
WMF Exploit!!! Install this patch now!

Discussion in 'Tablet PC' started by Jim, Jan 3, 2006.

  1. Jim

    Jim Guest

    In case you have been living under a rock for the last week or so, you may
    not have heard about the WMF Windows exploit.

    For those rock dwellers, here's the scoop.....short and sweet. Reprinted
    here without permission from SANS at
    http://isc.sans.org/diary.php?storyid=994. Hope they don't mind.... ;).

    ---------------------------------------------

    WMF FAQ (NEW)
    Published: 2006-01-03,
    Last Updated: 2006-01-03 08:55:06 UTC by Johannes Ullrich (Version: 3)

    [a few users offered translations of this FAQ into various languages.
    Obviously, we can not check the translation for accuracy, nor can we update
    them. So use at your own risk: Deutsch and Deutsch (pdf), Catalan , Español
    , Italiana and Italiana, Polski, Suomenkielinen, Danish, Japanese,
    Slovenian, Chinese, Norwegian and Nederlands (in progress) ]


    a.. Why is this issue so important?
    The WMF vulnerability uses images (WMF images) to execute arbitrary code. It
    will execute just by viewing the image. In most cases, you don't have to click
    anything. Even images stored on your system may cause the exploit to be
    triggered if they are indexed by some indexing software. Viewing a directory in
    Explorer with 'Icon size' images will cause the exploit to be triggered as
    well.

    a.. Is it better to use Firefox or Internet Explorer?
    Internet Explorer will view the image and trigger the exploit without
    warning. New versions of Firefox will prompt you before opening the image.
    However, in most environments this offers little protection given that these
    are images and are thus considered 'safe'.

    a.. What versions of Windows are affected?
    All. Windows 2000, Windows XP (SP1 and SP2), Windows 2003. All are affected
    to some extent. Mac OS X, Unix and BSD are not affected.

    Note: If you're still running on Win98/ME, this is a watershed moment: we
    believe (untested) that your system is vulnerable and there will be no patch
    from MS. Your mitigation options are very limited. You really need to
    upgrade.

    a.. What can I do to protect myself?
    1.. Microsoft has not yet released a patch. An unofficial patch was made
    available by Ilfak Guilfanov. Our own Tom Liston reviewed the patch and we
    tested it. The reviewed and tested version is available here (now at v1.4,
    MD5: 15f0a36ea33f39c1bcf5a98e51d4f4f6), PGP signature (signed with ISC key)
    here. THANKS to Ilfak Guilfanov for providing the patch!!
    2.. You can unregister the related DLL.
    3.. Virus checkers provide some protection.
    To unregister the DLL:

    a.. Click Start, click Run, type "regsvr32 -u %windir%\system32\shimgvw.dll"
    (without the quotation marks), and then click OK.
    b.. A dialog box appears to confirm that the un-registration process has
    succeeded. Click OK to close the dialog box.
    Our current "best practice" recommendation is to both unregister the DLL and
    to use the unofficial patch.

    a.. How does the unofficial patch work?
    The wmfhotfix.dll is injected into any process loading user32.dll. The DLL
    then patches (in memory) gdi32.dll's Escape() function so that it ignores
    any call using the SETABORTPROC (ie. 0x09) parameter. This should allow
    Windows programs to display WMF files normally while still blocking the
    exploit. The version of the patch located here has been carefully checked
    against the source code provided as well as tested against all known
    versions of the exploit. It should work on WinXP (SP1 and SP2) and Win2K.

    a.. Will unregistering the DLL (without using the unofficial patch)
    protect me?
    It might help. But it is not foolproof. We want to be very clear on this: we
    have some very strong indications that simply unregistering the shimgvw.dll
    isn't always successful. The .dll can be re-registered by malicious
    processes or other installations, and there may be issues where
    re-registering the .dll on a running system that has had an exploit run
    against it allowing the exploit to succeed. In addition it might be
    possible for there to be other avenues of attack against the Escape()
    function in gdi32.dll. Until there is a patch available from MS, we
    recommend using the unofficial patch in addition to un-registering
    shimgvw.dll.
    a.. Should I just delete the DLL?
    It might not be a bad idea, but Windows File Protection will probably
    replace it. You'll need to turn off Windows File Protection first. Also,
    once an official patch is available you'll need to replace the DLL.
    (renaming, rather than deleting is probably better so it will still be
    handy).

    a.. Should I just block all .WMF images?
    This may help, but it is not sufficient. WMF files are recognized by a
    special header and the extension is not needed. The files could arrive using
    any extension, or embedded in Word or other documents.

    a.. What is DEP (Data Execution Protection) and how does it help me?
    With Windows XP SP2, Microsoft introduced DEP. It protects against a wide
    range of exploits, by preventing the execution of 'data segments'. However,
    to work well, it requires hardware support. Some CPUs, like AMD's 64 Bit
    CPUs, will provide full DEP protection and will prevent the exploit.

    a.. How good are Anti Virus products to prevent the exploit?
    At this point, we are aware of versions of the exploit that will not be
    detected by antivirus engines. We hope they will catch up soon. But it will
    be a hard battle to catch all versions of the exploit. Up to date AV systems
    are necessary but likely not sufficient.

    a.. How could a malicious WMF file enter my system?
    There are too many methods to mention them all. E-mail attachments, web
    sites, instant messaging are probably the most likely sources. Don't forget
    P2P file sharing and other sources.

    a.. Is it sufficient to tell my users not to visit untrusted web sites?
    No. It helps, but it's likely not sufficient. We had at least one widely
    trusted web site (knoppix-std.org) which was compromised. As part of the
    compromise, a frame was added to the site redirecting users to a corrupt WMF
    file. "Trusted" sites have been used like this in the past.

    a.. What is the actual problem with WMF images here?
    WMF images are a bit different from most other images. Instead of just
    containing simple 'this pixel has that color' information, WMF images can
    call external procedures. One of these procedure calls can be used to
    execute the code.

    a.. Should I use something like "dropmyrights" to lower the impact of an
    exploit?
    By all means yes. Also, do not run as an administrator-level user for
    everyday work. However, this will only limit the impact of the exploit, and not
    prevent it. Also: Web browsing is only one way to trigger the exploit. If
    the image is left behind on your system, and later viewed by an
    administrator, you may get 'hit'.

    a.. Are my servers vulnerable?
    Maybe... do you allow the uploading of images? email? Are these images
    indexed? Do you sometimes use a web browser on the server? In short: If
    someone can get an image to your server, and if the vulnerable DLL may look
    at it, your server may very well be vulnerable.

    a.. What can I do at my perimeter / firewall to protect my network?
    Not much. A proxy server that strips all images from web sites? Probably
    won't go over well with your users. At least block .WMF images (see above
    about extensions...). If your proxy has some kind of virus checker, it may
    catch it. Same for mail servers. The less you allow your users to initiate
    outbound connections, the better. Close monitoring of user workstations may
    provide a hint if a work station is infected.

    a.. Can I use an IDS to detect the exploit?
    Most IDS vendors are working on signatures. Contact your vendor for details.
    Bleedingsnort.org is providing some continuously improving signatures for
    snort users.

    a.. If I get hit by the exploit, what can I do?
    Not much :-(. It very much depends on the exact exploit you are hit with.
    Most of them will download additional components. It can be very hard, or
    even impossible, to find all the pieces. Microsoft offers free support for
    issues like that at 866-727-2389 (866 PC SAFETY).

    a.. Does Microsoft have information available?
    http://www.microsoft.com/technet/security/advisory/912840.mspx
    But there is no patch at the time of this writing.


    a.. What does CERT have to say?
    http://www.kb.cert.org/vuls/id/181038
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4560
     
    Jim, Jan 3, 2006
    #1
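The FAQ above makes two points a gateway or IDS author has to act on: the file is a WMF because of its header and record stream, not its extension, and the exploit lives in a META_ESCAPE record whose subfunction is SETABORTPROC (0x09). The scanner below is an added example written for this page; it is not code from SANS, Ilfak Guilfanov or anyone in the thread. It assumes the documented WMF layout (optional 22-byte placeable header keyed 0x9AC6CDD7, 18-byte METAHEADER, then records of size-in-WORDs/function/params, with META_ESCAPE = 0x0626 and SETABORTPROC = 0x0009). The two sample files it builds are constructed in the file itself, and the escape data in the "malicious" one is filler bytes, not an exploit.

```python
"""
WMF escape-record scanner: flags a Windows Metafile that carries a META_ESCAPE
record whose subfunction is SETABORTPROC (0x0009), identifying WMF by parsing
the header and record stream rather than by extension.
Added example for this page; not code from SANS, Ilfak Guilfanov or any poster.
The sample files at the bottom are constructed here as test data.
"""
import struct

PLACEABLE_MAGIC = 0x9AC6CDD7  # Aldus placeable header key (little-endian DWORD)
META_EOF = 0x0000
META_SETMAPMODE = 0x0103
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009  # escape subfunction the exploit relies on
MFCOMMENT = 0x000F     # a harmless escape subfunction, used in the benign sample


def scan_wmf(data: bytes):
    """Return (is_wmf, findings). findings lists every META_ESCAPE record seen
    (offset, subfunction, declared byte count, dangerous flag) plus any
    structural error that stopped the parse."""
    findings = []
    off = 0
    # Optional 22-byte placeable header: key(4) hmf(2) bbox(8) inch(2) reserved(4) checksum(2)
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        off = 22
    # Standard 18-byte METAHEADER: type(2) headersize(2) version(2) size(4)
    # numobjects(2) maxrecord(4) numparams(2); headersize is in WORDs and is 9.
    if len(data) < off + 18:
        return False, findings
    mtype, hdr_words, version = struct.unpack_from("<HHH", data, off)
    if mtype not in (1, 2) or hdr_words != 9 or version not in (0x0100, 0x0300):
        return False, findings
    off += hdr_words * 2
    # Record stream: size(DWORD, in WORDs) function(WORD) params(...)
    while off + 6 <= len(data):
        rec_words, func = struct.unpack_from("<IH", data, off)
        rec_len = rec_words * 2
        if rec_words < 3 or off + rec_len > len(data):
            findings.append({"offset": off, "error": "bad or truncated record"})
            break
        if func == META_EOF:
            break
        if func == META_ESCAPE and rec_len >= 10:
            # Escape params: subfunction(WORD) byte_count(WORD) data(byte_count bytes)
            esc_func, byte_count = struct.unpack_from("<HH", data, off + 6)
            findings.append({"offset": off, "escape": esc_func,
                             "byte_count": byte_count,
                             "dangerous": esc_func == SETABORTPROC})
        off += rec_len
    return True, findings


def is_malicious_wmf(data: bytes) -> bool:
    """True if the bytes parse as WMF and contain a SETABORTPROC escape."""
    is_wmf, findings = scan_wmf(data)
    return is_wmf and any(f.get("dangerous") for f in findings)


# --- constructed sample files (test data, not real exploit code) --------------

def _record(func: int, params: bytes = b"") -> bytes:
    """Encode one metafile record; params are padded to a WORD boundary."""
    if len(params) % 2:
        params += b"\x00"
    return struct.pack("<IH", 3 + len(params) // 2, func) + params


def build_wmf(records, placeable: bool = False) -> bytes:
    """Assemble a minimal WMF from encoded records, appending META_EOF."""
    body = b"".join(records) + _record(META_EOF)
    max_rec = max((struct.unpack_from("<I", r, 0)[0] for r in records), default=3)
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, 9 + len(body) // 2, 0, max_rec, 0)
    if placeable:
        fields = struct.pack("<IHhhhhHI", PLACEABLE_MAGIC, 0, 0, 0, 100, 100, 96, 0)
        checksum = 0
        for i in range(0, 20, 2):  # checksum is the XOR of the first ten WORDs
            checksum ^= struct.unpack_from("<H", fields, i)[0]
        header = fields + struct.pack("<H", checksum) + header
    return header + body


_FILLER = b"\x90" * 16  # placeholder escape data; no exploit here

BENIGN_SAMPLE = build_wmf([
    _record(META_SETMAPMODE, struct.pack("<H", 8)),
    _record(META_ESCAPE, struct.pack("<HH", MFCOMMENT, 4) + b"note"),
])

# Same structure, but the escape is SETABORTPROC, behind a placeable header, and
# by the time it reaches a victim it can carry any extension the attacker likes.
MALICIOUS_SAMPLE = build_wmf([
    _record(META_SETMAPMODE, struct.pack("<H", 8)),
    _record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, len(_FILLER)) + _FILLER),
], placeable=True)


if __name__ == "__main__":
    for name, blob in (("benign.wmf", BENIGN_SAMPLE), ("holiday.jpg", MALICIOUS_SAMPLE)):
        is_wmf, findings = scan_wmf(blob)
        verdict = "BLOCK" if is_malicious_wmf(blob) else "allow"
        print(f"{name}: wmf={is_wmf} escapes={findings} -> {verdict}")
```

The scanner deliberately ignores the file name, so a sample renamed to .jpg is still classified by its bytes; a truncated or malformed record stream stops the parse and is reported as an error rather than raising, which is what you want in a mail or proxy filter that must never crash on attacker-controlled input. It does not inspect WMF content embedded inside Word or other container formats, which the FAQ notes is another delivery path.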

  3. MS has updated their security advisory to indicate the patch is expected to
    be released on the next patch Tuesday, Jan 10th.
    http://www.microsoft.com/technet/security/advisory/912840.mspx

    Tom
    | -----------------------------------------
    |
    | So run the patch, reboot and keep your fingers crossed!
    |
    | Jim
    |
    |
     
    Tom [Pepper] Willett, Jan 3, 2006
    #3
  4. Jim

    Jim Guest

    Thanks for the update.....meanwhile, run the patch on the SANS site or
    you're open to anything.

    Direct link to patch......
    http://handlers.sans.org/tliston/wmffix_hexblog14.exe

    Jim

     
    Jim, Jan 3, 2006
    #4
  5. Jim

    Chris H. Guest

    Microsoft has not released a patch at this point. Please do not download or
    install a patch from any other source.
     
    Chris H., Jan 3, 2006
    #5
  6. Jim

    Jim Guest

    Chris,

    You are acting in an extremely irresponsible manner. This is one of the
    largest exploits ever to hit the Windows platform (in number of machines
    affected), and you are telling people to do nothing.

    The only thing more irresponsible than your post is Microsoft's refusal
    to take immediate action for such an exploit.

    Jim
     
    Jim, Jan 3, 2006
    #6
  7. The patch works fine. I have installed it on my three computers without any
    problem. Even if it caused a couple of glitches, it is better than having
    your computer taken over, and controlled, by an unknown individual.

    --


    Regards,

    Richard Urban
    Microsoft MVP Windows Shell/User

    Quote from George Ankner:
    If you knew as much as you think you know,
    You would realize that you don't know what you thought you knew!
     
    Richard Urban, Jan 3, 2006
    #7
  8. Microsoft is taking action. They have posted an advisory which includes
    steps that can be taken to decrease the likelihood of a system falling
    prey to this vulnerability. A patch has been developed by MS and is now
    in the process of being validated to ensure that it meets their release
    standards. The MS patch has a tentative release date of January 10,
    2006, one week from today.

    As most AV vendors now guard against any attack of this vulnerability,
    keeping your AV signatures up to date will keep you protected. If,
    after gathering all information on this you feel you are still at risk,
    then installing the patch available on the SANS website will add
    additional protection. Understand though that the SANS patch has not
    gone through the same level of testing that the MS patch will have gone
    through so has the potential of causing problems.

    In the past, files have been offered as patches to vulnerabilities that
    were themselves an exploit of some sort. It is always best to be wary
    of patches from any non-verifiable source.
    --
    Tom Porterfield
    MS-MVP Windows
    http://support.teloep.org

    Please post all follow-ups to the newsgroup only.
     
    Tom Porterfield, Jan 3, 2006
    #8
  9. Jim

    Chris H. Guest

    Incorrect, Jim. Users should wait for the official patch, and not risk (1)
    going to some web site not connected with Microsoft, and (2) installing
    some "patch" or other software on their machine from an unknown source.

    As noted in the security bulletin issued, there are specific instances where
    this violation of a computer can take place, and they include being lured to
    a web site.

    Protection of the computer will come with intelligent computer usage,
    including not visiting an unknown site for a "fix" not coming directly from
    Microsoft.
     
    Chris H., Jan 3, 2006
    #9
  10. Jim

    Jim Guest

    One week is a very long time with an exploit like this circulating. Not
    only can the exploit be used to take over your PC and execute virtually any
    code that the attacker wants....the exploit is so simple that any script
    kiddie can do it - and lots of them are.

    From Symantec's website.... "It has been reported that the following Web
    sites may contain malicious files that trigger the exploit:


    a.. [http://]h0nest.org/[REMOVED]/12.exe (IP address 195.0.210.192)
    a.. [http://]kube.isa-geek.com/[REMOVED]/wen/up.exe (IP address not found)
    a.. [http://]charmedmadgic.free.fr/[REMOVED]/sdbot05b.jpg (IP address
    212.27.63.117)
    a.. [http://]69.50.171.122/[REMOVED]/test1.php
    a.. [http://]www.jerrynews.com/[REMOVED]/calc.exe (IP address
    211.100.26.169)
    a.. [http://]apperception.biz/[REMOVED]/main.exe (IP address 66.226.64.19)
    a.. [http://]apperception.biz/[REMOVED]/calc.exe (IP address 66.226.64.19)
    a.. [http://]sploso.com/[REMOVED]/starter2.exe (IP address 72.5.54.36)
    a.. [ftp://]x.www2.ninoa.com/[REMOVED]/pub/ied.exe (IP address
    205.177.28.180)
    a.. [ftp://]x.www2.ninoa.com/[REMOVED]/pub/epl.exe (IP address
    205.177.28.180)
    a.. [http://]www.freecat.biz/[REMOVED]/tr/pawn005.exe (IP address not found)
    a.. [http://]fullchain.net/[REMOVED]/apa/dex.exe (IP address
    192.225.177.21)"
    I'd rather be safe than sorry. Some Antivirus products have been updated to
    catch the 2 variants that have appeared at first. But, as I am sure that
    you are aware, variants of exploits rarely stop at 2 code variants.
    Users should always be wary of executing ANY code on their systems. Only
    run code from trusted sources. That is why I gave the SANS link instead of
    my company website. SANS is more widely known and has a history of
    trustworthiness that a small company like mine has yet to attain.

    While I understand your skepticism and applaud your watchful eye for any
    code that will run on your system, we should also take any means necessary to
    ensure the protection of the masses.

    More people than you think do not have up-to-date antivirus protection.
    This is not to say that this tool in any way negates the need for such
    protection. Rather it is a stop-gap measure that will offer a measure of
    protection, to those willing to take advantage of it, until Microsoft is
    comfortable releasing their patch.

    Thanks for your feedback.

    Jim
     
    Jim, Jan 3, 2006
    #10
  11. This is a typical response from Chris who only trusts MS's word as gospel.
    But rather than linking directly to the EXE you should link to the page
    where the user can download it. Direct EXE links are irresponsible to click
    as well. Especially considering that they are so easily spoofed.
     
    Josh Einstein, Jan 3, 2006
    #11
  12. Jim

    Kerry Brown Guest

    If you believe the security bulletin you have obviously not seen this
    exploit in action. Build a test machine, fully update Windows, install your
    antivirus and antispyware apps of choice and go to one of the many known
    sites that use this exploit. The machine will be infected, no ifs, ands, or
    buts. The people using the exploit are changing it often enough that the
    antivirus/spyware/malware apps can't keep up. I have tried it. Have you? It
    was scary. I immediately ran the unofficial patch on my own machines. By the
    way many sites you think may be safe are not, knoppix-std dot org is one
    site that was known to be hacked and was distributing malware via this
    exploit. To most this would certainly seem to be a safe site. Many on these
    newsgroups regularly recommend using knoppix.

    Kerry
     
    Kerry Brown, Jan 3, 2006
    #12
  13. By the way, I got a patch at www.grc.com (another well known Windows
    security expert) who links to Ilfak Guilfanov's temporary patch.
     
    Josh Einstein, Jan 3, 2006
    #13
  14. Jim

    Jim Guest

    WMF info at F-Secure:
    http://www.f-secure.com/weblog/archives/archive-122005.html#00000756
    and http://www.f-secure.com/weblog/archives/archive-012006.html#00000762

    " MS Confirms WMF Flaw, Variants Spread Linked by Thom Holwerda on
    2005-12-31 16:55:55 Microsoft acknowledged late Wednesday the existence of a
    zero-day exploit for Windows Metafile images, and said it was looking into
    ways to better protect its customers. Even worse, by the end of the day
    nearly 50 variants of the exploit had already appeared. One security company
    said the possibilities were endless on how the flaw could be exploited.
    'This vulnerability can be used to install any type of malicious code, not
    just Trojans and spyware, but also worms, bots or viruses that can cause
    irreparable damage to computers,' said Luis Corrons of Panda Software." -
    http://www.osnews.com/story.php?news_id=13136

    Antivirus programs are not all detecting the new variants -
    http://isc.sans.org/diary.php?storyid=998 .

    It's up to you. If you think that your AV program will catch ALL variants
    of a new exploit that can allow remote execution of code and remote control
    of your personal or company PCs, by all means, float on.

    On the other hand, if you cannot afford to take a chance with your personal
    or company PCs and data, patch your systems by running
    http://handlers.sans.org/tliston/wmffix_hexblog14.exe .

    Your life.....your data.....your choice.

    Jim
     
    Jim, Jan 3, 2006
    #14
  15. Jim

    Jim Guest

    True enough.

    More sites advise use of the unofficial patch.....
    http://news.ft.com/cms/s/0d644d5e-7bb3-11da-ab8e-0000779e2340.html
    http://www.f-secure.com/weblog/archives/archive-122005.html#00000756

    Always get more than one source to verify the trustworthiness of any
    download links......even mine.

    Jim
     
    Jim, Jan 3, 2006
    #15
  16. Jim

    Chris H. Guest

    Please speak for yourself only, Josh. This is a serious subject, and you
    shouldn't be letting your personal opinions about people interfere with
    guiding users in the right direction. It is irresponsible for anyone to
    download and install such an unknown, untested patch. Microsoft's security
    bulletin, in part, already issued on the subject:
    =====
    Microsoft Security Advisory (912840)
    Vulnerability in Graphics Rendering Engine Could Allow Remote Code
    Execution.
    Microsoft is investigating new public reports of a vulnerability in Windows.
    Microsoft will continue to investigate the public reports to help provide
    additional guidance for customers.
    Microsoft is aware of detailed exploit code that could allow an attacker to
    execute arbitrary code in the security context of the logged on user when
    visiting a Web site, which contains a specially crafted Windows Metafile
    (WMF) image. An attacker would have no way to force users to visit a
    malicious Web site. Instead, an attacker would have to persuade them to
    visit the Web site, typically by getting them to click a link that takes
    them to the attacker's Web site.
    Customers are encouraged to keep their antivirus software up to date. The
    Microsoft Windows AntiSpyware (Beta) can also help protect your system from
    spyware and other potentially unwanted software. We will continue to
    investigate these public reports.
    Upon completion of this investigation, Microsoft will take the appropriate
    action to help protect our customers. This will include providing a security
    update through our monthly release process or providing an out-of-cycle
    security update, depending on customer needs.
    Microsoft encourages users to exercise caution when they open e-mail and
    links in e-mail from untrusted sources. For more information about Safe
    Browsing, visit the Trustworthy Computing Web site.
    We continue to encourage customers to follow our Protect Your PC guidance of
    enabling a firewall, applying software updates and installing antivirus
    software. Customers can learn more about these steps at the Protect Your PC
    Web site.
    Customers who believe they may have been affected by this issue can contact
    Product Support Services. You can contact Product Support Services in the
    United States and Canada at no charge using the PC Safety line (1
    866-PCSAFETY). Customers outside of the United States and Canada can locate
    the number for no-charge virus support by visiting the Microsoft Help and
    Support Web site.
    Mitigating Factors:
    · In a Web-based attack scenario, an attacker would have to host a
    Web site that contains a Web page that is used to exploit this
    vulnerability. An attacker would have no way to force users to visit a
    malicious Web site. Instead, an attacker would have to persuade them to
    visit the Web site, typically by getting them to click a link that takes
    them to the attacker's Web site.
    · An attacker who successfully exploited this vulnerability could
    gain the same user rights as the local user. Users whose accounts are
    configured to have fewer user rights on the system could be less impacted
    than users who operate with administrative user rights.
    · By default, Internet Explorer on Windows Server 2003, on Windows
    Server 2003 Service Pack 1, on Windows Server 2003 with Service Pack 1 for
    Itanium-based Systems, and on Windows Server 2003 x64 Edition runs in a
    restricted mode that is known as Enhanced Security Configuration. This mode
    mitigates this vulnerability where the e-mail vector is concerned although
    clicking on a link would still put users at risk. In Windows Server 2003,
    Microsoft Outlook Express uses plain text for reading and sending messages
    by default. When replying to an e-mail message that is sent in another
    format, the response is formatted in plain text. See the FAQ section of this
    vulnerability for more information about Internet Explorer Enhanced Security
    Configuration.
    =====
     
    Chris H., Jan 3, 2006
    #16
  17. I'm just saying people should trust security experts. There *are* people out
    there more qualified to give security guidance than you or MS. SANS,
    F-secure, and Steve Gibson are 3 such parties.

    The patch may be unknown to or untested by you, but not to those security
    experts.
     
    Josh Einstein, Jan 3, 2006
    #17
  18. I, for one, did my research and felt comfortable installing it on my home
    pc, and all the computers on our company network.

    Tom
    | I'm just saying people should trust security experts. There *are* people out
    | there more qualified to give security guidance than you or MS. SANS,
    | F-secure, and Steve Gibson are 3 such parties.
    |
    | The patch may be unknown to or untested by you, but not to those security
    | experts.
    |
    | --
    | Josh Einstein
    | Tablet Enhancements for Outlook 2.0 - Try it free for 14 days
    | www.tabletoutlook.com
    |
    | | > Please speak for yourself only, Josh. This is a serious subject, and you
    | > shouldn't be letting your personal opinions about people interfere with
    | > guiding users in the right direction. It is irresponsible for anyone to
    | > download and install such an unknown, untested patch. Microsoft's
    | > security bulletin, in part, already issued on the subject:
    | > =====
    | > Microsoft Security Advisory (912840)
    | > Vulnerability in Graphics Rendering Engine Could Allow Remote Code
    | > Execution.
    | > Microsoft is investigating new public reports of a vulnerability in
    | > Windows. Microsoft will continue to investigate the public reports to help
    | > provide additional guidance for customers.
    | > Microsoft is aware of detailed exploit code that could allow an attacker
    | > to execute arbitrary code in the security context of the logged on user
    | > when visiting a Web site, which contains a specially crafted Windows
    | > Metafile (WMF) image. An attacker would have no way to force users to
    | > visit a malicious Web site. Instead, an attacker would have to persuade
    | > them to visit the Web site, typically by getting them to click a link that
    | > takes them to the attacker's Web site.
    | > Customers are encouraged to keep their antivirus software up to date. The
    | > Microsoft Windows AntiSpyware (Beta) can also help protect your system
    | > from spyware and other potentially unwanted software. We will continue to
    | > investigate these public reports.
    | > Upon completion of this investigation, Microsoft will take the appropriate
    | > action to help protect our customers. This will include providing a
    | > security update through our monthly release process or providing an
    | > out-of-cycle security update, depending on customer needs.
    | > Microsoft encourages users to exercise caution when they open e-mail and
    | > links in e-mail from untrusted sources. For more information about Safe
    | > Browsing, visit the Trustworthy Computing Web site.
    | > We continue to encourage customers to follow our Protect Your PC guidance
    | > of enabling a firewall, applying software updates and installing antivirus
    | > software. Customers can learn more about these steps at the Protect Your
    | > PC Web site.
    | > Customers who believe they may have been affected by this issue can
    | > contact Product Support Services. You can contact Product Support Services
    | > in the United States and Canada at no charge using the PC Safety line (1
    | > 866-PCSAFETY). Customers outside of the United States and Canada can
    | > locate the number for no-charge virus support by visiting the Microsoft
    | > Help and Support Web site.
    | > Mitigating Factors:
    | > · In a Web-based attack scenario, an attacker would have to host
    | > a Web site that contains a Web page that is used to exploit this
    | > vulnerability. An attacker would have no way to force users to visit a
    | > malicious Web site. Instead, an attacker would have to persuade them to
    | > visit the Web site, typically by getting them to click a link that takes
    | > them to the attacker's Web site.
    | > · An attacker who successfully exploited this vulnerability could
    | > gain the same user rights as the local user. Users whose accounts are
    | > configured to have fewer user rights on the system could be less impacted
    | > than users who operate with administrative user rights.
    | > · By default, Internet Explorer on Windows Server 2003, on
    | > Windows Server 2003 Service Pack 1, on Windows Server 2003 with Service
    | > Pack 1 for Itanium-based Systems, and on Windows Server 2003 x64 Edition
    | > runs in a restricted mode that is known as Enhanced Security Configuration.
    | > This mode mitigates this vulnerability where the e-mail vector is
    | > concerned although clicking on a link would still put users at risk. In
    | > Windows Server 2003, Microsoft Outlook Express uses plain text for reading
    | > and sending messages by default. When replying to an e-mail message that
    | > is sent in another format, the response is formatted in plain text. See
    | > the FAQ section of this vulnerability for more information about Internet
    | > Explorer Enhanced Security Configuration.
    | > =====
    | > --
    | > Chris H.
    | > Microsoft Windows MVP/Tablet PC
    | > Tablet Creations - http://nicecreations.us/
    | > Associate Expert
    | > Expert Zone - www.microsoft.com/windowsxp/expertzone
    | >
    | > | >> This is a typical response from Chris who only trusts MS's word as
    | >> gospel. But rather than linking directly to the EXE you should link to
    | >> the page where the user can download it. Direct EXE links are
    | >> irresponsible to click as well. Especially considering that they are so
    | >> easily spoofed.
    | >>
    | >> --
    | >> Josh Einstein
    | >> Tablet Enhancements for Outlook 2.0 - Try it free for 14 days
    | >> www.tabletoutlook.com
    | >>
    | >> | >>> Chris,
    | >>>
    | >>> You are acting in an extremely irresponsible manner. This is one of
    | >>> the largest exploits ever to hit the Windows platform (in number of
    | >>> machines affected), and you are telling people to do nothing.
    | >>>
    | >>> The only thing more irresponsible than your post is Microsoft's
    | >>> refusal to take immediate action for such an exploit.
    | >>>
    | >>> Jim
    | >>>
    | >>> | >>>> Microsoft has not released a patch at this point. Please do not
    | >>>> download or install a patch from any other source.
    | >>>> --
    | >>>> Chris H.
    | >>>> Microsoft Windows MVP/Tablet PC
    | >>>> Tablet Creations - http://nicecreations.us/
    | >>>> Associate Expert
    | >>>> Expert Zone - www.microsoft.com/windowsxp/expertzone
    | >>>>
    | >>>>
    | >>>
    | >>>
    | >>
    | >>
    | >
    | >
    |
    |
     
    Tom [Pepper] Willett, Jan 3, 2006
    #18
  19. Jim

    Chris H. Guest

    Yes, they should. How you can trust some sites which have claimed for more
    than four years that Universal Plug and Play is going to "bring down the
    Internet." ROFLOL! Yup, the Internet failed in 2001. Right.
     
    Chris H., Jan 3, 2006
    #19
  20. Josh Einstein, Jan 3, 2006
    #20