WARNING: Virus Hidden In IMAGES

[stonercreek]

Bad bug...really bad! Microsoft security guys scrambling.

This virus hides in graphic files and auto infects Windows PCs that simply visit the page on which the image is located.

Bad news: Microsoft won't have a fix for it until next Tuesday, January 10th.
Good news: The SANS group has developed one in the meantime.

More Info: http://money.cnn.com/2006/01/03/tech...ex.htm?cnn=yes

Link to SANS fix
http://isc.sans.org/diary.php?storyid=1010

[Doug Nelson]

This is true, though as I understand it the only format involved is WMV files, not any normal still web format. However, they can be embedded in any webpage or email, and don't need to be "opened" to do their damage. Even Firefox is vulnerable, but less so (it asks first if you want to view WMV files).

[Marthig]

I am concerned about this, though I don't open many unknown sites, except yahoo and google when searching for images (!!! ) But what are WMV files ? or what do the initials stand for ?

Thanks - Martha

[silica]

Quote:

Originally Posted by Marthig

I am concerned about this, though I don't open many unknown sites, except yahoo and google when searching for images (!!! ) But what are WMV files ? or what do the initials stand for ?

Thanks - Martha

It's not WMV files, those are windows media player files. It's WMF or windows meta files.

[Doug Nelson]

Yes, I should have typed WMF instead of WMV.

Here's the info from MS:
http://www.microsoft.com/technet/sec...ry/912840.mspx

"Does this vulnerability affect image formats other than Windows Metafile (WMF)?
The only image format affected is the Windows Metafile (WMF) format. It is possible however that an attacker could rename the file extension of a WMF file to that of a different image format. In this situation, it is likely that the Graphic Rendering engine would detect and render the file as a WMF image which could allow exploitation."

[silica]

Some of the best and earliest information on this security problem came from Steve Gibson. There is an unofficial fix for the problem developed by Ilfak Guilfanov. If you want to see further information on this, go to

http://www.grc.com/sn/notes-020.htm

[Kraellin]

here is another source of information about this: http://securityresponse.symantec.com...ent/16074.html .

what i want to know is in this:

Quote:

Description
Microsoft Windows WMF graphics rendering engine is affected by a remote code execution vulnerability. This issue affects the 'SetAbortProc' function.

what is the WMF and what is the 'graphics rendering engine'? is this graphics engine something that we ALL have or is it something that is only used by some programs? i've never even seen a .wmf file or know of anything that even recognizes it. do painter and psp and ps recognize these formats, for instance and if not, would we then be vulnerable to this thing?

from what i can see on the symantec site, the only things affected by this are these:
Platforms Affected
Avaya DefinityOne Media Servers
Avaya IP600 Media Servers
Avaya S3400 Message Application Server
Avaya S8100 Media Servers

Components Affected
IBM Lotus Notes 6.5
IBM Lotus Notes 6.5.1
IBM Lotus Notes 6.5.2

craig

[Gary Richardson]

WMF = Windows MetaFile

A metafile is a list of commands that can be played back to draw a graphic. Typically, a metafile is made up of commands to draw objects such as lines, polygons and text and commands to control the style of these objects. NOTE: Some people equate metafiles with vector graphics. In most cases this is fine; but, strictly speaking, a metafile can contain any mix of vector and raster graphics. For example, a metafile could contain just one command to display a bitmap! Unless the distinction is important, we will consider a metafile to be a kind of vector graphic in this FAQ.

A Windows metafile is a 16-bit metafile that can be used by Windows 3.x, Windows 95, 98 and Windows NT to display a picture.

Most Windows programs support WMF files.

Microsoft's Advisory http://www.microsoft.com/technet/sec...ry/912840.mspx as usual woefully misleading and naive as to the risk posed by this exploit. We have already seen victims infected by this exploit, and it's a horror.

Best advice is to download the unofficial patch by Ifan Guilfanov http://www.grc.com/sn/notes-020.htm until the official Microsoft patch becomes available.
It is easily removed by uninstalling, using Add/Remove programmes in Control Panel. The program is Windows WMF Metafile Vulnerability Hotfix 1.2

Uninstall it before downloading the Microsoft patch to avoid possible conflicts.

[rondon]

I have my RestoreIT point all freshened up and ready to negate any problems.

[Gary Richardson]

Now I recall, so you did.

One of the senior helpers at MRU got hit with this on his m/c on 24th Dec, it went straight through his perimeter defences no trouble. Even hovering your mouse near to the infected link was enough to activate the loader.

Luckily his internal defences stopped the download, so it was only necessary to get rid of the loading mechanism, a full infection was avoided.

nuff said.

[CJ Swartz]

Thanks, silica, Doug, Craig, Chris, Gary -- I've downloaded the fix from Gibson's site and downloaded the vulnerability test --- ran it before and after, with the after showing the fix worked.

At least I'm safer now until Microsoft has their fix ready "officially" (below is info from Gibson's site that says the Microsoft fix has been leaked and that Ilfak's fix can be removed AFTER the Microsoft fix is applied).

From http://www.grc.com/sn/notes-020.htm
"As expected, Ilfak's WMF vulnerability suppression patch, and his WMF vulnerability testing utility, both interact smoothly and seamlessly with Microsoft's forthcoming official security update. Ilfak's code can be left running while installing Microsoft's security update, then safely removed forever once the system has rebooted from the update.

