Posted: 1/3/2006 7:50:28 PM EDT
http://msnbc.msn.com/id/10684853/

Windows PC's face 'huge' virus threat

By Kevin Allison in San Francisco
Updated: 1:41 a.m. ET Jan. 3, 2006

Computer security experts were grappling with the threat of a new weakness
in Microsoft's Windows operating system that could put hundreds of millions
of PCs at risk of infection by spyware or viruses. The news marks the latest
security setback for Microsoft, the world's biggest software company, whose
Windows operating system is a favourite target for hackers.

"The potential [security threat] is huge," said Mikko Hyppönen, chief
research officer at F-Secure, an antivirus company. "It's probably bigger
than for any other vulnerability we've seen. Any version of Windows is
vulnerable right now." The flaw, which allows hackers to infect computers
using programs maliciously inserted into seemingly innocuous image files,
was first discovered last week.

But the potential for damaging attacks increased dramatically at the weekend
after a group of computer hackers published the source code they used to
exploit it. Unlike most attacks, which require victims to download or
execute a suspect file, the new vulnerability makes it possible for users to
infect their computers with spyware or a virus simply by viewing a web page,
e-mail or instant message that contains a contaminated image.

"We haven't seen anything that bad yet, but multiple individuals and groups
are exploiting this vulnerability," Mr Hyppönen said. He said that every
Windows system shipped since 1990 contained the flaw. Microsoft said in a
security bulletin on its website that it was aware that the vulnerability
was being actively exploited.

But by early yesterday, it had not yet released an official patch to correct
the flaw. "We are working closely with our antivirus partners and aiding law
enforcement in its investigation," the company said. In the meantime,
Microsoft said it was urging customers to be careful opening e-mail or
following web links from untrusted sources.

Meanwhile, some security experts were urging system administrators to take
the unusual step of installing an unofficial patch created at the weekend by
Ilfak Guilfanov, a Russian computer programmer. Concerns remain that without
an official patch, many corporate information technology systems could
remain vulnerable as employees trickle back to work after the holiday
weekend.

"We've received many e-mails from people saying that no one in a corporate
environment will find using an unofficial patch acceptable," wrote Tom
Liston, a researcher at the Internet Storm Center, an antivirus research
group. Both ISC and F-Secure have endorsed the unofficial fix. Microsoft
routinely identifies or receives reports of security weaknesses but most
such vulnerabilities are limited to a particular version of the Windows
operating system or other piece of Microsoft software.

In recent weeks, the company has been touting its progress in combating
security threats. The company could not be reached on Monday for comment.

Copyright The Financial Times Ltd.

Link Posted: 1/3/2006 7:52:40 PM EDT
[#1]
Meh, I'm good.
Link Posted: 1/3/2006 7:54:42 PM EDT
[#2]
For the next few days until MS issues a patch,
cut back on the porn and warez sites, guys.
Yer gonna get bit.


Link Posted: 1/3/2006 7:54:53 PM EDT
[#3]
tag
Link Posted: 1/3/2006 7:59:07 PM EDT
[#4]
Is this the CHI-COMS again? .....Or hacker punks?
Link Posted: 1/3/2006 8:00:36 PM EDT
[#5]
Isn't this technically old news? I thought the potential was always there.
Link Posted: 1/3/2006 8:02:09 PM EDT
[#6]
Same ole shit, different day.

Over 15 years of using a computer and only 2 viruses, both not my fault: one, my uncle had a floppy with Michelangelo on it way back in the day, and the other was my friend using my comp to check his e-mail and opening an unknown file he got in a spam letter. Both got very chewed out for it.
Link Posted: 1/3/2006 8:03:26 PM EDT
[#7]
Link Posted: 1/3/2006 8:04:22 PM EDT
[#8]

Quoted:
Isn't this technically old news? I thought the potential was always there.


The big news now is that this Microsoft backdoor exists in every version from 15 years ago all of the way to the newest versions of Vista.  The other big deal is that anyone can do anything with your Microsoft Windows computer just by getting you to view a web page that contains a .wmf image.
Link Posted: 1/3/2006 8:08:46 PM EDT
[#9]

Quoted:

Windows PC's face 'huge' virus threat




In other late breaking news, it has been determined that the Pope is Catholic.
Link Posted: 1/3/2006 8:11:38 PM EDT
[#10]
tag
Link Posted: 1/3/2006 8:17:42 PM EDT
[#11]
What is a virus, again?

Sorry, I forgot.

I'm a Mac user.
Link Posted: 1/3/2006 8:20:43 PM EDT
[#12]
Why would one of the sickos that write viruses waste their time writing viruses for any of the other 5% of computers in the world that don't run windows?

The virus threat for Windows is 'huge' because it's on 95% of the world's computers! Duh!
Link Posted: 1/3/2006 8:20:43 PM EDT
[#13]

Quoted:
For the next few days until MS issues a patch,
cut back on the porn and warez sites, guys.
Yer gonna get bit.





From what I've heard there have been instances of supposedly above-board sites pushing the images.  Hacking websites is old hat at this point.
Link Posted: 1/3/2006 8:21:29 PM EDT
[#14]
Finally found the energy over the holiday weekend to get my last computer upgraded to Linux.  For once, I can brush off a Windows virus scare.  Woohoo!
Link Posted: 1/3/2006 8:24:18 PM EDT
[#15]

Quoted:

Quoted:
Isn't this technically old news? I thought the potential was always there.


The big news now is that this Microsoft backdoor exists in every version from 15 years ago all of the way to the newest versions of Vista.  The other big deal is that anyone can do anything with your Microsoft Windows computer just by getting you to view a web page that contains a .wmf image.

Umm, who the hell uses WMF anyway? Almost every image online is either JPG, GIF, or PNG.
Link Posted: 1/3/2006 8:24:51 PM EDT
[#16]

Quoted:
What is a virus, again?

Sorry, I forgot.

I'm a Mac user.



A big +1.

But I will soon have a Dell, courtesy of Uncle Sam and school....
Link Posted: 1/3/2006 8:30:24 PM EDT
[#17]
tag
Link Posted: 1/3/2006 8:33:37 PM EDT
[#18]
Link Posted: 1/3/2006 8:34:26 PM EDT
[#19]
tag
Link Posted: 1/3/2006 8:35:21 PM EDT
[#20]
tag
Link Posted: 1/3/2006 8:41:01 PM EDT
[#21]

Quoted:

Quoted:

Quoted:
Isn't this technically old news? I thought the potential was always there.


The big news now is that this Microsoft backdoor exists in every version from 15 years ago all of the way to the newest versions of Vista.  The other big deal is that anyone can do anything with your Microsoft Windows computer just by getting you to view a web page that contains a .wmf image.

Umm, who the hell uses WMF anyway? Almost every image online is either JPG, GIF, or PNG.



That's not the point.

When you click on your favorite Asian Shemale Porn site the next time, they may have put a WMF in the page.
Link Posted: 1/3/2006 8:47:14 PM EDT
[#22]

Quoted:
When you click on your favorite Asian Shemale Porn site the next time, they may have put a WMF in the page.


Well, if you use Firefox, it will not open the file automatically.
Link Posted: 1/3/2006 8:51:38 PM EDT
[#23]

Quoted:

Quoted:
When you click on your favorite Asian Shemale Porn site the next time, they may have put a WMF in the page.


Well, if you use Firefox, it will not open the file automatically.



Or Opera.

I never use IE unless I have to "Windows Update", but with the auto DL of critical updates I don't even need it for that.
Link Posted: 1/3/2006 8:55:15 PM EDT
[#24]
tag
Link Posted: 1/3/2006 9:00:43 PM EDT
[#25]
This obviously is going to be difficult to patch.  And the delivery device doesn't simply have to be clicking on a thumbnailed image.
Link Posted: 1/3/2006 9:13:29 PM EDT
[#26]
I'm not scared. 15 years of computing, and my personal machines haven't been hit yet.

Update the patches, keep your firewall in good shape, don't hit crappy sites, don't open attachments, and keep a backup.

Link Posted: 1/3/2006 9:14:38 PM EDT
[#27]

Quoted:
This obviously is going to be difficult to patch.  And the delivery device doesn't simply have to be clicking on a thumbnailed image.



Why?

Push out a new thumbnail component without the vulnerability.  Why is that difficult?
Link Posted: 1/3/2006 9:26:43 PM EDT
[#28]

Quoted:

Quoted:
This obviously is going to be difficult to patch.  And the delivery device doesn't simply have to be clicking on a thumbnailed image.



Why?

Push out a new thumbnail component without the vulnerability.  Why is that difficult?

And there's already an unofficial patch out there.
/. article
Link Posted: 1/3/2006 9:35:23 PM EDT
[#29]

Quoted:
Why would one of the sickos that write viruses waste their time writing viruses for any of the other 5% of computers in the world that don't run windows?

The virus threat for windows is 'huge' because it's on 95% of the worlds computers! Duh!



The threat for Windows is huge because Windows is full of vulnerabilities, not because of the number of Windows machines. The Apache web server is the most widely deployed web server on the web, yet it has had few exploits. Most of the web server exploits are for Microsoft IIS.

/me pets BSD and Linux
Link Posted: 1/3/2006 9:42:33 PM EDT
[#30]

Quoted:

Quoted:
This obviously is going to be difficult to patch.  And the delivery device doesn't simply have to be clicking on a thumbnailed image.



Why?

Push out a new thumbnail component without the vulnerability.  Why is that difficult?



Sorry, I didn't mean to imply that it would be difficult to write the patch, just to actually patch all the machines out there in a timely enough manner considering the potential promiscuity of the virus. (should it even exist yet)
Link Posted: 1/3/2006 9:42:42 PM EDT
[#31]

Quoted:
There are a couple hundred samples of code out to exploit this weakness - it's a big one.

Run regsvr32 -u shimgvw.dll to temporarily disable the "thumbnail" view which is what the bug exploits.

After Microsoft releases a patch on the 10th of January run regsvr32 shimgvw.dll to turn thumbnails back on.



old info:

http://antivirus.about.com/od/virusdescriptions/a/wmfexploit_2.htm

doesn't work with new variants.
Link Posted: 1/3/2006 9:44:16 PM EDT
[#32]
Just a bit of sensationalism from a financial rag.

Yep, it's a newfound vulnerability.  Yep, you need to take some reasonable precautions.  But it's NOT fatal -- this is the way of our brave new world.  There will always be some giggling, acne-faced moron taking shots at the Big Player in the OS game.  

In a few days, it will all be history, and we can be free to move on to the next "sky is falling" scenario...  yawn...  pace yourself folks -- this kinda crap is going to be happening for a long time.  If we get breathless every time some social reject working from his Mom's basement manages to rub two brain cells together and release a virus, we'll all hyperventilate.

Link Posted: 1/3/2006 9:51:27 PM EDT
[#33]
Uh oh. I think my PC has something up with it. All the icons on the desktop disappear then reappear a second later. Almost like a warm start.

I ran Trend Micro virus scan, Ad-Aware and Microsoft AntiSpyware...nothing detected. But my icons are still cycling. Also, nothing weird in the Task Manager.
Link Posted: 1/3/2006 9:52:43 PM EDT
[#34]
/me cuddles the three, no, now FOUR PoC sploits on his desktop.
Link Posted: 1/3/2006 9:53:05 PM EDT
[#35]
Trendmicro teabags fuzzy nuts
Link Posted: 1/3/2006 9:53:44 PM EDT
[#36]
Link to the SANS page that has a link to the temp patch (non-Microsoft):

isc.sans.org/
Link Posted: 1/3/2006 9:54:03 PM EDT
[#37]

Quoted:
/me cuddles the three, no, now FOUR PoC sploits on his desktop.



WTF is a PoC sploit? I need to know!
Link Posted: 1/3/2006 9:56:40 PM EDT
[#38]

Quoted:
Just a bit of sensationalism from a financial rag.





No, not really. Did you even do any research on the exploit?

All you need to do is visit a web site. Not open an infected file sent in an email or some other way.

antivirus.about.com/od/virusdescriptions/a/wmfexploit.htm
Link Posted: 1/3/2006 9:58:01 PM EDT
[#39]

Quoted:


I'm a Mac user.



All shits and giggles until something goes wrong and no one can help you!

Let alone there is almost no support for Mac people. Just some poor Betamax person in a VHS world.
Link Posted: 1/3/2006 10:00:51 PM EDT
[#40]

Quoted:

Quoted:

Quoted:
This obviously is going to be difficult to patch.  And the delivery device doesn't simply have to be clicking on a thumbnailed image.



Why?

Push out a new thumbnail component without the vulnerability.  Why is that difficult?



Sorry, I didn't mean to imply that it would be difficult to write the patch, just to actually patch all the machines out there in a timely enough manner considering the potential promiscuity of the virus. (should it even exist yet)



The XP SP2 autoupdate stuff should help out once Microsoft actually releases the patch next week.  However, that's only going to take care of some of it....
Link Posted: 1/3/2006 10:02:14 PM EDT
[#41]
.
Link Posted: 1/3/2006 10:03:10 PM EDT
[#42]

Quoted:
I'm not scared. 15 years of computing, and my personal machines haven't been hit yet.

Update the patches, keep your firewall in good shape, don't hit crappy sites, don't open attachments, and keep a backup.



Good advice in general, but do you consider ar15.com to be a crappy (dangerous) site?  Because ar15.com, like most all forums, permits any user to post an image hosted on any remote website.  Your browser will then fetch that image from that website and attempt to display it.  If that image contains the security flaw exploit and your system is not patched to protect you, you will then be infected simply by having read a post on ar15.com.   In fact, you would be infected right now if the following image really did contain the exploit:



To me that is the biggest danger of this particular flaw.  Microsoft has downplayed the vulnerability by stating that hackers would first have to lure their victims to an unfamiliar, dangerous (i.e. "crappy") website that hosts an "infected" image, but that just isn't true when you consider how many forum sites there are that permit people to anonymously post images from any remote hosts.
Link Posted: 1/3/2006 10:12:30 PM EDT
[#43]

Quoted:

Quoted:
I'm not scared. 15 years of computing, and my personal machines haven't been hit yet.

Update the patches, keep your firewall in good shape, don't hit crappy sites, don't open attachments, and keep a backup.



Good advice in general, but do you consider ar15.com to be a crappy (dangerous) site?  Because ar15.com, like most all forums, permits any user to post an image hosted on any remote website.  Your browser will then fetch that image from that website and attempt to display it.  If that image contains the security flaw exploit and your system is not patched to protect you, you will then be infected simply by having read a post on ar15.com.   In fact, you would be infected right now if the following image really did contain the exploit:

tinypic.com/jpkm09.gif

To me that is the biggest danger of this particular flaw.  Microsoft has downplayed the vulnerability by stating that hackers would first have to lure their victims to an unfamiliar, dangerous (i.e. "crappy") website that hosts an "infected" image, but that just isn't true when you consider how many forum sites there are that permit people to anonymously post images from any remote hosts.



That's why it's so bad...it can be exploited almost anywhere. And since it's an OS flaw and not a browser flaw, it doesn't matter if you're using Firefox or Opera.

For now I've turned off images in Firefox...I'm getting nothing but text and empty boxes. And I'm reducing the features on my email programs as well. It's crippling the software but this one is so potentially dangerous it has to be done.

Link Posted: 1/3/2006 10:17:36 PM EDT
[#44]
what are the symptoms of infection?
Link Posted: 1/3/2006 10:21:28 PM EDT
[#45]

Quoted:
what are the symptoms of infection?



Painful burning urination, for starters.
Link Posted: 1/3/2006 10:22:43 PM EDT
[#46]

Quoted:
what are the symptoms of infection?



The flaw allows a wide variety of bad payloads, so there is no single symptom.  It could be anything from a program allowing someone else to control your system to a program to erase every file on your system.
Link Posted: 1/3/2006 10:22:55 PM EDT
[#47]

Quoted:

Quoted:
I'm not scared. 15 years of computing, and my personal machines haven't been hit yet.

Update the patches, keep your firewall in good shape, don't hit crappy sites, don't open attachments, and keep a backup.



Good advice in general, but do you consider ar15.com to be a crappy (dangerous) site?  Because ar15.com, like most all forums, permits any user to post an image hosted on any remote website.  Your browser will then fetch that image from that website and attempt to display it.  If that image contains the security flaw exploit and your system is not patched to protect you, you will then be infected simply by having read a post on ar15.com.   In fact, you would be infected right now if the following image really did contain the exploit:

tinypic.com/jpkm09.gif

To me that is the biggest danger of this particular flaw.  Microsoft has downplayed the vulnerability by stating that hackers would first have to lure their victims to an unfamiliar, dangerous (i.e. "crappy") website that hosts an "infected" image, but that just isn't true when you consider how many forum sites there are that permit people to anonymously post images from any remote hosts.


It has to be a .WMF file, though, so all you have to do is tell your browser not to load WMF files.
Link Posted: 1/3/2006 10:25:55 PM EDT
[#48]

Quoted:

Quoted:

Quoted:
I'm not scared. 15 years of computing, and my personal machines haven't been hit yet.

Update the patches, keep your firewall in good shape, don't hit crappy sites, don't open attachments, and keep a backup.



Good advice in general, but do you consider ar15.com to be a crappy (dangerous) site?  Because ar15.com, like most all forums, permits any user to post an image hosted on any remote website.  Your browser will then fetch that image from that website and attempt to display it.  If that image contains the security flaw exploit and your system is not patched to protect you, you will then be infected simply by having read a post on ar15.com.   In fact, you would be infected right now if the following image really did contain the exploit:

tinypic.com/jpkm09.gif

To me that is the biggest danger of this particular flaw.  Microsoft has downplayed the vulnerability by stating that hackers would first have to lure their victims to an unfamiliar, dangerous (i.e. "crappy") website that hosts an "infected" image, but that just isn't true when you consider how many forum sites there are that permit people to anonymously post images from any remote hosts.


It has to be a .WMF file, though, so all you have to do is tell your browser not to load WMF files.





Though the WMF Image Handling Exploit involves .WMF files, a .WMF renamed to a different image extension, i.e. TIF, JPG, ICO, etc., will still be recognized by Windows as a WMF file and the exploit will be rendered.


antivirus.about.com/od/virusdescriptions/a/wmfexploit.htm
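The practical consequence of post #48 (and of the remote-image concern in #42) for anyone filtering uploads or mail attachments: a check that trusts the file extension misses a renamed WMF, so the filter has to sniff the header the way Windows did. The Python below is an added example, not code from the thread or from any of the products mentioned; it classifies a buffer as WMF by its placeable key (0x9AC6CDD7) or standard METAHEADER regardless of the file name, and the sample buffers are constructed inline.

```python
import os
import struct
from functools import reduce

# Placeable WMF files start with this 32-bit key (little-endian on disk).
WMF_PLACEABLE_KEY = 0x9AC6CDD7
# Standard METAHEADER fields: mtType (1 = memory, 2 = disk), mtHeaderSize
# is always 9 (in 16-bit words), mtVersion is 0x0100 or 0x0300.
WMF_TYPES = (1, 2)
WMF_VERSIONS = (0x0100, 0x0300)

def is_wmf(data: bytes) -> bool:
    """Return True if the buffer begins with a placeable or standard WMF header.

    The file name is deliberately not consulted: the point of post #48 is that
    Windows sniffed the content, so a detector has to do the same.
    """
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == WMF_PLACEABLE_KEY:
        return True  # 22-byte placeable header; a METAHEADER follows it
    if len(data) >= 18:
        mt_type, mt_header_size, mt_version = struct.unpack_from("<HHH", data, 0)
        return (mt_type in WMF_TYPES and mt_header_size == 9
                and mt_version in WMF_VERSIONS)
    return False

def declared_type(name: str) -> str:
    """What the extension claims the file is (only the types discussed here)."""
    ext = os.path.splitext(name)[1].lower().lstrip(".")
    return {"jpg": "jpeg", "jpeg": "jpeg", "gif": "gif", "png": "png",
            "tif": "tiff", "ico": "ico", "wmf": "wmf"}.get(ext, "unknown")

def check_image(name: str, data: bytes) -> dict:
    """Compare the declared type with the sniffed one; flag a disguised WMF."""
    declared = declared_type(name)
    actual = "wmf" if is_wmf(data) else "other"
    return {"name": name, "declared": declared, "actual": actual,
            "mismatch": actual == "wmf" and declared != "wmf"}

def scan(files) -> list:
    """Return the names of uploads that are WMF content under a non-WMF name."""
    return [r["name"] for r in (check_image(n, d) for n, d in files) if r["mismatch"]]

# --- constructed sample buffers (not real files from the thread) ---
# Minimal standard WMF: 18-byte METAHEADER followed by a 3-word EOF record.
_EOF_RECORD = struct.pack("<IH", 3, 0x0000)
SAMPLE_STANDARD_WMF = struct.pack("<HHHIHIH", 1, 9, 0x0300, 12, 0, 3, 0) + _EOF_RECORD
# Minimal placeable WMF: 22-byte placeable header (checksum = XOR of its first
# ten words) in front of the same METAHEADER + EOF record.
_placeable = struct.pack("<IH4hHI", WMF_PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0)
_checksum = reduce(lambda a, b: a ^ b, struct.unpack("<10H", _placeable))
SAMPLE_PLACEABLE_WMF = _placeable + struct.pack("<H", _checksum) + SAMPLE_STANDARD_WMF
# A JPEG SOI/APP0 prefix, enough to show a genuine JPEG is not flagged.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 20

if __name__ == "__main__":
    uploads = [("cat.jpg", SAMPLE_STANDARD_WMF),     # WMF disguised as a JPEG
               ("chart.wmf", SAMPLE_PLACEABLE_WMF),  # honest WMF
               ("photo.jpg", SAMPLE_JPEG)]
    print("disguised WMF uploads:", scan(uploads))
```

Blocking on the sniffed type rather than the extension is what makes the "just don't load .WMF files" advice in #47 actually hold.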
Link Posted: 1/3/2006 10:25:58 PM EDT
[#49]
I got it.

CWS_SE.-50000

TRAK_SE.10419

Trend Micro detected these.

CYA...gotta reformat now. later

Link Posted: 1/3/2006 10:33:05 PM EDT
[#50]

Quoted:

Quoted:

Quoted:
Isn't this technically old news? I thought the potential was always there.


The big news now is that this Microsoft backdoor exists in every version from 15 years ago all of the way to the newest versions of Vista.  The other big deal is that anyone can do anything with your Microsoft Windows computer just by getting you to view a web page that contains a .wmf image.

Umm, who the hell uses WMF anyway? Almost every image online is either JPG, GIF, or PNG.



The fuckers infecting your computer when you visit your favourite gay porn site. Didn't you read the article at all!?!?

And whoever said Firefox is safe, is dead wrong, this affects both IE and Firefox.
Just disable rendering WMFs. Done and done.

1. Click on the Start button on the taskbar.
2. Click on Run...
3. Type "regsvr32 /u shimgvw.dll" to disable.
4. Click ok when the change dialog appears.

iDefense notes that this workaround may interfere with certain thumbnail images loading correctly, though I have used the hack on my machine and haven't had any problems yet. The company notes that once Microsoft issues a patch, the WMF feature may be enabled again by entering the command "regsvr32 shimgvw.dll" in step three above.
ETA:
SANS approved hotfix here: http://handlers.sans.org/tliston/WMFHotfix-1.4.msi
