Re:How do I avoid it? Fixes? (4, Funny)

Ruff_ilb (769396) | more than 8 years ago | (#14374840)

Perhaps the reason they posted it on Slashdot was that they were hoping that one of the thousands of programmers there wrote it. ;-)

Fixed ;)

Re:How do I avoid it? Fixes? (5, Informative)

R3NZ (858840) | more than 8 years ago | (#14375016)

There seems to be a first fix.

There is now a "Windows WMF Metafile Vulnerability HotFix" available from Ilfak Guilfanov. Have a look here http://www.hexblog.com/2005/12/wmf_vuln.html [hexblog.com]

The problem - and the fix - have also been discussed on GRC.com's Security Now podcast. Check out this link http://www.grc.com/sn/notes-020.htm [grc.com]

Re:How do I avoid it? Fixes? (0)

Anonymous Coward | more than 8 years ago | (#14375076)

Sure, once Microsoft releases their source code, they can count on the millions of eyeballs and everyone trying to fix their own itch model. Until then, flaws like this will continue to cause havoc. I'm not a big fan of having to reverse engineer a program to fix Microsoft's flaws.

Re:How do I avoid it? Fixes? (1)

hahafaha (844574) | more than 8 years ago | (#14375148)

I know, I was joking.

Re:How do I avoid it? Fixes? (2, Informative)

ergo98 (9391) | more than 8 years ago | (#14374844)

How do I avoid it? Fixes?

Follow the suggested action in the Microsoft advisory linked right up there above.

Re:How do I avoid it? Fixes? (0, Flamebait)

wombatmobile (623057) | more than 8 years ago | (#14374848)

How do I avoid it?

Use a non-Windows o/s.

Re:How do I avoid it? Fixes? (0, Insightful)

Anonymous Coward | more than 8 years ago | (#14374959)

Ignorance at its finest. As soon as Windows is dead and "insert linux distro here" gets their market share we will still be hearing about the latest and greatest worms for that distro. Don't blame Windows' lack of security; it's more its market share, transparency between versions and the lack of brains on the end users' parts that are to blame. But don't blame it on Windows, it owns you...

Re:How do I avoid it? Fixes? (3, Insightful)

gb506 (738638) | more than 8 years ago | (#14375040)

We non-MS users may be ignorant, but not having to deal with the constant parade of Windows security exploits makes our ignorance extraordinarily blissful... ;)

Straw Man, Mod Parent Down (2, Insightful)

Moth7 (699815) | more than 8 years ago | (#14375208)

No one said that using something other than Windows would solve all security problems, only this one. The grandparent was entirely correct in its observation.

Re:How do I avoid it? Fixes? (0)

Anonymous Coward | more than 8 years ago | (#14375015)

Not my decision.

How do I avoid it?

Re:How do I avoid it? Fixes? (0)

Anonymous Coward | more than 8 years ago | (#14375100)

Use Windows in text mode only and unplug the ethernet cable just in case.

Re:How do I avoid it? Fixes? (2, Funny)

cortana (588495) | more than 8 years ago | (#14375122)

Remove gdi32.dll until your vendor sees fit to provide you with a fix.

Re:How do I avoid it? Fixes? (4, Interesting)

nacturation (646836) | more than 8 years ago | (#14375120)

That's about as helpful as advising tsunami victims that they move.

For those who want actual advice: http://www.hexblog.com/ [hexblog.com] -- a fix which creates a hook to disable the affected code. The fix has been analyzed by Steve Gibson. [grc.com]

Re:How do I avoid it? Fixes? (0)

Anonymous Coward | more than 8 years ago | (#14375223)

It's more like telling people for 10 years that it's a bad idea to live in hurricane territory, below sea level, behind a flimsy patchwork of levees. It's no fault but their own when the hurricane comes along, blows down their levees, and the sea floods in.

Re:How do I avoid it? Fixes? (4, Informative)

Maroulis (467300) | more than 8 years ago | (#14374851)

Microsoft suggests unregistering the problem DLL:
start->run
regsvr32 -u %windir%\system32\shimgvw.dll

http://www.microsoft.com/technet/security/advisory/912840.mspx [microsoft.com]

Re:How do I avoid it? Fixes? (-1, Redundant)

bigpicture (939772) | more than 8 years ago | (#14374977)

Why does MS not suggest unregistering all the DLLs, by installing an OS that doesn't have them?

Re:How do I avoid it? Fixes? (4, Informative)

FhnuZoag (875558) | more than 8 years ago | (#14374985)

That works for some things, but not everything, because shimgvw is NOT the problem dll. The real problem is in gdi32.dll, which IIRC is too important to be removed.

What happens when you unregister this DLL? (0)

Anonymous Coward | more than 8 years ago | (#14375062)

Are images turned off when browsing?

Re:How do I avoid it? Fixes? (0, Redundant)

TheSpoom (715771) | more than 8 years ago | (#14374852)

Don't click suspicious links in MSN messages. If someone sends you one, ask about it, and if they don't remember sending it, they probably have a virus.

Re:How do I avoid it? Fixes? (1)

secolactico (519805) | more than 8 years ago | (#14374915)

Ah, but doesn't the official MSN client display images without asking? I know it displays previews for some images.

(It did a couple of versions back, maybe that's changed now. Trillian user myself).

Re:How do I avoid it? Fixes? (1)

TheSpoom (715771) | more than 8 years ago | (#14374943)

Also a Trillian Pro user, and this brings up a good point... from what I've seen, Trillian brings up thumbnail images of image sends as well. I hope that doesn't mean that Trillian is also vulnerable...

Re:How do I avoid it? Fixes? (5, Funny)

Lehk228 (705449) | more than 8 years ago | (#14374856)

use gaim, the image support is terrible, you will be safe

Re:How do I avoid it? Fixes? (1)

gruntled (107194) | more than 8 years ago | (#14374862)

I'm avoiding it by, you know, not using a messenger client hard-wired to the operating system...

Re:How do I avoid it? Fixes? (0)

burdicda (145830) | more than 8 years ago | (#14374871)

Microsoft suggests

You keep sending more money muhahahaha....

Ah, Slashdot... (5, Funny)

SheeEttin (899897) | more than 8 years ago | (#14375004)

Ah, Slashdot... where the first post is modded "redundant".

Patch ETA? (0, Redundant)

Limburgher (523006) | more than 8 years ago | (#14374828)

Looks potentially nasty.

Re:Patch ETA? (1)

hector_uk (882132) | more than 8 years ago | (#14374933)

the link they give for it doesn't work --_--. anyone care to post it?

Happy New Year! (4, Funny)

Pedals (758888) | more than 8 years ago | (#14374834)

Well that didn't take long.

temporary fixes (5, Informative)

Phil246 (803464) | more than 8 years ago | (#14374839)

There is information available on temporary fixes from the following sites:
http://isc.sans.org/diary.php?rss&storyid=996 [sans.org]
http://www.f-secure.com/weblog/#00000760 [f-secure.com]
http://www.grc.com/sn/notes-020.htm [grc.com]

Be aware the runnable patch is completely unofficial; the only action Microsoft suggests is unregistering a vulnerable DLL, which only mitigates the most common method of exploitation while not fixing the underlying problem.
NFI how long it will take Microsoft to have an official patch out, but from the SANS site, it doesn't look promising that it will appear soon.

Re:temporary fixes (3, Interesting)

MrP- (45616) | more than 8 years ago | (#14375172)

I wonder if Microsoft will stick to their update Tuesday cycle thing. If so, that means the official patch won't be out until January 10 (second Tuesday of the month).

Re:temporary fixes (0)

Anonymous Coward | more than 8 years ago | (#14375220)

Unless they skip this Tuesday. After all, it's not unheard of [slashdot.org] . Apparently patching critical vulnerabilities monthly is still sometimes too fast =P.

Do. This. Now. (4, Informative)

Bozdune (68800) | more than 8 years ago | (#14375216)

Get a patch here: http://www.hexblog.com/2005/12/wmf_vuln.html [hexblog.com]

All the necessary information and explanation (plus q/a) is here. This is the only hope at present. Good luck to everyone on Jan 2 when this thing takes over the world.

happy new year! (0, Offtopic)

minus_273 (174041) | more than 8 years ago | (#14374843)

My prediction: in 2006, MS innovation will lead the way in new fronts!

Re:happy new year! (1)

Cheapy (809643) | more than 8 years ago | (#14374928)

The number of viruses will explode in size this year, with all these innovations! I can feel it!

Re:happy new year! (0)

Anonymous Coward | more than 8 years ago | (#14374960)

And Linux will continue to be a bit-player used primarily by under-socialized geeks.

MSN? (0)

Anonymous Coward | more than 8 years ago | (#14374863)

You MUST mean MSN Messenger.

Re:MSN? (5, Informative)

sucker_muts (776572) | more than 8 years ago | (#14374888)

You MUST mean MSN Messenger.

The Netherlands being the place where it first appeared, and being from Belgium myself, I can say that everybody here simply says 'MSN' when they mean 'MSN Messenger'.
It's more common in Europe anyway to use MSN instead of the other popular IM networks used throughout the USA and other countries. IM was never popular with non-geek computer users here, and when broadband internet (with a fixed price/month) arrived, most teenagers (the primary group of users in Europe) all started using MSN Messenger.

Re:MSN? (0)

Anonymous Coward | more than 8 years ago | (#14375167)

I'm afraid that all of the "messenger" tools stink in security terms. MSN is loaded with "features" that are direct violations of the most basic security principles, such as those we're seeing abused right now. Yahoo is wildly overbundled with irrelevant and security-violating tools that clutter your system and impinge on system security. Jabber, while lighter weight, sends and stores passwords in plain text a child could access in its default configuration. AOL's tools are so bad I've never even bothered to go isolating them.

Every single one of them reflects an Exciting! New! Concept! that ignores the basic lessons of the old BBS days and of IRC. They mistake the excitement of adding new features for usefulness and treat security as an afterthought. Instead of each branching out into its own new snakepit of stupid ideas and bad code, let's take a deep breath and look at what works and cut back to the bare minimum of what works and make it safe and lightweight.

Oddly enough, tools like Skype seem to do it right from the ground up, but seem to be ignored in favor of over-burdened systems that add the one feature that a vanishingly small set of people want. It's never the same feature for more than a dozen users, and it's painful to see them evolve.

Developers, stop using ... (3, Interesting)

IAAP (937607) | more than 8 years ago | (#14374874)

POP-UP windows!

From MS' site: [microsoft.com] 4: Block pop-up windows in your browser

My credit union requires that I allow pop-ups! I don't know how many times I've gone to legitimate websites and scratched my head for a while trying to figure out why I wasn't seeing anything - all because I'm blocking pop-ups! Firefox tells you with that little message on top of the window, but you know how it is, after a while, you don't notice it anymore.

Re:Developers, stop using ... (4, Informative)

Anonymous Coward | more than 8 years ago | (#14374942)

Block popups in the Internet security zone and allow them in the Trusted zone, then add your credit union to the list of sites you trust and refresh the page for the settings to take effect. Basically you need to create a white list of trusted sites while blocking all the riff raff. It doesn't matter what version of IE you use; install the IE5.5 Power Toys, which will add two settings to the Tools menu called "add to restricted zone" and "add to trusted zone". It ain't rocket science.

Macs (-1, Offtopic)

Anonymous Coward | more than 8 years ago | (#14374876)

This is a serious comment, I am only doing this as an AC to avoid being modded +5 funny, -7 flamebait. Why do people on Slashdot not mind Macs, and yet act like Microsoft is the devil (which it, obviously, is)? Apple's Macintosh is not only just as proprietary a piece of crap as Windows, but it also forces you to purchase their HARDWARE if you want to use it the "legit" way (though this may change with Mactels, they have been operating this way for years). In my opinion, each of the two companies is, after all considerations, THE WORST FUCKING THING TO EVER HAPPEN TO COMPUTING.

Re:Macs (4, Insightful)

Hiro Antagonist (310179) | more than 8 years ago | (#14374911)

Talk about trolling flamebait. Apple makes money on hardware, not operating systems, so it behooves them to make their operating system work on their hardware. The nice thing about this is that they make some damn nice hardware (I'm typing this on a PowerBook), and that they have very little incentive to 'feature-pack' their OS like Microsoft does -- so you get less in the way of quirky 'features', and a hell of a lot of functionality.

Plus, OS X is a Unix, which means it plays nicely with other Unices, and it behaves like a Unix on the command line -- so I get all the power of pipes, vi, Bash, the BSD ports collection (a la Darwinports), gcc, and so on. On the GUI side, it behaves like a Mac -- and I think you'd be hard-pressed to fault Apple for their GUI design.

Best of both worlds; you just have to shell out a slight premium for the hardware, and given that you get a REAL OS with it, I'd say that Mac offers a better bargain for the desktop user than any Dell or Gateway.

Re:Macs (1)

heinousjay (683506) | more than 8 years ago | (#14375065)

That's right, Timmy. Your purely subjective opinion is the ONE TRUE WAY. You let those dirty conservatives know it, Timmy. I'm proud of ya.

Re:Macs (1)

deaddrunk (443038) | more than 8 years ago | (#14375136)

you just have to shell out a slight premium for the hardware, and given that you get a REAL OS with it

A real OS that won't run a large proportion of the software people want to run. It doesn't matter how good it is; it's how practical it is that counts. I'd quite like an Apple myself, but it can't do everything that I want my Windows box to do. Same reason that I have a Linux partition rather than a solely Linux box.

Re:Macs (1, Offtopic)

hahafaha (844574) | more than 8 years ago | (#14374931)

First of all your comment is largely off-topic, causing mine to be as well, but I am only responding to this because I could not bear to read what you wrote and not answer (Mods, please be compassionate!)

You are addressing two largely unrelated issues as one: Freedom of software, and usefulness of the company. Allow me to address them seperately.

The former (Freedom) is a much bigger problem with Windows than Macs, at least with Mac OSX. Sure, they both use proprietary code, but at least Mac OSX uses some Free software.

The latter (usefulness) is very subjective. No doubt Microsoft would think they are useful, while Apple thinks they are. As much as I do not like Microsoft, I am going to have to say that it *and* Apple were both useful, if not so much now. They did start a revolution of computing at home. Unfortunately, it has taken a bad path over the years, but it is the same sort of idea.

As a final note I would like to ask, why did you think you would get +5 funny? I find nothing funny about what you wrote.

Re:Macs (0)

Anonymous Coward | more than 8 years ago | (#14375143)

separately

Re:Macs (1)

hahafaha (844574) | more than 8 years ago | (#14375197)

Right, sorry for the typo.

Re:Macs (0)

Anonymous Coward | more than 8 years ago | (#14375178)

Yea, it was a real rib tickler, alright.

Patch by SANS (0)

Anonymous Coward | more than 8 years ago | (#14374890)

There's a patch available here [sans.org]

There needs to be... (3, Interesting)

Caspian (99221) | more than 8 years ago | (#14374897)

...a dedicated, well-written, well-publicized effort to educate the general public about this sort of thing. We need to establish a meme among the Joe Sixpacks, Moms and Dads, and Grandma Sues of this country that they're foolish if they don't read stories on [whatever].com each week. And on that site, we need to explain, in plain English, [A] what the flaw could do to their computer, [B] what they can do to temporarily/permanently fix the flaw, and [C] what the flaw is due to (99% of the time, this will be 'due to Microsoft software').

Microsoft obviously isn't interested in having an educated user base, or they'd make such a site themselves and advertise it extensively.

Who's with me?

Re:There needs to be... (1)

hahafaha (844574) | more than 8 years ago | (#14374948)

I agree. It is quite obvious why they don't make such a site, however. It is simply because if they did, they would have to say that it is largely their own fault these problems are happening. If they lied about it, places like Slashdot would have serious outcries.

Re:There needs to be... (1)

tpgp (48001) | more than 8 years ago | (#14374953)

...a dedicated, well-written, well-publicized effort to educate the general public about this sort of thing. We need to establish a meme among the Joe Sixpacks, Moms and Dads, and Grandma Sues of this country that they're foolish if they don't read stories on [whatever].com each week. And on that site, we need to explain, in plain English, [A] what the flaw could do to their computer, [B] what they can do to temporarily/permanently fix the flaw, and [C] what the flaw is due to (99% of the time, this will be 'due to Microsoft software').

Interesting idea - how about instead Microsoft pushes a patch out via windows update?

If it's too hard to patch their (obviously hard to maintain) code - why not push out the DLL-unregistering work-around until they have a better fix?

Sure - it's going to upset a few grannies to not be able to see thumbnails of their grandkids for a few weeks - but surely that's better than threatening the world's network infrastructure.

Microsoft obviously isn't interested in having an educated user base, or they'd make such a site themselves and advertise it extensively.

They obviously aren't. An educated user base is a user base capable of migrating from their products.

Who's with me?

Well. Obviously not me.

Apart from the fact that I don't see this idea as feasible - why on earth would I assist a huge, faceless corporation that shows nothing but disdain for its customers?

I'd much rather give my time & effort to promoting open source solutions.

Re:There needs to be... (1)

hahafaha (844574) | more than 8 years ago | (#14374976)

Well. Obviously not me. Apart from the fact that I don't see this idea as feasible - why on earth would I assist a huge, faceless corporation that shows nothing but disdain for its customers? I'd much rather give my time & effort to promoting open source solutions.

If such a site were to exist, people would start catching on that it's all Microsoft's fault in the first place. Then people *would* switch to other systems.

Re:There needs to be... (3, Interesting)

Spoing (152917) | more than 8 years ago | (#14375104)

If such a site were to exist, people would start catching on that it's all Microsoft's fault in the first place. Then people *would* switch to other systems.

Nope.

I've had conversations with regular non-techy people. They don't get it; they think that they are safe and/or don't want to think about the dangers or alternatives. Ever. It is not possible to convince them and if you point them to a technical site, they will ignore it. They must come to the decision by themselves after long years of abuse, if they drop Windows at all. That said, to my surprise, my brother in law decided to get a Mac Mini for his kids this Christmas. I gladly helped them configure it and bring over data from the old Windows box they (unfortunately) still use. I've given him that advice for about 5 years, and did not talk with him about it for the last 6 months...so whatever I've said or pointed out to him had very little to do with his decision. (My brother-N-L is a smart guy and does not ignore most other advice w/o good reasons.)

Personally, I just refuse to help them to secure the Windows-based systems they chose to use unless it is a single-function server that I can configure how I see fit. I do reinforce with them just how hard it is to use Microsoft's products in a safe manner; 'exceedingly frustrating and still I'm unconvinced that it is secure when I'm done' is a phrase I use often.

NOTE: I _DO_NOT_ subscribe to the idea that if you keep a system updated with the current patches, use a firewall, and be careful, it is safe to use. If that system is safe, it is more by luck and chance and not by your hard work. This exploit is a perfect example of how all those methods fall apart and can not be relied on.

Re:There needs to be... (0)

hahafaha (844574) | more than 8 years ago | (#14375187)

Really? Ever since I, myself, switched to GNU/Linux, I have been rather successful at converting others. In general, most of the people I have talked to at least realize that Microsoft products are bad. Granted, not everyone actually switched, but, for example, almost everyone I've ever talked to on the subject uses Firefox instead of IE.

Re:There needs to be... (0)

deaddrunk (443038) | more than 8 years ago | (#14375111)

I wish I could, however my favourite MMORPG stubbornly refuses to run properly under either WINE or Cedega and since it's not a popular game like WoW there's not much of a chance of it working in the near to mid-term. Microsoft should have Win32 taken away from them; it's ridiculous that such an important (albeit horrible) API is under the control of one company that shows such contempt for the customers that are stuck with their shoddy products.

Re:There needs to be... (3, Insightful)

W2k (540424) | more than 8 years ago | (#14375089)

The problem isn't that the user base is completely uneducated - it's that for the majority of the educated users on Windows, they're not switching because THERE'S NOTHING BETTER TO SWITCH TO. I'm not trolling; I'd be off Windows in a heartbeat if I had the option. I've replaced pretty much everything else on my box with FSS/OSS alternatives. Windows remains because for the stuff I do with my computer and the expectations I place upon it, there's nothing else to use.

Re:There needs to be... (0)

bigpicture (939772) | more than 8 years ago | (#14375014)

"Microsoft obviously isn't interested in having an educated user base".

You got this right!!! If the average Joe user knew just how bad the OS is, in requiring continual security maintenance, how long do you think they would keep it on their computers??? How long did the Ford Pinto stay on the roads after the public found out that it was a safety hazard???

Re:There needs to be... (1)

the_macman (874383) | more than 8 years ago | (#14375075)

...a dedicated, well-written, well-publicized effort to educate the general public about this sort of thing. We need to establish a meme among the Joe Sixpacks, Moms and Dads, and Grandma Sues of this country that they're foolish if they don't read stories on [whatever].com each week. And on that site, we need to explain, in plain English, [A] what the flaw could do to their computer, [B] what they can do to temporarily/permanently fix the flaw, and [C] what the flaw is due to (99% of the time, this will be 'due to Microsoft software'). Microsoft obviously isn't interested in having an educated user base, or they'd make such a site themselves and advertise it extensively.

Or you can just hand them an iMac that suits their needs and be done with it. Worked with my grandma who likes to click on every pop-up banner on the net. Just my .02

Re:There needs to be... (2, Interesting)

tsa (15680) | more than 8 years ago | (#14375185)

My ISP regularly sends me emails about new MS vulnerabilities and what to do about them. I chuck them immediately because I use Windows only for playing games, but the fact that they send these mails means that a lot of Joe Sixpacks get to know about the dangers and can do something about it. I think that the main reason Joe Sixpack doesn't use non-MS software is that when something on a computer is more difficult than 'click here', 90% of the people doesn't even try. And another thing: people stick to what they know. That's very hard to change.

update antiviruses (1)

phntm (723283) | more than 8 years ago | (#14374904)

Beware of this IM-Worm which spreads via MSN using a link to "http://[snip]/xmas-2006 FUNNY.jpg".
Though it's spread mainly in the Netherlands, as the link says.
An up-to-date antivirus should keep you safe.

Re:update antiviruses (0)

Anonymous Coward | more than 8 years ago | (#14374951)

Except by the time the antivirus detects the file, you've already downloaded it.

And to add to that, updating AV won't help whatsoever until the AV vendors actually add detection for it. Which they haven't.

Another GOOD reason not to run IM! (3, Interesting)

jackb_guppy (204733) | more than 8 years ago | (#14374906)

IM is just a personal private email system, period. Try using email; you can even use filters to pick your friends' messages out of the background noise, like inter-departmental mail.

To fix the security risk of IM, you either give up the point-to-point email that it is, or force it through filtering servers (sounds like email there again). The anti-virus programs on every machine will have to start filtering all that traffic too (wait, they are doing this for email today also!!)
--
When will people learn that NEW is not always GOOD.

Re:Another GOOD reason not to run IM! (5, Insightful)

unity (1740) | more than 8 years ago | (#14375029)

My customers use IM. My coworkers use IM. I use IM.

IM is potentially the most influential communication medium since email.
I have had quite a few of my customers tell me that "The simple fact that I can reach you via IM, has made your company's service better than any other partner."

IM is "instant", offers logging of communications and doesn't require somebody to check their email (it pops up on their screen). In many ways it is a better communication tool than other options: phone, email or fax. You can even use it to see if somebody is in the office yet, or out to lunch. I could go on and on...

Feel free to not use it; the rest of the modern business world won't be joining you.

Re:Another GOOD reason not to run IM! (3, Insightful)

S.O.B. (136083) | more than 8 years ago | (#14375145)

I am forced to use IM at work and all the benefits you list also have negatives associated with them.

Being "instant" allows people to annoy you for any little thing. The dozen or so phone interruptions I used to get a day are now 20-30 IM interruptions.

"Logging of communications" also means you have no privacy. And if you think your boss isn't tracking you by your IM status you're kidding yourself.

Screen popups mean that you don't have to wait for the recipient to check their email/vmail but it also means that you just interrupted what they were doing. I don't know how many times I was trying to solve a problem and I got IMed by multiple people asking if I had solved the problem.

The difference between IM and previous forms of communication is that I used to have a choice.

Re:Another GOOD reason not to run IM! (1)

unity (1740) | more than 8 years ago | (#14375225)

"Logging of communications" also means you have no privacy. And if you think your boss isn't tracking you by your IM status you're kidding yourself.

I'm a hard worker, I have no problem with my "boss" aka:"customers" knowing that I put in long hours. I use the tracking ability myself to monitor my customer contacts and coworkers; their availability and work habits. This comes in handy when you have clients and coworkers living in different timezones and with varying work schedules. If you work hard, what do you have to hide? :)

All those little annoyances? That is support or just part of getting the job done. If I am busy, I will tell somebody that or use that fancy "Away" indicator in most/all IM clients. The easier I make it for customers and coworkers to communicate with me, the better we can ALL get our job done.

Re:Another GOOD reason not to run IM! (1)

TCM (130219) | more than 8 years ago | (#14375174)

IM is "instant", offers logging of communications and doesn't require somebody to check their email (it pops up on their screen).

That's what IRC is for.

Re:Another GOOD reason not to run IM! (2, Insightful)

the_macman (874383) | more than 8 years ago | (#14375109)

IM is just a personal private email system, period. Try using email; you can even use filters to pick your friends' messages out of the background noise, like inter-departmental mail. To fix the security risk of IM, you either give up the point-to-point email that it is, or force it through filtering servers (sounds like email there again). The anti-virus programs on every machine will have to start filtering all that traffic too (wait, they are doing this for email today also!!)

Ummm, not really. Half the people I know check their email via the web and have to log in every time, vs IM where you just keep a small window open (in fact you can minimize it) and messages pop up if someone contacts you. Plus with IM, when I send someone an IM I *know* if they are in front of their computer that instant, or idle, or away. Plus according to your plan it's efficient to send an email to someone saying "Hey wanna go to the movies tonight" only for them to check their email the next day.

It's worse than that (5, Insightful)

Anonymous Coward | more than 8 years ago | (#14374914)

I do infosec stuff at a well-known corporation, including Incident Response, and I've been following this closely & working on our response.

Since the first exploit came to light, H. D. Moore of the Metasploit project has reworked the original package they did. The new exploit spits out exploit WMF files [sans.org] that come:

  • with a random size;
  • with no .wmf extension (.jpg), but it could be any other image extension actually;
  • with a random piece of junk in front of the bad call, carefully crafted to be larger than the MTU on an ethernet network;
  • with a number of possible calls to run the exploit (listed in the source);
  • with a random trailer.

This makes it rather hard for antivirus and IDS sigs to detect it, though Snort and the A/V people are working late over their holidays to improve detection.

SANS/ISC have provided excellent continued summaries of events around this. Here's their FAQ on the issue [sans.org] .

This is looking truly horrible. On Tuesday morning zillions of Windows desktops will be fired up for the first time in a week or two. This thing's already in widespread use by a number of malware distribution networks for the usual reasons. As such it's a nightmare for network and system admins with Windows machines to look after (and us security people trying to provide advice & assistance for them...) But the stealth nightmare is that this is an absolute jackpot for the less visible targetted attacks, such as those emanating from China for the past couple of years (google around, Slashdot and Schneier have covered this as well as many other places.) There are also the opportunistic types who see an easy opportunity to pwn some key machines where they work, say. I will stick my neck out here and make a prediction. Virtually all organisations with Windows machines are effectively wide open to total compromise by a reasonably informed person. That means much of the IT dept as well as significant numbers of the 'interested poweruser' types, developers with a casual interest in security,.. anyone who's heard of this and is capable of running the findingm, running and using the new exploit, basically. Of course we're all tweaking our IDSes and antivirus, locking things down as tight as possible in the 48 hours remaining, but... *shudder*

For ten years I've been waiting for Microsoft's luck to run out. This is about #3 on my list of catastrophic MS incidents. There aren't many ways things could be worse.

It will be a good time to be running Linux on a work machine, though :)

Re:It's worse than that (1, Insightful)

lseltzer (311306) | more than 8 years ago | (#14375063)

Yes, it's really really bad, but it's not anywhere near as bad as a real network worm and we've had several of those. At least these attacks do require user interaction and there is a workaround that's usually effective.

BTW, according to testing by AV-Test of 73 variants, all of the major AV packages and most of the others are detecting all of them. You're right though that there will be holes in this coverage, especially inasmuch as some of them are doing exploit-by-exploit coverage as opposed to a true heuristic. The ones that do sniff out the actual WMFs and look for the exploit sequence seem to be working so far.
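
The two posts above describe the detection problem from both sides: the generated files carry a random size, a non-.wmf extension, junk before the bad record and a random trailer, so fixed-offset signatures and extension-based filtering miss them, while the scanners that "sniff out the actual WMFs and look for the exploit sequence" keep working. The scanner below is an added example written for this thread; it is not code from the posters, from Metasploit or from SANS. It identifies a WMF by its header regardless of filename, walks the record list, and flags a META_ESCAPE record whose escape sub-function is SETABORTPROC (code 9, the Escape() call the flaw abuses) wherever it sits in the file. The record layout follows the standard WMF format (placeable header, 18-byte header, records sized in 16-bit words). The sample files are constructed here for the demonstration and carry no payload; the escape data is zero-filled.

```python
"""Extension-agnostic WMF scanner (added example, not from the thread or Metasploit)."""
import struct
from dataclasses import dataclass, field
from typing import List, Optional

PLACEABLE_KEY = 0x9AC6CDD7   # Aldus placeable header magic
META_EOF = 0x0000
META_SETBKCOLOR = 0x0201     # harmless record used here as filler (constructed samples)
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009        # the Escape() sub-function the WMF flaw abuses


@dataclass
class ScanResult:
    is_wmf: bool
    placeable: bool = False
    records: int = 0
    escape_codes: List[int] = field(default_factory=list)
    suspicious: bool = False
    reason: Optional[str] = None


def wmf_header_offset(data: bytes) -> Optional[int]:
    """Offset of the standard header if the bytes carry a WMF, else None.
    The filename is deliberately ignored: the generated payloads use .jpg and friends."""
    off = 22 if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY else 0
    if len(data) < off + 18:
        return None
    mtype, hdr_words, version = struct.unpack_from("<HHH", data, off)
    if mtype not in (1, 2) or hdr_words != 9 or version not in (0x0100, 0x0300):
        return None
    return off


def scan_wmf(data: bytes) -> ScanResult:
    """Walk the record list and flag META_ESCAPE/SETABORTPROC wherever it sits."""
    off = wmf_header_offset(data)
    if off is None:
        return ScanResult(is_wmf=False, reason="no WMF header")
    res = ScanResult(is_wmf=True, placeable=(off == 22))
    pos = off + 18
    while pos + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, pos)
        if size_words < 3:                      # a record is at least Size + Function
            res.reason = f"malformed record size at offset {pos}"
            break
        res.records += 1
        if func == META_EOF:
            break                               # bytes after EOF (the random trailer) are ignored
        if func == META_ESCAPE and pos + 10 <= len(data):
            esc, _count = struct.unpack_from("<HH", data, pos + 6)
            res.escape_codes.append(esc)
            if esc == SETABORTPROC:
                res.suspicious = True
                res.reason = f"META_ESCAPE/SETABORTPROC record at offset {pos}"
        pos += size_words * 2                   # record sizes are counted in 16-bit words
    return res


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the bytes are a WMF but the name claims otherwise (e.g. .jpg)."""
    return wmf_header_offset(data) is not None and not filename.lower().endswith(".wmf")


# ---- constructed samples (no real payload; escape data is zero-filled) ----
def _record(func: int, params: bytes = b"") -> bytes:
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def _wmf(records: bytes, placeable: bool = False) -> bytes:
    body = records + _record(META_EOF)
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, 0, 0)
    out = header + body
    if placeable:
        pl = struct.pack("<IHhhhhHI", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0)
        checksum = 0
        for (w,) in struct.iter_unpack("<H", pl):   # XOR of the first ten words
            checksum ^= w
        out = pl + struct.pack("<H", checksum) + out
    return out


BENIGN_WMF = _wmf(_record(META_SETBKCOLOR, b"\xff\xff\xff\x00"))

# Disguised sample: placeable header, ~1.6 KB of filler records ahead of the escape
# record (standing in for the junk larger than the MTU), then a trailer after EOF.
DISGUISED_JPG = _wmf(
    _record(META_SETBKCOLOR, b"\x41" * 1600)
    + _record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 16) + b"\x00" * 16),
    placeable=True,
) + b"\x5a" * 37

JPEG_HEAD = b"\xff\xd8\xff\xe0" + b"\x00" * 40   # constructed: a real JPEG start, not WMF
```

Because the walker follows the record chain rather than matching bytes at a fixed offset, the leading junk, the random overall size and the trailer change nothing about the verdict; a file that stops being parseable (a record shorter than its own header) is reported as malformed rather than silently skipped.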

Re:It's worse than that (4, Insightful)

Lehk228 (705449) | more than 8 years ago | (#14375113)

This is MUCH worse than a network worm.

Worms are pretty easy to seal out with a firewall and are easily patched. This exploit allows all sorts of local user exploits in a corporate environment. It also so far has been able to fly through hardware and software firewalls of all shapes and sizes.

Re:It's worse than that (5, Informative)

borderpatrol (942564) | more than 8 years ago | (#14375130)

I work for a major electronics retailer in the Service department. Most of our duties are simple PC repair, data backup, and virus/spyware removal.

I have seen in the past week our work increase fivefold because of this exploit. What is normally a very slow time of the year for us has become very busy for us and it's making me nervous myself.

We had a few customers that bought brand-new computers and laptops and are bringing them back the same day with this exploit. A quick check reveals that their Norton was up-to-date, yet this stuff still slipped in. Other customers are getting this thing left and right. Unfortunately I have not much to tell them except to keep updating all your security products daily as it's only going to get worse before it gets better. Hand them a copy of Norton and Sunbelt Counterspy and tell them good luck.

I do believe there is a bit of social engineering planned into this. Customers with year-end financials, tax season starting up, holiday credit card payments and statements coming through. A very ripe time for plucking financial and personal data. And with this being an extended holiday weekend, this exploit has a bit of time to fester and refine itself before the big trojan/virus with a major payload slips past the AV and Adware detections and onto millions of computers. What happens when someone combines this exploit with a backdoor into a major ad server network? Imagine the damage then.

I'm doing the best I can at my house against this thing, but looking at the 7+ Windows boxes I'm now worrying about updating, installing, patching and unregistering, and the 1 Apple laptop I haven't had to restart in 6 months, and I wonder if this is going to be the big one that really gives Microsoft the black eye it can't recover from.

Great.. (2, Interesting)

wfberg (24378) | more than 8 years ago | (#14374918)

Microsoft recommends, for the time being to just

regsvr32 -u %windir%\system32\shimgvw.dll

BUT according to this analysis, the real fault lies with gdi32.dll! How the hell do you get rid of that? It's about as deeply embedded in Windows as, say, glibc is in Linux distributions..

Re:Great.. (2, Informative)

Anonymous Coward | more than 8 years ago | (#14375041)

The problem is not with gdi32.dll. The problem is with the way the WMF handler uses the SetEscape() API.

Pointing the finger at gdi32.dll is like running a malicious script that executes "rm -fr /" and blaming the rm executable when your files disappear.

What you gonna do, internet..... (3, Funny)

Channard (693317) | more than 8 years ago | (#14374932)

... when Hulkamania runs wild on you? Oh, wait, WMF. Never mind.

Most importantly: THERE IS A FIX (5, Informative)

FhnuZoag (875558) | more than 8 years ago | (#14374936)

It's unofficial, but it works.

http://www.hexblog.com/2005/12/wmf_vuln.html [hexblog.com]

Re:Most importantly: THERE IS A FIX (0, Troll)

TCM (130219) | more than 8 years ago | (#14375192)

Quick, everyone! Download an executable from a totally unrelated third-party site with "blog" in its name! Look! I even got the patch in my mail before I knew it existed!

Re:Most importantly: THERE IS A FIX (2, Informative)

W2k (540424) | more than 8 years ago | (#14375228)

Parent is a troll who obviously didn't even RTFA. This patch is legit, it comes with complete source code, and it's been verified good by at least one third party [grc.com] , Steve Gibson of GRC.com. It immunizes against the vulnerability and has no known ill effects. It's as good a counter-measure as there can be before an official fix is released.

Good TIMING! (1)

putko (753330) | more than 8 years ago | (#14374965)

I'm impressed at the timing on this one -- it hits during the slowest time of the year.

I figure the exploiters, even if they aren't the fastest in the bunch, will have massive penetration by the time people start modifying their systems to protect themselves.

So I'm wondering if the bad guys knew about this one for a while and just waited until now to spring it, or did the Microsoft customers just get profoundly unlucky.

Steve Jobs is probably laughing away over this one.

These stories about vulnerabilities... (-1, Flamebait)

Darius Jedburgh (920018) | more than 8 years ago | (#14374986)

They're pretty boring aren't they. You'd have to be a pretty sad fucker to think that they're worthy of making headline news on anything other than a specialist security web site. Bye bye /.

Re:These stories about vulnerabilities... (-1, Offtopic)

heinousjay (683506) | more than 8 years ago | (#14375162)

Exactly what was it about Slashdot that made you think anything but sad fuckers populated these communist shores? The unrepentant geekery fool you? The non-stop proselytizing of an alternative OS like someone actually gave a shit? The grant-mooching hippie worship? The political idealism that speaks of a life lived on IRC, without real world contact in any way? The belief that the general population actually cares one whit for technology? The crowing about the slightest bit of sexual contact in any post from someone who's so much as seen the opposite sex? The evangelical atheism, as if steadfast faith in science weren't just as much of a religion as Christianity? The me-too moderation, demonstrating a deep-seated need to belong heretofore only seen in bulimic cheerleaders?

Fearmongering (4, Interesting)

eddy (18759) | more than 8 years ago | (#14375036)

What we need now is for someone to find a remote exploit in a popular webserver and combine both exploits into a worm, 'cause then we're all really fucked.

Re:Fearmongering (0)

Anonymous Coward | more than 8 years ago | (#14375070)

then we're all really fucked.

What you mean "we," paleface?

--Anonymous Mac user

Re:Fearmongering (0)

Anonymous Coward | more than 8 years ago | (#14375117)

"We" internet users? Unless you Macintosh "One step look-ahead" Users have your own private one?

Seen this on porn sites (1)

SlightOverdose (689181) | more than 8 years ago | (#14375067)

I've noticed numerous TGP porn sites have been trying to get me to open a WMF file (Not that I uh.... would know about this first hand or anything ;p). Didn't think there was anything to it until seeing this article- my guess is it's being used to install crapware of some kind.

Lucky I'm using Linux.

Can't think with a hang-over (1, Interesting)

Anonymous Coward | more than 8 years ago | (#14375071)

but somebody can finish this joke... it has to do with a hacked Windows PC... I am teh lose today.

"and on the 7th day 'after' Christmas my true-love gave to me"

Re:Can't think with a hang-over (5, Funny)

ettlz (639203) | more than 8 years ago | (#14375182)

Seven Sony rootkits,
Six keystroke loggers,
Five porn diallers!
Four Exploit.WMFs,
Three Mytobs,
Two Bifrose-Ds,
And a homepage stuck on goatse.

so... (1)

Antony.S (813668) | more than 8 years ago | (#14375079)

Doesn't this virus still require the user to click a link? It's not fully automated?

Why are so many people making it sound like the end of the world?

Re:so... (1)

josepha48 (13953) | more than 8 years ago | (#14375154)

It's not as unique as you think. I submitted a story similar to this to /. but it was rejected. Since I knew it would be, I wrote it down in my /. journal. The link below is my journal, and it talks about a Yahoo! phish.

http://slashdot.org/~josepha48/journal/125456

Yes, a user has to click the link. The issue is that with IM people usually assume that the link is from the actual sender of the IM. So in the case of Yahoo! someone who has you on their buddy list, which is usually someone you chat often with, sends you an IM with a link. These new phish only require you to click on the link before they screw you.

It's been a day since I reported it to Yahoo! and they still have not taken the URL down. I wonder how far these things have to spread before anyone really decides it's an issue.

Re:so... (0)

Anonymous Coward | more than 8 years ago | (#14375156)

The exploit itself doesn't require someone to click on a link; the IM version does.
In theory, you just need to "view" the WMF in your browser to infect your machine, and there are some reports that even some desktop search tools 'indexing' the file can invoke the exploit.
I wonder if the preview picture in the MSN IM (I don't use it, so not sure at all) can be forced to render a WMF.

Another one strikes (1)

bulio (884542) | more than 8 years ago | (#14375138)

This is only going to get worse. According to the blog at F-Secure, there are so many variants coming out it isn't even funny. Also, it doesn't help that just by allowing Google Desktop to index the file, you can get a virus. From what I can gather, you can unregister shimgvw.dll, but the problem lies deep inside Windows, so you still aren't 100% safe. There is also an unofficial patch out, but how many newbie computer users will actually apply it? I have a feeling that this exploit is going to be a real bad one until Microsoft can release a patch, as tons of different worms and trojans can be released into a machine with this exploit.

Is this the exploit reported back in November? (2, Interesting)

Animats (122034) | more than 8 years ago | (#14375149)

An exploit of "gdi32.dll" using a WMF file for the attack was documented back in November [securiteam.com] . Does this new exploit use the same attack approach?

Re:Is this the exploit reported back in November? (4, Informative)

Heembo (916647) | more than 8 years ago | (#14375218)

This is the same basic exploit - but the seriousness and criticality is dramatically harder. A malicious file can contain any file extension of any random size and still be a WMF file on the "inside" and still have an "arbitrary code" payload. Most security groups are way freaked out now since IDS/IPS and AV patches are not patching this completely yet. Check out http://isc.sans.org/diary.php?rss&storyid=994 [sans.org] for a more in-depth answer.

plUs 3, Troll) (-1, Offtopic)

Anonymous Coward | more than 8 years ago | (#14375165)

to i7s laid-back

VBS in WMF? WTF?! (2, Informative)

void*p (899835) | more than 8 years ago | (#14375219)

Why in the world would a WMF file need to be able to execute a script? And aren't most of Microsoft's vulnerabilities related to the wanton running of scripts without a user being aware that it's happening?

We must be in Soviet Russia... (-1, Offtopic)

Anonymous Coward | more than 8 years ago | (#14375227)

...because the internet owns us!