Also, Ilfak's vulnerability tester properly recognizes the system's true WMF vulnerability condition under every combination of patch installations (either Ilfak's, Microsoft's, both, or neither). So, you may use Ilfak's solutions with confidence while Microsoft completes their extensive compatibility and regression testing for this forthcoming security update. Once the update is ready, install Microsoft's update, then safely remove Ilfak's patcher."

[Gary Richardson]

Glad to know the patch can be removed After installing the Microsoft fix. thanks for that CJ.

[CJ Swartz]

I installed Microsoft's fix, and removed Ilfak's fix and ran his vulnerability tester and still passed (after re-booting -- it shows your computer as vulnerable until you re-boot). Hopefully, this will be the last for a month or two...

[CJ Swartz]

Will one of you guys please check out what happened to byRo when his computer malfunctioned after installation of the "fix"?

http://www.retouchpro.com/forums/salon/12481-what-just-hit-me.html

[Gary Richardson]

Looks like Windows Explorer (explorer.exe) got corrupted in some way (probably corrupted registry settings).

Have posted a possible way to get out of this for anyone who gets these symptoms. (see byRo's post).

[Gary Richardson]

Love M$ response. Don't worry, all it will do is crash the programme. Yeah that's of no consequence at all is it?

OK, it might not be a critical security risk any more, but it's still wrong and should be sorted. Come on M$ get your finger out.

On a side note, ever noticed that almost all exploits are based on buffer overruns, sloppy cut price programming, these should be removed in the debugging and beta testing process.

[Gary Richardson]

One of the guys at SWW used to have a signature that said

Quote:

"If you think it's bad now, just wait till Longhorn"

(for those who don't know, Longhorn was the beta name for Vista).

I think that pretty much displays the confidence we all have, that M$ will release even a remotely secure system.

[Doug Nelson]

I just got a notice yesterday that an important Quicktime patch was released for both Mac and Win versions. It seems that someone could use images to execute programs on the user's computer. I wonder how come this didn't get all the press of the MS version? (tip: update your QT plugin)

[Gary Richardson]

Thanks Doug.

[rondon]

I stumbled on to this by accident (I was trying to define "twit") but it's timely... I don't know who these fellows are on the website though.

What they have is a broadcast mostly about the wmf vunerability and one high strung fellow claims it was an intentional back door left by microsoft that was discovered by an evil Hacker forcing microsoft to respond with a fix.. I'm only 2/3 of the way thru the audio broadcast as the phone bumped me and I am redownloading... but it spoken simply enough so that I am catching most of it..

BTW IrfanView was mentioned... my favorite viewer

look for the link here,

http://thisweekintech.com/

PS Twit is: This Week In Tech.

[rondon]

what did surprise me was later I realized these are the folks from the old screen savers show at least some of them. Leo Laporte never struck me as a sensationalist he was the moderator.

I think they only refered to the NSA once and that set off warnings in my head too. But you do know we are in a scandal over on this side of the pond because of the goverment spying on the internet eh? There are claims that they went much further than 1st reported.

I could easily believe Microsoft left that back door on purpose and not for the generous reason given by this Steve fellow. As he said though if a Hacker stumbled on to it microsoft would have had to quickly invent a cover.

as for the who shot Kennedy jab... many of us will go to our graves wondering about that one.

I would rather have debated the merits of the audio file without your antics (laughing faces and all) but then thats how you are.

[Gary Richardson]

I can confirm Chris's knowledge of this exploit pre 28th Dec, as he mentioned it indirectly in a PM to me before that date.

Sorry, the audio file is too large for downloading on dial-up, so can't comment on the contents.

But most software developers leave backdoors into their programmes (although this practice is becoming less popular than it once was), add to this a number of backdoors and facilities added unofficially by the programmers, and it's easy to see why security is only a relative term. (For those doubting the existance of "extra curricular" facilities, see www.eeggs.com for a list of "Easter Eggs" embedded in many mainline programmes).

[rondon]

I haven't formed an opinion but are you even aware there is a scandal?

http://news.google.com/news?hl=en&ne...pping&ie=UTF-8

[rondon]

I'm on a phone modem too! it's only Audio.. if you just let it download for 20 minutes or so you can start listening.

[rondon]

Stonercreek started this thread regarding the threat of viruses in graphics.. The Audio relates to that and only refers once quickly to goverment involvement. I think it explains the problem well... This is no Easter egg.. and would appear intentional.
That is the message...

[rondon]

A month or so ago in another security thread I offered RestoreIT as an alternate and you jumped on that in a simular fashion.. You don't discuss anything , you've decided to rant (repeating yourself) about an off topic here.

The topic is the vunerability and I thought the audio link explained it well for us novices.

[rondon]

The topic is the vunerability and I thought the audio link explained it well for us novices.

[Cameraken]

Come on Guys. You’re all making sensible points. So let’s keep it that way.

I noticed a patch for Windows 98 (I think it was at Steve Gibsons Site) Does anyone know if this should be installed? (I use ME at work).
Is ME at as much risk?

Ken

[Cameraken]

Thank You Chris.

Ken.

[rondon]

Following links around I've found he does 6 hours of radio a week among other things... this link is to the archives all broken down into one hour segments..

http://leoville.tv/radio/pmwiki.php/Main/AudioArchives

With a phone modem I've downloaded 1 hour to listen to while downloading the next..

I think I may have ran into his radio show once on an aborted mission to tune into web radio without enough bandwidth.