WARNING: Virus Hidden In IMAGES

[stonercreek]

Bad bug...really bad! Microsoft security guys scrambling.

This virus hides in graphic files and auto infects Windows PCs that simply visit the page on which the image is located.

Bad news: Microsoft won't have a fix for it until next Tuesday, January 10th.
Good news: The SANS group has developed one in the meantime.

More Info: http://money.cnn.com/2006/01/03/tech...ex.htm?cnn=yes

Link to SANS fix
http://isc.sans.org/diary.php?storyid=1010

[Doug Nelson]

This is true, though as I understand it the only format involved is WMV files, not any normal still web format. However, they can be embedded in any webpage or email, and don't need to be "opened" to do their damage. Even Firefox is vulnerable, but less so (it asks first if you want to view WMV files).

[Marthig]

I am concerned about this, though I don't open many unknown sites, except yahoo and google when searching for images (!!! ) But what are WMV files ? or what do the initials stand for ?

Thanks - Martha

[silica]

Quote:

Originally Posted by Marthig

I am concerned about this, though I don't open many unknown sites, except yahoo and google when searching for images (!!! ) But what are WMV files ? or what do the initials stand for ?

Thanks - Martha

It's not WMV files, those are windows media player files. It's WMF or windows meta files.

[Doug Nelson]

Yes, I should have typed WMF instead of WMV.

Here's the info from MS:
http://www.microsoft.com/technet/sec...ry/912840.mspx

"Does this vulnerability affect image formats other than Windows Metafile (WMF)?
The only image format affected is the Windows Metafile (WMF) format. It is possible however that an attacker could rename the file extension of a WMF file to that of a different image format. In this situation, it is likely that the Graphic Rendering engine would detect and render the file as a WMF image which could allow exploitation."

[silica]

Some of the best and earliest information on this security problem came from Steve Gibson. There is an unofficial fix for the problem developed by Ilfak Guilfanov. If you want to see further information on this, go to

http://www.grc.com/sn/notes-020.htm

[Kraellin]

here is another source of information about this: http://securityresponse.symantec.com...ent/16074.html .

what i want to know is in this:

Quote:

Description
Microsoft Windows WMF graphics rendering engine is affected by a remote code execution vulnerability. This issue affects the 'SetAbortProc' function.

what is the WMF and what is the 'graphics rendering engine'? is this graphics engine something that we ALL have or is it something that is only used by some programs? i've never even seen a .wmf file or know of anything that even recognizes it. do painter and psp and ps recognize these formats, for instance and if not, would we then be vulnerable to this thing?

from what i can see on the symantec site, the only things affected by this are these:
Platforms Affected
Avaya DefinityOne Media Servers
Avaya IP600 Media Servers
Avaya S3400 Message Application Server
Avaya S8100 Media Servers

Components Affected
IBM Lotus Notes 6.5
IBM Lotus Notes 6.5.1
IBM Lotus Notes 6.5.2

craig

[Gary Richardson]

WMF = Windows MetaFile

A metafile is a list of commands that can be played back to draw a graphic. Typically, a metafile is made up of commands to draw objects such as lines, polygons and text and commands to control the style of these objects. NOTE: Some people equate metafiles with vector graphics. In most cases this is fine; but, strictly speaking, a metafile can contain any mix of vector and raster graphics. For example, a metafile could contain just one command to display a bitmap! Unless the distinction is important, we will consider a metafile to be a kind of vector graphic in this FAQ.

A Windows metafile is a 16-bit metafile that can be used by Windows 3.x, Windows 95, 98 and Windows NT to display a picture.

Most Windows programs support WMF files.

Microsoft's Advisory http://www.microsoft.com/technet/sec...ry/912840.mspx as usual woefully misleading and naive as to the risk posed by this exploit. We have already seen victims infected by this exploit, and it's a horror.

Best advice is to download the unofficial patch by Ifan Guilfanov http://www.grc.com/sn/notes-020.htm until the official Microsoft patch becomes available.
It is easily removed by uninstalling, using Add/Remove programmes in Control Panel. The program is Windows WMF Metafile Vulnerability Hotfix 1.2

Uninstall it before downloading the Microsoft patch to avoid possible conflicts.

[rondon]

I have my RestoreIT point all freshened up and ready to negate any problems.

[Gary Richardson]

Now I recall, so you did.

One of the senior helpers at MRU got hit with this on his m/c on 24th Dec, it went straight through his perimeter defences no trouble. Even hovering your mouse near to the infected link was enough to activate the loader.

Luckily his internal defences stopped the download, so it was only necessary to get rid of the loading mechanism, a full infection was avoided.

nuff said.

[CJ Swartz]

Thanks, silica, Doug, Craig, Chris, Gary -- I've downloaded the fix from Gibson's site and downloaded the vulnerability test --- ran it before and after, with the after showing the fix worked.

At least I'm safer now until Microsoft has their fix ready "officially" (below is info from Gibson's site that says the Microsoft fix has been leaked and that Ilfak's fix can be removed AFTER the Microsoft fix is applied).

From http://www.grc.com/sn/notes-020.htm
"As expected, Ilfak's WMF vulnerability suppression patch, and his WMF vulnerability testing utility, both interact smoothly and seamlessly with Microsoft's forthcoming official security update. Ilfak's code can be left running while installing Microsoft's security update, then safely removed forever once the system has rebooted from the update.

Also, Ilfak's vulnerability tester properly recognizes the system's true WMF vulnerability condition under every combination of patch installations (either Ilfak's, Microsoft's, both, or neither). So, you may use Ilfak's solutions with confidence while Microsoft completes their extensive compatibility and regression testing for this forthcoming security update. Once the update is ready, install Microsoft's update, then safely remove Ilfak's patcher."

[Gary Richardson]

Glad to know the patch can be removed After installing the Microsoft fix. thanks for that CJ.

[CJ Swartz]

I installed Microsoft's fix, and removed Ilfak's fix and ran his vulnerability tester and still passed (after re-booting -- it shows your computer as vulnerable until you re-boot). Hopefully, this will be the last for a month or two...

[CJ Swartz]

Will one of you guys please check out what happened to byRo when his computer malfunctioned after installation of the "fix"?

http://www.retouchpro.com/forums/salon/12481-what-just-hit-me.html

[Gary Richardson]

Looks like Windows Explorer (explorer.exe) got corrupted in some way (probably corrupted registry settings).

Have posted a possible way to get out of this for anyone who gets these symptoms. (see byRo's post).